Kazumaro Aoki,Jian Guo,Krystian Matusiewicz,Yu Sasaki,Lei Wang

DOI: https://doi.org/10.1007/978-3-642-10366-7_34

2009-01-01

Abstract:In this paper, we present preimage attacks on up to 43-step SHA-256 (around 67% of the total 64 steps) and 46-step SHA-512 (around 57.5% of the total 80 steps), which significantly increases the number of attacked steps compared to the best previously published preimage attack working for 24 steps. The time complexities are 2251.9, 2509 for finding pseudo-preimages and 2254.9, 2511.5 compression function operations for full preimages. The memory requirements are modest, around 26 words for 43-step SHA-256 and 46-step SHA-512. The pseudo-preimage attack also applies to 43-step SHA-224 and SHA-384. Our attack is a meet-in-the-middle attack that uses a range of novel techniques to split the function into two independent parts that can be computed separately and then matched in a birthday-style phase.

Shiwei Chen,Ting Cui,Chenhui Jin,Congjun Wang

DOI: https://doi.org/10.1049/2024/1230891

2024-03-22

IET Information Security

Abstract:The exclusive-or (XOR) hash combiner is a classical hash function combiner, which is well known as a good PRF and MAC combiner, and is used in practice in TLS versions 1.0 and 1.1. In this work, we analyze the second preimage resistance of the XOR combiner underlying two different narrow-pipe hash functions with weak ideal compression functions. To control simultaneously the behavior of the two different hash functions, we develop a new structure called multicollision-and-double-diamond. Multicollision-and-double-diamond structure is constructed using the idea of meet-in-the-middle technique, combined with Joux’s multicollision and Chen’s inverse-diamond structure. Then based on the multicollision-and-double-diamond structure, we present a second preimage attack on the XOR hash combiner with the time complexity of about O 2 n + 1 2 n / 2 + n − l 2 n − l + n − k 2 n − k + 2 l + 1 + 2 k + 1 ) ( n is the size of the XOR hash combiner and l and k are respectively the depths of the two inverse-diamond structures), less than the ideal time complexity O 2 n , and memory of about O 2 k + 2 l .

computer science, information systems, theory & methods

Hongbo Yu,Gaoli Wang,Guoyan Zhang,Xiaoyun Wang

DOI: https://doi.org/10.1007/11599371_1

2005-01-01

Abstract:In Eurocrypt’05, Wang et al. presented new techniques to find collisions of Hash function MD4. The techniques are not only efficient to search for collisions, but also applicable to explore the second- preimage of MD4. About the second-preimage attack, they showed that a random message was a weak message with probability 2−122 and it only needed a one-time MD4 computation to find the second-preimage corresponding to the weak message. A weak message means that there exits a more efficient attack than the brute force attack to find its second-preimage. In this paper, we find another new collision differential path which can be used to find the second-preimage for more weak messages. For any random message, it is a weak message with probability 2−56, and it can be converted into a weak message by message modification techniques with about 227 MD4 computations. Furthermore, the original message is close to the resulting message (weak message), i.e, the Hamming weight of the difference for two messages is about 44.

Xiaoyun Wang,Xuejia Lai,Dengguo Feng,Hui Chen,Xiuyuan Yu

DOI: https://doi.org/10.1007/11426639_1

2005-01-01

Abstract:MD4 is a hash function developed by Rivest in 1990. It serves as the basis for most of the dedicated hash functions such as MD5, SHAx, RIPEMD, and HAVAL. In 1996, Dobbertin showed how to find collisions of MD4 with complexity equivalent to 220 MD4 hash computations. In this paper, we present a new attack on MD4 which can find a collision with probability 2− 2 to 2− 6, and the complexity of finding a collision doesn’t exceed 28 MD4 hash operations. Built upon the collision search attack, we present a chosen-message pre-image attack on MD4 with complexity below 28. Furthermore, we show that for a weak message, we can find another message that produces the same hash value. The complexity is only a single MD4 computation, and a random message is a weak message with probability 2− 122.The attack on MD4 can be directly applied to RIPEMD which has two parallel copies of MD4, and the complexity of finding a collision is about 218 RIPEMD hash operations.

