New multivariate hash function quadratic polynomials multiplying linear polynomials

In modern cryptography, hash functions are considered as one of the key components for secure communication. They play a vital role in a wide range of applications such as ensuring the authentication and integrity of the data, in forensic investigation, password storage, random number generations for unique session keys, and for creating a unified view in blockchain. The Avalanche effect (also known as diffusion) is an important characteristic of a hash function where a minor change in the hash function’s input will result in a significantly different output. The absence of this property implies that the hash function is vulnerable to various attacks such as collision attack, length extension attack, and preimage attack. Through this research, we have investigated the Avalanche effect of sixteen hash functions and two hash-based applications, namely Hash-based Message Authentication Code (HMAC) and Public Key Cryptography Standards (PKCS). To measure the performance of these hash functions and hash-based applications, we have implemented a generic circuit using CrypTool for automating the simulation process for multiple trials. Simulation results indicate that around half of the inputs of each hash function failed to exhibit the Strict Avalanche Criterion (SAC) and, Bit Independence Criterion (BIC). Moreover, we ranked the hash functions based on Multi Criteria Decision Metrics (MCDM) using intermediate states of simulation results. Furthermore, a total of fifteen statistical tests were carried out to evaluate the randomization property of the hash functions using NIST (National Institute of Standards and Technology) toolkit. This study is aimed to open up a future scope of research to the need for improvement of various hash functions by analyzing the randomization and non-correlation properties of existing functions in terms of the Avalanche effect.

In this paper we propose a new multivariate compression function with HAIFA construction. We design the center map meticulously so that the hash function can keep the three cryptography properties and be immune to the differential attack. The memory storage is about 50% that of the one which is built of the cubic polynomials and their coefficients are random. And on the avalanche effect, more than one half of the output bits are different when one input bit is changed. Finally we give the experimental results and summarize the paper.

In this paper, we analyze the SHAvite-3-512 hash function, as proposed and tweaked for round 2 of the SHA-3 competition. We present cryptanalytic results on 10 out of 14 rounds of the hash function SHAvite-3-512, and on the full 14 round compression function of SHAvite-3-512. We show a second preimage attack on the hash function reduced to 10 rounds with a complexity of 2497 compression function evaluations and 216 memory. For the full 14-round compression function, we give a chosen counter, chosen salt preimage attack with 2384 compression function evaluations and 2128 memory (or complexity 2448 without memory), and a collision attack with 2192 compression function evaluations and 2128 memory.Keywordshash functioncryptanalysiscollision(second) preimage

In this paper, we present a new technique to construct a collision attack from a particular preimage attack which is called a partial target preimage attack. Since most of the recent meet-in-the-middle preimage attacks can be regarded as the partial target preimage attack, a collision attack is derived from the meet-in-the-middle preimage attack. By using our technique, pseudo collisions of the 43-step reduced SHA-256 and the 46-step reduced SHA-512 can be obtained with complexities of 2126 and 2254.5, respectively. As far as we know, our results are the best pseudo collision attacks on both SHA-256 and SHA-512 in literature. Moreover, we show that our pseudo collision attacks can be extended to 52 and 57 steps of SHA-256 and SHA-512, respectively, by combined with the recent preimage attacks on SHA-2 by bicliques. Furthermore, since the proposed technique is quite simple, it can be directly applied to other hash functions. We apply our algorithm to several hash functions including Skein and BLAKE, which are the SHA-3 finalists. We present not only the best pseudo collision attacks on SHA-2 family, but also a new insight of relation between a meet-in-the-middle preimage attack and a pseudo collision attack.

