Upload
others
View
2
Download
0
Embed Size (px)
Citation preview
Blue Midnight WishDescription and Cryptanalysis
Dennis Hoppe
Bauhaus-University Weimar
13th May 2009
Dennis Hoppe (BUW) Blue Midnight Wish 13th May 2009 1 / 45
Agenda
1 Cryptographic Hash Algorithm Competition
2 Hashfunctions based on block ciphers
3 Blue Midnight WishDescriptionDesign PropertiesSecurity Claims
4 Cryptanalysis of Blue Midnight Wish
5 Conclusions
Dennis Hoppe (BUW) Blue Midnight Wish 13th May 2009 2 / 45
Agenda
1 Cryptographic Hash Algorithm Competition
2 Hashfunctions based on block ciphers
3 Blue Midnight WishDescriptionDesign PropertiesSecurity Claims
4 Cryptanalysis of Blue Midnight Wish
5 Conclusions
Dennis Hoppe (BUW) Blue Midnight Wish 13th May 2009 3 / 45
Cryptographic Hash Algorithm Competition
NIST has opened a public competition to develop a newcryptographic hash algorithm, which converts a variablelength message into a short “message digest” that can beused for digital signatures, message authentication andother applications. The competition is NIST’s response torecent advances in the cryptanalysis of hash functions. Thenew hash algorithm will be called “SHA-3” [..]
Among the SHA-3 submissions is Blue Midnight Wish, a hashfunction based on a block cipher (Gligoroski et al., 2008)
Dennis Hoppe (BUW) Blue Midnight Wish 13th May 2009 4 / 45
Agenda
1 Cryptographic Hash Algorithm Competition
2 Hashfunctions based on block ciphers
3 Blue Midnight WishDescriptionDesign PropertiesSecurity Claims
4 Cryptanalysis of Blue Midnight Wish
5 Conclusions
Dennis Hoppe (BUW) Blue Midnight Wish 13th May 2009 5 / 45
Hash functions based on block ciphers
Block ciphers
EK , DK : {0, 1}n → {0, 1}n
DK(EK(x)) = x, x ∈ {0, 1}nKey
Plaintext
Ciphertext
n-bit
k-bit
n-bit
E
Allow unique decryption, since the encryption function is one-to-one
Encryption function is a bijection, defining a permutation on n-bit
Each key K defines a different bijection
Dennis Hoppe (BUW) Blue Midnight Wish 13th May 2009 6 / 45
Hash functions based on block ciphers – cont’d
Block ciphers
Allow construction of hash functions, Hi = f(Xi, Hi−1)Motivation is minimization of design and implementation effort
Key K
Plaintext P
Ciphertext
E
Forward Feedback FF
C
P , K and FF can be chosen fromthe set {Xi, Hi−1, Xi ⊕Hi−1, V }43 = 64 different schemes
Dennis Hoppe (BUW) Blue Midnight Wish 13th May 2009 7 / 45
Hash functions based on block ciphers – cont’d
Secure schemes (Preneel et al., 1994)
Constructions of block ciphers to be used as building blocks in hashfunctions studied by means of a general model (64 schemes)
It is shown, that 12 of these schemes are secure
Nevertheless, in the general model, i.e. DES is used as the underlyingblock cipher, fixed points are possible for schemes 5 to 12
Name Function Expression Fixed pointsPGV1 E(Hi−1, Xi)⊕Xi -PGV2 E(Hi−1, Xi ⊕Hi−1)⊕Xi ⊕Hi−1 -PGV3 E(Hi−1, Xi)⊕Xi ⊕Hi−1 -
...PGV6 E(Xi, Xi ⊕Hi−1)⊕Xi ⊕Hi−1 Xi = K
Hi−1 = D(K, K)⊕K...
