Yanzhao Shen,Dongxia Bai,Hongbo Yu

DOI: https://doi.org/10.1007/s11432-017-9119-6

2017-01-01

Science China Information Sciences

Abstract:SM3 is the Chinese hash standard and is standardized in GB/T 32905-2016 [1].As a hash function,it must fulfill three security requirements,collision resistance,preinage resistance,and second preimage resistance.During the ongoing evaluation,it is believed that whenever the hash function behaves differently from a random function,it is considered as the hash function's weakness.In recent years,the analysis has not only been limited to the classical security requirements,but also in the near-collision,boomerang distinguisher,and (semi-)free-start collision.Most of the previous preimage attacks on SM3 [2,3] are either without padding or padding is not present from the first step.The best boomerang attack on SM3 covers 37 steps [4,5].In this article,we focus on the preimage attack from the first step,with message padding.A preinage attack on 30-step SM3 is proposed.Furthermore,we improve the 37-step boomerang attack and extend it to the 38-step boomerang attack.A summary of the previous results and along with our owns is given in Table 1.

WANG Gao-li,SHEN Yan-zhao

DOI: https://doi.org/10.3969/j.issn.1000-436x.2014.02.006

2014-01-01

Abstract:The security of SM3 hash function was revaluated by using the meet-in-the-middle attack. The preimage and pseudo-collision attack on 29-step SM3 hash function (from the 1-st step) with padding was presented. The time com-plexities are 2254 and 2125 respectively. Therefore, the 29-step SM3 hash function is not immune to preimage and pseu-do-collision attack.

aleksandar kircanski,yanzhao shen,gaoli wang,amr m youssef

DOI: https://doi.org/10.1007/978-3-642-35999-6_20

2012-01-01

Abstract:SM3 is a hash function, designed by Xiaoyun Wang et al. and published by the Chinese Commercial Cryptography Administration Office for the use of electronic authentication service system. The design of SM3 builds upon the design of the SHA-2 hash function, but introduces additional strengthening features. In this paper, we present boomerang distinguishers for the SM3 compression function reduced to 32 steps out of 64 steps with complexity 2 14.4, 33 steps with complexity 232.4, 34 steps with complexity 253.1 and 35 steps with complexity 2117.1. Examples of zero-sum quartets for the 32-step and 33-step SM3 compression function are provided. We also point out a slide-rotational property of SM3-XOR, which exists due to the fact that constants used in the steps are not independent. © 2013 Springer-Verlag Berlin Heidelberg.

Kazumaro Aoki,Jian Guo,Krystian Matusiewicz,Yu Sasaki,Lei Wang

DOI: https://doi.org/10.1007/978-3-642-10366-7_34

2009-01-01

Abstract:In this paper, we present preimage attacks on up to 43-step SHA-256 (around 67% of the total 64 steps) and 46-step SHA-512 (around 57.5% of the total 80 steps), which significantly increases the number of attacked steps compared to the best previously published preimage attack working for 24 steps. The time complexities are 2251.9, 2509 for finding pseudo-preimages and 2254.9, 2511.5 compression function operations for full preimages. The memory requirements are modest, around 26 words for 43-step SHA-256 and 46-step SHA-512. The pseudo-preimage attack also applies to 43-step SHA-224 and SHA-384. Our attack is a meet-in-the-middle attack that uses a range of novel techniques to split the function into two independent parts that can be computed separately and then matched in a birthday-style phase.

Gaoli Wang,Yanzhao Shen

DOI: https://doi.org/10.1007/978-3-319-13257-0_6

2014-01-01

Abstract:The hash function HAS-160 is standardized by the Korean government and widely used in Korea, and the hash function RIPEMD-160 is a worldwide ISO/IEC standard. In this paper, by careful analysis of the two hash functions, we propose a pseudo-preimage attack on 71-step HAS-160 (no padding) with complexity 2158.13 and a preimage attack on 34-step RIPEMD-160 (with padding) with complexity 2158.91. Both of the attacks are from the first step. The improved results are derived from the differential meet-in-the-middle attack and biclique technique etc. As far as we know, they are the best pseudo-preimage and preimage attacks on step-reduced HAS-160 and RIPEMD-160 respectively in terms of the step number.

