Cube attacks on cryptographic hash functions

Cryptographic hash functions are a vital part of our current computer systems. They are a core component of digital signatures, message authentication codes, file checksums, and many other protocols and security schemes. Recent attacks against well-established hash functions have led NIST to start an international competition to develop a new hashing standard, to be named SHA-3. In this thesis, we provide cryptanalysis of some of the SHA-3 candidates. We do this using cube attacks, a new cryptanalytical technique introduced a few months ago. In addition to summarizing the technique, we build on it by providing a framework for estimating its potential effectiveness in cases that are too computationally expensive to test. We then show that cube attacks can be applied not only to keyed cryptosystems but also to hash functions, by way of a partial preimage attack. We successfully apply this attack to reduced-round variants of the ESSENCE and Keccak SHA-3 candidates and provide a detailed analysis of how and why the cube attacks succeeded. We also discuss the limits of theoretically extending these attacks to higher rounds. Finally, we provide some preliminary results of applying cube attacks to other SHA-3 candidates.