Attacks on Cryptographic Hash Functions and Advances Arvind K

Home , Fugue (hash function), Length extension attack, Secure Hash Algorithms

INTERNATIONAL JOURNAL OF INFORMATION AND COMPUTING SCIENCE ISSN NO: 0972-1347

Attacks on Cryptographic Hash Functions and Advances Arvind K. Sharma1, Dr.S.K. Mittal2, Dr.Sumit Mittal3

1,3 Department of Computer Applications (MMICT&BM) Maharishi Markandeshwar University, Mullana, Ambala (Haryana), India University School of Engineering & Technology2 Rayat Bahra University, Sahibzada Ajit Singh Nagar (Punjab), India Email: [email protected], [email protected], [email protected]

Abstract: −− Cryptographic Hash Functions have a distinct importance in the area of Network Security or Internet Security as compare to Symmetric and Public Key Encryption-Decryption techniques. Major issues primarily which resolved by any hash algorithm, are to manage the Integrity and Authenticity of messages which are to be transmitting between communicating parties and users with digital signatures. Hash function also utilized for fixed length secrect key generation in Symmetric and Public Key Cryptosystems. Different level of security provided by different algorithms depending on how difficult is to break them. The most well-known hash algorithms are MD4, MD5, SHA, JH, Skein, Grøstl, Blake, Hamsi, Fugue, Crush, Whirlpool, Tav etc. In this paper we are discussing importance of hash functions, hash functions widely used in networking, most importantly various Attacks applicable on hash functions and compression functions utilized by hash functions.

Keywords: Algorithms; Compression Function, Cipher; Stream; Block; Confidentiality; Integity; Authentication; Server; Message-Digest, Message-Block, Non-repudation;Differential;

Communication between at-least two parties using a network may uses Encryption-Decryption 1. Introduction techniques to maintain privacy. And for Security and Privacy in interconnected authentication purpose apart from Encryption- domain means to preserve the Confidentiality, Decryption techniques Hash Functions most Integrity and Authenticity of messages as well as widely used. The world is becoming more manages the Accountability and Authorization of interconnected with the help of Internet and new resources to be used. Security initializes with networking technologies and there is huge Authorization i.e. enterance to particular system amount of personal, military, commercial, and commonly with the help of pre-specified government information on networking credentials like username and password. infrastructures worldwide available. So it‟s Network Security consists of the Policies important to find out who is transmitting critical adopted or Rules specified by a Network data and who is receving, this will be take care Analysist, Administrator or Cyber Security by accountabilty policies managed by Experts to prevent and track unauthorized access administrator. But how to identify wheather data (i.e., with ACL, Logs, Firewalls) and received by one user is sent or e-mailed by valid modification in system and, denial of a computer user or the data received is actual one and not network and network resources. If a user manipulated (i.e., Non-Repudation, Integrity). authorized to do something still, a firewall forces All these issues resolved by proving the to access policies or rules such as what services authenticity of data and user with the help of are allowed to be accessed for that network user hash function individually or with digital and to that user w.r.t. current location, as some signatures scheme. As these systems quite services only to be accessed by authorized users helpful for us to manage various networking in intranet not on internet. So these policies are problems, still these are vulnerable to attacks too, okay to prevent unauthorized access to system, so in this paper we‟re importantly focusing on but this component may fail to check potentially attacks which can be applied to hash functions or harmful content such as computer Worms or compression functions and it‟s level of impact. Trojans being transmitted over the network. Organization of the Paper: The rest of the Anti-virus software or an Intrusion Detection paper is organized as follow. Section II describe System (IDS) help detect the Malware.

Volume 5, Issue 11, November 2018 89 http://ijics.com INTERNATIONAL JOURNAL OF INFORMATION AND COMPUTING SCIENCE ISSN NO: 0972-1347

