基于散列函数的消息认证分析

基于网络通信中对消息认证的需求,介绍了散列函数的基本概念及构造方法,讨论了其用于消息认证中必须满足的特性,分析了散列函数在消息认证中的使用方式.生日攻击是通用的碰撞攻击方法,它可用于攻击任何类型的散列函数.为了增强散列函数的抗碰撞能力,探讨了生日攻击的碰撞阈值和攻击步骤.最后提出了安全散列函数设计时宜采用迭代和压缩型结构,该算法的核心技术是设计无碰撞的压缩函数并重复使用,从而可增大攻击者的攻击难度.     

基于混沌的Hash函数的安全性分析

随着现代密码学的发展,Hash函数算法越来越占有重要的地位。针对基于耦合映像格子的并行Hash函数算法和带密钥的基于动态查找表的串行Hash函数算法进行了安全性分析。对于前者,发现耦合映像格子系统导致算法中存在一种结构缺陷,在分组序号和分组消息满足特定约束关系的条件下,无需复杂的计算可以直接给出特定分组和消息的中间Hash值。对于后者,分析了产生碰撞缓存器状态的约束条件。在此条件下,找到算法的输出碰撞的代价为O(2~(100)),远大于生日攻击的代价。     

链接变量循环的Hash函数结构

现有的Hash函数基本上都是根据Merkle-Damg?ard结构设计的。基于Merkle-Damg?ard结构易受到长度扩展攻击、多碰撞攻击、Herding攻击等这些缺陷,设计了一种链接变量循环的Hash结构,该结构是基于宽管道Hash结构的,具有大的内部状态,可以有效抵抗上述针对Merkle-Damg?ard结构的攻击。结构具有可分析的安全性,可以提高Hash函数的性能,尤其是基于数学困难问题的Hash算法,增加了消息块对Hash值的作用。     

零知识数字签名方案中Hash值长度的研究

Hash函数已经被广泛用于各种数字签名方案中。在基于零知识概念的数字签名方案中,方案发明者宣称:所使用的Hash值的长度短至64-bits或72-bits即可达到2-64或者2-72的安全度。文中研究表明,在数字签名中由于存在来自签名者的生日攻击,如此短的Hash值并不能达到规定的安全度。并提出了一个简单的修改方案,使得在不增加计算复杂性的情况下来达到规定的安全度。     

零知识数字签名方案中Hash值长度的研究

Hash函数已经被广泛用于各种数字签名方案中。在基于零知识概念的数字签名方案中,方案发明者宣称：所使用的Hash值的长度短至64-bits或72-bits即可达到2-64或者2-72的安全度。文中研究表明,在数字签名中由于存在来自签名者的生日攻击,如此短的Hash值并不能达到规定的安全度。并提出了一个简单的修改方案,使得在不增加计算复杂性的情况下来达到规定的安全度。     

混沌数字签名算法与安全性分析

结合混沌系统与RSA数字签名技术的设计方法,提出了一种基于类Hénon混沌映射的数字签名方案.该方案用混沌Hash函数代替传统的Hash函数,这种混沌Hash函数具有不可逆性、防伪性、初值敏感性,而且充分利用了混沌系统对初始条件的敏感性和迭代过程的单向性,使得Hash结果的每一比特都与明文有着敏感和复杂的关系.这样的Hash函数在混乱和散布性质上更加安全,抵抗攻击的能力更强,有较高的抗碰撞能力.     

基于Rijndael的哈希函数的构造

为提高Hash函数性能,构造了一种基于Rijndael算法的新的哈希函数,经过分析测试,该函数具有很好的单向性、抗冲突性和初值敏感性。由于文中构造的散列函数的散列码长度为192bits,并且是基于Rijndael算法的,所以可以很好地抵御生日攻击和穷举攻击,具有很快的执行速度。     

基于Rijndael的哈希函数的构造

为提高Hash函数性能,构造了一种基于Rijndael算法的新的哈希函数,经过分析测试,该函数具有很好的单向性、抗冲突性和初值敏感性.由于文中构造的散列函数的散列码长度为192bits,并且是基于Rijndael算法的,所以可以很好地抵御生日攻击和穷举攻击,具有很快的执行速度.     