The Grostl hash function is one of the five finalists in the third round of SHA-3 competition hosted by NIST. In this paper, we propose some improved (pseudo) preimage attacks on the Grostl hash function by using some techniques, such as subspace preimage attack and the guess-and-determine technique. We present the improved pseudo preimage attacks on 5-round Grostl-256 hash function and 8-round Grostl-512 hash function, and the complexities of these attacks are (2^(239.90), 2^(240.40)) (in time and memory) and (2^(499.50), 2^(499)), respectively. We also extend the pseudo preimage from 5 rounds to 6 rounds for Grostl-256 hash function, besides the biclique attack. Furthermore, we propose the pseudo second preimage attack on 6-round Grostl-256 hash function. The complexities of our 6-round (pseudo) preimage and second preimage attacks are (2^(253.26), 2^(253.67)) and (2^(251.0), 2^(252.0)), respectively. As far as we know, these are the best known preimage attacks on round-reduced Grostl hash function.

Parallel computing of hash functions along with the security requirements have great advantage in order to reduce the time consumption and overhead of the CPU. In this article, a keyed hash function based on farfalle construction and chaotic neural networks (CNNs) is proposed, which generates a hash value with arbitrary (defined by user) length (eg, 256 and 512 bits). The proposed hash function has parallelism merit because it is built over farfalle construction which avoids the dependency between the blocks of a given message. Moreover, the proposed hash function is chaos based (ie, it relies on chaotic maps and CNNs which have non‐periodic behavior). The security analysis shows that the proposed hash function is robust and satisfies the properties of hash algorithms, such as random‐like (non‐periodic) behavior, ideal sensitivity to original message and secret key, one‐way property and optimal diffusion effect. The speed performance of the hash function is also analyzed and compared with a hash function which was built based on sponge construction and CNN, and compared with secure hash algorithm (SHA) variants like SHA‐2 and SHA‐3. The results have shown that the proposed hash function has lower time complexity and higher throughput especially with large size messages. Additionally, the proposed hash function has enough resistance to multiple attacks, such as collision attack, birthday attack, exhaustive key search attack, preimage and second preimage attacks, and meet‐in‐the‐middle attack. These advantages make it ideal to be used as a good collision‐resistant hash function.

The GOST hash function family has served as the new Russian national hash standard (GOST R 34.11-2012) since January 1, 2013, and it has two members, i.e., GOST-256 and GOST-512 which correspond to two different output lengths. Most of the previous analyses of GOST emphasize on the compression function rather than the hash function. In this paper, we focus on security properties of GOST under the hash function setting. First we give two improved preimage attacks on 6-round GOST-512 compared with the previous preimage attack, i.e., a time-reduced attack with the same memory requirements and a memoryless attack with almost identical time. Then we improve the best collision attack on reduced GOST-256 (resp. GOST-512) from 5 rounds to 6.5 (resp. 7.5) rounds. Finally, we construct a limited-birthday distinguisher on 9.5-round GOST using the limited-birthday distinguisher on hash functions proposed at ASIACRYPT 2013. An essential technique used in our distinguisher is the carefully chosen differential trail, which can further exploit freedom degrees in the inbound phase when launching rebound attacks on the GOST compression function. This technique helps us to reduce the time complexity of the distinguisher significantly. We apply this strategy to Whirlpool, an ISO standardized hash function, as well. As a result, we construct a limited-birthday distinguisher on 9-round Whirlpool out of 10 rounds, and reduce the time complexity of the previous 7-round distinguisher. To the best of our knowledge, all of our results are the best cryptanalytic results on GOST and Whirlpool in terms of the number of rounds analyzed under the hash function setting.

We study the security of AES in the open-key setting by showing an analysis on hash function modes instantiating AES including Davies-Meyer, Matyas-Meyer-Oseas, and Miyaguchi-Preneel modes. In particular, we propose preimage attacks on these constructions, while most of previous work focused their attention on collision attacks or distinguishers using non-ideal differential properties. This research is based on the motivation that we should evaluate classical and important security notions for hash functions and avoid complicated attack models that seem to have little relevance in practice. We apply a recently developed meet-in-the-middle preimage approach. As a result, we obtain a preimage attack on 7 rounds of Davies-Meyer AES and a second preimage attack on 7 rounds of Matyas-Meyer-Oseas and Miyaguchi-Preneel AES. Considering that the previous best collision attack only can work up to 6 rounds, the number of attacked rounds reaches the best in terms of the classical security notions. In our attacks, the key is regarded as a known constant, and the attacks thus can work for any key length in common.KeywordsAEShash functionDavies-MeyerMatyas-Meyer-OseasMiyaguchi-PreneelPGVpreimagemeet-in-the-middleWhirlpool

