43 research outputs found
Slide Attacks on a Class of Hash Functions
Abstract. This paper studies the application of slide attacks to hash functions. Slide attacks have mostly been used for block cipher cryptanalysis. But, as shown in the current paper, they also form a potential threat for hash functions, namely for sponge-function like structures. As it turns out, certain constructions for hash-function-based MACs can be vulnerable to forgery and even to key recovery attacks. In other cases, we can at least distinguish a given hash function from a random oracle. To illustrate our results, we describe attacks against the Grindahl-256 and Grindahl-512 hash functions. To the best of our knowledge, this is the first cryptanalytic result on Grindahl-512. Furthermore, we point out a slide-based distinguisher attack on a slightly modified version of RadioGatún. We finally discuss simple countermeasures as a defense against slide attacks. Key words: slide attacks, hash function, Grindahl, RadioGatún, MAC, sponge function.
Hash functions - characteristics, implementation and collisions
Hash functions are elements of modern cryptography. Their task is to convert the data expected at the input into a unique bit sequence. Hash functions are used in many application areas, such as message integrity verification and information authentication; they are used in cryptographic protocols, for data comparison and in other applications. The goal of this master's thesis is to characterize hash functions, describe their basic properties and uses, and then focus on one hash function, namely MD5, and describe it properly: its construction, security and possible attacks on it. The last task is to implement this function and collisions on it. The introductory chapters give the basic definition of a hash function, describe the properties such a function should have, mention the methods by which collisions can be prevented, and name the areas in which hash functions are used. Further chapters focus on the characteristics of the types of hash functions: basic hash functions built on elementary bit operations, perfect hash functions and cryptographic hash functions. After the characterization of hash functions, the thesis turns to practical matters: it describes the basic appearance and control of the program, followed by a step-by-step description of its individual functions, each with sufficient theoretical explanation. The following text describes the MD5 function, its construction, security risks and the implementation itself. The last chapter concerns attacks on hash functions and describes the hash function tunneling method, the brute-force attack and the dictionary attack.
Collision Attack on GRINDAHL
Hash functions have been among the most scrutinized cryptographic primitives in the previous decade, mainly due to the cryptanalysis breakthroughs on the MD-SHA family and the NIST SHA3 competition that followed. GRINDAHL is a hash function proposed at FSE 2007 that inspired several SHA3 candidates. One of its particularities is that it follows the RIJNDAEL design strategy, with an efficiency comparable to SHA2. This paper provides the first cryptanalytic work on this scheme, and we show that the 256-bit version of GRINDAHL is not collision resistant. Our attack uses byte-level truncated differentials and leverages a counterintuitive method (reaching an internal state where all bytes are active) in order to ease the construction of good differential paths. Then, by a careful utilization of the freedom degrees inserted every round, and with a work effort of approximately hash computations, an attacker can generate a collision for the full 256-bit version of GRINDAHL.
The Hash Function Fugue
We describe Fugue, a hash function supporting inputs of length up to 2^{64}-1 bits and hash outputs of length up to 512 bits. Notably, Fugue is not based on a compression function. Rather, it is directly a hash function that supports variable-length inputs.
The starting point for Fugue is the hash function Grindahl, but it extends that design to protect against the kind of attacks that were developed for Grindahl, as well as earlier hash functions like SHA-1.
A key enhancement is the design of a much stronger round function which replaces the AES round function of Grindahl, using better codes (over longer words) than the AES 4 × 4 MDS matrix. Also, Fugue makes judicious use of this new round function on a much larger internal state.
The design of Fugue is proof-oriented: the various components are designed in such a way as to allow proofs of security, and yet be efficient to implement. As a result, we can prove that current attack methods cannot find collisions in Fugue any faster than the trivial birthday attack. Although the proof is computer assisted, the assistance is limited to computing ranks of various matrices.
Cryptanalysis and Design of Symmetric Primitives
This thesis focuses on the cryptanalysis and the design of block ciphers and hash functions. It starts with an overview of methods for the cryptanalysis of block ciphers which are based on differential cryptanalysis. We explain these concepts and show how they can be combined into new techniques that lead to stronger attacks. In the second part we present attacks on reduced versions of ARIA and AES. In the third part we analyze the strength of the internal block ciphers of hash functions: we propose the first attacks that break the full-round internal block ciphers of Tiger and HAS-160, and an attack on a reduced-round version of SHACAL-2 that requires almost no memory. The last part of the thesis is concerned with the analysis and the design of cryptographic hash functions. We adopt the slide attack, a technique known from block cipher cryptanalysis, into the scenario of hash function cryptanalysis, and use this new method to attack different variants of GRINDAHL and RADIOGATUN. Finally, building on the attacks of the second and third parts, we propose a new hash function called TWISTER, which was designed and proposed for the SHA-3 competition and was accepted for round one of this competition. Our approach follows a new strategy to design a cryptographic hash function. We also describe several attacks on TWISTER and discuss the security issues concerning these attacks on TWISTER.
On hashing with tweakable ciphers
Cryptographic hash functions are often built on block ciphers in order to reduce the security analysis of the hash to that of the cipher, and to minimize the hardware size. Well-known hash constructs are used in international standards like MD5 and SHA-1. Recently, researchers proposed new modes of operation for hash functions to protect against generic attacks, and it remains open how to base such functions on block ciphers. An attractive and intuitive choice is to combine previous constructions with tweakable block ciphers. We investigate such constructions, and show the surprising result that combining a provably secure mode of operation with a provably secure tweakable cipher does not guarantee the security of the constructed hash function. In fact, simple attacks can be possible when the interaction between secure components leaves some additional "freedom" to an adversary. Our techniques are derived from the principle of slide attacks, which were introduced for attacking block ciphers.