
Showing papers on "Collision attack published in 2012"


Book Chapter
19 Mar 2012
TL;DR: The concept of biclique as a tool for preimage attacks was introduced in this paper, which employs many powerful techniques from differential cryptanalysis of block ciphers and hash functions.
Abstract: We present a new concept of biclique as a tool for preimage attacks, which employs many powerful techniques from differential cryptanalysis of block ciphers and hash functions. The new tool has proved to be widely applicable by inspiring many authors to publish new results on the full versions of AES, KASUMI, IDEA, and Square. In this paper, we show how our concept leads to the first cryptanalysis of the round-reduced Skein hash function, and describe an attack on the SHA-2 hash function with more rounds than before.

128 citations


Report
15 Nov 2012
TL;DR: In 2012, the SHA-3 competition was held and the winning algorithm, Keccak as mentioned in this paper, was the first algorithm to advance to the final round of the competition, where it was evaluated by the National Institute of Standards and Technology (NIST).
Abstract: The National Institute of Standards and Technology (NIST) opened a public competition on November 2, 2007, to develop a new cryptographic hash algorithm – SHA-3, which will augment the hash algorithms specified in the Federal Information Processing Standard (FIPS) 180-4, Secure Hash Standard (SHS). The competition was NIST's response to advances in the cryptanalysis of hash algorithms. advance to the final round of the competition. Eighteen months were provided for the public review of the finalists, and on October 2, 2012, NIST announced the winning algorithm of the SHA-3 competition – Keccak. This report summarizes the evaluation of the five finalists and the selection of the SHA-3 winner.

91 citations


Book Chapter
15 Apr 2012
TL;DR: This article proposes to employ higher-order statistical moments and probability density functions as the figure of merit to detect collisions and removes the shortcomings of the existing correlation collision attacks using first-order moments.
Abstract: By examining the similarity of side-channel leakages, collision attacks evade the indispensable hypothetical leakage models of multi-query based side-channel distinguishers like correlation power analysis and mutual information analysis attacks. Most of the side-channel collision attacks compare two selective observations, which makes them similar to simple power analysis attacks. A multi-query collision attack detecting several collisions at the same time by means of comparing the leakage averages was presented at CHES 2010. To be successful, this attack requires the means of the side-channel leakages to be related to the processed intermediate values. It therefore fails in case the mean values and processed data are independent, even though the leakages and the processed values follow a clear relationship. The contribution of this article is to extend the scope of this attack by employing additional statistics to detect the colliding situations. Instead of restricting the analyses to the evaluation of means, we propose to employ higher-order statistical moments and probability density functions as the figure of merit to detect collisions. Thus, our new techniques remove the shortcomings of the existing correlation collision attacks using first-order moments. In addition to the theoretical discussion of our approach, practical evidence of its suitability for side-channel evaluation is provided. We provide four case studies, including three FPGA-based masked hardware implementations and a software implementation using Boolean masking on a microcontroller, to support our theoretical groundwork.

74 citations


Book Chapter
02 Dec 2012
TL;DR: In this article, improved cryptanalyses of the ISO standard hash function Whirlpool are presented with respect to the fundamental security notions, including preimage and collision attacks, and the differences from attacking the Sbox with a balanced differential distribution table (DDT) are reported.
Abstract: In this paper, improved cryptanalyses of the ISO standard hash function Whirlpool are presented with respect to the fundamental security notions. While a subspace distinguisher was presented on the full version (10 rounds) of the compression function, its impact on the security of the hash function seems limited. In this paper, we discuss the (second) preimage and collision attacks for the hash function and the compression function of Whirlpool. Regarding the preimage attack, 6 rounds of the hash function are attacked with 2^481 computations, while the previous best attack is for 5 rounds with 2^481.5 computations. Regarding the collision attack, 8 rounds of the compression function are attacked with 2^120 computations, while the previous best attack is for 7 rounds with 2^184 computations. To verify the correctness, especially for the rebound attack on the Sbox with an unbalanced Differential Distribution Table (DDT), the attack is partially implemented, and the differences from attacking the Sbox with a balanced DDT are reported.

