Branching Heuristics in Differential Collision Search with Applications to SHA-512

Eichlseder, Maria; Mendel, Florian; Schläffer, Martin

doi:10.1007/978-3-662-46706-0_24

Cited by 18 publications

(15 citation statements)

References 29 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In addition, there are negligible memory requirements. Most importantly, combined with the use of automated techniques [MNS11,MNS13,EMS14] to solve the nonlinear differential characteristic for RIPEMD-160, improved SFS collision attacks for reduced RIPEMD-160 are obtained, as specified below.…”

Section: Our Contributionsmentioning

confidence: 99%

“…In a word, the differential characteristic located at X i (13 ≤ i ≤ 17) and X i (36 ≤ i ≤ t) should be as sparse as possible. Then, we can solve the nonlinear differential characteristic located at X i (18 ≤ i ≤ 35) with the use of automated techniques [MNS11,MNS13,EMS14]. The desirable discovered differential characteristics are displayed in Table 12, Table 13, Table 14 and Table 15 in Appendix A respectively.…”

Section: Differential Characteristicsmentioning

confidence: 99%

See 1 more Smart Citation

New Semi-Free-Start Collision Attack Framework for Reduced RIPEMD-160

Liu

Dobraunig

Mendel

et al. 2019

ToSC

Self Cite

View full text Add to dashboard Cite

RIPEMD-160 is a hash function published in 1996, which shares similarities with other hash functions designed in this time-period like MD4, MD5 and SHA-1. However, for RIPEMD-160, no (semi-free-start) collision attacks on the full number of steps are known. Hence, it is still used, e.g., to generate Bitcoin addresses together with SHA-256, and is an ISO/IEC standard. Due to its dual-stream structure, even semifree- start collision attacks starting from the first step only reach 36 steps, which were firstly shown by Mendel et al. at Asiacrypt 2013 and later improved by Liu, Mendel and Wang at Asiacrypt 2017. Both of the attacks are based on a similar freedom degree utilization technique as proposed by Landelle and Peyrin at Eurocrypt 2013. However, the best known semi-free-start collision attack on 36 steps of RIPEMD-160 presented at Asiacrypt 2017 still requires 255.1 time and 232 memory. Consequently, a practical semi-free-start collision attack for the first 36 steps of RIPEMD-160 still requires a significant amount of resources. Considering the structure of these previous semi-free-start collision attacks for 36 steps of RIPEMD-160, it seems hard to extend it to more steps. Thus, we develop a different semi-free-start collision attack framework for reduced RIPEMD-160 by carefully investigating the message expansion of RIPEMD-160. Our new framework has several advantages. First of all, it allows to extend the attacks to more steps. Second, the memory complexity of the attacks is negligible. Hence, we were able to mount semi-free-start collision attacks on 36 and 37 steps of RIPEMD-160 with practical time complexity 241 and 249 respectively. Additionally, we describe semi-free-start collision attacks on 38 and 40 (out of 80) steps of RIPEMD-160 with time complexity 252 and 274.6, respectively. To the best of our knowledge, these are the best semi-free-start collision attacks for RIPEMD-160 starting from the first step with respect to the number of steps, including the first practical colliding message pairs for 36 and 37 steps of RIPEMD-160.

show abstract

Section: Our Contributionsmentioning

confidence: 99%

Section: Differential Characteristicsmentioning

confidence: 99%

New Semi-Free-Start Collision Attack Framework for Reduced RIPEMD-160

Liu

Dobraunig

Mendel

et al. 2019

ToSC

Self Cite

View full text Add to dashboard Cite

show abstract

“…In 2011, Mendel et al [38] extended it for SHA-256 which was further improved in their work in 2013 [39]. Eichlseder et al [19] improved upon the branching heuristics of this tool and applied it to SHA-512. Recently Stevens et al [49] presented a parallelized search implementation and found free-start collision on full SHA-1.…”

Section: Related Workmentioning

confidence: 99%

Adaptive Restart and CEGAR-Based Solver for Inverting Cryptographic Hash Functions

Nejati

Jia

Gebotys

et al. 2017

Lecture Notes in Computer Science

View full text Add to dashboard Cite

SAT solvers are increasingly being used for cryptanalysis of hash functions and symmetric encryption schemes. Inspired by this trend, we present MapleCrypt which is a SAT solver-based cryptanalysis tool for inverting hash functions. We reduce the hash function inversion problem for fixed targets into the satisfiability problem for Boolean logic, and use MapleCrypt to construct preimages for these targets.MapleCrypt has two key features, namely, a multi-armed bandit based adaptive restart (MABR) policy and a counterexample-guided abstraction refinement (CEGAR) technique. The MABR technique uses reinforcement learning to adaptively choose between different restart policies during the run of the solver. The CEGAR technique abstracts away certain steps of the input hash function, replacing them with the identity function, and verifies whether the solution constructed by MapleCrypt indeed hashes to the previously fixed targets. If it is determined that the solution produced is spurious, the abstraction is refined until a correct inversion to the input hash target is produced. We show that the resultant system is faster for inverting the SHA-1 hash function than state-of-the-art inversion tools.

show abstract

“…The best known collision attacks on SHA-256 so far are semi-free-start collisions for 38 and collisions for 31 out of 64 steps by Mendel et al in [20]. Recently, Eichlseder et al presented semi-free-start collisions for SHA-512 on up to 38 steps in [8]. Compared with the preimage attacks, all these attacks have practical complexities.…”

Section: Introductionmentioning

confidence: 99%

Boomerang Attack on Step-Reduced SHA-512

Bai

2015

Information Security and Cryptology

View full text Add to dashboard Cite

Abstract. SHA-2 (SHA-224, SHA-256, SHA-384 and SHA-512) is hash function family issued by the National Institute of Standards and Technology (NIST) in 2002 and is widely used all over the world. In this work, we analyze the security of SHA-512 with respect to boomerang attack. Boomerang distinguisher on SHA-512 compression function reduced to 48 steps is proposed, with a practical complexity of 2 51 . A practical example of the distinguisher for 48-step SHA-512 is also given. As far as we know, it is the best practical attack on step-reduced SHA-512.

show abstract

Branching Heuristics in Differential Collision Search with Applications to SHA-512

Cited by 18 publications

References 29 publications

New Semi-Free-Start Collision Attack Framework for Reduced RIPEMD-160

New Semi-Free-Start Collision Attack Framework for Reduced RIPEMD-160

Adaptive Restart and CEGAR-Based Solver for Inverting Cryptographic Hash Functions

Boomerang Attack on Step-Reduced SHA-512

Contact Info

Product

Resources

About