Yingxin Li,Fukang Liu,Gaoli Wang

DOI: https://doi.org/10.1007/978-3-031-58716-0_6

2024-01-01

Abstract:The SHA-2 family including SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224 and SHA512/256 is a U.S. federal standard published by NIST. Especially, there is no doubt that SHA-256 is one of the most important hash functions used in real-world applications. Due to its complex design compared with SHA-1, there is almost no progress in collision attacks on SHA-2 after ASIACRYPT 2015. In this work, we retake this challenge and aim to significantly improve collision attacks on the SHA-2 family. First, we observe from many existing attacks on SHA-2 that the current advanced tool to search for SHA-2 characteristics has reached the bottleneck. Specifically, longer differential characteristics could not be found, and this causes that the collision attack could not reach more steps. To address this issue, we adopt Liu et al.’s MILP-based method and implement it with SAT/SMT for SHA-2, where we also add more techniques to detect contradictions in SHA-2 characteristics. This answers an open problem left in Liu et al.’s paper to apply the technique to SHA-2. With this SAT/SMT-based tool, we search for SHA-2 characteristics by controlling its sparsity in a dedicated way. As a result, we successfully find the first practical semi-free-start (SFS) colliding message pair for 39-step SHA-256, improving the best 38-step SFS collision attack published at EUROCRYPT 2013. In addition, we also report the first practical free-start (FS) collision attack on 40-step SHA-224, while the previously best theoretic 40-step attack has time complexity 2 110 . Moreover, for the first time, we can mount practical and theoretic collision attacks on 28-step and 31-step SHA-512, respectively, which improve the best collision attack only reaching 27 steps of SHA-512 at ASIACRYPT 2015. In a word, with new techniques to find SHA-2 characteristics, we have made some notable progress in the analysis of SHA-2 after the major achievements made at EUROCRYPT 2013 and ASIACRYPT 2015.

Somitra Kumar Sanadhya,Palash Sarkar

DOI: https://doi.org/10.48550/arXiv.0803.1220

2008-03-08

Abstract:In this note, we provide the first 22-step collisions for SHA-256 and SHA-512. Detailed technique of generating these collisions will be provided in the next revision of this note.

Cryptography and Security

Xiaoyun Wang,Yiqun Lisa Yin,Hongbo Yu

DOI: https://doi.org/10.1007/11535218_2

2005-01-01

Abstract:In this paper, we present new collision search attacks on the hash function SHA-1. We show that collisions of SHA-1 can be found with complexity less than 269 hash operations. This is the first attack on the full 80-step SHA-1 with complexity less than the 280 theoretical bound.

Yingxin Li,Fukang Liu,Gaoli Wang

DOI: https://doi.org/10.46586/tosc.v2023.i4.112-142

2023-01-01

Abstract:As an ISO/IEC standard, the hash function RIPEMD-160 has been used to generate the Bitcoin address with SHA-256. However, due to the complex doublebranch structure of RIPEMD-160, the best collision attack only reaches 36 out of 80 steps of RIPEMD-160, and the best semi-free-start (SFS) collision attack only reaches 40 steps. To improve the 36-step collision attack proposed at EUROCRYPT 2023, we explored the possibility of using different message differences to increase the number of attacked steps, and we finally identified one choice allowing a 40-step collision attack. To find the corresponding 40-step differential characteristic, we re-implement the MILP-based method to search for signed differential characteristics with SAT/SMT. As a result, we can find a colliding message pair for 40-step RIPEMD-160 in practical time, which significantly improves the best collision attack on RIPEMD-160. For the best SFS collision attack published at ToSC 2019, we observe that the bottleneck is the probability of the right-branch differential characteristics as they are fully uncontrolled in the message modification. To address this issue, we utilize our SAT/SMT-based tool to search for high-probability differential characteristics for the right branch. Consequently, we can mount successful SFS collision attacks on 41, 42 and 43 steps of RIPEMD-160, thus significantly improving the SFS collision attacks. In addition, we also searched for a 44-step differential characteristic, but the differential probability is too low to allow a meaningful SFS collision attack.

