Cryptanalysis of the CRUSH Hash Function
Lars Knudsen2007, Lecture Notes in Computer Science
Sign up for access to the world's latest research
checkGet notified about relevant papers
checkSave papers to use in your research
checkJoin the discussion with peers
checkTrack your impact
Abstract
Iterated Halving has been suggested as a replacement to the Merkle-Damgård construction following attacks on the MDx family of hash functions. The core of the scheme is an iterated block cipher that provides keying and input material for future rounds. The CRUSH hash function provides a specific instantiation of the block cipher for Iterated Halving. In this paper, we identify structural problems with the scheme, and show that by using a bijective function, such as the block cipher used in CRUSH or the AES, we can trivially identify collisions and second preimages on many equal-length messages of length ten blocks or more. The cost is ten decryptions of the block cipher, this being less than the generation of a single digest. We show that even if Iterated Halving is repaired, the construction has practical issues that means it is not suitable for general deployment. We conclude this paper with the somewhat obvious statement that CRUSH, and more generally Iterated Halving, should not be used.
Related papers
Cryptanalysis of an Iterated Halving-based hash function: CRUSH
IET Information Security, 2009
Iterated Halving has been suggested as a replacement to the Merkle -Damgård (MD) construction in 2004 anticipating the attacks on the MDx family of hash functions. The CRUSH hash function provides a specific instantiation of the block cipher for Iterated Halving. The authors identify structural problems with the scheme and show that they can trivially identify collisions and second preimages on many equal-length messages of length ten blocks or more. The cost is ten decryptions of the block cipher, this being less than the generation of a single digest. In addition, these attacks can be used to differentiate CRUSH from a random oracle in O(1). The authors show that the complexity of finding a preimage in the unpadded CRUSH with the length encoding is negligible and extend this attack on CRUSH with the length encoding in cost O(2 32 ). This attack is a multi-preimage attack, since the attacker can produce a large number of messages for a given message digest for the cost of O(2 32 ). Hence, this attack can be used as a multi-collision and a multisecond-preimage as well. They show that if the attacker knows the last 64-bits of the message digest in advance, he can do the time-consuming part of the attack off-line. The authors show that even if Iterated Halving is repaired, the construction has practical issues that means it is not suitable for general deployment.
Cryptanalysis of CRUSH hash structure
IACR Cryptol. ePrint Arch., 2008
In this paper, we will present a cryptanalysis of CRUSH hash structure. Surprisingly, our attack could find pre-image for any desired length of internal message. Time complexity of this attack is completely negligible. We will show that the time complexity of finding a pre-image of any length is O(1). In this attack, an adversary could freely find a pre-image with the length of his own choice for any given message digits. We can also find second pre-image, collision, multi-collision in the same complexity with our attack. In this paper, we also introduce a stronger variant of the algorithm, and show that an adversary could still be able to produce collisions for this stronger variant of CRUSH hash structure with a time complexity less than a Birthday attack.
Cryptanalysis of CRUSH hash structure1
2007
In this paper, we will present a cryptanalysis of CRUSH hash structure. Surprisingly, our attack could find pre-image for any desired length of internal message. Time complexity of this attack is completely negligible. We will show that the time complexity of finding a pre-image of any length is O(1). In this attack, an adversary could freely find a pre-image with
Design and analysis of hash functions
2007
A function that compresses an arbitrarily large message into a fixed small size ‘message digest’ is known as a hash function. For the last two decades, many types of hash functions have been defined but, the most widely used in many of the cryptographic applications currently are hash functions based on block ciphers and the dedicated hash functions. Almost all the dedicated hash functions are generated using the Merkle-Damgard construction which is developed independently by Merkle and Damgard in 1989 [6, 7]. A hash function is said to be broken if an attacker is able to show that the design of the hash function violates at least one of its claimed security property. There are various types of attacking strategies found on hash functions, such as attacks based on the block ciphers, attacks depending on the algorithm, attacks independent of the algorithm, attacks based on signature schemes, and high level attacks. Besides this, in recent years, many structural weaknesses have been f...
Merkle-Damgaard Revisited: How to Construct a Hash Function
2005
The most common way of constructing a hash function (e.g., SHA-1) is to iterate a compression function on the input message. The compression function is usually designed from scratch or made out of a block-cipher. In this paper, we introduce a new security notion for hash-functions, stronger than collision-resistance. Under this notion, the arbitrary length hash function H must behave as a random oracle when the fixed-length building block is viewed as a random oracle or an ideal block-cipher. The key property is that if a particular construction meets this definition, then any cryptosystem proven secure assuming H is a random oracle remains secure if one plugs in this construction (still assuming that the underlying fixed-length primitive is ideal). In this paper, we show that the current design principle behind hash functions such as SHA-1 and MD5 — the (strengthened) Merkle-Damgård transformation — does not satisfy this security notion. We provide several constructions that provably satisfy this notion; those new constructions introduce minimal changes to the plain Merkle-Damgård construction and are easily implementable in practice.
