Multicollision Attack on a recently proposed hash function vMDC-2

Lecture Notes in Computer Science, 2007

Iterated Halving has been suggested as a replacement to the Merkle-Damgård construction following attacks on the MDx family of hash functions. The core of the scheme is an iterated block cipher that provides keying and input material for future rounds. The CRUSH hash function provides a specific instantiation of the block cipher for Iterated Halving. In this paper, we identify structural problems with the scheme, and show that by using a bijective function, such as the block cipher used in CRUSH or the AES, we can trivially identify collisions and second preimages on many equal-length messages of length ten blocks or more. The cost is ten decryptions of the block cipher, this being less than the generation of a single digest. We show that even if Iterated Halving is repaired, the construction has practical issues that means it is not suitable for general deployment. We conclude this paper with the somewhat obvious statement that CRUSH, and more generally Iterated Halving, should not be used.

Proceedings of the International Conference on Security and Cryptography, 2011

The GOST hash function and more precisely GOST 34.11-94 is a cryptographic hash function and the official government standard of the Russian Federation. It is a key component in the national Russian digital signature standard. The GOST hash function is a 256-bit iterated hash function with an additional checksum computed over all input message blocks. Inside the GOST compression function, we find the standard GOST block cipher, which is an instantiation of the official Russian national encryption standard GOST 28147-89. In this paper we focus mostly on the problem of finding collisions on the GOST compression function. At Crypto 2008 a collision attack on the GOST compression function requiring 2 96 evaluations of this function was found. In this paper, we present a new collision attack on the GOST compression function which is fundamentally different and more general than the attack published at Crypto 2008. Our new attack is a blackbox attack which does not need any particular weakness to exist in the GOST block cipher, and works also if we replace GOST by another cipher with the same block and key size. Our attack is also slightly faster and we also show that the complexity of the previous attack can be slightly improved as well. Since GOST has an additional checksum computed over all blocks, it is not obvious how a collision attack on the GOST compression function can be extended to a collision attack on the hash function. In 2008 Gauravaram and Kelsey develop a technique to achieve this, in the case in which the checksum is linear or additive, using the Camion-Patarin-Wagner generalized birthday algorithm. Thus at Crypto 2008 the authors were also able to break the collision resistance of the complete GOST Hash function. Our attack is more generic and shows that the GOST compression function can be broken whatever is the underlying block cipher, but remains an attack on the compression function. It remains an open problem how and if this new attack can be extended to a collision attack on the full GOST hash function. 325 T. Courtois N. and Mourouzis T.. BLACK-BOX COLLISION ATTACKS ON THE COMPRESSION FUNCTION OF THE GOST HASH FUNCTION.

Lecture Notes in Computer Science, 2009

The Zémor-Tillich hash function has remained unbroken since its introduction at CRYPTO'94. We present the first generic collision and preimage attacks against this function, in the sense that the attacks work for any parameters of the function. Their complexity is the cubic root of the birthday bound; for the parameters initially suggested by Tillich and Zémor they are very close to being practical. Our attacks exploit a separation of the collision problem into an easy and a hard component. We subsequently present two variants of the Zémor-Tillich hash function with essentially the same collision resistance but reduced outputs of 2n and n bits instead of the original 3n bits. Our second variant keeps only the hard component of the collision problem; for well-chosen parameters the best collision attack on it is the birthday attack.

Lecture Notes in Computer Science, 2012

Hamsi-256 is a cryptographic hash functions submitted by Küçük to the NIST SHA-3 competition in 2008. It was selected by NIST as one of the 14 round 2 candidates in 2009. Even though Hamsi-256 did not make it to the final round in 2010 it is still an interesting target for cryptanalysts. Since Hamsi-256 has been proposed, it received a great deal of cryptanalysis. Besides the second-preimage attacks on the hash function, most cryptanalysis focused on non-random properties of the compression function or output transformation of Hamsi-256. Interestingly, the collision resistance of the hash or compression function got much less attention. In this paper, we present a collision attack on the Hamsi-256 compression function with a complexity of about 2 124.1 .

