Slide Attacks on a Class of Hash Functions

This paper studies the application of slide attacks to hash functions. Slide attacks have mostly been used for block cipher cryptanalysis. But, as shown in the current paper, they also form a potential threat for hash functions, namely for sponge-function-like structures. As it turns out, certain constructions for hash-function-based MACs can be vulnerable to forgery and even to key recovery attacks. In other cases, we can at least distinguish a given hash function from a random oracle. To illustrate our results, we describe attacks against the Grindahl-256 and Grindahl-512 hash functions. To the best of our knowledge, this is the first cryptanalytic result on Grindahl-512. Furthermore, we point out a slide-based distinguisher attack on a slightly modified version of RadioGatun. We finally discuss simple countermeasures as a defense against slide attacks.