40 citations


19 Jun 2012
TL;DR: This thesis provides an analysis of the security of the cryptographic hash function standards MD5 and SHA-1, which have been broken since 2004 due to so-called identical-prefix collision attacks, and introduces a new, more flexible attack called the chosen-prefix collision attack that allows significantly more control over the two colliding messages.
Abstract: Cryptographic hash functions compute a small fixed-size hash value for any given message. A main application is in digital signatures, which require that it must be hard to find collisions, i.e., two different messages that map to the same hash value. In this thesis we provide an analysis of the security of the cryptographic hash function standards MD5 and SHA-1, which have been broken since 2004 due to so-called identical-prefix collision attacks. In particular, we present more efficient identical-prefix collision attacks on both MD5 and SHA-1 that improve upon the literature. Furthermore, we introduce a new, more flexible attack on MD5 and SHA-1 called the chosen-prefix collision attack that allows significantly more control over the two colliding messages. Moreover, we have proven that our new attack on MD5 poses a realistic threat to the security of everyday applications with our construction of a rogue Certification Authority (CA). Our rogue CA could have enabled the total subversion of secure communications with any website -- if we had not purposely crippled it. Our research has promoted the migration away from these weak hash functions towards more secure hash functions.

40 citations


Book Chapter
19 Mar 2012
TL;DR: These attacks are the first (pseudo) preimage attacks on round-reduced Grostl hash function, including its compression function and output transformation, and are obtained by a variant of meet-in-the-middle preimage attack framework by Aoki and Sasaki in FSE 2011.
Abstract: The Grostl hash function is one of the 5 final round candidates of the SHA-3 competition hosted by NIST. In this paper, we study the preimage resistance of the Grostl hash function. We propose pseudo preimage attacks on the Grostl hash function for both the 256-bit and 512-bit versions, i.e., we need to choose the initial value in order to invert the hash function. The pseudo preimage attack on 5 (out of 10)-round Grostl-256 has a complexity of (2^244.85, 2^230.13) (in time and memory) and the pseudo preimage attack on 8 (out of 14)-round Grostl-512 has a complexity of (2^507.32, 2^507.00). To the best of our knowledge, our attacks are the first (pseudo) preimage attacks on the round-reduced Grostl hash function, including its compression function and output transformation. These results are obtained by a variant of the meet-in-the-middle preimage attack framework by Aoki and Sasaki. We also improve the time complexities of the preimage attacks against 5-round Whirlpool and 7-round AES hashes by Sasaki in FSE 2011.

37 citations


Book Chapter
19 Mar 2012
TL;DR: This paper presents not only the best pseudo collision attacks on the SHA-2 family, but also a new insight into the relation between a meet-in-the-middle preimage attack and a pseudo collision attack.
Abstract: In this paper, we present a new technique to construct a collision attack from a particular preimage attack which is called a partial target preimage attack. Since most of the recent meet-in-the-middle preimage attacks can be regarded as partial target preimage attacks, a collision attack is derived from the meet-in-the-middle preimage attack. By using our technique, pseudo collisions of the 43-step reduced SHA-256 and the 46-step reduced SHA-512 can be obtained with complexities of 2^126 and 2^254.5, respectively. As far as we know, our results are the best pseudo collision attacks on both SHA-256 and SHA-512 in the literature. Moreover, we show that our pseudo collision attacks can be extended to 52 and 57 steps of SHA-256 and SHA-512, respectively, by combining them with the recent preimage attacks on SHA-2 by bicliques. Furthermore, since the proposed technique is quite simple, it can be directly applied to other hash functions. We apply our algorithm to several hash functions including Skein and BLAKE, which are SHA-3 finalists. We present not only the best pseudo collision attacks on the SHA-2 family, but also a new insight into the relation between a meet-in-the-middle preimage attack and a pseudo collision attack.

32 citations


Posted Content
TL;DR: In this paper, the authors proposed pseudo preimage attacks on the Grostl hash function for both the 256-bit and 512-bit versions, i.e., the initial value needs to be chosen in order to invert the hash function.
Abstract: The Grostl hash function is one of the 5 final round candidates of the SHA-3 competition hosted by NIST. In this paper, we study the preimage resistance of the Grostl hash function. We propose pseudo preimage attacks on Grostl hash function for both 256-bit and 512-bit versions, i.e., we need to choose the initial value in order to invert the hash function. Pseudo preimage attack on 5(out of 10)-round Grostl-256 has a complexity of (2 , 2) (in time and memory) and pseudo preimage attack on 8(out of 14)-round Grostl-512 has a complexity of (2, 2). To the best of our knowledge, our attacks are the first (pseudo) preimage attacks on round-reduced Grostl hash function, including its compression function and output transformation. These results are obtained by a variant of meet-in-the-middle preimage attack framework by Aoki and Sasaki. We also improve the time complexities of the preimage attacks against 5-round Whirlpool and 7-round AES hashes by Sasaki in FSE 2011.

