Wei Li,Zhiyong Gao,Dawu Gu,Chenyu Ge,Linfeng Liao,Zhihong Zhou,Ya Liu,Zhiqiang Liu

DOI: https://doi.org/10.3837/tiis.2017.01.028

2016-01-01

Abstract:With the advancement and deployment of leading-edge telecommunication technologies for sensing and collecting, computing related information, Cloud of Things (CoTs) has emerged as a typical application platform that is envisioned to revolutionize the daily activities of human society, such as intelligent transportation, modern logistics, food safety, environmental monitoring, etc. To avoid any possible malicious attack and resource abuse, employing hash functions is widely recognized as one of the most effective approaches for CoTs to achieve message integrity and data authentication. The Whirlpool hash function has served as part of the joint ISO/IEC 10118-3 International Standard by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). In this paper, we propose an effective differential fault analysis on Whirlpool in the byte-oriented random fault model. The mathematical analysis and experimental results show that 8 random faults on average are required to obtain the current 512-bit message input of whirlpool and the secret

Congming Wei,Bingyou Dong,Jialiang Hua,Xiaoyang Dong,Guoyan Zhang

DOI: https://doi.org/10.1007/s10623-023-01254-0

IF: 1.4

2023-01-01

Designs Codes and Cryptography

Abstract:The Whirlwind hash function was proposed by Barreto et al. (Des Codes Cryptogr 56(2–3):141–162, 2010, https://doi.org/10.1007/s10623-010-9391-y ). In this paper, we focus on preimage and collision attacks on reduced-round Whirlwind. With the help of MILP models, a 7-round pseudo-preimage attack is presented. Then we revisit the framework of Ma et al. and successfully improve the preimage attack on 4-round Whirlwind with time complexity reduced from 2^497 to 2^417 . Meanwhile, by using quantum algorithms, we find a quantum collision attack on 5-round Whirlwind, which improves running time from 2^190.5 to 2^127.15 comparing to standard BHT algorithm while using the same amount of quantum memory. Also, semi-free-start collision of Whirlwind compression function is improved from 6 round to 7 round, while keeping complexity unchanged.

Fan Zhang,Zhijie Jerry Shi

DOI: https://doi.org/10.1109/ITNG.2011.70

2011-01-01

Abstract:In cryptography, a keyed-Hash Message Authentication Code (HMAC) is a type of message authentication code(MAC) calculated with a cryptographic hash function and a secret key. The security of the HMAC relies on the underlying hash function and the secret key. Whirlpool is a block cipher based hash algorithm that has been in public for about ten years. So far no effective attacks have been found on Whirlpool. As a result, HMAC with Whirlpool, i.e., HMAC-Whirlpool, is supposed to be secure. In this paper, we demonstrate that HMAC-Whirlpool is vulnerable to power analysis attacks. We designed two types of attacks: one is based on Differential Power Analysis (DPA) and the other on Correlation Power Analysis (CPA). We successfully launched the attacks at HMAC-Whirlpool running on an Atmel AVR processor. We also compared the attacks in terms of the number of power traces needed.

Yanzhao Shen,Dongxia Bai,Hongbo Yu

DOI: https://doi.org/10.1007/s11432-017-9119-6

2017-01-01

Science China Information Sciences

Abstract:SM3 is the Chinese hash standard and is standardized in GB/T 32905-2016 [1].As a hash function,it must fulfill three security requirements,collision resistance,preinage resistance,and second preimage resistance.During the ongoing evaluation,it is believed that whenever the hash function behaves differently from a random function,it is considered as the hash function's weakness.In recent years,the analysis has not only been limited to the classical security requirements,but also in the near-collision,boomerang distinguisher,and (semi-)free-start collision.Most of the previous preimage attacks on SM3 [2,3] are either without padding or padding is not present from the first step.The best boomerang attack on SM3 covers 37 steps [4,5].In this article,we focus on the preimage attack from the first step,with message padding.A preinage attack on 30-step SM3 is proposed.Furthermore,we improve the 37-step boomerang attack and extend it to the 38-step boomerang attack.A summary of the previous results and along with our owns is given in Table 1.

