Distinguishing Attack on the Secret-Prefix MAC Based on the 39-Step SHA-256

Yu, Haiyan; Wang, Xiaoyun

doi:10.1007/978-3-642-02620-1_13

Cited by 7 publications

(6 citation statements)

References 24 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…One may note the work announced at the rump session by Yu and Wang [10], which claimed to have found a non-randomness property of SHA-256 reduced to 39 steps. Since the non-randomness property is not included in the security requirements for SHA-3, we do not discuss it in this paper.…”

Section: Introductionmentioning

confidence: 99%

Preimages for Step-Reduced SHA-2

Aoki

Guo

Matusiewicz

et al. 2009

Lecture Notes in Computer Science

117

View full text Add to dashboard Cite

Abstract. In this paper, we present preimage attacks on up to 43-step SHA-256 (around 67% of the total 64 steps) and 46-step SHA-512 (around 57.5% of the total 80 steps), which significantly increases the number of attacked steps compared to the best previously published preimage attack working for 24 steps. The time complexities are 2 251.9 , 2 509 for finding pseudo-preimages and 2 254.9 , 2 511.5 compression function operations for full preimages. The memory requirements are modest, around 2 6 words for 43-step SHA-256 and 46-step SHA-512. The pseudo-preimage attack also applies to 43-step SHA-224 and SHA-384. Our attack is a meet-in-the-middle attack that uses a range of novel techniques to split the function into two independent parts that can be computed separately and then matched in a birthday-style phase.

show abstract

Section: Introductionmentioning

confidence: 99%

Preimages for Step-Reduced SHA-2

Aoki

Guo

Matusiewicz

et al. 2009

Lecture Notes in Computer Science

117

View full text Add to dashboard Cite

show abstract

“…In this attack framework, the number of queries principally cannot be below 2 n/2 because the birthday attack is used. With the techniques of [17], a series of distinguishing-H attacks on LPMAC were presented against SHA-1, SHA-256, and the RIPEMDfamily [18,19,3,20]. The attack results are summarized in Table 1.…”

Section: Oursmentioning

confidence: 99%

“…Wang et al [17] solved these problems by using the birthday attack to generate a specific difference of an intermediate chaining variables and efficiently detect it only by changing the next message block. Previous distinguishing-H attacks on LPMAC [18,19,3,20] used the similar idea as [17]. As long as the birthday attack is used to generate an intermediate difference, the attack complexity is between 2 n/2 and 2 n .…”

Section: Summary Of Previous Analyses On Mac Algorithmsmentioning

confidence: 99%

Cryptanalyses on a Merkle-Damgård Based MAC — Almost Universal Forgery and Distinguishing-<i>H</i> Attacks

Sasaki

2014

IEICE Trans. Fundamentals

View full text Add to dashboard Cite

This paper presents two types of cryptanalysis on a Merkle-Damgård hash based MAC, which computes a MAC value of a message M by Hash(K M ) with a shared key K and the message length . This construction is often called LPMAC. Firstly, we present a distinguishing-H attack against LPMAC instantiating any narrow-pipe Merkle-Damgård hash function with O(2 n/2 ) queries, which indicates the incorrectness of the widely believed assumption that LPMAC instantiating a secure hash function should resist the distinguishing-H attack up to 2 n queries. In fact, all of the previous distinguishing-H attacks considered dedicated attacks depending on the underlying hash algorithm, and most of the cases, reduced rounds were attacked with a complexity between 2 n/2 and 2 n . Because it works in generic, our attack updates these results, namely full rounds are attacked with O(2 n/2 ) complexity. Secondly, we show that an even stronger attack, which is a powerful form of an almost universal forgery attack, can be performed on LPMAC. In this setting, attackers can modify the first several message-blocks of a given message and aim to recover an internal state and forge the MAC value. For any narrowpipe Merkle-Damgård hash function, our attack can be performed with O(2 n/2 ) queries. These results show that the length prepending scheme is not enough to achieve a secure MAC.

show abstract

“…However, the work of Wang et al [1,2] has shown weaknesses that allow collisions to be computed for these hash functions much faster than by brute force. And Wang et al [3][4][5] have also analyzed the security of modification detection code (MDC) based on these hash functions in detail. Hence there is a rather pressing need to design new hash functions as of today (cf.…”

Section: Introductionmentioning

confidence: 99%

Design theory and method of multivariate hash function

Wang

Zhang

et al. 2010

Sci. China Inf. Sci.

View full text Add to dashboard Cite

This paper proposes a novel hash algorithm whose security is based on the multivariate nonlinear polynomial equations of NP-hard problem over a finite field and combines with HAIFA iterative framework. Over the current widely used hash algorithms, the new algorithm has the following advantages: its security is based on a recognized difficult mathematical problem; the hash length can be changed freely; its design can be automated such that users may construct specific hash function meeting the actual needs. Furthermore, we discuss the security, efficiency and performance of the new algorithm. Under some related difficult mathematical assumptions and theoretical analysis, the new algorithm is proven practical by the experiment results, and capable of achieving security of an ideal hash function by choosing suitable parameters. In addition, it can also be used as a pseudo-random number generator for the good randomness of its output.

show abstract

Distinguishing Attack on the Secret-Prefix MAC Based on the 39-Step SHA-256

Cited by 7 publications

References 24 publications

Preimages for Step-Reduced SHA-2

Preimages for Step-Reduced SHA-2

Cryptanalyses on a Merkle-Damgård Based MAC — Almost Universal Forgery and Distinguishing-<i>H</i> Attacks

Design theory and method of multivariate hash function

Contact Info

Product

Resources

About