新的Haval-128的碰撞攻击

为了分析Hash函数的安全性,利用模差分,给出了一种新的Haval-128的碰撞攻击方法.主要结论是对于不同的初值可以选择不同的模差分,因而初值的选取具有更大的灵活性,并且给出了一种更有效的高级明文修改方法.在这组新的初值和差分条件下,通过PC机上大量测试,表明算法稳定以1/140左右的概率找到一组碰撞.该攻击方法同样适用于其它Hash函数,比如MD5和SHA1.     

一个新的MD4消息差分

在对Hash函数MD4的已知碰撞攻击方法研究的基础上,提出了一个新的分析思路——在差分路径的第3轮中不再构造局部碰撞,并给出了一条全新的差分路径。结果表明：新的差分路径在第3轮中不存在充分条件需要满足,以此路径构造的MD4碰撞攻击效率与以往攻击结果相比最优,计算复杂度不超过1次MD4运算。     

Collision Attack on the Full Extended MD4 and Pseudo-Preimage Attack on RIPEMD

The cryptographic hash functions Extended MD4 and RIPEMD are double-branch hash functions,which consist of two parallel branches.Extended MD4 was proposed by Rivest in 1990,and RIPEMD was devised in the framework of the RIPE project(RACE Integrity Primitives Evaluation,1988～1992).On the basis of differential analysis and meet-in-themiddle attack principle,this paper proposes a collision attack on the full Extended MD4 and a pseudo-preimage attack on the full RIPEMD respectively.The collision attack on Extended MD4 holds with a complexity of 237,and a collision instance is presented.The pseudo-preimage attack on RIPEMD holds with a complexity of 2 125.4,which optimizes the complexity order for brute-force attack.The results in this study will also be beneficial to the analysis of other double-branch hash functions such as RIPEMD-160.     

一种有代理门限签名方案的密码分析与改进

研究一种有代理的门限签名方案,该方案由于群私钥分享阶段设置不当,使其不满足强不可伪造性。为此,提出一种改进方案。在群私钥分享阶段加入哈希函数运算,并在签名时改变部分签名的形式使其能够抵抗外部攻击和内部攻击。分析结果表明,改进后的方案是安全的。     

一个改进的欺骗识别协议

在(m,n)门限方案中,如果有欺骗者提供错误的分享秘密,那么重构共享秘密的过程将失败。欺骗识别协议使得诚实的用户在重构共享秘密时能够发现欺骗行为,并找出欺骗者。在目前已经提出的多个欺骗识别协议中,Wu-Wu协议是一个比较常用,步骤比较简单的协议,其安全性依赖于一个单向hash函数。通过在Wu-Wu协议的基础上引入离散对数,增加随机参数,设计了一个新的欺骗识别协议,该协议在安全强度、抵抗重放攻击、可重用性三方面对Wu-Wu协议有了实质的改进。     

密码杂凑函数及其安全性分析

文章提出了针对密码杂凑函数及其安全性进行研究的重要意义,列举了单向杂凑函数、MD5、SHA-1等技术原理进行了技术分析,并从攻击手段入手,分析了密码杂凑函数的安全性,提出对SHA-1与MD-5的＂破解＂应客观看待的观点。     

Cryptanalysis of hash functions based on blockciphers suitable for IoT service platform security