Jiangshan Long,Changhai Ou,Zhu Wang,Shihui Zheng,Fei Yan,Fan Zhang,Siew-Kei Lam

2022-01-01

Abstract:The performance of Side-Channel Attacks (SCAs) decays rapidly when considering more sub-keys, making the full-key recovery a very challenging problem. Limited to independent collision information utilization, collision attacks establish the relationship among sub-keys but do not significantly slow down this trend. To solve it, we first exploit the samples from the previously attacked S-boxes to assist attacks on the targeted S-box under an assumption that similar leakage occurs in program loop or code reuse scenarios. The later considered S-boxes are easier to be recovered since more samples participate in this assist attack, which results in the “snowball” effect. We name this scheme as Snowball, which significantly slows down the attenuation rate of attack performance. We further introduce confusion coefficient into the collision attack to construct collision confusion coefficient, and deduce its relationship with correlation coefficient. Based on this relationship, we give two optimizations on our Snowball exploiting the “values” information and “rankings” information of collision correlation coefficients named Least Deviation from Pearson correlation coefficient (PLD) and Least Deviation from confusion coefficient (CLD). Experiments show that the above optimizations significantly improve the performance of our Snowball.

Wei Li,Zhi Tao,Dawu Gu,Yi Wang,Zhiqiang Liu,Ya Liu

DOI: https://doi.org/10.4304/jcp.8.11.2888-2894

2013-01-01

Journal of Computers

Abstract:The MD5, proposed by R. Riverst in 1992, is a widely used hash function with Merkle-Damgard structure. In the literature, many studies have been devoted to classical cryptanalysis on the MD5, such as the collision attack, the preimage attack etc. In this paper, we propose a new differential fault analysis on the MD5 compression function in the word-oriented random fault model. The simulating experimental results show that 144 random faults on average are required to obtain the current input message block. Our method not only increases the efficiency of fault injection, but also decreases the number of fault hash values. It provides a new reference for the security analysis of the same structure of the hash compression functions.

Hongbo Yu,Xiaoyun Wang

DOI: https://doi.org/10.1007/978-3-540-76788-6_17

2007-01-01

Abstract:In this paper, we present a new type of multi-collision attack on the compression functions of both MD4 and 3-Pass HAVAL. Different from Joux's multi-collision attack, our method focuses on the multi-collision of the compression function. For MD4, we utilize two different feasible collision differential paths to find a 4-collision with about 2 21 MD4 computations. For 3-Pass HAVAL, we can find a 4-collision with complexity about 2(30) and a 8-near-collision with complexity 2(9).

Gaoli Wang,Hongbo Yu

DOI: https://doi.org/10.1049/iet-ifs.2014.0244

2015-01-01

IET Information Security

Abstract:RIPEMD-128 is an ISO/IEC standard cryptographic hash function proposed in 1996 by Dobbertin, Bosselaers and Preneel. The compression function of RIPEMD-128 consists of two different and almost independent parallel lines denoted by line1 operation and line2 operation. The initial values and the output values of the last step of the two operations are combined, resulting in the final value of one iteration. In this study, the authors present collision differential characteristics for both 40-step line1 operation and 40-step line2 operation by choosing a proper message difference. By using message modification technique, they improve the probabilities of the differential characteristics so that they can give a collision attack on 40-step RIPEMD-128 hash function with a complexity of 2(35) computations. Meanwhile, they improve the distinguishing attack proposed by Landelle and Peyrin at EUROCRYPT 2013, and give a distinguisher on the full RIPEMD-128 hash function with a complexity of 2(90.4) by doing message modification.