Whirlwind: a new cryptographic hash function
Designs, Codes and Cryptography, 2010
A new cryptographic hash function Whirlwind is presented. We give the full specification and explain the design rationale. We show how the hash function can be implemented efficiently in software and give first performance numbers. A detailed analysis of the security against state-of-the-art cryptanalysis methods is also provided. In comparison to the algorithms submitted to the SHA-3 competition, Whirlwind takes recent developments in cryptanalysis into account by design. Even though software performance is not outstanding, it compares favourably with the 512-bit versions of SHA-3 candidates such as LANE or the original CubeHash proposal and is about on par with ECHO and MD6.
Cryptanalysis of the Modified Version of the Hash Function Proposed at PKC'98
2002
In the conference PKC'98, Shin et al. proposed a dedicated hash function of the MD family. In this paper, we study the security of Shin's hash function. We analyze the property of the Boolean functions, the message expansion, and the data dependent rotations of the hash function. We propose a method for finding the collisions of the modified Shin's hash function and show that we can find collisions with probability 2 −30 .
New Second-Preimage Attacks on Hash Functions
Journal of Cryptology, 2015
In this work, we present several new generic second-preimage attacks on hash functions. Our first attack is based on the herding attack and applies to various Merkle-Damgård-based iterative hash functions. Compared to the previously known long-message second-preimage attacks, our attack offers more flexibility in choosing the second-preimage message at the cost of a small computational overhead. More concretely, our attack allows the adversary to replace only a few blocks in the original * A preliminary version of this paper appeared in [2].
Vortex: A New Family of One-Way Hash Functions Based on AES Rounds and Carry-Less Multiplication
Lecture Notes in Computer Science
We present Vortex a new family of one way hash functions that can produce message digests of 256 bits. The main idea behind the design of these hash functions is that we use well known algorithms that can support very fast diffusion in a small number of steps. We also balance the cryptographic strength that comes from iterating block cipher rounds with SBox substitution and diffusion (like Whirlpool) against the need to have a lightweight implementation with as small number of rounds as possible. We use only 3 AES rounds as opposed to 10 since our goal is not to protect a secret symmetric key but to support perfect mixing of the bits of the input into the hash value. Three AES rounds are followed by our variant of Galois Field multiplication. This achieves cross-mixing between 128-bit sets. We present a set of qualitative arguments why we believe Vortex supports collision resistance and first pre-image resistance.
Evaluation On Recent Committed Crypt Analysis Hash Function
2008
This paper describes the study of cryptographic hash functions, one of the most important classes of primitives used in recent techniques in cryptography. The main aim is the development of recent crypt analysis hash function. We present different approaches to defining security properties more formally and present basic attack on hash function. We recall Merkle-Damgard security properties of iterated hash function. The Main aim of this paper is the development of recent techniques applicable to crypt Analysis hash function, mainly from SHA family. Recent proposed attacks an MD5 & SHA motivate a new hash function design. It is designed not only to have higher security but also to be faster than SHA-256. The performance of the new hash function is at least 30% better than that of SHA-256 in software. And it is secure against any known cryptographic attacks on hash functions.
Related topics
Related papers
Revisiting Dedicated and Block Cipher based Hash Functions
Abstract: A hash function maps a variable length input into a fixed length output. The hash functions that are used in the information security related applications are referred as cryptographic hash functions. Hash functions are being used as building blocks of many complex cryptographic mechanisms and protocols. Construction of a hash function consists of two components. First component is a compression function and the second component is a domain extender.
Analysis of the Hash Function Design Strategy Called SMASH
IEEE Transactions on Information Theory, 2000
The hash function design strategy SMASH was recently proposed as an alternative to the MD4 family of hash functions. It can be shown that the strategy leads to designs that are vulnerable to efficient collision and (second) preimage attacks. The mathematical structure of the SMASH description facilitates the description of the weakness and the resulting attacks, but also functions with less mathematical elegance may show similar weaknesses.
Constructing Secure Hash Functions by Enhancing Merkle-Damgård Construction
Lecture Notes in Computer Science, 2006
Recently multi-block collision attacks (MBCA) were found on the Merkle-Damgård (MD)-structure based hash functions MD5, SHA-0 and SHA-1. In this paper, we introduce a new cryptographic construction called 3C devised by enhancing the MD construction. We show that the 3C construction is at least as secure as the MD construction against single-block and multi-block collision attacks. This is the first result of this kind showing a generic construction which is at least as resistant as MD against MBCA. To further improve the resistance of the design against MBCA, we propose the 3C+ design as an enhancement of 3C. Both these constructions are very simple adjustments to the MD construction and are immune to the straight forward extension attacks that apply to the MD hash function. We also show that 3C resists some known generic attacks that work on the MD construction. Finally, we compare the security and efficiency features of 3C with other MD based proposals.