Lingyue Qin,Jialiang Hua,Xiaoyang Dong,Hailun Yan,Xiaoyun Wang

DOI: https://doi.org/10.1007/978-3-031-30634-1_6

2023-01-01

Abstract:The Meet-in-the-Middle (MitM) attack has been widely applied to preimage attacks on Merkle-Damgård (MD) hashing. In this paper, we introduce a generic framework of the MitM attack on sponge-based hashing. We find certain bit conditions can significantly reduce the diffusion of the unknown bits and lead to longer MitM characteristics. To find good or optimal configurations of MitM attacks, e.g., the bit conditions, the neutral sets, and the matching points, we introduce the bit-level MILP-based automatic tools on Keccak, Ascon and Xoodyak. To reduce the scale of bit-level models and make them solvable in reasonable time, a series of properties of the targeted hashing are considered in the modelling, such as the linear structure and CP-kernel for Keccak, the Boolean expression of Sbox for Ascon. Finally, we give an improved 4-round preimage attack on Keccak-512/SHA3, and break a nearly 10 years’ cryptanalysis record. We also give the first preimage attacks on 3-/4-round Ascon-XOF and 3-round Xoodyak-XOF.

Zhiyu Zhang,Siwei Sun,Caibing Wang,Lei Hu

DOI: https://doi.org/10.46586/tosc.v2023.i2.224-252

2023-06-16

IACR Transactions on Symmetric Cryptology

Abstract:At EUROCRYPT 2006, Kelsey and Kohno proposed the so-called chosen target forced-prefix (CTFP) preimage attack, where for any challenge prefix P, the attacker can generate a suffix S such that H(P∥S) = y for some hash value y published in advance by the attacker. Consequently, the attacker can pretend to predict some event represented by P she did not know before, and thus this type of attack is also known as the Nostradamus attack. At ASIACRYPT 2022, Benedikt et al. convert Kelsey et al.’s attack to a quantum one, reducing the time complexity from O(√n · 22n/3) to O( 3√n · 23n/7). CTFP preimage attack is less investigated in the literature than (second-)preimage and collision attacks and lacks dedicated methods. In this paper, we propose the first dedicated Nostradamus attack based on the meet-in-the-middle (MITM) attack, and the MITM Nostradamus attack could be up to quadratically accelerated in the quantum setting. According to the recent works on MITM preimage attacks on AES-like hashing, we build an automatic tool to search for optimal MITM Nostradamus attacks and model the tradeoff between the offline and online phases. We apply our method to AES-MMO and Whirlpool, and obtain the first dedicated attack on round-reduced version of these hash functions. Our method and automatic tool are applicable to other AES-like hashings.

Congming Wei,Xiaoyang Dong,Willi Meier,Lingyue Qin,Ximing Fu

DOI: https://doi.org/10.1093/comjnl/bxac150

2023-01-01

Abstract:At FSE 2008, Leurent introduced the preimage attack on MD4 by exploiting differential trails. In this paper, we apply the differential-aided preimage attack to Keccak with the message modification techniques. Instead of directly finding the preimage, we exploit differential characteristics to modify the messages, so that the differences of their hashing values and the changes of given target can be controlled. By adding some constraints, a trail can be used to change one bit at a time and reduce the time complexity by a factor of 2. When the number of rounds increases, we introduce two-stage modification techniques to satisfy part of constraints as well. In order to solve other constraints, we also combine the linear-structure technique and accordingly give a preimage attack on 5-round Keccak[r = 1440, c = 160,l= 80].

