
Showing papers on "Collision attack published in 2015"


Journal ArticleDOI
TL;DR: In this paper, the rebound attack was introduced as a variant of differential cryptanalysis on hash functions and applied to the hash function Whirlpool, standardized by ISO/IEC.
Abstract: We introduce the rebound attack as a variant of differential cryptanalysis on hash functions and apply it to the hash function Whirlpool, standardized by ISO/IEC. We give attacks on reduced variants of the 10-round Whirlpool hash function and compression function. Our results are collisions for 5.5 and near-collisions for 7.5 rounds on the hash function, as well as semi-free-start collisions for 7.5 and semi-free-start near-collisions for 9.5 rounds on the compression function. Additionally, we introduce the subspace problem as a generalization of near-collision resistance. Finally, we present the first distinguishers that apply to the full compression function and the full underlying block cipher W of Whirlpool.

66 citations


Book ChapterDOI
04 Nov 2015
TL;DR: The reasoning extends to hybrid schemes, where the communication party to protect against side-channel attacks is stateful, and is illustrated by describing a collision attack against an example of a hybrid scheme patented by Kocher, and presenting a tweak leading to beyond birthday security.
Abstract: Fresh re-keying is a type of protocol which aims at splitting the task of protecting an encryption/authentication scheme against side-channel attacks in two parts. One part, a re-keying function, has to satisfy a minimum set of properties such as good diffusion, and is based on an algebraic structure that is easy to protect against side-channel attacks with countermeasures such as masking. The other part, a block cipher, brings resistance against mathematical cryptanalysis, and only has to be secure against single-measurement attacks. Since fresh re-keying schemes are cheap and stateless, they are convenient to use in practice and do not require any synchronization between communication parties. However, it has been shown that their first instantiation from Africacrypt 2010 only provides birthday security because of a mathematical only collision-based key recovery attack recently put forward by Dobraunig et al. (CARDIS 2014). In this paper, we provide two provably secure in the ideal cipher model solutions to avoid such collision attacks. The first one is based on classical block ciphers, but does not achieve beyond-birthday CPA security i.e. it only provably prevents the CARDIS 2014 key recovery attack and requires an additional block cipher execution in the protocol. The second one is based on tweakable block ciphers and provides tight CPA security while also being more efficient. As a complement, we also show that our reasoning extends to hybrid schemes, where the communication party to protect against side-channel attacks is stateful. We illustrate this claim by describing a collision attack against an example of a hybrid scheme patented by Kocher, and presenting a tweak leading to beyond birthday security. We conclude the paper by discussing the use of fresh/hybrid re-keying for encryption and authentication, together with a cautionary note on their side-channel resistance.

45 citations


09 Mar 2015
TL;DR: This note describes the eXtended Merkle Signature Scheme (XMSS), a hash-based digital signature system that is suitable for compact implementations, relatively simple to implement, and naturally resists side-channel attacks.
Abstract: This note describes the eXtended Merkle Signature Scheme (XMSS), a hash-based digital signature system. It follows existing descriptions in scientific literature. The note specifies the WOTS+ one-time signature scheme, a single-tree (XMSS) and a multi-tree variant (XMSS^MT) of XMSS. Both variants use WOTS+ as a main building block. XMSS provides cryptographic digital signatures without relying on the conjectured hardness of mathematical problems. Instead, it is proven that it only relies on the properties of cryptographic hash functions. XMSS provides strong security guarantees and, besides some special instantiations, is even secure when the collision resistance of the underlying hash function is broken. It is suitable for compact implementations, relatively simple to implement, and naturally resists side-channel attacks. Unlike most other signature systems, hash-based signatures withstand attacks using quantum computers.