Constructing Cryptographic Hash Functions from Fixed-Key Blockciphers
Lecture Notes in Computer Science
We propose a family of compression functions built from fixed-key blockciphers and investigate their collision and preimage security in the ideal-cipher model. The constructions have security approaching and in many cases equaling the security upper bounds found in previous work of the authors [24]. In particular, we describe a 2n-bit to n-bit compression function using three n-bit permutation calls that has collision security N 0.5 , where N = 2 n , and we describe 3n-bit to 2n-bit compression functions using five and six permutation calls and having collision security of at least N 0.55 and N 0.63 .
On the security of dedicated hash functions
1998
Cryptographic hash functions are an important building block for a wide range of applications such as the authentication of information, digital signatures and the protection of pass-phrases. The most popular hash functions are the custom designed iterative hash functions from the MD4 family. Over the years various results on the cryptanalysis of these functions have become available and this paper intends to summarize these results and their impact. We will describe attacks on MD4, MD5 and RIPEMD, and discuss the design and security of the hash functions SHA-1 and RIPEMD-160 which are included in the new standard ISO/IEC 10118-3.
Multicollision Attack on a recently proposed hash function vMDC-2
2016
In this paper, we describe an attack on a new double block length hash function which was proposed as a variant of MDC-2 and MDC-4. The vMDC-2 compression function is based on two calls to a block cipher that compresses a 3n-bit string to a 2n-bit one. This attack is based on the Joux's multicollision attack, where we show that an adversary wins finding collision game by requesting $2^{70}$ queries for $ n=128$-bit block cipher that is much less than the complexity of birthday attack.
Cryptanalysis of Tweaked Versions of SMASH and Reparation
Selected Areas in Cryptography, 2009
In this paper, we study the security of permutation based hash functions, i.e. blockcipher based hash functions with fixed keys. SMASH is such a hash function proposed by Knudsen in 2005 and broken the same year by Pramstaller et al. Here we show that the two tweaked versions, proposed soon after by Knudsen to thwart the attack, can also be attacked in collision in time O(n2 n/3). This time complexity can be reduced to O(2 2 √ n) for the first tweak version, which means an attack against SMASH-256 in c • 2 32 for a small constant c. Then, we show that an efficient generalization of SMASH, using two permutations instead of one, can be proved secure against collision in the ideal-cipher model in Ω(2 n/4) queries to the permutations. In order to analyze the tightness of our proof, we devise a non-trivial attack in O(2 3n/8) queries. Finally, we also prove that our construction is preimage resistant in Ω(2 n/2) queries, which the best security level that can be reached for 2-permutation based hash functions, as proved in [12].
The Hash Function "Fugue
IACR Cryptology ePrint Archive, 2014
We describe Fugue, a hash function supporting inputs of length upto 2 64 -1 bits and hash outputs of length upto 512 bits. Notably, Fugue is not based on a compression function. Rather, it is directly a hash function that support variable-length input. The starting point for Fugue is the hash function Grindahl, but it extends that design to protect against the kinds of attacks that were developed for Grindahl, as well as earlier hash functions like SHA-1. A key enhancement is the design of a much stronger round function which replaces the AES round function of Grindahl, using better codes (over longer words) than the AES 4 × 4 MDS matrix. Also, Fugue makes judicious use of this new round function on a much larger internal state. The design of Fugue is proof-oriented: the various components are designed in such a way as to allow proofs of security. As a result, we can prove that current attack methods cannot find collisions in Fugue any faster than the trivial birthday attack. Although the proof is computer assisted, the assistance is limited to computing ranks of various matrices.
New attacks on all double block length hash functions of hash rate 1, including the Parallel-DM
Lecture Notes in Computer Science, 1995
In this paper attacks on double block length hash functions using a block cipher are considered. We present attacks on all double block length hash functions of hash rate 1, that is, hash functions where in each round the block cipher is used twice, s.t. one encryption is needed per message block. In particular, our attacks break the Parallel-DM presented at Crypto'93 3].
Attacks on double block length hash functions
Lecture Notes in Computer Science, 1994
Attacks on double block length hash functions using a block cipher are considered in this paper. We present a general free-start attack, in which the attacker is free to choose the initial value, and a real attack on a large class of hash functions. Recent results on the complexities of attacks on double block hash functions are summarized.
Loading Preview
Sorry, preview is currently unavailable. You can download the paper by clicking the button above.