Hongbo Yu,Xiaoyun Wang,Aaram Yun,Sangwoo Park

DOI: https://doi.org/10.1007/11799313_7

2006-01-01

Abstract:HAVAL is a cryptographic hash function with variable digest size proposed by Zheng, Pieprzyk and Seberry in 1992. It has three variants, 3-, 4-, and 5-pass HAVAL. Previous results on HAVAL suggested only practical collision attacks for 3-pass HAVAL. In this paper, we present collision attacks for 4 and 5 pass HAVAL. For 4-pass HAVAL, we describe two practical attacks for finding 2-block collisions, one with 243 computations and the other with 236 computations. In addition, we show that collisions for 5-pass HAVAL can be found with about 2123 computations, which is the first attack more efficient than the birthday attack.

Yanru Xiao,Cong Wang,Xing Gao

DOI: https://doi.org/10.1109/cvpr42600.2020.00967

2020-01-01

Computer Vision and Pattern Recognition

Abstract:With the rapid growth of visual content, deep learning to hash is gaining popularity in the image retrieval community recently. Although it greatly facilitates search efficiency, privacy is also at risks when images on the web are retrieved at a large scale and exploited as a rich mine of personal information. An adversary can extract private images by querying similar images from the targeted category for any usable model. Existing methods based on image processing preserve privacy at a sacrifice of perceptual quality. In this paper, we propose a new mechanism based on adversarial examples to "stash'' private images in the deep hash space while maintaining perceptual similarity. We first find that a simple approach of hamming distance maximization is not robust against brute-force adversaries. Then we develop a new loss function by maximizing the hamming distance to not only the original category, but also the centers from all the classes, partitioned into clusters of various sizes. The extensive experiment shows that the proposed defense can harden the attacker's efforts by 2-7 orders of magnitude, without significant increase of computational overhead and perceptual degradation. We also demonstrate 30-60% transferability in hash space with a black-box setting. The code is available at: https://github.com/sugarruy/hashstash

Yanru Xiao,Cong Wang

DOI: https://doi.org/10.1109/CVPR46437.2021.00197

2021-01-01

Abstract:With the large multimedia content online, deep hashing has become a popular method for efficient image retrieval and storage. However, by inheriting the algorithmic back-end from softmax classification, these techniques are vulnerable to the well-known adversarial examples as well. The massive collection of online images into the database also opens up new attack vectors. Attackers can embed adversarial images into the database and target specific categories to be retrieved by user queries. In this paper, we start from an adversarial standpoint to explore and enhance the capacity of targeted black-box transferability attack for deep hashing. We motivate this work by a series of empirical studies to see the unique challenges in image retrieval. We study the relations between adversarial subspace and black-box transferability via utilizing random noise as a proxy. Then we develop a new attack that is simultaneously adversarial and robust to noise to enhance transferability. Our experimental results demonstrate about 1.2-3x improvements of black-box transferability compared with the state-of-the-art mechanisms.

Weike Zhang,Xiangwei Kong,Xingang You

DOI: https://doi.org/10.3321/j.issn:1001-0505.2007.z1.039

2007-01-01

Abstract:Secure hash vector index is generated using perceptual invariance of image DCT (discrete cosine transform) low-frequency coefficients to authenticate content of image which has been processed. A hash vector is generated for digital image using the technique of combining standardized DCT low-frequency coefficients matrix with key based random matrix. The proposed algorithm is shown to be unique, robust and secure. Experimental results indicate that the proposed algorithm is able to resist the content-preserving modifications, such as format change, moderate geometric and filtering distortions. One can only acquire hash value of image while having both pseudo-random generator and key. In addition, the proposed algorithm generates same or similar hash value for perceptual same images, length of the hash value is only about 400 bits, and the collision rate decreases to 10-8 level. The proposed robust and secure algorithm can be applied to digital image authentication and retrieval of large image database.