30 citations


Book Chapter
09 Sep 2012
TL;DR: This paper suggests that the exploitation of linear collisions in block ciphers can be naturally re-written as a Low Density Parity Check Code decoding problem, and shows that there exist (theoretical) contexts in which collision attacks succeed in exploiting leakages whereas all other non-profiled side-channel attacks fail.
Abstract: Side-channel collision attacks are one of the most investigated techniques allowing the combination of mathematical and physical cryptanalysis. In this paper, we discuss their relevance in the security evaluation of leaking devices with two main contributions. On the one hand, we suggest that the exploitation of linear collisions in block ciphers can be naturally re-written as a Low Density Parity Check Code decoding problem. By combining this re-writing with a Bayesian extension of the collision detection techniques, we succeed in improving the efficiency and error tolerance of previously introduced attacks. On the other hand, we provide various experiments in order to discuss the practicality of such attacks compared to standard DPA. Our results show that collision attacks are less efficient in classical implementation contexts, e.g. 8-bit microcontrollers leaking according to a linear power consumption model. We also observe that the detection of collisions in software devices may be difficult in the case of optimized implementations, because of less regular assembly code. Interestingly, the soft decoding approach is particularly useful in these more challenging scenarios. Finally, we show that there exist (theoretical) contexts in which collision attacks succeed in exploiting leakages whereas all other non-profiled side-channel attacks fail.

23 citations


Book Chapter
19 Mar 2012
TL;DR: In this paper, the security of RIPEMD-128 against collision attacks was analyzed and a new assessment of the security margin was provided by showing attacks on up to 48 (out of 64) steps of the hash function.
Abstract: In this paper, we analyze the security of RIPEMD-128 against collision attacks. The ISO/IEC standard RIPEMD-128 was proposed 15 years ago and may be used as a drop-in replacement for 128-bit hash functions like MD5. Only a few results have been published for RIPEMD-128, the best being a preimage attack for the first 33 steps of the hash function with complexity 2^124.5. In this work, we provide a new assessment of the security margin of RIPEMD-128 by showing attacks on up to 48 (out of 64) steps of the hash function. We present a collision attack reduced to 38 steps and a near-collision attack for 44 steps, both with practical complexity. Furthermore, we show non-random properties for 48 steps of the RIPEMD-128 hash function, and provide an example of a collision on the compression function for 48 steps. For all attacks we use complex nonlinear differential characteristics. Due to the more complicated dual-stream structure of RIPEMD-128 compared to its predecessor, finding high-probability characteristics as well as conforming message pairs is nontrivial. Doing any of these steps by hand is almost impossible or, at least, very time consuming. We present a general strategy to analyze dual-stream hash functions and use an automatic search tool for the two main steps of the attack. Our tool is able to find differential characteristics and perform advanced message modification simultaneously in the two streams.

21 citations


Patent
27 Apr 2012
TL;DR: In this paper, a prefix-free value is obtained from input data, a hash value is obtained by applying a hash function to the prefix-free value, and the hash value is used in a cryptographic scheme, such that a public key or a private key is generated based on the hash value.
Abstract: Methods, systems, and computer programs for producing hash values are disclosed. A prefix-free value is obtained based on input data. The prefix-free value can be based on an implicit certificate, a message to be signed, a message to be verified, or other suitable information. A hash value is obtained by applying a hash function to the prefix-free value. The hash value is used in a cryptographic scheme. In some instances, a public key or a private key is generated based on the hash value. In some instances, a digital signature is generated based on the hash value, or a digital signature is verified based on the hash value, as appropriate.

