Results 1  10
of
47
Distinguisher and RelatedKey Attack on the Full AES256
 Advances in Cryptology – CRYPTO 2009, Proceedings, volume 5677 of Lecture Notes in Computer Science
, 2009
"... Abstract. In this paper we construct a chosenkey distinguisher and a relatedkey attack on the full 256bit key AES. We define a notion of differential qmulticollision and show that for AES256 qmulticollisions can be constructed in time q · 2 67 and with negligible memory, while we prove that th ..."
Abstract

Cited by 26 (2 self)
 Add to MetaCart
Abstract. In this paper we construct a chosenkey distinguisher and a relatedkey attack on the full 256bit key AES. We define a notion of differential qmulticollision and show that for AES256 qmulticollisions can be constructed in time q · 2 67 and with negligible memory, while we prove that the same task for an ideal cipher of the same block size would require at least O(q · 2 q−1 q+1 128) time. Using similar approach and with the same complexity we can also construct qpseudo collisions for AES256 in DaviesMeyer hashing mode, a scheme which is provably secure in the idealcipher model. We have also computed partial qmulticollisions in time q · 2 37 on a PC to verify our results. These results show that AES256 can not model an ideal cipher in theoretical constructions. Finally we extend our results to find the first publicly known attack on the full 14round AES256: a relatedkey distinguisher which works for one out of every 2 35 keys with 2 120 data and time complexity and negligible memory. This distinguisher is translated into a keyrecovery attack with total complexity of 2 131 time and 2 65 memory. Keywords: AES, relatedkey attack, chosen key distinguisher, DaviesMeyer, ideal cipher.
Herding hash functions and the Nostradamus attack
 of Lecture Notes in Computer Science
, 2006
"... Abstract. In this paper, we develop a new attack on Damg˚ardMerkle hash functions, called the herding attack, in which an attacker who can find many collisions on the hash function by brute force can first provide the hash of a message, and later “herd ” any given starting part of a message to that ..."
Abstract

Cited by 25 (6 self)
 Add to MetaCart
Abstract. In this paper, we develop a new attack on Damg˚ardMerkle hash functions, called the herding attack, in which an attacker who can find many collisions on the hash function by brute force can first provide the hash of a message, and later “herd ” any given starting part of a message to that hash value by the choice of an appropriate suffix. We focus on a property which hash functions should have–Chosen Target Forced Prefix (CTFP) preimage resistance–and show the distinction between Damg˚ardMerkle construction hashes and random oracles with respect to this property. We describe a number of ways that violation of this property can be used in arguably practical attacks on realworld applications of hash functions. An important lesson from these results is that hash functions susceptible to collisionfinding attacks, especially bruteforce collisionfinding attacks, cannot in general be used to prove knowledge of a secret value. 1
Hash Functions: From MerkleDamgård to Shoup
 EUROCRYPT
, 2001
"... In this paper we study two possible approaches to improving existing schemes for constructing hash functions that hash arbitrary long messages. First, we introduce a continuum of function classes that lie between universal oneway hash functions and collisionresistant functions. For some of these c ..."
Abstract

Cited by 16 (0 self)
 Add to MetaCart
In this paper we study two possible approaches to improving existing schemes for constructing hash functions that hash arbitrary long messages. First, we introduce a continuum of function classes that lie between universal oneway hash functions and collisionresistant functions. For some of these classes efficient (yielding short keys) composite schemes exist. Second, we prove that the schedule of the Shoup construction, which is the most efficient composition scheme for universal oneway hash functions known so far, is optimal.
M.: Indifferentiable security analysis of popular hash functions with prefixfree padding
 ASIACRYPT 2006. LNCS
, 2006
"... Abstract. Understanding what construction strategy has a chance to be a good hash function is extremely important nowadays. In TCC’04, Maurer et al. [13] introduced the notion of indifferentiability as a generalization of the concept of the indistinguishability of two systems. In Crypto’2005, Coron ..."
Abstract

