Xiaoyun Wang,Yiqun Lisa Yin,Hongbo Yu

DOI: https://doi.org/10.1007/11535218_2

2005-01-01

Abstract:In this paper, we present new collision search attacks on the hash function SHA-1. We show that collisions of SHA-1 can be found with complexity less than 269 hash operations. This is the first attack on the full 80-step SHA-1 with complexity less than the 280 theoretical bound.

Wang Xiaoyun,Feng Dengguo,Yu Xiuyuan

DOI: https://doi.org/10.1360/122004-107

2005-01-01

Abstract:In this paper, we give a fast attack against hash function—HAVAL-128. HAVAL was presented by Y. L. Zheng et al. at Auscrypto’92. It can be processed in 3, 4 or 5 passes, and produces 128, 160, 192, or 224-bit fingerprint. We break the HAVAL with 128-bit fingerprint. The conclusion is that, given any 1024-bit message m, we just make some modifications about m, and the modified message m can collide with another message m′ only with probability 1/27, where m′=m+Δm, in which Δm is a fixed difference selected in advance. In addition, two collision examples for HAVAL-128 are given in this paper.

Haiyan Yu,Xiaoyun Wang

2007-01-01

Abstract:In this paper, we present a new type of MultiCollision attack on the compression functions both of MD4 and 3-Pass HAVAL. For MD4, we utilize two feasible different collision differential paths to find a 4collision with 2 MD4 computations. For 3-Pass HAVAL, we present three near-collision differential paths to find a 8-NearCollision with 2 HAVAL computations.

Amit Kumar Chauhan,Abhishek Kumar,Somitra Kumar Sanadhya

DOI: https://doi.org/10.46586/tosc.v2021.i1.316-336

2021-03-19

IACR Transactions on Symmetric Cryptology

Abstract:Recently, Hosoyamada and Sasaki (EUROCRYPT 2020), and Xiaoyang Dong et al. (ASIACRYPT 2020) proposed quantum collision attacks against AES-like hashing modes AES-MMO and AES-MP. Their collision attacks are based on the quantum version of the rebound attack technique exploiting the differential trails whose probabilities are too low to be useful in the classical setting but large enough in the quantum setting. In this work, we present dedicated quantum free-start collision attacks on Hirose’s double block length compression function instantiated with AES-256, namely HCF-AES-256. The best publicly known classical attack against HCF-AES-256 covers up to 9 out of 14 rounds. We present a new 10-round differential trail for HCF-AES-256 with probability 2−160, and use it to find collisions with a quantum version of the rebound attack. Our attack succeeds with a time complexity of 285.11 and requires 216 qRAM in the quantum-attack setting, where an attacker can make only classical queries to the oracle and perform offline computations. We also present a quantum free-start collision attack on HCF-AES-256 with a time complexity of 286.07 which outperforms Chailloux, Naya-Plasencia, and Schrottenloher’s generic quantum collision attack (ASIACRYPT 2017) in a model when large qRAM is not available.

Hongbo Yu,Xiaoyun Wang

DOI: https://doi.org/10.1007/978-3-540-76788-6_17

2007-01-01

Abstract:In this paper, we present a new type of multi-collision attack on the compression functions of both MD4 and 3-Pass HAVAL. Different from Joux's multi-collision attack, our method focuses on the multi-collision of the compression function. For MD4, we utilize two different feasible collision differential paths to find a 4-collision with about 2 21 MD4 computations. For 3-Pass HAVAL, we can find a 4-collision with complexity about 2(30) and a 8-near-collision with complexity 2(9).

