Difference between revisions of "SMASH"

From The ECRYPT Hash Function Website
(Second Preimage Attacks)
(Best Known Results)
 
(9 intermediate revisions by 4 users not shown)
Line 1: Line 1:
== Spezification ==
+
== Specification ==
  
<!--
+
* digest size: 160 bits
+
* digest size: 256/512 bits
* max. message length: < 2<sup>64</sup> bits
+
* max. message length: < 2<sup>128</sup> / < 2<sup>256</sup>bits
* compression function: 512-bit message block, 160-bit chaining variable
+
* compression function: 256/512-bit message block, 256/512-bit chaining variable
 
* Specification:  
 
* Specification:  
-->
+
 
 +
<bibtex>
 +
@inproceedings{fseKnudsen05,
 +
  author    = {Lars R. Knudsen},
 +
  title    = {SMASH - A Cryptographic Hash Function},
 +
  pages    = {228-242},
 +
  url        = {http://dx.doi.org/10.1007/11502760_15},
 +
  editor    = {Henri Gilbert and Helena Handschuh},
 +
  booktitle = {FSE},
 +
  publisher = {Springer},
 +
  series    = {LNCS},
 +
  volume    = {3557},
 +
  year      = {2005},
 +
  isbn      = {3-540-26541-4},
 +
  abstract  = {This paper presents a new hash function design, which is different from the popular designs of the MD4-family. Seen in the light of recent attacks on MD4, MD5, SHA-0, SHA-1, and on RIPEMD, there is a need to consider other hash function design strategies. The paper presents also a concrete hash function design named SMASH. One version has a hash code of 256 bits and appears to be at least as fast as SHA-256.},
 +
}
 +
</bibtex>
  
 
== Cryptanalysis ==
 
== Cryptanalysis ==
Line 12: Line 28:
  
 
=== Best Known Results ===
 
=== Best Known Results ===
 
+
Practical collision and second preimage attacks. No preimage attacks.
 
----
 
----
  
Line 21: Line 37:
  
 
=== Collision Attacks ===
 
=== Collision Attacks ===
 +
<bibtex>
 +
@inproceedings{sacryptPramstallerRR05,
 +
  author    = {Norbert Pramstaller and Christian Rechberger and Vincent Rijmen},
 +
  title    = {Breaking a New Hash Function Design Strategy Called SMASH},
 +
  booktitle = {Selected Areas in Cryptography},
 +
  year      = {2005},
 +
  pages    = {233-244},
 +
  url        = {http://dx.doi.org/10.1007/11693383_16},
 +
  editor    = {Bart Preneel and Stafford E. Tavares},
 +
  publisher = {Springer},
 +
  series    = {LNCS},
 +
  volume    = {3897},
 +
  isbn      = {3-540-33108-5},
 +
  abstract  = {We present a collision attack on SMASH. SMASH was proposed as a new hash function design strategy that does not rely on the structure of the MD4 family. The presented attack method allows us to produce almost any desired difference in the chaining variables of the iterated hash function. Due to the absence of a secret key, we are able to construct differences with probability 1. Furthermore, we get only few constraints on the colliding messages, which allows us to construct meaningful collisions. The presented collision attack uses negligible resources and we conjecture that it works for all hash functions built following the design strategy of SMASH.},
 +
}
 +
</bibtex>
  
 
----
 
----
Line 31: Line 63:
 
   title    = {Second Preimages for SMASH},
 
   title    = {Second Preimages for SMASH},
 
   booktitle = {CT-RSA},
 
   booktitle = {CT-RSA},
 +
  series    = {LNCS},
 
   year      = {2007},
 
   year      = {2007},
 
   pages    = {101-111},
 
   pages    = {101-111},
   ee        = {http:/dx.doi.org/10.1007/11967668_7},
+
   url      = {http://dx.doi.org/10.1007/11967668_7},
  
 
   abstract  = {This article presents a rare case of a deterministic second preimage attack on a cryptographic hash function. Using the notion of controllable output differences, we show how to construct second preimages for the SMASH hash functions. If the given preimage contains at least n+1 blocks, where n is the output length of the hash function in bits, then the attack is deterministic and requires only to solve a set of n linear equations. For shorter preimages, the attack is probabilistic.} }   
 
   abstract  = {This article presents a rare case of a deterministic second preimage attack on a cryptographic hash function. Using the notion of controllable output differences, we show how to construct second preimages for the SMASH hash functions. If the given preimage contains at least n+1 blocks, where n is the output length of the hash function in bits, then the attack is deterministic and requires only to solve a set of n linear equations. For shorter preimages, the attack is probabilistic.} }   

Latest revision as of 14:17, 27 March 2008

1 Specification

  • digest size: 256/512 bits
  • max. message length: < 2128 / < 2256bits
  • compression function: 256/512-bit message block, 256/512-bit chaining variable
  • Specification:

Lars R. Knudsen - SMASH - A Cryptographic Hash Function

FSE 3557:228-242,2005
http://dx.doi.org/10.1007/11502760_15
Bibtex
Author : Lars R. Knudsen
Title : SMASH - A Cryptographic Hash Function
In : FSE -
Address :
Date : 2005

2 Cryptanalysis

2.1 Best Known Results

Practical collision and second preimage attacks. No preimage attacks.


2.2 Generic Attacks


2.3 Collision Attacks

Norbert Pramstaller, Christian Rechberger, Vincent Rijmen - Breaking a New Hash Function Design Strategy Called SMASH

Selected Areas in Cryptography 3897:233-244,2005
http://dx.doi.org/10.1007/11693383_16
Bibtex
Author : Norbert Pramstaller, Christian Rechberger, Vincent Rijmen
Title : Breaking a New Hash Function Design Strategy Called SMASH
In : Selected Areas in Cryptography -
Address :
Date : 2005

2.4 Second Preimage Attacks

Mario Lamberger, Norbert Pramstaller, Christian Rechberger, Vincent Rijmen - Second Preimages for SMASH

CT-RSA pp. 101-111,2007
http://dx.doi.org/10.1007/11967668_7
Bibtex
Author : Mario Lamberger, Norbert Pramstaller, Christian Rechberger, Vincent Rijmen
Title : Second Preimages for SMASH
In : CT-RSA -
Address :
Date : 2007

2.5 Preimage Attacks


2.6 Others