Results 1–10 of 71
Distinguisher and Related-Key Attack on the Full AES-256
Advances in Cryptology – CRYPTO 2009, Proceedings, volume 5677 of Lecture Notes in Computer Science, 2009
Abstract

Cited by 44 (3 self)
In this paper we construct a chosen-key distinguisher and a related-key attack on the full 256-bit key AES. We define a notion of differential q-multicollision and show that for AES-256 q-multicollisions can be constructed in time q · 2^67 and with negligible memory, while we prove that the same task for an ideal cipher of the same block size would require at least O(q · 2^{((q−1)/(q+1)) · 128}) time. Using a similar approach and with the same complexity we can also construct q-pseudo-collisions for AES-256 in Davies-Meyer hashing mode, a scheme which is provably secure in the ideal-cipher model. We have also computed partial q-multicollisions in time q · 2^37 on a PC to verify our results. These results show that AES-256 cannot model an ideal cipher in theoretical constructions. Finally we extend our results to find the first publicly known attack on the full 14-round AES-256: a related-key distinguisher which works for one out of every 2^35 keys with 2^120 data and time complexity and negligible memory. This distinguisher is translated into a key-recovery attack with total complexity of 2^131 time and 2^65 memory. Keywords: AES, related-key attack, chosen-key distinguisher, Davies-Meyer, ideal cipher.
Herding hash functions and the Nostradamus attack
of Lecture Notes in Computer Science, 2006
Abstract

Cited by 36 (6 self)
In this paper, we develop a new attack on Damgård-Merkle hash functions, called the herding attack, in which an attacker who can find many collisions on the hash function by brute force can first provide the hash of a message, and later “herd” any given starting part of a message to that hash value by the choice of an appropriate suffix. We focus on a property which hash functions should have, Chosen Target Forced Prefix (CTFP) preimage resistance, and show the distinction between Damgård-Merkle construction hashes and random oracles with respect to this property. We describe a number of ways that violation of this property can be used in arguably practical attacks on real-world applications of hash functions. An important lesson from these results is that hash functions susceptible to collision-finding attacks, especially brute-force collision-finding attacks, cannot in general be used to prove knowledge of a secret value.
MD4 is Not One-Way
Abstract

Cited by 16 (1 self)
MD4 is a hash function introduced by Rivest in 1990. It is still used in some contexts, and the most commonly used hash functions (MD5, SHA-1, SHA-2) are based on the design principles of MD4. MD4 has been extensively studied and very efficient collision attacks are known, but it is still believed to be a one-way function. In this paper we show a partial pseudo-preimage attack on the compression function of MD4, using some ideas from previous cryptanalysis of MD4. We can choose 64 bits of the output for the cost of 2^32 compression function computations (the remaining bits are randomly chosen by the preimage algorithm). This gives a preimage attack on the compression function of MD4 with complexity 2^96, and we extend it to an attack on the full MD4 with complexity 2^102. As far as we know this is the first preimage attack on a member of the MD4 family.
Hash Functions: From Merkle-Damgård to Shoup
EUROCRYPT, 2001
Abstract

Cited by 16 (0 self)
In this paper we study two possible approaches to improving existing schemes for constructing hash functions that hash arbitrarily long messages. First, we introduce a continuum of function classes that lie between universal one-way hash functions and collision-resistant functions. For some of these classes efficient (yielding short keys) composite schemes exist. Second, we prove that the schedule of the Shoup construction, which is the most efficient composition scheme for universal one-way hash functions known so far, is optimal.
Advanced Meet-in-the-Middle Preimage Attacks: First Results on Full Tiger, and Improved Results on MD4 and SHA-2
In ASIACRYPT’10, volume 6477 of Lecture Notes in Computer Science, 2010
Abstract

Cited by 15 (5 self)
We revisit narrow-pipe designs that are in practical use, and their security against preimage attacks. Our results are the best known preimage attacks on Tiger, MD4, and reduced SHA-2, with the result on Tiger being the first cryptanalytic shortcut attack on the full hash function. Our attacks run in time 2^188.8 for finding preimages, and 2^188.2 for second-preimages. Both have memory requirements of order 2^8, which is much less than in any other recent preimage attacks on reduced Tiger. Using precomputation techniques, the time complexity for finding a new preimage or second-preimage for MD4 can now be as low as 2^78.4 and 2^69.4 MD4 computations, respectively. The second-preimage attack works for all messages longer than 2 blocks. To obtain these results, we extend the meet-in-the-middle framework recently developed by Aoki and Sasaki in a series of papers. In addition to various algorithm-specific techniques, we use a number of conceptually new ideas that are applicable to a larger class of constructions. Among them are (1) incorporating multi-target scenarios into the MITM framework, leading to faster preimages from pseudo-preimages, (2) a simple precomputation technique that allows for finding new preimages at the cost of a single pseudo-preimage, and (3) probabilistic initial structures, to reduce the attack time complexity. All the techniques developed await application to other hash functions. To illustrate this, we give as another example improved preimage attacks on SHA-2 members.
Indifferentiable Security Analysis of Popular Hash Functions with Prefix-Free Padding
ASIACRYPT 2006, LNCS, 2006
Abstract

