对缩减轮数SM3散列函数改进的原像与伪碰撞攻击

doi:10.11959/j.issn.1000-436x.2018011

Abstract

Abstract:

A preimage attack on 32-step SM3 hash function and a pseudo-collision attack on 33-step SM3 hash function respectively were shown.32-step preimage attack was based on the differential meet-in-the-middle and biclique technique,while the previously known best preimage attack on SM3 was only 30-step.The 33-step pseudo-collision attack was constructed by using the same techniques.The preimage attack on 32-step SM3 can be computed with a complexity of 2^254.5,and a memory of 2⁵.Furthermore,The pseudo-preimage and pseudo-collision attacks on 33-step SM3 by extending the differential characteristic of the 32-step preimage attack were present.The pseudo-collision attack on 33-step SM3 can be computed with a complexity of 2^126.7,and a memory of 2³.

Key words: SM3 hash function, preimage attack, pseudo-collision attack, differential meet-in-the-middle, biclique

CLC Number:

TP309

Jian ZOU,Le DONG. Improved preimage and pseudo-collision attacks on SM3 hash function[J]. Journal on Communications, 2018, 39(1): 46-55.

Figures/Tables 10

References 11

[1]	SASAKI Y , AOKI K . Preimage attacks on step-reduced MD5[C]// The 13th Information Security and Privacy Australasian Conference. 2008: 282-296.
[2]	GUO J , LING S , RRCHBERGER C . Advanced meet-in-the-middle preimage attacks:first results on full Tiger,and improved results on MD4 and SHA-2[C]// The 16th International Conference on the Theory and Application of Cryptology and Information Security. 2010: 56-75.
[3]	CANNIERE D C , RECHBERGER C . Preimages for reduced SHA-0 and SHA-1[C]// The 28th Annual International Cryptology Conference, 2008: 179-202.
[4]	KHOVRATOVICH D , RECHBERGER C , SAVELIEVA A . Bicliques for preimages:attacks on skein-512 and the SHA-2 family[C]// The 19th Fast Software Encryption International Workshop. 2012: 244-263.
[5]	LI J , ISOBE T , SHIBUTANI K . Converting meet-in-the-middle preimage attack into pseudo collision attack:application to SHA-2[C]// The 19th Fast Software Encryption International Workshop. 2012: 264-286.
[6]	KNELLWOLF S , KHOVRATOVICH D . New preimage attacks against reduced SHA-1[C]// The Advances in Cryptology 32nd Annual Cryptology Conference. 2012: 367-383.
[7]	ZOU J , WU W.L , WU S ,et al. Preimage attacks on step-reduced sm3 hash function[C]// The 14th Information Security and Cryptology International Conference. 2011: 375-390.
[8]	WANG G L , SHEN Y . Z:Preimage and pseudo-collision attacks on step-reduced SM3 hash function[J]. Inf Process Lett, 2013,113(8): 301-306.
[9]	MENDEL F , NAD T , SCHLAFER M . Finding collisions for round-reduced SM3[C]// The Cryptographers' Track at the {RSA}Conference 2013. 2013: 174-188.
[10]	AOKI K , SASAKI Y . Preimage attacks on one-block MD4,63-step MD5 and more[S]// Workshop Records of SAC 2008. 2008: 82-98.
[11]	PAUL C O A , MENEZES J , SCOTT A . Vanstone.handbook of applied cryptography[M]. CRC Press, 1996.

Metrics

Recommended 0

No Suggested Reading articles found!

