The original paper is in English. Non-English content has been machine-translated and may contain typographical errors or mistranslations. ex. Some numerals are expressed as "XNUMX".
Copyrights notice
We present cryptanalyses of the original version of the AURORA-512 hash function, which is a round-1 SHA-3 candidate. Our attack exploits weaknesses in the narrow-pipe mode of operation of AURORA-512 named "Double-Mix Merkle-Damgård (DMMD)." The current best collision attack, proposed by Joux and Lucks, only gives rough complexity estimates. We first evaluate its precise complexity and show how to optimize it. Secondly, we point out that the current best second-preimage attack, proposed by Ferguson and Lucks, does not work with the claimed complexity of 2^291. We then evaluate a complexity at which the attack works with high success probability. We also show that the second-preimage attack can be used to attack the randomized hashing scheme. Finally, we present a key-recovery attack on HMAC-AURORA-512, which reveals the 512-bit secret key with 2^257 queries, 2^259 AURORA-512 operations, and negligible memory. Universal forgery on HMAC-AURORA-384 is also possible by combining the second-preimage and inner-key-recovery attacks.
The copyright of the original papers published on this site belongs to IEICE. Unauthorized use of the original or translated papers is prohibited. See IEICE Provisions on Copyright for details.
Yu SASAKI, "Cryptanalyses of Double-Mix Merkle-Damgård Mode in the Original Version of AURORA-512" in IEICE TRANSACTIONS on Fundamentals,
vol. E94-A, no. 1, pp. 121-128, January 2011, doi: 10.1587/transfun.E94.A.121.
Abstract: We present cryptanalyses of the original version of the AURORA-512 hash function, which is a round-1 SHA-3 candidate. Our attack exploits weaknesses in a narrow-pipe mode of operation of AURORA-512 named "Double-Mix Merkle-Damgård (DMMD)." The current best collision attack proposed by Joux and Lucks only gives rough complexity estimations. We first evaluate its precise complexity and show its optimization. Secondly, we point out that the current best second-preimage attack proposed by Ferguson and Lucks does not work with the claimed complexity of 2^291. We then evaluate a complexity so that the attack can work with a high success probability. We also show that the second-preimage attack can be used to attack the randomized hashing scheme. Finally, we present a key-recovery attack on HMAC-AURORA-512, which reveals 512-bit secret keys with 2^257 queries, 2^259 AURORA-512 operations, and negligible memory. The universal forgery on HMAC-AURORA-384 is also possible by combining the second-preimage and inner-key-recovery attacks.
URL: https://global.ieice.org/en_transactions/fundamentals/10.1587/transfun.E94.A.121/_p
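The last two results in the abstract concern HMAC built over a narrow-pipe Merkle-Damgård hash. The example below is an added illustration, not code from the paper and not AURORA-512 or its DMMD mode: it uses a toy hash whose compression function is a single SHA-256 call, with an assumed 32-byte block, an assumed all-zero IV and a constructed key. It shows the generic fact that makes "inner-key recovery" matter: HMAC only ever uses the two key-dependent chaining values K_in = f(IV, K xor ipad) and K_out = f(IV, K xor opad), so an attacker who recovers both can compute a valid tag for any message, the universal forgery the abstract refers to, without ever learning K. How those states are recovered from AURORA-512 is the paper's contribution and is not reproduced here.

```python
"""Toy narrow-pipe Merkle-Damgard hash plus HMAC, to show why recovering the
two key-dependent chaining values of HMAC is as good as recovering the key.
Added illustration: NOT AURORA-512, NOT the DMMD mode, NOT the paper's attack.
"""
import hashlib

BLOCK = 32            # assumed block size of the toy hash, in bytes
DIGEST = 32           # narrow pipe: chaining value and output have the same size
IV = bytes(DIGEST)    # assumed all-zero initial value


def compress(state: bytes, block: bytes) -> bytes:
    """Toy compression function f(h, m); one SHA-256 call stands in for it."""
    assert len(state) == DIGEST and len(block) == BLOCK
    return hashlib.sha256(state + block).digest()


def md_padding(total_len: int) -> bytes:
    """MD strengthening: 0x80, zero fill, then the 8-byte big-endian bit length
    of everything hashed so far (including any prefix already absorbed)."""
    zeros = (-(total_len + 1 + 8)) % BLOCK
    return b"\x80" + bytes(zeros) + (8 * total_len).to_bytes(8, "big")


def md_hash(msg: bytes, state: bytes = IV, prefix_len: int = 0) -> bytes:
    """Absorb msg starting from `state`. prefix_len is the number of bytes
    already absorbed into `state`, so the length field in the padding is right."""
    data = msg + md_padding(prefix_len + len(msg))
    for i in range(0, len(data), BLOCK):
        state = compress(state, data[i:i + BLOCK])
    return state


def _pads(key: bytes):
    """Standard HMAC key preprocessing: hash long keys, zero-pad, xor constants."""
    if len(key) > BLOCK:
        key = md_hash(key)
    key = key.ljust(BLOCK, b"\x00")
    return (bytes(b ^ 0x36 for b in key), bytes(b ^ 0x5C for b in key))


def hmac_md(key: bytes, msg: bytes) -> bytes:
    """Standard HMAC construction over the toy hash."""
    ipad, opad = _pads(key)
    inner = md_hash(ipad + msg)
    return md_hash(opad + inner)


def key_states(key: bytes):
    """K_in = f(IV, K xor ipad) and K_out = f(IV, K xor opad): the only
    key-dependent values HMAC ever uses. Recovering these is what an
    'inner-key / outer-key recovery' on HMAC means in practice."""
    ipad, opad = _pads(key)
    return compress(IV, ipad), compress(IV, opad)


def forge(k_in: bytes, k_out: bytes, msg: bytes) -> bytes:
    """Universal forgery: compute HMAC for any msg from K_in and K_out alone.
    Both hash computations are resumed after the key block, so the padding
    must account for the BLOCK bytes the key block already contributed."""
    inner = md_hash(msg, state=k_in, prefix_len=BLOCK)
    return md_hash(inner, state=k_out, prefix_len=BLOCK)


KEY = b"constructed demo key, not a real secret"   # constructed sample input


def demo(msg: bytes = b"transfer 100 to account 42") -> bool:
    """True iff a tag forged from the recovered states equals the genuine HMAC."""
    k_in, k_out = key_states(KEY)
    return forge(k_in, k_out, msg) == hmac_md(KEY, msg)


if __name__ == "__main__":
    print("forgery matches genuine HMAC:", demo())
```

The forgery never touches the key bytes: `forge` only needs the two 32-byte states and the correct length bookkeeping for the padding. That is why an inner-key recovery alone is already dangerous in a narrow-pipe design, and why the abstract can combine it with a second-preimage attack to reach universal forgery on HMAC-AURORA-384.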
@ARTICLE{e94-a_1_121,
author={Yu SASAKI},
journal={IEICE TRANSACTIONS on Fundamentals},
title={Cryptanalyses of Double-Mix Merkle-Damgård Mode in the Original Version of AURORA-512},
year={2011},
volume={E94-A},
number={1},
pages={121-128},
abstract={We present cryptanalyses of the original version of the AURORA-512 hash function, which is a round-1 SHA-3 candidate. Our attack exploits weaknesses in a narrow-pipe mode of operation of AURORA-512 named "Double-Mix Merkle-Damgård (DMMD)." The current best collision attack proposed by Joux and Lucks only gives rough complexity estimations. We first evaluate its precise complexity and show its optimization. Secondly, we point out that the current best second-preimage attack proposed by Ferguson and Lucks does not work with the claimed complexity of 2^{291}. We then evaluate a complexity so that the attack can work with a high success probability. We also show that the second-preimage attack can be used to attack the randomized hashing scheme. Finally, we present a key-recovery attack on HMAC-AURORA-512, which reveals 512-bit secret keys with 2^{257} queries, 2^{259} AURORA-512 operations, and negligible memory. The universal forgery on HMAC-AURORA-384 is also possible by combining the second-preimage and inner-key-recovery attacks.},
keywords={},
doi={10.1587/transfun.E94.A.121},
ISSN={1745-1337},
month={January},}
TY - JOUR
TI - Cryptanalyses of Double-Mix Merkle-Damgård Mode in the Original Version of AURORA-512
T2 - IEICE TRANSACTIONS on Fundamentals
SP - 121
EP - 128
AU - Yu SASAKI
PY - 2011
DO - 10.1587/transfun.E94.A.121
JO - IEICE TRANSACTIONS on Fundamentals
SN - 1745-1337
VL - E94-A
IS - 1
JA - IEICE TRANSACTIONS on Fundamentals
Y1 - January 2011
AB - We present cryptanalyses of the original version of the AURORA-512 hash function, which is a round-1 SHA-3 candidate. Our attack exploits weaknesses in a narrow-pipe mode of operation of AURORA-512 named "Double-Mix Merkle-Damgård (DMMD)." The current best collision attack proposed by Joux and Lucks only gives rough complexity estimations. We first evaluate its precise complexity and show its optimization. Secondly, we point out that the current best second-preimage attack proposed by Ferguson and Lucks does not work with the claimed complexity of 2^291. We then evaluate a complexity so that the attack can work with a high success probability. We also show that the second-preimage attack can be used to attack the randomized hashing scheme. Finally, we present a key-recovery attack on HMAC-AURORA-512, which reveals 512-bit secret keys with 2^257 queries, 2^259 AURORA-512 operations, and negligible memory. The universal forgery on HMAC-AURORA-384 is also possible by combining the second-preimage and inner-key-recovery attacks.
ER -