Dongxia Bai,Hongbo Yu,Gaoli Wang,Xiaoyun Wang

DOI: https://doi.org/10.1007/978-3-642-39059-3_17

2013-01-01

Abstract:The cryptographic hash function SM3 is designed by X. Wang et al. and published by Chinese Commercial Cryptography Administration Office for the use of electronic certification service system in China. It is based on the Merkle-Damgård design and is very similar to SHA-2 but includes some additional strengthening features. In this paper, we apply the boomerang attack to SM3 compression function, and present such distinguishers on up to 34/35/36/37 steps out of 64 steps, with time complexities 231.4, 233.6, 273.4 and 293 compression function calls respectively. Especially, we are able to obtain the examples of the distinguishers on 34-step and 35-step on a PC due to their practical complexities. In addition, incompatible problems in the recent boomerang attack are pointed out. © 2013 Springer-Verlag.

Lei Wang,Yu Sasaki,Wataru Komatsubara,Kazuo Sakiyama,Kazuo Ohta

DOI: https://doi.org/10.1587/transfun.e95.a.100

2012-01-01

IEICE Transactions on Fundamentals of Electronics Communications and Computer Sciences

Abstract:Even though meet-in-the-middle preimage attack framework has been successfully applied to attack most of narrow-pipe hash functions, it seems difficult to apply this framework to attack double-branch hash functions. Only few results have been published on this research. This paper proposes a refined strategy of applying meet-in-the-middle attack framework to double-branch hash functions. The main novelty is a new local-collision approach named one-message-word local collision. We have applied our strategy to two double-branch hash functions RIPEMD and RIPEMD-128, and obtain the following results.On RIPEMD, We find a pseudo-preimage attack on 47-step compression function, where the full version has 48 steps, with a complexity of 2(119). It can be converted to a second preimage attack on 47-step hash function with a complexity of 2(124.5). Moreover, we also improve previous preimage attacks on (intermediate) 35-step RIPEMD, and reduce the complexity from 2(113) to 2(96).On RIPEMD-128, We find a pseudo-preimage on (intermediate) 36-step compression function, where the full version has 64 steps, with a complexity of 2(123). It can1 be converted to a preimage attack on (intermediate) 36-step hash function with a complexity of 2(126.5).Both RIPEMD and RIPEMD-128 produce 128-bit digests. Therefore our attacks are faster than the brute-force attack, which means that our attacks break the theoretical security bound of the above step-reduced variants of those two hash functions in the sense of (second) preimage resistance. The maximum number of the attacked steps on both those two hash functions is 35 among previous works based to our best knowledge. Therefore we have successfully increased the number of the attacked steps. We stress that our attacks does not break the security of full-version RIPEMD and RIPEMD-128. But the security mergin of RIPEMD becomes very narrow. On the other hand, RIPEMD-128 still has enough security margin.

Yanzhao Shen,Gaoli Wang

DOI: https://doi.org/10.3837/tiis.2018.02.011

2018-01-01

Abstract:The hash function RIPEMD-160 is a worldwide ISO/IEC standard and the hash function HAS-160 is the Korean hash standard and is widely used in Korea. On the basis of differential meet-in-the-middle attack and biclique technique, a preimage attack on 34-step RIPEMD-160 with message padding and a pseudo-preimage attack on 71-step HAS-160 without message padding are proposed. The former is the first preimage attack from the first step, the latter increases the best pseudo-preimage attack from the first step by 5 steps. Furthermore, we locate the linear spaces in another message words and exchange the bicliques construction process and the mask vector search process. A preimage attack on 35-step RIPEMD-160 and a preimage attack on 71-step HAS-160 are presented. Both of the attacks are from the intermediate step and satisfy the message padding. They improve the best preimage attacks from the intermediate step on step-reduced RIPEMD-160 and HAS-160 by 4 and 3 steps respectively. As far as we know, they are the best preimage and pseudo-preimage attacks on step-reduced RIPEMD-160 and HAS-160 respectively in terms of number of steps.

