DOCSLIB.ORG

Improved Collision Cryptanalysis of Authenticated Cipher MORUS

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Improved Collision Cryptanalysis of Authenticated Cipher MORUS Advances in Intelligent Systems Research, volume 133 2nd International Conference on Artificial Intelligence and Industrial Engineering (AIIE2016) Improved Collision Cryptanalysis of Authenticated Cipher MORUS Tairong Shi *, Jie Guan, Junzhi Li and Pei Zhang Information Science and Technology Institute, Zhengzhou, Henan, China *Corresponding author Abstract—MORUS is an authenticated stream cipher designed by each other, we utilize the partition method and propose the Wu et al. and submitted for the third-round of the CAESAR necessary conditions for an internal state collision after two- competition. The collision properties of MORUS-640-128 are step update. There results imply that MORUS resists against studied. We propose the necessary conditions for an internal state collision attack in theory. collision after two-step update, i.e., the Hamming weight of the input difference is at least 5 and the difference is distributed in at This paper is organized as follows. In Section 2, the least three 32-bit words, which provide the theoretical support description of MORUS is provided. In Section 3, the for MORUS’s resistance against collision attack. distribution of word difference is given. Section 4 discusses the lower bound of difference weight for collision. Section 5 Keywords-CAESAR; MORUS; collision cryptanalysis; partition concludes the paper. method II. DESCRIPTION OF MORUS I. INTRODUCTION MORUS operates four phases: initialization, processing of Authenticated encryption algorithm [1] combines the authenticated data, encryption, and finalization. In this encryption with authentication, providing both confidentiality paper we only focus on the processing of associated data and and authenticity simultaneously and has been widely used in encryption and study the security of MORUS-640-128. the security protocols such as SSL/TLS [2], etc. In order to MORUS takes a 128-bit key, a 128-bit nonce, and a tag length accelerate the development of authentication encryption, less than or equal to 128. More details of MORUS-640-128 can CAESAR competition [3] merges. CAESAR is a large-scale be found in [9]. All the “MORUS” in the rest of this paper cryptographic competition supported by the US National refers to “MORUS-640-128”. Institute of Standards and Technology (NIST) like AES [4], e- STREAM [5]. With the advance of the competition, A. Notations authenticated cipher receives more attentions and develops i rapidly. The third-round candidates own excellent performance S : State at the beginning of i-th step, where i t 0 ; on security and efficiency which are competitive and attract S i : State at the beginning of k-th round at i-th step, where many researchers [6], [7], [8]. k SSSSSSiiiiii (,,,,), 04ddk ; MORUS [9] is a notable family of authenticated stream kkkkkk,0 ,1 ,2 ,3 ,4 ciphers designed by H. Wu and T. Huang, which has been S i : The j-th element of the state S i . SSSiii (, , selected as a third-round candidate of CAESAR competition. kj, k kj,,,1,,2 kj kj ii By adopting the idea of block cipher, MORUS uses 5 registers SSkj,,3,) kj ,,4 , 04ddj ; of equal length in its internal state and update each state i i successively. Three MORUS versions: MORUS-640-128, Skjl,, : l-th 32-bit word of the Skj, , where 14ddl , MORUS-1280-128, and MORUS-1280-256 are recommended 04ddj ; with different internal state and key sizes. Mileva et al. [10] have proposed a distinguisher attack on MORUS in non-reuse & : Bit-wise AND; setting. And Zhang et al. [11] researched on the confusion and diffusion properties of the initialization of MORUS. The <<< : Rotation to the left; research on MORUS is relatively limited currently. >>> : Rotation to the right; Collision attack [12], [13] is a typical method used in x : The smallest integer not less than x ; attacking the message authentication. The basic technique is to «»ªº inject a message difference at certain encryption (or processing Rotl(,) x n : Divide the 128-bit block x into four 32-bit the associated date) step and cancel it at a later step. words and rotate each word left by n bits, In this paper, we evaluate the security of authentication by theory deduction. Observations reveal that 32-bit word are not Rotl-1 (,) x n : Analogous to Rotl(,) x n , divide the 128-bit x confused completely with internal state. Based on the feature into four 32-bit words and rotate each word right by n bits; that the 32-bit words in the state element are independent of Copyright © 2016, the Authors. Published by Atlantis Press. 