Results 1  10
of
17
How to break MD5 and other hash functions
 In EUROCRYPT
, 2005
"... Abstract. MD5 is one of the most widely used cryptographic hash functions nowadays. It was designed in 1992 as an improvement of MD4, and its security was widely studied since then by several authors. The best known result so far was a semi freestart collision, in which the initial value of the has ..."
Abstract

Cited by 214 (5 self)
 Add to MetaCart
Abstract. MD5 is one of the most widely used cryptographic hash functions nowadays. It was designed in 1992 as an improvement of MD4, and its security was widely studied since then by several authors. The best known result so far was a semi freestart collision, in which the initial value of the hash function is replaced by a nonstandard value, which is the result of the attack. In this paper we present a new powerful attack on MD5 which allows us to find collisions efficiently. We used this attack to find collisions of MD5 in about 15 minutes up to an hour computation time. The attack is a differential attack, which unlike most differential attacks, does not use the exclusiveor as a measure of difference, but instead uses modular integer subtraction as the measure. We call this kind of differential a modular differential. An application of this attack to MD4 can find a collision in less than a fraction of a second. This attack is also applicable to other hash functions, such as RIPEMD and HAVAL. 1
Parallel Collision Search with Cryptanalytic Applications
 Journal of Cryptology
, 1996
"... A simple new technique of parallelizing methods for solving search problems which seek collisions in pseudorandom walks is presented. This technique can be adapted to a wide range of cryptanalytic problems which can be reduced to finding collisions. General constructions are given showing how to ad ..."
Abstract

Cited by 145 (3 self)
 Add to MetaCart
A simple new technique of parallelizing methods for solving search problems which seek collisions in pseudorandom walks is presented. This technique can be adapted to a wide range of cryptanalytic problems which can be reduced to finding collisions. General constructions are given showing how to adapt the technique to finding discrete logarithms in cyclic groups, finding meaningful collisions in hash functions, and performing meetinthemiddle attacks such as a knownplaintext attack on double encryption. The new technique greatly extends the reach of practical attacks, providing the most costeffective means known to date for defeating: the small subgroup used in certain schemes based on discrete logarithms such as Schnorr, DSA, and elliptic curve cryptosystems; hash functions such as MD5, RIPEMD, SHA1, MDC2, and MDC4; and double encryption and threekey triple encryption. The practical significance of the technique is illustrated by giving the design for three $10 million custom machines which could be built with current technology: one finds elliptic curve logarithms in GF(2 ) thereby defeating a proposed elliptic curve cryptosystem in expected time 32 days, the second finds MD5 collisions in expected time 21 days, and the last recovers a doubleDES key from 2 known plaintexts in expected time 4 years, which is four orders of magnitude faster than the conventional meetinthemiddle attack on doubleDES. Based on this attack, doubleDES offers only 17 more bits of security than singleDES.
The Elliptic Curve Digital Signature Algorithm (ECDSA)
, 1999
"... The Elliptic Curve Digital Signature Algorithm (ECDSA) is the elliptic curve analogue of the Digital Signature Algorithm (DSA). It was accepted in 1999 as an ANSI standard, and was accepted in 2000 as IEEE and NIST standards. It was also accepted in 1998 as an ISO standard, and is under consideratio ..."
Abstract

Cited by 102 (5 self)
 Add to MetaCart
The Elliptic Curve Digital Signature Algorithm (ECDSA) is the elliptic curve analogue of the Digital Signature Algorithm (DSA). It was accepted in 1999 as an ANSI standard, and was accepted in 2000 as IEEE and NIST standards. It was also accepted in 1998 as an ISO standard, and is under consideration for inclusion in some other ISO standards. Unlike the ordinary discrete logarithm problem and the integer factorization problem, no subexponentialtime algorithm is known for the elliptic curve discrete logarithm problem. For this reason, the strengthperkeybit is substantially greater in an algorithm that uses elliptic curves. This paper describes the ANSI X9.62 ECDSA, and discusses related security, implementation, and interoperability issues. Keywords: Signature schemes, elliptic curve cryptography, DSA, ECDSA.
New proofs for NMAC and HMAC: Security without collisionresistance
, 2006
"... HMAC was proved in [3] to be a PRF assuming that (1) the underlying compression function is a PRF, and (2) the iterated hash function is weakly collisionresistant. However, recent attacks show that assumption (2) is false for MD5 and SHA1, removing the proofbased support for HMAC in these cases. ..."
Abstract

Cited by 82 (8 self)
 Add to MetaCart
HMAC was proved in [3] to be a PRF assuming that (1) the underlying compression function is a PRF, and (2) the iterated hash function is weakly collisionresistant. However, recent attacks show that assumption (2) is false for MD5 and SHA1, removing the proofbased support for HMAC in these cases. This paper proves that HMAC is a PRF under the sole assumption that the compression function is a PRF. This recovers a proof based guarantee since no known attacks compromise the pseudorandomness of the compression function, and it also helps explain the resistancetoattack that HMAC has shown even when implemented with hash functions whose (weak) collision resistance is compromised. We also show that an even weakerthanPRF condition on the compression function, namely that it is a privacypreserving MAC, suffices to establish HMAC is a secure MAC as long as the hash function meets the very weak requirement of being computationally almost universal, where again the value lies in the fact that known
Twofish: A 128Bit Block Cipher
 in First Advanced Encryption Standard (AES) Conference
, 1998
"... Twofish is a 128bit block cipher that accepts a variablelength key up to 256 bits. The cipher is a 16round Feistel network with a bijective F function made up of four keydependent 8by8bit Sboxes, a fixed 4by4 maximum distance separable matrix over GF(2 8 ), a pseudoHadamard transform, bit ..."
Abstract

