
Showing papers on "Collision attack published in 2019"


Book ChapterDOI
19 May 2019
TL;DR: Chosen-prefix collisions, as discussed by the authors, are a stronger variant of a collision attack in which an arbitrary pair of challenge prefixes is turned into a collision; they are harder to produce than identical-prefix collisions, but the practical impact of such an attack is much larger.
Abstract: A chosen-prefix collision attack is a stronger variant of a collision attack, where an arbitrary pair of challenge prefixes are turned into a collision. Chosen-prefix collisions are usually significantly harder to produce than (identical-prefix) collisions, but the practical impact of such an attack is much larger. While many cryptographic constructions rely on collision-resistance for their security proofs, collision attacks are hard to turn into breaks of concrete protocols, because the adversary has limited control over the colliding messages. On the other hand, chosen-prefix collisions have been shown to break certificates (by creating a rogue CA) and many internet protocols (TLS, SSH, IPsec).

22 citations


Journal ArticleDOI
TL;DR: This paper proposes a new type of collision attack by making use of leakages from linear layers, which is capable of breaking masking schemes with uniformly distributed random masks, and proposes a novel scalable collision attack of general applicability and high-efficiency.
Abstract: Edge computing has become a promising paradigm for the context-aware and delay-sensitive IoT data analytics. For the sake of security, some cryptographic algorithms such as AES, RSA, and so on, are employed for the encryption communication and authentication. The collision power attack is a typical physical attack to recover the secret key of the AES algorithm. However, almost all collision attacks aim at the detection of internal collisions caused by the output of S-boxes, and the linear layers are not concerned with those protected implementations. The relation between the mask and the masked data has been given little attention and stays as is, where the leakages still exist. In this paper, we focus on three typical AES implementations in edge computing, and propose a new type of collision attack by making use of leakages from linear layers, which is capable of breaking masking schemes with uniformly distributed random masks. In addition, a novel scalable collision attack of general applicability and high-efficiency is proposed and applied to masked linear layers and masked S-boxes. It can reach an equal level of performance compared to the second-order power analysis with acceptable off-line search, which improves the known collision attacks significantly.

21 citations


Proceedings ArticleDOI
28 Feb 2019
TL;DR: In this paper, the authors provide an in-depth analysis of when and why differential computation analysis (DCA) works and propose new DCA-like attacks inspired by side-channel analysis techniques.
Abstract: White-box cryptography is the last security barrier for a cryptographic software implementation deployed in an untrusted environment. The principle of internal encodings is a commonly used white-box technique to protect block cipher implementations. It consists in representing an implementation as a network of look-up tables which are then encoded using randomly generated bijections (the internal encodings). When this approach is implemented based on nibble (i.e. 4-bit wide) encodings, the protected implementation has been shown to be vulnerable to differential computation analysis (DCA). The latter is essentially an adaptation of differential power analysis techniques to computation traces consisting of runtime information, e.g., memory accesses, of the target software. In order to thwart DCA, it has then been suggested to use wider encodings, and in particular byte encodings, at least to protect the outer rounds of the block cipher which are the prime targets of DCA. In this work, we provide an in-depth analysis of when and why DCA works. We pinpoint the properties of the target variables and the encodings that make the attack (in)feasible. In particular, we show that DCA can break encodings wider than 4-bit, such as byte encodings. Additionally, we propose new DCA-like attacks inspired by side-channel analysis techniques. Specifically, we describe a collision attack particularly effective against the internal encoding countermeasure. We also investigate mutual information analysis (MIA) which naturally applies in this context. Compared to the original DCA, these attacks are also passive and they require very limited knowledge of the attacked implementation, but they achieve significant improvements in terms of trace complexity. All the analyses of our work are experimentally backed up with various attack simulation results. We also verified the practicability of our analyses and attack techniques against a publicly available white-box AES implementation protected with byte encodings, which DCA has failed to break before, and against a "masked" white-box AES implementation, which intends to resist DCA.

15 citations


Journal ArticleDOI
TL;DR: The cryptanalytic results support the well-known claim that blockcipher-based hash functions should avoid adopting blockciphers with related-key differential properties, such as the fixed point property in compression functions.
Abstract: It is well-known that blockcipher-based hash functions may be attacked when adopting blockciphers having related-key differential properties. However, all forms of related-key differentials are not always effective to attack them. In this paper we provide the general frameworks for collision and second-preimage attacks on hash functions by using related-key differential properties of instantiated blockciphers, and show their various applications. In the literature, there have been several provably secure blockcipher-based hash functions such as 12 PGV schemes, MDC-2, MJH, Abreast-DM, Tandem-DM, and HIROSE. However, their security cannot be guaranteed when they are instantiated with specific blockciphers. In this paper, we first observe related-key differential properties of some blockciphers such as Even-Mansour (EM), Single-key Even-Mansour (SEM), XPX with a fixed tweak (XPX1111), Chaskey cipher, and LOKI, which are suitable for IoT service platform security. We then present how these properties undermine the security of the aforementioned blockcipher-based hash functions. In our analysis, the collision and second-preimage attacks can be applied to several PGV schemes, MDC-2, MJH instantiated with SEM, XPX1111, Chaskey cipher, to PGV no.5, MJH, HIROSE, Abreast-DM, Tandem-DM instantiated with EM. Furthermore, LOKI-based MDC-2 is vulnerable to the collision attack. We also provide the necessary conditions for related-key differentials of blockciphers in order to attack each of the hash functions. To the best of our knowledge, this study is the first comprehensive analysis of hash functions based on blockciphers having related-key differential properties. Our cryptanalytic results support the well-known claim that blockcipher-based hash functions should avoid adopting blockciphers with related-key differential properties, such as the fixed point property in compression functions. We believe that this study provides a better understanding of the security of blockcipher-based hash functions.

14 citations


Posted Content
TL;DR: A chosen-prefix collision attack is a stronger variant of a collision attack, where an arbitrary pair of challenge prefixes are turned into a collision.
Abstract: A chosen-prefix collision attack is a stronger variant of a collision attack, where an arbitrary pair of challenge prefixes are turned into a collision. Chosen-prefix collisions are usually significantly harder to produce than (identical-prefix) collisions, but the practical impact of such an attack is much larger. While many cryptographic constructions rely on collision-resistance for their security proofs, collision attacks are hard to turn into breaks of concrete protocols, because the adversary has limited control over the colliding messages. On the other hand, chosen-prefix collisions have been shown to break certificates (by creating a rogue CA) and many internet protocols (TLS, SSH, IPsec).

11 citations


Journal ArticleDOI
TL;DR: A relation between “Euclidean distance between traces” and “Hamming distance between values” is established and taken advantage of the distance information leaked from the power traces of encrypting an adaptively chosen plaintext to reduce the candidate plaintext space.
Abstract: Edge computing handles delay-sensitive data and provides real-time feedback, while it brings data security issues to edge devices (such as IoT devices and edge servers). Side-channel attacks are the main threat to these devices. Collision attack represents a powerful category of side-channel analysis in extracting security information from embedded cryptographic algorithms. Since its proposition in 2003, plenty of collision detection algorithms have been presented, most of which enumerate all the values of the target plaintext byte to find a collision. In this paper, we establish a relation between "Euclidean distance between traces" and "Hamming distance between values," and take advantage of the distance information leaked from the power traces of encrypting an adaptively chosen plaintext to reduce the candidate plaintext space. Consequently, the collision is detected at a high pace. Moreover, this improvement is fault-tolerant, and its self-correction feature promotes the efficiency of attacks based on our method significantly. We take AES implemented with masks, which is usually employed in edge computing devices, as an example to introduce our method and conduct experiments to verify its efficiency. According to the experimental results, for whole key recovery attacks, our method requires only 26.5% plaintexts, 32.2% traces, and much less than 10% computations of the collision-correlation attack launched by Clavier et al.

8 citations


Journal ArticleDOI
Hai Huang, Leibo Liu, Qihuan Huang, Yingjie Chen, Shouyi Yin, Shaojun Wei
TL;DR: This paper proposes a new type of LEMS for a block cipher in which the S-box consists of power functions and an affine function and develops an architecture without any nonlinear multiplication for evaluating AES by fully utilizing the property of a hybrid addition-chain (AC) named LUT-AC.
Abstract: The low-entropy masking scheme (LEMS) is a cost-security tradeoff solution that ensures a certain level of security with much lower overheads than a full-entropy masking scheme (FEMS). However, most existing LEMSs are based on a look-up-table (LUT) and limited to the first-order, which is vulnerable to classical higher-order correlation power analysis (CPA) attack and other special types of attack (e.g., collision attack). This paper proposes a new type of LEMS for a block cipher in which the S-box consists of power functions and an affine function. First, a low masking-complexity algorithm for evaluating S-boxes is developed by fully utilizing the property of a hybrid addition-chain (AC) named LUT-AC. Next, an LEMS for block ciphers is proposed. This LEMS provides two different masking modes to realize various cost-security tradeoff schemes. Due to the "masked invariant property" of the LUT-AC, the masking complexity of the proposed LEMS is equal to \(O(d)\), whereas under FEMS it is equal to \(O(d^2)\). Compared with existing LEMSs, the proposed LEMS has the following advantages: higher security in terms of the masking entropy; resistance against collision attacks; and scalability to higher-order schemes. Per the proposed algorithm, an architecture without any nonlinear multiplication for evaluating AES is developed by replacing the LUT with seven scalar multiplications. The different LEMSs based on this architecture are developed. Their area overheads are evaluated by implementing different schemes in 65 nm CMOS process. The security of the first-order LEMS with rotation mode is verified by performing CPA on the SAKURA-G FPGA board. The experimental success rates show that the proposed first-order LEMS can resist CPA without revealing the correct subkey for up to 100 000 power traces, whereas the unprotected scheme is broken at 1100 traces.

7 citations


Book ChapterDOI
18 Aug 2019
TL;DR: This work proposes two novel efficient collision attack frameworks for reduced RIPEMD-160 by making full use of the weakness of its message expansion, called the dense-left-and-sparse-right (DLSR) framework and the sparse-left-and-dense-right (SLDR) framework.
Abstract: RIPEMD-160 is an ISO/IEC standard and has been applied to generate the Bitcoin address with SHA-256. Due to the complex dual-stream structure, the first collision attack on reduced RIPEMD-160 presented by Liu, Mendel and Wang at Asiacrypt 2017 only reaches 30 steps, having a time complexity of \(2^{70}\). Apart from that, several semi-free-start collision attacks have been published for reduced RIPEMD-160 with the start-from-the-middle method. Inspired by such start-from-the-middle structures, we propose two novel efficient collision attack frameworks for reduced RIPEMD-160 by making full use of the weakness of its message expansion. Those two frameworks are called dense-left-and-sparse-right (DLSR) framework and sparse-left-and-dense-right (SLDR) framework. As it turns out, the DLSR framework is more efficient than the SLDR framework since one more step can be fully controlled, though with extra \(2^{32}\) memory complexity. To construct the best differential characteristics for the DLSR framework, we carefully build the linearized part of the characteristics and then solve the corresponding nonlinear part using a guess-and-determine approach. Based on the newly discovered differential characteristics, we provide colliding message pairs for the first practical collision attacks on 30 and 31 (out of 80) steps of RIPEMD-160 with time complexity \(2^{35.9}\) and \(2^{41.5}\) respectively. In addition, benefiting from the partial calculation, we can attack 33 and 34 (out of 80) steps of RIPEMD-160 with time complexity \(2^{67.1}\) and \(2^{74.3}\) respectively. When applying the SLDR framework to the differential characteristic used in the Asiacrypt 2017 paper, we significantly improve the time complexity by a factor of \(2^{13}\). However, it still cannot compete with the results obtained from the DLSR framework. To the best of our knowledge, these are the best collision attacks on reduced RIPEMD-160 with respect to the number of steps, including the first colliding message pairs for 30 and 31 steps of RIPEMD-160.

7 citations


Book ChapterDOI
08 Dec 2019
TL;DR: A fast near collision attack on GSM encryption in 2G/3G networks, which is completely new and more threatening compared to the previous best results, is presented and the validity of the suggested attack is certified.
Abstract: The GSM standard developed by ETSI for 2G networks adopts the A5/1 stream cipher to protect the over-the-air privacy in cell phones and has become the de-facto global standard in mobile communications, despite the emergence of the subsequent 3G/4G standards. There are many cryptanalytic results available so far and the most notable ones share the need of a heavy pre-computation with large rainbow tables or a distributed cracking network. In this paper, we present a fast near collision attack on GSM encryption in 2G/3G networks, which is completely new and more threatening compared to the previous best results. We adapt the fast near collision attack proposed at Eurocrypt 2018 to the concrete irregular clocking manner in A5/1 to obtain a state recovery attack with a low complexity. It is shown that if the first 64 bits of one keystream frame are available, the secret key of A5/1 can be reliably found in \(2^{31.79}\) cipher ticks, given around 1 MB memory and after the pre-computation of \(2^{20.26}\) cipher ticks. Our current implementation clearly certified the validity of the suggested attack. Due to the fact that A5/3 and GPRS share the same key with A5/1, this can be converted into attacks against any GSM network eventually.

6 citations


Journal ArticleDOI
TL;DR: A new divide and conquer strategy named group collision attack (GCA) is proposed in this paper, which focuses on pre-processing and reducing the key candidate space of key enumeration.
Abstract: Key enumeration schemes are used to post-process the scores given by side-channel distinguishers and enumerate the key candidates from the most probable one to the least probable one, which can be regarded as optimal tools for key search. However, their application is limited by the very large key candidate space and the computing power consumed. For example, the attacker may spend several weeks or months enumerating the whole \(2^{45}\) key candidates. Unlike the former literature that tries to propose a more efficient algorithm to process the distinguishers' scores of key candidates directly, we focus on pre-processing and reducing the key candidate space. To achieve this goal, a new divide-and-conquer strategy named group collision attack (GCA) is proposed in this paper. The GCA works as follows in brief. The key candidates are first divided into groups, on which an intra-group collision attack is used to remove the impossible key combinations in each group. Then, the inter-group collision attack is performed to further remove the impossible key combinations between groups. Thus, the complexity of key enumeration is reduced significantly. A series of practical experiments is carried out using our GCA, and the experimental results verify its efficiency.

5 citations
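The side-channel collision entries on this page (linear-layer leakages, Euclidean distance between traces versus Hamming distance between values, and the group collision attack above that prunes the key candidate space before enumeration) all rest on one observation: when two S-box instances process the same input byte, their leakage coincides up to noise, and the plaintext bytes that produced the collision yield the linear relation k_i ⊕ k_j = p_i ⊕ p_j between key bytes. The following is an added, simulated instance of the classic linear collision attack on AES that these papers refine; it is not code from any of them. An unprotected first round leaks the Hamming weight of each S-box output plus Gaussian noise; the attacker chooses plaintexts with p_i = p_0 ⊕ δ for every i, picks per position the δ that minimises the squared Euclidean distance between S-box 0's and S-box i's leakage, and ends with 15 XOR relations that shrink the key space from 2^128 to 2^8. The key, the noise level and the trace count are constructed; the S-box is computed from its definition rather than pasted as a table.

```python
import random


# ---- AES S-box from its definition: GF(2^8) inverse followed by the affine map ----
def _gf_mul(a: int, b: int) -> int:
    """Multiplication in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return r


def _gf_inv(a: int) -> int:
    """a^254 == a^-1 in GF(2^8); maps 0 to 0, as the AES S-box does."""
    r, base, e = 1, a, 254
    while e:
        if e & 1:
            r = _gf_mul(r, base)
        base = _gf_mul(base, base)
        e >>= 1
    return r


def _affine(x: int) -> int:
    rot = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xFF
    return x ^ rot(x, 1) ^ rot(x, 2) ^ rot(x, 3) ^ rot(x, 4) ^ 0x63


SBOX = [_affine(_gf_inv(x)) for x in range(256)]   # SBOX[0x00] == 0x63, SBOX[0x53] == 0xED
HW = [bin(x).count("1") for x in range(256)]
NOISE_SD = 0.5                                      # constructed measurement noise (std-dev)


def make_leaky_device(key, rng):
    """Simulated unprotected AES first round: the 'trace' holds, per S-box, the Hamming weight
    of the S-box output plus Gaussian noise (the usual power model)."""
    def encrypt_and_leak(pt):
        return [HW[SBOX[p ^ k]] + rng.gauss(0, NOISE_SD) for p, k in zip(pt, key)]
    return encrypt_and_leak


def linear_collision_attack(leak, rng, n_traces=128):
    """Chosen-plaintext collision search. For each delta, query plaintexts with p_i = p_0 ^ delta
    (i = 1..15) and accumulate, per position i, the squared Euclidean distance between S-box 0's
    and S-box i's leakage samples. When delta == k_0 ^ k_i both S-boxes see the same input and
    their leakage differs only by noise, so the minimum-distance delta reveals k_0 ^ k_i."""
    dist = [[0.0] * 16 for _ in range(256)]
    for delta in range(256):
        for _ in range(n_traces):
            p0 = rng.randrange(256)
            pt = [p0] + [p0 ^ delta] * 15
            t = leak(pt)
            for i in range(1, 16):
                dist[delta][i] += (t[0] - t[i]) ** 2
    return [0] + [min(range(256), key=lambda d: dist[d][i]) for i in range(1, 16)]


def recover_key_candidates(diffs):
    """The 15 XOR relations leave 2^8 keys: enumerate k_0 and derive every other byte."""
    return [[k0 ^ d for d in diffs] for k0 in range(256)]


def demo(seed=2019):
    rng = random.Random(seed)
    key = [rng.randrange(256) for _ in range(16)]   # constructed secret key
    leak = make_leaky_device(key, rng)
    diffs = linear_collision_attack(leak, rng)
    candidates = recover_key_candidates(diffs)
    return key, diffs, key in candidates, len(candidates)


if __name__ == "__main__":
    key, diffs, found, n = demo()
    print("true key      :", bytes(key).hex())
    print("k0 ^ ki found :", [hex(d) for d in diffs])
    print(f"key in the {n} remaining candidates: {found}")
```

The remaining 256 candidates are what a key enumeration stage (or one known plaintext/ciphertext pair) finishes off; a masked implementation removes the direct collision on S-box outputs, which is why the entries above look for collisions in the linear layer or combine distances with templates instead.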


Journal ArticleDOI
TL;DR: A different semi-free-start collision attack framework for reduced RIPEMD-160 is developed by carefully investigating the message expansion of RIPEMD-160; it allows the attacks to be extended to more steps, and the memory complexity of the attacks is negligible.
Abstract: RIPEMD-160 is a hash function published in 1996, which shares similarities with other hash functions designed in this time-period like MD4, MD5 and SHA-1. However, for RIPEMD-160, no (semi-free-start) collision attacks on the full number of steps are known. Hence, it is still used, e.g., to generate Bitcoin addresses together with SHA-256, and is an ISO/IEC standard. Due to its dual-stream structure, even semi-free-start collision attacks starting from the first step only reach 36 steps, which were first shown by Mendel et al. at Asiacrypt 2013 and later improved by Liu, Mendel and Wang at Asiacrypt 2017. Both of the attacks are based on a similar freedom degree utilization technique as proposed by Landelle and Peyrin at Eurocrypt 2013. However, the best known semi-free-start collision attack on 36 steps of RIPEMD-160 presented at Asiacrypt 2017 still requires \(2^{55.1}\) time and \(2^{32}\) memory. Consequently, a practical semi-free-start collision attack for the first 36 steps of RIPEMD-160 still requires a significant amount of resources. Considering the structure of these previous semi-free-start collision attacks for 36 steps of RIPEMD-160, it seems hard to extend it to more steps. Thus, we develop a different semi-free-start collision attack framework for reduced RIPEMD-160 by carefully investigating the message expansion of RIPEMD-160. Our new framework has several advantages. First of all, it allows the attacks to be extended to more steps. Second, the memory complexity of the attacks is negligible. Hence, we were able to mount semi-free-start collision attacks on 36 and 37 steps of RIPEMD-160 with practical time complexity \(2^{41}\) and \(2^{49}\) respectively. Additionally, we describe semi-free-start collision attacks on 38 and 40 (out of 80) steps of RIPEMD-160 with time complexity \(2^{52}\) and \(2^{74.6}\), respectively. To the best of our knowledge, these are the best semi-free-start collision attacks for RIPEMD-160 starting from the first step with respect to the number of steps, including the first practical colliding message pairs for 36 and 37 steps of RIPEMD-160.

Journal Article
TL;DR: This paper proposes a Minkowski Distance enhanced Collision Attack (MDCA) with performance close to Template Attack (TA), thus making their combination more practical and meaningful and builds a more advanced combined collision attack named Combined Full Collision attack (CFCA) from TA and MDCA to fully exploit collisions.
Abstract: Recovering keys efficiently from very deep candidate space is a very important but challenging issue in Side-Channel Attacks (SCA). State-of-the-art combined collision attacks extract specific collisions from the outputs of a divide-and-conquer attack and an analytical attack, thus reducing the large guessing spaces to much smaller collision spaces. However, the inefficient chain detection makes them time-consuming. The very limited collisions exploited and very different performance of two combined attacks also prevent their application in much deeper spaces. In this paper, we propose a Minkowski Distance enhanced Collision Attack (MDCA) with performance close to Template Attack (TA), thus making their combination more practical and meaningful. Moreover, we build a more advanced combined collision attack named Combined Full Collision Attack (CFCA) from TA and MDCA to fully exploit collisions. We further incorporate guessing theory into CFCA to enable the determination of suitable thresholds and optimize search orders of sub-keys. Finally, to set the thresholds as small as possible while guaranteeing a high success probability of key recovery, we propose Block based Fault-Tolerant CFCA (BFT-CFCA). We further exploit the Fault-Tolerant Vector (FTV) to provide a reference for its chain space adjustment. Experimental results show that BFT-CFCA notably outperforms the existing methods and CFCA.


Journal ArticleDOI
TL;DR: An improved FNCA where the merging phase is optimized by a linear programming based strategy and has a reduction in the overall time complexity of Grain-v1.
Abstract: In 2018, an attack named fast-near-collision attack (FNCA) was proposed, which is an improved version of the near-collision attack (NCA) on Grain-v1, one of the three hardware-oriented finalists of the eSTREAM project. FNCA is designed as a key recovery attack and takes a divide-and-conquer strategy that needs a merging phase. We propose an improved FNCA where the merging phase is optimized by a linear programming based strategy. It decreases the candidates of the internal state vectors (ISVs) in each step of merging and reduces the overall time complexity. Since the merging phase is vital for a divide-and-conquer strategy, where most of the bits of the full internal state are recovered, other analyses on the Grain family with FNCA can be optimized by our method in varying degrees. This paper offers an experiment on a reduced Grain and a theoretical analysis on Grain-v1 to confirm the results. In the case of the reduced Grain with an 80-bit internal state, the time complexity is \(2^{37.1096}\), which is a 27.8% reduction. For Grain-v1, its theoretical time complexity is around \(2^{73.4}\), which is reduced by 79.4% compared with the original one.

Patent
06 Sep 2019
TL;DR: In this article, a database collision attack monitoring method is presented ("database collision" is a literal rendering of the Chinese term 撞库, i.e. credential stuffing: replaying leaked username/password pairs against another service). The method comprises the steps of obtaining login information of a user login behavior and calculating a database collision attack risk value corresponding to at least one user behavior factor according to the login information.
Abstract: The embodiment of the invention discloses a database collision attack monitoring method. The method comprises the steps of obtaining login information of a user login behavior; calculating a database collision attack risk value corresponding to at least one user behavior factor according to the login information of the user login behavior; determining a database collision attack risk value of the current login behavior of the user according to the database collision attack risk value corresponding to the at least one user behavior factor; and positioning a database collision attack risk type of the current login behavior of the user according to the database collision attack risk value of the current login behavior of the user. The embodiment of the invention further discloses a database collision attack monitoring device and system and a computer storage medium.
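The patent abstract gives only the shape of the monitor: per-factor risk values derived from the login information, combined into one risk value for the login, which is then mapped to a risk type. The following is an added illustrative implementation of that shape and not the patent's method: the behaviour factors (distinct accounts per source, failure ratio, attempt velocity, automation in the user agent), their weights, the thresholds, the type names and the login log lines are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Illustrative weights per user-behaviour factor (constructed; they must sum to 1).
WEIGHTS = {"account_spread": 0.4, "failure_ratio": 0.3, "velocity": 0.2, "automation": 0.1}
ALERT_THRESHOLD = 0.5

# Constructed sample login log: (UTC time, source IP, account, outcome, user agent).
EVENTS = [
    ("2019-09-06T10:00:01", "203.0.113.7", "alice", "fail", "python-requests/2.22.0"),
    ("2019-09-06T10:00:02", "203.0.113.7", "bob", "fail", "python-requests/2.22.0"),
    ("2019-09-06T10:00:02", "203.0.113.7", "carol", "fail", "python-requests/2.22.0"),
    ("2019-09-06T10:00:03", "203.0.113.7", "dave", "success", "python-requests/2.22.0"),
    ("2019-09-06T10:00:04", "203.0.113.7", "erin", "fail", "python-requests/2.22.0"),
    ("2019-09-06T10:00:05", "203.0.113.7", "frank", "fail", "python-requests/2.22.0"),
    ("2019-09-06T10:01:00", "198.51.100.2", "alice", "fail", "Mozilla/5.0 (Windows NT 10.0)"),
    ("2019-09-06T10:01:30", "198.51.100.2", "alice", "success", "Mozilla/5.0 (Windows NT 10.0)"),
    ("2019-09-06T10:02:00", "192.0.2.9", "bob", "fail", "Mozilla/5.0 (X11; Linux)"),
    ("2019-09-06T10:02:10", "192.0.2.9", "bob", "fail", "Mozilla/5.0 (X11; Linux)"),
    ("2019-09-06T10:02:20", "192.0.2.9", "bob", "fail", "Mozilla/5.0 (X11; Linux)"),
    ("2019-09-06T10:02:30", "192.0.2.9", "bob", "fail", "Mozilla/5.0 (X11; Linux)"),
]


def factor_scores(events):
    """Per-source-IP behaviour factors, each normalised to [0, 1]."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e[1]].append(e)
    out = {}
    for ip, evs in by_ip.items():
        accounts = {e[2] for e in evs}
        fails = sum(1 for e in evs if e[3] == "fail")
        times = [datetime.fromisoformat(e[0]) for e in evs]
        span_min = max((max(times) - min(times)).total_seconds() / 60, 1.0)
        out[ip] = {
            "account_spread": min(len(accounts) / 5, 1.0),    # 5+ distinct accounts saturates
            "failure_ratio": fails / len(evs),
            "velocity": min(len(evs) / span_min / 5, 1.0),     # 5+ attempts per minute saturates
            "automation": 1.0 if any("Mozilla" not in e[4] for e in evs) else 0.0,
        }
    return out


def risk(factors):
    """Combined risk value in [0, 1] for one source: weighted sum of the factor values."""
    return sum(WEIGHTS[f] * v for f, v in factors.items())


def classify(factors, score):
    """Risk type from the combined value and the dominant factor (illustrative labels)."""
    if score < ALERT_THRESHOLD:
        return "normal"
    if factors["account_spread"] >= 0.6:
        return "credential_stuffing"    # one source trying many different accounts
    return "brute_force"                # one source hammering a single account


def assess(events=EVENTS):
    """Map each source IP to (rounded risk value, risk type)."""
    return {ip: (round(risk(f), 2), classify(f, risk(f))) for ip, f in factor_scores(events).items()}


if __name__ == "__main__":
    for ip, (score, kind) in assess().items():
        print(f"{ip:14} risk={score:.2f} type={kind}")
```

In production the per-source view alone is not enough: distributed credential stuffing spreads a few attempts across many addresses, so the same factors are usually also computed per account and per ASN, and the account-spread signal is the one that survives that dilution best.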

Book ChapterDOI
Yuying Li, Xiaohan Helu, Mohan Li, Yanbin Sun, Le Wang
26 Jul 2019
TL;DR: Building on Bai Honghuan's MD5 fast collision algorithm, the paper states the characteristics of MD5 collisions: when the MD5 values of two different files are the same, adding the same prefix to both files leaves their MD5 values the same, and likewise for the same suffix.
Abstract: MD5 [1] has been widely used because of its irreversibility, but its security is also questionable. Since Professor Wang [2] pointed out that MD5 is unsafe, MD5 collisions and various attack algorithms began to appear and were used in large quantities. In the paper of Bai Honghuan's MD5 fast collision algorithm [3], the characteristics of MD5 collision were proposed; he pointed out that when the MD5 values of two different files are the same, the files are added with the same prefix, and their MD5 values are still the same. Similarly, when the same suffix is added, the MD5 values are still the same, and a program is tested to verify the result.
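The two chosen-prefix entries above and this MD5 entry both turn on how a Merkle-Damgård hash (MD5, SHA-1, RIPEMD-160) propagates a collision. The following is an added example on a toy Merkle-Damgård hash, not code from any of the papers: a 24-bit chaining value makes the generic birthday search for a colliding block take about 2^12 compressions, which is enough to show (1) an identical-prefix collision, where both messages share one prefix and differ in the next block, (2) a chosen-prefix collision, where the attacker picks two different prefixes and finds a block for each that brings the two chaining values together, and (3) that any common suffix appended to two equal-length colliding messages keeps the collision, because the rest of the computation only sees equal chaining values and equal blocks. The final check prepends a common prefix instead, after the colliding blocks were found: the chaining value those blocks were computed under changes, so blocks that must follow a given prefix have to be searched from that prefix's chaining value, which is what both searches here do. The compression function (truncated SHA-256), IV, prefixes and suffix are constructed.

```python
import hashlib

STATE_BYTES = 3       # 24-bit chaining value: a birthday search needs ~2^12 compressions
BLOCK_BYTES = 4
IV = 0x123456         # constructed initial value


def compress(h: int, block: bytes) -> int:
    """Toy compression function: SHA-256 of (chaining value || block), truncated to 24 bits.
    Only the Merkle-Damgard structure matters here, not the strength of the function."""
    assert len(block) == BLOCK_BYTES
    data = h.to_bytes(STATE_BYTES, "big") + block
    return int.from_bytes(hashlib.sha256(data).digest()[:STATE_BYTES], "big")


def pad(msg: bytes) -> bytes:
    """MD strengthening as in MD5: 0x80, zero fill, then the message bit length in 8 bytes."""
    out = msg + b"\x80"
    while (len(out) + 8) % BLOCK_BYTES:
        out += b"\x00"
    return out + (8 * len(msg)).to_bytes(8, "big")


def absorb(h: int, data: bytes) -> int:
    """Run the compression function over block-aligned data starting from chaining value h."""
    for i in range(0, len(data), BLOCK_BYTES):
        h = compress(h, data[i:i + BLOCK_BYTES])
    return h


def toy_hash(msg: bytes) -> int:
    return absorb(IV, pad(msg))


def chosen_prefix_collision(p1: bytes, p2: bytes):
    """Birthday search for blocks b1, b2 with compress(h1, b1) == compress(h2, b2), where h1 and
    h2 are the chaining values after the prefixes. With p1 == p2 this is an identical-prefix
    collision; with p1 != p2 a chosen-prefix collision. Both prefixes must have the same length,
    because MD strengthening hashes the length in the final block (real chosen-prefix attacks
    pad the shorter prefix first for the same reason)."""
    assert len(p1) == len(p2) and len(p1) % BLOCK_BYTES == 0
    h1, h2 = absorb(IV, p1), absorb(IV, p2)
    seen = {}                                   # compress(h1, b) -> b, for blocks tried so far
    ctr = 0
    while True:
        b = ctr.to_bytes(BLOCK_BYTES, "big")
        out = compress(h2, b)
        if out in seen:                         # seen[out] is an earlier block, so b != seen[out]
            return p1 + seen[out], p2 + b
        seen[compress(h1, b)] = b
        ctr += 1


def demo():
    ca = b"CA=Root1"                                            # constructed 8-byte prefix
    a1, a2 = chosen_prefix_collision(ca, ca)                    # identical-prefix collision
    c1, c2 = chosen_prefix_collision(b"CN=alice", b"CN=admin")  # chosen-prefix collision
    suffix = b"; valid-until 2030-01-01"                        # constructed common suffix
    return {
        "identical_prefix": (a1, a2, toy_hash(a1) == toy_hash(a2)),
        "chosen_prefix": (c1, c2, toy_hash(c1) == toy_hash(c2)),
        "same_suffix_survives": toy_hash(c1 + suffix) == toy_hash(c2 + suffix),
        "same_prefix_prepended_survives": toy_hash(b"XXXX" + c1) == toy_hash(b"XXXX" + c2),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The suffix property is what makes a single colliding pair reusable in practice (the same certificate or document body can be appended to both halves); the chosen-prefix search is what lets the two halves carry different, attacker-chosen meaning before the collision blocks.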

Proceedings ArticleDOI
22 Jul 2019
TL;DR: This paper shows a different approach to finding collisions in four "secure" PGV hash function schemes and indicates that those four PGV schemes, when based on 4-round PRESENT-80, do not fulfil the collision resistance property.
Abstract: Preneel-Govaerts-Vandewalle (PGV) hash function schemes are single-block-length hash functions based on a block cipher introduced by Preneel et al. in 1993. They proposed 64 basic ways to construct a (collision-resistant) hash function from a block cipher. They regarded 12 of these 64 schemes as secure, though no proofs or formal claims were given. We take 4 schemes from those 12 schemes to analyze. In this paper, we show a different approach to find collisions in four secure PGV hash function schemes. The use of a block cipher that has iterative differentials, such as PRESENT, lets us find collisions. In 2007, Wang found four iterative characteristics for 4-round PRESENT-80. Based on the analysis, we indicate that those four secure PGV schemes based on 4-round PRESENT-80 do not fulfil the collision resistance property.

Journal ArticleDOI
TL;DR: In the article titled “A Novel Multiple-Bits Collision Attack Based on Double Detection with Error-Tolerant Mechanism”, there was a missing reference to a conference article by the same authors, which was intended to have been cited in the Introduction.
Abstract: In the article titled "A Novel Multiple-Bits Collision Attack Based on Double Detection with Error-Tolerant Mechanism" [1], there was a missing reference to a conference article by the same authors, which was intended to have been cited in the Introduction. The text reading "Our Contribution. In this paper, we propose a novel multiple-bits collision attack framework. In particular, double distance voting detection (DDVD) and the error-tolerant and check mechanism are presented to ensure the high accuracy" should be updated to "Our Contribution. In [20], we have already proposed a basic side-channel collision attack strategy. On basis of it, we propose a novel multiple-bits collision attack framework in this paper. In particular, double distance voting detection (DDVD) as well as the error-tolerant and check mechanism are presented to ensure the high accuracy." Moreover, the reference below [2] should be added to the reference list:

Patent
Ning Wu, Zhou Fang, Ge Fen, Yong Zhang, Lan Lidong 
15 Feb 2019
TL;DR: In this article, a random-delay S-box-based high-speed AES encryption circuit capable of defending against collision attacks is proposed. Circuit throughput is improved through a pipeline technique, and a random delay added at the input and output of each S-box breaks the condition a collision attack needs for its detection.
Abstract: The invention provides a random delay S-box-based high-speed AES encryption circuit capable of defending against a collision attack. The AES encryption circuit is a fully-unfolded structure and consists of 10 turns of round transformation units; the circuit throughput rate is improved through a pipeline technique, and the circuit processing speed is accelerated, wherein a byte substituting unit in a round transformation unit is based on a parallel S-box structure; a random delay is respectively added to an input end and an output end of each S-box, thereby damaging the collision attack detecting condition and achieving the purpose of defending against the collision attack. Compared with the traditional collision attack defensive measure, the circuit in the invention can greatly reduce the circuit area.