Hongbo Yu,Jiazhe Chen,Xiaoyun Wang

DOI: https://doi.org/10.1007/978-3-662-43933-3_14

2013-01-01

Abstract:The hash function Skein is one of 5 finalists of the NIST SHA-3 competition. It is based on the block cipher Threefish which only uses three primitive operations: modular addition, rotation and bitwise XOR (ARX). This paper proposes a free-start partial-collision attack on round-reduced Skein-256 by combing the rebound attack with the modular differential techniques. The main idea of our attack is to connect two short differential paths into a long one with another differential characteristic that is complicated. Following our path, we give a free-start partial-collision attack on Skein-256 reduced to 32 rounds with Hamming distance 50 and complexity about 2(85) hash computations. In particular, we provide practical near-collision examples for Skein-256 reduced to 24 rounds and 28 rounds in the fixed tweaks and choosing tweaks setting separately. As far as we know, this is the first construction of a non-linear differential path for Skein which can lead to significantly improvement over previous analysis.

Lei Wang,Yu Sasaki,Wataru Komatsubara,Kazuo Sakiyama,Kazuo Ohta

DOI: https://doi.org/10.1587/transfun.e95.a.100

2012-01-01

IEICE Transactions on Fundamentals of Electronics Communications and Computer Sciences

Abstract:Even though meet-in-the-middle preimage attack framework has been successfully applied to attack most of narrow-pipe hash functions, it seems difficult to apply this framework to attack double-branch hash functions. Only few results have been published on this research. This paper proposes a refined strategy of applying meet-in-the-middle attack framework to double-branch hash functions. The main novelty is a new local-collision approach named one-message-word local collision. We have applied our strategy to two double-branch hash functions RIPEMD and RIPEMD-128, and obtain the following results.On RIPEMD, We find a pseudo-preimage attack on 47-step compression function, where the full version has 48 steps, with a complexity of 2(119). It can be converted to a second preimage attack on 47-step hash function with a complexity of 2(124.5). Moreover, we also improve previous preimage attacks on (intermediate) 35-step RIPEMD, and reduce the complexity from 2(113) to 2(96).On RIPEMD-128, We find a pseudo-preimage on (intermediate) 36-step compression function, where the full version has 64 steps, with a complexity of 2(123). It can1 be converted to a preimage attack on (intermediate) 36-step hash function with a complexity of 2(126.5).Both RIPEMD and RIPEMD-128 produce 128-bit digests. Therefore our attacks are faster than the brute-force attack, which means that our attacks break the theoretical security bound of the above step-reduced variants of those two hash functions in the sense of (second) preimage resistance. The maximum number of the attacked steps on both those two hash functions is 35 among previous works based to our best knowledge. Therefore we have successfully increased the number of the attacked steps. We stress that our attacks does not break the security of full-version RIPEMD and RIPEMD-128. But the security mergin of RIPEMD becomes very narrow. On the other hand, RIPEMD-128 still has enough security margin.

Hongbo Yu,Xiaoyun Wang

DOI: https://doi.org/10.1007/978-3-540-76788-6_17

2007-01-01

Abstract:In this paper, we present a new type of multi-collision attack on the compression functions of both MD4 and 3-Pass HAVAL. Different from Joux's multi-collision attack, our method focuses on the multi-collision of the compression function. For MD4, we utilize two different feasible collision differential paths to find a 4-collision with about 2 21 MD4 computations. For 3-Pass HAVAL, we can find a 4-collision with complexity about 2(30) and a 8-near-collision with complexity 2(9).