39 citations


Book ChapterDOI
20 Apr 2015
TL;DR: This paper extends a collision attack applied to an instance of an exponentiation to an adversary who seeks to determine whether the output of one operation is used as the input to another, and demonstrates that a side-channel resistant implementation of a group exponentiation algorithm will require countermeasures that introduce enough noise such that an attack is not practical.
Abstract: Public key cryptographic algorithms are typically based on group exponentiation algorithms where the exponent is unknown to an adversary. A collision attack applied to an instance of an exponentiation is typically where an adversary seeks to determine whether two operations in the exponentiation have the same input. In this paper, we extend this to an adversary who seeks to determine whether the output of one operation is used as the input to another. We describe implementations of these attacks applied to a 192-bit scalar multiplication over an elliptic curve that only require a single power consumption trace to succeed with a high probability. Moreover, our attacks do not require any knowledge of the input to the exponentiation algorithm. These attacks would, therefore, be applicable to algorithms, such as EC-DSA, where an exponent is ephemeral, or to implementations where an exponent is blinded. We then demonstrate that a side-channel resistant implementation of a group exponentiation algorithm will require countermeasures that introduce enough noise such that an attack is not practical, as algorithmic countermeasures are not possible. (The work described in this paper was conducted when the last two authors were part of the Cryptography Group at the University of Bristol, United Kingdom.)

32 citations


Book ChapterDOI
30 Mar 2015
TL;DR: The existence of SIM-SO-CCA secure PKE is established assuming only the existence of one-way functions and \(i\mathcal {O}\) in constructing different cryptographic primitives.
Abstract: We study simulation-based, selective opening security against chosen-ciphertext attacks (SIM-SO-CCA security) for public key encryption (PKE). In a selective opening, chosen-ciphertext attack (SO-CCA), an adversary has access to a decryption oracle, sees a vector of ciphertexts, adaptively chooses to open some of them, and obtains the corresponding plaintexts and random coins used in the creation of the ciphertexts. The SIM-SO-CCA notion captures the security of unopened ciphertexts with respect to probabilistic polynomial-time (ppt) SO-CCA adversaries in a semantic way: what a ppt SO-CCA adversary can compute can also be simulated by a ppt simulator with access only to the opened messages. Building on techniques used to achieve weak deniable encryption and non-committing encryption, Fehr et al. (Eurocrypt 2010) presented an approach to constructing SIM-SO-CCA secure PKE from extended hash proof systems (EHPSs), collision-resistant hash functions and an information-theoretic primitive called Cross Authentication Codes (XACs). We generalize their approach by introducing a special type of Key Encapsulation Mechanism (KEM) and using it to build SIM-SO-CCA secure PKE. We investigate what properties are needed from the KEM to achieve SIM-SO-CCA security. We also give three instantiations of our construction. The first uses hash proof systems, the second relies on the \(n\)-Linear assumption, and the third uses indistinguishability obfuscation (\(i\mathcal {O}\)) in combination with extracting, puncturable Pseudo-Random Functions in a similar way to Sahai and Waters (STOC 2014). Our results establish the existence of SIM-SO-CCA secure PKE assuming only the existence of one-way functions and \(i\mathcal {O}\). This result further highlights the simplicity and power of \(i\mathcal {O}\) in constructing different cryptographic primitives.

28 citations


Book ChapterDOI
16 Aug 2015
TL;DR: This work exploits the additional freedom provided by this model by using a new start-from-the-middle approach in combination with improvements on the cryptanalysis tools that have been developed for SHA-1 in the recent years, which results in particular in better differential paths than the ones used for hash function collisions so far.
Abstract: In this paper we analyze the security of the compression function of SHA-1 against collision attacks, or equivalently free-start collisions on the hash function. While a lot of work has been dedicated to the analysis of SHA-1 in the past decade, this is the first time that free-start collisions have been considered for this function. We exploit the additional freedom provided by this model by using a new start-from-the-middle approach in combination with improvements on the cryptanalysis tools that have been developed for SHA-1 in the recent years. This results in particular in better differential paths than the ones used for hash function collisions so far. Overall, our attack requires about \(2^{50}\) evaluations of the compression function in order to compute a one-block free-start collision for a 76-step reduced version, which is so far the highest number of steps reached for a collision on the SHA-1 compression function. We have developed an efficient GPU framework for the highly branching code typical of a cryptanalytic collision attack and used it in an optimized implementation of our attack on recent GTX 970 GPUs. We report that a single cheap US$ 350 GTX 970 is sufficient to find the collision in less than 5 days. This showcases how recent mainstream GPUs seem to be a good platform for expensive and even highly-branching cryptanalysis computations. Finally, our work should be taken as a reminder that cryptanalysis on SHA-1 continues to improve. This is yet another proof that the industry should quickly move away from using this function.