Wang Xiaoyun,Feng Dengguo,Yu Xiuyuan

DOI: https://doi.org/10.1360/122004-107

2005-01-01

Abstract:In this paper, we give a fast attack against hash function—HAVAL-128. HAVAL was presented by Y. L. Zheng et al. at Auscrypto’92. It can be processed in 3, 4 or 5 passes, and produces 128, 160, 192, or 224-bit fingerprint. We break the HAVAL with 128-bit fingerprint. The conclusion is that, given any 1024-bit message m, we just make some modifications about m, and the modified message m can collide with another message m′ only with probability 1/27, where m′=m+Δm, in which Δm is a fixed difference selected in advance. In addition, two collision examples for HAVAL-128 are given in this paper.

Hongbo Yu,Xiaoyun Wang

DOI: https://doi.org/10.1007/978-3-540-76788-6_17

2007-01-01

Abstract:In this paper, we present a new type of multi-collision attack on the compression functions of both MD4 and 3-Pass HAVAL. Different from Joux's multi-collision attack, our method focuses on the multi-collision of the compression function. For MD4, we utilize two different feasible collision differential paths to find a 4-collision with about 2 21 MD4 computations. For 3-Pass HAVAL, we can find a 4-collision with complexity about 2(30) and a 8-near-collision with complexity 2(9).

Zhenzhen Bao,Xiaoyang Dong,Jian Guo,Zheng Li,Danping Shi,Siwei Sun,Xiaoyun Wang

DOI: https://doi.org/10.1007/978-3-030-77870-5_27

2021-01-01

Abstract:The Meet-in-the-Middle (MITM) preimage attack is highly effective in breaking the preimage resistance of many hash functions, including but not limited to the full MD5, HAVAL, and Tiger, and reduced SHA-0/1/2. It was also shown to be a threat to hash functions built on block ciphers like AES by Sasaki in 2011. Recently, such attacks on AES hashing modes evolved from merely using the freedom of choosing the internal state to also exploiting the freedom of choosing the message state. However, detecting such attacks especially those evolved variants is difficult. In previous works, the search space of the configurations of such attacks is limited, such that manual analysis is practical, which results in sub-optimal solutions. In this paper, we remove artificial limitations in previous works, formulate the essential ideas of the construction of the attack in well-defined ways, and translate the problem of searching for the best attacks into optimization problems under constraints in Mixed-Integer-Linear-Programming (MILP) models. The MILP models capture a large solution space of valid attacks; and the objectives of the MILP models are attack configurations with the minimized computational complexity. With such MILP models and using the off-the-shelf solver, it is efficient to search for the best attacks exhaustively. As a result, we obtain the first attacks against the full (5-round) and an extended (5.5-round) version of Haraka-512 v2, and 8-round AES-128 hashing modes, as well as improved attacks covering more rounds of Haraka-256 v2 and other members of AES and Rijndael hashing modes.

Haiyan Yu,Xiaoyun Wang

2007-01-01

Abstract:In this paper, we present a new type of MultiCollision attack on the compression functions both of MD4 and 3-Pass HAVAL. For MD4, we utilize two feasible different collision differential paths to find a 4collision with 2 MD4 computations. For 3-Pass HAVAL, we present three near-collision differential paths to find a 8-NearCollision with 2 HAVAL computations.

Le He,Xiaoen Lin,Hongbo Yu

DOI: https://doi.org/10.46586/tosc.v2021.i3.84-101

2021-01-01

IACR Transactions on Symmetric Cryptology

Abstract:In this paper, we provide an improved method on preimage attacks of standard 3-round Keccak-224/256. Our method is based on the work by Li and Sun. Their strategy is to find a 2-block preimage instead of a 1-block one by constructing the first and second message blocks in two stages. Under this strategy, they design a new linear structure for 2-round Keccak-224/256 with 194 degrees of freedom left, which is able to construct the second message block with a complexity of 2(31)/2(62). However, the bottleneck of this strategy is that the first stage needs much more expense than the second one. Therefore, we improve the first stage by using two techniques. The first technique is constructing multi-block messages rather than one-block message in the first stage, which can reach a better inner state. The second technique is setting restricting equations more efficiently, which can work in 3-round Keccak-256. As a result, the complexity of finding a preimage for 3-round Keccak-224/256 can be decreased from 2(38)/2(81) to 2(32)/2(65).