Dennis Hoppe (BUW) Blue Midnight Wish 13th May 2009 8 / 45
Hash functions based on block ciphers – cont’d
Secure schemes (Preneel et al., 1994)
Constructions of block ciphers to be used as building blocks in hashfunctions studied by means of a general model (64 schemes)
It is shown, that 12 of these schemes are secure
Nevertheless, in the general model, i.e. DES is used as the underlyingblock cipher, fixed points are possible for schemes 5 to 12
Name Function Expression Fixed pointsPGV1 E(Hi−1, Xi)⊕Xi -PGV2 E(Hi−1, Xi ⊕Hi−1)⊕Xi ⊕Hi−1 -PGV3 E(Hi−1, Xi)⊕Xi ⊕Hi−1 -
...PGV6 E(Xi, Xi ⊕Hi−1)⊕Xi ⊕Hi−1 Xi = K
Hi−1 = D(K, K)⊕K...
Dennis Hoppe (BUW) Blue Midnight Wish 13th May 2009 9 / 45
Agenda
1 Cryptographic Hash Algorithm Competition
2 Hashfunctions based on block ciphers
3 Blue Midnight WishDescriptionDesign PropertiesSecurity Claims
4 Cryptanalysis of Blue Midnight Wish
5 Conclusions
Dennis Hoppe (BUW) Blue Midnight Wish 13th May 2009 10 / 45
Description of Blue Midnight Wish
Introduction
Cryptographich hash function with output size of n-bits
32-bit version supports n ∈ {224, 256}64-bit version supports n ∈ {384, 512}
Applies a Double Pipe Design (Lucks, 2004)
Using a block cipher of 16 rounds as part of the compression function
Based on low primitive operations
Bitwise exclusive-ORAddition/substraction modulo 232 or 264
Shift operations to the left/right, denoted by SHLl(x) and SHLr(x)Rotations to the left, denoted as ROTLl(x)
Dennis Hoppe (BUW) Blue Midnight Wish 13th May 2009 11 / 45
Description of Blue Midnight Wish – cont’d
Input: Message M of length l bits and the size n of the HashOutput: A Hash of the message M of size n bit
1 Preprocessing
(a) Pad the message M (MD-Strengthening)(b) Parse the padded message into N, 2n-bit blocks, M (1),. . ., M (N)
(c) Set the initial value of the douple pipe to H(0)
2 Hash computation
FOR i = 1 to N DO(a) Q
(i)a = f0(M (i), H(i−1))
(b) Q(i)b = f1(M
(i), Q(i)a )
(c) H(i) = f2(M (i), Q(i)a , Q
(i)b )
END
3 The resulting hash are the least significant
n-bits from H(N), i.e. (H(N)8 || . . . ||H(N)15 )
Dennis Hoppe (BUW) Blue Midnight Wish 13th May 2009 12 / 45
Description of Blue Midnight Wish – cont’d
Wide-Pipe Strategy (Lucks, 2004)
f. . .
. . .
T
H (0) H (1)
M (0) M (1) M (N-1)
H (N-1) H (N)
H (N)8..15
0 f1 f2 f0 f1 f2 f0 f1 f2
Internal chaining values have a size independent of the final hash
“Widen” the internal pipe from n bit to w ≥ 2n bitUse two compression functions
It is unlikely to find local collisions
Input values for each compression function
H(i) ≡ (H(i)0 || . . . ||H(i)15 ), 16× w-bit
M (i) ≡ (M (i)0 || . . . ||M(i)15 ), 16× w-bit
Dennis Hoppe (BUW) Blue Midnight Wish 13th May 2009 13 / 45
Description of Blue Midnight Wish – cont’d
Graphical Representation of Blue Midnight Wish
M (1)
H (0)Q (1)
f
f
0
1
f2
Pipe Extension Folding Pipe Extension
H (1)
M (2)
Q (2)f
f
0
1
. . .