23 citations


Journal ArticleDOI
TL;DR: This work uses new techniques for the cryptanalysis of hash functions to find a collision of the full SHA-0 which is the first published collision of this function, and very efficient collision attacks on reduced versions of SHA-1.
Abstract: We present new techniques for the cryptanalysis of hash functions. Our contributions are two-fold: both on the search level of the compression function and on the meta-structure. The former led to the neutral bits technique, while the latter led to the multi-block technique. The usefulness of these techniques is demonstrated on SHA-0 and SHA-1, but they are applicable to other hash functions as well. We use these techniques to find a collision of the full SHA-0 which is the first published collision of this function, and very efficient collision attacks on reduced versions of SHA-1.

15 citations


Book ChapterDOI
TL;DR: In this article, the authors improved the Big Mac attack presented by Bauer et alii to considerably increase the success rate, instead of comparing only two multiplications, the targeted implementation permits to compare many multiplications and give experiment results with traces taken from a real target to prove the soundness of their attack.
Abstract: At CHES 2001, Walter introduced the Big Mac attack against an implementation of RSA. It is a horizontal collision attack, based on the detection of common operands in two multiplications. The attack is very powerful since one single power trace of an exponentiation permits to recover all bits of the secret exponent. Moreover, the attack works with unknown or blinded input. The technique was later studied and improved by Clavier et alii and presented at INDOCRYPT 2012. At SAC 2013, Bauer et alii presented the first attack based on the Big Mac principle on implementations based on elliptic curves with simulation results. In this work, we improve the attack presented by Bauer et alii to considerably increase the success rate. Instead of comparing only two multiplications, the targeted implementation permits to compare many multiplications. We give experiment results with traces taken from a real target to prove the soundness of our attack. In fact, the experimental results show that the original Big Mac technique given by Walter was better than the technique given by Clavier et alii. With our experiments on a real target, we show that the theoretical improvements are not necessarily the more suitable methods depending on the targeted implementations.

14 citations


Proceedings ArticleDOI
01 Dec 2015
TL;DR: A special variant of collision attack against the protected ECDSA signature computation is demonstrated, exploiting the leakage from multiprecision integer multiplier, which is a building block of several published scalable FPGA-enabled ECC crypto-processors.
Abstract: When considering Elliptic Curve Cryptography (ECC) implementations, countermeasures against side channel attacks are primarily focused on elliptic curve arithmetic. On the other hand, Elliptic Curve Digital Signature Algorithm (ECDSA) implementation also uses a modular multiplication of a private key d_A, and publicly known random parameter r. The side channel leakage of the multiplication r·d_A can reveal the private key, especially in systems with narrow-width data-path used for multiprecision arithmetic. The proposed countermeasure is based on the different order of arithmetic operations, masking the critical multiplication by a random ephemeral key k^-1. In this work, we demonstrate a special variant of collision attack against the protected ECDSA signature computation. The collision attack exploits the leakage from multiprecision integer multiplier, which is a building block of several published scalable FPGA-enabled ECC crypto-processors. Our concrete experimental results were obtained from hardware DISIPA platform based on Altera Cyclone III FPGA.