Lei Wang,Yu Sasaki,Wataru Komatsubara,Kazuo Sakiyama,Kazuo Ohta

DOI: https://doi.org/10.1587/transfun.e95.a.100

2012-01-01

IEICE Transactions on Fundamentals of Electronics Communications and Computer Sciences

Abstract:Even though meet-in-the-middle preimage attack framework has been successfully applied to attack most of narrow-pipe hash functions, it seems difficult to apply this framework to attack double-branch hash functions. Only few results have been published on this research. This paper proposes a refined strategy of applying meet-in-the-middle attack framework to double-branch hash functions. The main novelty is a new local-collision approach named one-message-word local collision. We have applied our strategy to two double-branch hash functions RIPEMD and RIPEMD-128, and obtain the following results.On RIPEMD, We find a pseudo-preimage attack on 47-step compression function, where the full version has 48 steps, with a complexity of 2(119). It can be converted to a second preimage attack on 47-step hash function with a complexity of 2(124.5). Moreover, we also improve previous preimage attacks on (intermediate) 35-step RIPEMD, and reduce the complexity from 2(113) to 2(96).On RIPEMD-128, We find a pseudo-preimage on (intermediate) 36-step compression function, where the full version has 64 steps, with a complexity of 2(123). It can1 be converted to a preimage attack on (intermediate) 36-step hash function with a complexity of 2(126.5).Both RIPEMD and RIPEMD-128 produce 128-bit digests. Therefore our attacks are faster than the brute-force attack, which means that our attacks break the theoretical security bound of the above step-reduced variants of those two hash functions in the sense of (second) preimage resistance. The maximum number of the attacked steps on both those two hash functions is 35 among previous works based to our best knowledge. Therefore we have successfully increased the number of the attacked steps. We stress that our attacks does not break the security of full-version RIPEMD and RIPEMD-128. But the security mergin of RIPEMD becomes very narrow. On the other hand, RIPEMD-128 still has enough security margin.

Yu Sasaki,Wataru Komatsubara,Yasuhide Sakai,Lei Wang,Mitsugu Iwamoto,Kazuo Sakiyama,Kazuo Ohta

DOI: https://doi.org/10.5220/0004521101110122

2013-01-01

Abstract:In this paper, we revisit previous meet-in-the-middle preimage attacks on hash functions. We firstly present a technical improvement for the existing local-collision and initial-structure techniques. With applying some equivalent transformation, we can significantly reduce the memory requirement from the original proposals. We then revisit the previous preimage attacks on MD5 and HAVAL with recent techniques. Consequently, we can improve the memory complexity of the previous preimage attack on full MD5 from 2(45) to 2(13) and on full 4-pass HAVAL from 2(64) to 2(32). Moreover, we extend the preimage attack on 5-pass HAVAL from 151 steps to 158 steps, and present the first preimage attack with a single block message for 3-pass HAVAL.

Hongbo Yu,Jiazhe Chen,Xiaoyun Wang

DOI: https://doi.org/10.1007/978-3-662-43933-3_14

2013-01-01

Abstract:The hash function Skein is one of 5 finalists of the NIST SHA-3 competition. It is based on the block cipher Threefish which only uses three primitive operations: modular addition, rotation and bitwise XOR (ARX). This paper proposes a free-start partial-collision attack on round-reduced Skein-256 by combing the rebound attack with the modular differential techniques. The main idea of our attack is to connect two short differential paths into a long one with another differential characteristic that is complicated. Following our path, we give a free-start partial-collision attack on Skein-256 reduced to 32 rounds with Hamming distance 50 and complexity about 2(85) hash computations. In particular, we provide practical near-collision examples for Skein-256 reduced to 24 rounds and 28 rounds in the fixed tweaks and choosing tweaks setting separately. As far as we know, this is the first construction of a non-linear differential path for Skein which can lead to significantly improvement over previous analysis.

