Re: proceedings from ECRYPT Hash Workshop 2007
Thanks to Vincent Rijmen and all who provided their papers and presentations. Most of them are there: http://events.iaik.tugraz.at/HashWorkshop07/program.html

Vlastimil Klima

- ORIGINAL MESSAGE -
From: [EMAIL PROTECTED]
To: cryptography@metzdowd.com
Subject: proceedings from ECRYPT Hash Workshop 2007
Date: 28.5.2007 - 8:39:31

> The workshop was very interesting. Will the presentations or papers be
> available on the web soon?
>
> http://events.iaik.tugraz.at/HashWorkshop07/program.html
>
> Vlastimil Klima

- The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
proceedings from ECRYPT Hash Workshop 2007
The workshop was very interesting. Will the presentations or papers be available on the web soon?

http://events.iaik.tugraz.at/HashWorkshop07/program.html

Vlastimil Klima
Special block cipher family DN and hash function family HDN
FYI: Special block cipher family DN and hash function family HDN

--

Notes from the Hash Futures Panel, SECOND CRYPTOGRAPHIC HASH WORKSHOP, Santa Barbara, USA, August 24-25, 2006, http://www.proper.com/lookit/hash-futures-panel-notes.html (Paul Hoffman): "...At the end of this topic, Joux says that we do not understand what we are doing and that we do not really know what we want; there is agreement from all the panelists."

--

I would like to announce: "Special block cipher family DN and new generation SNMAC-type hash function family HDN", IACR ePrint archive Report 2007/050, and source codes, including a benchmark, available on the homepage http://cryptography.hyperlink.cz/SNMAC/SNMAC_EN.html.

The paper also contains an explanation of why we need the new cryptographic primitive for hash functions. In the paper introducing SNMAC (http://eprint.iacr.org/2006/376) I briefly explained why a classical block cipher is not an appropriate building block for the compression function of a hash function. However, I think I didn't stress enough the need for a new cryptographic primitive to build hash functions. I think that the difference between a compression function and a classical block cipher is just the difference between "what we want" and "what we are doing".

--

The differences are briefly (classical block cipher X compression function):

- it contains an element unknown to the attacker X the attacker knows all inputs and is able to manipulate them
- its goal is to hide the plaintext structure and content in the ciphertext, and this is based on a secret element unknown to the attacker X its goal is to hide all structure and content of all inputs in the output, and this is based on a public function
- if the key is not variable, the function is a permutation X we need a random transformation
- invertible X one-way
- it is easy to create collisions X we need protection against it

--

Hope that the new concept will be discussed.

Best regards,
Vlastimil Klima
A new generation of hash functions SNMAC
We would like to announce:
- A new cryptographic primitive SBC (special block cipher)
- A family of hash functions SNMAC as candidates for hash functions of the new generation

The paper "A New Concept of Hash Functions SNMAC Using a Special Block Cipher and NMAC/HMAC Constructions" was sent to EUROCRYPT 2007. Its extended version is available as IACR eprint Report 2006/376, http://eprint.iacr.org/2006/376.pdf.

We ought to publish concrete instances of SBC (special block cipher DN) and of SNMAC (hash function HDN) on the SNMAC homepage as soon as possible (waiting for approval of the publication). SNMAC homepage: http://cryptography.hyperlink.cz/SNMAC/SNMAC_EN.html

The paper also contains an explanation of why we need the new cryptographic primitive for hash functions. It also describes the procedure which led to the proposals of SBC and SNMAC.

We hope that the new concept will be discussed.

Vlastimil Klima, http://cryptography.hyperlink.cz/
Re: MD5 trick
> * [EMAIL PROTECTED] wrote:
>
> > Of course, it is a trick. Yesterday I updated my paper "Tunnels in
> > Hash Functions: MD5 Collisions Within a Minute"
> > (http://eprint.iacr.org/2006/105.pdf) and MD5 collision program
> > (http://cryptography.hyperlink.cz/2006/web_version_1.zip).
>
> just being curious: from what you write, it looks like a pure
> win-only source. do you happen to have a version that compiles on
> some kind of unix?

On the hash homepage http://cryptography.hyperlink.cz/MD5_collisions.html there is a mutation of the program by Pavel Dufek: "...customizable init vector. Compilable in Windows (mingw gcc tested) and Linux (gcc)."

Vlastimil
MD5 trick
The trick could be shortly expressed as follows: "Give me three files and I will give you another three with the same MD5 hash."

Of course, it is a trick. Yesterday I updated my paper "Tunnels in Hash Functions: MD5 Collisions Within a Minute" (http://eprint.iacr.org/2006/105.pdf) and the MD5 collision program (http://cryptography.hyperlink.cz/2006/web_version_1.zip). Now the average time of an MD5 collision is 17 seconds on a PC Intel Pentium 4 (3.2 MHz).

I asked Ondrej Mikle to write the program "pack3". Thanks to him, you can find the program on http://cryptography.hyperlink.cz/2006/selfextract.zip

Usage: pack3 file1 file2 file3 file4 file5 file6

will create two packages, package1.exe and package2.exe. Both will have the same MD5 sum, while package1.exe will extract files 1-3 and package2.exe will extract files 4-6.

It enables attacking the SW distribution process, for instance. A department distributing SW (to clients, web, etc.) could distribute package2, whilst it is signed by the SW development department as package1. The trick is very easy here, because it is the attacker who creates the colliding packages.

A toy scenario: The SW development department sends the source to the distributing department. It adds a readme or help files and returns the complete package (package1) to the SW development department. Of course, the SW development department runs package1.exe and checks byte by byte that the original source files aren't changed. Now it signs it.

Another one: The third party prepares a contract. The contract is sent to both buyer (package1) and seller (package2) and signed by both parties.

The structure of package1,2 is trivial. The first part is common, the second part contains colliding blocks and the third part contains the table of files file1 file2 file3 file4 file5 file6. Package.exe decompresses file1 file2 file3 or file4 file5 file6 according to a specified bit value in the second part.

Because now it is very quick to generate an MD5 collision for any chosen IV, it is possible to write the first part arbitrarily and then generate a collision. Note that the number of files could be arbitrary and there are more clever scenarios. The program serves only as a toy example of how to get around the necessity of creating the second preimage.

Vlastimil Klima
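The package layout described in the post (an arbitrary common first part, a pair of colliding blocks, a shared tail) works because MD5 is an iterated Merkle-Damgård construction: the collision search has to start from the chaining value reached after the first part (the "chosen IV"), and once both variants of the second part reach the same chaining value, any shared tail produces the same digest. The Python below is an added example, not code from the post or from the pack3 program. It re-implements the MD5 compression function so that the chaining value after a prefix can be read out and the digest finished from it, and cross-checks the staged computation against hashlib. The function names (md5_compress, chaining_value_after, md5_continue, package_md5, matches_hashlib) and the sample bytes are this example's own; the sample second parts do not collide and the code finds no collisions. The lesson for a signer follows directly: a signature over an MD5 sum binds only the chaining value, so the signed digest must come from a collision-resistant hash of the actual bytes.

```python
"""MD5 as an iterated construction: the chaining value after the common
first part is the 'chosen IV' of a collision search, and a shared tail
keeps the collision.  Added example, not the pack3 program."""
import hashlib
import math
import struct

M32 = 0xFFFFFFFF
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)  # standard MD5 IV
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
K = [int(abs(math.sin(i + 1)) * 2 ** 32) & M32 for i in range(64)]  # round constants


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & M32


def md5_compress(state, block):
    """One MD5 compression: 128-bit chaining value + 64-byte block -> new chaining value."""
    a0, b0, c0, d0 = state
    m = struct.unpack("<16I", block)
    a, b, c, d = a0, b0, c0, d0
    for i in range(64):
        if i < 16:                       # round 1, function F
            f, g = (b & c) | (~b & M32 & d), i
        elif i < 32:                     # round 2, function G
            f, g = (d & b) | (~d & M32 & c), (5 * i + 1) % 16
        elif i < 48:                     # round 3, function H
            f, g = b ^ c ^ d, (3 * i + 5) % 16
        else:                            # round 4, function I
            f, g = c ^ (b | (~d & M32)), (7 * i) % 16
        f = (f + a + K[i] + m[g]) & M32
        a, d, c = d, c, b
        b = (b + _rotl(f, S[i])) & M32
    return ((a0 + a) & M32, (b0 + b) & M32, (c0 + c) & M32, (d0 + d) & M32)


def chaining_value_after(prefix):
    """Chaining value after absorbing a prefix that is a whole number of 64-byte blocks.

    A block-level collision search must start from exactly this state: a
    colliding block pair is only valid for the chaining value it was found for."""
    if len(prefix) % 64:
        raise ValueError("prefix must be a whole number of 64-byte blocks")
    state = IV
    for off in range(0, len(prefix), 64):
        state = md5_compress(state, prefix[off:off + 64])
    return state


def md5_continue(state, absorbed_len, tail):
    """Finish MD5 from an intermediate chaining value: absorb tail, then the
    standard padding.  absorbed_len is the byte count already inside state;
    it is needed because the length field covers the whole message."""
    total = absorbed_len + len(tail)
    data = tail + b"\x80" + b"\x00" * ((55 - total) % 64)
    data += struct.pack("<Q", (total * 8) & 0xFFFFFFFFFFFFFFFF)
    for off in range(0, len(data), 64):
        state = md5_compress(state, data[off:off + 64])
    return struct.pack("<4I", *state).hex()


def package_md5(head, second_part, tail):
    """MD5 of head || second_part || tail, computed in the three stages of the
    package layout.  The result depends on second_part only through the
    chaining value after it, so two second parts that reach the same state
    give the same digest for every tail."""
    absorbed = head + second_part
    return md5_continue(chaining_value_after(absorbed), len(absorbed), tail)


def matches_hashlib(head, second_part, tail):
    """Cross-check the staged computation against the library MD5."""
    return package_md5(head, second_part, tail) == hashlib.md5(head + second_part + tail).hexdigest()


# Constructed sample layout; these second parts do NOT collide.
SAMPLE_HEAD = b"# common first part of the package (constructed sample)\n".ljust(64, b"\x00")
SAMPLE_BLOCKS_A = b"A" * 128
SAMPLE_BLOCKS_B = b"B" * 128
SAMPLE_TAIL = b"file table: file1 file2 file3 file4 file5 file6\n"

if __name__ == "__main__":
    iv = chaining_value_after(SAMPLE_HEAD)
    print("chaining value after head (the chosen IV):", ["%08x" % w for w in iv])
    print("package1:", package_md5(SAMPLE_HEAD, SAMPLE_BLOCKS_A, SAMPLE_TAIL))
    print("package2:", package_md5(SAMPLE_HEAD, SAMPLE_BLOCKS_B, SAMPLE_TAIL))
```

Running the script prints the chaining value after the constructed head and the two (different) package digests. The same staged computation is what makes a shared third part harmless to the attacker: once the two second parts agree on the chaining value, md5_continue is fed identical inputs for both packages.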
Re: [Cfrg] HMAC-MD5
I think that we have the "evidence". The security of MD5 depends heavily on a lot of nonlinearities in the functions F, G, I and on carries in arithmetic additions. Nonlinearities in F, G, I are bitwise and very weak. Carries are much stronger, but the collision attacks showed that it is possible to control them also. New differential schemes (paths) could be proposed, new ways of controlling the interior variables of MD5 could be discovered. It could lead to second preimage attacks and maybe further.

Vlastimil Klima

- ORIGINAL MESSAGE -
From: "Victor Duchovni" <[EMAIL PROTECTED]>
To: cryptography@metzdowd.com
Subject: Re: [Cfrg] HMAC-MD5
Date: 29.3.2006 - 21:14:06

> On Wed, Mar 29, 2006 at 10:51:08AM +0200, [EMAIL PROTECTED] wrote:
>
> > I am nearly sure that a preimage attack (MD5) will be found in the
> > next two or three years.
>
> Is there already evidence of progress in that direction?
>
> --
> Viktor.
Re: [Cfrg] HMAC-MD5
I agree with Steven's "I'd rather avoid HMAC-MD5, just as a matter of future-proofing". And more. I am nearly sure that a preimage attack (MD5) will be found in the next two or three years.

Vlastimil Klima
http://cryptography.hyperlink.cz

- ORIGINAL MESSAGE -
From: "Steven M. Bellovin" <[EMAIL PROTECTED]>
To: "Russ Housley" <[EMAIL PROTECTED]>
Subject: Re: [Cfrg] HMAC-MD5
Date: 29.3.2006 - 1:11:25

> On Tue, 28 Mar 2006 16:20:59 -0500, Russ Housley <[EMAIL PROTECTED]> wrote:
>
> > At the SAAG session last week, Sam and I were asked about HMAC-MD5.
> > Is it safe to keep using it? Should we encourage people to use
> > HMAC-SHA1 or HMAC-SHA256 instead? Why?
> >
> > Please provide advice on this matter in the next two weeks. We have
> > one working group that needs this advice very soon.
>
> There are no risks from HMAC-MD5 from collision attacks. Hash function
> design has suddenly become a very hot topic, though. Collision-finding
> attacks on MD5 have gotten a lot faster, and people are starting to
> look very hard at the basic design. I personally will not be surprised
> if a preimage attack is found in the next two or three years, in which
> case all bets are off. (I've made this statement before; others have
> disagreed with me on the likelihood of collision attacks.) I'd rather
> avoid HMAC-MD5, just as a matter of future-proofing.
>
> --Steven M. Bellovin, http://www.cs.columbia.edu/~smb
>
> ___
> Cfrg mailing list
> [EMAIL PROTECTED]
> https://www1.ietf.org/mailman/listinfo/cfrg
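Bellovin's point that collision attacks do not directly threaten HMAC-MD5 comes from the HMAC construction itself (the NMAC/HMAC construction that the SNMAC announcement earlier on this page also builds on): both hash calls start with a block derived from the secret key, so the attacker controls neither call's full input, and the inner hash's output is hashed again under a second keyed block. The Python below is an added example, not code from the thread. It writes HMAC out as RFC 2104 defines it on top of hashlib, cross-checks it against the standard library's hmac module, verifies tags in constant time, and adds an algorithm allow-list so that retiring HMAC-MD5 as a matter of future-proofing is a policy change rather than a code change. The function names (hmac_rfc2104, verify_tag, verify_with_policy, matches_stdlib) and the keys and messages are this example's own.

```python
"""HMAC (RFC 2104) written out generically over hashlib, with a hash-agility
policy wrapper.  Added example, not code from the HMAC-MD5 thread."""
import hashlib
import hmac


def hmac_rfc2104(key: bytes, msg: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC = H((K' ^ opad) || H((K' ^ ipad) || msg)), K' = key padded to the block size.

    The attacker never sees K' ^ ipad or K' ^ opad, so neither hash call starts
    from the public IV with attacker-chosen data: a plain collision on the
    underlying hash does not translate into a tag forgery."""
    block_size = hashlib.new(hash_name).block_size   # 64 bytes for MD5, SHA-1, SHA-256
    if len(key) > block_size:                        # long keys are hashed first ...
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block_size, b"\x00")             # ... then zero-padded to one block
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.new(hash_name, ipad + msg).digest()
    return hashlib.new(hash_name, opad + inner).digest()


def verify_tag(key: bytes, msg: bytes, tag: bytes, hash_name: str = "sha256") -> bool:
    """Constant-time comparison so the check itself does not leak the tag."""
    return hmac.compare_digest(hmac_rfc2104(key, msg, hash_name), tag)


def verify_with_policy(key: bytes, msg: bytes, tag: bytes, hash_name: str,
                       allowed=("sha256",)) -> bool:
    """Hash agility: refuse a tag computed with an algorithm outside the
    allow-list even if it would verify, so retiring HMAC-MD5 is a one-line
    policy change instead of a hunt through the code base."""
    if hash_name not in allowed:
        return False
    return verify_tag(key, msg, tag, hash_name)


def matches_stdlib(key: bytes, msg: bytes, hash_name: str) -> bool:
    """Cross-check the hand-written construction against the hmac module."""
    return hmac_rfc2104(key, msg, hash_name) == hmac.new(key, msg, hash_name).digest()


if __name__ == "__main__":
    # Constructed sample key and message.
    key, msg = b"constructed-sample-key", b"advice requested in the next two weeks"
    for name in ("md5", "sha256"):
        tag = hmac_rfc2104(key, msg, name)
        print(name, tag.hex(), "stdlib-match:", matches_stdlib(key, msg, name),
              "accepted by policy:", verify_with_policy(key, msg, tag, name))
```

With the default allow-list the MD5 tag is rejected even though it verifies, which is the future-proofing stance of the thread expressed as configuration: the algorithm name travels with the tag, and the policy decides what is still acceptable.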
Tunnels accelerate MD5 collisions
Hi all,

according to my paper "Tunnels in Hash Functions: MD5 Collisions Within a Minute", I programmed tunnels for searching the second block of the MD5 collision message also. In the zero version of the program I used tunnels only in the first block to demonstrate the method. It took 23 seconds; now it takes 1 second. Together with the first block (optimized from 60 s to 30 s) it generates an MD5 collision per 31 seconds on average (slow notebook Acer, Pentium, 1.6 GHz).

The paper, source code and Windows exe are available on http://cryptography.hyperlink.cz/MD5_collisions.html

regards,
Vlastimil Klima
http://cryptography.hyperlink.cz/
Tunnels in Hash Functions: MD5 Collisions in 40 seconds
Congratulations to Marc Stevens, who described a method for a fast collision attack on MD5!

Just now (! it is a collision !) I have finished the translation of my paper Vlastimil Klima: "Tunnels in Hash Functions: MD5 Collisions Within a Minute". It is based on a new method, tunneling. Using it on MD5 gives a collision in 40 seconds on a 3 GHz Pentium 4. (Actually I used a notebook two times slower, with a time of about 80 seconds.) I expect the publication on eprint also, but I will put it on my web together with the source code of the program in one or two hours. It is http://cryptography.hyperlink.cz/MD5_collisions.html

Vlastimil Klima
http://cryptography.hyperlink.cz/

--
From: "Weger, B.M.M. de" <[EMAIL PROTECTED]>
To: cryptography@metzdowd.com
Subject: MD5 collisions in one minute
Date: 17.3.2006 - 19:37:20

> Hi all,
>
> You might be interested in knowing that my MSc student
> Marc Stevens has found a considerable speedup of MD5
> collision generation. His improvements of Wang's method
> enable one to make MD5 collisions typically in one
> minute on a PC; sometimes it takes a few minutes, and
> sometimes only a few seconds.
> His paper (shortly to appear on the Cryptology ePrint
> Archive) can be found on http://www.win.tue.nl/hashclash/,
> where we've also made his software available (source code
> and a Win32 executable).
> Grtz,
> Benne de Weger
Crypto 2005 papers on SHA-0 and SHA-1 collisions
Wang et al. published their Crypto 2005 papers on SHA-0 and SHA-1 collisions. Maybe you will find it interesting: http://www.infosec.sdu.edu.cn/people/wangxiaoyun.htm

Vlastimil Klima
Finding MD5 Collisions - a Toy For a Notebook
I would like to announce my work Vlastimil Klima: "Finding MD5 Collisions - a Toy For a Notebook", March 5, 2005, http://cryptography.hyperlink.cz/md5/MD5_collisions.pdf

Vlastimil