429 This is an open access article under the CC BY-NC license (http://creativecommons.org/licenses/by-nc/4.0/). Advances in Intelligent Systems Research, volume 133 1n ( 0n ): n bits of ‘1’s (‘0’s); III. THE DISTRIBUTION OF WORD-ORIENTED DIFFERENCE FOR COLLISION W(D ) : The hamming weight of D , namely, the number of In this section, we divide each message into four 32-bit 1 in D ’s binary representation; words and give the representation of internal state differences. WB('mt ) : The number of nonzero word in 'mt . 'mt Suppose that a message difference ''zmmtt(0) is denotes the message difference, where Di (1ddi 4) represents injected at i-th encryption (or processing the associated date) a 32-bit word difference. step and 'S t 0 , through the differential analysis, it’s easy to get internal state differences in t+1-th step: B. The State Update Function of MOURS t1 MORUS uses five 128-bit registers in its internal state. This 'S0 0 function consists of five rounds with similar operations that t1 'SRotlm1 ('t ,31) 64 update the state S. t1 'SRotlm2 (,7)32't ii1 SS StateUpdate( ,mi ) is given as follows: t1 'S3 Rotl((,31),22)32 Rotl' mtt ' m Round 1: tttt1111 'S4012 Rotl(& S''!!!' S ( S 32),13) mt iiiii 64 SRotlSSS1,0 ((&),);0,0 0,1 0,2 Sb 0,3 0 ii Note: For convenience, we perform the left rotation for SS1,3 0,3 w 0 ; t1 t1 'S3 and 'S4 in advance. ii SS1,1 0,1; If and only if 'Sit2 0(0dd 4) , the internal state SSii ; i 1,2 0,2 collision occurs. Because we only concern that whether the ii SS1,4 0,4 ; difference is zero and external operation Rotl x, n doesn’t Round 2 to 5: influence the results, we leave out Rotl x, n . Each element of For k=1 to 4, state differences after the second step is shown as: tt21 t 1 tt 11 iiii 'SS (&' S )(&) ' SS SRotlSSS (( & ) 01 2 12 (k 1)mod5, k kk, kk ,( 1)mod5kk ,( 2)mod5 tt11 t 1 i ('SS12 & ' ) ( ' S 3 !!! 32); Smbkk,( 3)mod5 i, k ); ii tttt2111 tt 11 SSw ; 'SSSS1123 '(& ' )(&) ' SS 23 (kk 1)mod5,( 3)mod5 kk ,( 3)mod5 k ii ('SStt11 & ' ) ( ' S t 1 !!! 64) ' m ; SS(1)mod5,(1)mod5kk kk ,(1)mod5 ; 23 4t 1 i i tttt2111 tt 11 S S ; (kk 1)mod5,( 2)mod5 kk,( 2)mod5 'SSSS2234 '(& ' )(&) ' SS 34 ii tt11 SS(kk 1)mod5,( 4)mod5 kk ,( 4)mod5. ('''SS34 & ) mt 1 ; i1 ii1 tt21 tt 12 Generate S : For k=0 to 4: SSkk . 'SS33 ''(&) SSm 40 't 1 ; tt21 The rotation constants bwi,, 0,,4,4 for each round are ii 'SSm44 ''t 1. defined in [10]. It should be noted that 'St2 0 is a precondition, then we C. Processing the Associated Data and Encryption analyze the differences after the second step. The Processing the associated data AD of MORUS can be Now we discuss the difference distribution in the following described as follows. adlen means bit length of the associated situations with different values of WB('mt ) . Remember that data, where u ªº adlen 128 . «» Di (1ddi 4) represents a 32-bit word difference. ii128 For i=0 to u-1: SS StateUpdate( ,ADi ). A. When WB('mt ) 1 The encryption is described as follows. Let msglen Now, we assume that there is only one nonzero word represents the length of plaintext and vmsglen «»ªº128 . difference in 'mt , 'mt (D1 , 0, 0, 0) ,D1 z 0 . t1 For i 0 to v 1: 'S1 000Dc , whereDDc 31; CPS ui ( S ui 96) ( Sui & S ui ); t1 ii 01 23 'S2 00Dcc 0 , whereDDcc 7,i 1,2 ; ui1 ui SS StateUpdate( ,Pi ); 430 Advances in Intelligent Systems Research, volume 133 t1 tttt2112 'S3 00E 0 , where EDD ()22c ; 'SSSSm3340 ''& 't 1 t1 0EE11 00uuuu 0 uu 'Su4 00J , where JDD ()13c , u is unknown difference. t2 32 To ensure 'S3 0 , we deduce E1 0 , DDccc 1 and tt21 t2 J 0 , therefore 'S t1 0000 , 'Smt1 ' 00 uu. As Because of 'SSm44 ''t 1 and 'S4 0 , we get 1 3 41t t1 for 'S t2 , we get that 'mSt14 ' 00J u. 2 tttt2111 Through update function, we know the presentation of 'SSSSm2234 '''& t 1 t2 'S . 