52 research outputs found
A Formula That Generates Hash Collisions
We present an explicit formula that produces hash collisions for the
Merkle-Damgård construction. The formula works for arbitrary choice of
message block and irrespective of the standardized constants used in hash
functions, although some padding schemes may cause the formula to fail. This
formula bears no obvious practical implications because at least one of any
pair of colliding messages will have length double exponential in the security
parameter. However, due to ambiguity in existing definitions of collision
resistance, this formula arguably breaks the collision resistance of some hash
functions.
Comment: 10 pages
Second Preimages on n-Bit Hash Functions for Much Less than 2^n Work
Abstract. We expand a previous result of Dean [Dea99] to provide a second preimage attack on all n-bit iterated hash functions with Damgård-Merkle strengthening and n-bit intermediate states, allowing a second preimage to be found for a 2^k-message-block message with about k × 2^(n/2+1) + 2^(n-k+1) work. Using RIPEMD-160 as an example, our attack can find a second preimage for a 2^60 byte message in about 2^106 work, rather than the previously expected 2^160 work. We also provide slightly cheaper ways to find multicollisions than the method of Joux [Jou04]. Both of these results are based on expandable messages: patterns for producing messages of varying length, which all collide on the intermediate hash result immediately after processing the message. We provide an algorithm for finding expandable messages for any n-bit hash function built using the Damgård-Merkle construction, which requires only a small multiple of the work done to find a single collision in the hash function.
On hashing with tweakable ciphers
Cryptographic hash functions are often built on block ciphers in order to reduce the security analysis of the hash to that of the cipher, and to minimize the hardware size. Well-known hash constructions are used in international standards like MD5 and SHA-1. Recently, researchers proposed new modes of operation for hash functions to protect against generic attacks, and it remains open how to base such functions on block ciphers. An attractive and intuitive choice is to combine previous constructions with tweakable block ciphers. We investigate such constructions, and show the surprising result that combining a provably secure mode of operation with a provably secure tweakable cipher does not guarantee the security of the constructed hash function. In fact, simple attacks can be possible when the interaction between secure components leaves some additional "freedom" to an adversary. Our techniques are derived from the principle of slide attacks, which were introduced for attacking block ciphers.
On the Design of Secure and Fast Double Block Length Hash Functions
In this work the security of rate-1 double block length hash functions, which are based on a block cipher with a block length of n bits and a key length of 2n bits, is reconsidered.
Counter-examples and new attacks are presented on this general class of rate-1 double block length hash functions, which disclose flaws in the necessary conditions given by Satoh et al. and Hirose. Preimage and second preimage attacks are presented on Hirose's two examples, which were left as an open problem. Therefore, although all the rate-1 hash functions in this general class fail to be optimally (second) preimage resistant, the necessary conditions are refined so that this general class of rate-1 hash functions is optimally secure against the collision attack. In particular, two typical examples designed under the refined conditions are proven to be indifferentiable from the random oracle in the ideal cipher model. The security results are extended to a new class of rate-1 double block length hash functions, where one block cipher used in the compression function has a key length equal to the block length, while the other has a key length of twice the block length.
New Second Preimage Attacks on Dithered Hash Functions with Low Memory Complexity
Dithered hash functions were proposed by Rivest as a method to mitigate second preimage attacks on Merkle-Damgård hash functions. Despite that, second preimage attacks against dithered hash functions were proposed by Andreeva et al. One issue with these second preimage attacks is their huge memory requirement in the precomputation and the online phases. In this paper, we present new second preimage attacks on the dithered Merkle-Damgård construction. These attacks consume significantly less memory in the online phase (with a negligible increase in the online time complexity) than previous attacks. For example, in the case of MD5 with the Keranen sequence, we reduce the memory complexity from about 2^51 blocks to about 2^26.7 blocks (about 545 MB). We also present an essentially memoryless variant of the attack of Andreeva et al. In the case of MD5-Keranen or SHA1-Keranen, the offline and online memory complexity is 2^15.2 message blocks (about 188 to 235 KB), at the expense of increasing the offline time complexity.
Pseudo-Cryptanalysis of Luffa
In this paper, we present pseudo-collision, pseudo-second-preimage and pseudo-preimage attacks on the SHA-3 candidate algorithm Luffa. The pseudo-collisions and pseudo-second-preimages can be found easily by computing the inverse of the message injection function at the beginning of Luffa. We explain the pseudo-preimage attacks in detail. For Luffa-224/256, given the hash value, only 2 iteration computations are needed to get a pseudo-preimage. For Luffa-384, finding a pseudo-preimage needs about iteration computations with bytes memory by the extended generalized birthday attack. For Luffa-512, the complexity is iteration computations with bytes memory.
We note that the pseudo-collision pairs and pseudo-second-preimages can be found by changing only a few bits of the initial values. This converts directly into a forgery attack on NMAC in the related-key setting.