in brief about Hash Functions and, Properties of easy to generate a message code of given Hash Functions and their Varients, Section III message but hard to generate a message back describe Types of Attacks and it‟s impact on from given digest. The fifth requirement also Hash Functions, we are winding our work with known as Second pre-image resistance or conclusion and my future work with some new Collision resistance property guarantees that an techniques. And at end acknowledgement, alternative message hashing to the same code as References takes place. a given message cannot be found. 2. Cryptographic Hash Functions The term hash function has been used in computer science and it refers to a function that compresses a message of arbitrary lenght to a message of fixed length called Message Digest. However if it satisfies some additional requirements, then it can be used for cryptographic applications and then known as Cryptographic Hash functions. Cryptographic Hash functions are most important tool in the stream of Security and Cryptography and are Fig 2.1: Hash Function [24] used to achieve a number of security goals like authenticity, digital signatures, pseudo number There are various Hash functions exists in the generation, digital time stamping etc. Hash history and current market, many of them are Function may be of two types Keyed and Un- used continuely from a decade in order to Keyed. Keyed Hash Functions use secret key provide services after updations, because of there (Salt) for computing the digest and these are also well known security and other properties. We‟re known as MAC (Message Authentication Code) using these variants as per requirements and but in other we are not using any secret key. when need ariese such that, for systems like Secret key can be distributed in a secure way also where lower level of security required like: OTP to the parties. It‟ll be nice to use random key generation for few seconds, or for few minutes or generation system there, or take a help of well in wireless sensons services it‟s better to use MD known technologies like Kerberos, Radius or family based hash function or light weight hash Certificates.. functions like: Locha, Photon, Quark etc. which have small digest size, because these services are One-way Hash Function (OWHF) defined by frequent onces and expired after a certain time Merkle [3] is a hash function „H‟, that satisfies period (Timestamp) so, there is no need to go for the following requirements: those hash functions which have a very complex 1. H can be applied to Block of data of any structure to execute through, high power length. (any length means size of Block must consumption and large digest size. On the other be greater than size of Digest we conclude at hand where we required to store Passwords, the end). Keys, etc. for long period of time it‟s highly 2. H produces a fixed-length output i.e., recommended that we opt for highly secure hash Message Digest. functions like: SHA family, SHA-1, SHA-2, SHA-3, JH, Skein, Grøstl, Blake, Hamsi, Fugue, 3. Given H and x (any given input), it is easy to Crush, Whirlpool, Tav etc. As I already computer Message Digest H(x). discussed in detail about variou Hash Function in 4. Given H and H(x), it is computationally my previously published Research article [32] so infeasible to find x. here I just closed this section just with MD(x) and SHA only. 5. Given H and H(x), it is computationally infeasible to find x and x‟ such that H(x) = MD(x) H(x‟). Ivan Damgard [2] and Ralph Merkle [3] in The first three requirements are must for 1989 independently proposed the iterative practical applications of a hash function to technique for construction of collision resistant message authentication and digital signatures. hash function by using fixed length input The fourth requirement also known as pre-image compression function. Both give proof(s) in their resistance or one way property, states that it is researh papers [3], [2] that if there exists a fixed

Volume 5, Issue 11, November 2018 90 http://ijics.com INTERNATIONAL JOURNAL OF INFORMATION AND COMPUTING SCIENCE ISSN NO: 0972-1347

