Lars R. Knudsen,Xuejia Lai

DOI: https://doi.org/10.1007/bfb0053455

1994-01-01

Abstract:In this paper attacks on double block length hash functions using a block cipher are considered. We present attacks on all double block length hash functions of hash rate 1, that is, hash functions where in each round the block cipher is used twice, s.t. one encryption is needed per message block. In particular, our attacks break the Parallel-DM presented at Crypto'93[3].

Zheng Gong,Xuejia Lai,Kefei Chen

2008-01-01

Abstract:In this work the security of the rate-1 double block length hash functions, which based on a block cipher with a block length of n-bit and a key length of 2n-bit, is reconsidered. Counter-examples and new attacks are presented on this general class of double block length hash functions with rate 1, which disclose uncovered flaws in the necessary conditions given by Satoh et al. and Hirose. Preimage and second preimage attacks are presented on Hirose's two examples which were left as an open problem. Therefore, although all the rate-1 hash functions in this general class are failed to be optimally (second) preimage resistant, the necessary conditions are refined for ensuring this general class of the rate-1 hash functions to be optimally secure against the collision attack. In particular, two typical examples, which designed under the refined conditions, are proven to be indifferentiable from the random oracle in the ideal cipher model. The security results are extended to a new class of double block length hash functions with rate 1, where one block cipher used in the compression function has the key length is equal to the block length, while the other is doubled.

Walter Hohl,Xuejia Lai,Thomas Meier,Christian Waldvogel

DOI: https://doi.org/10.1007/3-540-48329-2_32

1993-01-01

Abstract:Cryptographic hash functions obtained by iterating a round function constructed from a block cipher and for which the hash-code length is twice the block length m of the underlying block cipher are considered. The computational security of such hash functions against two particular attacks, namely, the free-start target and free-start collision attacks, is investigated; these two attacks differentiate themselves from the "usual" target and collision attacks by not specifying the initial value of the iterations. The motivation is that computationally secure iterated hash functions against these two particular attacks implies computationally secure iterated hash functions against the "usual" target and collision attacks. For a general class of such 2m-bit iterated hash functions, tighter upper bounds than the one yet published in the literature on the complexity of free-start target and free-start collision attacks are derived. A proposal for a 2m-bit iterated hash function achieving these upper bounds is made; this new proposal is shown to be computationally more secure against free-start target and free-start collision attacks than some of the already proposed schemes falling into this general class. It is also shown that our proposal is better than the present proposal for an ISO standard in the sense that both schemes achieve these upper bounds but one encryption is required in our proposal for hashing one m-bit message block as opposed to two encryptions in the ISO proposal. Finally, two new attacks on the LOKI Double-Block-Hash function are presented with lower complexities than the known ones.

Yiyuan Luo,Xuejia Lai,Tiejun Jia

DOI: https://doi.org/10.1007/s12095-014-0117-2

2014-01-01

Cryptography and Communications

Abstract:In this paper we attack a 2n-bit double length hash function proposed by Lee et al. This proposal is a blockcipher-based hash function with hash rate 2/3. The designers claimed that it could achieve ideal collision resistance and gave a security proof. However, we find a collision attack with complexity of O(23n/4) and a preimage attack with complexity of O(2n). Our result shows this construction is much worse than an ideal 2n-bit hash function.

Gong Zheng,Luo Yiyuan,Lai Xuejia,Chen Kefei

IF: 1.019

2012-01-01

Chinese Journal of Electronics

Abstract:The security of double-block-length hash functions with rate 1, which are based on a block cipher with a block length of n bits and a key length of 2n bits, was analyzed by Satoh et al. and Hirose. In this paper, we reconsider the security of this general class of hash functions (named FDBL-II for brevity). The new counter-examples and attacks are presented on FDBL-II, which reveal some flaws in the necessary conditions proposed by Satoh et al. and Hirose. Moreover, our analysis shows that all rate-1 hash functions in FDBL-II fail to be optimally (second) preimage resistant. Finally, the necessary conditions are revised for ensuring that a subclass of hash functions in FDBL-II can be optimally secure against collision attacks.

