The ECRYPT Hash Function Website - User contributions [en]

HAS-V

2008-03-11T06:02:30Z

Npramstaller: /* Specification */

== Specification ==

* digest size: 128 - 320 bits
* max. message length: < 264 bits
* compression function: 1024-bit message block, 320-bit chaining variable
* Specification:
<bibtex>
@inproceedings{sacryptParkHL00,
author = {Nan Kyoung Park and Joon Ho Hwang and Pil Joong Lee},
title = {HAS-V: A New Hash Function with Variable Output Length},
booktitle = {Selected Areas in Cryptography},
year = {2000},
pages = {202-216},
url = {http://link.springer.de/link/service/series/0558/bibs/2012/20120202.htm},
editor = {Douglas R. Stinson and Stafford E. Tavares},
publisher = {Springer},
series = {LNCS},
volume = {2012},
isbn = {3-540-42069-X},
abstract = {Hash functions play an essential role in many areas of cryptographic applications such as digital signature, authentication, and key derivation. In this paper, we propose a new hash function with variable output length, namely HAS-V, to meet the needs of various security levels desired among different applications. A great deal of attention was paid to balance the characteristics of security and performance. The use of message expansion, 4-variable Boolean functions, variable and fixed amounts of shifts, and interrelated parallel lines provide a high level of security for HAS-V. Experiments show that HAS-V is about 19% faster than SHA-1, 31% faster than RIPEMD-160, and 26% faster than HAVAL on a Pentium PC.},
}
</bibtex>

== Cryptanalysis ==

=== Best Known Results ===

----

=== Generic Attacks ===
* [[GenericAttacksMerkleDamgaard| Generic Attacks on the Merkle-Damgaard Construction ]]

----

=== Collision Attacks ===

----

=== Second Preimage Attacks ===

----

=== Preimage Attacks ===

----

=== Others ===

HAS-V

2008-03-11T06:01:50Z

Npramstaller: /* Specification */

== Specification ==

* digest size: 128 - 320 bits
* max. message length: < 264 bits
* compression function: 1024-bit message block, 320-bit chaining variable
* Specification:
<bibtex>
@inproceedings{sacryptParkHL00,
author = {Nan Kyoung Park and Joon Ho Hwang and Pil Joong Lee},
title = {HAS-V: A New Hash Function with Variable Output Length},
booktitle = {Selected Areas in Cryptography},
year = {2000},
pages = {202-216},
url = {http://link.springer.de/link/service/series/0558/bibs/2012/20120202.htm},
editor = {Douglas R. Stinson and Stafford E. Tavares},
publisher = {Springer},
series = {LNCS},
volume = {2012},
isbn = {3-540-42069-X},
abstract = {Hash functions play an essential role in many areas of cryptographic applications such as digital signature, authentication, and key derivation. In this paper, we propose a new hash function with variable output length, namely HAS-V, to meet the needs of various security levels desired among different applications. A great deal of attention was paid to balance the characteristics of security and performance. The use of message expansion, 4-variable Boolean functions, variable and fixed amounts of shifts, and interrelated parallel lines provide a high level of security for HAS-V. Experiments show that HAS-V is about 19% faster than SHA-1, 31% faster than RIPEMD-160, and 26% faster than HAVAL on a Pentium PC.},
}
</bibtex>

----

== Cryptanalysis ==

=== Best Known Results ===

----

=== Generic Attacks ===
* [[GenericAttacksMerkleDamgaard| Generic Attacks on the Merkle-Damgaard Construction ]]