0DD12cc cc 0 00uu 0D 1 cc uu z 0 ttttttt2111111 t2 'SSSSSSS0121212 &&&'' '' It contradicts to 'S2 0 . The above results also hold for t1 'S3 !!! 32 'mt 00DD12 , 'mt 00DD12 and 'mt DD1200 . 0uu 0 000EE 0uu Case 2 'miti 00(DDD12 z 0,1,2) To ensure 'S t2 0 , we deduce E 0 , namely 0 'St1 00DDcc, where DDc 31,i 1,2 ; DD 31 0 , then D 132 must be established. Therefore 121 ii 32 t1 we can deduce DDccc 1 and EJ 0 , furthermore 'S212 DDcc00 cc , where DDiicc 7,i 1,2 ; t2 t2 'S3 0000 , 'Sm41 't 000 u. t1 'S312 EE00, where EDDiii ()22,1,2c i ; t2 Supposed 'S1 0, we can get t1 'Suu4 00 .
Load more

Recommended publications
  • Increasing Cryptography Security Using Hash-Based Message
    ISSN (Print) : 2319-8613 ISSN (Online) : 0975-4024 Seyyed Mehdi Mousavi et al. / International Journal of Engineering and Technology (IJET) Increasing Cryptography Security using Hash-based Message Authentication Code Seyyed Mehdi Mousavi*1, Dr.Mohammad Hossein Shakour 2 1-Department of Computer Engineering, Shiraz Branch, Islamic AzadUniversity, Shiraz, Iran . Email : [email protected] 2-Assistant Professor, Department of Computer Engineering, Shiraz Branch, Islamic Azad University ,Shiraz ,Iran Abstract Nowadays, with the fast growth of information and communication technologies (ICTs) and the vulnerabilities threatening human societies, protecting and maintaining information is critical, and much attention should be paid to it. In the cryptography using hash-based message authentication code (HMAC), one can ensure the authenticity of a message. Using a cryptography key and a hash function, HMAC creates the message authentication code and adds it to the end of the message supposed to be sent to the recipient. If the recipient of the message code is the same as message authentication code, the packet will be confirmed. The study introduced a complementary function called X-HMAC by examining HMAC structure. This function uses two cryptography keys derived from the dedicated cryptography key of each packet and the dedicated cryptography key of each packet derived from the main X-HMAC cryptography key. In two phases, it hashes message bits and HMAC using bit Swapp and rotation to left. The results show that X-HMAC function can be a strong barrier against data identification and HMAC against the attacker, so that it cannot attack it easily by identifying the blocks and using HMAC weakness.
    [Show full text]
  • A Full Key Recovery Attack on HMAC-AURORA-512
    A Full Key Recovery Attack on HMAC-AURORA-512 Yu Sasaki NTT Information Sharing Platform Laboratories, NTT Corporation 3-9-11 Midori-cho, Musashino-shi, Tokyo, 180-8585 Japan [email protected] Abstract. In this note, we present a full key recovery attack on HMAC- AURORA-512 when 512-bit secret keys are used and the MAC length is 512-bit long. Our attack requires 2257 queries and the off-line com- plexity is 2259 AURORA-512 operations, which is significantly less than the complexity of the exhaustive search for a 512-bit key. The attack can be carried out with a negligible amount of memory. Our attack can also recover the inner-key of HMAC-AURORA-384 with almost the same complexity as in HMAC-AURORA-512. This attack does not recover the outer-key of HMAC-AURORA-384, but universal forgery is possible by combining the inner-key recovery and 2nd-preimage attacks. Our attack exploits some weaknesses in the mode of operation. keywords: AURORA, DMMD, HMAC, Key recovery attack 1 Description 1.1 Mode of operation for AURORA-512 We briefly describe the specification of AURORA-512. Please refer to Ref. [2] for details. An input message is padded to be a multiple of 512 bits by the standard MD message padding, then, the padded message is divided into 512-bit message blocks (M0;M1;:::;MN¡1). 256 512 256 In AURORA-512, compression functions Fk : f0; 1g £f0; 1g ! f0; 1g 256 512 256 512 and Gk : f0; 1g £ f0; 1g ! f0; 1g , two functions MF : f0; 1g ! f0; 1g512 and MFF : f0; 1g512 ! f0; 1g512, and two initial 256-bit chaining U D 1 values H0 and H0 are defined .