Le He,Xiaoen Lin,Hongbo Yu

DOI: https://doi.org/10.46586/tosc.v2021.i3.84-101

2021-01-01

IACR Transactions on Symmetric Cryptology

Abstract:In this paper, we provide an improved method on preimage attacks of standard 3-round Keccak-224/256. Our method is based on the work by Li and Sun. Their strategy is to find a 2-block preimage instead of a 1-block one by constructing the first and second message blocks in two stages. Under this strategy, they design a new linear structure for 2-round Keccak-224/256 with 194 degrees of freedom left, which is able to construct the second message block with a complexity of 2(31)/2(62). However, the bottleneck of this strategy is that the first stage needs much more expense than the second one. Therefore, we improve the first stage by using two techniques. The first technique is constructing multi-block messages rather than one-block message in the first stage, which can reach a better inner state. The second technique is setting restricting equations more efficiently, which can work in 3-round Keccak-256. As a result, the complexity of finding a preimage for 3-round Keccak-224/256 can be decreased from 2(38)/2(81) to 2(32)/2(65).

Jin-min Zhong,Xue-jia Lai,Ming Duan

DOI: https://doi.org/10.1007/s12204-011-1215-3

2011-01-01

Abstract:HAVAL is a hash function proposed by Zheng et al. in 1992, including 3-, 4- and 5-pass versions. We improve pseudo-preimage and preimage attacks on 3-pass HAVAL at the complexity of 2172 and 2209.6, respectively, as compared to the previous best known results: 2192 and 2225 by Sasaki et al. in 2008. We extend the skip interval for partial-patching and apply the initial structure technique to find the better message chunks, and combine the indirect-partial-matching, partial-fixing and multi-neutral-word partial-fixing techniques to improve the attacks based on the meet-in-the-middle method. These are the best pseudo-preimage and preimage attacks on 3-pass HAVAL.

bozhong liu,zheng gong,xiaohong chen,weidong qiu,dong zheng

DOI: https://doi.org/10.1109/ITAPP.2010.5566639

2010-01-01

Abstract:Hash functions are widely used in authentication. In this paper, the security of Lin et al.'s efficient block-cipher-based hash function is reviewed. By using Joux's multicollisions and Kelsey et al.'s expandable message techniques, we find the scheme is vulnerable to collision, preimage and second preimage attacks. Some modifications are recommended to avoid those security flaws in Lin et al.'s hash construction.

Le He,Xiaoen Lin,Hongbo Yu

DOI: https://doi.org/10.46586/tosc.v2021.i1.217-238

2021-01-01

IACR Transactions on Symmetric Cryptology

Abstract:This paper provides an improved preimage attack method on standard 4-round Keccak-224/256. The method is based on the work pioneered by Li and Sun, who design a linear structure of 2-round Keccak-224/256 with 194 degrees of freedom left. By partially linearizing 17 output bits through the last 2 rounds, they finally reach a complexity of 2207/2239 for searching a 4-round preimage. Yet under their strategy, those 17 bits are regarded as independent bits and the linearization costs a great amount of freedom. Inspired by their thoughts, we improve the partial linearization method where multiple output bits can reuse some common degrees of freedom. As a result, the complexity of preimage attack on 4-round Keccak-224/256 can be decreased to 2192/2218, which are both the best known theoretical preimage cryptanalysis so far. To support the theoretical analysis, we apply our strategy to a 64-bit partial preimage attack within practical complexity. It is remarkable that this partial linearization method can be directly applied if a better linear structure with more freedom left is proposed.

Hongbo Yu,Xiaoyun Wang

DOI: https://doi.org/10.1007/978-3-642-22497-3_11

2011-01-01

Abstract:SIMD is one of the second round candidates of the SHA-3 competition hosted by NIST. In this paper, we present the first attack for the compression function of the reduced SIMD-256 and the full SIMD-512 (the tweaked version) using the modular difference method. For SIMD256, we give a free-start near collision attack on the compression function reduced to 20 steps with complexity 2(116). And for SIMD-512, we give a free-start near collision attack on the 24-step compression function with complexity 2(235). Furthermore, we give a distinguisher attack for the full compression function of SIMD-512 with complexity 2(475). Our attacks are also applicable for the final compression function of SIMD.