Cited by 13 (1 self)
 Add to MetaCart
Abstract. Understanding what construction strategy has a chance to be a good hash function is extremely important nowadays. In TCC’04, Maurer et al. [13] introduced the notion of indifferentiability as a generalization of the concept of the indistinguishability of two systems. In Crypto’2005, Coron et al. [5] suggested to employ indifferentiability in generic analysis of hash functions and started by suggesting four constructions which enable eliminating all possible generic attacks against iterative hash functions. In this paper we continue this initial suggestion and we give a formal proof of indifferentiability and indifferentiable attack for prefixfree MD hash functions (for single block length (SBL) hash and also some double block length (DBL) constructions) in the random oracle model and in the ideal cipher model. In particular, we observe that there are sixteen PGV hash functions (with prefixfree padding) which are indifferentiable from random oracle model in the ideal cipher model. 1
MD4 is Not OneWay
"... Abstract. MD4 is a hash function introduced by Rivest in 1990. It is still used in some contexts, and the most commonly used hash function (MD5, SHA1, SHA2) are based on the design principles of MD4. MD4 has been extensively studied and very efficient collision attacks are known, but it is still b ..."
Abstract

Cited by 12 (1 self)
 Add to MetaCart
Abstract. MD4 is a hash function introduced by Rivest in 1990. It is still used in some contexts, and the most commonly used hash function (MD5, SHA1, SHA2) are based on the design principles of MD4. MD4 has been extensively studied and very efficient collision attacks are known, but it is still believed to be a oneway function. In this paper we show a partial pseudopreimage attack on the compression function of MD4, using some ideas from previous cryptanalysis of MD4. We can choose 64 bits of the output for the cost of 2 32 compression function computations (the remaining bits are randomly chosen by the preimage algorithm). This gives a preimage attack on the compression function of MD4 with complexity 2 96, and we extend it to an attack on the full MD4 with complexity 2 102. As far as we know this is the first preimage attack on a member of the MD4 family.
Collisions and other NonRandom Properties for StepReduced SHA256. Cryptology eprint Archive, April 2008. Available at http://eprint.iacr
"... Abstract. We study the security of stepreduced but otherwise unmodified SHA256. We show the first collision attacks on SHA256 reduced to 23 and 24 steps with complexities 2 18 and 2 28.5, respectively. We give example colliding message pairs for 23step and 24step SHA256. The best previous, rec ..."
Abstract

Cited by 12 (2 self)
 Add to MetaCart
Abstract. We study the security of stepreduced but otherwise unmodified SHA256. We show the first collision attacks on SHA256 reduced to 23 and 24 steps with complexities 2 18 and 2 28.5, respectively. We give example colliding message pairs for 23step and 24step SHA256. The best previous, recently obtained result was a collision attack for up to 22 steps. We extend our attacks to 23 and 24step reduced SHA512 with respective complexities of 2 44.9 and 2 53.0. Additionally, we show nonrandom behaviour of the SHA256 compression function in the form of freestart nearcollisions for up to 31 steps, which is 6 more steps than the recently obtained nonrandom behaviour in the form of a freestart nearcollision. Even though this represents a step forwards in terms of cryptanalytic techniques, the results do not threaten the security of applications using SHA256. Keywords: SHA256, SHA512, hash functions, collisions, semifreestart collisions, freestart collisions, freestart nearcollisions.
Security of Cyclic Double Block Length Hash Functions including AbreastDM
"... Abstract. We provide the first proof of security for AbreastDM, one of the oldest and most wellknown constructions for turning a block cipher with nbit block length and 2nbit key length into a 2nbit cryptographic hash function. In particular, we prove that when AbreastDM is instantiated with AE ..."
Abstract

