The original paper is in English. Non-English content has been machine-translated and may contain typographical errors or mistranslations. ex. Some numerals are expressed as "XNUMX".
We present cryptanalyses of the original version of the AURORA-512 hash function, which is a round-1 SHA-3 candidate. Our attack exploits weaknesses in a narrow-pipe mode of operation of AURORA-512 named "Double-Mix Merkle-Damgård (DMMD)." The current best collision attack, proposed by Joux and Lucks, gives only rough complexity estimates. We first evaluate its precise complexity and show how to optimize it. Secondly, we point out that the current best second-preimage attack, proposed by Ferguson and Lucks, does not work with the claimed complexity of 2^291. We then evaluate a complexity at which the attack works with high success probability. We also show that the second-preimage attack can be used to attack the randomized hashing scheme. Finally, we present a key-recovery attack on HMAC-AURORA-512, which reveals 512-bit secret keys with 2^257 queries, 2^259 AURORA-512 operations, and negligible memory. Universal forgery on HMAC-AURORA-384 is also possible by combining the second-preimage and inner-key-recovery attacks.
The copyright of the original papers published on this site belongs to IEICE. Unauthorized use of the original or translated papers is prohibited. See IEICE Provisions on Copyright for details.
Yu SASAKI, "Cryptanalyses of Double-Mix Merkle-Damgård Mode in the Original Version of AURORA-512" in IEICE TRANSACTIONS on Fundamentals,
vol. E94-A, no. 1, pp. 121-128, January 2011, doi: 10.1587/transfun.E94.A.121.
Abstract: We present cryptanalyses of the original version of AURORA-512 hash function, which is a round-1 SHA-3 candidate. Our attack exploits weaknesses in a narrow-pipe mode of operation of AURORA-512 named "Double-Mix Merkle-Damgård (DMMD)." The current best collision attack proposed by Joux and Lucks only gives rough complexity estimations. We first evaluate its precise complexity and show its optimization. Secondly, we point out that the current best second-preimage attack proposed by Ferguson and Lucks does not work with the claimed complexity of 2^291. We then evaluate a complexity so that the attack can work with a high success probability. We also show that the second-preimage attack can be used to attack the randomized hashing scheme. Finally, we present a key-recovery attack on HMAC-AURORA-512, which reveals 512-bit secret keys with 2^257 queries, 2^259 AURORA-512 operations, and negligible memory. The universal forgery on HMAC-AURORA-384 is also possible by combining the second-preimage and inner-key-recovery attacks.
URL: https://global.ieice.org/en_transactions/fundamentals/10.1587/transfun.E94.A.121/_p
@ARTICLE{e94-a_1_121,
author={Yu SASAKI},
journal={IEICE TRANSACTIONS on Fundamentals},
title={Cryptanalyses of Double-Mix Merkle-Damgård Mode in the Original Version of AURORA-512},
year={2011},
volume={E94-A},
number={1},
pages={121-128},
abstract={We present cryptanalyses of the original version of AURORA-512 hash function, which is a round-1 SHA-3 candidate. Our attack exploits weaknesses in a narrow-pipe mode of operation of AURORA-512 named "Double-Mix Merkle-Damgård (DMMD)." The current best collision attack proposed by Joux and Lucks only gives rough complexity estimations. We first evaluate its precise complexity and show its optimization. Secondly, we point out that the current best second-preimage attack proposed by Ferguson and Lucks does not work with the claimed complexity of 2^{291}. We then evaluate a complexity so that the attack can work with a high success probability. We also show that the second-preimage attack can be used to attack the randomized hashing scheme. Finally, we present a key-recovery attack on HMAC-AURORA-512, which reveals 512-bit secret keys with 2^{257} queries, 2^{259} AURORA-512 operations, and negligible memory. The universal forgery on HMAC-AURORA-384 is also possible by combining the second-preimage and inner-key-recovery attacks.},
keywords={},
doi={10.1587/transfun.E94.A.121},
ISSN={1745-1337},
month={January},}
TY - JOUR
TI - Cryptanalyses of Double-Mix Merkle-Damgård Mode in the Original Version of AURORA-512
T2 - IEICE TRANSACTIONS on Fundamentals
SP - 121
EP - 128
AU - Yu SASAKI
PY - 2011
DO - 10.1587/transfun.E94.A.121
JO - IEICE TRANSACTIONS on Fundamentals
SN - 1745-1337
VL - E94-A
IS - 1
JA - IEICE TRANSACTIONS on Fundamentals
Y1 - January 2011
AB - We present cryptanalyses of the original version of AURORA-512 hash function, which is a round-1 SHA-3 candidate. Our attack exploits weaknesses in a narrow-pipe mode of operation of AURORA-512 named "Double-Mix Merkle-Damgård (DMMD)." The current best collision attack proposed by Joux and Lucks only gives rough complexity estimations. We first evaluate its precise complexity and show its optimization. Secondly, we point out that the current best second-preimage attack proposed by Ferguson and Lucks does not work with the claimed complexity of 2^291. We then evaluate a complexity so that the attack can work with a high success probability. We also show that the second-preimage attack can be used to attack the randomized hashing scheme. Finally, we present a key-recovery attack on HMAC-AURORA-512, which reveals 512-bit secret keys with 2^257 queries, 2^259 AURORA-512 operations, and negligible memory. The universal forgery on HMAC-AURORA-384 is also possible by combining the second-preimage and inner-key-recovery attacks.
ER -