Nahiyan Alamgir,Saeed Nejati,Curtis Bright

2024-06-29

Abstract:Cryptographic hash functions play a crucial role in ensuring data security, generating fixed-length hashes from variable-length inputs. The hash function SHA-256 is trusted for data security due to its resilience after over twenty years of intense scrutiny. One of its critical properties is collision resistance, meaning that it is infeasible to find two different inputs with the same hash. Currently, the best SHA-256 collision attacks use differential cryptanalysis to find collisions in simplified versions of SHA-256 that are reduced to have fewer steps, making it feasible to find collisions. In this paper, we use a satisfiability (SAT) solver as a tool to search for step-reduced SHA-256 collisions, and dynamically guide the solver with the aid of a computer algebra system (CAS) used to detect inconsistencies and deduce information that the solver would otherwise not detect on its own. Our hybrid SAT + CAS solver significantly outperformed a pure SAT approach, enabling us to find collisions in step-reduced SHA-256 with significantly more steps. Using SAT + CAS, we find a 38-step collision of SHA-256 with a modified initialization vector -- something first found by a highly sophisticated search tool of Mendel, Nad, and Schläffer. Conversely, a pure SAT approach could find collisions for no more than 28 steps. However, our work only uses the SAT solver CaDiCaL and its programmatic interface IPASIR-UP.

Cryptography and Security,Discrete Mathematics,Logic in Computer Science,Symbolic Computation

Somitra Kumar Sanadhya,Palash Sarkar

DOI: https://doi.org/10.48550/arXiv.0803.1220

2008-03-08

Abstract:In this note, we provide the first 22-step collisions for SHA-256 and SHA-512. Detailed technique of generating these collisions will be provided in the next revision of this note.

Cryptography and Security

Xiaoyang Dong,Jian Guo,Shun Li,Phuong Pham,Tianyu Zhang

DOI: https://doi.org/10.46586/tosc.v2024.i1.158-187

2024-01-01

IACR Transactions on Symmetric Cryptology

Abstract:The Nostradamus attack was originally proposed as a security vulnerability for a hash function by Kelsey and Kohno at EUROCRYPT 2006. It requires the attacker to commit to a hash value y of an iterated hash function H. Subsequently, upon being provided with a message prefix P, the adversary’s task is to identify a suffix S such that H(P∥S) equals y. Kelsey and Kohno demonstrated a herding attack requiring O(√n · 22n/3) evaluations of the compression function of H, where n represents the output and state size of the hash, placing this attack between preimage attacks and collision searches in terms of complexity. At ASIACRYPT 2022, Benedikt et al. transform Kelsey and Kohno’s attack into a quantum variant, decreasing the time complexity from O(√n · 22n/3) to O( 3√n · 23n/7). At ToSC 2023, Zhang et al. proposed the first dedicated Nostradamus attack on AES-like hashing in both classical and quantum settings. In this paper, we have made revisions to the multi-target technique incorporated into the meet-in-the-middle automatic search framework. This modification leads to a decrease in time complexity during the online linking phase, effectively reducing the overall attack time complexity in both classical and quantum scenarios. Specifically, we can achieve more rounds in the classical setting and reduce the time complexity for the same round in the quantum setting.

Hongbo Yu,Xiaoyun Wang

DOI: https://doi.org/10.1007/978-3-642-22497-3_11

2011-01-01

Abstract:SIMD is one of the second round candidates of the SHA-3 competition hosted by NIST. In this paper, we present the first attack for the compression function of the reduced SIMD-256 and the full SIMD-512 (the tweaked version) using the modular difference method. For SIMD256, we give a free-start near collision attack on the compression function reduced to 20 steps with complexity 2(116). And for SIMD-512, we give a free-start near collision attack on the 24-step compression function with complexity 2(235). Furthermore, we give a distinguisher attack for the full compression function of SIMD-512 with complexity 2(475). Our attacks are also applicable for the final compression function of SIMD.

Zongyue Wang,Hongbo Yu,Xiaoyun Wang

DOI: https://doi.org/10.1016/j.ipl.2014.07.007

IF: 0.851

2014-01-01

Information Processing Letters

Abstract:GOST R 34.11-2012 is the new Russian hash function standard. This paper presents some cryptanalytic results on GOST R. Using the rebound attack technique, we achieve collision attacks on the reduced round compression function. Result on up to 9.5 rounds is proposed, the time complexity is 2^1^7^6 and the memory requirement is 2^1^2^8 bytes. Based on the 9.5-round collision result, a limited birthday distinguisher is presented. More over, a k-collision on 512-bit version of GOST R is constructed which shows the weakness of the structure used in GOST R.