    [Show full text]
  • The First Collision for Full SHA-1
    The first collision for full SHA-1 Marc Stevens1, Elie Bursztein2, Pierre Karpman1, Ange Albertini2, Yarik Markov2 1 CWI Amsterdam 2 Google Research [email protected] https://shattered.io Abstract. SHA-1 is a widely used 1995 NIST cryptographic hash function standard that was officially deprecated by NIST in 2011 due to fundamental security weaknesses demonstrated in various analyses and theoretical attacks. Despite its deprecation, SHA-1 remains widely used in 2017 for document and TLS certificate signatures, and also in many software such as the GIT versioning system for integrity and backup purposes. A key reason behind the reluctance of many industry players to replace SHA-1 with a safer alternative is the fact that finding an actual collision has seemed to be impractical for the past eleven years due to the high complexity and computational cost of the attack. In this paper, we demonstrate that SHA-1 collision attacks have finally become practical by providing the first known instance of a collision. Furthermore, the prefix of the colliding messages was carefully chosen so that they allow an attacker to forge two PDF documents with the same SHA-1 hash yet that display arbitrarily-chosen distinct visual contents. We were able to find this collision by combining many special cryptanalytic techniques in complex ways and improving upon previous work. In total the computational effort spent is equivalent to 263:1 SHA-1 compressions and took approximately 6 500 CPU years and 100 GPU years. As a result while the computational power spent on this collision is larger than other public cryptanalytic computations, it is still more than 100 000 times faster than a brute force search.
    [Show full text]
  • Related-Key and Key-Collision Attacks Against RMAC
    Related-Key and Key-Collision Attacks Against RMAC Tadayoshi Kohno CSE Department, UC San Diego 9500 Gilman Drive, MC-0114 La Jolla, California 92093-0114, USA IACR ePrint archive 2002/159, 21 October 2002, revised 2 December 2002. Abstract. In [JJV02] Jaulmes, Joux, and Valette propose a new ran- domized message authentication scheme, called RMAC, which NIST is currently in the process of standardizing [NIS02]. In this work we present several attacks against RMAC. The attacks are based on a new protocol- level related-key attack against RMAC and can be considered variants of Biham’s key-collision attack [Bih02]. These attacks provide insights into the RMAC design. We believe that the protocol-level related-key attack is of independent interest. Keywords: RMAC, key-collision attacks, related-key attacks. 1 Introduction Jaulmes, Joux, and Valette’s RMAC construction [JJV02] is a new ran- domized message authentication scheme. Similar to Petrank and Rackoff’s DMAC construction [PR97] and Black and Rogaway’s ECBC construc- tion [BR00], the RMAC construction is a CBC-MAC variant in which an input message is first MACed with standard CBC-MAC and then the resulting intermediate value is enciphered with one additional block ci- pher application. Rather than using a fixed key for the last block cipher application (as DMAC and ECBC do), RMAC enciphers the last block with a randomly chosen (but related) key. One immediate observation is that RMAC directly exposes the underlying block cipher to a weak form of related-key attacks [Bih93]. We are interested in attacks that do not exploit some related-key weakness of the underlying block cipher, but rather some property of the RMAC mode itself.