Xuejia Lai,James L. Massey

DOI: https://doi.org/10.1007/3-540-47555-9_5

2007-01-01

Abstract:Iterated hash functions based on block ciphers are treated. Five attacks on an iterated hash function and on its round function are formulated. The wisdom of strengthening such hash functions by constraining the last block of the message to be hashed is stressed. Schemes for constructing m -bit and 2 m -bit hash round functions from m -bit block ciphers are studied. A principle is formalized for evaluating the strength of hash round functions, viz., that applying computationally simple (in both directions) invertible transformations to the input and output of a hash round function yields a new hash round function with the same security. By applying this principle, four attacks on three previously proposed 2 m -bit hash round functions are formulated. Finally, three new hash round functions based on an m -bit block cipher with a 2 m -bit key are proposed.

Yiyuan Luo,Xuejia Lai

2010-01-01

Abstract:In this paper we give more insights on the security of blockcipherbased hash functions. We give a very simple criterion to build a secure large class of Single-Block-Length (SBL) or double call DoubleBlock-Length (DBL) compression functions based on (kn, n) blockciphers, where kn is the key length and n is the block length and k is an integer. This criterion is simpler than previous works in the literature. Based on the criterion, we can get many results from this criterion, and we can get a conclusion on such class of blockcipher-based hash functions. We solved the open problem left by Hirose. Our results show that to build a secure double call DBL compression function, it is required k >= m+ 1 where m is the number of message blocks. Thus, we can only build rate 1/2 secure double DBL blockcipher-based compression functions if k == 2. At last, we pointed out flaws in Stam’s theorem about supercharged functions and gave a revision of this theorem and added another condition for the security of supercharged compression functions.

bozhong liu,zheng gong,xiaohong chen,weidong qiu,dong zheng

DOI: https://doi.org/10.1109/ITAPP.2010.5566639

2010-01-01

Abstract:Hash functions are widely used in authentication. In this paper, the security of Lin et al.'s efficient block-cipher-based hash function is reviewed. By using Joux's multicollisions and Kelsey et al.'s expandable message techniques, we find the scheme is vulnerable to collision, preimage and second preimage attacks. Some modifications are recommended to avoid those security flaws in Lin et al.'s hash construction.

Wang Xiaoyun,Feng Dengguo,Yu Xiuyuan

DOI: https://doi.org/10.1360/122004-107

2005-01-01

Abstract:In this paper, we give a fast attack against hash function—HAVAL-128. HAVAL was presented by Y. L. Zheng et al. at Auscrypto’92. It can be processed in 3, 4 or 5 passes, and produces 128, 160, 192, or 224-bit fingerprint. We break the HAVAL with 128-bit fingerprint. The conclusion is that, given any 1024-bit message m, we just make some modifications about m, and the modified message m can collide with another message m′ only with probability 1/27, where m′=m+Δm, in which Δm is a fixed difference selected in advance. In addition, two collision examples for HAVAL-128 are given in this paper.

Huafei Zhu,Lixin Ran,Yumin Wang

IF: 1.019

1999-01-01

Chinese Journal of Electronics

Abstract:Cryptographic hash functions are very important for cryptographic protocols such as signature scheme and message authentication. Based on the pioneer work of X. Lai et al., a new framework of hash algorithm is developed in this paper. In our hash scheme, an extra pseudorandom keystream generator is not needed which may be more conveniently for practical use. We have proved that the security of the new hash scheme is equivalent to that of feedback shift registers (FSRs) controlled by 2m - bit security keys.

