Preimage Attacks against PKC98-Hash and HAS-V - Information Security and Cryptology-ICISC 2010

Cryptography Reference

In-Depth Information

- For Step 98, we want to ignore C 98 (= E 100 ). This can be achieved by

B 98 = E 98 (= D 97 ). Using the condition in Step 97, we have

⊕

D ≪ 2

100 = E 99

⊕

(8)

- For Step 99, we need to ignore D 99 (= E 100 ). This can be achieved by

B 99 = E 99 .Thatis,

C ≪ 2

100 = E 99 .

(9)

Focusing on Eq. (7), for all possible H D , we can only adjust the least significant

8bitsof D 100 at most. The adjustment is achieved by E [7 − 0] , and its value

determines the least significant 8 bits of E 100 . From Eqs. (8) and (9), we need

to satisfy

D ≪ 2

100 = C ≪ 2

⊕

100 .

(10)

D 100 =

(1+ D 100 )and D 100 = H D −

Rotating two bits, and substituting 1

⊕

−

D 0 −

E [7 − 0] and C 100 = H C −

C 0 −

E [15 − 8] ,wehave E [15 − 8] + E [7 − 0] =

D 0 +1. Since we can choose an arbitrary value for E 99 using

X 0 , the least significant 9 bits of Eq. (10) can almost always be satisfied using

E [15 − 8] and E [7 − 0] . This condition can cancel the influence of the following

computation in D 99[10 − 2] (= E 100[10 − 2] )and C 98[10 − 2] (= E 100[10 − 2] ). The

range we want to cancel is [7

C 0 −

H C + H D −

0] in E 100 , the shared bits we can cancel are

E 100[7 − 2] . Thus, we choose E 99 ←

−

C ≪ 2

100 , and adjust the least significant few

bits of D 100 .

When all bits in E and E are determined, all variables in Table 10 are deter-

mined. We choose E and E to satisfy the remaining and unsatisfied condition

B 99[7 − 2] = E 99[7 − 2] and B 98[7 − 2] = E 98[7 − 2] which comes from Eqs. (6) and

(8) as follows.

1. Fix E [15 − 8] randomly.

2. Compute C

E [15 − 8] ,and C 100 ←

C 0 .

←

H C −

−

3. Compute E 100[7 − 0] ←

( C ≪ 2

100 ) [7 − 0] to satisfy the part of Eq. (6), and

E 100[7 − 0] + E 0[7 − 9] (mod 2 8 ).

4. Compute D

E [7 − 0] ←

←

H D −

E [7 − 0] and D 100 ←

−

D 0 . Compute C 100[7 − 0] ←

D 100 ) [7 − 0] to satisfy the part of Eq. (8).

5. Compute C [7 − 0] ←

( 1

⊕

C 100[7 − 0] + C 0[7 − 0] (mod 2 8 )and E [15 − 8] ←

H C [7 − 0] −

C [7 − 0] (mod 2 8 ).

6. Choose E [31 − 16] , E [31 − 16] ,and E [7 − 0] randomly, and compute A , B ,

... , E . Note that some bits are already determined.

7. Compute the intermediate variables A j , B j , ... , E j for j =97 , 98 , 99 , 100,

and A j , B j , ... , E j for j =98 , 99 , 100. Note that some bits are already

determined.

8. Reversely compute the message words X 10 , X 4 , X 0 , Y 4 ,and Y 0 using Eq. (3).

We are now ready to write the detailed attack procedure.

1. Choose all message words that are not determined yet.

Information Security and Cryptology-ICISC 2010

Search WWH ::

Custom Search

Home