23 research outputs found
The Collision Security of MDC-4
There are four somewhat classical double length block cipher based compression functions known: MDC-2, MDC-4, Abreast-DM, and Tandem-DM. They all have been developed over 20 years ago. In recent years, cryptographic research has put a focus on block cipher based hashing and found collision security results for three of them (MDC-2, Abreast-DM, Tandem-DM). In this paper, we add MDC-4, which is part of the IBM CLiC cryptographic module (FIPS 140-2 Security Policy for IBM CrytoLite in C, October 2003), to that list by showing that - \u27instantiated\u27 using an ideal block cipher with 128 bit key/plaintext/ciphertext size - no adversary asking less than queries can find a collision with probability greater than . This is the first result on the collision security of the hash function MDC-4.
The compression function MDC-4 is created by interconnecting two MDC-2 compression functions but only hashing one message block with them instead of two. The developers aim for MDC-4 was to offer a higher security margin, when compared to MEDC-2, but still being fast enough for practical purposes.
The MDC-2 collision security proof of Steinberger (EUROCRYPT 2007) cannot be directly applied to MDC-4 due to the structural differences. Although sharing many commonalities, our proof for MDC-4 is much shorter and we claim that our presentation is also easier to grasp
New Preimage Attack on MDC-4
In this paper, we provide some cryptanalytic results for
double-block-length (DBL) hash modes of block ciphers, MDC-4. Our
preimage attacks follow the framework of Knudsen et al.\u27s
time/memory trade-off preimage attack on MDC-2. We find how to apply
it to our objects. When the block length of the underlying block
cipher is bits, the most efficient preimage attack on MDC-4
requires time and space about , which is to be compared to
the previous best known preimage attack having time complexity of
. Additionally, we propose an enhanced version of MDC-4,
MDC-4 based on a simple idea. It is secure against our preimage
attack and previous attacks and has the same efficiency as MDC-4
Vortex: A new family of one-way hash functions based on AES rounds and carry-less multiplication
Abstract. We present Vortex a new family of one way hash functions that can produce message digests of 256 bits. The main idea behind the design of these hash functions is that we use well known algorithms that can support very fast diffusion in a small number of steps. We also balance the cryptographic strength that comes from iterating block cipher rounds with SBox substitution and diffusion (like Whirlpool) against the need to have a lightweight implementation with as small number of rounds as possible. We use only 3 AES rounds as opposed to 10 since our goal is not to protect a secret symmetric key but to support perfect mixing of the bits of the input into the hash value. Three AES rounds are followed by our variant of Galois Field multiplication. This achieves cross-mixing between 128-bit sets. We present a set of qualitative arguments why we believe Vortex supports collision resistance and first pre-image resistance
The Security of Abreast-DM in the Ideal Cipher Model
In this paper, we give a security proof for Abreast-DM in terms of collision resistance and preimage resistance. As old as Tandem-DM, the compression function Abreast-DM is one of the most well-known constructions for double block length compression functions. The bounds on the number of queries for collision resistance and preimage resistance are given by O(2^n). Based on a novel technique using query-response cycles, our security proof is simpler than those for MDC-2 and Tandem-DM. We also present a wide class of Abreast-DM variants that enjoy a birthday-type security guarantee with a simple proof
Cryptanalysis of Some Double-Block-Length Hash Modes of Block Ciphers with -Bit Block and -Bit Key
In this paper, we make attacks on DBL (Double-Block-Length) hash
modes of block ciphers with -bit key and -bit block. Our
preimage attack on the hash function of MDC-4 scheme requires the
time complexity , which is significantly improved compared
to the previous results. Our collision attack on the hash function
of MJH scheme has time complexity less than for .
Our preimage attack on the compression function of MJH scheme find a
preimage with time complexity of . It is converted to a
preimage attack on the hash function with time complexity of
. Our preimage attack on the compression function of
Mennink\u27s scheme find a preimage with time complexity of .
It is converted to a preimage attack on the hash function with time
complexity of . These attacks are helpful for understanding the security of the hash
modes together with their security proofs
Security of Permutation-based Compression Function lp 231
In this paper, we study security of a certain class of permutation-based compression functions. Denoted lp 231 by Rogaway and Steinberger, they are 2n-to-n-bit compression functions using three calls to a single -bit random permutation. We prove that lp 231 is asymptotically preimage resistant up to 2^{2n/3}/n query complexity and collision resistant up to 2^{n/2}/n^{1+e} query complexity for any e>0. Based on a single permutation, lp 231 provides both efficiency and almost optimal collision security
Distinguisher and Related-Key Attack on the Full AES-256 (Extended Version)
In this paper we construct a chosen-key distinguisher and a
related-key attack on the full 256-bit key AES. We define a
notion of {\em differential -multicollision} and show that for
AES-256 -multicollisions can be constructed in time and with negligible memory, while we prove that the same
task for an ideal cipher of the same block size would require at
least time. Using similar
approach and with the same complexity we can also construct
-pseudo collisions for AES-256 in Davies-Meyer hashing mode, a
scheme which is provably secure in the ideal-cipher model. We have
also computed partial -multicollisions in time
on a PC to verify our results. These results show that AES-256 can
not model an ideal cipher in theoretical constructions.
Finally, we extend our results
to find the first publicly known attack on the full 14-round
AES-256: a related-key distinguisher which works for one out of
every keys with data and time complexity and
negligible memory. This distinguisher is translated into a
key-recovery
attack with total complexity of time and memory
Efficient Hashing Using the AES Instruction Set
In this work, we provide a software benchmark for a large range of 256-bit blockcipher-based hash functions. We instantiate the underlying blockcipher with AES, which allows us to exploit the recent AES instruction set (AESNI). Since AES itself only outputs 128 bits, we consider double-block-length constructions, as well as (single-block-length) constructions based on RIJNDAEL-256. Although we primarily target architectures supporting AES-NI, our framework has much broader applications by estimating the performance of these hash functions on any (micro-)architecture given AES-benchmark results. As far as we are aware, this is the first comprehensive performance comparison of multiblock- length hash functions in software
Optimal Collision Security in Double Block Length Hashing with Single Length Key
The idea of double block length hashing is to construct a compression function on 2n bits using a block cipher with an n-bit block size. All optimally secure double length hash functions known in the literature employ a cipher with a key space of double block size, 2n-bit. On the other hand, no optimally secure compression functions built from a cipher with an n-bit key space are known. Our work deals with this problem. Firstly, we prove that for a wide class of compression functions with two calls to its underlying n-bit keyed block cipher collisions can be found in about 2n/2 queries. This attack applies, among others, to functions where the output is derived from the block cipher outputs in a linear way. This observation demonstrates that all security results of designs using a cipher with 2n-bit key space crucially rely on the presence of these extra n key bits. The main contribution of this work is a proof that this issue can be resolved by allowing the compression function to make one extra call to the cipher. We propose a family of compression functions making three block cipher calls that asymptotically achieves optimal collision resistance up to 2n(1-ε) queries and preimage resistance up to 23n(1-ε)/2 queries, for any ε > 0. To our knowledge, this is the first optimally collision secure double block length construction using a block cipher with single length key space. © International Association for Cryptologic Research 2012.status: publishe