2009
DOI: 10.1007/978-3-642-10366-7_34

Preimages for Step-Reduced SHA-2

Abstract: In this paper, we present preimage attacks on up to 43-step SHA-256 (around 67% of the total 64 steps) and 46-step SHA-512 (around 57.5% of the total 80 steps), which significantly increases the number of attacked steps compared to the best previously published preimage attack working for 24 steps. The time complexities are $2^{251.9}$, $2^{509}$ for finding pseudo-preimages and $2^{254.9}$, $2^{511.5}$ compression function operations for full preimages. The memory requirements are modest, around $2^{6}$ words for 43-…

Cited by 80 publications (125 citation statements)
References 18 publications
“…Next, if these are the only such vectors that occur in practice, then we have recovered $z_{1(30)}$, or the MSB of $k_0$, with probability 1 when the time taken to execute (2) is at its minimum. This minimum time period would naturally be $T_{\text{const}} + T_{\text{carry}}$, with $T_{\text{const}}$ being the constant time component (i.e., the sum total of the execution times of the steps, of the Add()'s invoked for (2), that are independent of the respective x's and y's). With this, let us proceed to the second step of the initialization mode, viz.,…”
Section: Methods (mentioning)
confidence: 99%
“…The problem with the cache memory is that, unlike the RAM, it is shared among users sharing a CPU. Hence, if Bob and Eve are sharing a CPU and Eve is aware that Bob is about to encrypt, Eve may initiate her cache timing attack as follows. She first fills the cache memory with values of her choice and waits for Bob to run the encryption algorithm.…”
Section: Timeline (mentioning)
confidence: 99%
“…A straightforward attack on 6 rounds uses a biclique in rounds 2-4 of Skein and word $S_1$ of the output of the 6-round transformation as the matching variable $v$ (Figure 4). However, we extend it by one round with the idea of the indirect partial matching [1]. Consider the state word $S_0$ after round 6 as a function of $P_{i,j}$.…”
Section: Skein-512 (mentioning)
confidence: 99%
“…The message compensation procedure [1,16] instructs how to select message groups in the splice-and-cut attack in case of a strong, nonlinear message schedule. Existing applications are very ad-hoc and complicated.…”
Section: Message Compensation (mentioning)
confidence: 99%