Revision as of 10:16, 17 March 2008

1 Preimage attacks

The resistance of a hash function to collision and (second) preimage attacks depends in the first place on the length $n$ of the hash value. Regardless of how a hash function is designed, an adversary will always be able to find preimages or second preimages after trying out about 2ⁿ different messages. In case an adversary is given 2^k distinct target hashes, preimages can be found after trying about 2^n-k different messages. this is first described in the thesis of Merkle, pages 12-13.

2 Collision attacks

As independently observed by Merkle and Yuval in 1979, finding collisions requires a much smaller number of trials: about 2^n/2, as described subsequently. As a result, hash functions producing less than 160 bits of output are currently considered inherently insecure. Moreover, if the internal structure of a particular hash function allows collisions or preimages to be found more efficiently than what could be expected based on its hash length, then the function is considered to be broken.

Ralph C. Merkle - A Certified Digital Signature

CRYPTO 435:218-238,1989

http://link.springer.de/link/service/series/0558/bibs/0435/04350218.htm
Bibtex

Author : Ralph C. Merkle
Title : A Certified Digital Signature
In : CRYPTO -
Address :
Date : 1989

Jonathan J. Hoch, Adi Shamir - Breaking the ICE - Finding Multicollisions in Iterated Concatenated

and Expanded (ICE) Hash Functions

FSE 4047:179-194,2006

http://dx.doi.org/10.1007/11799313_12
Bibtex

Author : Jonathan J. Hoch, Adi Shamir
Title : Breaking the ICE - Finding Multicollisions in Iterated Concatenated and Expanded (ICE) Hash Functions
In : FSE -
Address :
Date : 2006

2.1 The birthday attack

The birthday attack (also calledsquare-root attack) is a generic attack which considers a hash function as black box. Therefore, a birthday attack is successful for every hash function. For any message m we can compute the n-bit hash value y = h(m). Since at least a fraction 2^-n of the pairs (m,m*) satisfies h(m) = h(m*), one can expect to find a colliding message pair after trying about 2ⁿ, arbitrary message pairs. Nevertheless, it follows from the birthday paradox that one can check 2ⁿ pairs with only 2^n/2 evaluations of h. A birthday attack works as follows: 1. Pick any message m and compute h(m). 2. Update list L. Check if h(m) is in the list L. 2.1. if (h(m),m) is already in L, a colliding message pair has been found. 2.2 else save the pair (h(m),m) in the list L and go back to step 1. From the birthday paradox we know that we can expect to find a matching entry, after performing about 2^n/2 hash evaluations. Note that in a birthday attack an attacker has full control over the messages. Hence, as pointed out by Yuval, this method enables an attacker to construct meaningful collisions.

2.2 Parallel collision search

Paul C. van Oorschot, Michael J. Wiener - {Parallel Collision Search with Cryptanalytic Applications}

J. Cryptology 12(1):1-28,1999

http://link.springer.de/link/service/journals/00145/bibs/12n1p1.html
Bibtex

Author : Paul C. van Oorschot, Michael J. Wiener
Title : {Parallel Collision Search with Cryptanalytic Applications}
In : J. Cryptology -
Address :
Date : 1999

Michael J. Wiener - The Full Cost of Cryptanalytic Attacks

J. Cryptology 17(2):105-124,2004

http://dx.doi.org/10.1007/s00145-003-0213-5
Bibtex

Author : Michael J. Wiener
Title : The Full Cost of Cryptanalytic Attacks
In : J. Cryptology -
Address :
Date : 2004

3 Attacks in the quantum setting

Results of quantum complexity theorists as well as newly invented algorithms suggest that even with the power of hypothetic quantum computers applied against commonly used hash functions, no exponential improvement over classical computers is possible. Here we briefly discuss hash function related aspects of this work.

One of the celebrated results in quantum algorithms is Grover's from 1996: The search for a particular element in an unordered database of size r takes at most O(r^1/2), an actual algorithm is provided that uses xxx memory. Matching lower bounds exist for this problem as well (see Boyer et al. and Zalka). This algorithm is of wide interest as it does not rely on a particular structure of the elements in the search space.

This result has already direct implications on hash functions: There, the search for a preimage or a second preimage is at most as hard as a search in an unordered database, hence security against these types of generic attacks is lowered from 2ⁿ to 2^n/2 in the quantum setting.

