45 research outputs found
Preimage Attacks on 3-Pass HAVAL and Step-Reduced MD5
This paper presents preimage attacks for the hash functions 3-pass
HAVAL and step-reduced MD5. Introduced in 1992 and 1991
respectively, these functions underwent severe collision attacks,
but no preimage attack. We describe two preimage attacks on the
compression function of 3-pass HAVAL. The attacks have a complexity
of about compression function evaluations instead of
. Furthermore, we present several preimage attacks on the
MD5 compression function that invert up to 47 (out of 64) steps
within trials instead of . Though our attacks are
not practical, they show that the security margin of 3-pass HAVAL
and step-reduced MD5 with respect to preimage attacks is not as high
as expected
Preimages for Step-Reduced SHA-2
In this paper, we present a preimage attack for 42 step-reduced SHA-256 with time complexity and memory requirements of order . The same attack also applies to 42 step-reduced SHA-512 with time complexity and memory requirements of order . Our attack is meet-in-the-middle preimage attack
Improved Preimage Attack on One-block MD4
We propose an improved preimage attack on one-block MD4 with the
time complexity MD4 compression function operations, as
compared to in \cite{AokiS-sac08}. We research the attack
procedure in \cite{AokiS-sac08} and formulate the complexity for
computing a preimage attack on one-block MD4. We attain the result
mainly through the following two aspects with the help of the
complexity formula. First, we continue to compute two more steps
backward to get two more chaining values for comparison during the
meet-in-the-middle attack. Second, we search two more neutral words
in one independent chunk, and then propose the multi-neutral-word
partial-fixing technique to get more message freedom and skip ten
steps for partial-fixing, as compared to previous four steps. We
also use the initial structure technique and apply the same idea to
improve the pseudo-preimage and preimage attacks on Extended MD4
with and improvement factor, as compared to
previous attacks in \cite{SasakiA-acisp09}, respectively
Automatic Search of Meet-in-the-Middle Preimage Attacks on AES-like Hashing
The Meet-in-the-Middle (MITM) preimage attack is highly effective in breaking the preimage resistance of many hash functions, including but not limited to the full MD5, HAVAL, and Tiger, and reduced SHA-0/1/2. It was also shown to be a threat to hash functions built on block ciphers like AES by Sasaki in 2011. Recently, such attacks on AES hashing modes evolved from merely using the freedom of choosing the internal state to also exploiting the freedom of choosing the message state. However, detecting such attacks especially those evolved variants is difficult. In previous works, the search space of the configurations of such attacks is limited, such that manual analysis is practical, which results in sub-optimal solutions. In this paper, we remove artificial limitations in previous works, formulate the essential ideas of the construction of the attack in well-defined ways, and translate the problem of searching for the best attacks into optimization problems under constraints in Mixed-Integer-Linear-Programming (MILP) models. The MILP models capture a large solution space of valid attacks; and the objectives of the MILP models are attack configurations with the minimized computational complexity. With such MILP models and using the off-the-shelf solver, it is efficient to search for the best attacks exhaustively. As a result, we obtain the first attacks against the full (5-round) and an extended (5.5-round) version of Haraka-512 v2, and 8-round AES-128 hashing modes, as well as improved attacks covering more rounds of Haraka-256 v2 and other members of AES and Rijndael hashing modes
Comprehensive Preimage Security Evaluations on Rijndael-based Hashing
The Meet-in-the-Middle (MITM) attack is one of the most powerful cryptanalysis techniques, as seen by its use in preimage attacks on MD4, MD5, Tiger, HAVAL, and Haraka-512 v2 hash functions and key recovery for full-round KTANTAN. An efficient approach to constructing MITM attacks is automation, which refers to modeling MITM characteristics and objectives into constraints and using optimizers to search for the best attack configuration. This work focuses on the simplification and renovation of the most advanced superposition framework based on Mixed-Integer Linear Programming (MILP) proposed at CRYPTO 2022. With the refined automation model, this work provides the first comprehensive analysis of the preimage security of hash functions based on all versions of the Rijndael block cipher, the origin of the Advanced Encryption Standard (AES), and improves the best-known results. Specifically, this work has extended the attack rounds of Rijndael 256-192 and 256-256, reduced the attack complexity of Rijndael 256-128 and 128-192 (AES192), and filled the gap of preimage security evaluation on Rijndael versions with a block size of 192 bits
Generic Universal Forgery Attack on Iterative Hash-based MACs
In this article, we study the security of iterative hash-based MACs, such as HMAC or NMAC, with regards to universal forgery attacks. Leveraging recent advances in the analysis of functional graphs built from the iteration of HMAC or NMAC, we exhibit the very first generic universal forgery attack against hash-based MACs. In particular, our work implies that the universal forgery resistance of an n-bit output HMAC construction is not 2^n queries as long believed by the community. The techniques we introduce extend the previous functional graphs-based attacks that only took in account the cycle structure or the collision probability: we show that one can extract much more meaningful secret information by also analyzing the distance of a node from the cycle of its component in the functional graph
Preimage Attacks on 41-Step SHA-256 and 46-Step SHA-512
In this paper, we propose preimage attacks on 41-step SHA-256 and 46-step SHA-512,
which drastically increase the number of attacked steps compared to the best previous preimage attack working for only 24 steps.
The time complexity for 41-step SHA-256 is compression function operations and the memory requirement is
words.
The time complexity for 46-step SHA-512 is compression function operations and the memory requirement is
words.
Our attack is a meet-in-the-middle attack.
We first consider the application of previous meet-in-the-middle attack techniques to SHA-2.
We then analyze the message expansion of SHA-2 by considering all previous techniques
to find a new independent message-word partition.
We first explain the attack on 40-step SHA-256 whose complexity is to describe the ideas.
We then explain how to extend the attack
Enhancing the Security Level of SHA-1 by Replacing the MD Paradigm
Cryptographic hash functions are important cryptographic techniques and are used widely in many cryptographic applications and protocols. All the MD4 design based hash functions such as MD5, SHA-0, SHA-1 and RIPEMD-160 are built on Merkle-Damgard iterative method. Recent differential and generic attacks against these popular hash functions have shown weaknesses of both specific hash functions and their underlying Merkle-Damgard construction. In this paper we propose a hash function which follows design principle of SHA-1 and is based on dither construction. Its compression function takes three inputs and generates a single output of 160-bit length. An extra input to a compression function is generated through a fast pseudo-random function. Dither construction shows strong resistance against major generic and other cryptanalytic attacks. The security of proposed hash function against generic attacks, differential attack, birthday attack and statistical attack was analyzed in detail. It is exhaustedly compared with SHA-1 because hash functions from SHA-2 and SHA-3 are of higher bit length and known to be more secure than SHA-1. It is shown that the proposed hash function has high sensitivity to an input message and is secure against different cryptanalytic attacks
New Preimage Attacks Against Reduced SHA-1
This paper shows preimage attacks against reduced SHA-1 up to 57 steps. The best previous attack has been presented at CRYPTO 2009 and was for 48 steps finding a two-block preimage with incorrect padding at the cost of 2159.3 evaluations of the compression function. For the same variant our attacks find a one-block preimage at 2150.6 and a correctly padded two-block preimage at 2151.1 evaluations of the compression function. The improved results come out of a differential view on the meet-in-the-middle technique originally developed by Aoki and Sasaki. The new framework closely relates meet-in-the-middle attacks to differential cryptanalysis which turns out to be particularly useful for hash functions with linear message expansion and weak diffusion properties