----

=== Collision Attacks ===

----

=== Second Preimage Attacks ===

----

=== Preimage Attacks ===

----

=== Others ===

RIPEMD-160

2008-03-11T06:01:17Z

Npramstaller: /* Collision Attacks */

== Specification ==

* digest size: 160 bits
* max. message length: < 264 bits
* compression function: 512-bit message block, 160-bit chaining variable
* Specification:
<bibtex>
@inproceedings{fseDobbertinBP96,
author = {Hans Dobbertin and Antoon Bosselaers and Bart Preneel},
title = {RIPEMD-160: A Strengthened Version of RIPEMD},
pages = {71-82},
editor = {Dieter Gollmann},
booktitle = {FSE},
publisher = {Springer},
series = {LNCS},
volume = {1039},
year = {1996},
isbn = {3-540-60865-6},
abstract = {Cryptographic hash functions are an important tool in cryptography
for applications such as digital ﬁngerprinting of messages, message
authentication, and key derivation. During the last ﬁve years, several
fast software hash functions have been proposed; most of them are based
on the design principles of Ron Rivest’s MD4. One such proposal was RIPEMD,
which was developed in the framework of the EU project RIPE (Race Integrity Primitives Evaluation).
Because of recent progress in the cryptanalysis of these hash functions, we
propose a new version of RIPEMD with a 160-bit result, as well as a plug-in
substitute for RIPEMD with a 128-bit result. We also compare the software
performance of several MD4-based algorithms, which is of independent interest.},
url = {http://homes.esat.kuleuven.be/~cosicart/pdf/AB-9601/AB-9601.pdf}
}
</bibtex>

== Cryptanalysis ==

=== Best Known Results ===

----

=== Generic Attacks ===
* [[GenericAttacksMerkleDamgaard| Generic Attacks on the Merkle-Damgaard Construction ]]

----

=== Collision Attacks ===

<bibtex>
@inproceedings{iswMendelPRR06,
author = {Florian Mendel and Norbert Pramstaller and Christian Rechberger and Vincent Rijmen},
title = {On the Collision Resistance of RIPEMD-160},
booktitle = {ISC},
year = {2006},
pages = {101-116},
url = {http://dx.doi.org/10.1007/11836810_8},
editor = {Sokratis K. Katsikas and Javier Lopez and Michael Backes and Stefanos Gritzalis and Bart Preneel},
publisher = {Springer},
series = {LNCS},
volume = {4176},
isbn = {3-540-38341-7},
abstract = {In this article, the RIPEMD-160 hash function is studied in detail. To analyze the hash function, we have extended existing approaches and used recent results in cryptanalysis. While RIPEMD and RIPEMD-128 reduced to 3 rounds are vulnerable to the attack, it is not feasible for RIPEMD-160. Furthermore, we present an analytical attack on a round-reduced variant of the RIPEMD-160 hash function. To the best of our knowledge this is the first article that investigates the impact of recent advances in cryptanalysis of hash functions on RIPEMD-160.},
}
</bibtex>
----

=== Second Preimage Attacks ===

----

=== Preimage Attacks ===

----

=== Others ===

SHA-1

2008-03-11T06:00:44Z

Npramstaller: /* Others */

== Specification ==

* digest size: 160 bits
* max. message length: < 264 bits
* compression function: 512-bit message block, 160-bit chaining variable
* [http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf Specification: FIPS 180-2 Secure Hash Standard]

== Cryptanalysis ==

=== Best Known Results ===

The best collision attack on full SHA-1 was published by Wang et al. It has complexity of 269 hash evaluations. The best collision example, a 70-step collision for SHA-1, was published by DeCanniere, Mendel and Rechberger.
----

=== Collision Attacks ===

<bibtex>
@inproceedings{sacryptCanniereMR07,
author = {Christophe De Canni{\`e}re and Florian Mendel and Christian Rechberger},
title = {Collisions for 70-Step SHA-1: On the Full Cost of Collision Search},
booktitle = {Selected Areas in Cryptography},
year = {2007},
pages = {56-73},
url = {http://dx.doi.org/10.1007/978-3-540-77360-3_4},
editor = {Carlisle M. Adams and Ali Miri and Michael J. Wiener},
publisher = {Springer},
series = {LNCS},
volume = {4876},
isbn = {978-3-540-77359-7},
abstract = {The diversity of methods for fast collision search in SHA-1 and similar hash functions makes a comparison of them difficult. The literature is at times very vague on this issue, which makes comparison even harder. In situations where differences in estimates of attack complexity of a small factor might influence short-term recommendations of standardization bodies, uncertainties and ambiguities in the literature amounting to a similar order of magnitude are unhelpful. We survey different techniques and propose a simple but effective method to facilitate comparison. In a case study, we consider a newly developed attack on 70-step SHA-1, and give complexity estimates and performance measurements of this new and improved collision search method.},
}
</bibtex>

