In this paper, we develop a new attack on Damg̊ard-Merkle hash functions, called the herding attack, in which an attacker who can find many collisions on the hash function by brute force can first provide the hash of a message, and later “herd” any given starting part of a message to that hash value by the choice of an appropriate suffix. We introduce a new property which hash functions should h...

A double-block-length (DBL) hash mode of block ciphers, MJH has been proved to be collision-resistant in the ideal cipher model upto 22n/3−log n queries. In this paper we provide first cryptanalytic results for MJH. We show that a collision attack on MJH has the time complexity below the birthday bound. When block ciphers with 128-bit blocks are used, it has time complexity around 2, which is t...

This paper presents attacks that clearly violate the explicit security claims of 11 of the 14 second-round submissions to the SHA-3 competition: Blue Midnight Wish, ECHO, Fugue, Grøstl, Hamsi, JH, Keccak, Shabal, SHAvite-3, SIMD, and Skein. The attacks are structured-first-preimage attacks, the most devastating type of hash-function attack. The attacks use a quantum computer, but not a particul...

In this paper, we first present a new distinguisher on the CBC-MAC based on a block cipher in Cipher Block Chaining (CBC) mode. It can also be used to distinguish other CBC-like MACs from random functions. The main results of this paper are on the secondpreimage attack on CBC-MAC and CBC-like MACs include TMAC, OMAC, CMAC, PC-MAC and MACs based on three-key encipher CBC mode. Instead of exhaust...

Recently, NIST has selected 14 second round candidates of SHA3 competition. One of these candidates will win the competition and eventually become the new hash function standard. In TCC’04, Maurer et al introduced the notion of indifferentiability as a generalization of the concept of the indistinguishability of two systems. Indifferentiability is the appropriate notion of modeling a random ora...

We show that the LASH-x hash function is vulnerable to attacks that trade time for memory, including collision attacks as fast as 2 and preimage attacks as fast as 2. Moreover, we briefly mention heuristic lattice based collision attacks that use small memory but require very long messages that are expected to find collisions much faster than 2. All of these attacks exploit the designers’ choic...

In this article, we analyze the security of the GOST hash function. The GOST hash function, defined in the Russian standard GOST 34.11-94, is an iterated hash function producing a 256-bit hash value. As opposed to most commonly used hash functions such as MD5 and SHA-1, the GOST hash function defines, in addition to the common iterative structure, a checksum computed over all input message bloc...

In this work the security of the rate-1 double block length hash functions, which based on a block cipher with a block length of n-bit and a key length of 2n-bit, is reconsidered. Counter-examples and new attacks are presented on this general class of double block length hash functions with rate 1, which disclose uncovered flaws in the necessary conditions given by Satoh et al. and Hirose. Prei...

The Number Field Sieve (NFS) algorithm is the best known method to compute discrete logarithms (DL) in finite fields Fpn , with p medium to large and n ≥ 1 small. This algorithm comprises four steps: polynomial selection, relation collection, linear algebra and finally, individual logarithm computation. The first step outputs two polynomials defining two number fields, and a map from the polyno...

ARMADILLO2 is the recommended variant of a multi-purpose cryptographic primitive dedicated to hardware which has been proposed by Badel et al. in [1]. In this paper, we describe a meet-in-themiddle technique relying on the parallel matching algorithm that allows us to invert the ARMADILLO2 function. This makes it possible to perform a key recovery attack when used as a FIL-MAC. A variant of thi...