Posted Content
TL;DR: A single-block collision attack based on other message differences together with an example colliding message pair is presented, based on a new collision algorithm that exploits the low number of bitconditions in the first round.
Abstract: In 2010, Tao Xie and Dengguo Feng [XF10] constructed the first single-block collision for MD5 consisting of two 64-byte messages that have the same MD5 hash. Details of their attack, developed using what they call an evolutionary approach, have not been disclosed "for security reasons". Instead they have posted a challenge to the cryptology community to find a new, different single-block collision attack for MD5. This paper answers that challenge by presenting a single-block collision attack based on other message differences together with an example colliding message pair. The attack is based on a new collision finding algorithm that exploits the low number of bitconditions in the first round. It uses a new way to choose message blocks that satisfy bitconditions up to step 22 and additionally uses three known tunnels to correct bitconditions up to step 25. The attack has an average runtime complexity equivalent to 2^49.8 calls to MD5's compression function.

Book Chapter
19 Mar 2012
TL;DR: This paper exploits the very weak diffusion properties of the internal permutation when the attacker can control the Hamming weight of the input values, leading to a practical free-start collision attack on the ARMADILLO2 compression function, and describes a new attack, called local-linearization, that seems to be very efficient on data-dependent bit transposition designs.
Abstract: The ARMADILLO2 primitive is a very innovative hardware-oriented multi-purpose design published at CHES 2010 and based on data-dependent bit transpositions. In this paper, we first show a very unpleasant property of the internal permutation that allows, for example, a cheap distinguisher to be obtained on ARMADILLO2 when instantiated as a stream cipher. Then, we exploit the very weak diffusion properties of the internal permutation when the attacker can control the Hamming weight of the input values, leading to a practical free-start collision attack on the ARMADILLO2 compression function. Moreover, we describe a new attack, so-called local-linearization, that seems to be very efficient on data-dependent bit transposition designs, and we obtain a practical semi-free-start collision attack on the ARMADILLO2 hash function. Finally, we provide a related-key recovery attack when ARMADILLO2 is instantiated as a stream cipher. All collision attacks have been verified experimentally; they require negligible memory and a very small number of computations (less than one second on an average computer), even for the high security versions of the scheme.

Proceedings Article
07 Nov 2012
TL;DR: This paper deals with an original application of the SAT problem to encode the well-known MD?
Abstract: The SATisfiability Problem is a core problem in mathematical logic and computing theory. In recent years, progress has made it a powerful and competitive approach to practically solve a wide range of industrial and academic problems. Thus, the current SAT solving capacity allows the propositional formalism to be an interesting alternative for tackling cryptographic problems, and in particular has introduced a new field called logical cryptanalysis [15]. This paper deals with an original application of the SAT problem to encode the well-known MD? and SHA? hash function algorithms in a generic DIMACS formula. As cryptographic hash functions are central elements in modern cryptography, we choose to validate our modelling with a dedicated attack on the inversion of these functions. This attack behaves like a reverse-engineering process, using a state-of-the-art SAT solver to achieve a weakening of the second preimage of MD? and SHA?. As a result, we present our modelling and an improvement of the current limit of the best practical attacks on step-reduced MD4, MD5 and SHA? inversions, up to 39, 28 and 23 broken steps respectively. Finally, a brief analysis of our results gives an idea about logical cryptanalysis and hash functions.

Patent
28 Sep 2012
TL;DR: A first hash value is obtained by applying a first hash function to a first input, such as an implicit certificate, message to be signed, a message to verify, or other suitable information as mentioned in this paper.
Abstract: Methods, systems, and computer programs for producing hash values are disclosed. A first hash value is obtained by applying a first hash function to a first input. The first input can be based on an implicit certificate, a message to be signed, a message to be verified, or other suitable information. A second hash value is obtained by applying a second hash function to a second input. The second input is based on the first hash value. The second hash value is used in a cryptographic scheme. In some instances, a public key or a private key is generated based on the second hash value. In some instances, a digital signature is generated based on the second hash value, or a digital signature is verified based on the second hash value, as appropriate.

