
Collision attack

About: Collision attack is a research topic. Over the lifetime, 1093 publications have been published within this topic receiving 28389 citations.


Papers
Book Chapter DOI
17 May 2021
TL;DR: In this article, the authors studied the challenges and costs of building an ASIC cluster for performing chosen-prefix collision attacks against a hash function and proposed two cryptanalytic strategies that can be used to find such collisions.
Abstract: In February 2017, the SHA-1 hashing algorithm was practically broken using an identical-prefix collision attack implemented on a GPU cluster, and in January 2020 a chosen-prefix collision was first computed with practical implications on various security protocols. These advances opened the door for several research questions, such as the minimal cost to perform these attacks in practice. In particular, one may wonder what is the best technology for software/hardware cryptanalysis of such primitives. In this paper, we address some of these questions by studying the challenges and costs of building an ASIC cluster for performing attacks against a hash function. Our study takes into account different scenarios and includes two cryptanalytic strategies that can be used to find such collisions: a classical generic birthday search, and a state-of-the-art differential attack using neutral bits for SHA-1.

1 citation

Journal Article DOI
TL;DR: In this paper, a keyed hash function based on the Farfalle construction and chaotic neural networks (CNNs) is proposed, which generates a hash value of arbitrary (user-defined) length (e.g., 256 and 512 bits).
Abstract: Parallel computing of hash functions, together with the security requirements, has great advantages in reducing the time consumption and overhead of the CPU. In this article, a keyed hash function based on the Farfalle construction and chaotic neural networks (CNNs) is proposed, which generates a hash value of arbitrary (user-defined) length (e.g., 256 and 512 bits). The proposed hash function has the merit of parallelism because it is built over the Farfalle construction, which avoids the dependency between the blocks of a given message. Moreover, the proposed hash function is chaos based (i.e., it relies on chaotic maps and CNNs, which have non-periodic behavior). The security analysis shows that the proposed hash function is robust and satisfies the properties of hash algorithms, such as random-like (non-periodic) behavior, ideal sensitivity to the original message and secret key, the one-way property and optimal diffusion effect. The speed performance of the hash function is also analyzed and compared with a hash function built on the sponge construction and CNNs, and with secure hash algorithm (SHA) variants such as SHA-2 and SHA-3. The results show that the proposed hash function has lower time complexity and higher throughput, especially for large messages. Additionally, the proposed hash function has sufficient resistance to multiple attacks, such as collision attacks, birthday attacks, exhaustive key search, preimage and second-preimage attacks, and meet-in-the-middle attacks. These advantages make it suitable for use as a collision-resistant hash function.

1 citation

Patent
19 Apr 2017
TL;DR: In this patent, the authors propose a data tamper-proofing method comprising the following steps: before sending, the original data information is segmented and the segments are hashed with a pre-stored hash function to obtain an original data information verification string; the original data and this verification string are sent together and received together; the receiver segments and hashes the received data in the same way and compares the result with the received verification string to decide whether the data was tampered with.
Abstract: The invention discloses a data tamper-proofing method comprising the following steps of after original data information is segmented before sending, hashing the segmented information by using a pre-stored hash function to acquire an original data information verification string; synchronously sending the original data and the original data information verification string when in sending, synchronously receiving the sent data information and original data information verification string when in receiving; after the data information and the original data information verification string are received, segmenting the received data information, and then hashing the segmented information by using the pre-stored hash function to acquire a received data information verification string; and judging whether the received data information verification string is accordant with the original data information verification string by comparison, if yes, determining that the received data information is not tampered, and otherwise, determining that the received data information is tampered. The invention also provides a data tamper-proofing system. According to the method and the system provided by the invention, the difficulty of tampering the data by a third party is greatly increased, a collision attack from the third party with the aid of a rainbow table is effectively prevented, data falsification of a user is prevented, and data transmission security is ensured.

1 citation

Journal Article DOI
TL;DR: In this article, weak second-preimage resistance and weak collision resistance are defined following the definition of weak one-wayness, which implies that collision-resistant hash functions can be obtained even if the discrete logarithm problem is much easier than is believed and only weakly intractable.
Abstract: Cryptographic unkeyed hash functions should satisfy preimage resistance, second-preimage resistance and collision resistance. In this article, weak second-preimage resistance and weak collision resistance are defined following the definition of weak one-wayness. Preimage resistance is the one-wayness of cryptographic hash functions. The properties of weak collision resistance are discussed in this article; the same kind of results can be obtained for weak second-preimage resistance. Weak collision resistance means that the probability of failing to find a collision is not negligible, while collision resistance means that the success probability is negligible. It is shown that weakly collision-resistant hash functions really exist if collision-resistant ones exist. Then, it is shown that weak collision resistance is amplifiable, that is, collision-resistant hash functions can be constructed from weakly collision-resistant ones. Unfortunately, the method of amplification presented in this article is applicable only to a certain kind of hash function. However, the method is applicable to hash functions based on discrete logarithms. This implies that collision-resistant hash functions can be obtained even if the discrete logarithm problem is much easier than is believed and only weakly intractable, that is, exponentiation modulo a prime is weakly one-way.

1 citation

Book Chapter DOI
04 Nov 2009
TL;DR: The attack exploits weaknesses in a narrow-pipe mode of operation of AURORA-512 named "Double-Mix Merkle-Damgård (DMMD)," which produces 512-bit output by updating two 256-bit chaining variables in parallel, and works even if the compression function is regarded as a random oracle.
Abstract: We present cryptanalyses of the AURORA-512 hash function, which is a SHA-3 candidate. We first describe a collision attack on AURORA-512. We then show a second-preimage attack on AURORA-512/-384 and explain that the randomized hashing can also be attacked. We finally show a full key-recovery attack on HMAC-AURORA-512 and universal forgery on HMAC-AURORA-384. Our attack exploits weaknesses in a narrow-pipe mode of operation of AURORA-512 named "Double-Mix Merkle-Damgård (DMMD)," which produces 512-bit output by updating two 256-bit chaining variables in parallel. We do not look inside of the compression function. Hence, our attack can work even if the compression function is regarded as a random oracle. The time complexity of our collision attack is approximately 2^236 AURORA-512 operations, and 2^236 × 512 bits of memory is required. Our second-preimage attack works on any given message. The time complexity is approximately 2^290 AURORA-512 operations, and 2^288 × 512 bits of memory is required. Our key-recovery attack on HMAC-AURORA-512, which uses 512-bit secret keys, requires 2^257 queries, 2^259 off-line AURORA-512 operations, and a negligible amount of memory. The universal forgery on HMAC-AURORA-384 is also possible by combining the second-preimage and key-recovery attacks.

1 citation


Network Information
Related Topics (5)
- Cryptography: 37.3K papers, 854.5K citations, 88% related
- Public-key cryptography: 27.2K papers, 547.7K citations, 87% related
- Hash function: 31.5K papers, 538.5K citations, 85% related
- Encryption: 98.3K papers, 1.4M citations, 85% related
- Computer security model: 18.1K papers, 352.9K citations, 82% related
Performance Metrics
No. of papers in the topic in previous years
Year  Papers
2023  11
2022  24
2021  15
2020  13
2019  19
2018  15