Finding Second Preimages of Short Messages for Hamsi-256

Fuhr, Thomas

doi:10.1007/978-3-642-17373-8_2

Cited by 10 publications

(33 citation statements)

References 6 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…While the direct attack seems to be worse than Fuhr's attack [2] , it can be the basis for substantial improvements. In this section we consider the generalized problem of finding a pseudo preimage, defined as a pair of a message block and chaining valueM i ,h i−1 such that F(M i ,h i−1 ) = h * i for a given value h * i .…”

Section: Improving the Direct Attack By Using Pseudo Preimagesmentioning

confidence: 96%

“…Our improved attack exploits the very interesting observations made by Thomas Fuhr in section 3 of [2]. For a given message block M , we select our variables from the state that precedes the first Sbox layer as follows: Let x (j) denote the j th bit of the 32-bit word x.…”

Section: Improving the Direct Attack By Using Pseudo Preimagesmentioning

confidence: 99%

“…However, these results do not break the core security properties of a hash function. More recently, Thomas Fuhr introduced the first real attack on Hamsi-256 [2]. The attack exploits linear relations between some input bits and output bits of the compression function in order to find pseudo preimages for the compression function of Hamsi-256 (a pseudo preimage of an arbitrary chaining value h * i under the compression function F is a message blockM i and a chaining valueh i−1 such that F(M i ,h i−1 ) = h * i ).…”

Section: Introductionmentioning

confidence: 99%

“…For longer messages, we develop another attack which is faster than the Kelsey and Schneier attack by a factor which is between 6 and 4 for all messages of practical size (i.e., up to 4 gigabytes). Our short message attack exploits some of the observations made in [2] regarding the Hamsi Sbox, but uses them in a completely different way to obtain better results: While Fuhr solved linear equations in order to speed up the search for pseudo preimages, our attacks use fast polynomial enumeration algorithms to quickly discard compression function inputs which cannot possibly yield the desired output.…”

Section: Introductionmentioning

confidence: 99%

“…The complexity of interpolating and solving such a system is faster than exhaustive search (which requires 2 7 or 2 8 function evaluations) only by a small factor. In the second stage, [2] can not obtain any linear equations and proceeds by performing an exhaustive search, which makes the attack faster than Kelsey and Schneier's attack only for very short messages. Another reason why our attack is faster is that in the first stage we also exploit the weak diffusion of the input variables into some of the output bits.…”

Section: Introductionmentioning

confidence: 99%

See 4 more Smart Citations

An Improved Algebraic Attack on Hamsi-256

Dinur

Shamir

2011

Fast Software Encryption

View full text Add to dashboard Cite

Abstract. Hamsi is one of the 14 second-stage candidates in NIST's SHA-3 competition. The only previous attack on this hash function was a very marginal attack on its 256-bit version published by Thomas Fuhr at Asiacrypt 2010, which is better than generic attacks only for very short messages of fewer than 100 32-bit blocks, and is only 26 times faster than a straightforward exhaustive search attack. In this paper we describe a different algebraic attack which is less marginal: It is better than the best known generic attack for all practical message sizes (up to 4 gigabytes), and it outperforms exhaustive search by a factor of at least 512. The attack is based on the observation that in order to discard a possible second preimage, it suffices to show that one of its hashed output bits is wrong. Since the output bits of the compression function of Hamsi-256 can be described by low degree polynomials, it is actually faster to compute a small number of output bits by a fast polynomial evaluation technique rather than via the official algorithm.

show abstract

Section: Improving the Direct Attack By Using Pseudo Preimagesmentioning

confidence: 96%

Section: Improving the Direct Attack By Using Pseudo Preimagesmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

An Improved Algebraic Attack on Hamsi-256

Dinur

Shamir

2011

Fast Software Encryption

View full text Add to dashboard Cite

show abstract

Collision Attack on the Hamsi-256 Compression Function

Lamberger

Mendel

Rijmen

2012

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Hamsi-256 is a cryptographic hash functions submitted by Küçük to the NIST SHA-3 competition in 2008. It was selected by NIST as one of the 14 round 2 candidates in 2009. Even though Hamsi-256 did not make it to the final round in 2010 it is still an interesting target for cryptanalysts. Since Hamsi-256 has been proposed, it received a great deal of cryptanalysis. Besides the second-preimage attacks on the hash function, most cryptanalysis focused on non-random properties of the compression function or output transformation of Hamsi-256. Interestingly, the collision resistance of the hash or compression function got much less attention. In this paper, we present a collision attack on the Hamsi-256 compression function with a complexity of about 2 124.1 .

show abstract

A New Criterion for Avoiding the Propagation of Linear Relations Through an Sbox

Boura

Canteaut

2014

Fast Software Encryption

View full text Add to dashboard Cite

In several cryptographic primitives, Sboxes of small size are used to provide nonlinearity. After several iterations, all the output bits of the primitive are ideally supposed to depend in a nonlinear way on all of the input variables. However, in some cases, it is possible to find some output bits that depend in an affine way on a small number of input bits if the other input bits are fixed to a well-chosen value. Such situations are for example exploited in cube attacks or in attacks like the one presented by Fuhr against the hash function Hamsi. Here, we define a new property for nonlinear Sboxes, named (v, w)-linearity, which means that 2 w components of an Sbox are affine on all cosets of a v-dimensional subspace. This property is related to the generalization of the so-called Maiorana-McFarland construction for Boolean functions. We show that this concept quantifies the ability of an Sbox to propagate affine relations. As a proof of concept, we exploit this new notion for analyzing and slightly improving Fuhr's attack against Hamsi and we show that its success strongly depends on the (v, w)-linearity of the involved Sbox.

show abstract

Finding Second Preimages of Short Messages for Hamsi-256

Cited by 10 publications

References 6 publications

An Improved Algebraic Attack on Hamsi-256

An Improved Algebraic Attack on Hamsi-256

Collision Attack on the Hamsi-256 Compression Function

A New Criterion for Avoiding the Propagation of Linear Relations Through an Sbox

Contact Info

Product

Resources

About