Book Chapter
Dmitry Khovratovich
02 Dec 2012
TL;DR: In this article, the concept of sliced bicliques was introduced for the cryptanalysis of block ciphers and hash functions, which allows one to convert preimage attacks into collision attacks and derive the first collision attacks on the reduced SHA-3 finalist Skein in the hash function setting up to 11 rounds.
Abstract: We extend and improve biclique attacks, which were recently introduced for the cryptanalysis of block ciphers and hash functions. While previous attacks required a primitive to have a key or a message schedule, we show how to mount attacks on primitives with these parameters fixed, i.e. on permutations. We introduce the concept of sliced bicliques, which is a translation of regular bicliques to the framework with permutations. The new framework allows one to convert preimage attacks into collision attacks and derive the first collision attacks on the reduced SHA-3 finalist Skein in the hash function setting up to 11 rounds. We also demonstrate new preimage attacks on the reduced Skein and the output transformation of the reduced Grostl. Finally, the sophisticated technique of message compensation gets a simple explanation with bicliques.

Book Chapter
28 Nov 2012
TL;DR: The current paper studies differential properties of the compression function of reduced-round DM-PRESENT-80, which was proposed at CHES 2008 as a lightweight hash function with 64-bit digests; its success lies in the detailed analysis of the data transition, where the internal state and message values are carefully chosen.
Abstract: The current paper studies differential properties of the compression function of reduced-round DM-PRESENT-80, which was proposed at CHES 2008 as a lightweight hash function with 64-bit digests. Our main result is a collision attack on 12 rounds with a complexity of 2^29.18 12-round DM-PRESENT computations. Then, the attack is extended to an 18-round distinguisher and a 12-round second preimage attack. In our analysis, the differential characteristic is satisfied by the start-from-the-middle approach. Our success lies in the detailed analysis of the data transition, where the internal state and message values are carefully chosen so that a differential characteristic for 5 rounds can be satisfied with complexity 1 on average. In order to reduce the attack complexity, we consider as many techniques as possible: the multi-inbound technique, the early aborting technique, precomputation of look-up tables, and multi-differential characteristics.

Journal Article
TL;DR: Attacks on the generalized Feistel schemes, where each round function consists of a subkey XOR, S-boxes, and then a linear transformation (i.e. a Substitution-Permutation round function), are presented.
Abstract: We present attacks on the generalized Feistel schemes, where each round function consists of a subkey XOR, S-boxes, and then a linear transformation (i.e. a Substitution-Permutation (SP) round function). Our techniques are based on rebound attacks. We assume that the S-boxes have a good differential property and the linear transformation has an optimal branch number. Under this assumption, we first describe known-key distinguishers on the type-1, -2, and -3 generalized Feistel schemes up to 21, 13 and 8 rounds, respectively. Then, we use the distinguishers to make several attacks on hash functions where the Merkle-Damgard domain extender is used and the compression function is constructed with the Matyas-Meyer-Oseas or Miyaguchi-Preneel hash modes from generalized Feistel schemes. Collision attacks are made for 11 rounds of the type-1 Feistel scheme. Near collision attacks are made for 13 rounds of the type-1 Feistel scheme and 9 rounds of the type-2 Feistel scheme. Half collision attacks are made for 15 rounds of the type-1 Feistel scheme, 9 rounds of the type-2 Feistel scheme, and 5 rounds of the type-3 Feistel scheme.

Journal Article
TL;DR: The collision problem of a chaos-based hash function with both modification detection and localization capability is investigated and the expense of the birthday attack on the hash function is far less than expected.

01 Jan 2012
TL;DR: An improved method for finding preimages of Very Smooth Hash is developed, compare this method with existing methods and demonstrate its efficiency with practical results, and the methods for finding multicollisions in traditional iterated hash functions are described.
Abstract: In recent years, the amount of electronic communication has grown enormously. This has posed some new problems in information security. In particular, the methods in cryptography have been under much scrutiny. There are several basic primitives that modern cryptographic protocols utilise. One of these is hash functions, which are used to compute short hash values from messages of any length. In this thesis, we study the security of hash functions from two different viewpoints. First of all, we analyse the security of the Very Smooth Hash against preimage attacks. We develop an improved method for finding preimages of Very Smooth Hash, compare this method with existing methods and demonstrate its efficiency with practical results. Furthermore, we generalise this method to the discrete logarithm variants of the Very Smooth Hash. Secondly, we describe the methods for finding multicollisions in traditional iterated hash functions and give some extensions and improvements to these. We also outline a method for finding multicollisions for generalised iterated hash functions and discuss the implications of these findings. In addition, we generalise these multicollision finding methods to some graph-based hash functions.