    [Show full text]
  • A New Approach in Expanding the Hash Size of MD5
    374 International Journal of Communication Networks and Information Security (IJCNIS) Vol. 10, No. 2, August 2018 A New Approach in Expanding the Hash Size of MD5 Esmael V. Maliberan, Ariel M. Sison, Ruji P. Medina Graduate Programs, Technological Institute of the Philippines, Quezon City, Philippines Abstract: The enhanced MD5 algorithm has been developed by variants and RIPEMD-160. These hash algorithms are used expanding its hash value up to 1280 bits from the original size of widely in cryptographic protocols and internet 128 bit using XOR and AND operators. Findings revealed that the communication in general. Among several hashing hash value of the modified algorithm was not cracked or hacked algorithms mentioned above, MD5 still surpasses the other during the experiment and testing using powerful bruteforce, since it is still widely used in the domain authentication dictionary, cracking tools and rainbow table such as security owing to its feature of irreversible [41]. This only CrackingStation, Hash Cracker, Cain and Abel and Rainbow Crack which are available online thus improved its security level means that the confirmation does not need to demand the compared to the original MD5. Furthermore, the proposed method original data but only need to have an effective digest to could output a hash value with 1280 bits with only 10.9 ms confirm the identity of the client. The MD5 message digest additional execution time from MD5. algorithm was developed by Ronald Rivest sometime in 1991 to change a previous hash function MD4, and it is commonly Keywords: MD5 algorithm, hashing, client-server used in securing data in various applications [27,23,22].
    [Show full text]
  • Hashes, Macs & Authenticated Encryption Today's Lecture Hashes
    Today’s Lecture • Hashes and Message Authentication Codes Hashes, MACs & • Properties of Hashes and MACs Authenticated Encryption • CBC-MAC, MAC -> HASH (slow), • SHA1, SHA2, SHA3 Tom Chothia • HASH -> MAC, HMAC ICS Lecture 4 • Authenticated Encryption – CCM Hashes Signatures l A hash of any message is a short string • Using RSA Epub(Dpriv(M)) = M generated from that message. • This can be used to sign messages. l The hash of a message is always the same. l Any small change makes the hash totally • Sign a message with the private key and this can be different. verified with the public key. l It is very hard to go from the hash to the message. • Any real crypto suite will not use the same key for encryption and signing. l It is very unlikely that any two different messages have the same hash. – as this can be used to trick people into decrypting. Signatures Uses of Hashing Alice has a signing key Ks • Download/Message verification and wants to sign message M Plain Text • Tying parts of a message together (hash the whole message) Detached Signature: Dks(#(M)) RSA decrypt with key ks SHA hash • Hash message, then sign the hash. • Protect Passwords Signed: M,Dks(#(M)) – Store the hash, not the password 1 Attacks on hashes Birthday Paradox • Preimage Attack: Find a message for a • How many people do you need to ask given hash: very hard. before you find 2 that have the same birthday? • Prefix Collision Attack: a collision attack where the attacker can pick a prefix for • 23 people, gives (23*22)/2 = 253 pairs.
    [Show full text]
  • MD5 Collision Attack
    MD5 Considered Harmful Today Creating a rogue CA certificate Alexander Sotirov New York, USA Marc Stevens CWI, Netherlands Jacob Appelbaum Noisebridge/Tor, SF Arjen Lenstra EPFL, Switzerland David Molnar UC Berkeley, USA Dag Arne Osvik EPFL, Switzerland Benne de Weger TU/e, Netherlands Introduction • International team of researchers ○ working on chosen-prefix collisions for MD5 • MD5 is still used by real CAs to sign SSL certificates today ○ MD5 has been broken since 2004 ○ theoretical CA attack published in 2007 • We used a MD5 collision to create a rogue Certification Authority ○ trusted by all major browsers ○ allows man-in-the-middle attacks on SSL Overview of the talk • Public Key Infrastructure • MD5 chosen-prefix collisions • Generating colliding certificates ○ on a cluster of 200 PlayStation 3’s • Impact • Countermeasures • Conclusion Live demo 1. Set your system date to August 2004 ○ intentional crippling of our demo CA ○ not a technical limit of the method itself 2. Connect to our wireless network ○ ESSID “MD5 Collisions Inc” 3. Connect to any secure HTTPS website ○ MITM attack ○ check the SSL certificate! Part I Public Key Infrastructure Overview of SSL • Wide deployment ○ web servers ○ email servers (POP3, IMAP) ○ many other services (IRC, SSL VPN, etc) • Very good at preventing eavesdropping ○ asymmetric key exchange (RSA) ○ symmetric crypto for data encryption • Man-in-the-middle attacks ○ prevented by establishing a chain of trust from the website digital certificate to a trusted Certificate Authority Certification Authorities (CAs) • Website digital certificates must be signed by a trusted Certificate Authority • Browsers ship with a list of trusted CAs ○ Firefox 3 includes 135 trusted CA certs • CAs’ responsibilities: ○ verify the identity of the requestor ○ verify domain ownership for SSL certs ○ revoke bad certificates Certificate hierarchy Obtaining certificates 1.
