Efficient Construction of the Kite Generator Revisited

  • Conference paper
Cyber Security Cryptography and Machine Learning (CSCML 2018)

Abstract

The kite generator, first introduced by Andreeva et al. [1], is a strongly connected directed graph that allows creating a message of almost any desired length, connecting two chaining values covered by the kite generator. The kite generator can be used in second pre-image attacks against (dithered) Merkle-Damgård hash functions.

In this work we discuss the complexity of constructing the kite generator. We show that the analysis of the construction of the kite generator first described by Andreeva et al. is somewhat inaccurate and discuss its actual complexity. We then present a new method for a more efficient construction of the kite generator, cutting the running time of the preprocessing by half compared with the original claims of Andreeva et al., or by a linear factor compared to the corrected analysis. Finally, we adapt the new method to the dithered Merkle-Damgård structure.

Notes

  1.

    We describe here the standard padding step done in many real hash functions such as MD5 and SHA1. Other variants of this step exist, all aiming to achieve prefix-freeness.

  2.

    It is common to set \(2^{\ell }-1\) as the maximal length of a message.

  3.

    Note that using this method \(d_{out}(a)\) follows a Poi(2) distribution, and about \(13\%\) of the chaining values are expected to have \(d_{out}(a)=0\). To solve this issue, it is possible to generate for each chaining value as many message blocks as needed to find two out-edges. Now, the average time complexity needed for a chaining value a is \(2^{k+1}\). The actual running time for a given chaining value is the sum of two geometric random variables with mean \(2^k\) each. Hence, the total running time is the sum of \(2^{n-k+1}\) geometric random variables \(X_i\sim Geo(2^{-k})\). Since \(\sum _{i=1}^{2^{n-k+1}}(X_i-1)\sim NB(2^{n-k+1},1-2^{-k})\), then \(\sum _{i=1}^{2^{n-k+1}}X_i\sim 2^{n-k+1}+NB(2^{n-k+1},1-2^{-k})\). Therefore, \(E[\sum _{i=1}^{2^{n-k+1}}X_i]=2^{n-k+1}+\frac{(1-2^{-k})2^{n-k+1}}{2^{-k}} = 2^{n+1}\) with a standard deviation of \(\frac{\sqrt{2^{n-k+1}(1-2^{-k})}}{2^{-k}}\le 2^{\frac{n+k+1}{2}}\).

  4.

    Andreeva et al. [1] note that it is possible to find the common chaining value by a more sophisticated algorithm which requires the same time but negligible additional memory, using memoryless collision finding. Our findings affect these variants as well.

  5.

    It is not necessary to use only two different message blocks in the setting, but it is possible since they are used for different chaining values.

  6.

    With high probability we expect some collisions in A. This can be easily solved during the construction: If a chaining value \(f(h_i,m_j)\) is already generated, replace the message block \(m_j\) one by one until a new chaining value is reached. It is easy to see that the additional time complexity is negligible.

  7.

    Again, in this step we actually need to generate for each chaining value as many message blocks as needed to find two out-edges. Now, the average time complexity needed for a chaining value a is \(2^{k+1}\). The actual running time for a given chaining value is the sum of two geometric random variables with mean \(2^k\) each. Hence, the total running time is the sum of \(2^{n-k}\) geometric random variables \(X_i\sim Geo(2^{-k})\). Since \(\sum _{i=1}^{2^{n-k}}(X_i-1)\sim NB(2^{n-k},1-2^{-k})\), then \(\sum _{i=1}^{2^{n-k}}X_i\sim 2^{n-k}+NB(2^{n-k},1-2^{-k})\). Therefore, \(E[\sum _{i=1}^{2^{n-k}}X_i]=2^{n-k}+\frac{(1-2^{-k})2^{n-k}}{2^{-k}} = 2^{n}\) with a standard deviation of \(\frac{\sqrt{2^{n-k}(1-2^{-k})}}{2^{-k}}\le 2^{\frac{n+k}{2}}\).

  8.

    This issue also arises in the online phase, when the adversary looks for common chaining values between the two lists described in Sect. 3.1. The fix is similar: increase the size of these lists accordingly.
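
The out-degree and running-time claims in notes 3 and 7 can be checked empirically on a toy instance. The following Python simulation is an added example, not code from the paper; the truncated SHA-256 compression function, the parameters n = 16 and k = 4, the choice of A as the \(2^{n-k}\) smallest values, and all function names are assumptions made for illustration.

```python
import hashlib
import math

N, K = 16, 4                  # toy sizes (assumption): n-bit chaining values, |A| = 2^(n-k)
A_SIZE = 1 << (N - K)

def f(h: int, m: int) -> int:
    """Toy compression function: SHA-256 truncated to N bits (stand-in, not a real design)."""
    d = hashlib.sha256(h.to_bytes(4, "big") + m.to_bytes(8, "big")).digest()
    return int.from_bytes(d[:4], "big") >> (32 - N)

def in_A(x: int) -> bool:
    # Constructed set A: the 2^(n-k) smallest values, so a random output
    # of f lands in A with probability 2^-k.
    return x < A_SIZE

def zero_outdegree_fraction(blocks_per_value: int = 1 << (K + 1)) -> float:
    """Fixed budget of 2^(k+1) blocks per value: fraction of values with d_out(a) = 0."""
    zero = 0
    for a in range(A_SIZE):
        if not any(in_A(f(a, m)) for m in range(blocks_per_value)):
            zero += 1
    return zero / A_SIZE

def calls_until_two_edges(num_values: int) -> int:
    """Try blocks for each value until two out-edges are found; return total calls to f."""
    total = 0
    for a in range(num_values):
        found, m = 0, 0
        while found < 2:
            found += in_A(f(a, m))
            m += 1
        total += m
    return total

def predicted(num_values: int):
    """Mean and standard deviation from the negative-binomial argument in the notes."""
    r, p = 2 * num_values, 2.0 ** -K     # r geometric variables Geo(p), two per value
    return r / p, math.sqrt(r * (1 - p)) / p

if __name__ == "__main__":
    print("d_out = 0 fraction:", zero_outdegree_fraction(), "vs e^-2 =", math.exp(-2))
    # 2^(n-k) values give the 2^(n-k+1) variables of note 3;
    # half as many give the 2^(n-k) variables of note 7.
    for nv in (A_SIZE, A_SIZE // 2):
        print(nv, "values:", calls_until_two_edges(nv), "calls, predicted", predicted(nv))
```

With k = 4 the fixed-budget out-degree is Binomial(32, 1/16) rather than exactly Poisson, so the measured zero-out-degree fraction sits slightly below \(e^{-2}\).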

References

  1. Andreeva, E., Bouillaguet, C., Dunkelman, O., Fouque, P.-A., Hoch, J., Kelsey, J., Shamir, A., Zimmer, S.: New second-preimage attacks on hash functions. J. Cryptol. 29(4), 657–696 (2016)

  2. Andreeva, E., Bouillaguet, C., Fouque, P.-A., Hoch, J.J., Kelsey, J., Shamir, A., Zimmer, S.: Second preimage attacks on dithered hash functions. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 270–288. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78967-3_16

  3. Athreya, K.B., Ney, P.E.: Dover books on mathematics. In: Branching Processes, pp. 1–8. Dover Publications, New York (2004). Chap. 1

  4. Blackburn, S.R., Stinson, D.R., Upadhyay, J.: On the complexity of the herding attack and some related attacks on hash functions. Des. Codes Crypt. 64(1–2), 171–193 (2012)

  5. Damgård, I.B.: A design principle for hash functions. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 416–427. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0_39

  6. Dean, R.D.: Formal aspects of mobile code security. Ph.D. thesis, Princeton University, Princeton (1999)

  7. Joux, A.: Multicollisions in iterated hash functions. application to cascaded constructions. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 306–316. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-28628-8_19

  8. Kelsey, J., Kohno, T.: Herding hash functions and the nostradamus attack. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 183–200. Springer, Heidelberg (2006). https://doi.org/10.1007/11761679_12

  9. Kelsey, J., Schneier, B.: Second preimages on n-bit hash functions for much less than \(2^n\) work. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 474–490. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_28

  10. Kortelainen, T., Kortelainen, J.: On diamond structures and trojan message attacks. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013. LNCS, vol. 8270, pp. 524–539. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-42045-0_27

  11. Merkle, R.C.: One way hash functions and DES. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 428–446. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0_40

  12. National Institute of Standards and Technology: Secure hash standard. FIPS, PUB 17, 3–180 (1995)

  13. Rivest, R.L.: Abelian square-free dithering for iterated hash functions. In: ECrypt Hash Function Workshop, vol. 21, June 2005

  14. Weizmann, A., Dunkelman, O., Haber, S.: Efficient construction of diamond structures. In: Patra, A., Smart, N.P. (eds.) INDOCRYPT 2017. LNCS, vol. 10698, pp. 166–185. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-71667-1_9

Acknowledgements

The research of Ariel Weizman was supported by the European Research Council under the ERC starting grant agreement n. 757731 (LightCrypt) and by the BIU Center for Research in Applied Cryptography and Cyber Security in conjunction with the Israel National Cyber Bureau in the Prime Minister’s Office.

Author information

Corresponding author

Correspondence to Orr Dunkelman.

Copyright information

© 2018 Springer International Publishing AG, part of Springer Nature

About this paper

Cite this paper

Dunkelman, O., Weizman, A. (2018). Efficient Construction of the Kite Generator Revisited. In: Dinur, I., Dolev, S., Lodha, S. (eds) Cyber Security Cryptography and Machine Learning. CSCML 2018. Lecture Notes in Computer Science, vol 10879. Springer, Cham. https://doi.org/10.1007/978-3-319-94147-9_2

  • DOI: https://doi.org/10.1007/978-3-319-94147-9_2

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-94146-2

  • Online ISBN: 978-3-319-94147-9

  • eBook Packages: Computer Science (R0)