Q(i) ≡ (Q(i)0 || . . . ||Q(i)31 ), 32× w-bit
Dennis Hoppe (BUW) Blue Midnight Wish 13th May 2009 14 / 45
Description of Blue Midnight Wish – cont’d
Graphical Representation of the compression function
M (i)
H (i-1) Q (i)f0 Q (i) H (i)f1a b f2
Q(i)a ≡ (Q(i)0 || . . . ||Q
(i)15 )
Q(i)b ≡ (Q
(i)16 || . . . ||Q
(i)31 )
Q(i) ≡ (Q(i)a , Q(i)b )
Dennis Hoppe (BUW) Blue Midnight Wish 13th May 2009 15 / 45
Agenda
1 Cryptographic Hash Algorithm Competition
2 Hashfunctions based on block ciphers
3 Blue Midnight WishDescriptionDesign PropertiesSecurity Claims
4 Cryptanalysis of Blue Midnight Wish
5 Conclusions
Dennis Hoppe (BUW) Blue Midnight Wish 13th May 2009 16 / 45
Design Properties of Blue Midnight Wish
Description of f0
f0 : {0, 1}4n → {0, 1}2n
f0(M (i), H(i−1)) = A2(A1(M (i) ⊕H(i−1))) = Q(i)a
Bijective transformation of M (i) ⊕H(i−1)
Produces the first half of the so-called “quadruple” pipe value Q(i)
Lemma (Excerpt from Lemma 6 in Gligoroski et al. (2008))
Every one bit difference in the vector M (i) or in the vector H(i−1) after
applying the function f0 diffuses into 5 words of the vector Q(i)a , and the
differences in those 5 words are minimum 1 or 2 bits difference, orminimum 3 or 4 bits difference.
Dennis Hoppe (BUW) Blue Midnight Wish 13th May 2009 17 / 45
Design Properties of Blue Midnight Wish – cont’d
Step 1 of the function f0, A1(M (i) ⊕H(i−1))Nonsingular matrix A1 of type (16,16), (ai,j) = {0, 1,−1}Matrix obtained by a (0, 1)-matrix A′1 by randomly negatesome values of “1”
The first row in A′1 is defined by the elements
(0, 0, 0, 0, 0, 1, 0, 1, 0, 0, 1, 0, 0, 1, 1, 0)
Then, the product A′1 ×M (i) can be expressed as
A′1 = ROTR05(M (i)) + ROTR07(M (i))
+ ROTR10(M (i)) + ROTR13(M (i)) + ROTR14(M (i))
Dennis Hoppe (BUW) Blue Midnight Wish 13th May 2009 18 / 45
Design Properties of Blue Midnight Wish – cont’d
Step 1 of the function f0, A1(M (i) ⊕H(i−1))In other words we have
ROTR05(M (i)) = (M (i)11 , M(i)12 , . . . ,M
(i)9 , M
(i)10 )
ROTR07(M (i)) = (M (i)9 , M(i)10 , . . . ,M
(i)7 , M
(i)8 )
ROTR10(M (i)) = (M (i)6 , M(i)7 , . . . ,M
(i)4 , M
(i)5 )
ROTR13(M (i)) = (M (i)3 , M(i)4 , . . . ,M
(i)1 , M
(i)2 )
ROTR14(M (i)) = (M (i)2 , M(i)3 , . . . ,M
(i)0 , M
(i)1 )
and
A′1×M (i) = (M(i)11 +M
(i)12 + . . .+M
(i)9 +M
(i)10 +M
(i)9 +M
(i)10 + . . .+M
(i)1 )
Dennis Hoppe (BUW) Blue Midnight Wish 13th May 2009 19 / 45
Design Properties of Blue Midnight Wish – cont’d
Step 1 of the function f0, A1(M (i) ⊕H(i−1))
Lemma (Excerpt from Lemma 2 in Gligoroski et al. (2008))
The transformation A1 ×M (i) diffuses every one bit difference in thevector M (i) into at least 5 bit differences.