length collision resistant compression function: f: and the block permutation is applied if additional {0,1}a X {0,1}b → {0,1}c then one can design a output is desired. Central to the Sponge variable length input collision resistant hash construction is capacity „c‟ of hash function and function H: {0,1}* → {0,1}n ,by repeatedly it can be adjusted based on security requirements. iterating that compression function. This scheme SHA-3 [10] final round candidate algorithm is now mostly called Merkle-Damgard Keccak [10] is a hash function based on Sponge construction. construction only and it sets a conservative c = 2n, where „n‟ is the size of the output hash. Now SHA in the next section we‟re proceeding with various SHA is called Secure Hash Algorithms, types of attack(s) possible on cryptographic hash which is most widely used hash function till date function and it‟s insider compression function. in many different places like: Software(s), Websites, OS, Servers, Banking Systems and in 3. Attack on Hash Functions Back-end Databases etc. It was first proposed by Uses of Hash Functions is well known to National Institute of Standard and Technology persons who‟re working in the area of (NIST), United States in late 1993. It based on Cryptography i.e., branch of Networking and the same design strategy as used by MD(x) Securiy, As Hash functions properly providing family and was published as (FIPS-180) in 1993 necessary security services from long ago w.r.t. [6-9]. A revised version was issued as (FIPS- requirements and it‟s not possible easily to crack 180-1) in 1995 and is generally known as SHA-1 it but still there are major issues existed which [6-9]. When revised version of SHA-1 was directly or indirectly helps cracker(s) to break the published no details of the weaknesses found in security of hash functions or compression SHA-0 (originally SHA) were provided [6-9]. In functions upto some extent. That particular 2002, NIST produced a revised version of the section fully dedicated to the various type of standard known as SHA-2 (FIPS-180-2) [6-9] attacks possible on different/simillar hash and defined three new versions of SHA-2 with functions. digest lengths of 256, 384 and 512 and known as SHA-256, SHA-384, and SHA-512 respectively. Brute Force Attack In October 2008, (FIPS-180-2) has been replaced Brute Force Attack is the only attack which by (FIPS-180-3) [6-9] and in new standard SHA- actually works on all cryptographic hash 224 has been added which is same as other SHA functions, it‟s the exhaustive search (for algorithm producing 224 bits of message digest. message) i.e., every possible way to traverse the All these SHA versions are based on the same algorithms with the help of output (digest) . As in principle of MD(x) and hash length has changed Cryptographic Encryption-Decryption systems and certain other improvements have been take this attack find the secret key, simillary here it places from one version to next. Apart from this finds actual message from which digest when NIST announced for invention of new genereated by the respective algorithm of desired SHA standard i.e., (SHA-3 which was originally length. For message digest of length „n‟ level of published in 2015 after completion of effors required by brute force to crack it are as competition which was commenced on follow: November 02, 2007 and ended on October 02, 2012), SHA-3 was proposed by G. Bertoniet. Pre-Image Attack [10] (Keccak) proposed sponge construction a Efforts required to succedes is 2n, i.e., new way to design hash functions apart from attacker evalutes has function „H( )‟ with the order strategy based upon MD(x), that map to the digest „(h)‟ of length „n‟ with every possible random oracle. The sponge construction operates input message („M‟) until find the digest „(h)‟ on a state of b = r + c bits, „r‟ is called bit-rate from inputed message. and „c‟ is capacity. Initially all the „b‟ bits of state are set to zero and message is padded and Second Pre-Image Attack divided into block of „r‟ bits each. Then sponge Efforts required to succedes is 2n, i.e., construction proceeds in two phases: Absorbing attacker evalutes hash function „H( )‟ with the phase and Squeezing Phase. In first phase input given message („M‟) and tries multiple messages is "absorbed" into the hash state at a given rate, i.e., („M‟)‟ != („M‟) to study the difference aries then an output hash is "squeezed" from it at the during computation. same rate. To absorb „r‟ bits of data, the data is XOR into the leading bits of the state, and the Collision Attack block permutation is applied. To squeeze, the first „r‟ bits of the state are produced as output,

Volume 5, Issue 11, November 2018 91 http://ijics.com INTERNATIONAL JOURNAL OF INFORMATION AND COMPUTING SCIENCE ISSN NO: 0972-1347