    [Show full text]
  • Fast Collision Attack on MD5
    Fast Collision Attack on MD5 Marc Stevens Department of Mathematics and Computer Science, Eindhoven University of Technology P.O. Box 513, 5600 MB Eindhoven, The Netherlands. [email protected] Abstract. In this paper, we present an improved attack algorithm to find two-block colli- sions of the hash function MD5. The attack uses the same differential path of MD5 and the set of sufficient conditions that was presented by Wang et al. We present a new technique which allows us to deterministically fulfill restrictions to properly rotate the differentials in the first round. We will present a new algorithm to find the first block and we will use an al- gorithm of Klima to find the second block. To optimize the inner loop of these algorithms we will optimize the set of sufficient conditions. We also show that the initial value used for the attack has a large influence on the attack complexity. Therefore a recommendation is made for 2 conditions on the initial value of the attack to avoid very hard situations if one has some freedom in choosing this initial value. Our attack can be done in an average of about 1 minute (avg. complexity 232.3) on a 3Ghz Pentium4 for these random recommended initial values. For arbitrary random initial values the average is about 5 minutes (avg. complexity 234.1). With a reasonable probability a collision is found within mere seconds, allowing for instance an attack during the execution of a protocol. Keywords: MD5, collision, differential cryptanalysis 1 Introduction Hash functions are among the primitive functions used in cryptography, because of their one- way and collision free properties.
    [Show full text]
  • Hash Collision Attack Vectors on the Ed2k P2P Network
    Hash Collision Attack Vectors on the eD2k P2P Network Uzi Tuvian Lital Porat Interdisciplinary Center Herzliya E-mail: {tuvian.uzi,porat.lital}[at]idc.ac.il Abstract generate colliding executables – two different executables which share the same hash value. In this paper we discuss the implications of MD4 In this paper we present attack vectors which use collision attacks on the integrity of the eD2k P2P such colliding executables into an elaborate attacks on network. Using such attacks it is possible to generate users of the eD2k network which uses the MD4 hash two different files which share the same MD4 hash algorithm in its generation of unique file identifiers. value and therefore the same signature in the eD2k By voiding the 'uniqueness' of the identifiers, the network. Leveraging this vulnerability enables a attacks enable selective distribution – distributing a covert attack in which a selected subset of the hosts specially generated harmless file as a decoy to garner receive malicious versions of a file while the rest of the popularity among hosts in the network, and then network receives a harmless one. leveraging this popularity to send malicious We cover the trust relations that can be voided as a executables to a specific sub-group. Unlike consequence of this attack and describe a utility conventional distribution of files over P2P networks, developed by the authors that can be used for a rapid the attacks described give the attacker relatively high deployment of this technique. Additionally, we present control of the targets of the attack, and even lets the novel attack vectors that arise from this vulnerability, attacker terminate the distribution of the malicious and suggest modifications to the protocol that can executable at any given stage.
