IETF Logo Mail Archive

Re: [Cfrg] RE: Who needs collision-resistance, anyway?

daw@taverner.cs.berkeley.edu (David Wagner) Tue, 22 March 2005 00:22 UTC

Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id TAA17259 for <cfrg-web-archive@ietf.org>; Mon, 21 Mar 2005 19:22:59 -0500 (EST)
Received: from megatron.ietf.org ([132.151.6.71]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1DDXFt-0001Fr-PX for cfrg-web-archive@ietf.org; Mon, 21 Mar 2005 19:28:23 -0500
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1DDX9Q-0001Y1-D7; Mon, 21 Mar 2005 19:21:40 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1DDX9O-0001Xu-Ts for cfrg@megatron.ietf.org; Mon, 21 Mar 2005 19:21:38 -0500
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id TAA17127 for <cfrg@ietf.org>; Mon, 21 Mar 2005 19:21:35 -0500 (EST)
Received: from abraham.cs.berkeley.edu ([128.32.37.170]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1DDXEY-0001BA-Pf for cfrg@ietf.org; Mon, 21 Mar 2005 19:26:59 -0500
Received: from news by abraham.cs.berkeley.edu with local (Exim 4.43) id 1DDX7x-00064I-5z for cfrg@ietf.org; Mon, 21 Mar 2005 16:20:09 -0800
To: cfrg@ietf.org
Path: not-for-mail
From: daw@taverner.cs.berkeley.edu
Newsgroups: isaac.lists.ietf-cfrg
Subject: Re: [Cfrg] RE: Who needs collision-resistance, anyway?
Date: Tue, 22 Mar 2005 00:20:09 +0000
Organization: University of California, Berkeley
Lines: 51
Distribution: isaac
Message-ID: <d1nobp$mp1$1@abraham.cs.berkeley.edu>
References: <NDEFLDJKJNMAKNCBLAJACEJGCAAA.shaih@alum.mit.edu> <d1lr4n$uks$1@abraham.cs.berkeley.edu> <16959.5660.613357.509942@wasa.watson.ibm.com> <6.2.1.2.2.20050321154411.04a33980@203.30.171.17>
NNTP-Posting-Host: taverner.cs.berkeley.edu
X-Trace: abraham.cs.berkeley.edu 1111450809 23329 128.32.168.222 (22 Mar 2005 00:20:09 GMT)
X-Complaints-To: usenet@abraham.cs.berkeley.edu
NNTP-Posting-Date: Tue, 22 Mar 2005 00:20:09 +0000 (UTC)
X-Newsreader: trn 4.0-test76 (Apr 2, 2001)
Originator: daw@taverner.cs.berkeley.edu (David Wagner)
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 8b431ad66d60be2d47c7bfeb879db82c
X-BeenThere: cfrg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: David Wagner <daw-usenet@taverner.cs.berkeley.edu>
List-Id: Crypto Forum Research Group <cfrg.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:cfrg@ietf.org>
List-Help: <mailto:cfrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=subscribe>
Sender: cfrg-bounces@ietf.org
Errors-To: cfrg-bounces@ietf.org
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 82c9bddb247d9ba4471160a9a865a5f3

Charanjit Jutla writes:
> In the TCR model, the adversary chooses M first, and then is given IV
> (or key) and so he again tries the magic differential to get M'
> and will succeed with prob epsilon. This ASSUMES that the magic
> differential works equally well on all IV, and there is good reason to
> believe this is indeed the case.
> 
> Hence the rejection of MD5*.

That assumption doesn't sound like a good one to me.

After reading the paper on cryptanalysis of MD5 by Wang and Yu, it does
not look to me like their attack works in this way.  I think they rely
crucially on knowledge of the IV.  In particular, they choose a magic
differential.  However, their differential has a very low probability,
and it only works if a whole bunch of conditions on the message bits are
satisfied.  Then they pick a message which satisfies these conditions.
Even this still has too low a probability, so they derive some ways to
start with such a message and modify it to bypass a round or two for free.
See their section on multi-message modifications.

To put it another way, their attack seems to succeed at breaking the
collision-resistance, but they don't claim that it breaks the second
preimage resistance of the hash function.  If there were a magic
differential that worked for all messages (and didn't require their
constraints and message modification techniques), then second preimage
resistance would be broken.  Second preimage resistance is indeed a
necessary condition for TCR security.

In previous work, Dobbertin has a successful second pre-image attack
on MD4.  This means that there is no hope for MD4 to be TCR-secure.
Reading the paper by Wang, Lai, Feng, Chen, and Yu on MD4, they say
that they applied their techniques to MD4, and got a different second
pre-image attack on MD4.  However, their attack only works for a 2^-122
fraction of messages M.  They report briefly in the conclusion that there
is an improvement due to Yu, Wang, et al which improves this to 2^-72,
and that for SHA-0, it is 2^-107.

I don't see any other discussion of the possibility of second pre-image
attacks on MD5 or SHA1 in their paper, and I don't see any discussion
of the TCR property.  Presumably this will require some analysis.

It could well turn out that their techniques generalize to also find
second pre-images and break the TCR property, but I don't think it follows
trivially from the existence of collisions.  Likewise, I don't think we
can reject SHA1* out of hand based merely on the existence of collisions
(even ones based on differential analysis).

http://www.infosec.sdu.edu.cn/paper/md5-attack.pdf
http://www.infosec.sdu.edu.cn/paper/md4-ripemd-attck.pdf
http://www.infosec.sdu.edu.cn/people/wangxiaoyun.htm

_______________________________________________
Cfrg mailing list
Cfrg@ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email