攻击目标及轮数	攻击类型	时间复杂度	存储复杂度	文献
30轮SM3（从第7轮开始）	原像攻击	2 ²⁴⁹	2 ¹⁶	文献[7]
30轮SM3（从第1轮开始）	原像攻击	2 ^251.1	2⁶	文献[8]
31轮SM3（从第2轮开始）	原像攻击	2 ^252.4	2 ¹⁰	本文
32轮SM3（从第4轮开始）	原像攻击	2 ^254.5	2⁵	本文
20轮SM3（从第1轮开始）	碰撞攻击	实际可行	实际可行	文献[9]
24轮SM3（从第1轮开始）	伪碰撞攻击	实际可行	实际可行	文献[9]
32轮SM3（从第1轮开始）	伪碰撞攻击	2 ^125.1	2⁶	文献[8]
33轮SM3（从第3轮开始）	伪碰撞攻击	2 ^126.7	2³	本文

差分				步函数
差分	18	…	28	29	30	31	32
ΔW	0	…	0	0	0	0	0
ΔW '	0	…	0	Δ₁	0	0	?
ΔA	0	…	0	?	?	?	?
ΔB	0	…	0	0	?	?	?
ΔC	0	…	0	0	0	?	?
ΔD	0	…	0	0	0	0	?
ΔE	0	…	0	0	?	?	?
ΔF	0	…	0	0	0	?	?
ΔG	0	…	0	0	0	0	?
ΔH	0	…	0	0	0	0	0
概率	1	…	1	1	1	1	1

差分				步函数
差分	15	…	5		4	3	2
ΔW	0	…	0		Δ₂	0	0
ΔW '	0	…	0		Δ₂	0	0
ΔA	0	…	0		0	0	0
ΔB	0	…	0		0	0	Δ₄
ΔC	0	…	0		0	Δ₃	Δ₃
ΔD	0	…	0		Δ₃	Δ₃	Δ₄
ΔE	0	…	0		0	0	0
ΔF	0	…	0		0	0	Δ₅
ΔG	0	…	0		0	Δ₃	Δ₃
ΔH	0	…	0		Δ₃	Δ₃	Δ₆
概率	1	…	1		1	1	1?2^?2

差分				步函数
差分	21	…	31	32	33	34	35
ΔW	0	…	0	0	0	0	0
ΔW '	0	…	0	Δ₇	0	0	?
ΔA	0	…	0	?	?	?	?
ΔB	0	…	0	0	?	?	?
ΔC	0	…	0	0	0	?	?
ΔD	0	…	0	0	0	0	?
ΔE	0	…	0	0	?	?	?
ΔF	0	…	0	0	0	?	?
ΔG	0	…	0	0	0	0	?
ΔH	0	…	0	0	0	0	0
概率	1	…	1	1	1	1	1

差分				步函数
差分	17	…	7		6	5	4
ΔW	0	…	0		Δ₈	0	0
ΔW '	0	…	0		Δ₈	0	0
ΔA	0	…	0		0	0	0
ΔB	0	…	0		0	0	Δ₁₀
ΔC	0	…	0		0	Δ₉	Δ₉
ΔD	0	…	0		Δ₉	Δ₉	Δ₁₀
ΔE	0	…	0		0	0	0
ΔF	0	…	0		0	0	Δ₁₁
ΔG	0	…	0		0	Δ₉	Δ₉
ΔH	0	…	0		Δ₉	Δ₉	Δ₁₁
概率	1	…	1		1	1	1

Improved preimage and pseudo-collision attacks on SM3 hash function

RichHTML

PDF

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 10

References 11

Related Articles 5

Metrics

Recommended 0

[1]	Jie CUI,Hai-feng ZUO,Hong ZHONG. Biclique cryptanalysis on lightweight block ciphers I-PRESENT-80 and I-PRESENT-128 [J]. Journal on Communications, 2017, 38(11): 13-23.
[2]	Gao-li WANG,Yan-zhao SHEN. Preimage and pseudo-collision attacks on 29-step SM3 hash function with padding [J]. Journal on Communications, 2014, 35(2): 40-45.
[3]	. Preimage and pseudo-collision attacks on 29-step SM3 hash function with padding [J]. Journal on Communications, 2014, 35(2): 6-45.
[4]	. Preimage and pseudo collision attacks on round-reduced DHA-256 hash function [J]. Journal on Communications, 2013, 34(6): 2-15.
[5]	Jian ZOU,Wen-ling WU,Shuang WU,Le DONG. Preimage and pseudo collision attacks on round-reduced DHA-256 hash function [J]. Journal on Communications, 2013, 34(6): 8-15.