Lingyue Qin,Jialiang Hua,Xiaoyang Dong,Hailun Yan,Xiaoyun Wang

DOI: https://doi.org/10.1007/978-3-031-30634-1_6

2023-01-01

Abstract:The Meet-in-the-Middle (MitM) attack has been widely applied to preimage attacks on Merkle-Damgård (MD) hashing. In this paper, we introduce a generic framework of the MitM attack on sponge-based hashing. We find certain bit conditions can significantly reduce the diffusion of the unknown bits and lead to longer MitM characteristics. To find good or optimal configurations of MitM attacks, e.g., the bit conditions, the neutral sets, and the matching points, we introduce the bit-level MILP-based automatic tools on Keccak, Ascon and Xoodyak. To reduce the scale of bit-level models and make them solvable in reasonable time, a series of properties of the targeted hashing are considered in the modelling, such as the linear structure and CP-kernel for Keccak, the Boolean expression of Sbox for Ascon. Finally, we give an improved 4-round preimage attack on Keccak-512/SHA3, and break a nearly 10 years’ cryptanalysis record. We also give the first preimage attacks on 3-/4-round Ascon-XOF and 3-round Xoodyak-XOF.

Gaoli Wang,Shaohui Wang

DOI: https://doi.org/10.1007/978-3-642-00843-6_24

2009-01-01

Abstract:RIPEMD is a cryptographic hash function devised in the framework of the RIPE project (RACE Integrity Primitives Evaluation, 1988-1992). It consists of two parallel lines, and each line is identical to MD4 except for some internal constants. It has been broken by the collision attack, but no preimage attack was given. In this paper, we give a preimage attack on the compression function of the 26-step reduced RIPEMD with complexity 2110 compression function computations, and we extend the attack on the compression function to an attack on the 26-step reduced RIPEMD with complexity 2115.2 instead of 2128. Then we extend the attack on 26 steps to the attack on 29 steps with the same complexity. Moreover, we can reduce the complexity of the preimage attack on the full RIPEMD without the padding rule by 1 bit compared with the brute-force attack.

Lei Wang,Yu Sasaki,Wataru Komatsubara,Kazuo Ohta,Kazuo Sakiyama

DOI: https://doi.org/10.1007/978-3-642-19074-2_14

2011-01-01

Abstract:This paper uses new types of local collisions named one-message-word local collisions to construct meet-in-the-middle preimage attacks on two double-branch hash functions RIPEMD and RIPEMD-128, and obtains the following results.

Gao-Li Wang

DOI: https://doi.org/10.1007/s11390-013-1317-5

2013-01-01

Abstract:The cryptographic hash functions Extended MD4 and RIPEMD are double-branch hash functions, which consist of two parallel branches. Extended MD4 was proposed by Rivest in 1990, and RIPEMD was devised in the framework of the RIPE project (RACE Integrity Primitives Evaluation, 1988 ~ 1992). On the basis of differential analysis and meet-in-the-middle attack principle, this paper proposes a collision attack on the full Extended MD4 and a pseudo-preimage attack on the full RIPEMD respectively. The collision attack on Extended MD4 holds with a complexity of 237, and a collision instance is presented. The pseudo-preimage attack on RIPEMD holds with a complexity of 2125:4, which optimizes the complexity order for brute-force attack. The results in this study will also be beneficial to the analysis of other double-branch hash functions such as RIPEMD-160.

Lei Wang,Yu Sasaki

DOI: https://doi.org/10.1587/transfun.e94.a.110

2011-01-01

Abstract:This paper evaluates the preimage resistance of the Tiger hash function. To our best knowledge, the maximum number of the attacked steps is 17 among previous preimage attacks on Tiger, where the full version has 24 steps. Our attack will extend the number of the attacked steps to 23. The main contribution is a pseudo-preimage attack on the compression function up to 23 steps with a complexity of 2181 following the meet-in-the-middle approach. This attack can be converted to a preimage attack on 23-step Tiger hash function with a complexity of 2(187.5). The memory requirement of our attack is 222 words. A Tiger digest has 192 bits. Therefore, our attacks are faster than the exhaustive search.

Lei Wang,Yu Sasaki

DOI: https://doi.org/10.1007/978-3-642-13858-4_7

2010-01-01

Abstract:This paper evaluates the preimage resistance of the Tiger hash function. We will propose a pseudo-preimage attack on its compression function up to 23 steps with a complexity of 2(181), which can be converted to a preimage attack on 23-step Tiger hash function with a complexity of 2(187.5). The memory requirement of these attacks is 2(22) words. Our pseudo-preimage attack on the Tiger compression function adopts the meet-in-the-middle approach. We will divide the computation of the Tiger compression function into two independent parts. This enables us to transform the target of finding a pseudo-preimage to another target of finding a collision between two independent sets of some internal state, which will reduce the complexity. In order to maximize the number of the attacked steps, we derived several properties or weaknesses in both the key schedule function and the step function of the Tiger compression function, which gives us more freedom to separate the Tiger compression function.