13 citations


Journal ArticleDOI
TL;DR: In this article, the Streebog hash function was used in the context of malicious hashing and the rebound attack was applied to find three solutions for three different differential paths for four rounds and then, using the freedom of the round constants they connect them to obtain a collision for the 12 rounds of the compression function.
Abstract: In August 2012, the Streebog hash function was selected as the new Russian cryptographic hash standard (GOST R 34.11-2012). In this study, the authors investigate the new standard in the context of malicious hashing and present a practical collision for a malicious version of the full hash function. In particular, they apply the rebound attack to find three solutions for three different differential paths for four rounds. Then, using the freedom of the round constants they connect them to obtain a collision for the 12 rounds of the compression function. Additionally, and because of the simple processing of the counter, they bypass the barrier of the checksum finalisation step and transfer the compression function collision to the hash function output with no additional cost. The presented attack has a practical complexity and is verified by an example. Although the results of this study may not have a direct impact on the security of the current Streebog hash function, it presents an urge for the designers to publish the origin of the used parameters and the rationale behind their choices in order for this function to gain enough confidence and widespread adoption by the security community.

12 citations


Book ChapterDOI
29 Nov 2015
TL;DR: Reverse-engineering of a non-academic cryptanalytic attack exploited in the real world seems to be without precedent, and the authors are able to prove a lower bound for the attack's complexity.
Abstract: In May 2012, a highly advanced malware for espionage dubbed Flame was found targeting the Middle-East. As it turned out, it used a forged signature to infect Windows machines by MITM-ing Windows Update. Using counter-cryptanalysis, Stevens found that the forged signature was made possible by a chosen-prefix attack on MD5 [25]. He uncovered some details that prove that this attack differs from collision attacks in the public literature, yet many questions about techniques and complexity remained unanswered. In this paper, we demonstrate that significantly more information can be deduced from the example collision. Namely, that these details are actually sufficient to reconstruct the collision attack to a great extent using some weak logical assumptions. In particular, we contribute an analysis of the differential path family for each of the four near-collision blocks, the chaining value differences elimination procedure and a complexity analysis of the near-collision block attacks and the associated birthday search for various parameter choices. Furthermore, we were able to prove a lower-bound for the attack's complexity. This reverse-engineering of a non-academic cryptanalytic attack exploited in the real world seems to be without precedent. As it allegedly was developed by some nation-states [11, 12, 19], we discuss potential insights to their cryptanalytic knowledge and capabilities.

Journal ArticleDOI
TL;DR: Since the authors' distinguishers on the 34/35-step compression function of SM3 and the 7-round keyed permutation of BLAKE-256 are practical, they are able to obtain boomerang quartets for these attacks.
Abstract: In this study, the authors study the security of hash functions SM3 and BLAKE-256 against boomerang attack. SM3 is designed by Wang et al. and published by Chinese Commercial Cryptography Administration Office for the use of electronic certification service system in China. BLAKE is one of the five finalists of the NIST SHA-3 competition submitted by Aumasson et al. For SM3, they present boomerang distinguishers for the compression function reduced to 34/35/36/37 steps out of 64 steps, with time complexities 2^31.4, 2^33.6, 2^73.4 and 2^192, respectively. Then, they show some incompatible problems existed in the previous boomerang attacks on SM3. Meanwhile, they launch boomerang attacks on up to 7- and 8-round keyed permutation of BLAKE-256, which are the first valid 7-round and 8-round boomerangs for BLAKE-256. Especially, since the authors' distinguishers on 34/35-step compression function of SM3 and 7-round keyed permutation of BLAKE-256 are practical, they are able to obtain boomerang quartets of these attacks. As far as they know, these are the best results against round-reduced SM3 and BLAKE-256.

Book ChapterDOI
13 Apr 2015
TL;DR: In this paper, a single-shot collision attack on RSA proposed by Hanley et al. is studied focusing on the difference between two operands of multipliers and an experimental result to successfully analyze an FPGA implementation of RSA with the multiply always method is also presented.
Abstract: The single-shot collision attack on RSA proposed by Hanley et al. is studied focusing on the difference between two operands of multipliers. There are two consequences. Firstly, designing order of operands can be a cost-effective countermeasure. We show a concrete example in which operand order determines success and failure of the attack. Secondly, countermeasures can be ineffective if the asymmetric leakage is considered. In addition to the main results, the attack by Hanley et al. is extended using the signal-processing technique of the big mac attack. An experimental result to successfully analyze an FPGA implementation of RSA with the multiply-always method is also presented.