Lingyue Qin,Jialiang Hua,Xiaoyang Dong,Hailun Yan,Xiaoyun Wang

DOI: https://doi.org/10.1007/978-3-031-30634-1_6

2023-01-01

Abstract:The Meet-in-the-Middle (MitM) attack has been widely applied to preimage attacks on Merkle-Damgård (MD) hashing. In this paper, we introduce a generic framework of the MitM attack on sponge-based hashing. We find certain bit conditions can significantly reduce the diffusion of the unknown bits and lead to longer MitM characteristics. To find good or optimal configurations of MitM attacks, e.g., the bit conditions, the neutral sets, and the matching points, we introduce the bit-level MILP-based automatic tools on Keccak, Ascon and Xoodyak. To reduce the scale of bit-level models and make them solvable in reasonable time, a series of properties of the targeted hashing are considered in the modelling, such as the linear structure and CP-kernel for Keccak, the Boolean expression of Sbox for Ascon. Finally, we give an improved 4-round preimage attack on Keccak-512/SHA3, and break a nearly 10 years’ cryptanalysis record. We also give the first preimage attacks on 3-/4-round Ascon-XOF and 3-round Xoodyak-XOF.

Zhiyu Zhang,Siwei Sun,Caibing Wang,Lei Hu

DOI: https://doi.org/10.46586/tosc.v2023.i2.224-252

2023-06-16

IACR Transactions on Symmetric Cryptology

Abstract:At EUROCRYPT 2006, Kelsey and Kohno proposed the so-called chosen target forced-prefix (CTFP) preimage attack, where for any challenge prefix P, the attacker can generate a suffix S such that H(P∥S) = y for some hash value y published in advance by the attacker. Consequently, the attacker can pretend to predict some event represented by P she did not know before, and thus this type of attack is also known as the Nostradamus attack. At ASIACRYPT 2022, Benedikt et al. convert Kelsey et al.’s attack to a quantum one, reducing the time complexity from O(√n · 22n/3) to O( 3√n · 23n/7). CTFP preimage attack is less investigated in the literature than (second-)preimage and collision attacks and lacks dedicated methods. In this paper, we propose the first dedicated Nostradamus attack based on the meet-in-the-middle (MITM) attack, and the MITM Nostradamus attack could be up to quadratically accelerated in the quantum setting. According to the recent works on MITM preimage attacks on AES-like hashing, we build an automatic tool to search for optimal MITM Nostradamus attacks and model the tradeoff between the offline and online phases. We apply our method to AES-MMO and Whirlpool, and obtain the first dedicated attack on round-reduced version of these hash functions. Our method and automatic tool are applicable to other AES-like hashings.

Le He,Xiaoen Lin,Hongbo Yu

DOI: https://doi.org/10.46586/tosc.v2021.i1.217-238

2021-01-01

IACR Transactions on Symmetric Cryptology

Abstract:This paper provides an improved preimage attack method on standard 4-round Keccak-224/256. The method is based on the work pioneered by Li and Sun, who design a linear structure of 2-round Keccak-224/256 with 194 degrees of freedom left. By partially linearizing 17 output bits through the last 2 rounds, they finally reach a complexity of 2207/2239 for searching a 4-round preimage. Yet under their strategy, those 17 bits are regarded as independent bits and the linearization costs a great amount of freedom. Inspired by their thoughts, we improve the partial linearization method where multiple output bits can reuse some common degrees of freedom. As a result, the complexity of preimage attack on 4-round Keccak-224/256 can be decreased to 2192/2218, which are both the best known theoretical preimage cryptanalysis so far. To support the theoretical analysis, we apply our strategy to a 64-bit partial preimage attack within practical complexity. It is remarkable that this partial linearization method can be directly applied if a better linear structure with more freedom left is proposed.