Cited by 9 (2 self)
 Add to MetaCart
Abstract. We provide the first proof of security for AbreastDM, one of the oldest and most wellknown constructions for turning a block cipher with nbit block length and 2nbit key length into a 2nbit cryptographic hash function. In particular, we prove that when AbreastDM is instantiated with AES256, i.e. a block cipher with 128bit block length and 256bit key length, any adversary that asks less than 2 124.42 queries cannot find a collision with success probability greater than 1/2. Surprisingly, this about 15 years old construction is one of the few constructions that have the desirable feature of a nearoptimal collision resistance guarantee. We generalize our techniques used in the proof of AbreastDM to a huge class of double block length (DBL) hash functions that we will call cyclic. Using this generalized theorem we are able to derive several DBL constructions that lead to compression functions that even have a higher security guarantee and are more efficient than AbreastDM. Furthermore we give DBL constructions that have the highest security guarantee of all DBL compression functions currently known in literature. We also provide an analysis of preimage resistance for cyclic compression functions. Note that this work has been already presented at Dagstuhl ’09.
Reconfigurable Trusted Computing in Hardware
 In ACM STC ’07
"... Trusted Computing (TC) is an emerging technology towards building trustworthy computing platforms. The Trusted Computing Group (TCG) has proposed several specifications to implement TC functionalities by extensions to common computing platforms, particularly the underlying hardware with a Trusted Pl ..."
Abstract

Cited by 8 (1 self)
 Add to MetaCart
Trusted Computing (TC) is an emerging technology towards building trustworthy computing platforms. The Trusted Computing Group (TCG) has proposed several specifications to implement TC functionalities by extensions to common computing platforms, particularly the underlying hardware with a Trusted Platform Module (TPM). However, actual TPMs are mostly available for workstations and servers nowadays and rather for specific domain applications and not primarily for embedded systems. Further, the TPM specifications are becoming monolithic and more complex while the applications demand a scalable and flexible usage of TPM functionalities. In this paper we propose a reconfigurable (hardware) architecture with TC functionalities where we focus on TPMs as proposed by the TCG specifically designed for embedded platforms. Our approach allows for (i) an efficient and scalable design and update of TPM functionalities, in particular for hardwarebased crypto engines and accelerators, (ii) establishing a minimal trusted computing base in hardware, (iii) including the TPM as well as its functionalities into the chain of trust that enables to bind sensitive data to the underlying reconfigurable hardware, and (iv) designing a manufacturer independent TPM. We discuss possible implementations based on current FPGAs and point out the associated challenges, in particular with respect to protection of the internal TPM state since it must not be subject to manipulation, replay, and cloning.
SAFER K64: One Year Later
, 1995
"... this paper where we refer to the resultant cipher as SAFER K#128. Hereafter, we will say simply `SAFER' when our remarks apply to both SAFER K#64 and SAFER K#128. ..."
Abstract

Cited by 7 (0 self)
 Add to MetaCart
this paper where we refer to the resultant cipher as SAFER K#128. Hereafter, we will say simply `SAFER' when our remarks apply to both SAFER K#64 and SAFER K#128.
New Attacks on all Double Block Length Hash Functions of Hash Rate 1, including the ParallelDM
, 1995
"... . In this paper attacks on double block length hash functions using a block cipher are considered. We present attacks on all double block length hash functions of hash rate 1, that is, hash functions where in each round the block cipher is used twice, s.t. one encryption is needed per message block. ..."
Abstract

Cited by 6 (1 self)
 Add to MetaCart
. In this paper attacks on double block length hash functions using a block cipher are considered. We present attacks on all double block length hash functions of hash rate 1, that is, hash functions where in each round the block cipher is used twice, s.t. one encryption is needed per message block. In particular, our attacks break the ParallelDM presented at Crypto'93[3]. 1 Introduction A hash function is an easily implementable mapping from the set of all binary sequences to the set of binary sequences of some fixed length. An iterated hash function is a hash function Hash(\Delta) determined by an easily computable function h(\Delta; \Delta) from two binary sequences of respective lengths m and l to a binary sequence of length m in the manner that the message M = (M1 ; M2 ; :::; Mn ), where M i is of length l, is hashed to the hash value H = Hn of length m by computing recursively H i = h(H i\Gamma1 ; M i ) i = 1; 2; :::; n; (1) where H0 is a specified initial value. The function...