Dennis Hoppe (BUW) Blue Midnight Wish 13th May 2009 20 / 45
Design Properties of Blue Midnight Wish – cont’d
Step 2 of the function f0, A2(A1(M (i) ⊕H(i−1)))A2 : {0, 1}16w → {0, 1}16w
Permutation should diffuse an one-bit difference in each word of Q(i)a
into k-bit differences, k ≥ 2Mapping A2 is defined by six logic functions si, 0 ≤ i ≤ 5(a) s0, . . . , s3 diffuse one-bit difference into 3-bit or 4-bit difference(b) s4 and s5 diffuse one-bit difference into 1-bit or 2-bit difference
s0(x) = SHR1(x)⊕ SHL3(x)⊕ROTL4(x)⊕ROTL19(x)s1(x) = · · ·s2(x) = · · ·s3(x) = · · ·s4(x) = SHR1(x)⊕ xs5(x) = SHR2(x)⊕ x
Dennis Hoppe (BUW) Blue Midnight Wish 13th May 2009 21 / 45
Design Properties of Blue Midnight Wish – cont’d
Description of f1
f1 : {0, 1}4n → {0, 1}2n
f1(M (i), Q(i)a ) = Q
(i)b
Uses two types of expansion functions to generate Q(i)b from Q
(i)a
f1 is a multi-permutation depending on a security parameter P ≤ 16P defines the number of “complex” rounds. Consequently, thenumber of “simple” rounds is 16− P . Per default, P = 14 is chosen.
16-round block cipher f1
Dennis Hoppe (BUW) Blue Midnight Wish 13th May 2009 22 / 45
Design Properties of Blue Midnight Wish – cont’d
Description of f1
A complex round called expand1() computes Q(i) based onQ
(i)(j−1), Q
(i)(j−2), . . . , Q
(i)(j−16), 16 ≤ j < 16 + P as follows:
W(i)j−16 = M
(i)(j−16) mod 16 + M
(i)(j−13) mod 16 −M
(i)(j−6) mod 16
K(i)j−16 = const
Q(i)j = s1(Q
(i)(j−16)) + s2(Q
(i)(j−15)) + s3(Q
(i)(j−14)) + s0(Q
(i)(j−13))
+ . . . + s0(Q(i)(j−1)) + W
(i)j−16 + K
(i)j−16
Dennis Hoppe (BUW) Blue Midnight Wish 13th May 2009 23 / 45
Design Properties of Blue Midnight Wish – cont’d
Description of f1
A simple round called expand2() computes Q(i) based onQ
(i)(j−1), Q
(i)(j−2), . . . , Q
(i)(j−16), 16 + P ≤ j < 32 as follows:
W(i)j−16 = M
(i)(j−16) mod 16 + M
(i)(j−13) mod 16 −M
(i)(j−6) mod 16
K(i)j−16 = const
Q(i)j = Q
(i)(j−16) + r1(Q
(i)(j−15)) + Q
(i)(j−14) + r2(Q
(i)(j−13)) + . . .
+ r7(Q(i)(j−3)) + s5(Q
(i)(j−2)) + s4(Q
(i)(j−1)) + W
(i)j−16 + K
(i)j−16
Uses simple rotations ri, 1 ≤ i ≤ 7, instead the more complex logicfunctions si
E.g. r1(x) = ROTL3(x) or r7(x) = ROTL27(x)
Dennis Hoppe (BUW) Blue Midnight Wish 13th May 2009 24 / 45
Design Properties of Blue Midnight Wish – cont’d
Description of f2
f2 : {0, 1}6n → {0, 1}2n
Technically this is the true compression function
48 words, M (i) and Q(i), are compressed down to 16 words H(i)
Computation is based on two constants XL, XH and low primitiveoperations
XL = Q(i)16 ⊕Q(i)17 ⊕ . . .⊕Q
(i)23
XH = XL⊕Q(i)24 ⊕Q(i)25 ⊕ . . .⊕Q
(i)31
Dennis Hoppe (BUW) Blue Midnight Wish 13th May 2009 25 / 45
Design Properties of Blue Midnight Wish – cont’d
Description of f2
Dennis Hoppe (BUW) Blue Midnight Wish 13th May 2009 26 / 45
Agenda
1 Cryptographic Hash Algorithm Competition
2 Hashfunctions based on block ciphers
3 Blue Midnight WishDescriptionDesign PropertiesSecurity Claims