    [Show full text]
  • Modified SHA1: a Hashing Solution to Secure Web Applications Through Login Authentication
    36 International Journal of Communication Networks and Information Security (IJCNIS) Vol. 11, No. 1, April 2019 Modified SHA1: A Hashing Solution to Secure Web Applications through Login Authentication Esmael V. Maliberan Graduate Studies, Surigao del Sur State University, Philippines Abstract: The modified SHA1 algorithm has been developed by attack against the SHA-1 hash function, generating two expanding its hash value up to 1280 bits from the original size of different PDF files. The research study conducted by [9] 160 bit. This was done by allocating 32 buffer registers for presented a specific freestart identical pair for SHA-1, i.e. a variables A, B, C and D at 5 bytes each. The expansion was done by collision within its compression function. This was the first generating 4 buffer registers in every round inside the compression appropriate break of the SHA-1, extending all 80 out of 80 function for 8 times. Findings revealed that the hash value of the steps. This attack was performed for only 10 days of modified algorithm was not cracked or hacked during the experiment and testing using powerful online cracking tool, brute computation on a 64-GPU. Thus, SHA1 algorithm is not force and rainbow table such as Cracking Station and Rainbow anymore safe in login authentication and data transfer. For Crack and bruteforcer which are available online thus improved its this reason, there were enhancements and modifications security level compared to the original SHA1. being developed in the algorithm in order to solve these issues [10, 11]. [12] proposed a new approach to enhance Keywords: SHA1, hashing, client-server communication, MD5 algorithm combined with SHA compression function modified SHA1, hacking, brute force, rainbow table that produced a 256-bit hash code.
    [Show full text]
  • Reforgeability of Authenticated Encryption Schemes 1 Introduction
    Reforgeability of Authenticated Encryption Schemes Christian Forler1, Eik List2, Stefan Lucks2, and Jakob Wenzel2 1 Beuth Hochschule für Technik Berlin, Germany cforler(at)beuth-hochschule.de 2 Bauhaus-Universität Weimar, Germany <first name>.<last name>(at)uni-weimar.de Abstract. This work pursues the idea of multi-forgery attacks as introduced by Ferguson in 2002. We recoin reforgeability for the complexity of obtaining further forgeries once a first forgery has succeeded. First, we introduce a security notion for the integrity (in terms of reforgeability) of authenticated encryption schemes: j-Int-CTXT, which is derived from the notion INT-CTXT. Second, we define an attack scenario called j-IV-Collision Attack (j-IV-CA), wherein an adversary tries to construct j forgeries provided a first forgery. The term collision in the name stems from the fact that we assume the first forgery to be the result from an internal collision within the processing of the associated data and/or the nonce. Next, we analyze the resistance to j-IV-CAs of classical nonce-based AE schemes (CCM, CWC, EAX, GCM) as well as all 3rd-round candidates of the CAESAR competition. The analysis is done in the nonce-respecting and the nonce-ignoring setting. We find that none of the considered AE schemes provides full built-in resistance to j-IV-CAs. Based on this insight, we briefly discuss two alternative design strategies to resist j-IV-CAs. Keywords: authenticated encryption, CAESAR, multi-forgery attack, reforgeability. 1 Introduction (Nonce-Based) Authenticated Encryption. Simultaneously protecting authenticity and pri- vacy of messages is the goal of authenticated encryption (AE) schemes.
    [Show full text]
  • Generic Attacks Against Beyond-Birthday-Bound Macs
    Generic Attacks against Beyond-Birthday-Bound MACs Gaëtan Leurent1, Mridul Nandi2, and Ferdinand Sibleyras1 1 Inria, France {gaetan.leurent,ferdinand.sibleyras}@inria.fr 2 Indian Statistical Institute, Kolkata [email protected] Abstract. In this work, we study the security of several recent MAC constructions with provable security beyond the birthday bound. We con- sider block-cipher based constructions with a double-block internal state, such as SUM-ECBC, PMAC+, 3kf9, GCM-SIV2, and some variants (LightMAC+, 1kPMAC+). All these MACs have a security proof up to 22n/3 queries, but there are no known attacks with less than 2n queries. We describe a new cryptanalysis technique for double-block MACs based on finding quadruples of messages with four pairwise collisions in halves of the state. We show how to detect such quadruples in SUM-ECBC, PMAC+, 3kf9, GCM-SIV2 and their variants with O(23n/4) queries, and how to build a forgery attack with the same query complexity. The time com- plexity of these attacks is above 2n, but it shows that the schemes do not reach full security in the information theoretic model. Surprisingly, our attack on LightMAC+ also invalidates a recent security proof by Naito. Moreover, we give a variant of the attack against SUM-ECBC and GCM-SIV2 with time and data complexity O˜(26n/7). As far as we know, this is the first attack with complexity below 2n against a deterministic beyond- birthday-bound secure MAC. As a side result, we also give a birthday attack against 1kf9, a single-key variant of 3kf9 that was withdrawn due to issues with the proof.
    [Show full text]