A. Arul Lawernce Selvakumar,R. S. Ratastogi,A.Arul Lawernce Selvakumar,R.S.Ratastogi

DOI: https://doi.org/10.48550/arXiv.1402.1314

2014-02-06

Cryptography and Security

Abstract:In this paper we analyse the role of some of the building blocks in SHA-256. We show that the disturbance correction strategy is applicable to the SHA-256 architecture and we prove that functions $\Sigma$, $\sigma$ are vital for the security of SHA-256 by showing that for a variant without them it is possible to find collisions with complexity 2 64 hash operations. As a step towards an analysis of the full function, we present the results of our experiments on Hamming weights of expanded messages for different variants of the message expansion and show that there exist low-weight expanded messages for XOR-linearised variants.

Xinjie Zhao,Tao Wang,Shize Guo,Fan Zhang,Zhijie Shi,Huiying Liu,Kehui Wu

2011-01-01

Abstract:Introduced in 2009, Algebraic Side-Channel Attack (ASCA) has become a very effective cryptanalysis technique that is different from conventional side-channel attacks such as DPA and CPA. In this paper, we propose an innovative and generic attack framework named as SATETASCA (SAT based Error Tolerant Algebraic Side-Channel Attack). The proposed framework is effective even if the leakage information is not accurate and has large variants or errors. We show its generality by successfully launching SAT-ETASCA to AES on two different platforms, using different types of leakages. The first attack is to an AES implementation on an 8-bit microcontroller, using the Hamming weight leakage model. We demonstrate that SAT-ETASCA can recover the full key even when the obtained leakage information has about 60% errors. The second attack is based on an innovative idea of applying the external cache …

Somitra Kumar Sanadhya,Palash Sarkar

DOI: https://doi.org/10.48550/arXiv.0809.0216

2008-09-01

Abstract:Recently, Indesteege et al. [1] had described attacks against 23 and 24-step SHA-512 at SAC '08. Their attacks are based on the differential path by Nikolic and Biryukov [2]. The reported complexities are $2^{44.9}$ and $2^{53}$ calls to the respective step reduced SHA-512 hash function. They provided colliding message pairs for 23-step SHA-512 but did not provide a colliding message pair for 24-step SHA-512. In this note we provide a colliding message pair for 23-step SHA-512 and the first colliding message pair for 24-step SHA-512. Our attacks use the differential path first described by Sanadhya and Sarkar at ACISP '08 [3]. The complexities of our attacks are $2^{16.5}$ and $2^{34.5}$ calls to the respective step reduced SHA-512 hash function. Complete details of the attacks will be provided in an extended version of this note.

Cryptography and Security

Jian Guo,Guohong Liao,Guozhen Liu,Meicheng Liu,Kexin Qiao,Ling Song

DOI: https://doi.org/10.1007/s00145-019-09313-3

2019-01-01

Journal of Cryptology

Abstract:The Keccak hash function is the winner of the SHA-3 competition (2008–2012) and became the SHA-3 standard of NIST in 2015. In this paper, we focus on practical collision attacks against round-reduced SHA-3 and some Keccak variants. Following the framework developed by Dinur et al. at FSE 2012 where 4-round collisions were found by combining 3-round differential trails and 1-round connectors, we extend the connectors to up to three rounds and hence achieve collision attacks for up to 6 rounds. The extension is possible thanks to the large degree of freedom of the wide internal state. By linearizing S-boxes of the first round, the problem of finding solutions of 2-round connectors is converted to that of solving a system of linear equations. When linearization is applied to the first two rounds, 3-round connectors become possible. However, due to the quick reduction in the degree of freedom caused by linearization, the connector succeeds only when the 3-round differential trails satisfy some additional conditions. We develop dedicated strategies for searching differential trails and find that such special differential trails indeed exist. To summarize, we obtain the first real collisions on six instances, including three round-reduced instances of SHA-3, namely 5-round SHAKE128, SHA3-224 and SHA3-256, and three instances of Keccak contest, namely Keccak[1440, 160, 5, 160], Keccak[640, 160, 5, 160] and Keccak[1440, 160, 6, 160], improving the number of practically attacked rounds by two. It is remarked that the work here is still far from threatening the security of the full 24-round SHA-3 family.