Here in this attack efforts required to evaluations of the derived polynomials assuming succedes is half of others like 2n/2, i.e., attacker „p‟ is of degree „d‟. with the given message („M‟) and tries to find The cube attack can be seen as an extension to multiple messages i.e., („M‟)‟ != („M‟) from Algebraic Differential Attack and Higher Order which same digest (h) i.e., H(M‟) = H(M) will be Differentials. The main idea in all these attacks is deliverded of desired length „n‟. There is slite difference in Second Pre-Image and Collision to generate a sufficient number of plain-texts and Attack, even though these perfomed in same sum up the corresponding cipher-texts to obtain manner. some properties that will ease the attack. Birthday Attack (Birthday Pardox) Cryptanalytical Attack Birthday Attack is more specifically used for The Cryptanalysis of Security & finding collision in cryptographic hash functions. Cryptographic Hash Functions actually focuses Working of this attack is straighforward given on understanding the structure of hash function below: and compression function (which used inside for compressing the block of message(s)) of hash Let „h‟ be an n-bit (digest size) hash function function, works iteratively. Because of fixed with Input Legitimate message (m1) and digest size as compare to variable length message forgery message (m2). So the Output will be collision must be there, however due to security (m‟1), (m‟2) resulting from minor modifications of hash functions they‟re infeasible to find but of (m1) and (m2) with H(m‟1) = H(m‟2). So, can be find more easier than pre-image and second pre-image. Cryptanalysis attack further  Generate „N‟ = 2n/2 minor modifications (m‟1) classified in two parts [12] Generic Attack and of (m1). Specific Attacks, about these types I already  Computer Hash of each such message(s) and discssed in my previous papers so, I‟m diving store the hash result(s). into attack.  Generate minor modifications (m‟2) of (m2), computing H(m‟2) for each and checking for Length Extension Attack matches with any H(m‟1) from the previous Length Extension Attack is well known by step, continue until match is found. the name of „Padding Attack‟ and, is known A match can be expected after about „N‟ weakness of Merkle Damgard constructions [2]. candidates of ( m‟2). Given h = H(M) where (h is digest, M is Message and H is Hash Function), it is straight- Cube Attack forward to calculate M and h, such that h = Many Cryptographic Systems are based on H(M||M‟) (even for un-known M but with known the concept of polynomial equations which are length of M). This particular attack actually not un-related and arbitrary, and these equations based on making use of H(M) as an internal hash studied in algebraic cryptanalysis. The Cube for calculating H(M||M‟). Gauravram in his Attack [41] is an algorithm for solving these thesis [12] classified it further in two types i.e. equations. Actually in this attack algorithm is Type:A extension attack and Type:B extension considered as Black Box that evaluate a attack. The category wise separation made with polynomial „p‟ over GF(2) of n + m input bits respect to whether the original plaintext message (bits) contains the length padding (extension) or i.e., (x1, x2,…..xn), (v1, v2,….vm), where xi is secret key bits and v is plain-text or IV bits. not. By utilizing length extension attack it is j possible, from only with hash of a actual The Cube attack is composed of two phases: message and it‟s length, to conclude hash of Preprocessing Phase: Many maxterms with longer message(s) that starts with the initial independent superpoly are find by attacker after message and include the padding required for the setting the values of all variables and uses of initial message in order to reach multiple of black box. This phase is not key dependent and block size(s). performed just once for each cryptographic Joux Multicollision Attack scheme. Joux [33] provided the detail about Multi- Online Phase: In this phase attacker evaluate the Collision Attack on Iterated hash function. Joux superpoly‟s by setting the values of public in his study interpretate minutely that, finding variables „m‟ and find linear combination of key multi-collisions, i.e. „r-tuples‟ of message(s) that bits, after seting „n‟ secret variable to unknown all hash to exactly same value, is not too values. This phase requires at most 2d−1 complex than finding ordinary collisions, i.e.

Volume 5, Issue 11, November 2018 92 http://ijics.com INTERNATIONAL JOURNAL OF INFORMATION AND COMPUTING SCIENCE ISSN NO: 0972-1347

(pairs of messages with same hash at the end complexity is determined by the inverse of the while computing), even for extremely large probability of a differential trail, yet in this values of „r‟. Without vagueness, absolutley the context „best‟ means having the maximum ratio of complexities in such attacks is differential probability, The maximum approximately equal to the logarithm of „r‟ i.e. differential probability (MDP) is the maximum (constructing 2d – collision(s) cost, d times much value of the differential probabilities over all effort requires building ordinary 2-collision(s)). pairs of non-zero input and output differences.

Particulary supposition here is that collision MDP(f) = max ∆a≠0, ∆b DP(f)(∆a, ∆b) (3.1) finding algorithm(s) previously exists and, these algorithms obtains collision for the compression Boomerang Attack function when call made to it. Initially the Boomerang attack was introduced [36] in attacker make a call to this collision finding order to reduced the complexity of Differential algorithm on particular compression function Cryptanalysis. In this attack for analysis instead with the Initial State (or vector of fixed length) of using just one long differential characteristic „H0‟ and as a result algorithm returns two with low probability we‟re using two short messages „M1‟ and „N1‟ such that f(H0(M1)) ≠ differential characteristics with high probability. f(H0(N1)) = H1. Iteratively then the attacker calls For this purpose, the block cipher „E‟ is treated this algorithm with state „H1‟ and algorithm as a cascade of two sub-ciphers „E0‟ and „E1‟ returns two message blocks „M2‟ and „N2‟ such (i.e, E = E1 ◦ E0). The boomerang attack can be that f(H1(M2)) ≠ f(H1(N2)) = H2. Again with applied to internal function and reduced round continuous iterative process „H2‟ is then used as versions of many hash functions. state and call to algorithm returns message

blocks „M3‟ and „N3‟ such that f(H2(M3)) ≠ f(H2(N3)) = H3. Similarly successive calls to algorithm can be made. Just with three calls, we have 23 = 8 different messages that maps to digest „H3‟. If hyposthesis made i.e., collision finding algorithm was taking into account as brute force attack and every call takes time 2n/2 n/2 then it took O (3 x 2 ) time to find 8-collisions. Generally it‟s demonstrated that this technique requires O (d x 2n/2) time for finding 2d-collisions instead of a compression function (f) using a brute force collision finding algorithm. The brute force technique for finding 2d- collisions must 1 n.k d d requires Ω (2 ) where k = (2 -1)/2 and here „n‟ is digest size of message going to be used.