Book Chapter
10 Jul 2012
TL;DR: In this paper, the authors proposed a new hash function design with variable hash output sizes of 128, 256, and 512 bits, which is secure against preimage, second pre-image and rebound attacks, and is faster than PKC based hashes.
Abstract: Collision resistance is a fundamental property required for cryptographic hash functions. One way to ensure collision resistance is to use hash functions based on public key cryptography (PKC), which reduces collision resistance to a hard mathematical problem, but such primitives are usually slow. A more practical approach is to use symmetric-key design techniques, which lead to faster schemes, but collision resistance can only be heuristically inferred from the best probability of a single differential characteristic path. We propose a new hash function design with variable hash output sizes of 128, 256, and 512 bits, that reduces this gap. Due to its inherent Substitution-Permutation Network (SPN) structure and JH mode of operation, we are able to compute its differential collision probability using the concept of differentials. Namely, for each possible input difference, we take into account all the differential paths leading to a collision, and this enables us to prove that our hash function is secure against a differential collision attack using a single input difference. None of the SHA-3 finalists could prove such a resistance. At the same time, our hash function design is secure against pre-image, second pre-image and rebound attacks, and is faster than PKC-based hashes. Part of our design includes a generalization of the optimal diffusion used in the classical wide-trail SPN construction from Daemen and Rijmen, which leads to near-optimal differential bounds when applied to non-square byte arrays. We also found a novel way to use parallel copies of a serial matrix over the finite field GF(2^4), so as to create lightweight and secure byte-based diffusion for our design. Overall, we obtain hash functions that are fast in software, very lightweight in hardware (about 4625 GE for the 256-bit hash output) and that provide much stronger security proofs regarding collision resistance than any of the SHA-3 finalists.

Book Chapter
28 Nov 2012
TL;DR: Research shows that OCB-ZXY still cannot resist collision attacks, and even if OCB2 and OCB3 adopt the ODPBT technique, collision attacks still exist.
Abstract: Three versions of OCB appeared in the literature: OCB1, OCB2 and OCB3. Ferguson pointed out that OCB1 could not resist collision attacks, which was improved by Mathiassen. Zhang, Xing and Yang made the first attempt to improve OCB1 against this prevailing attack in blockcipher modes of operation, and proposed a new authenticated encryption mode OCB-ZXY, using the offset dependent plaintext block transformation (ODPBT) technique. Our research shows that: 1) OCB-ZXY still cannot resist collision attacks. 2) OCB2 and OCB3 also suffer from collision attacks, even more severely than OCB1. 3) Even if OCB2 and OCB3 adopt the ODPBT technique, collision attacks still exist.

Patent
26 Mar 2012
TL;DR: In this paper, a hash function is computed over a known image, for example, an address range in a program, and the secret value is combined with the hash in such a way that the combining operation can be reversed at run time.
Abstract: In the present disclosure, a hash function is computed over a known image, for example, an address range in a program. The result of the hash function is known to be the same at two distinct points in time, before the program is run, i.e. signing at build-time, and during the running of the program, i.e. run time. The value that the programmer wishes to hide, i.e. the secret value, is also known at build-time. At build-time, the secret value is combined with the hash in such a way that the combining operation can be reversed at run time. This combined value, i.e. the salt, is stored along with the program. Later, at runtime, the program computes the same hash value as was computed at signing time, and does the reverse combining operation in order to reveal the secret value.

Journal Article
07 Sep 2012
TL;DR: The main principle and methods of simple electromagnetic analysis are described; the result is the determination of the secret key Hamming weight, and this method allows a reduction of the number of possible keys for a subsequent brute-force attack.
Abstract: The article describes the main principle and methods of simple electromagnetic analysis and thus provides an overview of simple electromagnetic analysis. The introductory chapters describe specific SPA attacks using visual inspection of EM traces, template-based attacks and collision attacks. After reading the article, the reader is sufficiently informed of the context of SEMA. Another aim of the article is the practical realization of SEMA, which is focused on an AES implementation. The visual inspection of the EM trace of AES is performed step by step, and the result is the determination of the secret key Hamming weight. On the resulting EM trace, the Hamming weight of the secret key, from 1 to 8, was clearly visible. This method allows a reduction of the number of possible keys for a subsequent brute-force attack.