Hongbo Yu,Xiaoyun Wang,Aaram Yun,Sangwoo Park

DOI: https://doi.org/10.1007/11799313_7

2006-01-01

Abstract:HAVAL is a cryptographic hash function with variable digest size proposed by Zheng, Pieprzyk and Seberry in 1992. It has three variants, 3-, 4-, and 5-pass HAVAL. Previous results on HAVAL suggested only practical collision attacks for 3-pass HAVAL. In this paper, we present collision attacks for 4 and 5 pass HAVAL. For 4-pass HAVAL, we describe two practical attacks for finding 2-block collisions, one with 243 computations and the other with 236 computations. In addition, we show that collisions for 5-pass HAVAL can be found with about 2123 computations, which is the first attack more efficient than the birthday attack.

Yassine Hamoudi,Qipeng Liu,Makrand Sinha

2024-02-28

Abstract:Collision-resistant hashing, a fundamental primitive in modern cryptography, ensures that there is no efficient way to find distinct inputs that produce the same hash value. This property underpins the security of various cryptographic applications, making it crucial to understand its complexity. The complexity of this problem is well-understood in the classical setting and $\Theta(N^{1/2})$ queries are needed to find a collision. However, the advent of quantum computing has introduced new challenges since quantum adversaries $\unicode{x2013}$ equipped with the power of quantum queries $\unicode{x2013}$ can find collisions much more efficiently. Brassard, Höyer and Tapp and Aaronson and Shi established that full-scale quantum adversaries require $\Theta(N^{1/3})$ queries to find a collision, prompting a need for longer hash outputs, which impacts efficiency in terms of the key lengths needed for security. This paper explores the implications of quantum attacks in the Noisy-Intermediate Scale Quantum (NISQ) era. In this work, we investigate three different models for NISQ algorithms and achieve tight bounds for all of them: (1) A hybrid algorithm making adaptive quantum or classical queries but with a limited quantum query budget, or (2) A quantum algorithm with access to a noisy oracle, subject to a dephasing or depolarizing channel, or (3) A hybrid algorithm with an upper bound on its maximum quantum depth; i.e., a classical algorithm aided by low-depth quantum circuits. In fact, our results handle all regimes between NISQ and full-scale quantum computers. Previously, only results for the pre-image search problem were known for these models by Sun and Zheng, Rosmanis, Chen, Cotler, Huang and Li while nothing was known about the collision finding problem.

Quantum Physics,Computational Complexity,Cryptography and Security,Data Structures and Algorithms

Jiangshan Long,Changhai Ou,Zhu Wang,Shihui Zheng,Fei Yan,Fan Zhang,Siew-Kei Lam

2022-01-01

Abstract:The performance of Side-Channel Attacks (SCAs) decays rapidly when considering more sub-keys, making the full-key recovery a very challenging problem. Limited to independent collision information utilization, collision attacks establish the relationship among sub-keys but do not significantly slow down this trend. To solve it, we first exploit the samples from the previously attacked S-boxes to assist attacks on the targeted S-box under an assumption that similar leakage occurs in program loop or code reuse scenarios. The later considered S-boxes are easier to be recovered since more samples participate in this assist attack, which results in the “snowball” effect. We name this scheme as Snowball, which significantly slows down the attenuation rate of attack performance. We further introduce confusion coefficient into the collision attack to construct collision confusion coefficient, and deduce its relationship with correlation coefficient. Based on this relationship, we give two optimizations on our Snowball exploiting the “values” information and “rankings” information of collision correlation coefficients named Least Deviation from Pearson correlation coefficient (PLD) and Least Deviation from confusion coefficient (CLD). Experiments show that the above optimizations significantly improve the performance of our Snowball.