We study the security of AES in the open-key setting by showing an analysis on hash function modes instantiating AES including Davies-Meyer, Matyas-Meyer-Oseas, and Miyaguchi-Preneel modes. In particular, we propose preimage attacks on these constructions, while most of previous work focused their attention on collision attacks or distinguishers using non-ideal differential properties. This research is based on the motivation that we should evaluate classical and important security notions for hash functions and avoid complicated attack models that seem to have little relevance in practice. We apply a recently developed meet-in-the-middle preimage approach. As a result, we obtain a preimage attack on 7 rounds of Davies-Meyer AES and a second preimage attack on 7 rounds of Matyas-Meyer-Oseas and Miyaguchi-Preneel AES. Considering that the previous best collision attack only can work up to 6 rounds, the number of attacked rounds reaches the best in terms of the classical security notions. In our attacks, the key is regarded as a known constant, and the attacks thus can work for any key length in common.

In this paper, an improved differential cryptanalysis framework for finding collisions in hash functions is provided. Its principle is based on linearization of compression functions in order to find low weight differential characteristics as initiated by Chabaud and Joux. This is formalized and refined however in several ways: for the problem of finding a conforming message pair whose differential trail follows a linear trail, a condition function is introduced so that finding a collision is equivalent to finding a preimage of the zero vector under the condition function. Then, the dependency table concept shows how much influence every input bit of the condition function has on each output bit. Careful analysis of the dependency table reveals degrees of freedom that can be exploited in accelerated preimage reconstruction under the condition function. These concepts are applied to an in-depth collision analysis of reduced-round versions of the two SHA-3 candidates CubeHash and MD6, and are demonstrated to give by far the best currently known collision attacks on these SHA-3 candidates.

Even though meet-in-the-middle preimage attack framework has been successfully applied to attack most of narrow-pipe hash functions, it seems difficult to apply this framework to attack double-branch hash functions. Only few results have been published on this research. This paper proposes a refined strategy of applying meet-in-the-middle attack framework to double-branch hash functions. The main novelty is a new local-collision approach named one-message-word local collision. We have applied our strategy to two double-branch hash functions RIPEMD and RIPEMD-128, and obtain the following results.• On RIPEMD. We find a pseudo-preimage attack on 47-step compression function, where the full version has 48 steps, with a complexity of 2119. It can be converted to a second preimage attack on 47-step hash function with a complexity of 2124.5. Moreover, we also improve previous preimage attacks on (intermediate) 35-step RIPEMD, and reduce the complexity from 2113 to 296.• On RIPEMD-128. We find a pseudo-preimage on (intermediate) 36-step compression function, where the full version has 64 steps, with a complexity of 2123. It canl be converted to a preimage attack on (intermediate) 36-step hash function with a complexity of 2126.5.Both RIPEMD and RIPEMD-128 produce 128-bit digests. Therefore our attacks are faster than the brute-force attack, which means that our attacks break the theoretical security bound of the above step-reduced variants of those two hash functions in the sense of (second) preimage resistance. The maximum number of the attacked steps on both those two hash functions is 35 among previous works based to our best knowledge. Therefore we have successfully increased the number of the attacked steps. We stress that our attacks does not break the security of full-version RIPEMD and RIPEMD-128. But the security mergin of RIPEMD becomes very narrow. On the other hand, RIPEMD-128 still has enough security margin.