Journal ArticleDOI
TL;DR: The authors improve the probabilities of the differential characteristics so that they can give a collision attack on 40-step RIPEMD-128 hash function with a complexity of 2^35 computations and improve the distinguishing attack proposed by Landelle and Peyrin at EUROCRYPT 2013.
Abstract: RIPEMD-128 is an ISO/IEC standard cryptographic hash function proposed in 1996 by Dobbertin, Bosselaers and Preneel. The compression function of RIPEMD-128 consists of two different and almost independent parallel lines denoted by line1 operation and line2 operation. The initial values and the output values of the last step of the two operations are combined, resulting in the final value of one iteration. In this study, the authors present collision differential characteristics for both 40-step line1 operation and 40-step line2 operation by choosing a proper message difference. By using message modification technique, they improve the probabilities of the differential characteristics so that they can give a collision attack on 40-step RIPEMD-128 hash function with a complexity of 2^35 computations. Meanwhile, they improve the distinguishing attack proposed by Landelle and Peyrin at EUROCRYPT 2013, and give a distinguisher on the full RIPEMD-128 hash function with a complexity of 2^90.4 by doing message modification.

Patent
02 Jun 2015
TL;DR: In this paper, a client device for authenticating a user is operable to obtain a sequence of input actions for an image and obtain a partial hash from a Proof of Knowledge (PoK) server where the partial hash is part of a hash used for authentication of the user.
Abstract: Antialiasing for picture passwords and other touch displays is disclosed. In some embodiments a client device for authenticating a user is operable to obtain a sequence of input actions for an image and obtain a partial hash from a Proof of Knowledge (PoK) server where the partial hash is part of a hash used for authentication of the user. The client device is also operable to calculate a hash for the sequence and determine if a part of the hash matches the partial hash. If the part of the hash matches the partial hash, the client device sends a communication to the PoK server to authenticate the user based on the hash for the sequence of the one or more input actions and obtain a response indicating whether the user is authenticated. In this way, sending some hashes to the proof of knowledge server may not be necessary, saving resources.

Posted Content
TL;DR: In this article, the authors presented the first practical break of the full SHA-1, reaching all 80 out of 80 steps, while only 10 days of computation on a 64 GPU cluster were necessary to perform the attack.
Abstract: We present in this article a freestart collision example for SHA-1, i.e., a collision for its internal compression function. This is the first practical break of the full SHA-1, reaching all 80 out of 80 steps, while only 10 days of computation on a 64 GPU cluster were necessary to perform the attack. This work builds on a continuous series of cryptanalytic advancements on SHA-1 since the theoretical collision attack breakthrough in 2005. In particular, we extend the recent freestart collision work on reduced-round SHA-1 from CRYPTO 2015 that leverages the computational power of graphic cards and adapt it to allow the use of boomerang speed-up techniques. We also leverage the cryptanalytic techniques by Stevens from EUROCRYPT 2013 to obtain optimal attack conditions, which required further refinements for this work. Freestart collisions, like the one presented here, do not directly imply a collision for SHA-1. However, this work is an important milestone towards an actual SHA-1 collision and it further shows how graphics cards can be used very efficiently for these kind of attacks. Based on the state-of-the-art collision attack on SHA-1 by Stevens from EUROCRYPT 2013, we are able to present new projections on the computational/financial cost required by a SHA-1 collision computation. These projections are significantly lower than previously anticipated by the industry, due to the use of the more cost efficient graphics cards compared to regular CPUs. We therefore recommend the industry, in particular Internet browser vendors and Certification Authorities, to retract SHA-1 soon. We hope the industry has learned from the events surrounding the cryptanalytic breaks of MD5 and will retract SHA-1 before example signature forgeries appear in the near future. 
With our new cost projections in mind, we strongly and urgently recommend against a recent proposal to extend the issuance of SHA-1 certificates by a year in the CAB/forum (the vote closes on October 16 2015 after a discussion period ending on October 9).

