Cryptanalysis of Tweaked Versions of SMASH and Reparation
Pierre-alain Fouque2009, Selected Areas in Cryptography
Sign up for access to the world's latest research
checkGet notified about relevant papers
checkSave papers to use in your research
checkJoin the discussion with peers
checkTrack your impact
Abstract
In this paper, we study the security of permutation based hash functions, i.e. blockcipher based hash functions with fixed keys. SMASH is such a hash function proposed by Knudsen in 2005 and broken the same year by Pramstaller et al. Here we show that the two tweaked versions, proposed soon after by Knudsen to thwart the attack, can also be attacked in collision in time O(n2 n/3). This time complexity can be reduced to O(2 2 √ n) for the first tweak version, which means an attack against SMASH-256 in c • 2 32 for a small constant c. Then, we show that an efficient generalization of SMASH, using two permutations instead of one, can be proved secure against collision in the ideal-cipher model in Ω(2 n/4) queries to the permutations. In order to analyze the tightness of our proof, we devise a non-trivial attack in O(2 3n/8) queries. Finally, we also prove that our construction is preimage resistant in Ω(2 n/2) queries, which the best security level that can be reached for 2-permutation based hash functions, as proved in [12].
Related papers
Cryptanalysis of the CRUSH Hash Function
Lecture Notes in Computer Science, 2007
Iterated Halving has been suggested as a replacement to the Merkle-Damgård construction following attacks on the MDx family of hash functions. The core of the scheme is an iterated block cipher that provides keying and input material for future rounds. The CRUSH hash function provides a specific instantiation of the block cipher for Iterated Halving. In this paper, we identify structural problems with the scheme, and show that by using a bijective function, such as the block cipher used in CRUSH or the AES, we can trivially identify collisions and second preimages on many equal-length messages of length ten blocks or more. The cost is ten decryptions of the block cipher, this being less than the generation of a single digest. We show that even if Iterated Halving is repaired, the construction has practical issues that means it is not suitable for general deployment. We conclude this paper with the somewhat obvious statement that CRUSH, and more generally Iterated Halving, should not be used.
Analysis of the Hash Function Design Strategy Called SMASH
IEEE Transactions on Information Theory, 2000
The hash function design strategy SMASH was recently proposed as an alternative to the MD4 family of hash functions. It can be shown that the strategy leads to designs that are vulnerable to efficient collision and (second) preimage attacks. The mathematical structure of the SMASH description facilitates the description of the weakness and the resulting attacks, but also functions with less mathematical elegance may show similar weaknesses.
Constructing Cryptographic Hash Functions from Fixed-Key Blockciphers
Lecture Notes in Computer Science
We propose a family of compression functions built from fixed-key blockciphers and investigate their collision and preimage security in the ideal-cipher model. The constructions have security approaching and in many cases equaling the security upper bounds found in previous work of the authors [24]. In particular, we describe a 2n-bit to n-bit compression function using three n-bit permutation calls that has collision security N 0.5 , where N = 2 n , and we describe 3n-bit to 2n-bit compression functions using five and six permutation calls and having collision security of at least N 0.55 and N 0.63 .
Cryptanalysis of CRUSH hash structure
IACR Cryptol. ePrint Arch., 2008
In this paper, we will present a cryptanalysis of CRUSH hash structure. Surprisingly, our attack could find pre-image for any desired length of internal message. Time complexity of this attack is completely negligible. We will show that the time complexity of finding a pre-image of any length is O(1). In this attack, an adversary could freely find a pre-image with the length of his own choice for any given message digits. We can also find second pre-image, collision, multi-collision in the same complexity with our attack. In this paper, we also introduce a stronger variant of the algorithm, and show that an adversary could still be able to produce collisions for this stronger variant of CRUSH hash structure with a time complexity less than a Birthday attack.
Security/Efficiency Tradeoffs for Permutation-Based Hashing
Lecture Notes in Computer Science, 2008
We provide attacks and analysis that capture a tradeoff, in the ideal-permutation model, between the speed of a permutation-based hash function and its potential security. For collision-uniform, fixedpermutation-order compression functions, we show that any 2n-bit to n-bit construction will have unacceptable collision resistance it makes fewer than three n-bit permutation invocations, while a 3n-bit to 2nbit construction will have unacceptable security if it makes fewer than five. Collisions can be found in a rate-α fixed-permutation-order hashfunction built from n-bit permutations in about N 1−α queries, where N = 2 n . Our results provide guidance when trying to design or analyze practical permutation-based hash functions about the limits of what can possibly be done.