Patent
03 May 2012
TL;DR: In this paper, a system, method and a computer-readable medium for generating an authentication password for authenticating a client to a server is presented, where a digital certificate that includes a private key and a public key is provided.
Abstract: A system, method and a computer-readable medium for generating an authentication password for authenticating a client to a server. A digital certificate that includes a private key and a public key is provided. A hash of the content of the digital certificate is generated. The hash is also encrypted with the private key. The encrypted hash and the content of the digital certificate are encoded into a certificate blob, which is utilized as an authorization password.

Journal ArticleDOI
TL;DR: In this article, a generic online birthday existential forgery attack on the RMX-hash-then-sign scheme is presented. But the attack is not applicable to the standard hash-based message authentication code (HMAC).
Abstract: At CRYPTO 2006, Halevi and Krawczyk proposed two randomized hash function modes and analyzed the security of digital signature algorithms based on these constructions. They showed that the security of signature schemes based on the two randomized hash function modes relies on properties similar to the second preimage resistance rather than on the collision resistance property of the hash functions. One of the randomized hash function modes was named the RMX hash function mode and was recommended for practical purposes. The National Institute of Standards and Technology (NIST), USA standardized a variant of the RMX hash function mode and published this standard in the Special Publication (SP) 800-106. In this article, we first discuss a generic online birthday existential forgery attack of Dang and Perlner on the RMX-hash-then-sign schemes. We show that a variant of this attack can be applied to forge the other randomize-hash-then-sign schemes. We point out practical limitations of the generic forgery attack on the RMX-hash-then-sign schemes. We then show that these limitations can be overcome for the RMX-hash-then-sign schemes if it is easy to find fixed points for the underlying compression functions, such as for the Davies-Meyer construction used in the popular hash functions such as MD5 designed by Rivest and the SHA family of hash functions designed by the National Security Agency (NSA), USA and published by NIST in the Federal Information Processing Standards (FIPS). We show an online birthday forgery attack on this class of signatures by using a variant of Dean's method of finding fixed point expandable messages for hash functions based on the Davies-Meyer construction. This forgery attack is also applicable to signature schemes based on the variant of RMX standardized by NIST in SP 800-106. 
We discuss some important applications of our attacks and discuss their applicability on signature schemes based on hash functions with `built-in' randomization. Finally, we compare our attacks on randomize-hash-then-sign schemes with the generic forgery attacks on the standard hash-based message authentication code (HMAC).

Journal ArticleDOI
TL;DR: In this paper, the authors compare the state-of-the-art provable security reductions for the second round candidates and review arguments and bounds against classes of differential attacks against SHA-3.
Abstract: In 2007, the US National Institute for Standards and Technology (NIST) announced a call for the design of a new cryptographic hash algorithm in response to vulnerabilities like differential attacks identified in existing hash functions, such as MD5 and SHA-1. NIST received many submissions, 51 of which were accepted to the first round. 14 candidates were left in the second round, out of which five candidates have recently been chosen for the final round. An important criterion in the selection process is the SHA-3 hash function security. We identify two important classes of security arguments for the new designs: (1) the possible reductions of the hash function security to the security of its underlying building blocks and (2) arguments against differential attacks on building blocks. In this paper, we compare the state-of-the-art provable security reductions for the second round candidates and review arguments and bounds against classes of differential attacks. We discuss all the SHA-3 candidates at a high functional level, analyze, and summarize the security reduction results and bounds against differential attacks. Additionally, we generalize the well-known proof of collision resistance preservation, such that all SHA-3 candidates with a suffix-free padding are covered.