Jinmin Zhong,Xuejia Lai

2011-01-01

Journal of information science and engineering

Abstract:DHA-256 (Double Hash Algorithm) was proposed at the Cryptographic Hash Workshop hosted by NIST in November 2005. DHA-256 is a dedicated ha sh function with output length of 256 bits and 64 steps of operations designed to enhance SHA-256 security. In this paper, we show an attack on 35-step DHA-256. The attack finds pseudo-preimage and preimage of 35-step DHA-256 with the time complexity of 2 240 and 2 249 compression function operations, respectively, and 2 16 x 11 words memory. To the best of our knowledge, this is the first paper that analyzes the preimage resistance of DHA-256.

Hongbo Yu,Jiazhe Chen,Xiaoyun Wang

DOI: https://doi.org/10.1007/978-3-662-43933-3_14

2013-01-01

Abstract:The hash function Skein is one of 5 finalists of the NIST SHA-3 competition. It is based on the block cipher Threefish which only uses three primitive operations: modular addition, rotation and bitwise XOR (ARX). This paper proposes a free-start partial-collision attack on round-reduced Skein-256 by combing the rebound attack with the modular differential techniques. The main idea of our attack is to connect two short differential paths into a long one with another differential characteristic that is complicated. Following our path, we give a free-start partial-collision attack on Skein-256 reduced to 32 rounds with Hamming distance 50 and complexity about 2(85) hash computations. In particular, we provide practical near-collision examples for Skein-256 reduced to 24 rounds and 28 rounds in the fixed tweaks and choosing tweaks setting separately. As far as we know, this is the first construction of a non-linear differential path for Skein which can lead to significantly improvement over previous analysis.

Yu Sasaki,Wataru Komatsubara,Yasuhide Sakai,Lei Wang,Mitsugu Iwamoto,Kazuo Sakiyama,Kazuo Ohta

DOI: https://doi.org/10.5220/0004521101110122

2013-01-01

Abstract:In this paper, we revisit previous meet-in-the-middle preimage attacks on hash functions. We firstly present a technical improvement for the existing local-collision and initial-structure techniques. With applying some equivalent transformation, we can significantly reduce the memory requirement from the original proposals. We then revisit the previous preimage attacks on MD5 and HAVAL with recent techniques. Consequently, we can improve the memory complexity of the previous preimage attack on full MD5 from 2(45) to 2(13) and on full 4-pass HAVAL from 2(64) to 2(32). Moreover, we extend the preimage attack on 5-pass HAVAL from 151 steps to 158 steps, and present the first preimage attack with a single block message for 3-pass HAVAL.

Norbert Pramstaller,Christian Rechberger,Vincent Rijmen

DOI: https://doi.org/10.1007/11693383_16

2006-01-01

Abstract:We present a collision attack on SMASH. SMASH was proposed as a new hash function design strategy that does not rely on the structure of the MD4 family. The presented attack method allows us to produce almost any desired difference in the chaining variables of the iterated hash function. Due to the absence of a secret key, we are able to construct differences with probability 1. Furthermore, we get only few constraints on the colliding messages, which allows us to construct meaningful collisions. The presented collision attack uses negligible resources and we conjecture that it works for all hash functions built following the design strategy of SMASH.

Limin Guo,Lihui Wang,Qing Li,Zhimin Zhang,Dan Liu,Weijun Shan

DOI: https://doi.org/10.2991/iset-15.2015.25

2015-01-01

Abstract:HMAC algorithm is one of the most famous keyed hash functions, and widely utilized. And SM3 is the only standard hash algorithm of China. However, most cryptographic algorithms implementations are vulnerable against side channel attacks. But specific side channel attacks on HMAC-SM3 have not been given so far. This paper presents a first-order DPA attack on HMAC-SM3. HMAC-SM3 hash algorithm is based on the mixing of different algebraic operations, such as XOR and addition modulo 2(32), thus the proposed DPA attack is mainly against these basic group operations. Experimental results are given by attacking an implementation of HMAC-SM3 in a smart card, which demonstrate the practicability of such attacks described in this paper.