Difference between revisions of "Tiger"
From The ECRYPT Hash Function Website
m (Two Passes of Tiger Are Not One-Way) |
m (Preimage Attacks on Reduced Tiger and SHA-2) |
||
| (One intermediate revision by the same user not shown) | |||
| Line 112: | Line 112: | ||
=== Preimage Attacks === | === Preimage Attacks === | ||
| + | |||
| + | <bibtex> | ||
| + | @INPROCEEDINGS{fseIsobeS09, | ||
| + | author = {Takanori Isobe and Kyoji Shibutani}, | ||
| + | title = {Preimage Attacks on Reduced Tiger and SHA-2}, | ||
| + | booktitle = {Fast Software Encryption}, | ||
| + | year = {2009}, | ||
| + | editor = {Dunkelman, Orr}, | ||
| + | volume = {5665}, | ||
| + | series = {LNCS}, | ||
| + | pages = {139-155}, | ||
| + | publisher = {Springer}, | ||
| + | url = {http://dx.doi.org/10.1007/978-3-642-03317-9} | ||
| + | abstract = {This paper shows new preimage attacks on reduced Tiger and SHA-2. | ||
| + | Indesteege and Preneel presented a preimage attack on Tiger reduced | ||
| + | to 13 rounds (out of 24) with a complexity of 2^{128.5}. Our new | ||
| + | preimage attack finds a one-block preimage of Tiger reduced to 16 | ||
| + | rounds with a complexity of 2^{161}. The proposed attack is based | ||
| + | on meet-in-the-middle attacks. It seems difficult to find “independent | ||
| + | words” of Tiger at first glance, since its key schedule function | ||
| + | is much more complicated than that of MD4 or MD5. However, we developed | ||
| + | techniques to find independent words efficiently by controlling its | ||
| + | internal variables. Surprisingly, the similar techniques can be applied | ||
| + | to SHA-2 including both SHA-256 and SHA-512. We present a one-block | ||
| + | preimage attack on SHA-256 and SHA-512 reduced to 24 (out of 64 and | ||
| + | 80) steps with a complexity of 2^{240} and 2^{480}, respectively. | ||
| + | To the best of our knowledge, our attack is the best known preimage | ||
| + | attack on reduced-round Tiger and our preimage attack on reduced-step | ||
| + | SHA-512 is the first result. Furthermore, our preimage attacks can | ||
| + | also be extended to second preimage attacks directly, because our | ||
| + | attacks can obtain random preimages from an arbitrary IV and an arbitrary | ||
| + | target.}, | ||
| + | } | ||
| + | </bibtex> | ||
<bibtex> | <bibtex> | ||
| Line 128: | Line 162: | ||
In this article, we show a preimage attack on Tiger with two passes (16 rounds) with a complexity of about 2^174 compression function evaluations. Furthermore, we show how the attack can be extended to 17 rounds with a complexity of about 2^185. Even though the attacks are only slightly faster than brute force search, they present a step forward in the cryptanalysis of Tiger. | In this article, we show a preimage attack on Tiger with two passes (16 rounds) with a complexity of about 2^174 compression function evaluations. Furthermore, we show how the attack can be extended to 17 rounds with a complexity of about 2^185. Even though the attacks are only slightly faster than brute force search, they present a step forward in the cryptanalysis of Tiger. | ||
} | } | ||
| + | </bibtex> | ||
| + | |||
| + | <bibtex> | ||
| + | @inproceedings{DBLP:conf/weworc/IndesteegeP07, | ||
| + | author = {Sebastiaan Indesteege and | ||
| + | Bart Preneel}, | ||
| + | title = {Preimages for Reduced-Round Tiger}, | ||
| + | year = {2007}, | ||
| + | pages = {90-99}, | ||
| + | url = {http://dx.doi.org/10.1007/978-3-540-88353-1_8}, | ||