Jian Guo,Yu Sasaki,Lei Wang,Meiqin Wang,Long Wen

DOI: https://doi.org/10.1007/978-3-662-46706-0_29

2015-01-01

Abstract:A main contribution of this paper is an improved analysis against HMAC instantiating with reduced Whirlpool. It recovers equivalent keys, which are often denoted as K-in and K-out, of HMAC with 7-round Whirlpool, while the previous best attack can work only for 6 rounds. Our approach is applying the meet-in-the-middle (MITM) attack on AES to recover MAC keys of Whirlpool. Several techniques are proposed to bypass different attack scenarios between a block cipher and a MAC, e.g., the chosen plaintext model of the MITM attacks on AES cannot be used for HMAC-Whirlpool. Besides, a larger state size and different key schedule designs of Whirlpool leave us a lot of room to study. As a result, equivalent keys of HMAC with 7-round Whirlpool are recovered with a complexity of (Data, Time, Memory) = (2(481.7), 2(482.3), 2(481)).

Yu Sasaki,Lei Wang,Yasuhiro Takasaki,Kazuo Sakiyama,Kazuo Ohta

DOI: https://doi.org/10.1007/978-3-642-34117-5_10

2012-01-01

Abstract:This paper studies a boomerang-attack-based distinguisher against full steps of the compression function of HAS-160, which is the hash function standard in Korea. The attack produces a second-order collision for the full steps of the compression function with a complexity of 276.06, which is faster than the currently best-known generic attack with a complexity of 280. Previously Dunkelman et al. in 2009 applied a boomerang-based key-recovery attack on the internal block cipher of HAS-160. Because the goal of their attack is different from ours, the attack on the compression function has been reconstructed and optimized from scratch. As a result of the exhaustive search of the message difference, we found that the same message difference as theirs is the best choice for the first subcipher. We then propose some improvement to construct a differential characteristic from the message difference, which the probability of the characteristic increases from 2− 47 to 2− 44. Thus our new characteristic also improves their key-recovery attack on the internal block cipher of HAS-160.

Dongxia Bai,Hongbo Yu,Gaoli Wang,Xiaoyun Wang

DOI: https://doi.org/10.1007/978-3-642-39059-3_17

2013-01-01

Abstract:The cryptographic hash function SM3 is designed by X. Wang et al. and published by Chinese Commercial Cryptography Administration Office for the use of electronic certification service system in China. It is based on the Merkle-Damgård design and is very similar to SHA-2 but includes some additional strengthening features. In this paper, we apply the boomerang attack to SM3 compression function, and present such distinguishers on up to 34/35/36/37 steps out of 64 steps, with time complexities 231.4, 233.6, 273.4 and 293 compression function calls respectively. Especially, we are able to obtain the examples of the distinguishers on 34-step and 35-step on a PC due to their practical complexities. In addition, incompatible problems in the recent boomerang attack are pointed out. © 2013 Springer-Verlag.

Jian Guo,Yu Sasaki,Lei Wang,Shuang Wu

DOI: https://doi.org/10.1007/978-3-642-42045-0_2

2015-01-01

Abstract:In this paper, we present universal forgery and key recovery attacks on the most popular hash-based MAC constructions, e.g., HMAC and NMAC, instantiated with an AES-like hash function Whirlpool. These attacks work with Whirlpool reduced to 6 out of 10 rounds in single-key setting. To the best of our knowledge, this is the first result on "original" key recovery for HMAC ( previous works only succeeded in recovering the equivalent keys). Interestingly, the number of attacked rounds is comparable with that for collision and preimage attacks on Whirlpool hash function itself. Lastly, we present a distinguishing-H attack against the full HMAC- and NMAC-Whirlpool.