Kexin Qiao,Ling Song,Meicheng Liu,Jian Guo

DOI: https://doi.org/10.1007/978-3-319-56617-7_8

2017-01-01

Abstract:In this paper, we focus on collision attacks against Keccak hash function family and some of its variants. Following the framework developed by Dinur et al. at FSE 2012 where 4-round collisions were found by combining 3-round differential trails and 1-round connectors, we extend the connectors one round further hence achieve collision attacks for up to 5 rounds. The extension is possible thanks to the large degree of freedom of the wide internal state. By linearization of all S-boxes of the first round, the problem of finding solutions of 2-round connectors are converted to that of solving a system of linear equations. However, due to the quick freedom reduction from the linearization, the system has solution only when the 3-round differential trails satisfy some additional conditions. We develop a dedicated differential trail search strategy and find such special differentials indeed exist. As a result, the first practical collision attack against 5-round SHAKE128 and two 5-round instances of the Keccak collision challenges are found with real examples. We also give the first results against 5-round Keccak-224 and 6-round Keccak collision challenges. It is remarked that the work here is still far from threatening the security of the full 24-round Keccak family.

Fukang Liu,Gaoli Wang,Santanu Sarkar,Ravi Anand,Willi Meier,Yingxin Li,Takanori Isobe

DOI: https://doi.org/10.1007/978-3-031-30634-1_7

2023-01-01

Abstract:The hash function RIPEMD-160 is an ISO/IEC standard and is being used to generate the bitcoin address together with SHA-256. Despite the fact that many hash functions in the MD-SHA hash family have been broken, RIPEMD-160 remains secure and the best collision attack could only reach up to 34 out of 80 rounds, which was published at CRYPTO 2019. In this paper, we propose a new collision attack on RIPEMD-160 that can reach up to 36 rounds with time complexity $$2^{64.5}$$ . This new attack is facilitated by a new strategy to choose the message differences and new techniques to simultaneously handle the differential conditions on both branches. Moreover, different from all the previous work on RIPEMD-160, we utilize a MILP-based method to search for differential characteristics, where we construct a model to accurately describe the signed difference transitions through its round function. As far as we know, this is the first model targeting the signed difference transitions for the MD-SHA hash family. Indeed, we are more motivated to design this model by the fact that many automatic tools to search for such differential characteristics are not publicly available and implementing them from scratch is too time-consuming and difficult. Hence, we expect that this can be an alternative easy tool for future research, which only requires to write down some simple linear inequalities.

Amit Kumar Chauhan,Abhishek Kumar,Somitra Kumar Sanadhya

DOI: https://doi.org/10.46586/tosc.v2021.i1.316-336

2021-03-19

IACR Transactions on Symmetric Cryptology

Abstract:Recently, Hosoyamada and Sasaki (EUROCRYPT 2020), and Xiaoyang Dong et al. (ASIACRYPT 2020) proposed quantum collision attacks against AES-like hashing modes AES-MMO and AES-MP. Their collision attacks are based on the quantum version of the rebound attack technique exploiting the differential trails whose probabilities are too low to be useful in the classical setting but large enough in the quantum setting. In this work, we present dedicated quantum free-start collision attacks on Hirose’s double block length compression function instantiated with AES-256, namely HCF-AES-256. The best publicly known classical attack against HCF-AES-256 covers up to 9 out of 14 rounds. We present a new 10-round differential trail for HCF-AES-256 with probability 2−160, and use it to find collisions with a quantum version of the rebound attack. Our attack succeeds with a time complexity of 285.11 and requires 216 qRAM in the quantum-attack setting, where an attacker can make only classical queries to the oracle and perform offline computations. We also present a quantum free-start collision attack on HCF-AES-256 with a time complexity of 286.07 which outperforms Chailloux, Naya-Plasencia, and Schrottenloher’s generic quantum collision attack (ASIACRYPT 2017) in a model when large qRAM is not available.