4 Cryptanalysis of Blue Midnight Wish
5 Conclusions
Dennis Hoppe (BUW) Blue Midnight Wish 13th May 2009 27 / 45
Security Claims of Blue Midnight Wish
Cornerstones in the design of Blue Midnight Wish
Diffusion characteristics
Double pipe construction
Nonlinear expressions in the f2 function
Infeasability of finding collisions, preimages and second preimages
Design uses combinations of linear and nonlinear operations
f1 is a multi-permutation
Represent the overall design as a generalized PGV6 scheme
It is hard to change consistently all three inputs of f2 in such a way,that they will cancel out each other or lead to controllable changes
Dennis Hoppe (BUW) Blue Midnight Wish 13th May 2009 28 / 45
Security Claims of Blue Midnight Wish – cont’d
Generalized PGV6 scheme
PGV6 scheme: Hi = E(Mi, Mi ⊕Hi−1)⊕Mi ⊕Hi−1 (left)BMW scheme: Hi = f2(Mi, Hi−1, E(Mi, Mi ⊕Hi−1)) (right)
M
H
E
i-1
i
Hi
M
H
E
f
i-1
i
Hi
2
Dennis Hoppe (BUW) Blue Midnight Wish 13th May 2009 29 / 45
Security Claims of Blue Midnight Wish – cont’d
Generalized PGV6 scheme (Proof)
Hi = f2(Mi, Qa, Qb)(a) Qa describes the exclusive-OR part Mi ⊕Hi−1 due to the
definition Qa = f0(Mi, Hi−1) = A2(A1(Mi ⊕Hi−1))(b) Qb is defined as Qb = f1(Mi, Qa) = f1(Mi, f0(Mi, Hi−1)) and
Mi can be seen as a key to the block cipher:
f1(Mi,A2(A1(Mi ⊕Hi−1))) ≡ E(Mi, Mi ⊕Hi−1)
Thus, f2 combines all three components Mi, Hi−1 andE(Mi, Mi ⊕Hi−1)Blue Midnight Wish can be represented as a generalized PGV6scheme, such that
Hi = f2(Mi, Hi−1, E(Mi, Mi ⊕Hi−1))
Dennis Hoppe (BUW) Blue Midnight Wish 13th May 2009 30 / 45
Security Claims of Blue Midnight Wish – cont’d
Approximation of additions and subtractions with exclusive-OR iscomputationally to expensive
Find values for which additions and subtractions behave likeexclusive-ORs
One would have a completely linear system for which collisions,preimages and second preimages can easily be found
Getting all additions to behave as exclusive-ORs is hard
Computing the differential properties of addition modulo 2n for twovariables is feasable (Lipmaa and Moriai, 2001)Blue Midnight Wish uses a complex system of additions andsubtractions with more than just two variables. An algorithm to solvethese equations has exponential complexity, i.e. O(2b×k), where b isthe bit length of the variables, and k is the number of equations.(Paul and Preneel, 2005)
Dennis Hoppe (BUW) Blue Midnight Wish 13th May 2009 31 / 45
Security Claims of Blue Midnight Wish – cont’d
Differential cryptanalysis is infeasable
Strong diffusion characteristics
Two different expansion functions in f1 require different differentials
Heavily usage of permutations
Theorem (Excerpt from Theorem 2 in Gligoroski et al. (2008))
When Mi or Hi−1 is fixed, f0(Mi, Hi−1) is a bijection.When Mi, Qa or Qb is fixed, f1(Mi, Qa) is a bijection (multi-permutation).When Mi and Qb are fixed, f2(Mi, Qa, Qb) is a bijection.When Qa and Qb are fixed, f2(Mi, Qa, Qb) is a bijection.