MeiLei Lv,Zheming Lu,Yun Long Huang

2011-01-01

Abstract:Perceptual image hashing has become an emerging solution for image indexing, authentication and watermarking. A perceptual image hash function maps a digital image into a fixed length binary string known as the hash value, which is invariant under changes to the image that is perceptually insignificant. In this paper, a multipurpose image hashing scheme based on Multi-Stage Vector Quantization (MSVQ) is proposed for both copyright protection and content authentication. The original gray-level image is first segmented into non-overlapping blocks. Each block is encoded by a two-stage vector quantizer to generate two indices, one for copyright protection and the other for content authentication. The obtained two index tables are then transformed into two binary images based on specific mapping functions. Finally, the authentication mark and permuted copyright logo are respectively XOR-ed with the two binary images to obtain final authentication and protection fingerprints. Compared with the existing DCTVQ based multipurpose hashing scheme, we provide two new mapping functions and our hashing process is much faster. Experimental results show the effectiveness of the proposed method.

Yanzhao Shen,Dongxia Bai,Hongbo Yu

DOI: https://doi.org/10.1007/s11432-017-9119-6

2017-01-01

Science China Information Sciences

Abstract:SM3 is the Chinese hash standard and is standardized in GB/T 32905-2016 [1].As a hash function,it must fulfill three security requirements,collision resistance,preinage resistance,and second preimage resistance.During the ongoing evaluation,it is believed that whenever the hash function behaves differently from a random function,it is considered as the hash function's weakness.In recent years,the analysis has not only been limited to the classical security requirements,but also in the near-collision,boomerang distinguisher,and (semi-)free-start collision.Most of the previous preimage attacks on SM3 [2,3] are either without padding or padding is not present from the first step.The best boomerang attack on SM3 covers 37 steps [4,5].In this article,we focus on the preimage attack from the first step,with message padding.A preinage attack on 30-step SM3 is proposed.Furthermore,we improve the 37-step boomerang attack and extend it to the 38-step boomerang attack.A summary of the previous results and along with our owns is given in Table 1.

Xinjie Zhao,Shize Guo,Fan Zhang,Tao Wang,Zhijie Shi,Huiying Liu,Keke Ji,Jing Huang

DOI: https://doi.org/10.1016/j.jss.2012.11.007

IF: 3.5

2013-01-01

Journal of Systems and Software

Abstract:The side-channel cube attack (SCCA) is a powerful cryptanalysis technique that combines the side-channel and cube attack. This paper proposes several advanced techniques to improve the Hamming weight-based SCCA (HW-SCCA) on the block cipher PRESENT. The new techniques utilize non-linear equations and an iterative scheme to extract more information from leakage. The new attacks need only 2^8^.^9^5 chosen plaintexts to recover 72 key bits of PRESENT-80 and 2^9^.^7^8 chosen plaintexts to recover 121 key bits of PRESENT-128. To the best of our knowledge, these are the most efficient SCCAs on PRESENT-80/128. To show the feasibility of the proposed techniques, real attacks have been conducted on PRESENT on an 8-bit microcontroller, which are the first SCCAs on PRESENT on a real device. The proposed HW-SCCA can successfully break PRESENT implementations even if they have some countermeasures such as random delay and masking.

Keting Jia,Yvo Desmedt,Lidong Han,Xiaoyun Wang

DOI: https://doi.org/10.1007/978-3-642-21518-6_14

2011-01-01

Abstract:In this paper, we present the pseudo-collision, pseudo-second-preimage and pseudo-preimage attacks on the SHA-3 candidate algorithm Luffa. The pseudo-collisions and pseudo-second-preimages can be found easily by computing the inverse of the message injection function at the beginning of Luffa. We explain in details the pseudo-preimage attacks. For Luffa-224/256, given the hash value, only 2 iteration computations are needed to get a pseudo-preimage. For Luffa-384, finding a pseudo-preimage needs about 2(64) iteration computations with 2(67) bytes memory by the extended generalized birthday attack. For Luffa-512, the complexity is 2(128) iteration computations with 2(132) bytes memory.It is noted that, we can find the pseudo-collision pairs and the pseudo-second images only changing a few different bits of initial values. That is directly converted to the forgery attack on NMAC in related key cases.