Differential Cryptanalysis

Differential Cryptanalysis was introduced by Biham and Adi Shamir [34] in 1990, which was the most powerful technique in order to make analysis on Single/Public Key Cryptosystems

(i.e., Block Ciphers, Stream Ciphers) and on Fig 3.1: Boomerang Attack [36] Hash Functions (i.e, Hash, MAC, HMAC). In this technique actual relationship between input Rebound Attack and output w.r.t. differences analysed. In most This attack [35] was actually new tool for case that difference is an XOR (Exclusive OR) making differential cryptanalysis possible on difference, but it is also possible to use modulo n Hash Functions (Keyed/Non-Keyed). It‟s a 2 , arbitrary group operations etc. There are combination of three „Meet-in-Middle‟ attack, many further sub techniques available in this „Insided-Outside‟ approach and „Truncated type of cryptanalysis like Boomerang Attack, differentials‟. Let „E‟ be the the underlying Rebound Attack, Higher Order Collision, permutation of the hash function under Truncated differential cryptanalysis etc. consideration, then in the rebound attack „E‟ is In Differential Cryptanalysis [42] the attacker considered as a combination of three sub-ciphers. tries to find the best differential properties to E = E(bk) ◦ E(in) ◦ E(fwd) (3.2) mount/initiate an attack. Though the attack

Volume 5, Issue 11, November 2018 93 http://ijics.com INTERNATIONAL JOURNAL OF INFORMATION AND COMPUTING SCIENCE ISSN NO: 0972-1347

Here the main objective of Inbound E(in) is to find Rotational Cryptanalysis [39] was introduced the solution(s) for „meet-in-middle‟ round that‟ve in 2010, that also categorized in generic attacks low probability. And next the aim of Outbound as it applied on almost all the algorithms which E(bk) ,E(fwd) is to find the solution for entire are based on three primary operations such that, differential i.e., each solution of E(in) is computed Modular-Addition, Rotations (Shifts) and, Xor in both backward E(bk), and forward E(fwd) (Exlusive OR) or following specific structure like directions. And checked whether they satisfy the Merkle Damgard suggested structure of hash desired pattern or not. The Inbound Phase functions. One important point is the complexity repeated (iteratively) to obtain more starting of the rotational attack depends only on the points for the Outbound Phase which is number of modular additions, and does not probabilistic. At the end many solutions for the depend on the number of XORs and rotations, Truncated Differential can be concluded with a nor on the rotation amounts. less complexity. Higher Order Collision Conclusion By now Classic Differential Cryptanalysis In this paper, I discussed how cryptographic studied the propagation of difference between hash functions continuely gained its importance plaintext(s), Higher-order Differential in the field of security and cryptography from Cryptanalysis [37] exploits the propagation of past few decades. I have made all possible difference b/w differences. The concept of attempts to provide a complete image of higher-order derivatives has been first introduced cryptographic hash functions and it‟s variants, by Lai. Recently this attack was applied on its design strategies (which was already SHA-3 Candiates such as Keccak, Luffa and 2nd discussed [32], [42]), in this research paper Order Collision found in SHA-256. limited and in my previously published Review Paper/Comparative Study papers fully. Our main Linear Cryptanalysis focus in this paper was to get insights into type of renowned attacks applied on Hash Functions Linear Cryptanalysis Matsui [38] is another and take brief how we can develop or enhance powerful technique used in the analysis of Hash Function by studying about these attacks, cryptosystem‟s (Single-Key/Public-Key). It is so that newly developed ones will be less prone based on examining the relationship(s) between to these attacks and provides dreamt security. linear combinations of plaintext (i.e., actual This paper would really help researchers and message in bits) and ciphertext (bits) block(s). buddy students who would like to take up Let „C‟ be the cipher-text of plain-text „P‟ under research in this particular area. Also I‟m doing the secret key „K‟. A linear approximation my research on „Security & Cryptography‟ sub defined as: area of Networking in order to develop a new hash function which fulfill all the basic ΓP · P ⊕ ΓC ·C = ΓK · K properties of hash as mentioned by various Where „·‟ denotes inner product. The vectors ΓP, developers, cryptographers and research scholars ΓC and ΓK represent a fixed linear combination of this area, plus specifically I‟m focussing on of bits and are called linear masks. In order to Military Services i.e., don‟t care about size of initiate an attack, adversary have to find an digest and complexity of algorithm, just concern efficient linear approximation, which means that about tight security, consume less time from equation given above should hold with computing hash having justifiable digest size as probability p≠1/2 (i.e., not random). Actually compare to others so that, it will be easily finding the best linear approximation for an implented on every device where security is a arbitrary cipher is generally not an easy task. major issue. Since its introduction linear cryptanalysis has been successfully applied to many block ciphers References and stream ciphers, On the other hand it hasn‟t received much attention in terms of cryptanalysis 1. Daniel J. Bernstein, ChaCha, a variant of of hash functions. As there is no key to recover Salsa20, National Science Foundation under in hash functions, Linear cryptanalysis can grant ITR–0716498, 2008.01.28. only be used to evaluate the security of the 2. I. Damgård, "A Design Principle for Hash function. Functions", in CRYPTO, 1989, PP.416-427 3. R.C. Merkle, "One Way Hash Functions and Rotational Cryptanalysis DES", in CRYPTO, 1989, PP.428-446.