Journal ArticleDOI
TL;DR: The zipper hash utilizes two-pass hashing to strengthen the iterated hash functions against the generic attack, and a new tree structure called inverse-diamond is exploited to guarantee that the corresponding message blocks in the two passes be identical.
Abstract: The zipper hash utilizes two-pass hashing to strengthen the iterated hash functions against the generic attack. In this paper, we analyze the features of zipper hash and several existing generic attacks on hash functions. A new tree structure called inverse-diamond, which starts from one fixed point and ends with many points, is exploited to guarantee that the corresponding message blocks in the two passes be identical. Then, combining the inverse-diamond structure of depth l, with the multicollision of length n-l (n is the bit number of the hash value) and the (k, 2^k+k-1)-expandable message together, we firstly present a second preimage attack on zipper hash of which the time complexity is about O(2^k + n·2^(n/2) + 2^(n-k) + (n-l)·2^(n-l) + 2^(l+1)), less than O(2^n), and the memory complexity is about O(2^(k+1) + 3·2^l). Specially, if k=l=n/2, then the time complexity is about O(n·2^(n/2)), and the memory complexity is about O(2^(n/2)). Copyright © 2015 John Wiley & Sons, Ltd.

Book ChapterDOI
08 Feb 2015
TL;DR: This paper proposes an alternative method to efficiently manage malicious users, which uses hash trees and query frequencies in order to fit better with the needs of Vehicular Ad-hoc Networks.
Abstract: Due to the proliferation of technology in different areas of daily life, many new types of communication networks are emerging. Among the most interesting wireless networks, Vehicular Ad-hoc Networks are remarkable because road safety and traffic efficiency are two advances that any developed society should undertake. Therefore, research on such networks should evolve to take the final step and move from theory to reality. However, first, it is necessary to improve many aspects related to security. In particular, identification and management of malicious users within the network are major research issues. The traditional method using revocation lists to manage these users becomes very inefficient when the network grows. This paper proposes an alternative method to efficiently manage malicious users, which uses hash trees and query frequencies in order to fit better with the needs of Vehicular Ad-hoc Networks.

Proceedings ArticleDOI
02 Apr 2015
TL;DR: Keccak, the SHA-3 (secure hash algorithm) has been discussed in this paper which consists of padding and permutation module, this is a one way encryption process which has been implemented on FPGA.
Abstract: Security has become a very demanding parameter in today's world of speed communication. It plays an important role in the network and communication fields where cryptographic processes are involved. These processes involve hash function generation which is a one-way encryption code used for security of data. The main examples include digital signatures, MAC (message authentication codes) and in smart cards. Keccak, the SHA-3 (secure hash algorithm) has been discussed in this paper which consists of padding and permutation module. This is a one way encryption process. High level of parallelism is exhibited by this algorithm. This has been implemented on FPGA. The implementation process is very fast and effective. The algorithm aims at increasing the throughput and reducing the area.

Book ChapterDOI
01 Nov 2015
TL;DR: The security analysis of hashing modes instantiated with AES-128 is revisited and the application of the biclique technique to the domain of hash functions is extended, highlighting the actual security margin provided by these constructions against second preimage attack.
Abstract: In this work, we revisit the security analysis of hashing modes instantiated with AES-128. We use biclique cryptanalysis as the basis for our evaluation. In Asiacrypt'11, Bogdanov et al. had proposed biclique technique for key recovery attacks on full AES-128. Further, they had shown application of this technique to find preimage for compression function instantiated with AES-128 with a complexity of 2^{125.56}. However, this preimage attack on compression function cannot be directly converted to preimage attack on hash function. This is due to the fact that the initialization vector IV is a publicly known constant in the hash function settings and the attacker is not allowed to change it, whereas the compression function attack using bicliques introduced differences in the chaining variable. We extend the application of biclique technique to the domain of hash functions and demonstrate second preimage attack on all 12 PGV modes. The complexities of finding second preimages in our analysis differ based on the PGV construction chosen - the lowest being 2^{126.3} and the highest requiring 2^{126.6} compression function calls. We implement C programs to find the best biclique trails that guarantee the lowest time complexity possible and calculate the above mentioned values accordingly. Our security analysis requires only 2 message blocks and works on full 10 rounds of AES-128 for all 12 PGV modes. This improves upon the previous best result on AES-128 based hash functions by Sasaki at FSE'11 where the maximum number of rounds attacked is 7. Though our results do not significantly decrease the attack complexity factor as compared to brute force, they highlight the actual security margin provided by these constructions against second preimage attack.

