Hard and easy components of collision search in the Zémor-Tillich hash function: New attacks and reduced variants with equivalent security Christophe.

Presentation transcript:

Hard and easy components of collision search in the Zémor-Tillich hash function: New attacks and reduced variants with equivalent security. Christophe Petit, UCL Crypto Group. 04/22/09 | CRYP-201. Collisions for hash functions. C. Petit, J.J. Quisquater, J.P. Tillich, G. Zémor

2 Cryptographic hash functions

3 Graph-based hash functions Most hash functions can be seen as While Zémor-Tillich is more like

4 Outline: The Zémor-Tillich hash function; Introduction; New attacks; Reduced variants; Conclusion

The Zémor-Tillich hash function

6 Introduced at CRYPTO’94 [TZ94] Let irreducible over with and let Let For a message Output set has size

7 The Zémor-Tillich hash function Graph and group interpretations of main properties Representation problem : given a group and a set, find a product Balance problem : find

8 The Zémor-Tillich hash function Previous cryptanalysis: –Malleability –Invertibility for short messages [SGGB00] –Trapdoor attacks on [CP94,AK98,SGGB00] –Projection to finite fields [G96] –Subgroup attacks for composite [SGGB00] This paper: –Generic collision and preimage subgroup attacks in time (instead of and for birthday and exhaustive)

New attacks

10 Generic collision attack Sketch: 1. Find lower triangular matrices with meet-in-the-middle random search 2. Combine lower triangular matrices to have a lower diagonal matrix with ones in the diagonal by solving discrete logarithms 3. The resulting matrix has order 2 In each step, we use

11 Generic collision attack, 1st step If for some Then for some To solve the equation: –Compute and on various random messages –For each obtained, store the projective point ( ) –After messages, likely to be done

12 Generic collision attack, 2nd step Combine triangular matrices to get a matrix with ones in the diagonal Use Representation problem in finite fields: Given find Equivalent to Discrete Logarithm [BM97]… that is easy here !

13 Generic collision attack, 3rd step For any,

14 Improvements Preimage attack: –A bit more technical, but same ideas –Same complexity Memory-free versions –Transform the birthday search in the first step into a cycle detection problem –Use standard techniques (distinguished points,…)

15 Hard and easy components Finding a message hashing to a triangular matrix is “nearly” as hard as finding a message hashing to the identity Similarly: –Finding a message hashing to a diagonal matrix –Given some vector, finding a message hashing to a matrix with left / right eigenvector are nearly as hard as finding a message hashing to the identity

16 Hard and easy components The output of ZT is bits while its security is bits: how to extract the secure bits ?

Reduced variants

18 Vectorial Zémor-Tillich The output of ZT is bits while its security is bits: how to extract the secure bits ? Vectorial version –Outputs bits –For a given initial vector, returns If the initial vector is chosen randomly, just as secure as the original matrix version

19 Equivalence between vectorial and matrix versions Suppose there is an algorithm finding collision for the vectorial version… –Run it on a random We get where and are the ZT hash values of the colliding messages –Run it on We get –Repeat times

20 Equivalence between vectorial and matrix versions Key observations: – –« Homomorphism » To find a collision: –Let –Find such that

21 Equivalence between vectorial and matrix versions Colliding messages: – – where if The two messages collide to the value

22 Projective version The output of ZT is bits while its security is bits: how to extract the secure bits ? Projective version –Outputs bits –Returns if the vectorial version returns If the initial vector is chosen randomly, « nearly » as secure as the initial matrix version

23 « Quasi » equivalence between projective and vectorial versions Suppose there is an algorithm finding collision for the projective version… –Run it on to get and –After steps, find such that Complexity of last step –Hard asymptotically ( discrete logarithms problems + one subset sum problem) –Feasible for
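
The matrix, vectorial and projective versions discussed on slides 18 to 23, as an added example that is not part of the original slides. It assumes the standard [TZ94] generator matrices (their formulas did not survive in this transcript), a row-vector convention for the initial vector, and a toy field GF(2^8) defined by 0x11B; all function names are chosen here.

```python
# Added example: toy Zémor-Tillich over GF(2^8), far too small for any security.
N, P = 8, 0x11B          # assumed toy field: x^8 + x^4 + x^3 + x + 1 (irreducible)
X = 0b10                 # the polynomial "X" as a bit mask

def gf_mul(a, b):
    """Multiply two elements of GF(2)[X]/(P); bits are polynomial coefficients."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> N:       # degree reached N: reduce modulo P
            a ^= P
    return r

def gf_inv(a):
    """a^(2^N - 2) is the inverse of a nonzero field element."""
    r = 1
    for _ in range(2**N - 2):
        r = gf_mul(r, a)
    return r

def vec_mat(v, M):
    """Row vector times 2x2 matrix."""
    return (gf_mul(v[0], M[0][0]) ^ gf_mul(v[1], M[1][0]),
            gf_mul(v[0], M[0][1]) ^ gf_mul(v[1], M[1][1]))

def mat_mul(A, B):
    """2x2 matrix product, computed row by row."""
    return (vec_mat(A[0], B), vec_mat(A[1], B))

# Generators from [TZ94] (assumed, not legible on this page): bit 0 -> A0, bit 1 -> A1.
A0 = ((X, 1), (1, 0))
A1 = ((X, X ^ 1), (1, 1))

def zt_hash(bits):
    """Matrix version: ordered product of generators, one per message bit."""
    H = ((1, 0), (0, 1))
    for bit in bits:
        H = mat_mul(H, A1 if bit == "1" else A0)
    return H

def zt_vectorial(v0, bits):
    """Vectorial version: push the initial row vector through the same product."""
    for bit in bits:
        v0 = vec_mat(v0, A1 if bit == "1" else A0)
    return v0

def zt_projective(v0, bits):
    """Projective version: keep only the ratio a/b of the vectorial output."""
    a, b = zt_vectorial(v0, bits)
    return "inf" if b == 0 else gf_mul(a, gf_inv(b))
```

Because hashing a concatenation multiplies the two hash matrices, the vectorial output for `m1 + m2` equals the output for `m2` started from the vectorial output of `m1`, and scaling the initial vector leaves the projective output unchanged.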

Conclusion

25 Conclusion New generic attacks –Collision attack in time (instead of ) –Preimage attack in time (instead of ) New variants –Vectorial variant as secure –Projective variant « nearly » as secure –Best attack against projective variant is birthday search Zémor-Tillich is not broken – is too small –Still a very interesting design

Questions ?