Xiaoyun Wang,Hongbo Yu

DOI: https://doi.org/10.1007/11426639_2

2005-01-01

Abstract:MD5 is one of the most widely used cryptographic hash functions nowadays. It was designed in 1992 as an improvement of MD4, and its security was widely studied since then by several authors. The best known result so far was a semi free-start collision, in which the initial value of the hash function is replaced by a non-standard value, which is the result of the attack. In this paper we present a new powerful attack on MD5 which allows us to find collisions efficiently. We used this attack to find collisions of MD5 in about 15 minutes up to an hour computation time. The attack is a differential attack, which unlike most differential attacks, does not use the exclusive-or as a measure of difference, but instead uses modular integer subtraction as the measure. We call this kind of differential a modular differential. An application of this attack to MD4 can find a collision in less than a fraction of a second. This attack is also applicable to other hash functions, such as RIPEMD and HAVAL.

Yu Sasaki,Lei Wang

DOI: https://doi.org/10.1007/978-3-642-31284-7_17

2012-01-01

Abstract:This paper presents differential-based distinguishers against ISO standard hash functions RIPEMD-128 and RIPEMD-160. Second-order differential paths are constructed on reduced steps of their compression functions. These lead to 4-sum attacks on 47 steps (out of 64 steps) of RIPEMD-128 and 40 steps (out of 80 steps) of RIPEMD-160. Then new properties called a (partial) 2-dimension sum and q-multi-second-order collision are considered. The partial 2-dimension sum is generated on 48 steps of RIPEMD-128 and 42 steps of RIPEMD-160, with a complexity of 235 and 236, respectively. Theoretically, 2-dimension sums are generated faster than the brute force attack up to 52 steps of RIPEMD-128 and 51 steps of RIPEMD-160, with a complexity of 2101 and 2158, respectively. The attacks on RIPEMD-128 can also be regarded as q-multi-second-order collision attacks. The practical attacks are implemented and generated examples are presented. We stress that our results do not impact to the security of full RIPEMD-128 and RIPEMD-160 hash functions.

Yu Sasaki,Lei Wang

DOI: https://doi.org/10.1587/transfun.e97.a.177

2013-01-01

IEICE Transactions on Fundamentals of Electronics Communications and Computer Sciences

Abstract:This paper presents differential-based distinguishers against double-branch compression functions and applies them to ISO standard hash functions RIPEMD-128 and RIPEMD-160. A double-branch compression function computes two branch functions to update a chaining variable and then merges their outputs. For such a compression function, we observe that second-order differential paths will be constructed by finding a sub-path in each branch independently. This leads to 4-sum attacks on 47 steps (out of 64 steps) of RIPEMD-128 and 40 steps (out of 80 steps) of RIPEMD-160. Then new properties called a (partial) 2-dimension sum and a q-multi-second-order collision are considered. The partial 2-dimension sum is generated on 48 steps of RIPEMD-128 and 42 steps of RIPEMD-160, with complexities of 2(35) and 2(36), respectively. Theoretically, the 2-dimension sum is generated faster than the brute force attack up to 52 steps of RIPEMD-128 and 51 steps of RIPEMD-160, with complexities of 2101 and 2(158), respectively. The results on RIPEMD-128 can also be viewed as q-multi-second-order collision attacks. The practical attacks have been implemented and examples are presented. We stress that our results do not impact to the security of full RIPEMD-128 and RIPEMD-160 hash functions.

Hongbo Yu,Xiaoyun Wang

DOI: https://doi.org/10.1007/978-3-642-22497-3_11

2011-01-01

Abstract:SIMD is one of the second round candidates of the SHA-3 competition hosted by NIST. In this paper, we present the first attack for the compression function of the reduced SIMD-256 and the full SIMD-512 (the tweaked version) using the modular difference method. For SIMD256, we give a free-start near collision attack on the compression function reduced to 20 steps with complexity 2(116). And for SIMD-512, we give a free-start near collision attack on the 24-step compression function with complexity 2(235). Furthermore, we give a distinguisher attack for the full compression function of SIMD-512 with complexity 2(475). Our attacks are also applicable for the final compression function of SIMD.