Patent
Hemant Kumar Jain
21 Dec 2015
TL;DR: In this paper, a two-stage attribution of application layer DDoS attack is presented, where in the first stage a hash index is maintained and in the second stage a string parameter corresponding to the application layer attribute under attack is kept.
Abstract: Methods and systems for a two-stage attribution of application layer DDoS attack are provided. In a first table just a hash index is maintained whereas the second stage table keeps the string parameter corresponding to the application layer attribute under attack. A linked list maintains a plurality of rows if there is hash collision in the first table. The second table is aged out and reported periodically with details of large strings.

Journal ArticleDOI
TL;DR: A novel double sieve collision attack based on bitwise collision detection, and an improved version with an error-tolerant mechanism that needs 90% less time and has a success rate of 0.9.
Abstract: Advanced Encryption Standard (AES) is widely used for protecting wireless sensor network (WSN). At the Workshop on Cryptographic Hardware and Embedded Systems (CHES) 2012, Gerard et al. proposed an optimized collision attack and broke a practical implementation of AES. However, the attack needs at least 256 averaged power traces and has a high computational complexity because of its byte-wise operation. In this paper, we propose a novel double sieve collision attack based on bitwise collision detection, and an improved version with an error-tolerant mechanism. Practical attacks are successfully conducted on a software implementation of AES in a low-power chip which can be used in wireless sensor node. Simulation results show that our attack needs 90% less time than the work published by Gerard et al. to reach a success rate of 0.9.

Posted Content
Jian Zou, Le Dong
TL;DR: The first cryptanalytic attacks on the round-reduced Kupyna hash function are shown, using the rebound attack and a guess-and-determine MitM attack to construct pseudo-preimage attacks on the 6-round Kupyna-256 and Kupyna-512 hash functions, respectively.
Abstract: The Kupyna hash function was selected as the new Ukrainian standard DSTU 7564:2014 in 2015. It is designed to replace the old Commonwealth of Independent States (CIS) standard GOST 34.311-95. The Kupyna hash function is an AES-based primitive, which uses a Merkle-Damgård compression function based on the Even-Mansour design. In this paper, we show the first cryptanalytic attacks on the round-reduced Kupyna hash function. Using the rebound attack, we present a collision attack on 5-round Kupyna-256. The complexity of this collision attack is (2, 2) (in time and memory). Furthermore, we use a guess-and-determine MitM attack to construct pseudo-preimage attacks on the 6-round Kupyna-256 and Kupyna-512 hash functions, respectively. The complexities of these preimage attacks are (2, 2) and (2, 2) (in time and memory), respectively.

Journal ArticleDOI
TL;DR: This paper improves the preimage attacks against the HAVAL-3 hash function, achieving lower time complexity and memory requirements compared with the best known attack proposed by Sasaki and Aoki at ASIACRYPT 2008.

Journal ArticleDOI
TL;DR: The use of repeated lookups on Latin squares, non-linear transformations and complex shift operations further increases the strength of the cryptographic hash function at a low computational overhead and ensures that the hashing algorithm satisfies the principal properties of preimage resistance and collision resistance.

