Bad Directions in Cryptographic Hash Functions

  • Daniel J. Bernstein
  • Andreas Hülsing
  • Tanja Lange
  • Ruben Niederhagen
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9144)


A 25-gigabyte “point obfuscation” challenge “using security parameter 60” was announced at the Crypto 2014 rump session; “point obfuscation” is another name for password hashing. This paper shows that the particular matrix-multiplication hash function used in the challenge is much less secure than previous password-hashing functions are believed to be. This paper’s attack algorithm broke the challenge in just 19 minutes using a cluster of 21 PCs.


Keywords: Symmetric cryptography, Hash functions, Password hashing, Point obfuscation, Matrix multiplication, Meet-in-the-middle attacks, Meet-in-many-middles attacks





Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  1. Department of Computer Science, University of Illinois at Chicago, Chicago, USA
  2. Department of Mathematics and Computer Science, Technische Universiteit Eindhoven, Eindhoven, The Netherlands