Congming Wei,Xiaoyang Dong,Willi Meier,Lingyue Qin,Ximing Fu

DOI: https://doi.org/10.1093/comjnl/bxac150

2023-01-01

Abstract:At FSE 2008, Leurent introduced the preimage attack on MD4 by exploiting differential trails. In this paper, we apply the differential-aided preimage attack to Keccak with the message modification techniques. Instead of directly finding the preimage, we exploit differential characteristics to modify the messages, so that the differences of their hashing values and the changes of given target can be controlled. By adding some constraints, a trail can be used to change one bit at a time and reduce the time complexity by a factor of 2. When the number of rounds increases, we introduce two-stage modification techniques to satisfy part of constraints as well. In order to solve other constraints, we also combine the linear-structure technique and accordingly give a preimage attack on 5-round Keccak[r = 1440, c = 160,l= 80].

Hongbo Yu,Xiaoyun Wang

DOI: https://doi.org/10.1007/978-3-642-00843-6_25

2009-01-01

Abstract:In this paper, we give the full key-recovery attacks on the HMAC/NMAC instantiated with 3 and 4-Pass HAVAL using our new differential paths. The complexity to recover the inner key is about 2103 MAC queries for the 3-Pass HAVAL and 2123 MAC queries for the 4-Pass HAVAL. The complexity to recover the outer key is about 269 MAC queries and 2198 offline computations for the 3-Pass HAVAL based HMAC/NMAC. For the 4-Pass HAVAL case, the number of MAC queries for outer key-recovery is about 2103 and the offline work is about 2180 4-Pass HAVAL computations.

Xiaoyang Dong,Jian Guo,Shun Li,Phuong Pham,Tianyu Zhang

DOI: https://doi.org/10.46586/tosc.v2024.i1.158-187

2024-01-01

IACR Transactions on Symmetric Cryptology

Abstract:The Nostradamus attack was originally proposed as a security vulnerability for a hash function by Kelsey and Kohno at EUROCRYPT 2006. It requires the attacker to commit to a hash value y of an iterated hash function H. Subsequently, upon being provided with a message prefix P, the adversary’s task is to identify a suffix S such that H(P∥S) equals y. Kelsey and Kohno demonstrated a herding attack requiring O(√n · 22n/3) evaluations of the compression function of H, where n represents the output and state size of the hash, placing this attack between preimage attacks and collision searches in terms of complexity. At ASIACRYPT 2022, Benedikt et al. transform Kelsey and Kohno’s attack into a quantum variant, decreasing the time complexity from O(√n · 22n/3) to O( 3√n · 23n/7). At ToSC 2023, Zhang et al. proposed the first dedicated Nostradamus attack on AES-like hashing in both classical and quantum settings. In this paper, we have made revisions to the multi-target technique incorporated into the meet-in-the-middle automatic search framework. This modification leads to a decrease in time complexity during the online linking phase, effectively reducing the overall attack time complexity in both classical and quantum scenarios. Specifically, we can achieve more rounds in the classical setting and reduce the time complexity for the same round in the quantum setting.

Jialiang Hua,Xiaoyang Dong,Siwei Sun,Zhiyu Zhang,Lei Hu,Xiaoyun Wang

DOI: https://doi.org/10.46586/tosc.v2022.i2.63-91

2022-01-01

Abstract:At ASIACRYPT 2012, Sasaki et al. introduced the guess-and-determine approach to extend the meet-in-the-middle (MITM) preimage attack. At CRYPTO 2021, Dong et al. proposed a technique to derive the solution spaces of nonlinear constrained neutral words in the MITM preimage attack. In this paper, we try to combine these two techniques to further improve the MITM preimage attacks. Based on the previous MILP-based automatic tools for MITM attacks, we introduce new constraints due to the combination of guess-and-determine and nonlinearly constrained neutral words to build a new automatic model. As a proof of work, we apply it to the Russian national standard hash function Streebog, which is also an ISO standard. We find the first 8.5-round preimage attack on Streebog-512 compression function and the first 7.5-round preimage attack on Streebog-256 compression function. In addition, we give the 8.5-round preimage attack on Streebog-512 hash function. Our attacks extend the best previous attacks by one round. We also improve the time complexity of the 7.5-round preimage attack on Streebog-512 hash function and 6.5-round preimage attack on Streebog-256 hash function.