Cryptography Reference
A Output Tailoring of HAS-V
When the length of output is shorter than 320, the output tailoring shown in
Table 9 is applied, where A B C D E A B C D E is a 320-bit output of the HAS-V
compression function, and suffix[u v] means the bit-string extracted from bit
positions v to u and the rightmost bit is the 0th bit.
B Additional Attacks
This section describes the evidence why the attacks work correctly. The details
are very complicated so we did not include these results in the main body of the
paper.
B.1 Efficient Pseudo-preimage Conversion Using a Partial-Multi-collision
This section describes an efficient conversion from pseudo-preimages to a
preimage by combining the property of non-injective step functions with the
idea of multi-collisions proposed by Joux [16]. This method can be used for
both modular-addition feed-forward and XOR feed-forward. Because the attack in
Section 3.2 can directly find preimages and has a lower level of complexity,
the impact of this attack on PKC98-Hash is limited. However, the attack would
be useful for learning the behavior of non-injective functions, and thus we
explain the attack.
The attack generates a preimage of 34 blocks. For a given $H_{34}$, compute as
follows. The attack is also illustrated in Fig. 5.
 