Yusuke Naito

DOI: https://doi.org/10.1007/978-3-030-30530-7_4

2019-01-01

Abstract:Existing double-block-length (DBL) hash functions, in order to achieve optimal indifferentiable security (security up to O(2n)documentclass[12pt]{minimal}usepackage{amsmath}usepackage{wasysym}usepackage{amsfonts}usepackage{amssymb}usepackage{amsbsy}usepackage{mathrsfs}usepackage{upgreek}setlength{oddsidemargin}{-69pt}egin{document}$$O(2^n)$$end{document} query complexity), require a block cipher with ndocumentclass[12pt]{minimal}usepackage{amsmath}usepackage{wasysym}usepackage{amsfonts}usepackage{amssymb}usepackage{amsbsy}usepackage{mathrsfs}usepackage{upgreek}setlength{oddsidemargin}{-69pt}egin{document}$$n$$end{document}-bit blocks and kdocumentclass[12pt]{minimal}usepackage{amsmath}usepackage{wasysym}usepackage{amsfonts}usepackage{amssymb}usepackage{amsbsy}usepackage{mathrsfs}usepackage{upgreek}setlength{oddsidemargin}{-69pt}egin{document}$$k$$end{document}-bit keys such that 2n≤kdocumentclass[12pt]{minimal}usepackage{amsmath}usepackage{wasysym}usepackage{amsfonts}usepackage{amssymb}usepackage{amsbsy}usepackage{mathrsfs}usepackage{upgreek}setlength{oddsidemargin}{-69pt}egin{document}$$2nle k$$end{document}, and a post-processing function with two block cipher calls. In this paper, we consider the indifferentiability of MDPHdocumentclass[12pt]{minimal}usepackage{amsmath}usepackage{wasysym}usepackage{amsfonts}usepackage{amssymb}usepackage{amsbsy}usepackage{mathrsfs}usepackage{upgreek}setlength{oddsidemargin}{-69pt}egin{document}$$mathsf {MDPH}$$end{document}, a combination of the MDP domain extender and Hirose’s compression function. MDPHdocumentclass[12pt]{minimal}usepackage{amsmath}usepackage{wasysym}usepackage{amsfonts}usepackage{amssymb}usepackage{amsbsy}usepackage{mathrsfs}usepackage{upgreek}setlength{oddsidemargin}{-69pt}egin{document}$$mathsf {MDPH}$$end{document} does not require the post-processing function (thus has better efficiency), and supports block ciphers with n<kdocumentclass[12pt]{minimal}usepackage{amsmath}usepackage{wasysym}usepackage{amsfonts}usepackage{amssymb}usepackage{amsbsy}usepackage{mathrsfs}usepackage{upgreek}setlength{oddsidemargin}{-69pt}egin{document}$$n< k$$end{document}. We show that MDPHdocumentclass[12pt]{minimal}usepackage{amsmath}usepackage{wasysym}usepackage{amsfonts}usepackage{amssymb}usepackage{amsbsy}usepackage{mathrsfs}usepackage{upgreek}setlength{oddsidemargin}{-69pt}egin{document}$$mathsf {MDPH}$$end{document} achieves (nearly) optimal indifferentiable security. To the best of our knowledge, this is the first result for DBL hashing with optimal indifferentiable security, with support for block ciphers with n<kdocumentclass[12pt]{minimal}usepackage{amsmath}usepackage{wasysym}usepackage{amsfonts}usepackage{amssymb}usepackage{amsbsy}usepackage{mathrsfs}usepackage{upgreek}setlength{oddsidemargin}{-69pt}egin{document}$$n< k$$end{document}, and without the post-processing function.