Volume 5, Issue 11, November 2018 94 http://ijics.com INTERNATIONAL JOURNAL OF INFORMATION AND COMPUTING SCIENCE ISSN NO: 0972-1347

4. R. Rivest, MIT Laboratory for Computer Production Sciences (FTP) and Natural Science and RSA Data Security, Inc, Sciences (FNU). Request for Comments: 1320, April 1992. 19. Amrita Roy Chowdhury, LOCHA: A Light- 5. R. Rivest, MIT Laboratory for Computer Weight One-way Cryptographic Hash Science and RSA Data Security, Inc, Algorithm for Wireless Sensor Network, Request for Comments: 1321, April 1992. Science Direct Procedia Computer Science 6. FIPS 180, Secure Hash Standard (SHS), 32 (2014), PP:497 – 504. National Institute of Standardsand 20. Meltem Sonmez Turan, Hash Function Technology, US Department of Commerce, Designs Based on Stream Ciphers, Washington D. C., 1993. Information Security and Cryptology 7. FIPS 180-1, Secure Hash Standard (SHS), Conference, ISC Turkey, December 2007. National Institute of Standards and 21. Piyush Gupta, A Comparative Analysis of Technology, US Department of Commerce, SHA and MD5 Algorithm, International Washington D. C.,1995. Journal of Computer Science and 8. FIPS 180-2, Secure Hash Standard (SHS), Information Technologies, Vol. 5 (3) , 2014. National Institute of Standards and 22. Thulasimani Lakshmanan, A Novel Secure Technology, US Department of Commerce, Hash Algorithm for Public Key Digital Washington D. C.,2002. Signature Schemes, The International Arab 9. FIPS180-3, Secure Hash Standard (SHS), Journal of Information Technology, Vol. 9, National Institute of Standards and No.3, May 2012. Technology, US Department of Commerce, 23. Mohan V. Pawar, Network Security and Washington D. C., 2008. Types of Attacks in Network, Science Direct 10. Guido Bertoni, Keccak sponge function International Conference on Intelligent family, Version 1.2, April 23, 2009 Computing, Communication & 11. M. Bellare, and T. Kohno, "Hash Function Convergence, 2015. Balance and Its Impact on Birthday 24. William Stallings, “Hash Functions” In the Attacks", in EUROCRYPT, 2004, PP.401- Cryptography and Network Security 418. Principles and Practice Book, Fifth Edition. 12. P. Gauravram, “Cryptographic Hash 25. Jean Philippe Aumasson, Blake, Version 1.3, Functions: Cryptanalysis, design and December 16, 2010. Applications”, Ph.D. thesis, Faculty of 26. Praveen Gauravaram, Grøstl, March 02, Information Technology, Queensland 2011. University of Technology, Brisbane, 27. Hongjun Wu, The Hash Function JH, Australia, 2003. January 16, 2011. 13. Rajeev Sobti, G. Geetha, Cryptographic 28. Praveen Gauravaram, CRUSH: A New Hash Functions: A Reviw. International Cryptographic Hash Function Using Journal of Computer Science Issues, Vol. 9, Iterative Halving, July 2004. Issue 2, No 2, March 2012. 29. William Stallings, The Whirlpool Secure 14. FIPS 46-3, “Data Encryption Standard”, Hash Function, 2006. National Institute of Standards and 30. Niels Ferguson, The Skein Hash Function Technology, US Department of Commerce, Family, Version 1.3, October 2010. Washington D. C., 1999. 31. Wikipedia, Comparison of Cryptographic 15. FIPS 197, Advanced Encryption Standard, Hash Functions, December 05, 2017., National Institute of Standards and https://en.wikipedia.org/wiki/Comparison_of Technology, US Department of Commerce, _cryptographic_hash_functions. Washington D. C., 2001. 32. Arvind, Comparative Analysis Of 16. William Stallings, The Whirlpool Secure Cryptographic Hash Functions, Proceedings Hash Function, Cryptologia, 30:55–67, of 18th IRF International Conference, 09th 2006. September, 2018, New Delhi, India. 17. Ivan B. Damgard, The breaking of the AR 33. Antoine Joux, Multicollision in Iterated Hash Function, Advances in Cryptology - Hash Functions, Application to Cascade EUROCRYPT '93, LNCS 765, PP. 286-292, Constructions, DCSSI Crypto Lab, 2004. 1994. Springer-Verlag Berlin Heidelberg PP: 306-316. 1994. 34. Biham and Shamir, A. Diﬀerential 18. Ashish Kumar, Cryptanalysis of Tav-128 Cryptanalysis of DES-like Cryptosystems. Hash function, Danish Council for July 19, 1990. Independent Research - Technology and

