Affiliation: IAIK, Graz University of Technology
Analysis of Step-Reduced SHA-256
This is the first article analyzing the security of SHA-256 against fast collision search which considers the recent attacks by Wang et al. We show the limits of applying techniques known so far to SHA-256. Next we introduce a new type of perturbation vector which circumvents the identified limits. This new technique is then applied to the unmodified SHA-256. Exploiting the combination of Boolean functions and modular addition together with the newly developed technique allows us to derive collision-producing characteristics for step-reduced SHA-256, which was not possible before. Although our results do not threaten the security of SHA-256, we show that the low probability of a single local collision may give rise to a false sense of security.
Second Preimages for Iterated Hash Functions Based on a b-Block Bypass
In this article, we present a second preimage attack on a double block-length hash proposal presented at FSE 2006. If the hash function is instantiated with DESX as underlying block cipher, we are able to construct second preimages deterministically. Nevertheless, this second preimage attack does not render the hash scheme insecure. For the hash scheme, we only show that it should not be instantiated with DESX but AES should rather be used. However, we use the instantiation of this hash scheme with DESX to introduce a new property of iterated hash functions, namely a so-called b-block bypass. We will show that if an iterated hash function possesses a b-block bypass, then this implies that second preimages can be constructed. Additionally, the attacker has more degrees of freedom for constructing the second preimage.
An Analysis of the Hermes8 Stream Ciphers
Hermes8 is one of the stream ciphers submitted to the ECRYPT Stream Cipher Project (eSTREAM). In this paper we present an analysis of the Hermes8 stream ciphers. In particular, we show an attack on the latest version of the cipher (Hermes8F), which requires very few known keystream bytes and recovers the cipher secret key in less than a second on a normal PC. Furthermore, we make some remarks on the cipher's key schedule and discuss some properties of ciphers with similar algebraic structure to Hermes8.
We present a collision attack on the recently proposed hash function SMASH. The attack uses negligible resources and we conjecture that it works for all hash functions built following the design method of SMASH.
Secure and Efficient Masking of AES - A Mission Impossible?
This document discusses masking approaches with a special focus on the AES S-box. Firstly, we discuss previously presented masking schemes with respect to their security and implementation. We conclude that algorithmic countermeasures to secure the AES algorithm against side-channel attacks have not been resistant against all first-order side-channel attacks. Secondly, we introduce a new masking countermeasure which is not only secure against first-order side-channel attacks, but which also leads to relatively small implementations compared to other masking schemes when implemented in dedicated hardware.