Zhang-yi Wang,Huanguo Zhang,Zhongping Qin,Qingshu Meng

2006-01-01

Abstract:HAVAL is a cryptographic hash function proposed by Zheng et al. Van Rompay et al and Wang et al found collisions of full 3-Pass HAVAL. In this paper, we study the security of 4-Pass HAVAL. By analyzing the expanding of subtraction difference and differential characters of Boolean functions, we find collisions of full versions of 4-Pass HAVAL. The form of collisions is similar to the two-block collisions of MD5 proposed by Wang et al. With fixed carry method instead of multi-message modification, the computational complexity of the attack is about 230-232 for the first block and 227-229 for the second block. We use this method to find collisions of 4-Pass HAVAL in 3-4 hour on a common PC.

Hongbo Yu,Xiaoyun Wang,Aaram Yun,Sangwoo Park

DOI: https://doi.org/10.1007/11799313_7

2006-01-01

Abstract:HAVAL is a cryptographic hash function with variable digest size proposed by Zheng, Pieprzyk and Seberry in 1992. It has three variants, 3-, 4-, and 5-pass HAVAL. Previous results on HAVAL suggested only practical collision attacks for 3-pass HAVAL. In this paper, we present collision attacks for 4 and 5 pass HAVAL. For 4-pass HAVAL, we describe two practical attacks for finding 2-block collisions, one with 243 computations and the other with 236 computations. In addition, we show that collisions for 5-pass HAVAL can be found with about 2123 computations, which is the first attack more efficient than the birthday attack.

WANG Gao-li,PAN Qiao,YANG Mao-jiang

2009-01-01

Abstract:According to the properties of the function in the first pass and the order of the message words in HAVAL algorithm,a preimage attack on the compression function of the first 104-step HAVAL is proposed by using the exhaustive search method.The complexity of the attack is 2224 hash function valuations with the storage of 238 Bytes.However,the complexity of brute-force to find preimage is 2256.Analysis result has some new light on the evaluation of the security of HAVAL.

Gaoli Wang

DOI: https://doi.org/10.1007/978-3-642-25243-3_19

2011-01-01

Abstract:Extended MD4 is a hash function proposed by Rivest in 1990 with a 256-bit hash value. The compression function consists of two different and independent parallel lines called Left Line and Right Line, and each line has 48 steps. The initial values of Left Line and Right Line are denoted by IV0 and IV1 respectively. Dobbertin proposed a collision attack for the compression function of Extended MD4 with a complexity of about 2(40) under the condition that the value for IV0 = IV1 is prescribed. In this paper, we gave a collision attack on the full Extended MD4 with a complexity of about 2(37). Firstly, we propose a collision differential path for both lines by choosing a proper message difference, and deduce a set of sufficient conditions that ensure the differential path hold. Then by using some precise message modification techniques to improve the success probability of the attack, we find two-block collisions of Extended MD4 with less than 2(37) computations. This work provides a new reference to the collision analysis of other hash functions such as RIPEMD-160 etc. which consist of two lines.

Hongbo Yu,Xiaoyun Wang

DOI: https://doi.org/10.1007/978-3-540-76788-6_17

2007-01-01

Abstract:In this paper, we present a new type of multi-collision attack on the compression functions of both MD4 and 3-Pass HAVAL. Different from Joux's multi-collision attack, our method focuses on the multi-collision of the compression function. For MD4, we utilize two different feasible collision differential paths to find a 4-collision with about 2 21 MD4 computations. For 3-Pass HAVAL, we can find a 4-collision with complexity about 2(30) and a 8-near-collision with complexity 2(9).

Haiyan Yu,Xiaoyun Wang

2007-01-01

Abstract:In this paper, we present a new type of MultiCollision attack on the compression functions both of MD4 and 3-Pass HAVAL. For MD4, we utilize two feasible different collision differential paths to find a 4collision with 2 MD4 computations. For 3-Pass HAVAL, we present three near-collision differential paths to find a 8-NearCollision with 2 HAVAL computations.

Jin-min Zhong,Xue-jia Lai,Ming Duan

DOI: https://doi.org/10.1007/s12204-011-1215-3

2011-01-01

Abstract:HAVAL is a hash function proposed by Zheng et al. in 1992, including 3-, 4- and 5-pass versions. We improve pseudo-preimage and preimage attacks on 3-pass HAVAL at the complexity of 2172 and 2209.6, respectively, as compared to the previous best known results: 2192 and 2225 by Sasaki et al. in 2008. We extend the skip interval for partial-patching and apply the initial structure technique to find the better message chunks, and combine the indirect-partial-matching, partial-fixing and multi-neutral-word partial-fixing techniques to improve the attacks based on the meet-in-the-middle method. These are the best pseudo-preimage and preimage attacks on 3-pass HAVAL.