Volume 5, Issue 11, November 2018 95 http://ijics.com INTERNATIONAL JOURNAL OF INFORMATION AND COMPUTING SCIENCE ISSN NO: 0972-1347

35. Mendal et al, The Rebound Attack: Teaching as well as in Research. Having 40+ Cryptanalysis of Reduced Whirlpool and research publications. Grøstl, In Dunkleman, 2009. 36. Wagner, The Boomerang Attack, L.Knudsen, 1999. 37. Lai, Higher Order Derivative and Differential Cryptanalysis, 1994. 38. Matushi, Linear Cryptanalysis Method for DES Cipher, Springer-Verlang, 1998. 39. Dmitry, Rotational Cryptanalysis of ARX, 2010. 40. Arvind, Security & Cryptography Hash Functions: Review, Proceedings of ERA- 2017, Rayat Bhara University, SAS Nagar, Punjab, India, December 2017. 41. Joel Lathrop, Cube Attacks on Cryptographic Hash Functions, Master Thesis, Rochester Institute of Technology, May 21, 2009. 42. Deniz, Cryptanalysis of Hash Functions, Thesis, Arenberg Doctoral School, 2013. 43. Vlamdir Omar, A Study on Hash Functions for Cryptography, GIAC Practical Repository, Sans Institute, 2003.

Author Profile Arvind K. Sharma working as Assistant Professor in Department of “MMICT&BM” M.M. University, Mullana, Ambala (Punjab). Previously he worked for Chandigarh University (CU) in Department of CSE, Mohali (Punjab) and Trinity College, Jalandhar (Punjab) in the Department of Computer Science as Assistant Professor. He is pursuing his Ph.D. from Rayat Bahra University, Mohali in the field of CSE in Networking ans Security. He has received his M.Tech. CSE Degree from Lovely Professional University, Phagwara in 2015 and, MSc. Computer Science Degree from Guru Nanak Dev University, Amritsar in 2011. Area of Interest is “Networking and Security”, “Routing & Switching”, “Programming”, “DBMS”. Dr. S. K. Mittal is heading (Departmental Head) University School of Engineering & Technology Rayat Bahra University, SAS Nagar, Punjab, India. He has nearly three decades of experience in industry, research and in Teaching. He‟s a renowned personality having 60+ research publications. Dr. Summit Mittal is heading (Principal) Maharishi Markandeshwar Institute of Communication Technology and Business Management (MMICT&BM)(MCA) and Registrar of Maharishi Markandeshwar (Deemed to be University), Mullana, Haryana, India. He has spent almost two decades in

Volume 5, Issue 11, November 2018 96 http://ijics.com