Provable Security of (Tweakable) Block Ciphers Based on Substitution-Permutation Networks
Lecture Notes in Computer Science, 2018
Substitution-Permutation Networks (SPNs) refer to a family of constructions which build a wn-bit block cipher from n-bit public permutations (often called S-boxes), which alternate keyless and "local" substitution steps utilizing such S-boxes, with keyed and "global" permutation steps which are non-cryptographic. Many widely deployed block ciphers are constructed based on the SPNs, but there are essentially no provable-security results about SPNs. In this work, we initiate a comprehensive study of the provable security of SPNs as (possibly tweakable) wn-bit block ciphers, when the underlying n-bit permutation is modeled as a public random permutation. When the permutation step is linear (which is the case for most existing designs), we show that 3 SPN rounds are necessary and sufficient for security. On the other hand, even 1-round SPNs can be secure when non-linearity is allowed. Moreover, 2-round non-linear SPNs can achieve "beyond-birthday" (up to 2 2n/3 adversarial queries) security, and, as the number of non-linear rounds increases, our bounds are meaningful for the number of queries approaching 2 n . Finally, our non-linear SPNs can be made tweakable by incorporating the tweak into the permutation layer, and provide good multi-user security. As an application, our construction can turn two public n-bit permutations (or fixed-key block ciphers) into a tweakable block cipher working on wn-bit inputs, 6n-bit key and an n-bit tweak (for any w ≥ 2); the tweakable block cipher provides security up to 2 2n/3 adversarial queries in the random permutation model, while only requiring w calls to each permutation, and 3w field multiplications for each wn-bit input.
TWISTERπ - a framework for secure and fast hash functions
International Journal of Applied Cryptography, 2010
In this paper we present TWISTER π , a framework for hash functions. It is an improved version of TWISTER, a candidate of the NIST SHA-3 hash function competition. TWISTER π is built upon the ideas of wide pipe and sponge functions. The core of this framework is a-very easy to analyse-Twister-Round providing both extremely fast diffusion as well as collision-freeness for one internal Twister-Round. The total security level is claimed to be not below /2 2 n for collision attacks and 2 n for (2nd) pre-image attacks. TWISTER π instantiations are secure against all known generic attacks. We also propose two instances TWISTER π-n for hash output sizes n = 256 and n = 512. These instantiations are highly optimised for 64-bit architectures and run very fast in hardware and software, e.g TWISTER π-256 is faster than SHA2-256 on 64-bit platforms and TWISTER π-512 is faster than SHA2-512 on 32-bit platforms. Furthermore, TWISTER π scales very well on low-end platforms.
On the security of dedicated hash functions
1998
Cryptographic hash functions are an important building block for a wide range of applications such as the authentication of information, digital signatures and the protection of pass-phrases. The most popular hash functions are the custom designed iterative hash functions from the MD4 family. Over the years various results on the cryptanalysis of these functions have become available and this paper intends to summarize these results and their impact. We will describe attacks on MD4, MD5 and RIPEMD, and discuss the design and security of the hash functions SHA-1 and RIPEMD-160 which are included in the new standard ISO/IEC 10118-3.
Multicollision Attack on a recently proposed hash function vMDC-2
2016
In this paper, we describe an attack on a new double block length hash function which was proposed as a variant of MDC-2 and MDC-4. The vMDC-2 compression function is based on two calls to a block cipher that compresses a 3n-bit string to a 2n-bit one. This attack is based on the Joux's multicollision attack, where we show that an adversary wins finding collision game by requesting $2^{70}$ queries for $ n=128$-bit block cipher that is much less than the complexity of birthday attack.