Zhiyu Zhang,Siwei Sun,Caibing Wang,Lei Hu

DOI: https://doi.org/10.46586/tosc.v2023.i2.224-252

2023-06-16

IACR Transactions on Symmetric Cryptology

Abstract:At EUROCRYPT 2006, Kelsey and Kohno proposed the so-called chosen target forced-prefix (CTFP) preimage attack, where for any challenge prefix P, the attacker can generate a suffix S such that H(P∥S) = y for some hash value y published in advance by the attacker. Consequently, the attacker can pretend to predict some event represented by P she did not know before, and thus this type of attack is also known as the Nostradamus attack. At ASIACRYPT 2022, Benedikt et al. convert Kelsey et al.’s attack to a quantum one, reducing the time complexity from O(√n · 22n/3) to O( 3√n · 23n/7). CTFP preimage attack is less investigated in the literature than (second-)preimage and collision attacks and lacks dedicated methods. In this paper, we propose the first dedicated Nostradamus attack based on the meet-in-the-middle (MITM) attack, and the MITM Nostradamus attack could be up to quadratically accelerated in the quantum setting. According to the recent works on MITM preimage attacks on AES-like hashing, we build an automatic tool to search for optimal MITM Nostradamus attacks and model the tradeoff between the offline and online phases. We apply our method to AES-MMO and Whirlpool, and obtain the first dedicated attack on round-reduced version of these hash functions. Our method and automatic tool are applicable to other AES-like hashings.

Hongbo Yu,Dongxia Bai

DOI: https://doi.org/10.1007/978-3-319-16745-9_18

2015-01-01

Abstract:SHA-2 (SHA-224, SHA-256, SHA-384 and SHA-512) is hash function family issued by the National Institute of Standards and Technology (NIST) in 2002 and is widely used all over the world. In this work, we analyze the security of SHA-512 with respect to boomerang attack. Boomerang distinguisher on SHA-512 compression function reduced to 48 steps is proposed, with a practical complexity of 2(51). A practical example of the distinguisher for 48-step SHA-512 is also given. As far as we know, it is the best practical attack on step-reduced SHA-512.

Keting Jia,Yvo Desmedt,Lidong Han,Xiaoyun Wang

DOI: https://doi.org/10.1007/978-3-642-21518-6_14

2011-01-01

Abstract:In this paper, we present the pseudo-collision, pseudo-second-preimage and pseudo-preimage attacks on the SHA-3 candidate algorithm Luffa. The pseudo-collisions and pseudo-second-preimages can be found easily by computing the inverse of the message injection function at the beginning of Luffa. We explain in details the pseudo-preimage attacks. For Luffa-224/256, given the hash value, only 2 iteration computations are needed to get a pseudo-preimage. For Luffa-384, finding a pseudo-preimage needs about 2(64) iteration computations with 2(67) bytes memory by the extended generalized birthday attack. For Luffa-512, the complexity is 2(128) iteration computations with 2(132) bytes memory.It is noted that, we can find the pseudo-collision pairs and the pseudo-second images only changing a few different bits of initial values. That is directly converted to the forgery attack on NMAC in related key cases.

Seungjun Baek,Sehee Cho,Jongsung Kim

DOI: https://doi.org/10.1007/s11128-022-03499-5

IF: 1.965

2022-04-27

Quantum Information Processing

Abstract:Recently, Hosoyamada and Sasaki (Eurocrypt'20) proposed dedicated quantum collision attacks on AES-MMO and AES-MP and revealed that a differential trail that is not available in the classical setting due to a low probability can be utilized in the quantum settings. Their works encouraged cryptographers to actively perform security analysis of concrete hash functions in the quantum settings, which had not received much attention before. Xiaoyang Dong et al. (Asiacrypt'20) proposed improved dedicated quantum collision attacks on AES-MMO and AES-MP, and Chauhan et al. (ToSC'21) proposed quantum rebound attacks on the double-block-length hash function Hirose instantiated with 10-round reduced AES-256. In this paper, we propose a quantum collision attack on the Davies–Meyer (DM) hash function instantiated with full-round AES-256. We construct a new chosen-key differential trail for AES-256 based on the trail of Biryukov et al. proposed in 2009 and use it to find collisions of the full AES-256-based DM in a quantum setting. We also present quantum free-start collision attacks on the Hirose and MJH hash functions instantiated with full-round AES-256. These attacks are significant in that they are the first algorithms to find full-round (free-start) collisions. In particular, in the case of Hirose-AES-256, our attacks can cover a larger number of constant c than previously proposed attacks and also cover more rounds.