Zhenzhen Bao,Xiaoyang Dong,Jian Guo,Zheng Li,Danping Shi,Siwei Sun,Xiaoyun Wang

DOI: https://doi.org/10.1007/978-3-030-77870-5_27

2021-01-01

Abstract:The Meet-in-the-Middle (MITM) preimage attack is highly effective in breaking the preimage resistance of many hash functions, including but not limited to the full MD5, HAVAL, and Tiger, and reduced SHA-0/1/2. It was also shown to be a threat to hash functions built on block ciphers like AES by Sasaki in 2011. Recently, such attacks on AES hashing modes evolved from merely using the freedom of choosing the internal state to also exploiting the freedom of choosing the message state. However, detecting such attacks especially those evolved variants is difficult. In previous works, the search space of the configurations of such attacks is limited, such that manual analysis is practical, which results in sub-optimal solutions. In this paper, we remove artificial limitations in previous works, formulate the essential ideas of the construction of the attack in well-defined ways, and translate the problem of searching for the best attacks into optimization problems under constraints in Mixed-Integer-Linear-Programming (MILP) models. The MILP models capture a large solution space of valid attacks; and the objectives of the MILP models are attack configurations with the minimized computational complexity. With such MILP models and using the off-the-shelf solver, it is efficient to search for the best attacks exhaustively. As a result, we obtain the first attacks against the full (5-round) and an extended (5.5-round) version of Haraka-512 v2, and 8-round AES-128 hashing modes, as well as improved attacks covering more rounds of Haraka-256 v2 and other members of AES and Rijndael hashing modes.

Lei Wang,Yu Sasaki,Wataru Komatsubara,Kazuo Sakiyama,Kazuo Ohta

DOI: https://doi.org/10.1587/transfun.e95.a.100

2012-01-01

IEICE Transactions on Fundamentals of Electronics Communications and Computer Sciences

Abstract:Even though meet-in-the-middle preimage attack framework has been successfully applied to attack most of narrow-pipe hash functions, it seems difficult to apply this framework to attack double-branch hash functions. Only few results have been published on this research. This paper proposes a refined strategy of applying meet-in-the-middle attack framework to double-branch hash functions. The main novelty is a new local-collision approach named one-message-word local collision. We have applied our strategy to two double-branch hash functions RIPEMD and RIPEMD-128, and obtain the following results.On RIPEMD, We find a pseudo-preimage attack on 47-step compression function, where the full version has 48 steps, with a complexity of 2(119). It can be converted to a second preimage attack on 47-step hash function with a complexity of 2(124.5). Moreover, we also improve previous preimage attacks on (intermediate) 35-step RIPEMD, and reduce the complexity from 2(113) to 2(96).On RIPEMD-128, We find a pseudo-preimage on (intermediate) 36-step compression function, where the full version has 64 steps, with a complexity of 2(123). It can1 be converted to a preimage attack on (intermediate) 36-step hash function with a complexity of 2(126.5).Both RIPEMD and RIPEMD-128 produce 128-bit digests. Therefore our attacks are faster than the brute-force attack, which means that our attacks break the theoretical security bound of the above step-reduced variants of those two hash functions in the sense of (second) preimage resistance. The maximum number of the attacked steps on both those two hash functions is 35 among previous works based to our best knowledge. Therefore we have successfully increased the number of the attacked steps. We stress that our attacks does not break the security of full-version RIPEMD and RIPEMD-128. But the security mergin of RIPEMD becomes very narrow. On the other hand, RIPEMD-128 still has enough security margin.

Shenghui Su,Tao Xie,Shuwang Lu

DOI: https://doi.org/10.48550/arXiv.1408.5999

2017-04-30

Abstract:To examine the integrity and authenticity of an IP address efficiently and economically, this paper proposes a new non-Merkle-Damgard structural (non-MDS) hash function called JUNA that is based on a multivariate permutation problem and an anomalous subset product problem to which no subexponential time solutions are found so far. JUNA includes an initialization algorithm and a compression algorithm, and converts a short message of n bits which is regarded as only one block into a digest of m bits, where 80 <= m <= 232 and 80 <= m <= n <= 4096. The analysis and proof show that the new hash is one-way, weakly collision-free, and strongly collision-free, and its security against existent attacks such as birthday attack and meet-in-the- middle attack is to O(2 ^ m). Moreover, a detailed proof that the new hash function is resistant to the birthday attack is given. Compared with the Chaum-Heijst-Pfitzmann hash based on a discrete logarithm problem, the new hash is lightweight, and thus it opens a door to convenience for utilization of lightweight digital signing schemes.

