
Collision attack

About: Collision attack is a research topic. Over the lifetime, 1093 publications have been published within this topic receiving 28389 citations.


Papers
Book ChapterDOI
03 May 2010
TL;DR: Two methods for finding linear differential trails that lead to lower estimated attack complexities when used within the framework introduced by Brier, Khazaei, Meier and Peyrin at ASIACRYPT 2009 are applied.
Abstract: This paper presents improved collision attacks on round-reduced variants of the hash function CubeHash, one of the SHA-3 second round candidates. We apply two methods for finding linear differential trails that lead to lower estimated attack complexities when used within the framework introduced by Brier, Khazaei, Meier and Peyrin at ASIACRYPT 2009. The first method yields trails that are relatively dense at the beginning and sparse towards the end. In combination with the condition function concept, such trails lead to much faster collision attacks. We demonstrate this by providing a real collision for CubeHash-5/96. The second method randomizes the search for highly probable linear differential trails and leads to significantly better attacks for up to eight rounds.

7 citations

Journal ArticleDOI
TL;DR: A collision attack on the full Extended MD4 and a pseudo-preimage attack on the full RIPEMD respectively are proposed, which optimizes the complexity order for brute-force attack.
Abstract: The cryptographic hash functions Extended MD4 and RIPEMD are double-branch hash functions, which consist of two parallel branches. Extended MD4 was proposed by Rivest in 1990, and RIPEMD was devised in the framework of the RIPE project (RACE Integrity Primitives Evaluation, 1988-1992). On the basis of differential analysis and the meet-in-the-middle attack principle, this paper proposes a collision attack on the full Extended MD4 and a pseudo-preimage attack on the full RIPEMD respectively. The collision attack on Extended MD4 holds with a complexity of 2^37, and a collision instance is presented. The pseudo-preimage attack on RIPEMD holds with a complexity of 2^125.4, which optimizes the complexity order for brute-force attack. The results in this study will also be beneficial to the analysis of other double-branch hash functions such as RIPEMD-160.

7 citations

Patent
08 Jan 2016
TL;DR: In this paper, a method of providing a hash value for a piece of data, where the hash value provides for a time-stamp for the piece of data upon verification, is provided.
Abstract: There is provided a method of providing a hash value for a piece of data, where the hash value provides for a time-stamp for the piece of data upon verification. The method comprises deriving one-time signing keys of the signer's one-time signing key hash chain by a one-way function of a secret key of the signer and a function of an index of the one-time signing key, and providing the hash value for the piece of data by a hash function including the piece of data and the derived one-time signing key. An electronic device comprising a processor arranged to implement a functional module for deriving a one-time signing key and providing a hash value for a piece of data by a hash function including the piece of data and the derived one-time signing key is also disclosed. The functional module is arranged to perform the method. A computer program for implementing the method on the electronic device is also disclosed.

7 citations

Journal ArticleDOI
Hai Huang, Leibo Liu, Qihuan Huang, Yingjie Chen, Shouyi Yin, Shaojun Wei
TL;DR: This paper proposes a new type of LEMS for a block cipher in which the S-box consists of power functions and an affine function and develops an architecture without any nonlinear multiplication for evaluating AES by fully utilizing the property of a hybrid addition-chain (AC) named LUT-AC.
Abstract: The low-entropy masking scheme (LEMS) is a cost-security tradeoff solution that ensures a certain level of security with much lower overheads than a full-entropy masking scheme (FEMS). However, most existing LEMSs are based on a look-up-table (LUT) and limited to the first order, which is vulnerable to the classical higher-order correlation power analysis (CPA) attack and other special types of attack (e.g., collision attack). This paper proposes a new type of LEMS for a block cipher in which the S-box consists of power functions and an affine function. First, a low masking-complexity algorithm for evaluating S-boxes is developed by fully utilizing the property of a hybrid addition-chain (AC) named LUT-AC. Next, an LEMS for block ciphers is proposed. This LEMS provides two different masking modes to realize various cost-security tradeoff schemes. Due to the "masked invariant property" of the LUT-AC, the masking complexity of the proposed LEMS is equal to O(d), whereas under FEMS it is equal to O(d^2). Compared with existing LEMSs, the proposed LEMS has the following advantages: higher security in terms of the masking entropy; resistance against collision attacks; and scalability to higher-order schemes. Per the proposed algorithm, an architecture without any nonlinear multiplication for evaluating AES is developed by replacing the LUT with seven scalar multiplications. The different LEMSs based on this architecture are developed. Their area overheads are evaluated by implementing different schemes in a 65 nm CMOS process. The security of the first-order LEMS with rotation mode is verified by performing CPA on the SAKURA-G FPGA board. The experimental success rates show that the proposed first-order LEMS can resist CPA without revealing the correct subkey for up to 100 000 power traces, whereas the unprotected scheme is broken at 1100 traces.

7 citations

Book ChapterDOI
10 Jun 2014
TL;DR: An impossibility is shown of the memoryless unbalanced MitM attack without significantly increasing the computational cost, which can be used to generate multi-collisions of hash functions by using a dedicated collision attack algorithm.
Abstract: A meet-in-the-middle (MitM) attack is a popular tool for cryptanalysis. It independently computes two functions F and G, and finds a match of their outputs. When the costs of computing F and G are different, the problem is called an unbalanced MitM attack. It is known that, for the balanced case, the MitM attack can be performed with only a negligible memory size without significantly increasing the computational cost by using Floyd's cycle-finding algorithm. It is also widely believed that the same technique can be applied to the unbalanced case, while no one has shown evidence of its possibility yet. This paper contains two contributions. Firstly, we show an impossibility of the memoryless unbalanced MitM attack without significantly increasing the computational cost. The conversion to the memoryless attack with Floyd's cycle-finding algorithm always requires additional computational cost. Secondly, we find applications of the memoryless unbalanced MitM attack to show that it is still meaningful even with some additional computational cost. It can be used to generate multi-collisions of hash functions by using a dedicated collision attack algorithm. Our method finds 3-collisions of SHA-1 with 2^142 computations and negligible memory size, while the known best attack requires 2^106.6 computations and 2^53.3 memory size. The memoryless unbalanced MitM attack can also be applied to the limited-birthday distinguisher for hash functions.

7 citations


Network Information
Related Topics (5)
Cryptography: 37.3K papers, 854.5K citations, 88% related
Public-key cryptography: 27.2K papers, 547.7K citations, 87% related
Hash function: 31.5K papers, 538.5K citations, 85% related
Encryption: 98.3K papers, 1.4M citations, 85% related
Computer security model: 18.1K papers, 352.9K citations, 82% related

Performance Metrics
No. of papers in the topic in previous years
Year  Papers
2023  11
2022  24
2021  15
2020  13
2019  19
2018  15