Second-Preimage Analysis of Reduced SHA-1
نویسنده
چکیده
Many applications using cryptographic hash functions do not require collision resistance, but some kind of preimage resistance. That’s also the reason why the widely used SHA-1 continues to be recommended in all applications except digital signatures after 2010. Recent work on preimage and second preimage attacks on reduced SHA-1 succeeding up to 48 out of 80 steps (with results barely below the 2 time complexity of brute-force search) suggest that there is plenty of security margin left. In this paper we show that the security margin is actually somewhat lower, when only second preimages are the goal. We do this by giving two examples, using known differential properties of SHA-1. First, we reduce the complexity of a 2nd-preimage shortcut attack on 34-step SHA-1 from an impractically high complexity to practical complexity. Next, we show a property for up to 61 steps of the SHA-1 compression function that violates some variant of a natural second preimage resistance assumption, adding 13 steps to previously best known results.
منابع مشابه
Preimage Attacks on Reduced Tiger and SHA-2
This paper shows new preimage attacks on reduced Tiger and SHA-2. Indesteege and Preneel presented a preimage attack on Tiger reduced to 13 rounds (out of 24) with a complexity of 2. Our new preimage attack finds a one-block preimage of Tiger reduced to 16 rounds with a complexity of 2. The proposed attack is based on meet-in-themiddle attacks. It seems difficult to find “independent words” of ...
متن کاملNote on Distinguishing, Forgery, and Second Preimage Attacks on HMAC-SHA-1 and a Method to Reduce the Key Entropy of NMAC
The first distinguishing, forgery and second preimage attacks on step-reduced HMAC-SHA-1 have recently been presented by Kim et al. In this note we report on ongoing work to improve their data complexity and present new attacks on HMAC-SHA-1 covering more steps. Additionally, we show how a collision-based technique can be used to reduce the key entropy of NMAC-SHA-1. Finally we comment on the a...
متن کاملAdvanced Meet-in-the-Middle Preimage Attacks: First Results on Full Tiger, and Improved Results on MD4 and SHA-2
We revisit narrow-pipe designs that are in practical use, and their security against preimage attacks. Our results are the best known preimage attacks on Tiger, MD4, and reduced SHA-2, with the result on Tiger being the first cryptanalytic shortcut attack on the full hash function. Our attacks runs in time 2 for finding preimages, and 2 for second-preimages. Both have memory requirement of orde...
متن کاملMeet-in-the-Middle Preimage Attacks Against Reduced SHA-0 and SHA-1
Preimage resistance of several hash functions has already been broken by the meet-in-the-middle attacks and they utilize a property that their message schedules consist of only permutations of message words. It is unclear whether this type of attacks is applicable to a hash function whose message schedule does not consist of permutations of message words. This paper proposes new attacks against...
متن کاملImproved (Pseudo) Preimage Attack and Second Preimage Attack on Round-Reduced Grøstl
Abstract. Grøstl is one of the five finalists in the third round of SHA-3 competition hosted by NIST. In this paper, we use many techniques to improve the pseudo preimage attack on Grøstl hash function, such as subspace preimage attack and guess-and-determine technique. We present improved pseudo preimage attacks on 5-round Grøstl-256 and 8-round Grøstl-512 respectively. The complexity of the a...
متن کامل