Cryptography and Security

JiaLin Huang,XueJia Lai

DOI: https://doi.org/10.1007/s11432-014-5096-6

2014-01-01

Science China Information Sciences

Abstract:Recently, several important block ciphers are considered to be broken by the brute-force-like cryptanalysis, with a time complexity faster than the exhaustive key search by going over the entire key space but performing less than a full encryption for each possible key. Motivated by this observation, we describe a meetin-the-middle attack that can always be successfully mounted against any practical block ciphers with success probability one. The data complexity of this attack is the smallest according to the unicity distance. The time complexity can be written as 2 k (1 − ∈), where ∈ > 0 for all practical block ciphers. Previously, the security bound that is commonly accepted is the length k of the given master key. From our result we point out that actually this k-bit security is always overestimated and can never be reached because of the inevitable loss of the key bits. No amount of clever design can prevent it, but increments of the number of rounds can reduce this key loss as much as possible. We give more insight into the problem of the upper bound of effective key bits in block ciphers, and show a more accurate bound. A suggestion about the relationship between the key size and block size is given. That is, when the number of rounds is fixed, it is better to take a key size equal to the block size. Also, effective key bits of many well-known block ciphers are calculated and analyzed, which also confirms their lower security margins than thought before. The results in this article motivate us to reconsider the real complexity that a valid attack should compare to.

Shoichi HIROSE,Hidenori KUWAKADO

DOI: https://doi.org/10.1587/transfun.2023dmp0007

2024-01-01

Abstract:In 2005, Nandi introduced a class of double-block-length compression functions hπ (x) := (h(x) , h( π(x) ) ), where h is a random oracle with an n-bit output and π is a non-cryptographic public permutation. Nandi demonstrated that the collision resistance of hπ is optimal if π has no fixed point in the classical setting. Our study explores the collision resistance of hπ and the Merkle-Damåard hash function using hπ in the quantum random oracle model. Firstly, we reveal that the quantum collision resistance of hπ may not be optimal even if π has no fixed point. If π is an involution, then a colliding pair of inputs can be found for hπ with only O(2n/2) queries by the Grover search. Secondly, we present a sufficient condition on π for the optimal quantum collision resistance of hπ. This condition states that any collision attack needs Ω(22n/3) queries to find a colliding pair of inputs. The proof uses the recent technique of Zhandry&#x27;s compressed oracle. Thirdly, we show that the quantum collision resistance of the Merkle-Damgård hash function using hπ can be optimal even if π is an involution. Finally, we discuss the quantum collision resistance of double-block-length compression functions using a block cipher.

computer science, information systems,engineering, electrical & electronic, hardware & architecture

Lingyue Qin,Jialiang Hua,Xiaoyang Dong,Hailun Yan,Xiaoyun Wang

DOI: https://doi.org/10.1007/978-3-031-30634-1_6

2023-01-01

Abstract:The Meet-in-the-Middle (MitM) attack has been widely applied to preimage attacks on Merkle-Damgård (MD) hashing. In this paper, we introduce a generic framework of the MitM attack on sponge-based hashing. We find certain bit conditions can significantly reduce the diffusion of the unknown bits and lead to longer MitM characteristics. To find good or optimal configurations of MitM attacks, e.g., the bit conditions, the neutral sets, and the matching points, we introduce the bit-level MILP-based automatic tools on Keccak, Ascon and Xoodyak. To reduce the scale of bit-level models and make them solvable in reasonable time, a series of properties of the targeted hashing are considered in the modelling, such as the linear structure and CP-kernel for Keccak, the Boolean expression of Sbox for Ascon. Finally, we give an improved 4-round preimage attack on Keccak-512/SHA3, and break a nearly 10 years’ cryptanalysis record. We also give the first preimage attacks on 3-/4-round Ascon-XOF and 3-round Xoodyak-XOF.