Dennis Hoppe (BUW) Blue Midnight Wish 13th May 2009 32 / 45
Security Claims of Blue Midnight Wish – cont’d
Further security claims
Designers are not aware of any weaknesses regarding the securityparameter P , even if P = 16 or P = 0 is chosen.BMW can be securely used in combination with a HMAC
Resistance against generic length extension attacks and multicollisionattacks due to the Wide-Pipe Design
Dennis Hoppe (BUW) Blue Midnight Wish 13th May 2009 33 / 45
Agenda
1 Cryptographic Hash Algorithm Competition
2 Hashfunctions based on block ciphers
3 Blue Midnight WishDescriptionDesign PropertiesSecurity Claims
4 Cryptanalysis of Blue Midnight Wish
5 Conclusions
Dennis Hoppe (BUW) Blue Midnight Wish 13th May 2009 34 / 45
Cryptanalysis of Blue Midnight Wish
Observations
The function f0(Mi, Hi−1) = Qa is easily invertibleGiven Mi and QaCompute Hi−1 = f−10 (Qa)⊕Mi
The function f1(Mi, Qb) = Qa is a multi-permutation, such thatGiven Qa and Qb =⇒Mi can be computedGiven Mi and Qb =⇒ Qa can be computed
Function f1 is a weak block cipher
Dennis Hoppe (BUW) Blue Midnight Wish 13th May 2009 35 / 45
Cryptanalysis of Blue Midnight Wish – cont’d
Function f1 is a weak block cipher
Applied block cipher f1 is distinguishable froman ideal random function
Monomial tests were used to evaluate the statisticalproperties of the cipher
An statistical measure is used to compute thedeviation from an ideal random Boolean function
It is shown, that the first word (32-bit/64-bit) is distinguishable (Q16)
Why is not the overall hash function weak?
Compensation by the double-pipe design
From Q17 on, all words in Qb are not distinguishable
Feedback function in the PGV6 scheme is a complex function, i.e. f2
Dennis Hoppe (BUW) Blue Midnight Wish 13th May 2009 36 / 45
Cryptanalysis of Blue Midnight Wish – cont’d
Known vulnerabilities
A near-collision attack on the Blue Midnight Wishcompression function (Thomsen, 2008)
Cryptanalysis of Blue Midnight Wish (Thomsen, 2009)
Dennis Hoppe (BUW) Blue Midnight Wish 13th May 2009 37 / 45
Cryptanalysis of Blue Midnight Wish – cont’d
A near-collision attack for the compression function
Since the chaining input H is only used in the input to thefunction f0, and here it is XORed with the message block Mbefore being used, it is easy to find collisions in f0: any pair of((H,M), (H ′, M ′)) of inputs of f0, such thatH ⊕M = H ′ ⊕M ′, collides. The output of f0 is used as theinput to both f1 and f2.
Idea: Cancel differences out in the sum of the three message words byflipping the most significant bit of the words Mi, 0 ≤ i ≤ 14. This hasthe effect, that for all i from 16 to 30 differences in the messagewords cancel out. Only a difference in Q31 remains.
H = 0, Mi = 0 with 0 ≤ i ≤ 14, and M15 = c1c2
Dennis Hoppe (BUW) Blue Midnight Wish 13th May 2009 38 / 45
Cryptanalysis of Blue Midnight Wish – cont’d
A near-collision attack for the compression function
Results
256-bit output: only differencesfor 14 bit
Dennis Hoppe (BUW) Blue Midnight Wish 13th May 2009 39 / 45
Cryptanalysis of Blue Midnight Wish – cont’d
Cryptanalysis of the compression function
Free-start collisions in O(23n8
+1)
Free-start (second) preimages in O(23n4
+1)
Idea: Fixing any input of the compression function f2to a certain value can simplify the computation within f2
Qb = 0Qa = 0 and Qb = 0
It [..] seems difficult to extend the pseudo-attacks to real attackson the hash function.