Norbert Pramstaller,Christian Rechberger,Vincent Rijmen

DOI: https://doi.org/10.1007/11693383_16

2006-01-01

Abstract:We present a collision attack on SMASH. SMASH was proposed as a new hash function design strategy that does not rely on the structure of the MD4 family. The presented attack method allows us to produce almost any desired difference in the chaining variables of the iterated hash function. Due to the absence of a secret key, we are able to construct differences with probability 1. Furthermore, we get only few constraints on the colliding messages, which allows us to construct meaningful collisions. The presented collision attack uses negligible resources and we conjecture that it works for all hash functions built following the design strategy of SMASH.

Huiyu Tan,Pengfei Gao,Fu Song,Taolue Chen,Zhilin Wu

DOI: https://doi.org/10.46586/tches.v2024.i4.1-39

2024-01-01

Abstract:Fault injection attacks represent a type of active, physical attack against cryptographic circuits. Various countermeasures have been proposed to thwart such attacks, however, the design and implementation of which are intricate, error-prone, and laborious. The current formal fault-resistance verification approaches are limited in efficiency and scalability. In this paper, we formalize the fault-resistance verification problem and show that it is coNP-complete. We then devise a novel approach for encoding the fault-resistance verification problem as the Boolean satisfiability (SAT) problem so that modern off-the-shelf SAT solvers can be utilized. The approach is implemented in an open-source tool FIRMER which is evaluated extensively on realistic cryptographic circuit benchmarks. The experimental results show that FIRMER is able to verify fault-resistance of almost all (72/76) benchmarks in 3 minutes (the other three are verified in 35 minutes and the hardest one is verified in 4 hours). In contrast, the prior approach fails on 31 fault-resistance verification tasks even after 24 hours (per task).

Saeed Nejati,Jia Hui Liang,Vijay Ganesh,Catherine Gebotys,Krzysztof Czarnecki

DOI: https://doi.org/10.48550/arXiv.1608.04720

2016-08-17

Abstract:SAT solvers are increasingly being used for cryptanalysis of hash functions and symmetric encryption schemes. Inspired by this trend, we present MapleCrypt which is a SAT solver-based cryptanalysis tool for inverting hash functions. We reduce the hash function inversion problem for fixed targets into the satisfiability problem for Boolean logic, and use MapleCrypt to construct preimages for these targets. MapleCrypt has two key features, namely, a multi-armed bandit based adaptive restart (MABR) policy and a counterexample-guided abstraction refinement (CEGAR) technique. The MABR technique uses reinforcement learning to adaptively choose between different restart policies during the run of the solver. The CEGAR technique abstracts away certain steps of the input hash function, replacing them with the identity function, and verifies whether the solution constructed by MapleCrypt indeed hashes to the previously fixed targets. If it is determined that the solution produced is spurious, the abstraction is refined until a correct inversion to the input hash target is produced. We show that the resultant system is faster for inverting the SHA-1 hash function than state-of-the-art inversion tools.

Cryptography and Security

Huiyu Tan,Pengfei Gao,Taolue Chen,Fu Song,Zhilin Wu

2023-07-02

Abstract:Fault injection attacks represent a type of active, physical attack against cryptographic circuits. Various countermeasures have been proposed to thwart such attacks, the design and implementation of which are, however, intricate, error-prone, and laborious. The current formal fault-resistance verification approaches are limited in efficiency and scalability. In this paper, we formalize the fault-resistance verification problem which is shown to be NP-complete. We then devise a novel approach for encoding the fault-resistance verification problem as the Boolean satisfiability (SAT) problem so that off-the-shelf SAT solvers can be utilized. The approach is implemented in an open-source tool FIRMER which is evaluated extensively on realistic cryptographic circuit benchmarks. The experimental results show that FIRMER is able to verify fault-resistance of almost all (46/48) benchmarks in 3 minutes (the other two are verified in 35 minutes). In contrast, the prior approach fails on 23 fault-resistance verification tasks even after 24 hours (per task).

