Re: [Cfrg] RE: Who needs collision-resistance, anyway?
daw@taverner.cs.berkeley.edu (David Wagner) Tue, 22 March 2005 00:22 UTC
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id TAA17259 for <cfrg-web-archive@ietf.org>; Mon, 21 Mar 2005 19:22:59 -0500 (EST)
Received: from megatron.ietf.org ([132.151.6.71]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1DDXFt-0001Fr-PX for cfrg-web-archive@ietf.org; Mon, 21 Mar 2005 19:28:23 -0500
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1DDX9Q-0001Y1-D7; Mon, 21 Mar 2005 19:21:40 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1DDX9O-0001Xu-Ts for cfrg@megatron.ietf.org; Mon, 21 Mar 2005 19:21:38 -0500
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id TAA17127 for <cfrg@ietf.org>; Mon, 21 Mar 2005 19:21:35 -0500 (EST)
Received: from abraham.cs.berkeley.edu ([128.32.37.170]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1DDXEY-0001BA-Pf for cfrg@ietf.org; Mon, 21 Mar 2005 19:26:59 -0500
Received: from news by abraham.cs.berkeley.edu with local (Exim 4.43) id 1DDX7x-00064I-5z for cfrg@ietf.org; Mon, 21 Mar 2005 16:20:09 -0800
To: cfrg@ietf.org
Path: not-for-mail
From: daw@taverner.cs.berkeley.edu
Newsgroups: isaac.lists.ietf-cfrg
Subject: Re: [Cfrg] RE: Who needs collision-resistance, anyway?
Date: Tue, 22 Mar 2005 00:20:09 +0000
Organization: University of California, Berkeley
Lines: 51
Distribution: isaac
Message-ID: <d1nobp$mp1$1@abraham.cs.berkeley.edu>
References: <NDEFLDJKJNMAKNCBLAJACEJGCAAA.shaih@alum.mit.edu> <d1lr4n$uks$1@abraham.cs.berkeley.edu> <16959.5660.613357.509942@wasa.watson.ibm.com> <6.2.1.2.2.20050321154411.04a33980@203.30.171.17>
NNTP-Posting-Host: taverner.cs.berkeley.edu
X-Trace: abraham.cs.berkeley.edu 1111450809 23329 128.32.168.222 (22 Mar 2005 00:20:09 GMT)
X-Complaints-To: usenet@abraham.cs.berkeley.edu
NNTP-Posting-Date: Tue, 22 Mar 2005 00:20:09 +0000 (UTC)
X-Newsreader: trn 4.0-test76 (Apr 2, 2001)
Originator: daw@taverner.cs.berkeley.edu (David Wagner)
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 8b431ad66d60be2d47c7bfeb879db82c
X-BeenThere: cfrg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: David Wagner <daw-usenet@taverner.cs.berkeley.edu>
List-Id: Crypto Forum Research Group <cfrg.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:cfrg@ietf.org>
List-Help: <mailto:cfrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=subscribe>
Sender: cfrg-bounces@ietf.org
Errors-To: cfrg-bounces@ietf.org
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 82c9bddb247d9ba4471160a9a865a5f3
Charanjit Jutla writes: > In the TCR model, the adversary chooses M first, and then is given IV > (or key) and so he again tries the magic differential to get M' > and will succeed with prob epsilon. This ASSUMES that the magic > differential works equally well on all IV, and there is good reason to > believe this is indeed the case. > > Hence the rejection of MD5*. That assumption doesn't sound like a good one to me. After reading the paper on cryptanalysis of MD5 by Wang and Yu, it does not look to me like their attack works in this way. I think they rely crucially on knowledge of the IV. In particular, they choose a magic differential. However, their differential has a very low probability, and it only works if a whole bunch of conditions on the message bits are satisfied. Then they pick a message which satisfies these conditions. Even this still has too low a probability, so they derive some ways to start with such a message and modify it to bypass a round or two for free. See their section on multi-message modifications. To put it another way, their attack seems to succeed at breaking the collision-resistance, but they don't claim that it breaks the second preimage resistance of the hash function. If there were a magic differential that worked for all messages (and didn't require their constraints and message modification techniques), then second preimage resistance would be broken. Second preimage resistance is indeed a necessary condition for TCR security. In previous work, Dobbertin has a successful second pre-image attack on MD4. This means that there is no hope for MD4 to be TCR-secure. Reading the paper by Wang, Lai, Feng, Chen, and Yu on MD4, they say that they applied their techniques to MD4, and got a different second pre-image attack on MD4. However, their attack only works for a 2^-122 fraction of messages M. They report briefly in the conclusion that there is an improvement due to Yu, Wang, et al which improves this to 2^-72, and that for SHA-0, it is 2^-107. I don't see any other discussion of the possibility of second pre-image attacks on MD5 or SHA1 in their