Seungjun Baek,Sehee Cho,Jongsung Kim

DOI: https://doi.org/10.1007/s11128-022-03499-5

IF: 1.965

2022-04-27

Quantum Information Processing

Abstract:Recently, Hosoyamada and Sasaki (Eurocrypt'20) proposed dedicated quantum collision attacks on AES-MMO and AES-MP and revealed that a differential trail that is not available in the classical setting due to a low probability can be utilized in the quantum settings. Their works encouraged cryptographers to actively perform security analysis of concrete hash functions in the quantum settings, which had not received much attention before. Xiaoyang Dong et al. (Asiacrypt'20) proposed improved dedicated quantum collision attacks on AES-MMO and AES-MP, and Chauhan et al. (ToSC'21) proposed quantum rebound attacks on the double-block-length hash function Hirose instantiated with 10-round reduced AES-256. In this paper, we propose a quantum collision attack on the Davies–Meyer (DM) hash function instantiated with full-round AES-256. We construct a new chosen-key differential trail for AES-256 based on the trail of Biryukov et al. proposed in 2009 and use it to find collisions of the full AES-256-based DM in a quantum setting. We also present quantum free-start collision attacks on the Hirose and MJH hash functions instantiated with full-round AES-256. These attacks are significant in that they are the first algorithms to find full-round (free-start) collisions. In particular, in the case of Hirose-AES-256, our attacks can cover a larger number of constant c than previously proposed attacks and also cover more rounds.

physics, multidisciplinary,quantum science & technology, mathematical

Lei Wang,Kazuo Ohta,Noboru Kunihiro

DOI: https://doi.org/10.1587/transfun.e92.a.76

2009-01-01

Abstract:The most widely used hash functions from MD4 family have been broken, which lead to a public competition on designing new hash functions held by NIST. This paper focuses on one concept called near-collision resistance: computationally difficult to find a pair of messages with hash values differing in only few bits, which new hash functions should satisfy. In this paper, we will give a model of near-collisions on MD4, and apply it to attack protocols including HMAC/NMAC-MD4 and MD4(Password||Challenge). Our new outer-key recovery attacks on HMAC/NMAC-MD4 has a complexity of 272 online queries and 277 MD4 computations, while previous result was 288 online queries and 295 MD4 computations. Our attack on MD4(Password||Challenge) can recover 16 password characters with a complexity of 237 online queries and 221 MD4 computations, which is the first approach to attack such protocols.

Xiaoyang Dong,Xiaoyun Wang

DOI: https://doi.org/10.13154/tosc.v2016.i1.13-32

2016-01-01

Abstract:Since Knudsen and Rijmen proposed the known-key attacks in ASIACRYPT 2007, the open-key model becomes more and more popular. As the other component of the open-key model, chosen-key model was applied to the full attacks on AES-256 by Biryukov et al. in CRYPTO 2009. In this paper, we explore how practically the chosen-key model affect the real-world cryptography and show that 11-round generic Feistel-SP block cipher is no longer safe in its hashing modes (MMO and MP mode) as there exist collision attacks. This work improves Sasaki and Yasuda’s collision attacks by 2 rounds with two interesting techniques. First, we for the first time use the available degrees of freedom in the key to reduce the complexity of the inbound phase, which extends the previous 5-round inbound differential to a 7-round one. This results in a 12-round chosen-key distinguisher of Feistel-SP block cipher. Second, inspired by the idea of Wang et al., we construct collisions using two blocks. The rebound attack is used in the second compression function. We carefully balance the freedom of the first block and the complexity of the rebound attack, and extend the chosen-key attack to a 11-round collision attack on its hashing modes (MMO and MP mode).