Norbert Pramstaller,Christian Rechberger,Vincent Rijmen

DOI: https://doi.org/10.1007/11693383_16

2006-01-01

Abstract:We present a collision attack on SMASH. SMASH was proposed as a new hash function design strategy that does not rely on the structure of the MD4 family. The presented attack method allows us to produce almost any desired difference in the chaining variables of the iterated hash function. Due to the absence of a secret key, we are able to construct differences with probability 1. Furthermore, we get only few constraints on the colliding messages, which allows us to construct meaningful collisions. The presented collision attack uses negligible resources and we conjecture that it works for all hash functions built following the design strategy of SMASH.

Xiaoyun Wang,Xuejia Lai,Dengguo Feng,Hui Chen,Xiuyuan Yu

DOI: https://doi.org/10.1007/11426639_1

2005-01-01

Abstract:MD4 is a hash function developed by Rivest in 1990. It serves as the basis for most of the dedicated hash functions such as MD5, SHAx, RIPEMD, and HAVAL. In 1996, Dobbertin showed how to find collisions of MD4 with complexity equivalent to 220 MD4 hash computations. In this paper, we present a new attack on MD4 which can find a collision with probability 2− 2 to 2− 6, and the complexity of finding a collision doesn’t exceed 28 MD4 hash operations. Built upon the collision search attack, we present a chosen-message pre-image attack on MD4 with complexity below 28. Furthermore, we show that for a weak message, we can find another message that produces the same hash value. The complexity is only a single MD4 computation, and a random message is a weak message with probability 2− 122.The attack on MD4 can be directly applied to RIPEMD which has two parallel copies of MD4, and the complexity of finding a collision is about 218 RIPEMD hash operations.

Xiaoyun Wang,Hongbo Yu

DOI: https://doi.org/10.1007/11426639_2

2005-01-01

Abstract:MD5 is one of the most widely used cryptographic hash functions nowadays. It was designed in 1992 as an improvement of MD4, and its security was widely studied since then by several authors. The best known result so far was a semi free-start collision, in which the initial value of the hash function is replaced by a non-standard value, which is the result of the attack. In this paper we present a new powerful attack on MD5 which allows us to find collisions efficiently. We used this attack to find collisions of MD5 in about 15 minutes up to an hour computation time. The attack is a differential attack, which unlike most differential attacks, does not use the exclusive-or as a measure of difference, but instead uses modular integer subtraction as the measure. We call this kind of differential a modular differential. An application of this attack to MD4 can find a collision in less than a fraction of a second. This attack is also applicable to other hash functions, such as RIPEMD and HAVAL.

Jie Liang,Xue-Jia Lai

DOI: https://doi.org/10.1007/s11390-007-9010-1

2007-01-01

Abstract:In this paper, we present a fast attack algorithm to find two-block collision of hash function MD5. The algorithm is based on the two-block collision differential path of MD5 that was presented by Wang et al . in the Conference EUROCRYPT 2005. We found that the derived conditions for the desired collision differential path were not sufficient to guarantee the path to hold and that some conditions could be modified to enlarge the collision set. By using technique of small range searching and omitting the computing steps to check the characteristics in the attack algorithm, we can speed up the attack of MD5 efficiently. Compared with the Advanced Message Modification technique presented by Wang et al ., the small range searching technique can correct 4 more conditions for the first iteration differential and 3 more conditions for the second iteration differential, thus improving the probability and the complexity to find collisions. The whole attack on the MD5 can be accomplished within 5 hours using a PC with Pentium4 1.70GHz CPU.

Gaoli Wang,Shaohui Wang

DOI: https://doi.org/10.1007/978-3-642-02384-2_1

2009-01-01

Abstract:HAVAL is a cryptographic hash function with variable hash value sizes proposed by Zheng, Pieprzyk and Seberry in 1992. It has 3, 4, or 5 passes, and each pass contains 32 steps. There was a collision attack on 5-pass HAVAL, but no second preimage attack. In this paper, we present a second preimage differential path for 5-pass HAVAL with probability 2*** 227 and exploit it to devise a second preimage attack on 5-pass HAVAL . Furthermore, we utilize the path to recover the partial key of HMAC/NMAC-5-pass HAVAL with 2235 oracle queries and 235 memory bytes.

Ronglin Hao,Bao Li,Bingke Ma,Ling Song

DOI: https://doi.org/10.7815/ijorcs.42.2014.079

2014-01-01

International Journal of Research in Computer Science

Abstract:The cryptographic hash function SHA-256 is one member of the SHA-2 hash family, which was proposed in 2000 and was standardized by NIST in 2002 as a successor of SHA-1. Although the differential fault attack on SHA-1compression function has been proposed, it seems hard to be directly adapted to SHA-256. In this paper, an efficient algebraic fault attack on SHA-256 compression function is proposed under the word-oriented random fault model. During the attack, an automatic tool STP is exploited, which constructs binary expressions for the word-based operations in SHA-256 compression function and then invokes a SAT solver to solve the equations. The simulation of the new attack needs about 65 fault injections to recover the chaining value and the input message block with about 200 seconds on average. Moreover, based on the attack on SHA-256 compression function, an almost universal forgery attack on HMAC-SHA-256 is presented. Our algebraic fault analysis is generic, automatic and can be applied to other ARX-based primitives..

