Cryptanalysis of Tav-128 Hash Function
نویسندگان
چکیده
Many RFID protocols use cryptographic hash functions for their security. The resource constrained nature of RFID systems forces the use of light weight cryptographic algorithms. Tav-128 is one such 128-bit light weight hash function proposed by Peris-Lopez et al. for a low-cost RFID tag authentication protocol. Apart from some statistical tests for randomness by the designers themselves, Tav-128 has not undergone any other thorough security analysis. Based on these tests, the designers claimed that Tav-128 does not posses any trivial weaknesses. In this article, we carry out the first third party security analysis of Tav-128 and show that this hash function is neither collision resistant nor second preimage resistant. Firstly, we show a practical collision attack on Tav-128 having a complexity of 2 calls to the compression function and produce message pairs of arbitrary length which produce the same hash value under this hash function. We then show a second preimage attack on Tav-128 which succeeds with a complexity of 2 calls to the compression function. Finally, we study the constituent functions of Tav-128 and show that the concatenation of nonlinear functions A and B produces a 64-bit permutation from 32-bit messages. This could be a useful light weight primitive for future RFID protocols.
منابع مشابه
Attacking the Tav-128 Hash function
Many RFID protocols use cryptographic hash functions for their security. The resource constrained nature of RFID systems forces the use of light weight cryptographic algorithms. Tav-128 is one such light weight hash function proposed by Peris-Lopez et al. for an RFID authentication protocol. In this article we show that Tav-128 is not collision resistant. We show a practical collision attack ag...
متن کاملA Splice-and-Cut Cryptanalysis of the AES
Since Rijndael was chosen as the Advanced Encryption Standard, improving upon 7-round attacks on the 128-bit key variant or upon 8-round attacks on the 256-bit key variant has been one of the most difficult challenges in the cryptanalysis of block ciphers for more than a decade. In this paper we present a novel technique of block cipher cryptanalysis with bicliques, which leads to the following...
متن کاملOn the Collision Resistance of RIPEMD-160
In this article, the RIPEMD-160 hash function is studied in detail. To analyze the hash function, we have extended existing approaches and used recent results in cryptanalysis. While RIPEMD and RIPEMD-128 reduced to 3 rounds are vulnerable to the attack, it is not feasible for RIPEMD-160. Furthermore, we present an analytical attack on a round-reduced variant of the RIPEMD-160 hash function. To...
متن کاملCryptanalysis of the "Kindle" Cipher
In this paper we study a 128-bit-key cipher called PC1 which is used as part of the DRM system of the Amazon Kindle e-book reader. This is the first academic cryptanalysis of this cipher and it shows that PC1 is a very weak stream cipher, and can be practically broken in a known-plaintext and even in a ciphertext-only scenario. A hash function based on this cipher has also been proposed and is ...
متن کاملBiclique Cryptanalysis of Full Round AES-128 Based Hashing Modes
In this work, we revisit the security analysis of AES-128 instantiated hash modes. We use biclique cryptanalysis technique as our basis for the attack. The traditional biclique approach used for key recovery in AES (and preimage search in AES based compression function) cannot be applied directly to hash function settings due to restrictions imposed on message input due to padding. Under this c...
متن کامل