Attacks on JH, Grstl and SMASH Hash Functions

نویسندگان

  • Yiyuan Luo
  • Xuejia Lai
چکیده

JH and Grøstl hash functions are two of the five finalists in NIST SHA-3 competition. JH-s and Grøstl-s are based on a 2n bit compression function and the final output is truncated to s bits, where n is 512 and s can be 224,256,384 and 512. Previous security proofs show that JH-s and Grøstl-s are optimal collision resistance without length padding to the last block. In this paper we present collision and preimage attacks on JH-s and Grøstl-s without length padding to the last block. For collision attack on JH-s, after a 1 e 2 precomputing, the adversary needs 2 queries to the underlying compression function to find a new collision. For preimage attack on JH-s, after a 1 e 2 precomputing, the adversary needs 2 queries to the underlying compression function to find a new preimage. If s = 224, the attacker only needs 2 and 2 compression function queries to mount a new collision attack and preimage attack respectively. For Grøstl, the query complexity of our collision and preimage attack are one half of birthday collision attack and exhaustive preimage attack respectively. We also discuss how our attack works when the length is padded to the last message block. Our attacks exploit structure flaws in the design of JH and Grøstl. It is easily applied to MJH and SMASH and other generalizations since they have similar structure (we call it EvanMansour structure). At the same time the provable security of chopMD in the literature is challenged. Through our attack, it is easy to see that the chopMD mode used in JH or Grøstl does not improve its security.

برای دانلود متن کامل این مقاله و بیش از 32 میلیون مقاله دیگر ابتدا ثبت نام کنید

ثبت نام

اگر عضو سایت هستید لطفا وارد حساب کاربری خود شوید

منابع مشابه

Breaking the Even-Mansour Hash Function: Collision and Preimage Attacks on JH and Grøstl

The Even-Mansour structure and the chopMD mode are two widely-used strategies in hash function designs. They are adopted by many hash functions including two SHA-3 finalists, the JH hash function and the Grøstl hash function. The Even-Mansour structure combining the chopMD mode is supposed to enhance the security of hash functions against collision and preimage attacks, while our results show t...

متن کامل

Improved indifferentiability security bound for the JH mode

Indifferentiability security of a hash mode of operation guarantees the mode’s resistance against all generic attacks. It is also useful to establish the security of protocols that use hash functions as random functions. The JH hash function is one of the five finalists in the ongoing NIST SHA-3 hash function competition. Despite several years of analysis, the indifferentiability security of th...

متن کامل

On the algebraic degree of some SHA-3 candidates

We present a study on the algebraic degree of iterated permutations seen as multivariate polynomials. Our main result shows that this degree depends on the algebraic degree of the inverse of the permutation which is iterated. It leads among others to an improvement of the bound on the degree presented in [6]. This result has some consequences in hash function analysis since several attacks or d...

متن کامل

How to Improve Rebound Attacks

Rebound attacks are a state-of-the-art analysis method for hash functions. These cryptanalysis methods are based on a well chosen differential path and have been applied to several hash functions from the SHA-3 competition, providing the best known analysis in these cases. In this paper we study rebound attacks in detail and find for a large number of cases that the complexities of existing att...

متن کامل

SMASH - A Cryptographic Hash Function

1 This paper presents a new hash function design, which is different from the popular designs of the MD4-family. Seen in the light of recent attacks on MD4, MD5, SHA-0, SHA-1, and on RIPEMD, there is a need to consider other hash function design strategies. The paper presents also a concrete hash function design named SMASH. One version has a hash code of 256 bits and appears to be at least as ...

متن کامل

ذخیره در منابع من


  با ذخیره ی این منبع در منابع من، دسترسی به آن را برای استفاده های بعدی آسان تر کنید

برای دانلود متن کامل این مقاله و بیش از 32 میلیون مقاله دیگر ابتدا ثبت نام کنید

ثبت نام

اگر عضو سایت هستید لطفا وارد حساب کاربری خود شوید

عنوان ژورنال:
  • IACR Cryptology ePrint Archive

دوره 2013  شماره 

صفحات  -

تاریخ انتشار 2013