| + | editor = {Stefan Lucks and | ||
| + | Ahmad-Reza Sadeghi and | ||
| + | Christopher Wolf}, | ||
| + | booktitle = {WEWoRC}, | ||
| + | publisher = {Springer}, | ||
| + | series = {LNCS}, | ||
| + | volume = {4945}, | ||
| + | abstract = {The cryptanalysis of the cryptographic hash function Tiger has, until now, focussed on finding collisions. In this paper we describe a preimage attack on the compression function of Tiger-12, i.e., Tiger reduced to 12 rounds out of 24, with a complexity of 2^63.5 compression function evaluations. We show how this can be used to construct second preimages with complexity 2^63.5 and first preimages with complexity 2^64.5 for Tiger-12. These attacks can also be extended to Tiger-13 at the expense of an additional factor of 2^64 in complexity. }, | ||
| + | } | ||
| + | |||
| + | |||
</bibtex> | </bibtex> | ||
Latest revision as of 15:10, 18 September 2009
Contents
1 Specification
- digest size: 192/160/128 bits
- max. message length: < 264 bits
- compression function: 512-bit message block, 192-bit chaining variable
- Specification: Tiger: A Fast New Cryptographic Hash Function
Ross J. Anderson, Eli Biham - TIGER: A Fast New Hash Function
- FSE 1039:89-97,1996
- http://dx.doi.org/10.1007/3-540-60865-6
BibtexAuthor : Ross J. Anderson, Eli Biham
Title : TIGER: A Fast New Hash Function
In : FSE -
Address :
Date : 1996
2 Cryptanalysis
2.1 Best Known Results
The best known attack is a 1-bit circular pseudo-near-collision for Tiger with a complexity of about 247 of Mendel and Rijmen. The best collision attack on Tiger was presented by Mendel et al. for Tiger reduced to 19 out of 24 rounds. The attack has a complexity of about 262.
2.2 Generic Attacks
2.3 Collision Attacks
Florian Mendel, Vincent Rijmen - Cryptanalysis of the Tiger Hash Function
- ASIACRYPT 4833:536-550,2007
- http://dx.doi.org/10.1007/978-3-540-76900-2_33
BibtexAuthor : Florian Mendel, Vincent Rijmen
Title : Cryptanalysis of the Tiger Hash Function
In : ASIACRYPT -
Address :
Date : 2007
Florian Mendel, Bart Preneel, Vincent Rijmen, Hirotaka Yoshida, Dai Watanabe - Update on Tiger
- INDOCRYPT 4329:63-79,2006
- http://dx.doi.org/10.1007/11941378_6
BibtexAuthor : Florian Mendel, Bart Preneel, Vincent Rijmen, Hirotaka Yoshida, Dai Watanabe
Title : Update on Tiger
In : INDOCRYPT -
Address :
Date : 2006
John Kelsey, Stefan Lucks - Collisions and Near-Collisions for Reduced-Round Tiger
- FSE 4047:111-125,2006
- http://dx.doi.org/10.1007/11799313_8
BibtexAuthor : John Kelsey, Stefan Lucks
Title : Collisions and Near-Collisions for Reduced-Round Tiger
In : FSE -
Address :
Date : 2006
2.4 Second Preimage Attacks
2.5 Preimage Attacks
Takanori Isobe, Kyoji Shibutani - Preimage Attacks on Reduced Tiger and SHA-2
- Fast Software Encryption 5665:139-155,2009
- http://dx.doi.org/10.1007/978-3-642-03317-9
BibtexAuthor : Takanori Isobe, Kyoji Shibutani
Title : Preimage Attacks on Reduced Tiger and SHA-2
In : Fast Software Encryption -
Address :
Date : 2009
Florian Mendel - Two Passes of Tiger Are Not One-Way
- AFRICACRYPT 5580:29-40,2009
- http://dx.doi.org/10.1007/978-3-642-02384-2_3
BibtexAuthor : Florian Mendel
Title : Two Passes of Tiger Are Not One-Way
In : AFRICACRYPT -
Address :
Date : 2009
Sebastiaan Indesteege, Bart Preneel - Preimages for Reduced-Round Tiger
- WEWoRC 4945:90-99,2007
- http://dx.doi.org/10.1007/978-3-540-88353-1_8
BibtexAuthor : Sebastiaan Indesteege, Bart Preneel
Title : Preimages for Reduced-Round Tiger
In : WEWoRC -
Address :
Date : 2007