Harshvardhan Tiwari,Dr. Krishna Asawa

DOI: https://doi.org/10.48550/arXiv.1003.1492

2010-03-08

Abstract:Cryptographic hash functions play a central role in cryptography. Hash functions were introduced in cryptology to provide message integrity and authentication. MD5, SHA1 and RIPEMD are among the most commonly used message digest algorithm. Recently proposed attacks on well known and widely used hash functions motivate a design of new stronger hash function. In this paper a new approach is presented that produces 192 bit message digest and uses a modified message expansion mechanism which generates more bit difference in each working variable to make the algorithm more secure. This hash function is collision resistant and assures a good compression and preimage resistance.

Cryptography and Security

Yu Sasaki,Wataru Komatsubara,Yasuhide Sakai,Lei Wang,Mitsugu Iwamoto,Kazuo Sakiyama,Kazuo Ohta

DOI: https://doi.org/10.5220/0004521101110122

2013-01-01

Abstract:In this paper, we revisit previous meet-in-the-middle preimage attacks on hash functions. We firstly present a technical improvement for the existing local-collision and initial-structure techniques. With applying some equivalent transformation, we can significantly reduce the memory requirement from the original proposals. We then revisit the previous preimage attacks on MD5 and HAVAL with recent techniques. Consequently, we can improve the memory complexity of the previous preimage attack on full MD5 from 2(45) to 2(13) and on full 4-pass HAVAL from 2(64) to 2(32). Moreover, we extend the preimage attack on 5-pass HAVAL from 151 steps to 158 steps, and present the first preimage attack with a single block message for 3-pass HAVAL.

Huafei Zhu,Lixin Ran,Yumin Wang

IF: 1.019

1999-01-01

Chinese Journal of Electronics

Abstract:Cryptographic hash functions are very important for cryptographic protocols such as signature scheme and message authentication. Based on the pioneer work of X. Lai et al., a new framework of hash algorithm is developed in this paper. In our hash scheme, an extra pseudorandom keystream generator is not needed which may be more conveniently for practical use. We have proved that the security of the new hash scheme is equivalent to that of feedback shift registers (FSRs) controlled by 2m - bit security keys.

Shenghui Su,Tao Xie,Shuwang Lu

DOI: https://doi.org/10.48550/arXiv.1408.5999

2017-04-30

Abstract:To examine the integrity and authenticity of an IP address efficiently and economically, this paper proposes a new non-Merkle-Damgard structural (non-MDS) hash function called JUNA that is based on a multivariate permutation problem and an anomalous subset product problem to which no subexponential time solutions are found so far. JUNA includes an initialization algorithm and a compression algorithm, and converts a short message of n bits which is regarded as only one block into a digest of m bits, where 80 <= m <= 232 and 80 <= m <= n <= 4096. The analysis and proof show that the new hash is one-way, weakly collision-free, and strongly collision-free, and its security against existent attacks such as birthday attack and meet-in-the- middle attack is to O(2 ^ m). Moreover, a detailed proof that the new hash function is resistant to the birthday attack is given. Compared with the Chaum-Heijst-Pfitzmann hash based on a discrete logarithm problem, the new hash is lightweight, and thus it opens a door to convenience for utilization of lightweight digital signing schemes.

Cryptography and Security

ZhangYi Wang,Huanguo Zhang,Zhongping Qin,Qiang Meng

2006-01-01

Abstract:The sufficient conditions for keeping desired differential path of MD5 was discussed. By analyzing the expanding of subtraction difference, differential characters of Boolean functions, and the differential characters of shift rotation, the sufficient conditions for keeping desired differential path could be obtained. From the differential characters of shift rotation, the lacked sufficient conditions were found. Then an algorithm that reduces the number of trials for finding collisions were presented. By restricting search space, search operation can be reduced to 2^34 for the first block and 2^30 for the second block. The whole attack on the MD5 can be accomplished within 20 hours using a PC with 1.6 G CPU.

Zhimin Li,Licheng Wang,Daofeng Li,Yixian Yang

2009-01-01

Abstract:NaSHA is a family of hash functions submitted by Markovski and Mileva as a SHA-3 candidate. In this paper, we present a collision attack on the hash function NaSHA for the output sizes 384-bit and 512-bit. This attack is based on the the weakness in the generate course of the state words and the fact that the quasigroup operation used in the compression function is only determined by partial state words. Its time complexity is about 2128 with negligible memory and its probability is more than (1− 2 264−1) 2 (A 12). This is currently by far the best known cryptanalysis result on this SHA-3 candidate.

Zhimin Li,Licheng Wang,Daofeng Li,Yixian Yang

DOI: https://doi.org/10.1109/ICNIT.2010.5508519

2010-01-01

Abstract:NaSHA is a family of hash functions submitted by Markovski and Mileva, it is accepted as one of the first SHA-3 round candidates. In this paper, we present a collision attack on NaSHA for the output sizes 384-bit and 512-bit. This attack is based on the the weakness in the generate course of the state words, and the fact that the quasigroup operation used in the compression function are determined by partial state words. The time complexity of this attack is about 2128 with negligible memory. This is currently by far the best known cryptanalysis result on this hash function.