Near-Collision Attack on the Compression Function of Dynamic SHA2
Abstract
In this paper, we present a near-collision attack on the compression functions of Dynamic SHA2 for all the output sizes. For the Dynamic SHA2-224/256, the complexity is about 2 operations and for the Dynamic SHA2-384/512, the complexity is about 2.

1 Description of Dynamic SHA2

Dynamic SHA-2 [1] is an iterated cryptographic hash function family built from design components of the SHA-2 family [2]. It provides message digests of 224, 256, 384 and 512 bits. The fundamental building block of Dynamic SHA2-256 (Dynamic SHA2-512) is the compression function, which takes a 256-bit (512-bit) chaining value and a 512-bit (1024-bit) message block and outputs a new 256-bit (512-bit) chaining value.

For the purposes of our attack, we describe only the compression function of Dynamic SHA2, which includes three iterative parts. The first part includes only one round and mixes all the message words once; the second iterative part includes 9 blank rounds in which no message words are mixed, so it has no effect on our attack and we omit its description; and the third part includes 7 rounds and mixes the message words 7 times.

The compression function of Dynamic SHA2 can be described as follows:

1. Input the 512-bit (resp. 1024-bit) message W = (w0, w1, ..., w15), and initialize the eight chaining variables (a, b, c, d, e, f, g, h) with the (i − 1)-th hash value (a0, b0, c0, d0, e0, f0, g0, h0).
2. Step update:
   – The first iterative part
     COMP(a, b, c, d, e, f, g, h, w0, w1, w2, w3, w4, w5, w6, w7, 0)
     COMP(a, b, c, d, e, f, g, h, w8, w9, w10, w11, w12, w13, w14, w15, 0)
   – The second iterative part (no message words are mixed, so we omit its description).

Supported by 973 Project (No. 2007CB807902), 863 Project (No. 2006AA01Z420) and the National Natural Science Foundation of China (NSFC Grant No. 60803125).
Similar resources
Cryptanalysis of Dynamic SHA(2)
In this paper, we analyze the hash functions Dynamic SHA and Dynamic SHA2, which have been selected as first round candidates in the NIST hash function competition. These hash functions rely heavily on data-dependent rotations, similar to certain block ciphers, e.g., RC5. Our analysis suggests that in the case of hash functions, where the attacker has more control over the rotations, this appro...
Cryptanalysis of the Compression Function of SIMD
SIMD is one of the second round candidates of the SHA3 competition hosted by NIST. In this paper, we present some results on the compression function of SIMD 1.1 (the tweaked version) using the modular difference method. For SIMD-256, We give a free-start near collision attack on the compression function reduced to 20 steps with complexity 2−107. And for SIMD-512, we give a free-start near coll...
Rebound Distinguishers: Results on the Full Whirlpool Compression Function
Whirlpool is a hash function based on a block cipher that can be seen as a scaled up variant of the AES. The main difference is the (compared to AES) extremely conservative key schedule. In this work, we present a distinguishing attack on the full compression function of Whirlpool. We obtain this result by improving the rebound attack on reduced Whirlpool with two new techniques. First, the inb...
New Pseudo-Near-Collision Attack on Reduced-Round of Hamsi-256
Hamsi-256 is designed by Özgül Kücük and it has been a candidate Hash function for the second round of SHA-3. The compression function of Hamsi-256 maps a 256-bit chaining value and a 32-bit message to a new 256-bit chaining value. As hashing a message, Hamsi-256 operates 3-round except for the last message it operates 6-round. In this paper, we will give the pseudo-near-collision for 5-round H...
Subspace Distinguisher for 5/8 Rounds of the ECHO-256 Hash Function
In this work we present first results for the hash function of ECHO. We provide a subspace distinguisher for 5 rounds, near-collisions on 4.5 rounds and collisions for 4 out of 8 rounds of the ECHO-256 hash function. The complexities are 2 compression function calls for the distinguisher and near-collision attack, and 2 for the collision attack. The memory requirements are 2 for all attacks. Fu...
Journal title:
- IACR Cryptology ePrint Archive
Volume 2009
Publication date 2009