Lei Wang,Kazuo Ohta,Noboru Kunihiro

DOI: https://doi.org/10.1587/transfun.e92.a.76

2009-01-01

Abstract:The most widely used hash functions from MD4 family have been broken, which lead to a public competition on designing new hash functions held by NIST. This paper focuses on one concept called near-collision resistance: computationally difficult to find a pair of messages with hash values differing in only few bits, which new hash functions should satisfy. In this paper, we will give a model of near-collisions on MD4, and apply it to attack protocols including HMAC/NMAC-MD4 and MD4(Password||Challenge). Our new outer-key recovery attacks on HMAC/NMAC-MD4 has a complexity of 272 online queries and 277 MD4 computations, while previous result was 288 online queries and 295 MD4 computations. Our attack on MD4(Password||Challenge) can recover 16 password characters with a complexity of 237 online queries and 221 MD4 computations, which is the first approach to attack such protocols.

Chengqing Li,Xianhui Shen,Sheng Liu

DOI: https://doi.org/10.1109/mmul.2024.3356494

IF: 3.4911

2024-01-01

IEEE Multimedia

Abstract:This paper conducts a security analysis of an image encryption algorithm that employs 2D Lag-Complex Logistic Map (LCLM) as a Pseudo-Random Number Generator (PRNG). This algorithm uses the sum of all pixel values in the plainimage as the initial value for the PRNG, thereby influencing the randomization of basic encryption operations. However, it is observed that certain factors lead to the generation of identical pseudo-random sequences for different plain images. Capitalizing on this vulnerability, we propose a chosen-plaintext attack strategy that effectively cracks the six encryption steps through a divide-and-conquer approach. By exploiting weaknesses inherent in the 2D-LCLM, the number of required chosen plain images is significantly reduced to 5 · log2(MN) + 95, where MN represents the total pixel count of the plain image.

computer science, information systems, theory & methods, software engineering, hardware & architecture

Lifu Cheng,Youyou Zhao,Jinjiang Yang,Leibo Liu

DOI: https://doi.org/10.1088/1742-6596/1856/1/012054

2021-01-01

Journal of Physics Conference Series

Abstract:Abstract The implantation security of cryptographic algorithm is very important. This paper proposes a method to resist power consumption attack for lightweight cryptographic algorithms. Using bit permutation operation as a countermeasure, we ensure that the position of each data of the original intermediate value data has changed after the bit is permutated, which greatly increases the difficulty of the attack. SKINNY is taken as an example for evaluate the effect of the proposed countermeasure. The experiment results show that the key will not reveal over 100,000 energy traces by using the countermeasure.

Wang Xiaoyun,Feng Dengguo,Yu Xiuyuan

DOI: https://doi.org/10.1360/122004-107

2005-01-01

Abstract:In this paper, we give a fast attack against hash function—HAVAL-128. HAVAL was presented by Y. L. Zheng et al. at Auscrypto’92. It can be processed in 3, 4 or 5 passes, and produces 128, 160, 192, or 224-bit fingerprint. We break the HAVAL with 128-bit fingerprint. The conclusion is that, given any 1024-bit message m, we just make some modifications about m, and the modified message m can collide with another message m′ only with probability 1/27, where m′=m+Δm, in which Δm is a fixed difference selected in advance. In addition, two collision examples for HAVAL-128 are given in this paper.

Jinmin Zhong,Xuejia Lai

2011-01-01

Journal of information science and engineering

Abstract:DHA-256 (Double Hash Algorithm) was proposed at the Cryptographic Hash Workshop hosted by NIST in November 2005. DHA-256 is a dedicated ha sh function with output length of 256 bits and 64 steps of operations designed to enhance SHA-256 security. In this paper, we show an attack on 35-step DHA-256. The attack finds pseudo-preimage and preimage of 35-step DHA-256 with the time complexity of 2 240 and 2 249 compression function operations, respectively, and 2 16 x 11 words memory. To the best of our knowledge, this is the first paper that analyzes the preimage resistance of DHA-256.