In this paper we spot light on dedicated quantum collision attacks on concrete hash functions, which has not received much attention so far. In the classical setting, the generic complexity to find collisions of an n-bit hash function is \(O(2^{n/2})\), thus classical collision attacks based on differential cryptanalysis such as rebound attacks build differential trails with probability higher than \(2^{-n/2}\). By the same analogy, generic quantum algorithms such as the BHT algorithm find collisions with complexity \(O(2^{n/3})\). With quantum algorithms, a pair of messages satisfying a differential trail with probability p can be generated with complexity \(p^{-1/2}\). Hence, in the quantum setting, some differential trails with probability up to \(2^{-2n/3}\) that cannot be exploited in the classical setting may be exploited to mount a collision attack in the quantum setting. In particular, the number of attacked rounds may increase. In this paper, we attack two international hash function standards: AES-MMO and Whirlpool. For AES-MMO, we present a 7-round differential trail with probability \(2^{-80}\) and use it to find collisions with a quantum version of the rebound attack, while only 6 rounds can be attacked in the classical setting. For Whirlpool, we mount a collision attack based on a 6-round differential trail from a classical rebound distinguisher with a complexity higher than the birthday bound. This improves the best classical attack on 5 rounds by 1. We also show that those trails are optimal in our approach. Our results have two important implications. First, there seems to exist a common belief that classically secure hash functions will remain secure against quantum adversaries. Indeed, several second-round candidates in the NIST post-quantum competition use existing hash functions, say SHA-3, as quantum secure ones. Our results disprove this common belief. Second, our observation suggests that differential trail search should not stop with probability \(2^{-n/2}\) but should consider up to \(2^{-2n/3}\). Hence it deserves to revisit the previous differential trail search activities.

In FSE 2011, Sasaki presented the preimage attacks on Davies-Meyer (DM) scheme of 7-round AES and explained conversion of it to the attack on the hash function for 12 secure PGV schemes. In this paper, we apply Sasaki's work to Double-Block-Length (DBL) hash modes based on arbitrary blockcipher. We generalize compression functions in several DBL hash modes. Assuming a Sasaki's preimage attack on DM scheme of the underlying blockcipher is faster than brute-force attack, we evaluate securities of the hash modes against preimage or second-preimage attacks. Hence, we analyzed the hash modes against preimage or second-preimage attacks except some case of the generalized MDC-4.

The Zémor-Tillich hash function has remained unbroken since its introduction at CRYPTO’94. We present the first generic collision and preimage attacks against this function, in the sense that the attacks work for any parameters of the function. Their complexity is the cubic root of the birthday bound; for the parameters initially suggested by Tillich and Zémor they are very close to being practical. Our attacks exploit a separation of the collision problem into an easy and a hard component. We subsequently present two variants of the Zémor-Tillich hash function with essentially the same collision resistance but reduced outputs of 2n and n bits instead of the original 3n bits. Our second variant keeps only the hard component of the collision problem; for well-chosen parameters the best collision attack on it is the birthday attack.KeywordsHash FunctionDiscrete LogarithmRepresentation ProblemDiscrete Logarithm ProblemProjective VersionThese keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

The security of digital communication and information systems is mostly dependent on block ciphers. ARX-based ciphers are widely used due to their simplicity and efficiency. This paper provides an exhaustive cryptanalysis of a subset of ARX-based block ciphers, with particular emphasis on SIMON, SPECK, and IDEA. These ciphers need to be exposed for their weaknesses in algebraic attack resistance and cryptographic properties such as key sensitivity. In addition, we assess the resource utilization and speed of these ciphers, both of which are critical for practical implementation. SMT (Satisfiability Modulo Theories) framework is utilized to tackle constraint fulfillment problems based on first-order logic. The following cryptographic steps use SMT solvers: differential cryptanalysis, collision attack, pre-image attack, modular root-finding, and cryptographic primitive verification. We show that SMT solvers can solve block cipher cryptanalysis constraints. In a cryptanalytic attack, we convert block cipher boolean equations to Z3py. The proposed cryptanalysis method evaluates ARX cipher performance. This method recovers the partial secret key using plaintext and ciphertext pairs, partial key bits, and a predetermined number of rounds. To determine whether SIMON, SPECK, or IDEA are appropriate for distinct security requirements, we conducted a comparative analysis of the results and presented them in tabulated form. This research builds a better understanding of ARX-based block ciphers and allows us to develop more robust and efficient cryptographic algorithms to protect sensitive data in modern communication systems.