2007

A function that compresses an arbitrarily large message into a fixed small size ‘message digest’ is known as a hash function. For the last two decades, many types of hash functions have been defined but, the most widely used in many of the cryptographic applications currently are hash functions based on block ciphers and the dedicated hash functions. Almost all the dedicated hash functions are generated using the Merkle-Damgard construction which is developed independently by Merkle and Damgard in 1989 [6, 7]. A hash function is said to be broken if an attacker is able to show that the design of the hash function violates at least one of its claimed security property. There are various types of attacking strategies found on hash functions, such as attacks based on the block ciphers, attacks depending on the algorithm, attacks independent of the algorithm, attacks based on signature schemes, and high level attacks. Besides this, in recent years, many structural weaknesses have been f...

2002

In the conference PKC'98, Shin et al. proposed a dedicated hash function of the MD family. In this paper, we study the security of Shin's hash function. We analyze the property of the Boolean functions, the message expansion, and the data dependent rotations of the hash function. We propose a method for finding the collisions of the modified Shin's hash function and show that we can find collisions with probability 2 −30 .

2007

In this paper, we will present a cryptanalysis of CRUSH hash structure. Surprisingly, our attack could find pre-image for any desired length of internal message. Time complexity of this attack is completely negligible. We will show that the time complexity of finding a pre-image of any length is O(1). In this attack, an adversary could freely find a pre-image with the length of his own choice for any given message digits. We can also find second pre-image, collision, multi-collision in the same complexity with our attack. In this paper, we also introduce a stronger variant of the algorithm, and show that an adversary could still be able to produce collisions for this stronger variant of CRUSH hash structure with a time complexity less than a Birthday attack.

Lecture Notes in Computer Science, 1990

We present a new hash-function, which provides 2n-bit hash-results, using any n-bit symmetric block cipher algorithm. This hash-function can be considered as a extension of an already known one, which only provided n-bit hash-results. The difference is crucial, because a lot of symmetric block cipher algorithms use 64-bit blocks and recent works have shown that a 64-bit hash-result is greatly insufficient.

IEEE Transactions on Information Theory, 2002

This paper considers iterated hash functions. It proposes new constructions of fast and secure compression functions with -bit outputs for integers 1 based on error-correcting codes and secure compression functions with -bit outputs. This leads to simple and practical hash function constructions based on block ciphers such as Data Encryption Standard (DES), where the key size is slightly smaller than the block size; IDEA, where the key size is twice the block size; Advanced Encryption Standard (AES), with a variable key size; and to MD4-like hash functions. Under reasonable assumptions about the underlying compression function and/or block cipher, it is proved that the new hash functions are collision resistant. More precisely, a lower bound is shown on the number of operations to find a collision as a function of the strength of the underlying compression function. Moreover, some new attacks are presented that essentially match the presented lower bounds. The constructions allow for a large degree of internal parallelism. The limits of this approach are studied in relation to bounds derived in coding theory.

2006

We introduce VSH, very smooth hash, a new S-bit hash function that is provably collision-resistant assuming the hardness of finding nontrivial modular square roots of very smooth numbers modulo an S-bit composite. By very smooth, we mean that the smoothness bound is some fixed polynomial function of S. We argue that finding collisions for VSH has the same asymptotic complexity as factoring using the Number Field Sieve factoring algorithm, i.e., subexponential in S. VSH is theoretically pleasing because it requires just a single multiplication modulo the S-bit composite per Ω(S) message-bits (as opposed to O(logS) message-bits for previous provably secure hashes). It is relatively practical. A preliminary implementation on a 1GHz Pentium III processor that achieves collision resistance at least equivalent to the difficulty of factoring a 1024-bit RSA modulus, runs at 1.1 MegaByte per second, with a moderate slowdown to 0.7MB/s for 2048-bit RSA security. VSH can be used to build a fast, provably secure randomised trapdoor hash function, which can be applied to speed up provably secure signature schemes (such as Cramer-Shoup) and designated-verifier signatures.