New Preimage Attacks against Reduced SHA-1

This paper shows preimage attacks against reduced SHA-1 up to 57 steps. The best previous attack was presented at CRYPTO 2009 and covered 48 steps, finding a two-block preimage with incorrect padding at the cost of $$2^{159.3}$$ evaluations of the compression function. For the same variant, our attacks find a one-block preimage at $$2^{150.6}$$ and a correctly padded two-block preimage at $$2^{151.1}$$ evaluations of the compression function. The improved results come out of a differential view on the meet-in-the-middle technique originally developed by Aoki and Sasaki. The new framework closely relates meet-in-the-middle attacks to differential cryptanalysis, which turns out to be particularly useful for hash functions with linear message expansion and weak diffusion properties.
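
The linear message expansion the abstract refers to, shown as an added example that is not code from the paper: SHA-1's expansion uses only XOR and rotation, so the XOR difference of two message blocks fixes the difference in every expanded word, whatever the blocks are. Truncating to the first `steps` steps is an assumption about how the reduced variant is defined, and the helper names and sample blocks are constructed for illustration.

```python
import hashlib
import struct

MASK = 0xFFFFFFFF
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)

def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def expand(block, steps=80):
    """SHA-1 message expansion: 64-byte block -> `steps` 32-bit words."""
    w = list(struct.unpack(">16I", block))
    for t in range(16, steps):
        w.append(rotl(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))
    return w[:steps]

def compress(state, block, steps=80):
    """SHA-1 compression truncated to the first `steps` steps (assumption)."""
    a, b, c, d, e = state
    for t, wt in enumerate(expand(block, steps)):
        if t < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif t < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif t < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        a, b, c, d, e = (rotl(a, 5) + f + e + k + wt) & MASK, a, rotl(b, 30), c, d
    # Feed-forward: add the chaining value to the final register contents.
    return tuple((x + y) & MASK for x, y in zip(state, (a, b, c, d, e)))

def xor_bytes(x, y):
    return bytes(p ^ q for p, q in zip(x, y))

def expansion_is_linear(m1, m2, steps=57):
    """True if expand(m1 ^ m2) equals expand(m1) ^ expand(m2) word by word."""
    lhs = expand(xor_bytes(m1, m2), steps)
    rhs = [p ^ q for p, q in zip(expand(m1, steps), expand(m2, steps))]
    return lhs == rhs

def pad_one_block(msg):
    """Standard SHA-1 padding for a message of at most 55 bytes."""
    return msg + b"\x80" + bytes(55 - len(msg)) + struct.pack(">Q", 8 * len(msg))

if __name__ == "__main__":
    digest = struct.pack(">5I", *compress(IV, pad_one_block(b"abc")))
    print("80-step compress matches hashlib:", digest == hashlib.sha1(b"abc").digest())
    m1, m2 = bytes(range(64)), bytes(range(64, 128))  # constructed sample blocks
    print("57-step expansion linear over XOR:", expansion_is_linear(m1, m2))
```

The comparison with `hashlib` confirms that the expansion and step function are the real SHA-1 ones before the linearity check is relied on.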
