Results 1-10 of 76
Parallel Collision Search with Cryptanalytic Applications
Journal of Cryptology, 1996
Cited by 159 (3 self)
A simple new technique of parallelizing methods for solving search problems which seek collisions in pseudorandom walks is presented. This technique can be adapted to a wide range of cryptanalytic problems which can be reduced to finding collisions. General constructions are given showing how to adapt the technique to finding discrete logarithms in cyclic groups, finding meaningful collisions in hash functions, and performing meet-in-the-middle attacks such as a known-plaintext attack on double encryption. The new technique greatly extends the reach of practical attacks, providing the most cost-effective means known to date for defeating: the small subgroup used in certain schemes based on discrete logarithms such as Schnorr, DSA, and elliptic curve cryptosystems; hash functions such as MD5, RIPEMD, SHA-1, MDC-2, and MDC-4; and double encryption and three-key triple encryption. The practical significance of the technique is illustrated by giving the design for three $10 million custom machines which could be built with current technology: one finds elliptic curve logarithms in GF(2 ) thereby defeating a proposed elliptic curve cryptosystem in expected time 32 days, the second finds MD5 collisions in expected time 21 days, and the last recovers a double-DES key from 2 known plaintexts in expected time 4 years, which is four orders of magnitude faster than the conventional meet-in-the-middle attack on double-DES. Based on this attack, double-DES offers only 17 more bits of security than single-DES.
Fast Hashing on the Pentium
Advances in Cryptology, Proceedings Crypto'96, LNCS 1109, 1996
Cited by 43 (6 self)
With the advent of the Pentium processor, parallelization finally became available to Intel-based computer systems. One of the design principles of the MD4 family of hash functions (MD4, MD5, SHA-1, RIPEMD-160) is to be fast on the 32-bit Intel processors. This paper shows that carefully coded implementations of these hash functions are able to exploit the Pentium's superscalar architecture to its maximum effect: the performance with respect to execution on a non-parallel architecture increases by about 60%. This is an important result in view of the recent claims on the limited data bandwidth of these hash functions.
Applications of SAT solvers to cryptanalysis of hash functions
In Theory and Applications of Satisfiability Testing, 2006
Cited by 24 (0 self)
Several standard cryptographic hash functions were broken in 2005. Some essential building blocks of these attacks lend themselves well to automation by encoding them as CNF formulas, which are within reach of modern SAT solvers. In this paper we demonstrate the effectiveness of this approach. In particular, we are able to generate full collisions for MD4 and MD5 given only the differential path and applying a (minimally modified) off-the-shelf SAT solver. To the best of our knowledge, this is the first example of a SAT-solver-aided cryptanalysis of a non-trivial cryptographic primitive. We expect SAT solvers to find new applications as a validation and testing tool of practicing cryptanalysts.
Secure Names for Bit-Strings
In ACM Conference on Computer and Communications Security, 1997
Cited by 24 (3 self)
The increasing use of digital documents, and the need to refer to them conveniently and unambiguously, raise an important question: can one "name" a digital document in a way that conveniently enables users to find it, and at the same time enables a user in possession of a document to be sure that it is indeed the one that is referred to by the name? One crucial piece of a complete solution to this problem would be a method that provides a cryptographically verifiable label for any bit-string (for example, the content, in a particular format, of the document). This problem has become even more acute with the emergence of the World-Wide Web, where a document (whose only existence may be online) is now typically named by giving its URL, which is merely a pointer to its virtual location at a particular moment in time. Using a one-way hash function to call files by their hash values is cryptographically verifiable, but the resulting names are unwieldy, because of their length and randomn...
A New Class of Collision Attacks and its Application to DES, 2003
Cited by 23 (4 self)
Until now in cryptography the term collision was mainly associated with the surjective mapping of different inputs to an equal output of a hash function. Previous collision attacks were only able to detect collisions at the output of a particular function. In this publication we introduce a new class of attacks which uses side-channel analysis to detect internal collisions. We applied our attack against the widely used Data Encryption Standard (DES). We show that internal collisions can be caused in the S-boxes of DES in order to gain information about the secret key bits. As a result, we were able to exploit an internal collision with a minimum of 140 encryptions, yielding 10.2 key bits. Moreover, we successfully applied the attack to a smart card processor.
Performance Analysis and Parallel Implementation of Dedicated Hash Functions on Pentium III
IEICE Trans. Fundamentals, Vol. E86-A, No. 1, 2003
Cited by 19 (1 self)
This paper shows an extensive software performance analysis of dedicated hash functions, particularly concentrating on Pentium III, which is a current dominant processor. The targeted hash functions are MD5, RIPEMD-128/160, SHA-1/256/512 and Whirlpool, which fully cover currently used and future promising hashing algorithms. We try to optimize hashing speed not only by carefully arranging pipeline scheduling but also by processing two or even three message blocks in parallel using MMX registers for 32-bit oriented hash functions. Moreover, we thoroughly utilize 64-bit MMX instructions for maximizing performance of 64-bit oriented hash functions, SHA-512 and Whirlpool. To the best of our knowledge, this paper gives the first detailed measured performance analysis
SHA: A Design for Parallel Architectures?
Advances in Cryptology, Proceedings Eurocrypt'97, LNCS 1233, 1997
Cited by 16 (4 self)
To enhance system performance, computer architectures tend to incorporate an increasing number of parallel execution units. This paper shows that the new generation of MD4-based customized hash functions (RIPEMD-128, RIPEMD-160, SHA-1) contains much more software parallelism than any of these computer architectures is currently able to provide. It is conjectured that the parallelism found in SHA-1 is a design principle. The critical path of SHA-1 is twice as short as that of its closest contender RIPEMD-160, but realizing it would require a 7-way multiple-issue architecture. It will also be shown that, due to the organization of RIPEMD-160 in two independent lines, it will probably be easier for future architectures to exploit its software parallelism.
MD4 is Not One-Way
Cited by 15 (1 self)
MD4 is a hash function introduced by Rivest in 1990. It is still used in some contexts, and the most commonly used hash functions (MD5, SHA-1, SHA-2) are based on the design principles of MD4. MD4 has been extensively studied and very efficient collision attacks are known, but it is still believed to be a one-way function. In this paper we show a partial pseudo-preimage attack on the compression function of MD4, using some ideas from previous cryptanalysis of MD4. We can choose 64 bits of the output for the cost of 2^32 compression function computations (the remaining bits are randomly chosen by the preimage algorithm). This gives a preimage attack on the compression function of MD4 with complexity 2^96, and we extend it to an attack on the full MD4 with complexity 2^102. As far as we know this is the first preimage attack on a member of the MD4 family.
Practical Attacks on Digital Signatures Using MD5 Message Digest, 2004
Cited by 14 (0 self)
We use the knowledge of the single MD5 collision published by Wang et al. [2] to show an example of a pair of binary self-extract packages with equal MD5 checksums, whereas the resulting extracted contracts have fundamentally different meanings. Secondly, we demonstrate how an attacker could create a custom pair of such packages containing files arbitrarily chosen by the attacker with equal MD5 sums, where each of the packages extracts a different file. Once the algorithm for finding MD5 collisions is published, the attack could be made even more effective, as we explain further. The authors of [2] claim to know such an algorithm for any MD5 initialization vector. A real-world scenario of such an attack is outlined. Finally, we point out the consequences resulting from such an attack for signature schemes based on the MD5 message digest on an example using GPG.