DOI
01 Jan 2012
TL;DR: This thesis studies the collision and preimage resistance of certain types of multi-call multi-block-length primitive-based compression (and the corresponding Merkle-Damgard iterated hash) functions and provides a novel framework for blockcipher- based compression functions that compress 3n bits to 2n bits and that use two calls to a 2n-bit key blockciphers with block-length n.
Abstract: Cryptographic hash functions are used in many cryptographic applications, and the design of provably secure hash functions (relative to various security notions) is an active area of research. Most of the currently existing hash functions use the Merkle-Damgård paradigm, where by appropriate iteration the hash function inherits its collision and preimage resistance from the underlying compression function. Compression functions can either be constructed from scratch or be built using well-known cryptographic primitives such as a blockcipher. One classic type of primitive-based compression function is single-block-length: it contains designs that have an output size matching the output length n of the underlying primitive. The single-block-length setting is well understood. Yet even for the optimally secure constructions, the (time) complexity of collision- and preimage-finding attacks is at most $2^{n/2}$ and $2^n$, respectively; when n = 128 (e.g., Advanced Encryption Standard) the resulting bounds have been deemed unacceptable for current practice. As a remedy, multi-block-length primitive-based compression functions, which output more than n bits, have been proposed. This output expansion is typically achieved by calling the primitive multiple times and then combining the resulting primitive outputs in some clever way. In this thesis, we study the collision and preimage resistance of certain types of multi-call multi-block-length primitive-based compression (and the corresponding Merkle-Damgård iterated hash) functions. Our contribution is three-fold. First, we provide a novel framework for blockcipher-based compression functions that compress 3n bits to 2n bits and that use two calls to a 2n-bit key blockcipher with block-length n. We restrict ourselves to two parallel calls and analyze the sufficient conditions to obtain close-to-optimal collision resistance, either in the compression function or in the Merkle-Damgård iteration. 
Second, we present a new compression function $h: \{0,1\}^{3n} \to \{0,1\}^{2n}$; it uses two parallel calls to an ideal primitive (public random function) from 2n to n bits. This is similar to MDC-2 or the recently proposed MJH by Lee and Stam (CT-RSA'11). However, unlike these constructions, already in the compression function we achieve that an adversary limited (asymptotically in n) to $O(2^{2n(1-\delta)/3})$ queries (for any $\delta > 0$) has a disappearing advantage to find collisions. This is the first construction of this type offering collision resistance beyond $2^{n/2}$ queries. Our final contribution is the (re)analysis of the preimage and collision resistance of the Knudsen-Preneel compression functions in the setting of public random functions. Knudsen-Preneel compression functions utilize an [r,k,d] linear error-correcting code over $\mathbb{F}_{2^e}$ (for e > 1) to build a compression function from underlying blockciphers operating in the Davies-Meyer mode. Knudsen and Preneel show, in the complexity-theoretic setting, that finding collisions takes time at least $2^{(d-1)n/2}$. Preimage resistance, however, is conjectured to be the square of the collision resistance. Our results show that both the collision resistance proof and the preimage resistance conjecture of Knudsen and Preneel are incorrect: with the exception of two of the proposed parameters, the Knudsen-Preneel compression functions do not achieve the security level they were designed for.

Book ChapterDOI
09 Dec 2012
TL;DR: A new set of tools for the combinatorial analysis of long words in which the number of occurrences of any symbol is restricted by a fixed constant is introduced, which makes it possible to further shorten the length of the collision messages in any fixed-size collision set, leading to a good deal smaller attack complexity.
Abstract: We study the complexity of multicollision attacks on generalized iterated hash functions. In 2004 A. Joux showed that the size of a multicollision on any iterated hash function can be increased exponentially while the amount of work (or, equivalently, the length of the collision messages) grows only linearly. In Joux's considerations it was essential that each message block was used only once when computing the hash value. In 2005 M. Nandi and D. Stinson generalized Joux's method to iterated hash functions where each message block could be employed at most twice and in an arbitrary order. In the following year J. Hoch and A. Shamir further extended Joux's ideas, this time to so-called ICE hash functions that scan the input message any fixed number of times in an arbitrary order. It was proved that by increasing the work polynomially, exponentially large multicollision sets could be created. The informal attack algorithm of Hoch and Shamir was more rigorously described in [8], where the amount of work of the attack algorithm (and, as well, the length of the multicollision messages) was also more precisely evaluated. In [10] new combinatorial results were proved which allowed a considerably more efficient collision set construction. In this paper we introduce a new set of tools for the combinatorial analysis of long words in which the number of occurrences of any symbol is restricted by a fixed constant. By applying these tools we are able to further shorten the length of the collision messages in any fixed-size collision set, leading to a good deal smaller attack complexity. Finally, we study the structure of efficient rules for compression in bounded generalized iterated hash functions (called ICE hash functions in [4]).