Cited by 15 (2 self)
Understanding what construction strategy has a chance to be a good hash function is extremely important nowadays. In TCC’04, Maurer et al. [13] introduced the notion of indifferentiability as a generalization of the concept of the indistinguishability of two systems. In Crypto’2005, Coron et al. [5] suggested employing indifferentiability in the generic analysis of hash functions and started by suggesting four constructions which enable eliminating all possible generic attacks against iterative hash functions. In this paper we continue this initial suggestion and we give a formal proof of indifferentiability and an indifferentiability attack for prefix-free MD hash functions (for single block length (SBL) hash and also some double block length (DBL) constructions) in the random oracle model and in the ideal cipher model. In particular, we observe that there are sixteen PGV hash functions (with prefix-free padding) which are indifferentiable from a random oracle in the ideal cipher model.
Automatic Search for Related-Key Differential Characteristics in Byte-Oriented Block Ciphers: Application to AES, Camellia, Khazad and others
Abstract

Cited by 15 (0 self)
While the differential behavior of modern ciphers in a single secret key scenario is relatively well understood, and simple techniques for computation of security lower bounds are readily available, the security of modern block ciphers against related-key attacks is still very ad hoc. In this paper we make a first step towards provable security of block ciphers against related-key attacks by presenting an efficient search tool for finding differential characteristics both in the state and in the key (note that due to similarities between block ciphers and hash functions such a tool will be useful in the analysis of hash functions as well). We use this tool to search for the best possible (in terms of the number of rounds) related-key differential characteristics in AES, byte-Camellia, Khazad, FOX, and Anubis. We show the best related-key differential characteristics for 5, 11, and 14 rounds of AES-128, AES-192, and AES-256 respectively. We use the optimal differential characteristics to design the best related-key and chosen-key attacks on AES-128 (7 out of 10 rounds), AES-192 (full 12 rounds), byte-Camellia (full 18 rounds) and Khazad (7 and 8 out of 8 rounds). We also show that the ciphers FOX and Anubis have no related-key attacks on more than 4–5 rounds.
Collisions and other Non-Random Properties for Step-Reduced SHA-256. Cryptology ePrint Archive, April 2008. Available at http://eprint.iacr
Abstract

Cited by 15 (3 self)
We study the security of step-reduced but otherwise unmodified SHA-256. We show the first collision attacks on SHA-256 reduced to 23 and 24 steps with complexities 2^18 and 2^28.5, respectively. We give example colliding message pairs for 23-step and 24-step SHA-256. The best previous, recently obtained result was a collision attack for up to 22 steps. We extend our attacks to 23- and 24-step reduced SHA-512 with respective complexities of 2^44.9 and 2^53.0. Additionally, we show non-random behaviour of the SHA-256 compression function in the form of free-start near-collisions for up to 31 steps, which is 6 more steps than the recently obtained non-random behaviour in the form of a free-start near-collision. Even though this represents a step forward in terms of cryptanalytic techniques, the results do not threaten the security of applications using SHA-256. Keywords: SHA-256, SHA-512, hash functions, collisions, semi-free-start collisions, free-start collisions, free-start near-collisions.
Reconfigurable Trusted Computing in Hardware
In ACM STC ’07
Abstract

Cited by 13 (2 self)
Trusted Computing (TC) is an emerging technology towards building trustworthy computing platforms. The Trusted Computing Group (TCG) has proposed several specifications to implement TC functionalities by extensions to common computing platforms, particularly the underlying hardware with a Trusted Platform Module (TPM). However, actual TPMs are nowadays mostly available for workstations and servers, and rather for specific domain applications than primarily for embedded systems. Further, the TPM specifications are becoming monolithic and more complex while the applications demand a scalable and flexible usage of TPM functionalities. In this paper we propose a reconfigurable (hardware) architecture with TC functionalities where we focus on TPMs as proposed by the TCG, specifically designed for embedded platforms. Our approach allows for (i) an efficient and scalable design and update of TPM functionalities, in particular for hardware-based crypto engines and accelerators, (ii) establishing a minimal trusted computing base in hardware, (iii) including the TPM as well as its functionalities into the chain of trust, which enables binding sensitive data to the underlying reconfigurable hardware, and (iv) designing a manufacturer-independent TPM. We discuss possible implementations based on current FPGAs and point out the associated challenges, in particular with respect to protection of the internal TPM state, since it must not be subject to manipulation, replay, and cloning.
Security of Cyclic Double Block Length Hash Functions including Abreast-DM
Abstract

Cited by 12 (2 self)
We provide the first proof of security for Abreast-DM, one of the oldest and most well-known constructions for turning a block cipher with n-bit block length and 2n-bit key length into a 2n-bit cryptographic hash function. In particular, we prove that when Abreast-DM is instantiated with AES-256, i.e. a block cipher with 128-bit block length and 256-bit key length, any adversary that asks fewer than 2^124.42 queries cannot find a collision with success probability greater than 1/2. Surprisingly, this roughly 15-year-old construction is one of the few constructions that have the desirable feature of a near-optimal collision resistance guarantee. We generalize the techniques used in the proof for Abreast-DM to a huge class of double block length (DBL) hash functions that we will call cyclic. Using this generalized theorem we are able to derive several DBL constructions that lead to compression functions that have an even higher security guarantee and are more efficient than Abreast-DM. Furthermore we give DBL constructions that have the highest security guarantee of all DBL compression functions currently known in the literature. We also provide an analysis of preimage resistance for cyclic compression functions. Note that this work has already been presented at Dagstuhl ’09.