It is well-known that blockcipher-based hash functions may be attacked when adopting blockciphers having related-key differential properties. However, all forms of related-key differentials are not always effective to attack them. In this paper we provide the general frameworks for collision and second-preimage attacks on hash functions by using related-key differential properties of instantiated blockciphers, and show their various applications. In the literature, there have been several provably secure blockcipher-based hash functions such as 12 PGV schemes, MDC-2, MJH, Abreast-DM, Tandem-DM, and HIROSE. However, their security cannot be guaranteed when they are instantiated with specific blockciphers. In this paper, we first observe related-key differential properties of some blockciphers such as Even-Mansour (EM), Single-key Even-Mansour (SEM), XPX with a fixed tweak (XPX₁₁₁₁), Chaskey cipher, and LOKI, which are suitable for IoT service platform security. We then present how these properties undermine the security of the aforementioned blockcipher-based hash functions. In our analysis, the collision and second-preimage attacks can be applied to several PGV schemes, MDC-2, MJH instantiated with SEM, XPX₁₁₁₁, Chaskey cipher, to PGV no.5, MJH, HIROSE, Abreast-DM, Tandem-DM instantiated with EM. Furthermore, LOKI-based MDC-2 is vulnerable to the collision attack. We also provide the necessary conditions for related-key differentials of blockciphers in order to attack each of the hash functions. To the best of our knowledge, this study is the first comprehensive analysis of hash functions based on blockciphers having related-key differential properties. Our cryptanalytic results support the well-known claim that blockcipher-based hash functions should avoid adopting blockciphers with related-key differential properties, such as the fixed point property in compression functions. We believe that this study provides a better understanding of the security of blockcipher-based hash functions.

     

On security arguments of the second round SHA-3 candidates

In 2007, the US National Institute for Standards and Technology (NIST) announced a call for the design of a new cryptographic hash algorithm in response to vulnerabilities like differential attacks identified in existing hash functions, such as MD5 and SHA-1. NIST received many submissions, 51 of which got accepted to the first round. 14 candidates were left in the second round, out of which five candidates have been recently chosen for the final round. An important criterion in the selection process is the SHA-3 hash function security. We identify two important classes of security arguments for the new designs: (1) the possible reductions of the hash function security to the security of its underlying building blocks and (2) arguments against differential attack on building blocks. In this paper, we compare the state of the art provable security reductions for the second round candidates and review arguments and bounds against classes of differential attacks. We discuss all the SHA-3 candidates at a high functional level, analyze, and summarize the security reduction results and bounds against differential attacks. Additionally, we generalize the well-known proof of collision resistance preservation, such that all SHA-3 candidates with a suffix-free padding are covered.     

On hash functions using checksums

We analyse the security of iterated hash functions that compute an input dependent checksum which is processed as part of the hash computation. We show that a large class of such schemes, including those using non-linear or even one-way checksum functions, is not secure against the second preimage attack of Kelsey and Schneier, the herding attack of Kelsey and Kohno and the multicollision attack of Joux. Our attacks also apply to a large class of cascaded hash functions. Our second preimage attacks on the cascaded hash functions improve the results of Joux presented at Crypto’04. We also apply our attacks to the MD2 and GOST hash functions. Our second preimage attacks on the MD2 and GOST hash functions improve the previous best known short-cut second preimage attacks on these hash functions by factors of at least 2²⁶ and 2⁵⁴, respectively. Our herding and multicollision attacks on the hash functions based on generic checksum functions (e.g., one-way) are a special case of the attacks on the cascaded iterated hash functions previously analysed by Dunkelman and Preneel and are not better than their attacks. On hash functions with easily invertible checksums, our multicollision and herding attacks (if the hash value is short as in MD2) are more efficient than those of Dunkelman and Preneel.     

MD5碰撞攻击的差分路径构建

著名的杂凑算法MD5是MD4的增强版本,由Ronald L.Rivest在1991年设计.MD5广泛应用于口令变换、数据完整性、数字证书等领域.近年最具影响的MD5安全性的分析结果是王小云首次发现的MD5碰撞.之后,MD5碰撞攻击的改进主要集中在提高碰撞对搜索的性能.基于新的不同于王小云的明文差分构成的MD5碰撞,介绍差分路径的构建方法,并给出一条差分路径以及碰撞对数据.     

基于格构造非交互不可展承诺方案

NTRU是基于格归约困难问题的公钥密码体制,目前主要用于公钥加密及数字签名。利用N"I'RU实现了 一个非交互不可展承诺方案,其安全性基于格上CVP困难问题,实现了承诺者绑定性。它基于抗碰撞Hash函数的 安全性对承诺合法性进行验证,通过随机映射扰动明文,使明文具有随机分布特性,以实现验证者隐藏性以及与揭示 有关的不可展性质。本方案具有N I'RU快速高效的特点,同时可抵杭信道窃听攻击、消息重放攻击及复制承诺攻击。