
Showing papers on "Collision attack published in 2013"


Book ChapterDOI
26 May 2013
TL;DR: Novel techniques are introduced that enable us to determine the theoretical maximum success probability for a given set of (dependent) local collisions, as well as the smallest set of message conditions that attains this probability.
Abstract: The main contributions of this paper are two-fold. Firstly, we present a novel direction in the cryptanalysis of the cryptographic hash function SHA-1. Our work builds on previous cryptanalytic efforts on SHA-1 based on combinations of local collisions. Due to dependencies, previous approaches used heuristic corrections when combining the success probabilities and message conditions of the individual local collisions. Although this leads to success probabilities that are seemingly sufficient for feasible collision attacks, this approach most often does not lead to the maximum success probability possible as desired. We introduce novel techniques that enable us to determine the theoretical maximum success probability for a given set of (dependent) local collisions, as well as the smallest set of message conditions that attains this probability. We apply our new techniques and present an implemented open-source near-collision attack on SHA-1 with a complexity equivalent to \(2^{57.5}\) SHA-1 compressions. Secondly, we present an identical-prefix collision attack and a chosen-prefix collision attack on SHA-1 with complexities equivalent to approximately \(2^{61}\) and \(2^{77.1}\) SHA-1 compressions, respectively.

85 citations


Book ChapterDOI
26 May 2013
TL;DR: In this paper, the authors focus on the construction of semi-free-start collisions for SHA-256, and show how to turn them into collisions using a two-block approach.
Abstract: In this paper, we focus on the construction of semi-free-start collisions for SHA-256, and show how to turn them into collisions. We present a collision attack on 28 steps of the hash function with practical complexity. Using a two-block approach we are able to turn a semi-free-start collision into a collision for 31 steps with a complexity of at most \(2^{65.5}\). The main improvement of our work is to extend the size of the local collisions used in these attacks. To construct differential characteristics and confirming message pairs for longer local collisions, we had to improve the search strategy of our automated search tool. To test the limits of our techniques we present a semi-free-start collision for 38 steps.

71 citations


Book ChapterDOI
14 Aug 2013
TL;DR: This paper shows that two of the main existing countermeasures for elliptic curve implementations become irrelevant when going from vertical to horizontal analysis.
Abstract: Elliptic-curve-based algorithms are nowadays widely spread among embedded systems. They indeed have the double advantage of providing efficient implementations with short certificates and of being relatively easy to secure against side-channel attacks. As a matter of fact, when an algorithm with constant execution flow is implemented together with randomization techniques, the obtained design usually thwarts classical side-channel attacks while keeping good performance. Recently, a new technique that makes some randomizations ineffective has been successfully applied in the context of RSA implementations. This method, related to a so-called horizontal modus operandi introduced by Walter in 2001, turns out to be very powerful since it only requires leakages from a single algorithm execution. In this paper, we combine such techniques with the collision correlation analysis, introduced at CHES 2010 by Moradi et al., to propose a new attack on elliptic curve atomic implementations or unified formulas with input randomization. We show how it may be applied against several state-of-the-art implementations, including those of Chevallier-Mames et al., of Longa and of Giraud-Verneuil, and also of Bernstein and Lange for unified Edwards formulas. Finally, we provide simulation results for several sizes of elliptic curves on different hardware architectures. These results, which turn out to be the very first horizontal attacks on elliptic curves, open new perspectives in securing such implementations. Indeed, this paper shows that two of the main existing countermeasures for elliptic curve implementations become irrelevant when going from vertical to horizontal analysis.

67 citations


Journal ArticleDOI
TL;DR: A preimage attack on reduced versions of Keccak hash functions, using the recently developed toolkit CryptLogVer for generating the conjunctive normal form, CNF, which is passed to the SAT solver PrecoSAT.

45 citations


Book ChapterDOI
11 Mar 2013
TL;DR: In this paper, a preimage attack was performed on 4-round Keccak and a 5-round distinguisher on the main building block of the hash function, the permutation.
Abstract: In this paper we attack round-reduced Keccak hash function with a technique called rotational cryptanalysis. We focus on Keccak variants proposed as SHA-3 candidates in the NIST’s contest for a new standard of cryptographic hash function. Our main result is a preimage attack on 4-round Keccak and a 5-round distinguisher on Keccak-\(f\)[1600] permutation — the main building block of Keccak hash function.

38 citations


Journal ArticleDOI
TL;DR: This research proposes preimage attacks on hash function modes instantiating AES, including the Davies-Meyer, Matyas-Meyer-Oseas and Miyaguchi-Preneel modes, to evaluate classical and important security notions for hash functions and avoid complicated attack models that seem to have little relevance in practice.
Abstract: We study the security of AES in the open-key setting by showing an analysis on hash function modes instantiating AES including Davies-Meyer, Matyas-Meyer-Oseas, and Miyaguchi-Preneel modes. In particular, we propose preimage attacks on these constructions, while most of previous work focused their attention on collision attacks or distinguishers using non-ideal differential properties. This research is based on the motivation that we should evaluate classical and important security notions for hash functions and avoid complicated attack models that seem to have little relevance in practice. We apply a recently developed meet-in-the-middle preimage approach. As a result, we obtain a preimage attack on 7 rounds of Davies-Meyer AES and a second preimage attack on 7 rounds of Matyas-Meyer-Oseas and Miyaguchi-Preneel AES. Considering that the previous best collision attack only can work up to 6 rounds, the number of attacked rounds reaches the best in terms of the classical security notions. In our attacks, the key is regarded as a known constant, and the attacks thus can work for any key length in common.

37 citations
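
The three modes named in the abstract differ only in which input of the block cipher plays the key and which values are fed forward, which is what makes the open-key setting (the key regarded as a known constant) meaningful for them. The following is an added illustration written for this page, not code from the paper: it implements the three single-block-length modes and a Merkle-Damgård wrapper over a small Feistel cipher that stands in for AES (64-bit block and key, SHA-256-based round function, an assumption made so the example runs without a crypto library; the modes themselves are cipher-agnostic), and shows that once the key is known, dropping the feed-forward XOR makes the compression function trivially invertible.

```python
import hashlib

HALF_MASK = 0xFFFFFFFF


def _round_function(key: int, rnd: int, half: int) -> int:
    """Keyed round function: SHA-256 truncated to 32 bits (example construction, not AES)."""
    data = key.to_bytes(8, "big") + bytes([rnd]) + half.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


def toy_encrypt(key: int, plaintext: int, rounds: int = 8) -> int:
    """Stand-in for AES: 64-bit block, 64-bit key, balanced Feistel network."""
    left, right = plaintext >> 32, plaintext & HALF_MASK
    for rnd in range(rounds):
        left, right = right, left ^ _round_function(key, rnd, right)
    return (left << 32) | right


def toy_decrypt(key: int, ciphertext: int, rounds: int = 8) -> int:
    """Inverse of toy_encrypt: undo the Feistel rounds in reverse order."""
    left, right = ciphertext >> 32, ciphertext & HALF_MASK
    for rnd in reversed(range(rounds)):
        left, right = right ^ _round_function(key, rnd, left), left
    return (left << 32) | right


# The three single-block-length modes. h = incoming chaining value, m = message block.
def davies_meyer(h: int, m: int) -> int:
    return toy_encrypt(m, h) ^ h           # the MESSAGE BLOCK is the cipher key


def matyas_meyer_oseas(h: int, m: int) -> int:
    return toy_encrypt(h, m) ^ m           # the CHAINING VALUE is the cipher key


def miyaguchi_preneel(h: int, m: int) -> int:
    return toy_encrypt(h, m) ^ m ^ h       # MMO plus an extra chaining-value feed-forward


def md_hash(compress, message: bytes, iv: int = 0x0123456789ABCDEF) -> int:
    """Merkle-Damgård iteration with MD strengthening (0x80, zero pad, 64-bit length)."""
    data = message + b"\x80"
    data += b"\x00" * ((-len(data) - 8) % 8) + (8 * len(message)).to_bytes(8, "big")
    h = iv
    for i in range(0, len(data), 8):
        h = compress(h, int.from_bytes(data[i:i + 8], "big"))
    return h


def invert_without_feedforward(h: int, target: int) -> int:
    """With the cipher key known (here the chaining value h, as in MMO/MP for the first
    block, where h is the public IV), E_h(m) alone is trivially invertible. The XOR
    feed-forward in the modes above is what turns the permutation into a one-way map."""
    return toy_decrypt(h, target)


if __name__ == "__main__":
    msg = b"collision attack"
    for mode in (davies_meyer, matyas_meyer_oseas, miyaguchi_preneel):
        print(f"{mode.__name__:20s} {md_hash(mode, msg):016x}")
    h, m = 0xDEADBEEF, 0xCAFEBABE
    print("E_h(m) inverted:", hex(invert_without_feedforward(h, toy_encrypt(h, m))))
```

In Davies-Meyer the attacker chooses the cipher key through the message block, whereas in Matyas-Meyer-Oseas and Miyaguchi-Preneel the key is the incoming chaining value; for the first block that is the public IV, which is exactly the known-constant-key situation the abstract refers to.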


Book ChapterDOI
11 Mar 2013
TL;DR: A key recovery attack, called near collision attack, on Grain v1 is proposed, which utilizes the compact NFSR-LFSR combined structure of Grain v1 and works even if all of the previously identified weaknesses have been sewn up and a perfect key/IV initialization algorithm is adopted.
Abstract: Grain v1 is one of the \(7\) finalists selected in the final portfolio by the eSTREAM project. It has an elegant and compact structure, especially suitable for a constrained hardware environment. Though a number of potential weaknesses have been identified, no key recovery attack on the original design in the single key model has been found yet. In this paper, we propose a key recovery attack, called near collision attack, on Grain v1. The attack utilizes the compact NFSR-LFSR combined structure of Grain v1 and works even if all of the previously identified weaknesses have been sewn up and a perfect key/IV initialization algorithm is adopted. Our idea is to identify near collisions of the internal states at different time instants and restore the states accordingly. Combined with the BSW sampling and the non-uniform distribution of internal state differences for a fixed keystream difference, our attack has been verified on a reduced version of Grain v1 in experiments. An extrapolation of the results under some assumptions indicates an attack on Grain v1 for any fixed IV in \(2^{71.4}\) cipher ticks after a pre-computation of \(2^{73.1}\) ticks, given \(2^{62.8}\)-bit memory and \(2^{67.8}\) keystream bits, which is the best key recovery attack against Grain v1 so far. Hopefully, it provides some new insights on such compact stream ciphers.

28 citations


Journal ArticleDOI
TL;DR: A collision timing attack which exploits the data-dependent timing characteristics of combinational circuits is demonstrated and is based on an also recently published correlation collision attack, which avoids the need for a hypothetical timing model for the underlying combinational circuit to recover the secret materials.
Abstract: When complex functions, for example, substitution boxes of block ciphers, are realized in hardware, timing attributes of the underlying combinational circuit depend on the input/output changes of the function. These characteristics can be exploited with the help of a relatively new scheme called fault sensitivity analysis. A collision timing attack which exploits the data-dependent timing characteristics of combinational circuits is demonstrated in this paper. The attack is based on an also recently published correlation collision attack, which avoids the need for a hypothetical timing model for the underlying combinational circuit to recover the secret materials. The target platforms of our proposed attack are 14 AES ASIC cores of the SASEBO LSI chips in three different process technologies, 130 nm, 90 nm, and 65 nm. Successfully breaking all cores including the DPA-protected and fault attack protected cores indicates the strength of the attack.

27 citations
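
The correlation collision attack the abstract refers to works without a leakage model: it averages the leakage of two S-box instances per input byte value and searches for the XOR offset that makes the two averaged profiles line up, which reveals the XOR of the two key bytes. The simulation below is an added example written for this page, not the paper's code or measurements: it generates the AES S-box, synthesizes noisy Hamming-weight leakage for two S-box instances (a constructed leakage model; the paper's leakage is timing, but the attack logic does not depend on the modality), and recovers k1 ^ k2 from the averaged profiles alone.

```python
import math
import random
from statistics import fmean


def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def gf_inv(a: int) -> int:
    """Multiplicative inverse via a^254 (AES defines the inverse of 0 as 0)."""
    result, base, e = 1, a, 254
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result


def aes_sbox() -> list:
    """AES S-box: GF(2^8) inversion followed by the fixed affine transformation."""
    box = []
    for x in range(256):
        b = gf_inv(x)
        s = b
        for i in range(1, 5):
            s ^= ((b << i) | (b >> (8 - i))) & 0xFF
        box.append(s ^ 0x63)
    return box


SBOX = aes_sbox()


def hamming_weight(x: int) -> int:
    return bin(x).count("1")


def simulate_traces(k1: int, k2: int, n_traces: int, sigma: float, seed: int = 2013) -> list:
    """Constructed leakage: per encryption, two S-box instances (two state bytes of the
    first SubBytes) each leak the Hamming weight of their output plus Gaussian noise."""
    rng = random.Random(seed)
    traces = []
    for _ in range(n_traces):
        p1, p2 = rng.randrange(256), rng.randrange(256)
        l1 = hamming_weight(SBOX[p1 ^ k1]) + rng.gauss(0.0, sigma)
        l2 = hamming_weight(SBOX[p2 ^ k2]) + rng.gauss(0.0, sigma)
        traces.append((p1, p2, l1, l2))
    return traces


def pearson(xs, ys) -> float:
    mx, my = fmean(xs), fmean(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / math.sqrt(vx * vy) if vx and vy else 0.0


def recover_key_difference(traces) -> tuple:
    """Correlation-enhanced collision attack: build the mean leakage per input byte for
    each S-box instance, then find the delta for which profile2[p ^ delta] matches
    profile1[p]. Both instances compute the same S-box, so the match is exact at
    delta = k1 ^ k2 regardless of what the leakage function actually is."""
    sums = [[0.0] * 256, [0.0] * 256]
    counts = [[0] * 256, [0] * 256]
    for p1, p2, l1, l2 in traces:
        sums[0][p1] += l1
        counts[0][p1] += 1
        sums[1][p2] += l2
        counts[1][p2] += 1
    means = [[s / c if c else 0.0 for s, c in zip(sums[i], counts[i])] for i in range(2)]
    scores = {d: pearson(means[0], [means[1][p ^ d] for p in range(256)]) for d in range(256)}
    best = max(scores, key=scores.get)
    return best, scores[best]


if __name__ == "__main__":
    K1, K2 = 0x2B, 0x7E                       # constructed key bytes, unknown to the attacker
    delta, rho = recover_key_difference(simulate_traces(K1, K2, 20000, 1.0))
    print(f"recovered k1^k2 = {delta:#04x} (true {K1 ^ K2:#04x}), correlation {rho:.3f}")
```

The attack yields relations between key bytes rather than the bytes themselves; with 15 independent relations over the 16 bytes of an AES round key the remaining search is 2^8, which is why collision attacks are normally finished with a small brute force or a second distinguisher.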


Book ChapterDOI
06 Mar 2013
TL;DR: This work introduces two methodologies to efficiently implement 3-share TI to a given S-box and successfully applies them to PRESENT and is able to decrease the area requirements of its protected S- box by 37-40%.
Abstract: One of the most promising lightweight hardware countermeasures against SCA attacks is the so-called Threshold Implementation (TI) [12] countermeasure. In this work we discuss issues towards its applicability and introduce solutions to boost its implementation efficiency. In particular, our contribution is three-fold: first we introduce two methodologies to efficiently implement 3-share TI to a given S-box. Second, as an example, we successfully apply these methodologies to PRESENT and are able to decrease the area requirements of its protected S-box by 37-40%. Third, we present the first successful practical Mutual Information Attack on the original 3-share TI implementation of PRESENT and compare it with a correlation-enhanced collision attack using second-order moments.

24 citations


Book ChapterDOI
27 Nov 2013
TL;DR: This paper investigates the collision resistance of the Stribog compression function and its internal cipher and presents a message differential path for the internal block cipher that allows it to efficiently obtain a 5-round free-start collision and a 7.75-round free-start near collision for the internal cipher.
Abstract: In August 2012, the Stribog hash function was selected as the new Russian hash standard (GOST R 34.11-2012). Stribog is an AES-based primitive and is considered as an asymmetric reply to the new SHA-3. In this paper we investigate the collision resistance of the Stribog compression function and its internal cipher. Specifically, we present a message differential path for the internal block cipher that allows us to efficiently obtain a 5-round free-start collision and a 7.75-round free-start near collision for the internal cipher with complexities \(2^8\) and \(2^{40}\), respectively. Finally, the compression function is analyzed and a 7.75-round semi-free-start collision and 8.75- and 9.75-round semi-free-start near collisions are presented, along with an example of a 4.75-round near-colliding message pair that agrees on 50 out of 64 bytes.

23 citations


Journal ArticleDOI
TL;DR: Efficient first-order collision attacks against all NTRU and three countermeasures are given, which cannot be avoided by any padding scheme.

Journal ArticleDOI
TL;DR: The theoretical analysis shows that the improved scheme is more secure than the original one, and it can also keep the parallel merit and other performance advantages of the original scheme.
Abstract: This paper analyzes the security of a chaotic parallel keyed hash function in detail, and points out that it is susceptible to two kinds of forgery attacks and weak key attack (which results in MAC collision). To remedy such security flaws, an improved scheme is further proposed, and its security and performance are also discussed. The theoretical analysis shows that the improved scheme is more secure than the original one. In the meanwhile, it can also keep the parallel merit and other performance advantages of the original scheme.

Journal ArticleDOI
TL;DR: A new clockwise collision attack, called fault rate analysis (FRA) on masked AES, is proposed, which finds that the output mask does not offer protection to the S-box, which leads to a more efficient attack.
Abstract: In 2011, Li presented clockwise collision analysis on nonprotected Advanced Encryption Standard (AES) hardware implementation. In this brief, we first propose a new clockwise collision attack, called fault rate analysis (FRA), on masked AES. Then, we analyze the critical and noncritical paths of the S-box and find that, for its three input bytes, namely, the input value, the input mask, and the output mask, the path relating to the output mask is much shorter than those relating to the other two inputs. Therefore, some sophisticated glitch cycles can be chosen such that the values in the critical path of the whole S-box are destroyed but this short path is not affected. As a result, the output mask does not offer protection to the S-box, which leads to a more efficient attack. Compared with three attacks on masking countermeasures at the Workshop on Cryptographic Hardware and Embedded Systems 2010 and 2011, our method only costs about 8% of their time and 4% of their storage space.

Book ChapterDOI
01 Dec 2013
Abstract: Side-Channel Analysis (SCA) is commonly used to recover secret keys involved in the implementation of publicly known cryptographic algorithms. On the other hand, Side-Channel Analysis for Reverse Engineering (SCARE) considers an adversary who aims at recovering the secret design of some cryptographic algorithm from its implementation. Most of the previously published SCARE attacks enable the recovery of some secret parts of a cipher design (e.g. the substitution boxes) assuming that the rest of the cipher is known. Moreover, these attacks are often based on an idealized leakage assumption where the adversary recovers noise-free side-channel information. In this paper, we address these limitations and describe a generic SCARE attack that can recover the full secret design of any iterated block cipher with common structure. Specifically we consider the family of Substitution-Permutation Networks with either a classical structure as the AES or with a Feistel structure. Based on a simple and usual assumption on the side-channel leakage we show how to recover all parts of the design of such ciphers. We then relax our assumption and describe a practical SCARE attack that deals with noisy side-channel leakages.

Proceedings ArticleDOI
Jega Anish Dev
04 Nov 2013
TL;DR: This paper quantifies the advantage of using the CPU simultaneously with the GPU for hash cracking and describes how a potential attacker could come to possess capabilities of hash rates of at least greater than 11 times the rate of the world's fastest GPU cluster based MD5 brute forcing machine with no investment.
Abstract: Cryptographic Hash functions find ubiquitous use in various applications like digital signatures, message authentication codes and other forms of digital security. Their associated vulnerabilities therefore make them a prevalent target for cyber criminals. Cracking a hash involves brute force which is generally extremely time or computing power intensive. Recent times have seen usage of GPUs for brute forcing hashes thus significantly accelerating the rate of hash generation during brute force. This has further been extended to simultaneous usage of multiple GPUs over multiple machines or building GPU clusters having multiple GPUs on a single machine. Attackers use these methods to crack hashes within practical durations of time, to the tune of hours or days, depending on the strength of the password. This paper quantifies the advantage of using the CPU simultaneously with the GPU for hash cracking and describes how a potential attacker, with respect to the size of the botnet used, could come to possess capabilities of hash rates of at least greater than 11 times the rate of the world's fastest GPU cluster based MD5 brute forcing machine with no investment.

Book ChapterDOI
06 Mar 2013
TL;DR: This paper addresses the problem of heterogeneous leakage pointed out by Gerard and Standaert by inserting an efficient termination algorithm in the key-recovery phase of the collision-correlation attack, and shows the superiority of 2nd-order CPA when its leakage model is not too far from the real leakage function.
Abstract: In this paper we study the collision-correlation attack published by Clavier et al. at CHES 2011 on a 1st-order Boolean masking scheme and show its lack of robustness against unknown and high levels of measurement noise. In order to improve the attack, we follow the approach that Gerard and Standaert proposed in a recent paper at CHES 2012. Then we address the problem of heterogeneous leakage pointed out by Gerard and Standaert (when the leakage noise differs from one S-box output to the others, due for instance to implementation particularities or resynchronisation reasons), by inserting an efficient termination algorithm in the key-recovery phase of the attack. As a last contribution, we compare (over simulations and real experiments) the enhanced collision-correlation attack and the 2nd-order CPA attack. Similarly to the results of Gerard and Standaert, we show, in the context of masked implementations, the superiority of 2nd-order CPA when its leakage model is not too far from the real leakage function.

Book ChapterDOI
25 Feb 2013
TL;DR: This work provides the first security analysis of reduced SM3 regarding its collision resistance and extends the methods used in the recent collision attacks on SHA-2 and shows how the techniques can be effectively applied to SM3.
Abstract: In this work, we provide the first security analysis of reduced SM3 regarding its collision resistance. SM3 is a Chinese hash function standard published by the Chinese Commercial Cryptography Administration Office for the use of electronic authentication service systems and hence might be used in several cryptographic applications in China. So far only a few results have been published for the SM3 hash function. Since the design of SM3 is very similar to the MD4 family of hash functions and in particular to SHA-2, a re-evaluation of the security of SM3 regarding collision resistance is important, taking into account recent advances in the cryptanalysis of SHA-2. In this paper, we extend the methods used in the recent collision attacks on SHA-2 and show how the techniques can be effectively applied to SM3. Our results are a collision attack on the hash function for 20 out of 64 steps and a free-start collision attack for 24 steps of SM3, both with practical complexity.

Journal ArticleDOI
01 Nov 2013
TL;DR: This work proposes a novel scheme in which the RSUs in a VANET use a one-way hash chain scheme to generate a series of public/private key pairs and to distribute them along with an n bit hash code H@^ and a proof cipher C@^ to the vehicles in its range.
Abstract: Improving road safety and optimizing road traffic relies on both Vehicle-to-Vehicle (V2V) and Vehicle-to-Infrastructure (V2I) communications. The successful deployment of vehicular communication depends on two contentious factors, security and privacy. Though several studies have been conducted on the issuance of pseudonyms to deal with these issues, the traditional PKI-based schemes used for the generation of these pseudonyms incur enormous signing and verification costs. In order to address this problem, we propose a novel scheme in which the RSUs in a VANET use a one-way hash chain scheme to generate a series of public/private key pairs and to distribute them, along with an n-bit hash code H@^ and a proof cipher C@^, to the vehicles in range. Since the RSU provides a synchronized clock to all vehicles, at any time a vehicle can verify another vehicle by combining the vehicle's public key and its n-bit hash code, which should prove the same cryptographic hash function of the receiving vehicle. Through this proposed Hash-chain based Authentication Protocol (HAP), the certificate costs of messages are immensely reduced. Moreover, if an attacker tries to compromise a node's public key it will be infeasible for him/her to achieve the desired task, as the vehicle frequently changes its public/private keys in a random fashion and hence guarantees secure vehicle communication. We analyzed the proposed protocol extensively to validate its better performance when compared to its counterparts.
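
The one-way hash chain the scheme above builds on is simple to state but worth seeing in code, in particular the two edge cases a verifier has to handle: a missed disclosure (a vehicle that was briefly out of range) and a replayed or out-of-order value. The following is an added illustration of the chain mechanism itself, not the paper's HAP protocol: it omits the key-pair generation, the hash code and the proof cipher, and uses SHA-256 with a constructed seed as assumptions.

```python
import hashlib


def H(x: bytes) -> bytes:
    """One-way step of the chain. SHA-256 is an assumption of this example."""
    return hashlib.sha256(x).digest()


def build_chain(seed: bytes, length: int) -> list:
    """chain[i] = H^i(seed). chain[length] is the public anchor distributed up front;
    the issuer then discloses chain[length-1], chain[length-2], ... one per epoch."""
    chain = [seed]
    for _ in range(length):
        chain.append(H(chain[-1]))
    return chain


class ChainVerifier:
    """Verifier side: holds the last authenticated chain value and accepts a new
    disclosure only if re-hashing it reaches that value within max_skip steps.
    max_skip bounds how many missed epochs (lost broadcasts) are tolerated and
    also bounds the work an attacker can force with junk values."""

    def __init__(self, anchor: bytes, max_skip: int = 2):
        self.last = anchor
        self.max_skip = max_skip

    def accept(self, value: bytes) -> int:
        """Return the number of epochs advanced (>= 1), or 0 if the value is rejected."""
        cur = value
        for hops in range(1, self.max_skip + 1):
            cur = H(cur)
            if cur == self.last:
                self.last = value          # move the trust anchor backwards along the chain
                return hops
        return 0


def demo() -> dict:
    """Walk through the edge cases; the seed is constructed and not a real secret."""
    chain = build_chain(b"constructed-seed-not-a-real-secret", 6)
    v = ChainVerifier(chain[6], max_skip=2)
    return {
        "fresh": v.accept(chain[5]),        # 1: the next value in order
        "skip_one": v.accept(chain[3]),     # 2: chain[4] was missed, still verifiable
        "forged": v.accept(b"\x00" * 32),   # 0: unrelated value
        "replay": v.accept(chain[4]),       # 0: already superseded, cannot be reused
        "too_far": v.accept(chain[0]),      # 0: more than max_skip epochs ahead
        "next": v.accept(chain[2]),         # 1: verification resumes normally
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:9s} -> {'accepted, advanced ' + str(result) if result else 'rejected'}")
```

A value disclosed once is useless afterwards because the verifier's anchor has already moved past it, which is what gives each epoch's key material its freshness; the bound on skipped epochs is the trade-off between tolerance for lost messages and the cost an attacker can impose with bogus values.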

Book ChapterDOI
26 May 2013
TL;DR: A new cryptanalysis method for double-branch hash functions, by attacking each branch separately and then merging them with free message blocks and shows that 16 years old RIPEMD-128, one of the last unbroken primitives belonging to the MD-SHA family, might not be as secure as originally thought.
Abstract: In this article we propose a new cryptanalysis method for double-branch hash functions that we apply to the standard RIPEMD-128, greatly improving over known results. Namely, we were able to build a very good differential path by placing one non-linear differential part in each computation branch of the RIPEMD-128 compression function, but not necessarily in the early steps. In order to handle the low differential probability induced by the non-linear part located in later steps, we propose a new method for using the freedom degrees, by attacking each branch separately and then merging them with free message blocks. Overall, we present the first collision attack on the full RIPEMD-128 compression function as well as the first distinguisher on the full RIPEMD-128 hash function. Experiments on a reduced number of rounds were conducted, confirming our reasoning and complexity analysis. Our results show that the 16-year-old RIPEMD-128, one of the last unbroken primitives belonging to the MD-SHA family, might not be as secure as originally thought.

Book ChapterDOI
17 Dec 2013
TL;DR: Reducing the capacity to the output size of the SHA-3 standard slightly improves attacks, while reducing the permutation size degrades attacks on Keccak.
Abstract: In October 2012, NIST announced Keccak as the winner of the SHA-3 cryptographic hash function competition. Recently, at CT-RSA 2013, NIST brought up the idea to standardize Keccak variants with different parameters than those submitted to the SHA-3 competition. In particular, NIST considers reducing the capacity to the output size of the SHA-3 standard and additionally standardizing a Keccak variant with a permutation size of 800 instead of 1600 bits. However, these variants have not been analyzed very well during the SHA-3 competition. Especially for the variant using an 800-bit permutation no analysis of the hash function has been published so far. In this work, we analyze these newly proposed Keccak variants and provide practical collisions for up to 4 rounds for all output sizes by constructing internal collisions. Our attacks are based on standard differential cryptanalysis, contrary to the recent attacks by Dinur et al. from FSE 2013. We use a non-linear low-probability path for the first two rounds and use methods from coding theory to find a high-probability path for the last two rounds. The low-probability path as well as the conforming message pair is found using an automatic differential path search tool. Our results indicate that reducing the capacity slightly improves attacks, while reducing the permutation size degrades attacks on Keccak.

Book ChapterDOI
27 Nov 2013
TL;DR: This paper shows the first cryptanalytic attacks on the round-reduced GOST hash function, and combines the guess-and-determine MitM attack with multi-collision to construct a preimage attack on 6-round GOST-512 hash function.
Abstract: The GOST hash function, defined in GOST R 34.11-2012, was selected as the new Russian standard on August 7, 2012. It is designed to replace the old Russian standard GOST R 34.11-94. The GOST hash function is an AES-based primitive and is considered as an asymmetric reply to the SHA-3. It is an iterated hash function based on the Merkle-Damgård strengthening design. In addition to the common iterated structure, it defines a checksum computed over all input message blocks. The checksum is then needed for the final hash value computation. In this paper, we show the first cryptanalytic attacks on the round-reduced GOST hash function. Using the combination of the Super-Sbox technique and multi-collisions, we present collision attacks on 5 rounds of the GOST-256 and GOST-512 hash functions, respectively. The complexity of these collision attacks is (\(2^{122}, 2^{64}\)) (in time and memory) in both cases. Furthermore, we combine the guess-and-determine MitM attack with multi-collisions to construct a preimage attack on the 6-round GOST-512 hash function. The complexity of the preimage attack is about \(2^{505}\) and the memory requirement is about \(2^{64}\). As far as we know, these are the first attacks on the round-reduced GOST hash function.
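
Several entries on this page (the SHA-1 identical-prefix and chosen-prefix attacks, the GOST multi-collision constructions) rely on properties of the Merkle-Damgård iteration rather than on any particular compression function. The added example below, which is not code from any of the papers, makes those properties concrete on a toy hash with a 32-bit chaining value (SHA-256 truncated to 4 bytes as the compression function, an assumption chosen so that a birthday collision costs about 2^16 work): a single-block collision behind a shared prefix extends to any common suffix, k such collisions chained together give Joux's 2^k multicollision, and a chosen-prefix collision has to merge two different chaining values. Because the toy uses a generic birthday search, identical-prefix and chosen-prefix collisions cost about the same here; the gap between \(2^{61}\) and \(2^{77.1}\) for SHA-1 above comes from the differential machinery, which this example does not model.

```python
import hashlib

STATE_BYTES = 4          # 32-bit chaining value: birthday search costs ~2^16 compressions
BLOCK_BYTES = 8
IV = b"\x00" * STATE_BYTES


def compress(cv: bytes, block: bytes) -> bytes:
    """Toy compression function (assumption of this example): SHA-256 truncated to 32 bits."""
    return hashlib.sha256(cv + block).digest()[:STATE_BYTES]


def absorb(cv: bytes, data: bytes) -> bytes:
    """Iterate the compression function over block-aligned data."""
    assert len(data) % BLOCK_BYTES == 0, "data must be a whole number of blocks"
    for i in range(0, len(data), BLOCK_BYTES):
        cv = compress(cv, data[i:i + BLOCK_BYTES])
    return cv


def toy_md(message: bytes) -> bytes:
    """Merkle-Damgård hash with MD strengthening (0x80, zero pad, 64-bit bit length)."""
    padded = message + b"\x80"
    padded += b"\x00" * ((-len(padded) - 8) % BLOCK_BYTES) + (8 * len(message)).to_bytes(8, "big")
    return absorb(IV, padded)


def birthday_block_collision(cv: bytes) -> tuple:
    """Two distinct blocks b1 != b2 with compress(cv, b1) == compress(cv, b2), by generic
    birthday search from a fixed chaining value (deterministic: blocks are counters)."""
    seen = {}
    i = 0
    while True:
        block = i.to_bytes(BLOCK_BYTES, "big")
        out = compress(cv, block)
        if out in seen:
            return seen[out], block
        seen[out] = block
        i += 1


def identical_prefix_multicollision(prefix: bytes, k: int) -> list:
    """Joux's construction: k successive single-block collisions behind a shared prefix
    yield 2^k distinct messages with the same chaining value. Since they also share
    their length, any common suffix plus the padding keeps them colliding."""
    cv = absorb(IV, prefix)
    messages = [prefix]
    for _ in range(k):
        b1, b2 = birthday_block_collision(cv)
        messages = [m + b1 for m in messages] + [m + b2 for m in messages]
        cv = compress(cv, b1)                 # == compress(cv, b2)
    return messages


def chosen_prefix_collision(prefix_a: bytes, prefix_b: bytes) -> tuple:
    """Two different prefixes give two different chaining values; find one block for each
    side so that the chaining values merge. Generic two-list birthday search."""
    if prefix_a == prefix_b:
        raise ValueError("prefixes must differ, otherwise the result is not a collision")
    cv_a, cv_b = absorb(IV, prefix_a), absorb(IV, prefix_b)
    seen_a, seen_b = {}, {}
    i = 0
    while True:
        block = i.to_bytes(BLOCK_BYTES, "big")
        out_a, out_b = compress(cv_a, block), compress(cv_b, block)
        if out_a == out_b:
            return prefix_a + block, prefix_b + block
        if out_a in seen_b:
            return prefix_a + block, prefix_b + seen_b[out_a]
        if out_b in seen_a:
            return prefix_a + seen_a[out_b], prefix_b + block
        seen_a[out_a], seen_b[out_b] = block, block
        i += 1


if __name__ == "__main__":
    msgs = identical_prefix_multicollision(b"PREFIX-1", 3)
    print(len(msgs), "messages, distinct hashes:", len({toy_md(m + b"suffix") for m in msgs}))
    a, b = chosen_prefix_collision(b"ALICE--1", b"BOB----2")
    print("chosen-prefix collision:", toy_md(a).hex(), toy_md(b).hex())
```

The two message-level consequences are the ones the attacks on this page exploit: once two messages share a chaining value, anything appended identically to both (including the padding block) keeps them colliding, and a collision attack that only works behind an identical prefix cannot be used to join two meaningful, different documents, which is why chosen-prefix collisions are the more dangerous and more expensive goal.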

Posted Content
TL;DR: In this article, the authors proposed a method to choose the optimal input difference for generating MD5 collision pairs, where the sufficient conditions are divided into two classes: strong conditions and weak conditions, by the degree of difficulty for condition satisfaction.
Abstract: We presented the first single block collision attack on MD5 with complexity of 2 MD5 compressions and posted the challenge for another completely new one in 2010. Last year, Stevens presented a single block collision attack to our challenge, with complexity of 2 MD5 compressions. We really appreciate Stevens's hard work. However, it is a pity that he had not found even a better solution than our original one, let alone a completely new one and the very optimal solution that we preserved and have been hoping that someone can find, whose collision complexity is about 2 MD5 compressions. In this paper, we propose a method for choosing the optimal input difference for generating MD5 collision pairs. First, we divide the sufficient conditions into two classes, strong conditions and weak conditions, by the degree of difficulty of condition satisfaction. Second, we prove that there exist strong conditions in only 24 steps (one and a half rounds) under specific conditions, by utilizing the weaknesses of the MD5 compression function, which are difference inheriting and message expanding. Third, there should be no difference scaling after state word q25 so that it results in the least number of strong conditions in each differential path; in this way we deduce the distribution of strong conditions for each input difference pattern. Finally, we choose the input difference with the least number of strong conditions and the greatest number of free message words. We implement the most efficient 2-block MD5 collision attack, which needs only about 2 MD5 compressions to find a collision pair, and show a single-block collision attack with complexity 2.

Book ChapterDOI
01 Dec 2013
TL;DR: An improved cryptanalysis of the double-branch hash function standard RIPEMD-160 is proposed using a carefully designed non-linear path search tool and it is shown that some of these message words can lead to very good differential path candidates.
Abstract: In this article, we propose an improved cryptanalysis of the double-branch hash function standard RIPEMD-160. Using a carefully designed non-linear path search tool, we study the potential differential paths that can be constructed from a difference in a single message word and show that some of these message words can lead to very good differential path candidates. Leveraging the recent freedom degree utilization technique from Landelle and Peyrin to merge two branch instances, we eventually manage to obtain a semi-free-start collision attack for 42 steps of the RIPEMD-160 compression function, while the previously best known result reached 36 steps. In addition, we also describe a 36-step semi-free-start collision attack which starts from the first step.

01 Jan 2013
TL;DR: A new family of sponge-based lightweight hash function called spongent is proposed and its security analysis is presented by applying the most important state-of-the-art methods of cryptanalysis and by investigating their complexity.
Abstract: This thesis deals with the analysis and design of cryptographic hash functions that are fundamental components of many cryptographic applications such as digital signatures, authentication, key derivation, random number generation and many others. Due to this versatility they are considered as the "Swiss army knives" of modern cryptology. A hash function is a one-way mathematical function that takes a message of arbitrary length as input and produces an output of fixed (smaller) length. In recent years, several of the approved cryptographic hash functions which are generally inspired by MD4 have been successfully attacked, and serious attacks have been published against the world-wide standard SHA-1. In response, the National Institute of Standards and Technology (NIST) has opened a public competition to develop a new cryptographic hash algorithm, SHA-3, to replace the older SHA-1 and SHA-2 hash functions. The first part of this thesis is focused on the analysis of the hash function JH, one of the finalists of this competition. We demonstrate attacks on JH showing that the algorithm is not as secure as claimed by its designer. We find a semi-free-start collision for the hash function and semi-free-start near-collisions for the compression function of reduced-round JH. Moreover, we present distinguishers for the full internal permutation. The second part of this thesis is focused on the design of hash functions. We propose a new family of sponge-based lightweight hash functions called spongent. We first explain the design strategy of spongent and then we present its security analysis by applying the most important state-of-the-art methods of cryptanalysis and by investigating their complexity.

Journal ArticleDOI
Wei Li, Zhi Tao, Dawu Gu, Yi Wang, Zhiqiang Liu, Ya Liu 
TL;DR: This paper proposes a new differential fault analysis on the MD5 compression function in the word-oriented random fault model and provides a new reference for the security analysis of the same structure of the hash compression functions.
Abstract: MD5, proposed by R. Rivest in 1992, is a widely used hash function with a Merkle-Damgård structure. In the literature, many studies have been devoted to classical cryptanalysis of MD5, such as the collision attack, the preimage attack etc. In this paper, we propose a new differential fault analysis on the MD5 compression function in the word-oriented random fault model. The simulated experimental results show that 144 random faults on average are required to obtain the current input message block. Our method not only increases the efficiency of fault injection, but also decreases the number of faulty hash values. It provides a new reference for the security analysis of hash compression functions with the same structure.

Posted Content
TL;DR: Fundamental concepts of cryptographic hash functions, such as collision resistance, preimage resistance, and second-preimage resistance are described and a proof of the collision resistance of the Centera Content Address is presented.
Abstract: Centera uses cryptographic hash functions as a means of addressing stored objects, thus creating a new class of data storage referred to as CAS (content addressed storage). Such hashing serves the useful function of providing a means of uniquely identifying data and providing a global handle to that data, referred to as the Content Address or CA. However, such a model begs the question: how certain can one be that a given CA is indeed unique? In this paper we describe fundamental concepts of cryptographic hash functions, such as collision resistance, preimage resistance, and second-preimage resistance. We then map these properties to the MD5 and SHA-256 hash algorithms, which are used to generate the Centera content address. Finally, we present a proof of the collision resistance of the Centera Content Address.

Journal ArticleDOI
TL;DR: This letter studies the security of the SM3 hash function against preimage and pseudo-collision attacks by using the weakness of its diffusion process and linear message expansion, proposing preimage attacks on 29-step and 30-step SM3 and pseudo-preimage attacks on 31-step

Journal ArticleDOI
TL;DR: This work shows that a high-dimensional deterministic multiparty quantum secret sharing scheme is vulnerable to a specific kind of collusion attack, presents the attack strategy and gives two possible improvements to resist the proposed collusion attack.
Abstract: Recently, a high-dimensional deterministic multiparty quantum secret sharing (DMQSS) scheme was proposed (Liu ZH et al., Quantum Inf Process, 2011, pp. 1–11). However, we show that the scheme is vulnerable to a specific kind of collusion attack. In the worst case, $\lfloor n/2 \rfloor + 1$ agents can collude elaborately to reveal the dealer's secret without the help of the other agents. We present the attack strategy in detail and also give two possible improvements to resist the proposed collusion attack.

Proceedings ArticleDOI
06 Apr 2013
TL;DR: In this paper, a modified SHA-192 is introduced with a 192-bit message digest and a larger bit difference, combining the best properties of MD-5 and SHA-1.
Abstract: This paper attempts to develop a stronger and safer cryptographic algorithm which would not only be secure, but would also reduce the total time taken to provide integrity of information. Hash functions were introduced in cryptology as a tool to protect the integrity of information. SHA-1 and MD-5 are among the most commonly used hash function message digest algorithms. Scientists have found collision attacks on the SHA-1 and MD-5 hash functions, so the natural response to overcome this threat was assessing the weak points of these protocols that actually depend on collision resistance for their security. So to increase the security, a modified SHA-192 is introduced in this paper having a message digest of length 192 bits with a larger bit difference. To generate a larger bit difference, the best properties of MD-5 and SHA-1 are combined. So the new solution will no longer be vulnerable to the collision attacks.

Journal ArticleDOI
TL;DR: Theoretical analysis and computer simulation indicate that the improved algorithm can completely resist the two kinds of forgery attacks and also performs better than the original one in other respects, such as message and key sensitivity and statistical properties, which can satisfy the performance requirements of a more secure hash function.
Abstract: In this paper, we reconsider and analyze our previous paper "A novel hash algorithm construction based on chaotic neural network", present equal-length and unequal-length forgery attacks against its security in detail, and then propose a significantly improved approach that utilizes a method of complicated nonlinear computation to enhance the security of the original hash algorithm. Theoretical analysis and computer simulation indicate that the improved algorithm can completely resist the two kinds of forgery attacks and also performs better than the original one in other respects, such as message and key sensitivity and statistical properties, which can satisfy the performance requirements of a more secure hash function.