On the argument of the absence of properties of a random oracle for some cryptographic hash functions | Applied Discrete Mathematics. Supplement. 2019. № 12. DOI: 10.17223/2226308X/12/30

On the argument of the absence of properties of a random oracle for some cryptographic hash functions

The paper presents new preimage attacks related to the class of algebraic attacks on hash functions MD4-k, 39 ^ k ^ 48. Hash function MD4-k consists of first k steps used in MD4 algorithm. To solve the corresponding systems of algebraic equations, SAT-solvers are used. The proposed attacks demonstrate that MD4-k functions are not random oracles. More precisely, we estimate the fraction of easy-invertible outputs of these functions and show that even for full-round version of hash function MD4, the obtained fraction is very big. To construct such estimations with each function of the kind MD4-k, we associate a special function, which input length is much smaller than 512. In most cases the preimage finding problem for such function is significantly simpler than the original one. We show that any value of the special function is the value of function MD4-k and estimate the fraction of these values in {0,1}¹²⁸. This approach allows us to obtain an estimation for the fraction of easy-invertible outputs of original hash function MD4-k.

Download file

Counter downloads: 119

Keywords

криптографические хеш-функции, поиск прообразов хеш-функций, MD4, MD4-39, SAT, cryptographic hash functions, preimage attack on hash functions, MD4, MD4-39, SAT

Authors

Name	Organization	E-mail
Gribanova I. A.	Institute of System Dynamics and Control Theory named after V. M. Matrosova SB RAS	the42dimension@gmail.com
Semenov A. A.	Institute of System Dynamics and Control Theory named after V. M. Matrosova SB RAS	biclop.rambler@yandex.ru

Всего: 2

References

Bellare M. and Rogaway P. Random oracles are practical: a paradigm for designing efficient protocols // Proc. CCS'93. N.Y.: ACM, 1993. P. 62-73.

Pointcheval D. and Stern J. Security proofs for signature schemes // EUROCRYPT'96. LNCS. 1996. V. 1070. P. 387-398.

Pointcheval D. and Stern J. Security arguments for digital signatures and blind signatures // J. Cryptology. 2000. V. 13. No. 3. P. 361-396.

RivestR.L. The MD4 message digest algorithm // CRYPT0'90. LNCS. 1990. V. 537. P. 303-311.

Gribanova I. and Semenov A. Using automatic generation of relaxation constraints to improve the preimage attack on 39-step MD4 // Proc. MIPR0-2018. IEEE, 2018. P. 1174-1179.

Грибанова И. А. Новый алгоритм порождения ослабляющих ограничений в задаче обращения хеш-функции MD4-39 // Прикладная дискретная математика. Приложение. 2018. №11. С. 139-141.

Dobbertin H. The first two rounds of MD4 are not one-way // Proc. FSE'1998. LNCS. 1998. V. 1372. P. 284-292.

De D., Kumarasubramanian A, and Venkatesan R. Inversion attacks on secure hash functions using SAT solvers // Proc. FSE'2007. LNCS. 2007. V.4501. P. 377-382.

Boros E. and Hammer P. L. Pseudo-boolean optimization // Discr. Appl. Math. 2002. V. 123(1-3), P. 155-225.

Иркутский суперкомпьютерный центр СО РАН. http://hpc.icc.ru.