2010
DOI: 10.1007/s00145-010-9063-0

Cryptanalysis of the Tillich–Zémor Hash Function

Abstract: At CRYPTO '94, Tillich and Zémor proposed a family of hash functions, based on computing a suitable matrix product in groups of the form SL_2(F_{2^n}). We show how to construct collisions between palindromic bit strings of length 2n + 2 for Tillich and Zémor's construction. The approach also yields collisions for related proposals by Petit et al. from ICECS '08 and CT-RSA '09. It seems fair to consider our attack as practical: for parameters of interest, the colliding bit strings have a length of a few h…

Cited by 28 publications
(19 citation statements)
References 12 publications
“…In order to have the palindrome collision we will make the following change in the generators [6]. [8], [9], satisfying a Euclidean algorithm sequence (in reverse order) where each quotient is either x or x+1. These sequences are often called maximal length sequences for the Euclidean algorithm or maximal length Euclidean sequences.…”
Section: Palindrome Collision (mentioning)
confidence: 99%
“…This particular hash function was successfully attacked in [6] and [11]; see also [8] for a more general attack approach. It should be pointed out though that the general attack in [8] works in super-polynomial time in the size of n; in particular, it becomes infeasible already for the value n = 131 suggested in [15].…”
Section: Introduction (mentioning)
confidence: 99%
“…It should be pointed out though that the general attack in [8] works in super-polynomial time in the size of n; in particular, it becomes infeasible already for the value n = 131 suggested in [15]. The attack in [6] is more special, targeted specifically at the hash function in [15] (in particular, they use a known result about a worst-case behavior of the Euclidean algorithm in F_2[x]), and it does actually find short collisions for various irreducible polynomials p(x), including polynomials p(x) of a rather high degree, like n = 2039. Again, this attack is specific to (some pairs of) matrices over a Galois field of characteristic 2.…”
Section: Introduction (mentioning)
confidence: 99%
“…There needs to be some level of confidence to begin with, such assumptions need to be selected very carefully. Examples of "provably secure" functions based on false assumptions include the Zémor-Tillich, LPS and Morgenstern hash functions proposed in [40,11,31,33] and broken in [41,32,20]. This paper only deals with functions believed not to be completely broken.…”
Section: Introduction (mentioning)
confidence: 99%