Cryptography and Security,Hardware Architecture,Software Engineering

Di Zhai,Wei Bai,Jianding Fu,Hongjian Gao,Xueqiong Zhu

DOI: https://doi.org/10.1016/j.heliyon.2024.e26119

IF: 3.776

2024-02-28

Heliyon

Abstract:Lightweight cryptography algorithms are a class of ciphers designed to protect data generated and transmitted by the Internet of Things. They typically have low requirements in terms of storage space and power consumption, and are well-suited for resource-limited application scenarios such as embedded systems, actuators, and sensors. The NIST-approved competition for lightweight cryptography aims to identify lightweight cryptographic algorithms that can serve as standards. Its objective is to enhance data security in various scenarios. Among the chosen standards for lightweight cryptography, ASCON has been selected. ASCON-HASH is a hash function within the ASCON family. This paper presents a detailed analysis of the differential characteristics of ASCON-HASH, utilizing the quadratic S-box. Additionally, we employ message modification techniques and ultimately demonstrate a non-practical collision attack on the 2-round ASCON-HASH, requiring a time complexity of 2 98 hash function calls.

Xiaoyun Wang,Hongbo Yu,Yiqun Lisa Yin

DOI: https://doi.org/10.1007/11535218_1

2005-01-01

Abstract:In this paper, we present new techniques for collision search in the hash function SHA-0. Using the new techniques, we can find collisions of the full 80-step SHA-0 with complexity less than 239 hash operations.

Gaoli Wang

DOI: https://doi.org/10.1007/978-3-319-04852-9_23

2014-01-01

Abstract:RIPEMD-128 is an ISO/IEC standard cryptographic hash function proposed in 1996 by Dobbertin, Bosselaers and Preneel. The compression function of RIPEMD-128 consists of two different and independent parallel lines denoted by line1 operation and line2 operation. The initial values and the output values of the last step of the two operations are combined, resulting in the final value of one iteration. In this paper, we present collision differential characteristics for both line1 operation and line2 operation by choosing a proper message difference. By using message modification technique seriously, we improve the probabilities of the differential characteristics so that we can give a collision attack on 40-step RIPEMD-128 with a complexity of 235 computations.

Fan Zhang,Xiaofei Dong,Xinjie Zhao,Yidi Wang,Samiya Qureshi,Yiran Zhang,Xiaoxuan Lou,Yongkang Tang

DOI: https://doi.org/10.1109/MASS.2018.00056

2018-01-01

Abstract:This paper proposed an advanced round modification fault analysis (RMFA) at the theoretical level on AEGIS-128, which is one of seven finalists in CAESAR competition. First, we clarify our assumptions and simplifications on the attack model, focusing on the encryption security. Then, we emphasize the difficulty of applying vanilla RMFA to AEGIS-128 in the practical case. Finally we demonstrate our advanced fault analysis on AEGIS-128 using machine-solver based algebraic techniques. Our enhancement can be used to conquer the practical scenario which is difficult for vanilla RMFA. Simulation results show that when the fault is injected to the initialization phase and the number of rounds is reduced to one, two samples of injections can extract the whole 128 key bits within less than two hours. This work can also be extended to other versions such as AEGIS-256.

Hongbo Yu,Jiazhe Chen,Xiaoyun Wang

DOI: https://doi.org/10.1007/978-3-662-43933-3_14

2013-01-01

Abstract:The hash function Skein is one of 5 finalists of the NIST SHA-3 competition. It is based on the block cipher Threefish which only uses three primitive operations: modular addition, rotation and bitwise XOR (ARX). This paper proposes a free-start partial-collision attack on round-reduced Skein-256 by combing the rebound attack with the modular differential techniques. The main idea of our attack is to connect two short differential paths into a long one with another differential characteristic that is complicated. Following our path, we give a free-start partial-collision attack on Skein-256 reduced to 32 rounds with Hamming distance 50 and complexity about 2(85) hash computations. In particular, we provide practical near-collision examples for Skein-256 reduced to 24 rounds and 28 rounds in the fixed tweaks and choosing tweaks setting separately. As far as we know, this is the first construction of a non-linear differential path for Skein which can lead to significantly improvement over previous analysis.