The GOST hash function family has served as the new Russian national hash standard (GOST R 34.11-2012) since January 1, 2013, and it has two members, i.e., GOST256 and GOST-512 which correspond to two different output lengths. Most of the previous analyses of GOST emphasize on the compression function rather than the hash function. In this paper, we focus on security properties of GOST under th...

Many RFID protocols use cryptographic hash functions for their security. The resource constrained nature of RFID systems forces the use of light weight cryptographic algorithms. Tav-128 is one such 128-bit light weight hash function proposed by Peris-Lopez et al. for a low-cost RFID tag authentication protocol. Apart from some statistical tests for randomness by the designers themselves, Tav-12...

We propose a preimage attack against cryptographic hash functions based on the speedup enabled by quantum computing. Preimage resistance is a fundamental property cryptographic hash functions must possess. The motivation behind this work relies in the lack of conventional attacks against newly introduced hash schemes such as the recently elected SHA-3 standard. The proposed algorithm consists o...

The most important pre-quantum threat to AES-128 is the 1994 van Oorschot–Wiener “parallel rho method”, a low-communication parallel pre-quantum multi-target preimage-search algorithm. This algorithm uses a mesh of p small processors, each running for approximately 2/pt fast steps, to find one of t independent AES keys k1, . . . , kt, given the ciphertexts AESk1(0), . . . ,AESkt(0) for a shared...

ARMADILLO2 is the recommended variant of a multi-purpose cryptographic primitive dedicated to hardware which has been proposed by Badel et al. in [1]. In this paper we propose a meet-in-the-middle technique that allows us to invert the ARMADILLO2 function. Using this technique we are able to perform a key recovery attack on ARMADILLO2 in FIL-MAC application mode. A variant of this attack can al...

At ASIACRYPT 2012, Sasaki et al. introduced the guess-and-determine approach to extend meet-in-the-middle (MITM) preimage attack. CRYPTO 2021, Dong proposed a technique derive solution spaces of nonlinear constrained neutral words in MITM In this paper, we try combine these two techniques further improve attacks. Based on previous MILP-based automatic tools for attacks, introduce new constraint...

Preimage resistance of several hash functions has already been broken by the meet-in-the-middle attacks and they utilize a property that their message schedules consist of only permutations of message words. It is unclear whether this type of attacks is applicable to a hash function whose message schedule does not consist of permutations of message words. This paper proposes new attacks against...

In this paper we study the security of summing the outputs of two independent hash functions, in an effort to increase the security of the resulting design, or to hedge against the failure of one of the hash functions. The exclusive-or (XOR) combiner H1(M)⊕H2(M) is one of the two most classical combiners, together with the concatenation combiner H1(M) ‖ H2(M). While the security of the concaten...

At SAC 2006, Liskov proposed the zipper hash, a technique for constructing secure (indifferentiable from random oracles) hash functions based on weak (invertible) compression functions. Zipper hash is a two pass scheme, which makes it unfit for practical consideration. But, from the theoretical point of view it seemed to be secure, as it had resisted standard attacks for long. Recently, Andreev...

In this paper, we analyze the security of RIPEMD-128 against collision attacks. The ISO/IEC standard RIPEMD-128 was proposed 15 years ago and may be used as a drop-in replacement for 128-bit hash functions like MD5. Only few results have been published for RIPEMD-128, the best being a preimage attack for the first 33 steps of the hash function with complexity 2. In this work, we provide a new a...