paper, and I don't see any discussion of the TCR property. Presumably this will require some analysis. It could well turn out that their techniques generalize to also find second pre-images and break the TCR property, but I don't think it follows trivially from the existence of collisions. Likewise, I don't think we can reject SHA1* out of hand based merely on the existence of collisions (even ones based on differential analysis). http://www.infosec.sdu.edu.cn/paper/md5-attack.pdf http://www.infosec.sdu.edu.cn/paper/md4-ripemd-attck.pdf http://www.infosec.sdu.edu.cn/people/wangxiaoyun.htm _______________________________________________ Cfrg mailing list Cfrg@ietf.org https://www1.ietf.org/mailman/listinfo/cfrg
- Re: [Cfrg] Who needs collision-resistance, anyway? Daniel Brown
- Re: [Cfrg] Who needs collision-resistance, anyway? Hugo Krawczyk
- [Cfrg] Who needs collision-resistance, anyway? Shai Halevi
- Re: [Cfrg] Who needs collision-resistance, anyway? Russ Housley
- Re: [Cfrg] Who needs collision-resistance, anyway? csjutla
- Re: [Cfrg] Who needs collision-resistance, anyway? Hugo Krawczyk
- Re: [Cfrg] Who needs collision-resistance, anyway? D. J. Bernstein
- Re: [Cfrg] Who needs collision-resistance, anyway? Hugo Krawczyk
- Re: [Cfrg] Who needs collision-resistance, anyway? D. J. Bernstein
- Re: [Cfrg] Who needs collision-resistance, anyway? Hugo Krawczyk
- Re: [Cfrg] Who needs collision-resistance, anyway? D. J. Bernstein
- Re: [Cfrg] Who needs collision-resistance, anyway? David Wagner
- Re: [Cfrg] Who needs collision-resistance, anyway? D. J. Bernstein
- Re: [Cfrg] Who needs collision-resistance, anyway? Michael Silk
- Re: [Cfrg] Who needs collision-resistance, anyway? Daniel Brown
- [Cfrg] Re: Who needs collision-resistance, anyway? Shai Halevi
- [Cfrg] Re: Who needs collision-resistance, anyway? Shai Halevi
- [Cfrg] Is target-collision-resistance really hard… Shai Halevi
- Re: [Cfrg] Who needs collision-resistance, anyway? Hugo Krawczyk
- Re: [Cfrg] Who needs collision-resistance, anyway? D. J. Bernstein
- Re: [Cfrg] Is target-collision-resistance really … D. J. Bernstein
- Re: [Cfrg] Who needs collision-resistance, anyway? david jacobson
- Re: [Cfrg] Who needs collision-resistance, anyway? David Wagner
- RE: [Cfrg] Who needs collision-resistance, anyway? Hallam-Baker, Phillip
- RE: [Cfrg] Who needs collision-resistance, anyway? Doug Whiting
- Re: [Cfrg] Who needs collision-resistance, anyway? David Wagner
- Re: [Cfrg] Who needs collision-resistance, anyway? Steven M. Bellovin
- RE: [Cfrg] Who needs collision-resistance, anyway? Hallam-Baker, Phillip
- RE: [Cfrg] Who needs collision-resistance, anyway? Hugo Krawczyk
- RE: [Cfrg] Who needs collision-resistance, anyway? Hallam-Baker, Phillip
- RE: [Cfrg] Who needs collision-resistance, anyway? Hugo Krawczyk
- Re: [Cfrg] Who needs collision-resistance, anyway? David Wagner
- Re: [Cfrg] Who needs collision-resistance, anyway? David Wagner
- Re: [Cfrg] Who needs collision-resistance, anyway? D. J. Bernstein
- [Cfrg] RE: Who needs collision-resistance, anyway? Shai Halevi
- Re: [Cfrg] RE: Who needs collision-resistance, an… D. J. Bernstein
- Re: [Cfrg] RE: Who needs collision-resistance, an… Jack Lloyd
- Re: [Cfrg] RE: Who needs collision-resistance, an… David Wagner
- Re: [Cfrg] RE: Who needs collision-resistance, an… D. J. Bernstein
- Re: [Cfrg] RE: Who needs collision-resistance, an… David Wagner
- [Cfrg] RE: Who needs collision-resistance, anyway? Shai Halevi
- Re: [Cfrg] RE: Who needs collision-resistance, an… John Wilkinson
- Re: [Cfrg] RE: Who needs collision-resistance, an… D. J. Bernstein
- Re: [Cfrg] RE: Who needs collision-resistance, an… David Wagner
- Re: [Cfrg] RE: Who needs collision-resistance, an… John Wilkinson
- Re: [Cfrg] RE: Who needs collision-resistance, an… david jacobson
- use of hash functions _in_ CPRNGs (Re: [Cfrg] RE:… Adam Back
- Re: [Cfrg] RE: Who needs collision-resistance, an… csjutla
- RE: [Cfrg] RE: Who needs collision-resistance, an… Hallam-Baker, Phillip
- [Cfrg] Re: Who needs collision-resistance, anyway? Shai Halevi
- Re: [Cfrg] RE: Who needs collision-resistance, an… David Wagner
- Re: [Cfrg] RE: Who needs collision-resistance, an… Greg Rose
- Re: [Cfrg] RE: Who needs collision-resistance, an… csjutla
- Re: use of hash functions _in_ CPRNGs (Re: [Cfrg]… david jacobson
- Re: [Cfrg] RE: Who needs collision-resistance, an… David Wagner
- Re: use of hash functions _in_ CPRNGs (Re: [Cfrg]… Adam Back
- Re: [Cfrg] RE: Who needs collision-resistance, an… David Wagner
- Re: [Cfrg] Who needs collision-resistance, anyway? Russ Housley
- Re: [Cfrg] Who needs collision-resistance, anyway? Bodo Moeller