Cryptography Reference
In-Depth Information
Table 7.
Intermediate Variables in the Last 2 Steps
A
j
B
j
C
j
D
j
E
j
A
j
B
j
C
j
D
j
E
j
w
j
w
j
j
98
C
≪2
100
D
≪2
100
E
100
E
100
C
≪2
100
D
≪2
100
E
100
E
100
x
y
X
4
Y
4
B
100
C
≪2
100
D
100
E
100
E
100
B
100
C
≪2
100
D
100
E
100
E
100
X
0
99
Y
0
A
100
B
100
C
100
D
100
E
100
A
100
B
100
C
100
D
100
E
100
100
1. For a given hash value and initial value
H
0
, compute
A
100
,
B
100
,
...
,
E
100
by reversely applying the feed-forward operation.
2. Compute
A
j
,
B
j
,
...
,
E
j
for
j
=98
,
99 as specified in Table 7, and
message words
X
0
,
Y
0
,
X
4
,and
Y
4
by solving the first assignment line for
w
j
in Eq. (3).
3. Set
Y
13
,
Y
14
,and
Y
15
as an appropriate padding rule for a 1-block message.
4. Set non-specified message words
X
j
and
Y
j
randomly, compute Steps 0 to
97, and confirm whether or not the output of Step 97
p
98
p
98
matches
C
≪
2
100
D
≪
2
100
C
≪
2
100
D
≪
2
100
E
100
E
100
∗
E
100
E
100
∗
The match will occur with the probability 2
−
256
, and we expect to find a
preimage in 2
256
.
Since the output tailoring function of HAS-V can easily be inverted, we can also
compute 1-block preimages of HAS-V-288 with the complexity of 2
256
.
4.2
A Pseudo-preimage Attack
Section 2.4 describes a pseudo-preimage attack in 2
160
. We further reduce the
complexity by combining the idea described in Section 4.1. Note that this attack
is a pseudo-preimage attack and thus the goal is finding a pair of
h
i
g
i
and
M
i
which generates a given hash value
h
i
+1
g
i
+1
(
g
i
can be given instead of being
chosen by the attacker). This attack uses the left half of Table 7.
g
i
+1
and right half of input
g
i
, compute
A
100
,
B
100
,
...
,
E
100
(only the left side) by reversely applying the feed-forward
operation, namely
g
i
+1
−
1. For given hash value
h
i
+1
g
i
.
2. Set
A
j
,
B
j
,
...
,
E
j
for
j
=98
,
99 as specified in Table 7, so that
A
100
,
B
100
,
...
,
E
100
can be achieved for any unfixed value
x
. Compute
X
0
and
X
4
using Eq. (3).
3. Set
Y
13
,
Y
14
,and
Y
15
as an appropriate padding rule for a 1-block message.
4. Generate non-specified message words
X
j
and
Y
j
randomly, and compute
the following.
p
0
←
g
i
,
p
j
+1
←
R
(
p
j
,w
j
)
for
j
=0
,
1
,...,
99
,
p
0
p
100
,
←
h
i
+1
−
p
j
+1
←
R
(
p
j
,w
j
)
for
j
=0
,
1
,...,
97
.
Search WWH ::
Custom Search