The Security of Elastic Block Ciphers Against Key-Recovery Attacks
Lecture Notes in Computer Science, 2007
We analyze the security of elastic block ciphers against key-recovery attacks. An elastic version of a fixed-length block cipher is a variable-length block cipher that supports any block size in the range of one to two times the length of the original block. Our method for creating an elastic block cipher involves inserting the round function of the original cipher into a substitution-permutation network. In this paper, we form a polynomial-time reduction between the elastic and original versions of the cipher by exploiting the underlying network structure. We prove that the elastic version of a cipher is secure against a given key-recovery attack if the original cipher is secure against such an attack. Our analysis is based on the general structure of elastic block ciphers (i.e., the network's structure, the composition methods between rounds in the network and the keying methodology) and is independent of the specific cipher.
Related papers
On the Security of Hash Functions Employing Blockcipher Postprocessing
Lecture Notes in Computer Science, 2011
Analyzing desired generic properties of hash functions is an important current area in cryptography. For example, in Eurocrypt 2009, Dodis, Ristenpart and Shrimpton [7] introduced the elegant notion of "Preimage Awareness" (PrA) of a hash function H P , and they showed that a PrA hash function followed by an output transformation modeled to be a FIL (fixed input length) random oracle is PRO (pseudorandom oracle) i.e. indifferentiable from a VIL (variable input length) random oracle. We observe that for recent practices in designing hash function (e.g. SHA-3 candidates) most output transformations are based on permutation(s) or blockcipher(s), which are not PRO. Thus, a natural question is how the notion of PrA can be employed directly with these types of more prevalent output transformations? We consider the Davies-Meyer's type output transformation OT (x) := E(x) ⊕ x where E is an ideal permutation. We prove that OT (H P (·)) is PRO if H P is PrA, preimage resistant and computable message aware (a related but not redundant notion, needed in the analysis that we introduce in the paper). The similar result is also obtained for 12 PGV output transformations. We also observe that some popular double block length output transformations can not be employed as output transformation.
2n-Bit Hash-Functions Using n-Bit Symmetric Block Cipher Algorithms
Lecture Notes in Computer Science, 1990
We present a new hash-function, which provides 2n-bit hash-results, using any n-bit symmetric block cipher algorithm. This hash-function can be considered as a extension of an already known one, which only provided n-bit hash-results. The difference is crucial, because a lot of symmetric block cipher algorithms use 64-bit blocks and recent works have shown that a 64-bit hash-result is greatly insufficient.
Cryptanalysis of CRUSH hash structure1
2007
In this paper, we will present a cryptanalysis of CRUSH hash structure. Surprisingly, our attack could find pre-image for any desired length of internal message. Time complexity of this attack is completely negligible. We will show that the time complexity of finding a pre-image of any length is O(1). In this attack, an adversary could freely find a pre-image with
XHX – A Framework for Optimally Secure Tweakable Block Ciphers from Classical Block Ciphers and Universal Hashing
Progress in Cryptology – LATINCRYPT 2017, 2019
Tweakable block ciphers are important primitives for designing cryptographic schemes with high security. In the absence of a standardized tweakable block cipher, constructions built from classical block ciphers remain an interesting research topic in both theory and practice. Motivated by Mennink's F [2] publication from 2015, Wang et al. proposed 32 optimally secure constructions at ASIACRYPT'16, all of which employ two calls to a classical block cipher each. Yet, those constructions were still limited to n-bit keys and n-bit tweaks. Thus, applications with more general key or tweak lengths still lack support. This work proposes the XHX family of tweakable block ciphers from a classical block cipher and a family of universal hash functions, which generalizes the constructions by Wang et al. First, we detail the generic XHX construction with three independently keyed calls to the hash function. Second, we show that we can derive the hash keys in efficient manner from the block cipher, where we generalize the constructions by Wang et al.; finally, we propose efficient instantiations for the used hash functions.
Design and analysis of hash functions
2007
A function that compresses an arbitrarily large message into a fixed small size ‘message digest’ is known as a hash function. For the last two decades, many types of hash functions have been defined but, the most widely used in many of the cryptographic applications currently are hash functions based on block ciphers and the dedicated hash functions. Almost all the dedicated hash functions are generated using the Merkle-Damgard construction which is developed independently by Merkle and Damgard in 1989 [6, 7]. A hash function is said to be broken if an attacker is able to show that the design of the hash function violates at least one of its claimed security property. There are various types of attacking strategies found on hash functions, such as attacks based on the block ciphers, attacks depending on the algorithm, attacks independent of the algorithm, attacks based on signature schemes, and high level attacks. Besides this, in recent years, many structural weaknesses have been f...