How about collision attacks in the quantum setting? Here, the fact that many collisions exist and the problem is to find a single one indeed leads to (both asymptotically and for commonly used finite dimensions) faster algorithms. An actual quantum algorithm for the collision problem is due to Brassard, H{\o}yer, and Tapp from 1997. This combination of Grover's algorithm with the birthday effect yields a runtime of 2^n/3 for a hash function with n bit output size. The algorithm requires \Theta(n^1/3log n) classical bits of memory. To the best of the author's knowledge, no time/memory tradeoffs are known. Is this the best one can do? Nontrivial lower bounds for the collision problem were an open problem for some time. Only in 2001, Aaronson proved a query complexity of \Omega(n^1/5). Subsequent work of Shi improved this bound to \Omega(n^1/4) and finally to \Omega(n^{1/3</sup. As this constitutes a tight bound, indeed one can not do better than
Brassard~\etal. That is, given our current axiomatic assumptions
about the nature of quantum mechanics.}

The bottom line here is as follows. Ignoring practical problems with implementations of large, stable quantum computers, and still requiring a (what now became standard) 128-bit security level gives rise to the following minimal output sizes for hash functions. If only oneway-ness but not collision resistance is required then 256-bits would be enough, for collision resistance at least 384 bits are needed. Of course, these blackbox results might not be the end of the story, dedicated quantum cryptanalytic techniques have not been considered yet. Fast quantum algorithms to compute median and mean values by Grover, and other basic building blocks seem to be an interesting starting point.

