## Parallel Collision Search with Cryptanalytic Applications (1996)

### Download Links

- [www.scs.carleton.ca]
- [cr.yp.to]
- [www.scs.carleton.ca]
- [people.scs.carleton.ca]
- DBLP

Venue: Journal of Cryptology

Citations: 146 (3 self)

### BibTeX

@ARTICLE{Oorschot96parallelcollision,
  author  = {Paul C. Van Oorschot and Michael J. Wiener},
  title   = {Parallel Collision Search with Cryptanalytic Applications},
  journal = {Journal of Cryptology},
  year    = {1996},
  volume  = {12},
  pages   = {1--28}
}

### Abstract

A simple new technique for parallelizing methods that solve search problems by finding collisions in pseudo-random walks is presented. The technique can be adapted to a wide range of cryptanalytic problems that reduce to finding collisions. General constructions show how to adapt it to finding discrete logarithms in cyclic groups, finding meaningful collisions in hash functions, and performing meet-in-the-middle attacks such as a known-plaintext attack on double encryption. The new technique greatly extends the reach of practical attacks, providing the most cost-effective means known to date for defeating: the small subgroup used in certain discrete-logarithm schemes such as Schnorr, DSA, and elliptic curve cryptosystems; hash functions such as MD5, RIPEMD, SHA-1, MDC-2, and MDC-4; and double encryption and three-key triple encryption. The practical significance of the technique is illustrated by the design of three $10 million custom machines that could be built with current technology: one finds elliptic curve logarithms in GF(2^155), defeating a proposed elliptic curve cryptosystem in an expected 32 days; the second finds MD5 collisions in an expected 21 days; and the last recovers a double-DES key from two known plaintexts in an expected 4 years, four orders of magnitude faster than the conventional meet-in-the-middle attack on double-DES. Based on this attack, double-DES offers only 17 more bits of security than single-DES.
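A minimal version of the distinguished-point search the abstract describes, added here as an illustration; it is not the paper's code or machine design. Everything concrete in it is an assumption: a 24-bit toy walk function f built from truncated SHA-256 (standing in for a hash such as MD5), distinguished points defined as values whose six low bits are zero (so theta = 1/64), and start points derived from a counter rather than drawn by independent processors. The processors are simulated round-robin in one thread; the shared table of distinguished points and the retracing step that turns two merged trails into an explicit pair x != y with f(x) == f(y) are the parts that matter.

```python
"""Parallel collision search with distinguished points, simulated on a toy 24-bit walk.

Added example, not the paper's code. f, the DP rule and start_point are assumptions.
"""
import hashlib
from typing import Dict, Optional, Tuple

N_BITS = 24                       # toy range size; a collision is expected after ~2^12 f-evaluations
DP_BITS = 6                       # distinguished point: low 6 bits zero, so theta = 2^-6
MAX_TRAIL = 20 * (1 << DP_BITS)   # abandon a trail that has not reached a DP after 20/theta steps


def f(x: int) -> int:
    """Toy pseudo-random walk: first 3 bytes of SHA-256 over the 4-byte encoding of x."""
    return int.from_bytes(hashlib.sha256(x.to_bytes(4, "big")).digest()[:3], "big")


def start_point(i: int) -> int:
    """Deterministic stand-in for the random start point chosen by processor i (assumed)."""
    return int.from_bytes(hashlib.sha256(b"start:%d" % i).digest()[:3], "big")


def is_distinguished(x: int) -> bool:
    return x & ((1 << DP_BITS) - 1) == 0


def walk(start: int) -> Optional[Tuple[int, int]]:
    """Iterate f from start until a distinguished point; return (dp, trail_length) or None."""
    x = start
    for length in range(1, MAX_TRAIL + 1):
        x = f(x)
        if is_distinguished(x):
            return x, length
    return None                   # trail fell into a DP-free cycle; the processor discards it


def locate_collision(start_a: int, len_a: int,
                     start_b: int, len_b: int) -> Optional[Tuple[int, int]]:
    """Two trails end at the same DP. Walk them in lockstep to the step where they merge.

    Returns (x, y) with x != y and f(x) == f(y), or None if one trail began on the other.
    """
    if len_a < len_b:
        start_a, len_a, start_b, len_b = start_b, len_b, start_a, len_a
    x, y = start_a, start_b
    for _ in range(len_a - len_b):     # put both points at the same distance from the DP
        x = f(x)
    if x == y:
        return None                    # trail B started on trail A: nothing new to learn
    while True:
        fx, fy = f(x), f(y)
        if fx == fy:
            return x, y                # first merge point: the collision
        x, y = fx, fy


def parallel_collision_search(max_trails: int = 100_000) -> Optional[Tuple[int, int]]:
    """Simulate the processors round-robin: each submits dp -> (start, length) to the shared table."""
    table: Dict[int, Tuple[int, int]] = {}
    for i in range(max_trails):
        start = start_point(i)
        result = walk(start)
        if result is None:
            continue
        dp, length = result
        if dp in table:
            prev_start, prev_len = table[dp]
            found = locate_collision(prev_start, prev_len, start, length)
            if found is not None:
                return found
        else:
            table[dp] = (start, length)
    return None


if __name__ == "__main__":
    found = parallel_collision_search()
    if found is not None:
        x, y = found
        print(f"f({x:#08x}) == f({y:#08x}) == {f(x):#08x}")
```

Only distinguished points are stored, so memory is a fraction theta of the work done; the retrace costs at most one extra trail length per detected merge, which is the trade-off the paper's parameter choices balance.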

### Citations

502 | Cryptography and Data Security - Denning - 1982

97 | An implementation of elliptic curve cryptosystems over F(2^155) - Agnew, Mullin, et al. - 1993
Context: ...yption and three-key triple encryption. Section 6 gives machine designs and determines the run-time for attacking three different cryptographic schemes: an elliptic curve cryptosystem over GF(2^155) [1], the MD5 hash function [37], and double-encryption with DES [10]. Section 7 concludes the paper. 2. Previous Methods for Collision Search The new technique for efficiently parallelizing collision sea...

59 | Cryptanalysis of MD4 - Dobbertin
Context: ...ash function), but such collisions which are meaningful in practice (e.g., where the input messages may be largely or entirely selected by an attacker). Such collisions were found by Dobbertin in MD4 [15]. These methods apply to any hash function including MD5 [37], RIPEMD [5] and its successors RIPEMD-128 and RIPEMD-160 [16], SHA-1 [39], and MDC-2 and MDC-4 [30]. We first review how hash functions ar...

51 | An improved Monte Carlo factorization algorithm - Brent - 1980
Context: ...f detecting a cycle. A simple approach to detecting a collision with Pollard’s rho method is to use Floyd’s cycle-finding algorithm [24, Section 3.1, ex. 6], which has been optimized somewhat by Brent [7]. Start with two sequences, one applying f twice per step and the other applying f once per step, and compare the outputs of the sequences after each step. The two sequences will eventually reach the ...
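The tortoise-and-hare procedure quoted above, written out as an added example that is not from the paper: a single sequential walk on an assumed toy 24-bit function f (truncated SHA-256), with Floyd's two phases and the predecessor pair that forms the actual collision. This is the single-processor rho method the parallel technique replaces.

```python
"""Floyd's cycle-finding on one pseudo-random walk (sequential rho). Added example; f is an assumed toy."""
import hashlib
from typing import Optional, Tuple


def f(x: int) -> int:
    """Toy walk: first 3 bytes of SHA-256 of the 4-byte encoding of x (assumed stand-in)."""
    return int.from_bytes(hashlib.sha256(x.to_bytes(4, "big")).digest()[:3], "big")


def floyd_collision(x0: int) -> Optional[Tuple[int, int]]:
    """Return (a, b) with a != b and f(a) == f(b) found from start x0, or None.

    Phase 1: the tortoise advances one f per step, the hare two, until they meet; the
    meeting index is a multiple of the cycle length and lies on the cycle.
    Phase 2: restart the tortoise at x0 and advance both one step at a time; they first
    coincide at the entry point of the cycle. Their predecessors, one on the tail and
    one on the cycle, are two distinct preimages of that entry point.
    """
    tortoise, hare = f(x0), f(f(x0))
    while tortoise != hare:
        tortoise, hare = f(tortoise), f(f(hare))
    tortoise = x0
    if tortoise == hare:
        return None            # x0 is already on the cycle: no tail, so no collision here
    while True:
        prev_t, prev_h = tortoise, hare
        tortoise, hare = f(tortoise), f(hare)
        if tortoise == hare:
            return prev_t, prev_h


def rho_search(first_start: int = 0, max_starts: int = 64) -> Optional[Tuple[int, int]]:
    """Try successive start points until one yields a non-trivial collision."""
    for s in range(first_start, first_start + max_starts):
        found = floyd_collision(s)
        if found is not None:
            return found
    return None


if __name__ == "__main__":
    found = rho_search()
    if found is not None:
        a, b = found
        print(f"f({a:#08x}) == f({b:#08x}) == {f(a):#08x}")
```

The cost is about three f-evaluations per step of the tail-plus-cycle length, and nothing in it parallelizes: a second processor running its own walk does not shorten the first one's, which is the limitation the distinguished-point method removes.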

36 |
Differential-linear cryptanalysis
- Langford, Hellman
- 1994
(Show Context)
Citation Context ...t exponents, and attacking a scheme for server-aided RSA computations. Other work on attacking multiple encryption includes the meet-in-the-middle attack on double-DES described by Diffie and Hellman =-=[13]-=- and generalized by Even and Goldreich [17], and attacks on two-key tripleencryption [29, 41]. In a general meet-in-the-middle attack, we have two functions, f 1 : D 1 → R and f 2 : D 2 → R, and we wi... |

26 | RIPEMD-160, a strengthened version of RIPEMD - Dobbertin, Bosselaers, et al. - 1996
Context: ...ely selected by an attacker). Such collisions were found by Dobbertin in MD4 [15]. These methods apply to any hash function including MD5 [37], RIPEMD [5] and its successors RIPEMD-128 and RIPEMD-160 [16], SHA-1 [39], and MDC-2 and MDC-4 [30]. We first review how hash functions are typically used in conjunction with digital signatures, and the classic attack of Yuval [45]. We then apply parallel colli...

22 | DES is not a group - Campbell, Wiener, et al. - 1993
Context: ...for attacking block ciphers [22], the work on rigorous time-space trade-offs by Fiat and Naor [18], the DES cycling experiments of Kaliski, Rivest, and Sherman [23], the proof that DES is not a group [9], and the DES collisions found by Quisquater and Delescaille [35, 36]. The remainder of this paper is organized as follows. Section 2 reviews previous methods for collision search, and Section 3 motiv...

17 | Toward a theory of Pollard’s rho method - Bach - 1991
Context: ...istic), with only negligible space requirements; it is thus preferable. The time complexity of the rho-method for factoring is also heuristic, but there is progress towards a rigorous result by Bach [4]. For groups with additional structure (such as GF(p)), the powerful index calculus techniques are far superior, but do not apply to arbitrary cyclic groups. The rho-method is the best previous techniq...

14 | A fast elliptic curve cryptosystem - Agnew, Mullin, et al. - 1989
Context: ...or a function evaluation. The elliptic curve system over GF(2^155) can be implemented in less than 1 mm^2 of silicon in 1.5 μm technology and can perform an addition in 13×155 clock cycles at 40 MHz [1, 2]. This gives t = 13×155 / (40×10^6) seconds. About 75 of these cells plus input/output and logic to detect distinguished points could be put on a $20 chip. Based on a DES key search design [44], the o...

14 | Time-memory-processor trade-offs - Amirazizi, Hellman - 1988
Context: ...ck time for many cryptographic schemes. Of interest to collision search is the work of Amirazizi and Hellman showing that “time-memory trade-offs offer no asymptotic advantage over exhaustive search” [3], and that one must use multiple processors to take advantage of a large memory. For a fixed amount of resources, one can find the optimum time-memory-processor trade-off for mounting an attack. After...

14 | Factoring Integers Using SIMD Sieves - Dixon, Lenstra - 1994
Context: ...challenge number and other factoring efforts (e.g. [26, 27]), the sieving process was distributed among a large number of workstations. Similar efforts have been undertaken on large parallel machines [14, 19]. In an exhaustive key search attack proposed for DES [44], a large number of inexpensive specialized processors were proposed to achieve a high degree of parallelism. In this paper, we provide a meth...

11 | An Introduction to Applied Probability - Blake - 1979
Context: ...tion and mean 1/p for some probability p. Then Pr(X_i = k) = p(1−p)^(k−1) and Pr(X_i < k) = 1 − (1−p)^(k−1) for k ≥ 1 and i = 1, 2 (for an introduction to geometric probability distributions, see Blake [6] for example). Lemma 3. Let Y be the random variable equal to the maximum of X_1 and X_2. Then E(Y) ≈ 1.5/p for p small. Proof. Pr(Y = k) = Pr(X_1 < k)·Pr(X_2 = k) + Pr(X_2 < k)·Pr(X_1 = k) + Pr(X_1...
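The expectation in Lemma 3 can also be reached through the tail sum of Y, which gives the exact value alongside the approximation. This derivation is added here and is not the paper's proof; q = 1 − p is only a shorthand, and X_1, X_2, Y and p are as in the lemma.

$$\Pr(Y \le k) = \Pr(X_1 \le k)\,\Pr(X_2 \le k) = \left(1 - q^{k}\right)^2, \qquad k \ge 0,$$

$$E(Y) = \sum_{k \ge 0} \Pr(Y > k) = \sum_{k \ge 0}\left(2q^{k} - q^{2k}\right) = \frac{2}{1-q} - \frac{1}{1-q^{2}} = \frac{2}{p} - \frac{1}{p(2-p)} = \frac{3-2p}{p(2-p)}.$$

For small p, 1/(2 − p) ≈ 1/2, so E(Y) ≈ (2 − 1/2)/p = 1.5/p, matching the lemma; at p = 1 the exact form gives E(Y) = 1, as it must when every trial succeeds at once.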

7 | Integrity Primitives for Secure Information Systems - Bosselaers, Preneel (editors) - 1995
Context: ... where the input messages may be largely or entirely selected by an attacker). Such collisions were found by Dobbertin in MD4 [15]. These methods apply to any hash function including MD5 [37], RIPEMD [5] and its successors RIPEMD-128 and RIPEMD-160 [16], SHA-1 [39], and MDC-2 and MDC-4 [30]. We first review how hash functions are typically used in conjunction with digital signatures, and the classic ...

1 | Parallel algorithms for integer factorization (London Mathematical Society Lecture Note Series) - Brent - 1990
Context: ...ween his two rho-methods. We would also like to thank Bart Preneel for his helpful suggestions, Burt Kaliski for discussions regarding multiple encryption, Kevin McCurley for alerting us to reference [8], and Don Coppersmith for an observation about the algorithm for finding a large number of collisions which simplified its description and made it about 2 times faster. Appendix A: Expected Number of ...