Cryptanalysis of an Iterated Halving-based hash function: CRUSH
IET Information Security, 2009
Iterated Halving has been suggested as a replacement to the Merkle -Damgård (MD) construction in 2004 anticipating the attacks on the MDx family of hash functions. The CRUSH hash function provides a specific instantiation of the block cipher for Iterated Halving. The authors identify structural problems with the scheme and show that they can trivially identify collisions and second preimages on many equal-length messages of length ten blocks or more. The cost is ten decryptions of the block cipher, this being less than the generation of a single digest. In addition, these attacks can be used to differentiate CRUSH from a random oracle in O(1). The authors show that the complexity of finding a preimage in the unpadded CRUSH with the length encoding is negligible and extend this attack on CRUSH with the length encoding in cost O(2 32 ). This attack is a multi-preimage attack, since the attacker can produce a large number of messages for a given message digest for the cost of O(2 32 ). Hence, this attack can be used as a multi-collision and a multisecond-preimage as well. They show that if the attacker knows the last 64-bits of the message digest in advance, he can do the time-consuming part of the attack off-line. The authors show that even if Iterated Halving is repaired, the construction has practical issues that means it is not suitable for general deployment.
Hard and Easy Components of Collision Search in the Zémor-Tillich Hash Function: New Attacks and Reduced Variants with Equivalent Security
Lecture Notes in Computer Science, 2009
The Zémor-Tillich hash function has remained unbroken since its introduction at CRYPTO'94. We present the first generic collision and preimage attacks against this function, in the sense that the attacks work for any parameters of the function. Their complexity is the cubic root of the birthday bound; for the parameters initially suggested by Tillich and Zémor they are very close to being practical. Our attacks exploit a separation of the collision problem into an easy and a hard component. We subsequently present two variants of the Zémor-Tillich hash function with essentially the same collision resistance but reduced outputs of 2n and n bits instead of the original 3n bits. Our second variant keeps only the hard component of the collision problem; for well-chosen parameters the best collision attack on it is the birthday attack.
Attacks on double block length hash functions
Lecture Notes in Computer Science, 1994
Attacks on double block length hash functions using a block cipher are considered in this paper. We present a general free-start attack, in which the attacker is free to choose the initial value, and a real attack on a large class of hash functions. Recent results on the complexities of attacks on double block hash functions are summarized.
New attacks on all double block length hash functions of hash rate 1, including the Parallel-DM
Lecture Notes in Computer Science, 1995
In this paper attacks on double block length hash functions using a block cipher are considered. We present attacks on all double block length hash functions of hash rate 1, that is, hash functions where in each round the block cipher is used twice, s.t. one encryption is needed per message block. In particular, our attacks break the Parallel-DM presented at Crypto'93 3].
VSH, an Efficient and Provable Collision-Resistant Hash Function
2006
We introduce VSH, very smooth hash, a new S-bit hash function that is provably collision-resistant assuming the hardness of finding nontrivial modular square roots of very smooth numbers modulo an S-bit composite. By very smooth, we mean that the smoothness bound is some fixed polynomial function of S. We argue that finding collisions for VSH has the same asymptotic complexity as factoring using the Number Field Sieve factoring algorithm, i.e., subexponential in S. VSH is theoretically pleasing because it requires just a single multiplication modulo the S-bit composite per Ω(S) message-bits (as opposed to O(logS) message-bits for previous provably secure hashes). It is relatively practical. A preliminary implementation on a 1GHz Pentium III processor that achieves collision resistance at least equivalent to the difficulty of factoring a 1024-bit RSA modulus, runs at 1.1 MegaByte per second, with a moderate slowdown to 0.7MB/s for 2048-bit RSA security. VSH can be used to build a fast, provably secure randomised trapdoor hash function, which can be applied to speed up provably secure signature schemes (such as Cramer-Shoup) and designated-verifier signatures.
Loading Preview
Sorry, preview is currently unavailable. You can download the paper by clicking the button above.