@@ Line 14: / Line 14: @@
 Yuval in 1979, finding collisions
 requires a much smaller number of trials: about 2<sup>n/2</sup>, as
-described subsequently in Sect.~\ref{sec:birth}. As a result, hash
+described subsequently. As a result, hash
 functions producing less than 160 bits of output are currently
 considered inherently insecure. Moreover, if the internal structure
@@ Line 70: / Line 70: @@
 The birthday attack (also called''square-root'' attack) is a generic attack which considers a
 hash function as black box. Therefore, a birthday attack is
-successful for every hash function. For any message $m$ we can
+successful for every hash function. For any message m we can
-compute the $n$-bit hash value $y = h(m)$. Since at least a fraction
+compute the n-bit hash value y = h(m). Since at least a fraction
-$2^{-n}$ of the pairs $(m,m^*)$ satisfies $h(m) = h(m^*)$, one can
+<sup>-n</sup> of the pairs (m,m*) satisfies h(m) = h(m*), one can
-expect to find a colliding message pair after trying about $2^n$
+expect to find a colliding message pair after trying about 2<sup>n</sup>,
-arbitrary message pairs, \cf~\eqref{eqn:collision}. Nevertheless, it
+arbitrary message pairs. Nevertheless, it
-follows from the birthday paradox that one can check $2^n$ pairs
+follows from the birthday paradox that one can check 2<sup>n</sup> pairs
-with only $2^{n/2}$ evaluations of $h$. A birthday attack works as
+with only 2<sup>n/2</sup> evaluations of h. A birthday attack works as
 follows:
-\begin{enumerate}
+. Pick any message m and compute h(m).
-  \item Pick any message $m$ and compute $h(m)$.
+. Update list L. Check if h(m) is in the list L.
-  \item Update list $L$ %Check if $h(m)$ is in the list $L$.
+.1.   if (h(m),m) is already in L, a colliding message pair has been found.
-    \begin{itemize}
+.2    else save the pair (h(m),m) in the list L and go back to step 1.
-        \item if $(h(m),m)$ is already in $L$, a colliding message pair has been found.
-        \item else save the pair $(h(m),m)$ in the list $L$ and go back to step 1.
-    \end{itemize}
-\end{enumerate}
 From the birthday paradox we know that we can expect to find a
-matching entry, after performing about $2^{n/2}$ hash evaluations.
+matching entry, after performing about 2<sup>n/2</sup> hash evaluations.
 Note that in a birthday attack an attacker has full control over the
-messages. Hence, as pointed out by Yuval~\cite{}, this method
+messages. Hence, as pointed out by Yuval, this method
 enables an attacker to construct meaningful collisions.
@@ Line 104: / Line 100: @@
    pages     = {1-28},
    url        = {http://link.springer.de/link/service/journals/00145/bibs/12n1p1.html},
-   abstract  = {A simple new technique of parallelizing methods for solving search problems which seek collisions in pseudorandom walks is presented. This technique can be adapted to a wide range of cryptanalytic problems which can be reduced to finding collisions. General constructions are given showing how to adapt the technique to finding discrete logarithms in cyclic groups, finding meaningful collisions in hash functions, and performing meet-in-the-middle attacks such as a known-plaintext attack on double encryption. The new technique greatly extends the reach of practical attacks, providing the most cost-effective means known to date for defeating: the small subgroup used in certain schemes based on discrete logarithms such as Schnorr, DSA, and elliptic curve cryptosystems; hash functions such as MD5, RIPEMD, SHA-1, MDC-2, and MDC-4; and double encryption and three-key triple encryption. The practical significance of the technique is illustrated by giving the design for three $10 million custom machines which could be built with current technology: one finds elliptic curve logarithms in $GF(2^{155})$ thereby defeating a proposed elliptic curve cryptosystem in expected time 32 days, the second finds MD5 collisions in expected time 21 days, and the last recovers a double-DES key from two known plaintexts in expected time 4 years, which is four orders of magnitude faster than the conventional meet-in-the-middle attack on double-DES. Based on this attack, double-DES offers only 17 more bits of security than single-DES.},
+   abstract  = {A simple new technique of parallelizing methods for solving search problems which seek collisions in pseudorandom walks is presented. This technique can be adapted to a wide range of cryptanalytic problems which can be reduced to finding collisions. General constructions are given showing how to adapt the technique to finding discrete logarithms in cyclic groups, finding meaningful collisions in hash functions, and performing meet-in-the-middle attacks such as a known-plaintext attack on double encryption. The new technique greatly extends the reach of practical attacks, providing the most cost-effective means known to date for defeating: the small subgroup used in certain schemes based on discrete logarithms such as Schnorr, DSA, and elliptic curve cryptosystems; hash functions such as MD5, RIPEMD, SHA-1, MDC-2, and MDC-4; and double encryption and three-key triple encryption. The practical significance of the technique is illustrated by giving the design for three $10 million custom machines which could be built with current technology: one finds elliptic curve logarithms in GF2<sup>155</sup>) thereby defeating a proposed elliptic curve cryptosystem in expected time 32 days, the second finds MD5 collisions in expected time 21 days, and the last recovers a double-DES key from two known plaintexts in expected time 4 years, which is four orders of magnitude faster than the conventional meet-in-the-middle attack on double-DES. Based on this attack, double-DES offers only 17 more bits of security than single-DES.},
 }
 </bibtex>
@@ Line 130: / Line 126: @@
 One of the celebrated results in quantum algorithms is
-Grover's~\cite{Grover1996AFastQuantum} from 1996.
+Grover's from 1996: The search for a particular element in an unordered database of size
-%(building up on pioneering work of Deutsch, etc..~\cite{}):
+r takes at most O(r<sup>1/2</sup>), an actual algorithm is provided that
-The search for a particular element in an unordered database of size
-$r$ takes at most $O(r^{1/2})$, an actual algorithm is provided that
 uses xxx memory. Matching lower bounds exist for this problem as
-well~\cite{boyer98tight,zalka99GroversQuantumSearching}. This
+well (see Boyer et al. and Zalka). This
 algorithm is of wide interest as it does not rely on a particular
 structure of the elements in the search space.
@@ Line 142: / Line 136: @@
 There, the search for a preimage or a second preimage is at most as
 hard as a search in an unordered database, hence security against
-these types of generic attacks is lowered from $2^{n}$ to $2^{n/2}$
+these types of generic attacks is lowered from 2<sup>n</sup> to 2<sup>n/2</sup>
 in the quantum setting.
@@ Line 148: / Line 142: @@
 that many collisions exist and the problem is to find a single one
 indeed leads to (both asymptotically and for commonly used finite
-dimensions\todo{better wording than finite dim. needed!}) faster
+dimensions) faster
 algorithms. An actual quantum algorithm for the collision problem is
 due to Brassard, H{\o}yer, and
-Tapp~\cite{DBLP:conf/latin/BrassardHT98} from 1997. This combination
+Tapp from 1997. This combination
-of Grover's algorithm with the birthday effect yields a runtime of
+of Grover's algorithm with the birthday effect yields a runtime of 2<sup>n/3</sup> for a hash function with n bit output size. The
-$2^{n/3}$ for a hash function with $n$ bit output size. The
+algorithm requires \Theta(n<sup>1/3</sup>log n) classical bits of
-algorithm requires $\Theta(n^{1/3}$log $n)$ classical bits of
 memory. To the best of the author's knowledge, no time/memory
 tradeoffs are known. Is this the best one can do? Nontrivial lower
 bounds for the collision problem were an open problem for some time.
-Only in 2001, Aaronson~\cite{DBLP:conf/stoc/Aaronson02} proved a
+Only in 2001, Aaronson proved a
-query complexity of $\Omega(n^{1/5})$. Subsequent work of Shi
+query complexity of \Omega(n<sup>1/5</sup>). Subsequent work of Shi
-improved this bound to $\Omega(n^{1/4})$ and finally to
+improved this bound to \Omega(n<sup>1/4</sup>) and finally to
-$\Omega(n^{1/3})$(\cite{DBLP:conf/focs/Shi02,DBLP:journals/jacm/AaronsonS04}).
+\Omega(n<sup>1/3</sup. As this constitutes a tight bound, indeed one can not do better than
-As this constitutes a tight bound, indeed one can not do better than
 Brassard~\etal. That is, given our current axiomatic assumptions
 about the nature of quantum mechanics.
@@ Line 175: / Line 167: @@
 of the story, dedicated quantum cryptanalytic techniques have not
 been considered yet. Fast quantum algorithms to compute median and
-mean values~\cite{DBLP:conf/stoc/Grover98}, and other basic building
+mean values by Grover, and other basic building
 blocks seem to be an interesting starting point.

Difference between revisions of "GenericAttacksHash"

Revision as of 10:16, 17 March 2008

Contents

1 Preimage attacks

2 Collision attacks

2.1 The birthday attack

2.2 Parallel collision search

3 Attacks in the quantum setting

Navigation menu

Views

Personal tools

Navigation

Search

Tools