Institute for Applied Information Processing and Communications (IAIK)
Differential Cryptanalysis of Hash Functions: How to Find Collisions?
Martin Schläffer
Institute for Applied Information Processing and Communications (IAIK), Graz University of Technology, Austria
Albena 2011
Albena Hash Function Cryptanalysis I 1
Outline

1. Motivation
2. Collision Attacks
3. Differential Cryptanalysis of Hash Functions
   - Application to SHA-1
4. The Rebound Attack
   - Application to Whirlpool
   - Application to Grøstl
5. Conclusion
Motivation

- Cryptanalysis of block ciphers: well understood
- Cryptanalysis of hash functions: not so much
  - hash functions were attacked like block ciphers
  ⇒ attacks on the MD family by Wang et al. broke SHA-1
- NIST SHA-3 competition
  - to find a successor of SHA-1
  - to focus research on hash function cryptanalysis
Cryptographic Hash Function

[Figure: input m → h → output h(m)]

- Hash function h maps an arbitrary-length input m to an n-bit output h(m)
- Collision resistance ($2^{n/2}$): find $m, m'$ with $m \neq m'$ and $h(m) = h(m')$
- Second-preimage resistance ($2^n$): given $m, h(m)$, find $m'$ with $m \neq m'$ and $h(m) = h(m')$
- Preimage resistance ($2^n$): given $h(m)$, find $m$
Iterated Hash Function Construction

[Figure: IV → f(M1) → f(M2) → f(M3) → … → f(Mt) → g → H(m); chaining value of w bits, output of n bits]

- Most hash functions use some kind of iteration
  - compression function f
  - output transformation g
  - chaining value size w ≥ n
- Strength depends on f, g, w
  - smaller w needs stronger f
- The building blocks are analyzed as well
Collision Attacks

[Figure: m → h → h(m) and m* → h → h(m*), with m ≠ m* and h(m) = h(m*)]

- Find two different messages which result in the same hash value: $m \neq m^*$ with $h(m) = h(m^*)$
- Birthday effect applies: $2^{n/2}$
Collision Attacks (Differential View)

[Figure: m → h → h(m) and m* → h → h(m*); the input difference $\Delta m \neq 0$ maps to the output difference $\Delta h(m) = 0$]

- Find two different messages which result in the same hash: $m, \Delta m$ with $\Delta m \neq 0$ and $\Delta h(m) = 0$
- Usually XOR differences are used: $\Delta m = m \oplus m^*$ and $\Delta h(m) = h(m) \oplus h(m^*)$
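As an added illustration (not part of the original slides), the following Python script runs the generic birthday search on a toy 32-bit hash (SHA-256 truncated to 32 bits, an assumed toy construction) and then expresses the colliding pair in the XOR differential view of this slide: $\Delta m = m \oplus m^*$ is nonzero while $\Delta h(m) = h(m) \oplus h(m^*)$ is zero. The messages are constructed counters and the function names are this example's own.

```python
# Added example (not from the slides): a generic birthday collision search on a
# toy n-bit hash, and the XOR "differential view" of the pair it finds.
# The toy hash is SHA-256 truncated to n bits (an assumed construction for this
# example); the messages are constructed counters.
import hashlib
from math import pi, sqrt


def toy_hash(m: bytes, n: int = 32) -> int:
    """The first n bits of SHA-256(m) as an integer."""
    digest = int.from_bytes(hashlib.sha256(m).digest(), "big")
    return digest >> (256 - n)


def birthday_collision(n: int = 32):
    """Hash distinct messages until two of them collide.

    Returns (m, m_star, queries).  Storing every hash value and checking each
    new one against the store is the birthday effect in action: the expected
    number of queries is about sqrt(pi/2 * 2^n), i.e. on the order of 2^(n/2).
    """
    seen = {}            # hash value -> message that produced it
    counter = 0
    while True:
        m = b"msg-%d" % counter      # constructed, pairwise distinct messages
        h = toy_hash(m, n)
        if h in seen:
            return seen[h], m, counter + 1
        seen[h] = m
        counter += 1


def xor_difference(m: bytes, m_star: bytes) -> bytes:
    """Δm = m ⊕ m*; the shorter message is zero-padded (a convention of this example)."""
    width = max(len(m), len(m_star))
    a = int.from_bytes(m.ljust(width, b"\x00"), "big")
    b = int.from_bytes(m_star.ljust(width, b"\x00"), "big")
    return (a ^ b).to_bytes(width, "big")


def differential_view(n: int = 32):
    """Find a collision and express it as Δm ≠ 0 with Δh(m) = 0 (XOR differences)."""
    m, m_star, queries = birthday_collision(n)
    delta_m = xor_difference(m, m_star)
    delta_h = toy_hash(m, n) ^ toy_hash(m_star, n)
    return {"m": m, "m_star": m_star, "queries": queries,
            "expected_queries": sqrt(pi / 2 * 2 ** n),
            "delta_m_nonzero": any(delta_m), "delta_h": delta_h}


if __name__ == "__main__":
    print(differential_view(32))
```

The query count the script reports lands near $\sqrt{\pi/2 \cdot 2^{32}} \approx 2^{16.3}$; every two extra bits of n double the expected work, which is the $2^{n/2}$ birthday bound of the slides.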
Differential Characteristic

[Figure: $\Delta m \neq 0$ → h → $\Delta h(m) = 0$, with the propagation inside h marked "?"]

- How to find m, ∆m?
- Find a differential characteristic (trail, path)
  - determines ∆m
  - holds with high probability P
- If $P > 2^{-n/2}$: find a colliding m by trying $1/P$ random messages, with complexity $< 2^{n/2}$
⇒ How to improve the complexity of the attack?
⇒ How to find good differential characteristics?
How to Improve Complexity of Attack?

[Figure: $\Delta m \neq 0$ → h → $\Delta h(m) = 0$]

- Good characteristic for block ciphers: optimizes probability
- Good characteristic for hash functions: optimizes probability and minimizes the effort to find m
- How to find m?
  - no secret key involved
  - we can choose m according to the characteristic
  - the resulting equations in the first steps are easy (only a small part of the message is involved)
  - reduced costs at the input of the characteristic
⇒ characteristic with lower probability at the input to get higher probability towards the end
How to Find Good Differential Characteristics?

- block cipher based design: use the characteristic of the block cipher attack (also related-key characteristics)
- by hand: MD4, MD5, SHA-1 (Wang et al.)
- (semi-)automatic tools: linearize the hash function (coding tools), non-linear differential search
- by design: best characteristics well known
Example: SHA-1

- high probability in the second part (L)
  - linearize the hash function [RO05]
  - search for a linear differential characteristic using low-weight code search
- connect with the IV in the first part (NL)
  - low probability
  - search for a non-linear characteristic [WYY05, DR06]
- message modification
  - easy for the first 16 steps (just invert the equation)
  - also possible for more steps (≤ 25) (advanced message modification)
Finding Linear Characteristics

- Message expansion is linear
- Linearize modular addition by XOR: no carry with probability 1/2
- Linearize the Boolean function by XOR: holds with probability ∼ 1/2
- Probabilities are given for single-bit differences
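The two linearization steps above can be checked exactly by enumeration on reduced word sizes. The script below is an added example, not from the slides: it measures how often the XOR model of modular addition and of SHA-1's Boolean functions IF, MAJ and XOR holds for a single-bit difference. The function names and the reduced word sizes (8 bits for the adder, 4 bits for the bitwise functions) are choices of this example.

```python
# Added example (not from the slides): exact probabilities that the XOR
# linearization of SHA-1's building blocks holds for a single-bit difference.
# Word sizes are reduced (8 bits for the adder, 4 bits for the bitwise Boolean
# functions) so that every input combination can be enumerated; the function
# names are this example's own.
from itertools import product


def linearized_add_probability(bit, word_bits=8):
    """P[ (x ⊕ δ) + y == (x + y) ⊕ δ ] over all x, y, with δ = 2^bit.

    Modelling modular addition as XOR assumes the one-bit difference causes no
    carry; the returned value is the fraction of inputs for which that is true.
    """
    mask = (1 << word_bits) - 1
    delta = 1 << bit
    hits = 0
    for x, y in product(range(1 << word_bits), repeat=2):
        real = ((x ^ delta) + y) & mask
        linear = ((x + y) & mask) ^ delta
        hits += real == linear
    return hits / (1 << (2 * word_bits))


# SHA-1's bitwise Boolean functions: IF (steps 0-19), MAJ (40-59), XOR (20-39, 60-79).
def f_if(b, c, d, mask):
    return (b & c) | (~b & mask & d)


def f_maj(b, c, d, mask):
    return (b & c) | (b & d) | (c & d)


def f_xor(b, c, d, mask):
    return b ^ c ^ d


def linearized_bool_probability(f, arg, bit, word_bits=4):
    """P[ f(.., w ⊕ δ, ..) == f(.., w, ..) ⊕ δ ] for δ = 2^bit in argument `arg`.

    The XOR model assumes the difference passes straight through f.  For IF
    and MAJ this depends on the other two inputs (a coin flip); for XOR the
    difference always propagates, so the model holds with probability 1.
    """
    mask = (1 << word_bits) - 1
    delta = 1 << bit
    hits = total = 0
    for words in product(range(1 << word_bits), repeat=3):
        args = list(words)
        base = f(*args, mask)
        args[arg] ^= delta
        hits += f(*args, mask) == base ^ delta
        total += 1
    return hits / total


def report():
    """Probabilities per bit position; only the top bit of the adder never carries out."""
    return {"add": [linearized_add_probability(b) for b in range(8)],
            "IF": linearized_bool_probability(f_if, 0, 2),
            "MAJ": linearized_bool_probability(f_maj, 0, 2),
            "XOR": linearized_bool_probability(f_xor, 0, 2)}


if __name__ == "__main__":
    print(report())
```

For every bit position except the most significant one the adder model holds with probability exactly 1/2 (the top bit has no carry-out, so there the model is exact), and IF and MAJ give 1/2 while XOR gives 1; these are the per-bit probabilities that a linear characteristic multiplies up.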
Finding Linear Characteristics

- Differences with low Hamming weight result in good probability
- Finding a good linear characteristic corresponds to finding a low-weight code word in a linear code
- A good representation of the hash function is important
- Open source tool to find low-weight code words: http://www.iaik.tugraz.at/content/research/krypto/codingtool/
Finding Non-Linear Characteristics [DR06]

- Using generalized conditions
Finding Non-Linear Characteristics [DR06]

- Determine the message difference and the difference after step 16 using the linear tool
- Find the propagation of differences using the non-linear tool
- Add conditions to control the differences: no probability needed here
- Find a conforming message pair: message modification until step 25, probabilistic for further steps
Message Modification

- To improve the complexity of the attack in the first few steps: up to 25 in the case of SHA-1
- Many dedicated techniques have been published:
  - advanced message modifications [WYY05]
  - equation solving [SKPI07]
  - neutral bits [BC04]
  - boomerang/tunnels [JP07, Kli06]
  - greedy approach [DMR07]
- Resulting theoretical complexity for SHA-1: $\sim 2^{63}$ [WYY05]
  - implementation overhead!
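As an added example (not from the slides), the script below shows the simplest form of message modification on SHA-1's own round-1 step function, the "just invert the equation" case of the earlier slide: in steps 0 to 15 each message word $W_i$ enters once and additively, so the step equation is solved for $W_i$ to hit any chosen value of the next state word. The IV is SHA-1's; the target state words are constructed for the example and stand in for the conditions a characteristic would impose; `solve_word` and `message_modification` are names of this example.

```python
# Added example (not from the slides): why the first 16 SHA-1 steps are free for
# message modification.  In steps 0..15 the message word W_i enters the step
# once and additively (mod 2^32), so any wanted value of the next state word
# A_{i+1} is reached by solving the step equation for W_i.  The step function
# is SHA-1's round-1 step and the IV is SHA-1's; the target state words are
# constructed for this example (in an attack they come from the conditions of
# the characteristic).  Function names are this example's own.
MASK = 0xFFFFFFFF
K1 = 0x5A827999          # SHA-1 round constant of steps 0..19


def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def f_if(b, c, d):       # Boolean function of steps 0..19
    return (b & c) | (~b & MASK & d)


def sha1_step(state, w):
    """One SHA-1 step for steps 0..19; returns the new (a, b, c, d, e)."""
    a, b, c, d, e = state
    new_a = (rotl(a, 5) + f_if(b, c, d) + e + K1 + w) & MASK
    return new_a, a, rotl(b, 30), c, d


def solve_word(state, target_a):
    """Invert the step equation: the W with sha1_step(state, W)[0] == target_a."""
    a, b, c, d, e = state
    return (target_a - rotl(a, 5) - f_if(b, c, d) - e - K1) & MASK


def message_modification(iv, targets):
    """Choose W_0..W_{k-1} (k <= 16) so that A_1..A_k take the given target values.

    Each step costs one subtraction instead of a probabilistic trial; beyond
    step 15 the words come from the message expansion and are no longer free.
    """
    if len(targets) > 16:
        raise ValueError("only W_0..W_15 can be chosen directly")
    state, words = tuple(iv), []
    for target_a in targets:
        w = solve_word(state, target_a)
        words.append(w)
        state = sha1_step(state, w)
    return words


def run_steps(iv, words):
    """Replay the steps with the given words and return the A values produced."""
    state, a_values = tuple(iv), []
    for w in words:
        state = sha1_step(state, w)
        a_values.append(state[0])
    return a_values


SHA1_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)
# Constructed targets: 16 arbitrary 32-bit words that A_1..A_16 should take.
TARGETS = [(0x9E3779B9 * (i + 1)) & MASK for i in range(16)]

if __name__ == "__main__":
    words = message_modification(SHA1_IV, TARGETS)
    print(run_steps(SHA1_IV, words) == TARGETS, [hex(w) for w in words])
```

The point of the example is the cost model behind the slide: conditions on the first 16 state words are met deterministically at one subtraction each, while from step 16 on the message words are fixed by the expansion, which is why the advanced techniques listed above are needed to push the deterministic part to step 25 and why everything after that is paid for probabilistically.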
The Rebound Attack [MRST09]

- One more tool in the cryptanalysis of hash functions
- Invented during the cryptanalysis of Whirlpool and Grøstl
- AES-based designs allow a simple application of the idea
- Related work: truncated differentials, inside-out techniques, meet-in-the-middle techniques, message modification, ...
- Has been applied to a wide range of hash functions: Echo, Grøstl, JH, Lane, Luffa, Maelstrom, Skein, Twister, Whirlpool, ...
The Rebound Attack

[Figure: $E_{bw}$ (outbound) → $E_{in}$ (inbound) → $E_{fw}$ (outbound)]

- Applies to block-cipher and permutation based designs: $E = E_{fw} \circ E_{in} \circ E_{bw}$, $P = P_{fw} \circ P_{in} \circ P_{bw}$
- Inbound phase: efficient meet-in-the-middle phase in $E_{in}$, aided by the available degrees of freedom
- Outbound phase: probabilistic part in $E_{bw}$ and $E_{fw}$; repeat the inbound phase if needed
The Whirlpool Hash Function

- Designed by Barreto and Rijmen in 2000 [BR00]
  - evaluated by NESSIE
  - standardized by ISO/IEC 10118-3:2003
- Iterative hash function based on the Merkle-Damgård design principle
- message block, chaining values, hash size: 512 bit

[Figure: IV → f(M1) → f(M2) → f(M3) → … → f(Mt) → H(m)]
The Whirlpool Compression Function

[Figure: state update (SB, SC, MR, AK) on $M_j$ and key schedule (SB, SC, MR, AC) on $H_{j-1}$, producing $H_j$]

- 512-bit hash value and 512-bit message blocks
- Block-cipher based design (AES)
- Miyaguchi-Preneel mode with a conservative key schedule
The Whirlpool Round Transformations

- The state update and the key schedule update an 8×8 state S and K of 64 bytes
  - 10 rounds each
  - AES-like round transformation: $r_i = AK \circ MR \circ SC \circ SB$

[Figure: SubBytes S(x), ShiftColumns, MixRows, AddRoundKey $K_i$]
Collision Attack on Whirlpool

[Figure: compression function with message difference $\Delta M_j$ in the state update and no difference in $H_{j-1}$]

- 1-block collision: fixed $H_{j-1}$ (to IV), $f(M_j, H_{j-1}) = f(M_j^*, H_{j-1})$, $M_j \neq M_j^*$
Collision Attack on 4 Rounds

[Figure: 4 rounds of the state update (S0 … S4) and of the key schedule (K0 … K4, constant), message M1, IV, output H1]

- Differential trail with the minimum number of active S-boxes: 81 for any 4-round trail (1 → 8 → 64 → 8)
- maximum differential probability: $(2^{-5})^{81} = 2^{-405}$
- How to find a message pair following the differential trail?
First: Use Truncated Differences

[Figure: S0 → S1 → S2 → S3 → S4, four rounds of SB, SC, MR, AK; message M1, output H1]

- byte-wise truncated differences: active / not active
  - we do not care about the actual differences
  - a single active byte at input and output is enough
  - probabilistic in MixRows: $2^{-56}$ for 8 → 1
- we can remove many restrictions (more freedom)
  - hopefully less complexity of the message search
How to Find a Message Pair?

[Figure: S0 → S1 → S2 → S3 → S4, four rounds of SB, SC, MR, AK; message M1, output H1]

- message modification?
- inside out?
- meet in the middle?
- rebound!
Rebound Attack on 4 Rounds [MRST09]

[Figure: S0 → S1 → S2 → S3 → S4; outbound phase (round 1), inbound phase (rounds 2 and 3), outbound phase (round 4)]

- Inbound phase
  (1) start with differences in rounds 2 and 3
  (2) match-in-the-middle at the S-box using the values of the state
- Outbound phase
  (3) probabilistic propagation in MixRows in rounds 1 and 4
  (4) match the one-byte difference of the feed-forward
Inbound Phase

[Figure: 8×8 byte states $S^{SC}_2$ → (MR, AK) → $S_2$ → SB → $S^{SB}_3$ → (SC, MR) → $S^{MR}_3$ with example byte values; "?" marks the match at SubBytes]

(1) Start with arbitrary differences in state $S^{MR}_3$
  - linearly propagate all differences backward to $S^{SB}_3$
  - linearly propagate row-wise forward from $S^{SC}_2$ to $S_2$
(2) Match-in-the-middle at the SubBytes layer
  - check if the differences can be connected (for each S-box)
  - with probability $2^{-xx}$ we get $2^{xx}$ solutions for each row
  - we get $\sim 2^{64}$ right pairs with complexity $\sim 2^{8}$
Difference Distribution Table (Whirlpool)

Excerpt of the DDT for input differences 00 to 0f and output differences 10 to 1f (the remaining rows and columns are omitted); each entry counts the x with $\mathrm{Sbox}(x) \oplus \mathrm{Sbox}(x \oplus \Delta a) = \Delta b$:

in\out  10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f
  00     0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0
  01     0  6  2  0  0  6  2  0  0  0  4  0  0  0  0  0
  02     0  0  0  0  0  0  0  2  0  0  0  0  4  0  0  0
  03     0  2  2  0  2  2  0  0  2  0  0  0  0  0  0  2
  04     0  0  2  2  0  4  0  0  0  2  2  2  2  0  2  0
  05     0  0  0  0  0  2  0  2  0  0  0  0  0  0  4  2
  06     4  0  2  0  0  2  0  0  2  6  2  4  0  2  2  0
  07     0  2  2  0  0  2  0  0  4  0  2  0  2  0  2  0
  08     0  0  0  0  2  2  2  0  0  0  0  2  2  4  4  0
  09     8  0  0  0  2  4  2  2  0  0  0  0  0  2  0  2
  0a     0  0  0  0  2  0  2  0  2  0  2  0  0  0  0  0
  0b     8  2  2  2  2  0  0  0  0  2  2  2  2  2  0  4
  0c     0  2  2  0  0  0  0  4  0  2  2  0  0  2  4  2
  0d     0  2  2  0  0  2  4  4  0  0  2  2  0  0  0  2
  0e     4  0  4  2  0  0  0  0  2  0  2  0  4  2  0  0
  0f     0  2  0  0  0  2  0  0  0  0  0  0  2  0  2  2
  ...
Match-in-the-Middle for Single S-box

[Figure: $\Delta a$ → Sbox → $\Delta b$]

- Check for matching input/output differences using the Difference Distribution Table (DDT): $\mathrm{Sbox}(x) \oplus \mathrm{Sbox}(x \oplus \Delta a) = \Delta b$
- Solve the equation for all x and count the number of solutions:
  - 25880/65025 entries (with $\Delta a, \Delta b \neq 0$) of the DDT are nonzero
  - match with probability 0.398
  - we get either 2, 4, 6 or 8 values
  - 65280 values for 25880 possible differentials
  - 2.522 values (right pairs) on average
Inbound Phase

[Figure: states $S^{SC}_2$ → $S_2$ → $S^{SB}_3$ → $S^{MR}_3$; differences propagated from both sides, matched at SubBytes, values obtained]

(1) Start with arbitrary differences in state $S^{MR}_3$
  - linearly propagate all differences backward to $S^{SB}_3$
  - linearly propagate row-wise forward from $S^{SC}_2$ to $S_2$
(2) Match-in-the-middle at the SubBytes layer
  - check if the differences can be connected (for each S-box)
  - with probability $2^{-10.6}$ we get $2^{10.7}$ solutions for each row
⇒ we get $\sim 2^{8 \cdot 10.7}$ right pairs with complexity $< 2^{16}$
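The DDT statistics of the previous slide and the per-row match of this one can be reproduced with the script below. It is an added example, not the speaker's code: it builds the Whirlpool S-box from the mini-boxes E, E^-1 and R of the specification, uses the circulant MixRows matrix cir(01,01,04,01,08,05,02,09) over GF(2^8) modulo 0x11D, computes the DDT, and then tries all 255 × 255 single-byte difference pairs for one row, pushing the input byte forward through MixRows and the output byte backward through its inverse. Two simplifications are the example's own: ShiftColumns is left out (it only moves bytes between rows, so one row of $S_2$ is matched directly against one row of $S^{SB}_3$), and the inverse matrix is computed by Gauss-Jordan elimination rather than taken from the specification.

```python
# Added example (not from the slides): Whirlpool S-box DDT statistics and a
# one-row simulation of the inbound match-in-the-middle.  The S-box is built
# from the mini-boxes E, E^-1, R of the Whirlpool specification; MixRows is
# its circulant matrix cir(01,01,04,01,08,05,02,09) over GF(2^8) mod 0x11D.
# Simplification of this example: ShiftColumns (a byte permutation between
# rows) is omitted, so one row of S_2 is matched directly against one row of
# S^SB_3, and the inverse matrix is computed here by Gauss-Jordan elimination.
E = [0x1, 0xB, 0x9, 0xC, 0xD, 0x6, 0xF, 0x3, 0xE, 0x8, 0x7, 0x4, 0xA, 0x2, 0x5, 0x0]
R = [0x7, 0xC, 0xB, 0xD, 0xE, 0x4, 0x9, 0xF, 0x6, 0x3, 0x8, 0xA, 0x2, 0x5, 0x1, 0x0]
E_INV = [E.index(i) for i in range(16)]

def whirlpool_sbox(x):
    u, v = E[x >> 4], E_INV[x & 0xF]
    r = R[u ^ v]
    return (E[u ^ r] << 4) | E_INV[v ^ r]

SBOX = [whirlpool_sbox(x) for x in range(256)]

def gf_mul(a, b):  # multiplication in GF(2^8) with x^8 + x^4 + x^3 + x^2 + 1
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11D
        b >>= 1
    return r

def gf_inv(a):
    return next(x for x in range(1, 256) if gf_mul(a, x) == 1)

def xor_all(items):
    r = 0
    for t in items:
        r ^= t
    return r

C_ROW = [0x01, 0x01, 0x04, 0x01, 0x08, 0x05, 0x02, 0x09]
MR = [C_ROW[-i:] + C_ROW[:-i] for i in range(8)]  # circulant MixRows matrix

def mat_vec(m, v):  # row vector v times matrix m (Whirlpool applies MR per row)
    return [xor_all(gf_mul(v[i], m[i][j]) for i in range(8)) for j in range(8)]

def mat_inv(m):  # Gauss-Jordan elimination over GF(2^8) on [m | I]
    a = [row[:] + [int(i == j) for j in range(8)] for i, row in enumerate(m)]
    for c in range(8):
        p = next(r for r in range(c, 8) if a[r][c])
        a[c], a[p] = a[p], a[c]
        inv = gf_inv(a[c][c])
        a[c] = [gf_mul(inv, x) for x in a[c]]
        for r in range(8):
            if r != c and a[r][c]:
                f = a[r][c]
                a[r] = [x ^ gf_mul(f, y) for x, y in zip(a[r], a[c])]
    return [row[8:] for row in a]

MR_INV = mat_inv(MR)

# DDT[da][db] = number of x with SBOX[x] ^ SBOX[x ^ da] == db
DDT = [[0] * 256 for _ in range(256)]
for _da in range(256):
    for _x in range(256):
        DDT[_da][SBOX[_x] ^ SBOX[_x ^ _da]] += 1

def ddt_statistics():
    """Counts over the 255*255 differentials with da, db != 0 (the slide's figures)."""
    cells = [DDT[da][db] for da in range(1, 256) for db in range(1, 256)]
    nonzero = sum(1 for n in cells if n)
    return {"nonzero": nonzero, "p_match": nonzero / 65025, "values": sum(cells),
            "avg_values": sum(cells) / nonzero, "max_entry": max(cells)}

def inbound_row(pos_in=0, pos_out=0):
    """Match-in-the-middle for one row of eight S-boxes.

    A single active byte at pos_in of S^SC_2 is pushed forward through MixRows
    (giving the S-box input differences); a single active byte at pos_out of
    S^MR_3 is pulled back through MixRows^-1 (giving the output differences).
    All 255*255 pairs are tried: a pair matches when every S-box has a nonzero
    DDT entry, and the product of the entries is the number of right pairs.
    """
    fwd = [mat_vec(MR, [a if i == pos_in else 0 for i in range(8)]) for a in range(1, 256)]
    bwd = [mat_vec(MR_INV, [b if i == pos_out else 0 for i in range(8)]) for b in range(1, 256)]
    matches = right_pairs = 0
    for din in fwd:
        for dout in bwd:
            n = 1
            for i in range(8):
                n *= DDT[din[i]][dout[i]]
                if not n:
                    break
            matches += n > 0
            right_pairs += n
    return {"pairs_tried": 255 * 255, "matches": matches, "right_pairs": right_pairs}
```

`ddt_statistics()` returns the 25880 nonzero differentials, the 0.398 match probability and the 2.522 average of the previous slide, and the maximum entry 8 behind the $2^{-5}$ bound. `inbound_row()` reports, for one row, how many of the 65025 difference pairs match on all eight S-boxes (about $65025 \cdot 0.398^8 \approx 2^{5.4}$) and the total number of right pairs those matches yield; dividing the two gives the roughly $2.522^8 \approx 2^{10.7}$ values per matching row of this slide.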
Outbound Phase

[Figure: S0 → S1 → S2 → S3 → S4; outbound $2^{-56}$, inbound (average 1), outbound $2^{-56}$]

(3) Propagate through MixRows of round 1 and round 4 using truncated differences (active bytes: 8 → 1); probability $2^{-56}$ in each direction
(4) Match the difference in the one active byte of the feed-forward ($2^{-8}$)
⇒ collision for 4 rounds of Whirlpool with complexity $2^{120}$
Extending the Attack to 5 Rounds [LMR+09]

[Figure: S0 → … → S5; outbound $2^{-56}$, inbound (average 1, now covering two rounds), outbound $2^{-56}$]

- By adding one round in the inbound phase of the attack we can extend the attack to 5 rounds
- The outbound phase is identical to the attack on 4 rounds: probability $2^{-120}$
⇒ Construct $2^{120}$ starting points in the inbound phase with average complexity 1
Inbound Phase

[Figure: states $S^{SC}_2$ → $S_2$ → $S^{SB}_3$ → $S^{MR}_3$ with the SuperBox (SB, MR, AK, SB) in the middle; $2^{64}$ differences on each side, matched through $2^{64}$ values/differences]

(1) Start with arbitrary differences in states $S^{MR}_3$ and $S^{SB}_3$
  - we need to propagate all $2^{64}$ differences backward at once
(2) Match-in-the-middle at the SuperBox (SB − MR − AK − SB)
  - similar to a 64-bit S-box (the DDT has size $2^{128}$)
  - time-memory trade-off with time/memory $2^{64}$
⇒ with complexity $2^{64}$ we get at least $2^{64}$ pairs
From Collisions to Near-Collisions

[Figure: S0 → … → S7, seven rounds; probabilities 1, $2^{-56}$, average 1, $2^{-56}$, 1]

- Add one round at the input and at the output
  - no additional complexity
  - MixRows: 1 → 8 with probability 1
⇒ Near-collision attack for 7 rounds: time complexity $2^{112}$ and $2^{64}$ memory
Compression Function Attacks

[Figure: compression function with message difference $\Delta M_j$; the chaining input $H_{j-1}$ is free and carries no difference]

- We can freely choose the chaining input $H_{j-1}$
  - no differences in $H_{j-1}$
  - semi-free-start (near-)collisions
- Extend the previous attacks by 2 rounds using multiple inbound phases
- The outbound phases of the attacks stay the same
Inbound Phase

[Figure: S0 → … → S5; 1st inbound phase, connect, 2nd inbound phase]

- Idea: use two independent inbound phases
  - connect them using the 512-bit freedom of the key input ($S_3 = S^{MR}_2 \oplus K_3$)
- A bit more tricky than that (3 key inputs involved)
  - connect rows independently
  - find $2^{64}$ solutions with complexity $2^{128}$
⇒ Collision on 7 and near-collision on 9 rounds
Summary of Results on Whirlpool

target                 rounds  computational complexity  memory requirements  type
hash function          5.5     $2^{184-s}$               $2^{s}$              collision
hash function          7.5     $2^{176-s}$               $2^{s}$              near-collision
compression function   7.5     $2^{184}$                 $2^{64}$             collision
compression function   9.5     $2^{176}$                 $2^{64}$             near-collision
compression function   10      $2^{188}$                 $2^{64}$             distinguisher
Open Problems

[Figure: compression function with differences $\Delta H_{j-1}$ in the chaining input and $\Delta M_j$ in the message]

- Using differences also in the chaining input
- Combination of:
  - related-key attacks on block ciphers
  - local collisions
  - rebound attack
The SHA-3 Candidate Grøstl [GKM+11]

[Figure: $H_{i-1}$ and $M_i$ → permutations P and Q → $H_i$]

- SHA-3 finalist
- AES-based hash function
- Permutation based design
- Designed by DTU (Denmark) and TU Graz (Austria): Praveen Gauravaram, Lars R. Knudsen, Krystian Matusiewicz, Florian Mendel, Christian Rechberger, Martin Schläffer, Søren S. Thomsen
Permutations P and Q of Grøstl

[Figure: round transformations of Q and P: AddRoundConstant (P: constants 0i, 1i, …, 7i; Q: ff bytes and fi, ei, …, 8i), SubBytes (S), ShiftRows, MixColumns]

- AES-like round transformations
  - 8×8 state and 10 rounds for Grøstl-256
  - 8×16 state and 14 rounds for Grøstl-512
- Based on the design principles of AES
  - not using AES as a direct building block
  - better diffusion, wider trails
The Rebound Attack on Grøstl

[Figure: 8-round truncated differential path through the permutation P (states P0 ... P8, each round AC, SB, SH, MB); round probabilities 1, 2^−56, average 1 (three inbound rounds), 2^−56, 1, 1]

1) Construct optimal truncated differential path
   - by hand, well-known
   - how to find right pairs?
2) Inbound phase
   - three rounds with average complexity 1
   - using SuperBox time-memory trade-offs
3) Outbound phase
   - high probability for sparse paths

⇒ find solutions with complexity 2^112 and 2^64 memory
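As an added example (not from the slides, the Grøstl submission, or any of the cited papers), the Python code below carries out the inbound phase of a rebound attack on one S-box layer sitting between two linear layers, and so illustrates both the Grøstl rebound slide above and the 3-round Grøstl-256 path that follows. It uses the AES S-box, which Grøstl also uses, and AES MixColumns on a 4-byte column as a stand-in for Grøstl's 8-byte MixBytes (an assumption made only to keep the example short; the matching principle is identical). The point it makes concrete is where "average complexity 1" comes from: averaged over all nonzero input/output difference pairs, the S-box DDT yields exactly 256/255 right pairs per pair, so matching differences through the S-box layer costs one table lookup per S-box, while the truncation steps of the outbound phase (a full column collapsing to one active byte: 2^−24 for a 4-byte column, 2^−56 for Grøstl's 8-byte column) stay probabilistic. The three-round SuperBox (SB-MB-SB) time-memory trade-off of the slide is not implemented here.

```python
from itertools import product

# GF(2^8) with the AES polynomial x^8 + x^4 + x^3 + x + 1 (Grøstl uses the same field and S-box).
def gf_mul(a, b):
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = ((a << 1) ^ 0x11B) & 0xFF if a & 0x80 else a << 1
        b >>= 1
    return r

def make_sbox():
    """AES S-box from scratch: inverse in GF(2^8), then the affine transformation."""
    exp, log = [0] * 256, [0] * 256
    x = 1
    for i in range(255):            # 3 generates the multiplicative group
        exp[i], log[x] = x, i
        x = gf_mul(x, 3)
    sbox = [0] * 256
    for v in range(256):
        inv = 0 if v == 0 else exp[(255 - log[v]) % 255]
        s = inv
        for _ in range(4):          # s = inv ^ rotl(inv,1) ^ ... ^ rotl(inv,4)
            inv = ((inv << 1) | (inv >> 7)) & 0xFF
            s ^= inv
        sbox[v] = s ^ 0x63
    return sbox

def make_ddt(sbox):
    """Difference distribution table: ddt[a][b] = #{x : S(x) ^ S(x ^ a) = b}."""
    ddt = [[0] * 256 for _ in range(256)]
    for x in range(256):
        for a in range(256):
            ddt[a][sbox[x] ^ sbox[x ^ a]] += 1
    return ddt

SBOX = make_sbox()
DDT = make_ddt(SBOX)

# AES MixColumns and its inverse (assumed stand-in for Grøstl's 8x8 MixBytes; both are linear).
MC = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
MC_INV = [[14, 11, 13, 9], [9, 14, 11, 13], [13, 9, 14, 11], [11, 13, 9, 14]]

def mix(col, m):
    """Linear layer on one column; a difference passes through it with probability 1."""
    out = []
    for row in m:
        v = 0
        for c, x in zip(row, col):
            v ^= gf_mul(c, x)
        out.append(v)
    return out

def sbox_pairs(a, b):
    """All x such that the pair (x, x ^ a) produces output difference b (DDT[a][b] of them)."""
    return [x for x in range(256) if SBOX[x] ^ SBOX[x ^ a] == b]

def inbound(d_fwd, d_bwd):
    """Inbound phase over MC -> SB -> MC for one column.
    d_fwd: difference entering the first MixColumns (fixed by the forward outbound part);
    d_bwd: difference leaving the second MixColumns (fixed by the backward outbound part).
    Both are pushed linearly to the S-box layer, then matched byte by byte through the DDT.
    Returns every conforming S-box input value v; the right pair is (v, v ^ a)."""
    a = mix(d_fwd, MC)                      # S-box input differences
    b = mix(d_bwd, MC_INV)                  # S-box output differences
    if any(DDT[a[j]][b[j]] == 0 for j in range(4)):
        return []                           # no right pair for this combination: try other differences
    return [list(v) for v in product(*(sbox_pairs(a[j], b[j]) for j in range(4)))]

def check_pair(v, d_fwd, d_bwd):
    """Recompute both states forward and verify the output difference (guards against a bad match)."""
    a = mix(d_fwd, MC)
    w = [v[j] ^ a[j] for j in range(4)]
    y = mix([SBOX[x] for x in v], MC)
    z = mix([SBOX[x] for x in w], MC)
    return [y[j] ^ z[j] for j in range(4)] == d_bwd

def sbox_average_pairs():
    """Mean DDT entry over all nonzero (a, b): 255*256 / 255^2 = 256/255, i.e. one right pair per
    difference pair on average; this is the source of the inbound phase's average complexity 1."""
    return sum(DDT[a][b] for a in range(1, 256) for b in range(1, 256)) / (255 * 255)

def inbound_statistics():
    """Inbound cost over all 255*255 single-active-byte differences on both sides (the sparse ends
    of a truncated path). Returns (mean right pairs per try, fraction of tries with a right pair)."""
    a_of = [mix([da, 0, 0, 0], MC) for da in range(256)]
    b_of = [mix([db, 0, 0, 0], MC_INV) for db in range(256)]
    total = feasible = 0
    for da in range(1, 256):
        a = a_of[da]
        for db in range(1, 256):
            b = b_of[db]
            n = DDT[a[0]][b[0]] * DDT[a[1]][b[1]] * DDT[a[2]][b[2]] * DDT[a[3]][b[3]]
            total += n
            feasible += n > 0
    return total / 65025, feasible / 65025

if __name__ == "__main__":
    mean, frac = inbound_statistics()
    print(f"S-box: {sbox_average_pairs():.4f} right pairs per (a,b); column: {mean:.3f} per try, {frac:.2%} feasible")
    sols = inbound([1, 0, 0, 0], [1, 0, 0, 0])   # may be empty; a real attack loops over differences
    print(len(sols), "right pairs for differences (01,01); all verified:",
          all(check_pair(v, [1, 0, 0, 0], [1, 0, 0, 0]) for v in sols))
```

Roughly half of the (a, b) pairs at each S-box have no solution, so only a few percent of the single-byte difference combinations give a right pair for the whole column, but those that do give several; the mean stays close to one, which is why the slides count the inbound phase as free and charge only the outbound truncation probabilities.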
Relatively Simple Analysis of Grøstl

[Figure: 3-round truncated differential path through both permutations (states Q0, P0, ..., Q3, P3; each round AC, SB, SH, MB) from IV and M1 to H1; probabilities 2^−56, average 1 (inbound), 2^−8]

- Easy to construct truncated differential paths
  - optimal use of available freedom (message)
- Results for Grøstl-256, Grøstl-512
  - hash function collisions for 3 rounds (of 10, 14)
  - compression function collisions for 6 rounds (of 10, 14)
Summary for Rebound Attack on Grøstl

- Lots of cryptanalysis (mostly on Grøstl-0) [MPRS09, Pey10, SLW+10, MRST09, MRST10, ITP10]
- No multiple inbound phases possible
- No key-schedule input (no related-key attacks)
- Provable resistance against standard differential attacks
- Using (powerful) truncated differentials, still only 3 out of 10 rounds can be attacked
Summary of Rebound Attacks

- Basic principle not that difficult
  - efficient inbound phase
  - probabilistic outbound phase
- Difficulty in constructing and merging inbound phases
  - finding good and sparse truncated differential paths
  - efficient way to use available freedom for merge
Other Rebound Attacks

- ECHO: big state but rather sparse truncated differential paths
- JH: 4-bit S-boxes, multiple inbound phases
- Lane: 2x inbound for Lane-256, 3x inbound for Lane-512
- Luffa: 4-bit S-boxes, find differential path first, then values
- Skein: rotational rebound attack

http://ehash.iaik.tugraz.at/wiki/The_SHA-3_Zoo
More Freedom in Attacking Hash Functions

... than in attacks on block ciphers

- AES-based designs (Whirlpool, Grøstl):
  - 3 rounds in the middle with (average) complexity 1
  - 1.5 rounds at the beginning
- ARX-based designs (SHA-1):
  - up to 25 steps at the beginning with message modification
Conclusion

- Differential cryptanalysis
  - powerful tool in analyzing hash functions
  - many hash functions broken using DC
  - sparse (truncated) differential characteristics needed
- AES-based designs:
  - best truncated differential path can be used (with small modifications)
  - rebound attack to find differences and values simultaneously
- ARX-based designs:
  - unknown if good characteristics exist
  - (semi-)automatic tools needed (linear, nonlinear)
  - still some work to do for ARX-based SHA-3 finalists
References

[BC04] Eli Biham and Rafi Chen. Near-Collisions of SHA-0. In Matthew K. Franklin, editor, CRYPTO, volume 3152 of LNCS, pages 290–305. Springer, 2004.

[BR00] Paulo S. L. M. Barreto and Vincent Rijmen. The WHIRLPOOL Hashing Function. Submitted to NESSIE, September 2000, revised May 2003. Available online: http://www.larc.usp.br/~pbarreto/WhirlpoolPage.html.

[DMR07] Christophe De Cannière, Florian Mendel, and Christian Rechberger. Collisions for 70-Step SHA-1: On the Full Cost of Collision Search. In Carlisle M. Adams, Ali Miri, and Michael J. Wiener, editors, Selected Areas in Cryptography, volume 4876 of LNCS, pages 56–73. Springer, 2007.

[DR06] Christophe De Cannière and Christian Rechberger. Finding SHA-1 Characteristics: General Results and Applications. In Xuejia Lai and Kefei Chen, editors, ASIACRYPT, volume 4284 of LNCS, pages 1–20. Springer, 2006.

[GKM+11] Praveen Gauravaram, Lars R. Knudsen, Krystian Matusiewicz, Florian Mendel, Christian Rechberger, Martin Schlaffer, and Søren S. Thomsen. Grøstl – a SHA-3 candidate. Submission to NIST (Round 3), January 2011. Available online: http://csrc.nist.gov/groups/ST/hash/sha-3/Round3/submissions_rnd3.html.

[ITP10] Kota Ideguchi, Elmar Tischhauser, and Bart Preneel. Improved Collision Attacks on the Reduced-Round Grøstl Hash Function. In Mike Burmester, Gene Tsudik, Spyros S. Magliveras, and Ivana Ilic, editors, ISC, volume 6531 of LNCS, pages 1–16. Springer, 2010.

[JF11] Jérémy Jean and Pierre-Alain Fouque. Practical Near-Collisions and Collisions on Round-Reduced ECHO-256 Compression Function. In Fast Software Encryption, 2011. To appear.

[JP07] Antoine Joux and Thomas Peyrin. Hash Functions and the (Amplified) Boomerang Attack. In Alfred Menezes, editor, CRYPTO, volume 4622 of LNCS, pages 244–263. Springer, 2007.

[Kli06] Vlastimil Klíma. Tunnels in Hash Functions: MD5 Collisions Within a Minute. Cryptology ePrint Archive, Report 2006/105, 2006. http://eprint.iacr.org/.

[KNPRS10] Dmitry Khovratovich, María Naya-Plasencia, Andrea Röck, and Martin Schlaffer. Cryptanalysis of Luffa v2 Components. In Alex Biryukov, Guang Gong, and Douglas R. Stinson, editors, Selected Areas in Cryptography, volume 6544 of LNCS, pages 388–409. Springer, 2010.

[LMR+09] Mario Lamberger, Florian Mendel, Christian Rechberger, Vincent Rijmen, and Martin Schlaffer. Rebound Distinguishers: Results on the Full Whirlpool Compression Function. In Mitsuru Matsui, editor, ASIACRYPT, volume 5912 of LNCS, pages 126–143. Springer, 2009.

[MNPN+09] Krystian Matusiewicz, María Naya-Plasencia, Ivica Nikolić, Yu Sasaki, and Martin Schlaffer. Rebound Attack on the Full Lane Compression Function. In Mitsuru Matsui, editor, ASIACRYPT, volume 5912 of LNCS, pages 106–125. Springer, 2009.

[MPRS09] Florian Mendel, Thomas Peyrin, Christian Rechberger, and Martin Schlaffer. Improved Cryptanalysis of the Reduced Grøstl Compression Function, ECHO Permutation and AES Block Cipher. In Michael J. Jacobson Jr., Vincent Rijmen, and Reihaneh Safavi-Naini, editors, Selected Areas in Cryptography, volume 5867 of LNCS, pages 16–35. Springer, 2009.

[MRS09] Florian Mendel, Christian Rechberger, and Martin Schlaffer. Cryptanalysis of Twister. In Michel Abdalla, David Pointcheval, Pierre-Alain Fouque, and Damien Vergnaud, editors, ACNS, volume 5536 of LNCS, pages 342–353. Springer, 2009.

[MRST09] Florian Mendel, Christian Rechberger, Martin Schlaffer, and Søren S. Thomsen. The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grøstl. In Orr Dunkelman, editor, FSE, volume 5665 of LNCS, pages 260–276. Springer, 2009.

[MRST10] Florian Mendel, Christian Rechberger, Martin Schlaffer, and Søren S. Thomsen. Rebound Attacks on the Reduced Grøstl Hash Function. In Josef Pieprzyk, editor, CT-RSA, volume 5985 of LNCS, pages 350–365. Springer, 2010.

[Pey10] Thomas Peyrin. Improved Differential Attacks for ECHO and Grøstl. In Tal Rabin, editor, CRYPTO, volume 6223 of LNCS, pages 370–392. Springer, 2010.

[RO05] Vincent Rijmen and Elisabeth Oswald. Update on SHA-1. In Alfred Menezes, editor, CT-RSA, volume 3376 of LNCS, pages 58–71. Springer, 2005.

[Sch10] Martin Schlaffer. Subspace Distinguisher for 5/8 Rounds of the ECHO-256 Hash Function. In Alex Biryukov, Guang Gong, and Douglas R. Stinson, editors, Selected Areas in Cryptography, volume 6544 of LNCS, pages 369–387. Springer, 2010.

[SKPI07] Makoto Sugita, Mitsuru Kawazoe, Ludovic Perret, and Hideki Imai. Algebraic Cryptanalysis of 58-Round SHA-1. In Alex Biryukov, editor, FSE, volume 4593 of LNCS, pages 349–365. Springer, 2007.

[SLW+10] Yu Sasaki, Yang Li, Lei Wang, Kazuo Sakiyama, and Kazuo Ohta. Non-full-active Super-Sbox Analysis: Applications to ECHO and Grøstl. In Masayuki Abe, editor, ASIACRYPT, volume 6477 of LNCS, pages 38–55. Springer, 2010.

[WFW09] Shuang Wu, Dengguo Feng, and Wenling Wu. Cryptanalysis of the LANE Hash Function. In Michael J. Jacobson Jr., Vincent Rijmen, and Reihaneh Safavi-Naini, editors, Selected Areas in Cryptography, volume 5867 of LNCS, pages 126–140. Springer, 2009.

[WYY05] Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu. Finding Collisions in the Full SHA-1. In Victor Shoup, editor, CRYPTO, volume 3621 of LNCS, pages 17–36. Springer, 2005.