Journal ArticleDOI
TL;DR: This paper attacks a 2n-bit double length hash function proposed by Lee et al. with hash rate 2/3 and finds a collision attack with complexity O(2^{3n/4}) and a preimage attack with complexity O(2^n).
Abstract: In this paper we attack a 2n-bit double length hash function proposed by Lee et al. This proposal is a blockcipher-based hash function with hash rate 2/3. The designers claimed that it could achieve ideal collision resistance and gave a security proof. However, we find a collision attack with complexity O(2^{3n/4}) and a preimage attack with complexity O(2^n). Our result shows this construction is much worse than an ideal 2n-bit hash function.

Proceedings ArticleDOI
26 Aug 2015
TL;DR: The cost-time estimates reveal that an FPGA-based attack is more efficient than an ASIC-based one, and an Application-Specific Instruction-set Processor (ASIP) named Cracken is proposed, aimed at efficiently realizing a near-collision attack on SHA-1.
Abstract: SHA-1 remains, to date, the most widely used hash function, in spite of several successful cryptanalytic attacks against it. These attacks, however, remain impractical due to high computation complexity and associated cost. We endeavor to do cost-time product estimation for an attack by the aid of application-specific hardware acceleration. This work proposes an Application-Specific Instruction-set Processor (ASIP), named Cracken. Cracken is aimed at efficiently realizing a near-collision attack on SHA-1. The estimation of the physical attack complexity is done using 65nm standard CMOS technology and commercial FPGA devices. It is estimated, with post-layout simulations, that Stevens' differential attack with an estimated complexity of 2^{57.5} can be executed in 46 days using 4096 Cracken cores at a cost of 15 million Euros. An estimation for a real collision with complexity 2^{61} is also done. Our cost-time estimates reveal that an FPGA-based attack is more efficient than an ASIC-based one. Previously reported SHA-1 attacks based on ASIC and cloud computing platforms are also compiled and benchmarked for reference.

Journal ArticleDOI
TL;DR: Experiments and simulations show that in practice, the distinguishers based on least absolute deviation and least square method perform much better than collision-correlation attack and other proposed distinguishers in this paper.
Abstract: Collision attacks are often employed against cryptographic algorithms such as AES and DES. As a usual countermeasure, masking can resist such attacks to some extent. In CHES 2011, Clavier et al. proposed a collision-correlation attack based on the Pearson correlation coefficient against masking. In this paper, a collision distinguisher based on least absolute deviation against masking is proposed. Subsequently, we suggest three other distinguishers based on the least square method, the least exponent method, and the central moment product, respectively. Our experiments and simulations show that in practice, our distinguishers based on least absolute deviation and the least square method perform much better than the collision-correlation attack and the other distinguishers proposed in this paper. We also give four application examples, which show that even if the masks are not reused, the new distinguishers are still effective for collision attacks.

Journal ArticleDOI
TL;DR: The result of this research is a plaintext that exhibits the fixed-point property: it does not affect the hash value, because the resulting output is the IV value itself.

Book ChapterDOI
26 Aug 2015
TL;DR: In this article, improved preimage attacks on the reduced-round GOST hash function family, which serves as the new Russian hash standard, were presented with the aid of techniques such as the rebound attack, the meet-in-the-middle preimage attack and multicollisions.
Abstract: In this paper, we present improved preimage attacks on the reduced-round GOST hash function family, which serves as the new Russian hash standard, with the aid of techniques such as the rebound attack, the Meet-in-the-Middle preimage attack and multicollisions. Firstly, a preimage attack on 5-round GOST-256 is proposed, which is the first preimage attack on GOST-256 at the hash function level. Then we extend the previous attacks on 5-round GOST-256 and 6-round GOST-512 to 6.5 and 7.5 rounds respectively by exploiting the involution property of the GOST transposition operation. Secondly, inspired by the preimage attack on GOST-256, we also study the impact of four representative truncation patterns on the resistance of AES-like compression functions against the Meet-in-the-Middle preimage attack, and propose two stronger truncation patterns which make it more difficult to launch this type of attack. Based on our investigations, we are able to slightly improve the previous pseudo-preimage attacks on reduced-round Grøstl-256.