Cited by 54 (8 self)
 Add to MetaCart
Twofish is a 128bit block cipher that accepts a variablelength key up to 256 bits. The cipher is a 16round Feistel network with a bijective F function made up of four keydependent 8by8bit Sboxes, a fixed 4by4 maximum distance separable matrix over GF(2 8 ), a pseudoHadamard transform, bitwise rotations, and a carefully designed key schedule. A fully optimized implementation of Twofish encrypts on a Pentium Pro at 17.8 clock cycles per byte, and an 8bit smart card implementation encrypts at 1660 clock cycles per byte. Twofish can be implemented in hardware in 14000 gates. The design of both the round function and the key schedule permits a wide variety of tradeoffs between speed, software size, key setup time, gate count, and memory. We have extensively cryptanalyzed Twofish; our best attack breaks 5 rounds with 2 22.5 chosen plaintexts and 2 51 effort.
A failurefriendly design principle for hash functions
, 2005
"... Abstract. This paper reconsiders the established MerkleDamg˚ard design principle for iterated hash functions. The internal state size w of an iterated nbit hash function is treated as a security parameter of its own right. In a formal model, we show that increasing w quantifiably improves security ..."
Abstract

Cited by 42 (5 self)
 Add to MetaCart
Abstract. This paper reconsiders the established MerkleDamg˚ard design principle for iterated hash functions. The internal state size w of an iterated nbit hash function is treated as a security parameter of its own right. In a formal model, we show that increasing w quantifiably improves security against certain attacks, even if the compression function fails to be collision resistant. We propose the widepipe hash, internally using a wbit compression function, and the doublepipe hash, with w = 2n and an nbit compression function used twice in parallel.
Cryptanalysis of MD5 Compress
 In Rump Session of EuroCrypt ’96
, 1996
"... the recent analysis of MD4like hash functions. 1 Using the term "collision of a compress function" we assume that the initial value is the same for both inputs, i.e. an initial value IV and two different inputs X and ~ X are given such that compress(IV ; X) = compress(IV ; ~ X): On the other ..."
Abstract

Cited by 15 (0 self)
 Add to MetaCart
the recent analysis of MD4like hash functions. 1 Using the term "collision of a compress function" we assume that the initial value is the same for both inputs, i.e. an initial value IV and two different inputs X and ~ X are given such that compress(IV ; X) = compress(IV ; ~ X): On the other hand we use the term "pseudocollision" if two different initial values IV; ~ IV and (possibly identical) inputs X; ~ X are given such that compress(IV ; X) = compress( ~ IV ; ~ X): Pseudocollisions are of much less practical importance than collisions. Collision for the compress function of MD5. Use the following initial value
DPA on nBit Sized Boolean and Arithmetic Operations and Its Application to IDEA, RC6, and the HMACConstruction
 CRYPTOGRAPHIC HARDWARE AND EMBEDDED SYSTEMS  CHES 2004, SPRINGER, LNCS 3156
, 2004
"... Differential Power Analysis (DPA) has turned out to be an efficient method to attack the implementations of cryptographic algorithms and has been well studied for ciphers that incorporate a nonlinear substitution box as e.g. in DES. Other product ciphers and message authentication codes are based on ..."
Abstract

Cited by 11 (3 self)
 Add to MetaCart
Differential Power Analysis (DPA) has turned out to be an efficient method to attack the implementations of cryptographic algorithms and has been well studied for ciphers that incorporate a nonlinear substitution box as e.g. in DES. Other product ciphers and message authentication codes are based on the mixing of different algebraic groups and do not use lookup tables. Among these are IDEA, the AES finalist RC6 and HMACconstructions such as HMACSHA1 and HMACRIPEMD160. These algorithms restrict the use of the selection function to the Hamming weight and Hamming distance of intermediate data as the addresses used do not depend on cryptographic keys. Because of the linearity of the primitive operations secondary DPA signals arise. This article gives a deeper analysis of the characteristics of DPA results obtained on the basic group operations XOR, addition modulo 2 n and modular multiplication using multibit selection functions. The results shown are based both on simulation and experimental data. Experimental results are included for an AVR ATM163 microcontroller which demonstrate the application of DPA to an IDEA implementation.
Key Length
 CONTRIBUTION TO “THE HANDBOOK OF INFORMATION SECURITY"
, 2004
"... The key length used for a cryptographic protocol determines the highest security it can offer. If the key is found or ‘broken’, the security is undermined. Thus, key lengths must be chosen in accordance with the desired security. In practice, key lengths are mostly determined by standards, legacy sy ..."
Abstract

Cited by 7 (0 self)
 Add to MetaCart
The key length used for a cryptographic protocol determines the highest security it can offer. If the key is found or ‘broken’, the security is undermined. Thus, key lengths must be chosen in accordance with the desired security. In practice, key lengths are mostly determined by standards, legacy system compatibility issues, and vendors. From a theoretical point of view selecting key lengths is more involved. Understanding the relation between security and key lengths and the impact of anticipated and unexpected cryptanalytic progress, requires insight into the design of the cryptographic methods and the mathematics involved in the attempts at breaking them. In this chapter practical and theoretical aspects of key size selection are discussed.
A new dedicated 256bit hash function: FORK256
 FSE 2006, LNCS 4047, SpringerVerlag
, 2006
"... ..."