A 2nd-Preimage Attack on AURORA-512
نویسنده
چکیده
In this note, we present a 2nd-preimage attack on AURORA512, which is one of the candidates for SHA-3. Our attack can generate 2nd-preimages of any given message, in particular, the attack complexity becomes optimal when the message length is 9 blocks or more. In such a case, the attack complexity is approximately 2 AURORA-512 operations, which is less than the brute force attack on AURORA-512, namely, 2512−log2 9 ≈ 2. Our attack exploits some weakness in the mode of operation. keywords: AURORA, DMMD, 2nd-preimage, multi-collision 1 Description of AURORA-512 We briefly describe the specification of AURORA-512. Please refer to Ref. [1] for details. An input message is padded to be a multiple of 512 bits by the standard MD message padding, then, the padded message is divided into 512-bit message blocks (M0,M1, . . . , MN−1). In AURORA-512, compression functions Fk : {0, 1}256×{0, 1}512 → {0, 1}256 and Gk : {0, 1}256 × {0, 1}512 → {0, 1}256, two permutations MF : {0, 1}512 → {0, 1}512 and MFF : {0, 1}512 → {0, 1}512, and two initial 256-bit chaining values H 0 and H D 0 are defined . The algorithm to compute a hash value is as follows. 1. for k=0 to N − 1 { 2. H k+1 ← Fk(H k ,Mk). 3. H k+1 ← Gk(H k ,Mk). 4. If k mod 8 = 7 { 5. temp ← H k+1‖H k+1 6. H k+1‖H k+1 ← MF (temp). 7. } 8. } 9. Output MFF (H N‖H N ). 1 Fk and Fk′ are identical if k ≡ k′mod 8. Gk and Gk′ also follow the same rule. 2 Attack Description Our attack can generate 2nd-preimages of any given message, in particular, the attack complexity becomes optimal when the message length is 9 blocks or more, in which case it is approximately 2 AURORA-512 operations. Strictly speaking, the attack complexity depends on the output distribution of the compression function. We first assume that the output distribution is perfectly balanced, then discuss other cases later. The attack procedure for a 9-block message X0‖X1‖ · · · ‖X8 is as follows. The attack is also illustrated in Fig. 1
منابع مشابه
A Full Key Recovery Attack on HMAC-AURORA-512
In this note, we present a full key recovery attack on HMACAURORA-512 when 512-bit secret keys are used and the MAC length is 512-bit long. Our attack requires 2 queries and the off-line complexity is 2 AURORA-512 operations, which is significantly less than the complexity of the exhaustive search for a 512-bit key. The attack can be carried out with a negligible amount of memory. Our attack ca...
متن کاملLow-weight Pseudo Collision Attack on Shabal and Preimage Attack on Reduced Shabal-512
This paper studies two types of attacks on the hash function Shabal. The first attack is a low-weight pseudo collision attack on Shabal. Since a pseudo collision attack is trivial for Shabal, we focus on a low-weight pseudo collision attack. It means that only low-weight difference in a chaining value is considered. By analyzing the difference propagation in the underlying permutation, we can c...
متن کاملPreimage Attacks on Reduced Tiger and SHA-2
This paper shows new preimage attacks on reduced Tiger and SHA-2. Indesteege and Preneel presented a preimage attack on Tiger reduced to 13 rounds (out of 24) with a complexity of 2. Our new preimage attack finds a one-block preimage of Tiger reduced to 16 rounds with a complexity of 2. The proposed attack is based on meet-in-themiddle attacks. It seems difficult to find “independent words” of ...
متن کامل(Pseudo) Preimage Attack on Round-Reduced Grøstl Hash Function and Others
The Grøstl hash function is one of the 5 final round candidates of the SHA-3 competition hosted by NIST. In this paper, we study the preimage resistance of the Grøstl hash function. We propose pseudo preimage attacks on Grøstl hash function for both 256-bit and 512-bit versions, i.e., we need to choose the initial value in order to invert the hash function. Pseudo preimage attack on 5(out of 10...
متن کامل(Pseudo) Preimage Attack on Round-Reduced Grøstl Hash Function and Others (Extended Version)
The Grøstl hash function is one of the 5 final round candidates of the SHA-3 competition hosted by NIST. In this paper, we study the preimage resistance of the Grøstl hash function. We propose pseudo preimage attacks on Grøstl hash function for both 256-bit and 512-bit versions, i.e., we need to choose the initial value in order to invert the hash function. Pseudo preimage attack on 5(out of 10...
متن کاملذخیره در منابع من
با ذخیره ی این منبع در منابع من، دسترسی به آن را برای استفاده های بعدی آسان تر کنید
برای دانلود متن کامل این مقاله و بیش از 32 میلیون مقاله دیگر ابتدا ثبت نام کنید
ثبت ناماگر عضو سایت هستید لطفا وارد حساب کاربری خود شوید
ورودعنوان ژورنال:
- IACR Cryptology ePrint Archive
دوره 2009 شماره
صفحات -
تاریخ انتشار 2009