physics, multidisciplinary,quantum science & technology, mathematical

Xinjie Zhao,Shize Guo,Fan Zhang,Tao Wang,Zhijie Shi,Hao Luo

DOI: https://doi.org/10.1587/transfun.e96.a.332

2012-01-01

IEICE Transactions on Fundamentals of Electronics Communications and Computer Sciences

Abstract:This paper proposes several improved Side-channel cube attacks (SCCAs) on PRESENT-80/128 under single bit leakage model. Assuming the leakage is in the output of round 3 as in previous work, we discover new results of SCCA on PRESENT. Then an enhanced SCCA is proposed to extract key related non-linear equations. 64-bit key for both PRESENT-80 and 128 can be obtained. To mount more effective attack, we utilize the leakage in round 4 and enhance SCCA in two ways. A partitioning scheme is proposed to handle huge polynomials, and an iterative scheme is proposed to extract more key bits. With these enhanced techniques, the master key search space can be reduced to 28 for PRESENT-80 and to 229 for PRESENT-128.

Yanzhao Shen,Dongxia Bai,Hongbo Yu

DOI: https://doi.org/10.1007/s11432-017-9119-6

2017-01-01

Science China Information Sciences

Abstract:SM3 is the Chinese hash standard and is standardized in GB/T 32905-2016 [1].As a hash function,it must fulfill three security requirements,collision resistance,preinage resistance,and second preimage resistance.During the ongoing evaluation,it is believed that whenever the hash function behaves differently from a random function,it is considered as the hash function's weakness.In recent years,the analysis has not only been limited to the classical security requirements,but also in the near-collision,boomerang distinguisher,and (semi-)free-start collision.Most of the previous preimage attacks on SM3 [2,3] are either without padding or padding is not present from the first step.The best boomerang attack on SM3 covers 37 steps [4,5].In this article,we focus on the preimage attack from the first step,with message padding.A preinage attack on 30-step SM3 is proposed.Furthermore,we improve the 37-step boomerang attack and extend it to the 38-step boomerang attack.A summary of the previous results and along with our owns is given in Table 1.

Xiaoyang Dong,Jian Guo,Shun Li,Phuong Pham

DOI: https://doi.org/10.1007/978-3-031-15802-5_4

2022-01-01

Abstract:The rebound attack was introduced by Mendel et al. at FSE 2009 to fulfill a heavy middle round of a differential path for free, utilizing the degree of freedom from states. The inbound phase was extended to 2 rounds by the Super-Sbox technique invented by Lamberger et al. at ASIACRYPT 2009 and Gilbert and Peyrin at FSE 2010. In ASIACRYPT 2010, Sasaki et al. further reduced the requirement of memory by introducing the non-full-active Super-Sbox. In this paper, we further develop this line of research by introducing Super-Inbound, which is able to connect multiple 1-round or 2-round (non-full-active) Super-Sbox inbound phases by utilizing fully the degrees of freedom from both states and key, yet without the use of large memory. This essentially extends the inbound phase by up to 3 rounds. We applied this technique to find classic or quantum collisions on several AES-like hash functions, and improved the attacked round number by 1 to 5 in targets including AES-128 and SKINNY hashing modes, Saturnin-Hash, and Gr Ost 1-512. To demonstrate the correctness of our attacks, the semi-free-start collision on 6-round AES-128-MMO/MP with estimated time complexity 2(24) in classical setting was implemented and an example pair was found instantly on a standard PC.