Dennis Hoppe (BUW) Blue Midnight Wish 13th May 2009 40 / 45
Cryptanalysis of Blue Midnight Wish – cont’d
Fix Qi, 0 ≤ i ≤ 31 to a certain value to simplify the function f2Example: Qi = 0 for 16 ≤ i ≤ 32It follows, that XL = 0, XH = 0 and
H(i)0 = M
(i)0 + Q
(i)0
H(i)1 = M
(i)1 + Q
(i)1
...
H(i)8 = ROTL
9(H(i)4 ) + M(i)8 + Q
(i)8
...
H(i)15 = ROTL
16(H(i)3 ) + M(i)15 + Q
(i)15
Dennis Hoppe (BUW) Blue Midnight Wish 13th May 2009 41 / 45
Agenda
1 Cryptographic Hash Algorithm Competition
2 Hashfunctions based on block ciphers
3 Blue Midnight WishDescriptionDesign PropertiesSecurity Claims
4 Cryptanalysis of Blue Midnight Wish
5 Conclusions
Dennis Hoppe (BUW) Blue Midnight Wish 13th May 2009 42 / 45
Conclusions
Blue Midnight Wish
Provides good diffusion characteristics
Uses a double pipe construction
Very fast hash computation
Some weaknesses in the compression function
Currently, only limited attacks
Dennis Hoppe (BUW) Blue Midnight Wish 13th May 2009 43 / 45
Conclusions
SHA-2 will soon retire,because NIST is learning and SHA-1 is burning.
SHA-2 will soon retire,no we didn’t light it but we tried to fight it.
Dennis Hoppe (BUW) Blue Midnight Wish 13th May 2009 44 / 45
Referenzen
[Gligoroski et al. 2008] Gligoroski, Danilo ; Klima, Vlastimil ; Knapskog, S ; El-Hadedy, Mohamed: Blue Midnight Wish.(2008).http://people.item.ntnu.no/~danilog/Hash/BMW/Supporting_Documentation/BlueMidnightWishDocumentation.pdf
[Lipmaa and Moriai 2001] Lipmaa, H ; Moriai, S: Efficient Algorithms for Computing Differential Properties of Addition. In:Fast Software Encryption 2355 (2001), S. 336–350
[Lucks 2004] Lucks, Stefan: Design principles for iterated hash functions. In: IACR eprint archive (2004), Jan.http://mirror.cr.yp.to/eprint.iacr.org/2004/253.pdf
[Paul and Preneel 2005] Paul, Souradyuti ; Preneel, Bart: Solving Systems of Differential Equations of Addition. In: ACISP,2005, S. 75–88
[Preneel et al. 1994] Preneel, B ; Govaerts, R ; Vandewalle, J: Hash functions based on block ciphers: A syntheticapproach. In: LECTURE NOTES IN COMPUTER SCIENCE (1994), Jan.http://www.springerlink.com/index/adq9luqrkkxmgk03.pdf
[Thomsen 2008] Thomsen, SS: A near-collision attack on the Blue Midnight Wish compression function. (2008).http://www2.mat.dtu.dk/people/S.Thomsen/bmw/nc-compress.pdf
[Thomsen 2009] Thomsen, SS: Pseudo-cryptanalysis of Blue Midnight Wish. (2009), Apr, 1–7.http://www.mat.dtu.dk/people/S.Thomsen/bmw/bmw-pseudo.pdf
Dennis Hoppe (BUW) Blue Midnight Wish 13th May 2009 45 / 45
http://people.item.ntnu.no/~danilog/Hash/BMW/Supporting_Documentation/BlueMidnightWishDocumentation.pdfhttp://mirror.cr.yp.to/eprint.iacr.org/2004/253.pdfhttp://www.springerlink.com/index/adq9luqrkkxmgk03.pdfhttp://www2.mat.dtu.dk/people/S.Thomsen/bmw/nc-compress.pdfhttp://www.mat.dtu.dk/people/S.Thomsen/bmw/bmw-pseudo.pdf
AgendaCryptographic Hash Algorithm CompetitionHashfunctions based on block ciphersBlue Midnight WishCryptanalysis of Blue Midnight WishConclusionsLiteratur