
Collision attack

About: Collision attack is a research topic. Over the lifetime, 1093 publications have been published within this topic receiving 28389 citations.


Papers
Journal ArticleDOI
TL;DR: This paper improves the preimage attacks against HAVAL-3 hash function to within lower time complexity and memory requirement, compared with the best known attack proposed by Sasaki and Aoki in ASIACRYPT 2008.

5 citations

Book ChapterDOI
TL;DR: Ghoshal and Komargodski study the power of preprocessing adversaries in finding bounded-length collisions in the widely used Merkle-Damgård (MD) hashing in the random oracle model.
Abstract: We study the power of preprocessing adversaries in finding bounded-length collisions in the widely used Merkle-Damgård (MD) hashing in the random oracle model. Specifically, we consider adversaries that have arbitrary S-bit advice about the random oracle and can make at most T queries to it. Our goal is to characterize the advantage of such adversaries in finding a B-block collision in an MD hash function constructed using the random oracle with range size N as the compression function (given a random salt). The answer to this question is completely understood for very large values of B (essentially $$\varOmega (T)$$ ) as well as for $$B=1,2$$ . For $$B\approx T$$ , Coretti et al. (EUROCRYPT ’18) gave matching upper and lower bounds of $$\tilde{\varTheta }(ST^2/N)$$ . Akshima et al. (CRYPTO ’20) observed that the attack of Coretti et al. could be adapted to work for any value of $$B>1$$ , giving an attack with advantage $$\tilde{\varOmega }(STB/N + T^2/N)$$ . Unfortunately, they could only prove that this attack is optimal for $$B=2$$ . Their proof involves a compression argument with exhaustive case analysis and, as they claim, a naive attempt to generalize their bound to larger values of B (even for $$B=3$$ ) would lead to an explosion in the number of cases needed to be analyzed, making it unmanageable. With the lack of a more general upper bound, they formulated the STB conjecture, stating that the best-possible advantage is $$\tilde{O}(STB/N + T^2/N)$$ for any $$B>1$$ . In this work, we confirm the STB conjecture in many new parameter settings. For instance, in one result, we show that the conjecture holds for all constant values of B. Further, using combinatorial properties of graphs, we are able to confirm the conjecture even for super-constant values of B, as long as some restriction is made on S. For instance, we confirm the conjecture for all $$B \leqslant T^{1/4}$$ as long as $$S \leqslant T^{1/8}$$ . Technically, we develop structural characterizations for bounded-length collisions in MD hashing that allow us to give a compression argument in which the number of cases needed to be handled does not explode.

5 citations

01 Jan 2009
TL;DR: The ZesT hash function is introduced, a provable hash function that is based on the Zemor-Tillich hash function, which has structural parallelism, and its simplicity will certainly allow a much wider range of implementations and many code optimization techniques.
Abstract: Hash functions are a very important cryptographic primitive. The collision resistance of provable hash functions relies on hard mathematical problems. This makes them very appealing for the cryptographic community since collision resistance is by far the most important property that a hash function should satisfy. However, provable hash functions tend to be slower than specially-designed hash functions like SHA, and their algebraic structure often implies homomorphic properties and weak behaviors on particular inputs. We introduce the ZesT hash function, a provable hash function that is based on the Zemor-Tillich hash function. ZesT is provably collision and preimage resistant if the balance problem corresponding to Zemor-Tillich is hard, a problem that has remained unbroken since CRYPTO'94. The function admits an ultra-lightweight implementation in ASIC and it is currently between 2 and 3 times less efficient than SHA on FPGA, and between 4 and 10 times slower than SHA in software. The function has structural parallelism, and its simplicity will certainly allow a much wider range of implementations and many code optimization techniques. A careful examination and pseudorandom tests performed with the Dieharder suite revealed no apparent malleability weakness, which suggests that the function can be used as a general-purpose hash function. Finally, ZesT can be slightly modified to reach all the requirements of the NIST competition. We stress that the hardness of the balance problem corresponding to Zemor-Tillich should be further studied and better established by the cryptography community. In that case, our function ZesT will definitely become a very appealing all-purpose hash function.

5 citations

Posted Content
TL;DR: This paper presents a significant performance improvement for collision detection based on the new concept of unavoidable conditions, and provides a formal model for unavoidable conditions for collision attacks on MD5-like compression functions.
Abstract: Counter-cryptanalysis, the concept of using cryptanalytic techniques to detect cryptanalytic attacks, was introduced by Stevens at CRYPTO 2013 [22] with a hash collision detection algorithm. That is, an algorithm that detects whether a given single message is part of a colliding message pair constructed using a cryptanalytic collision attack on MD5 or SHA-1. The concept's utility was proven when it was used to expose the then-unknown cryptanalytic collision attack exploited by the Flame espionage supermalware. So far there is a significant cost: to detect collision attacks against SHA-1 (respectively MD5) costs the equivalent of hashing the message 15 (respectively 224) times. In this paper we present a significant performance improvement for collision detection based on the new concept of unavoidable conditions. Unavoidable conditions are conditions that are necessary for all feasible attacks in a certain attack class. As such they can be used to quickly dismiss particular attack classes that may have been used in the construction of the message. To determine an unavoidable condition one must rule out any feasible variant attack where this condition might not be necessary; otherwise adversaries aware of counter-cryptanalysis could easily bypass this improved collision detection with a carefully chosen variant attack. We provide a formal model for unavoidable conditions for collision attacks on MD5-like compression functions. Furthermore, based on a conjecture solidly supported by the current state of the art, we show how we can determine such unavoidable conditions for SHA-1. We have implemented the improved SHA-1 collision detection using such unavoidable conditions, which is about 16 times faster than without our unavoidable condition improvements. We have measured that overall our implemented SHA-1 with collision detection is only a factor 1.96 slower, on average, than SHA-1. Our work is very timely given the recently announced SHA-1 collision proving that SHA-1 is now practically broken.

5 citations

Proceedings ArticleDOI
Fong Pong
12 Jul 2006
TL;DR: A new design for fast and robust TCP session lookup using a "set-associative" hash table, where each hash bucket keeps multiple "compressed and canonical" tags, which is effective and storage-efficient.
Abstract: We present a new design for fast and robust TCP session lookup. The design uses a "set-associative" hash table, where each hash bucket keeps multiple "compressed and canonical" tags. The canonical tags encode both the flow identifiers and the addresses of the TCP contexts by a forward signature function F(Tag(flow identifier), address) during installation. On session lookup, an inverse function F^I(Tag(flow identifier), tag) matches sessions and recovers the address of the TCP context. We show that the method is effective and storage-efficient. It is also resistant to denial-of-service attacks fabricated by forcing excessive hash collisions.

5 citations


Network Information
Related Topics (5)
Cryptography: 37.3K papers, 854.5K citations, 88% related
Public-key cryptography: 27.2K papers, 547.7K citations, 87% related
Hash function: 31.5K papers, 538.5K citations, 85% related
Encryption: 98.3K papers, 1.4M citations, 85% related
Computer security model: 18.1K papers, 352.9K citations, 82% related
Performance Metrics
No. of papers in the topic in previous years

Year    Papers
2023    11
2022    24
2021    15
2020    13
2019    19
2018    15