<bibtex>
@inproceedings{asiacryptCanniereR06,
author = {Christophe De Canni{\`e}re and Christian Rechberger},
title = {Finding SHA-1 Characteristics: General Results and Applications},
pages = {1-20},
url = {http://dx.doi.org/10.1007/11935230_1},
editor = {Xuejia Lai and Kefei Chen},
booktitle = {ASIACRYPT},
publisher = {Springer},
series = {LNCS},
volume = {4284},
year = {2006},
isbn = {3-540-49475-8},
abstract = {The most efficient collision attacks on members of the SHA family presented so far all use complex characteristics which were manually constructed by Wang et al. In this report, we describe a method to search for characteristics in an automatic way. This is particularly useful for multi-block attacks, and as a proof of concept, we give a two-block collision for 64-step SHA-1 based on a new characteristic. The highest number of steps for which a SHA-1 collision was published so far was 58. We also give a unified view on the expected work factor of a collision search and the needed degrees of freedom for the search, which facilitates optimization.},
}
</bibtex>

<bibtex>
@inproceedings{sacryptJutlaP06,
author = {Charanjit S. Jutla and Anindya C. Patthak},
title = {Provably Good Codes for Hash Function Design},
booktitle = {Selected Areas in Cryptography},
year = {2006},
pages = {376-393},
url = {http://dx.doi.org/10.1007/978-3-540-74462-7_26},
editor = {Eli Biham and Amr M. Youssef},
publisher = {Springer},
series = {LNCS},
volume = {4356},
isbn = {978-3-540-74461-0},
abstract = {We develop a new technique to lower bound the minimum distance of quasi-cyclic codes with large dimension by reducing the problem to lower bounding the minimum distance of a few significantly smaller dimensional codes. Using this technique, we prove that a code which is similar to the SHA-1 message expansion code has minimum distance at least 82, and that too in just the last 64 of the 80 expanded words. Further the minimum weight in the last 60 words (last 48 words) is at least 75 (52 respectively). We expect our technique to be helpful in designing future practical collision-resistant hash functions. We also use the technique to find the minimum weight of the SHA-1 code (25 in the last 60 words), which was an open problem.},
}
</bibtex>

<bibtex>
@inproceedings{sacryptPramstallerRR05a,
author = {Norbert Pramstaller and Christian Rechberger and Vincent Rijmen},
title = {Impact of Rotations in SHA-1 and Related Hash Functions},
booktitle = {Selected Areas in Cryptography},
year = {2005},
pages = {261-275},
url = {http://dx.doi.org/10.1007/11693383_18},
editor = {Bart Preneel and Stafford E. Tavares},
publisher = {Springer},
series = {LNCS},
volume = {3897},
isbn = {3-540-33108-5},
abstract = {SHA-1 uses a single set of rotation constants within the compression function. However, most other members of the MD4 family of hash functions use multiple sets of rotation constants, i.e. the rotation amounts change with the step being processed. To our knowledge, no design rationales on the choice of rotation constants are given on any of these hash functions. This is the first paper that analyzes rotations in iterated hash functions. We focus on SHA-1-like hash functions and use recent developments in the analysis of these hash functions to evaluate the security implications of using multiple sets of rotation constants in the compression function instead of a single set. Additionally, we give some observations on the set of constants used in SHA-0 and SHA-1.},
}
</bibtex>

<bibtex>
@inproceedings{ctrsaRijmenO05,
author = {Vincent Rijmen and Elisabeth Oswald},
title = {Update on SHA-1},
booktitle = {CT-RSA},
year = {2005},
pages = {58-71},
publisher = {Springer},
series = {LNCS},
abstract = {We report on the experiments we performed in order to assess the security of SHA-1 against the attack by Chabaud and Joux [5]. We present some ideas for optimizations of the attack and some properties of the message expansion routine. Finally, we show that for a reduced version of SHA-1, with 53 rounds instead of 80, it is possible to find collisions in less than 2^80 operations.},
url = {http://dx.doi.org/10.1007/b105222}}
</bibtex>
----

=== Preimage Attacks ===
* We are not aware of any articles w.r.t. preimage attacks on SHA-1.
----

=== Others ===

<bibtex>
@inproceedings{iswSatoh05,
author = {Akashi Satoh},
title = {Hardware Architecture and Cost Estimates for Breaking SHA-1},
booktitle = {ISC},
year = {2005},
pages = {259-273},
url = {http://dx.doi.org/10.1007/11556992_19},
editor = {Jianying Zhou and Javier Lopez and Robert H. Deng and Feng Bao},
publisher = {Springer},
series = {LNCS},
volume = {3650},
isbn = {3-540-29001-X},
abstract = {The cryptanalysis of hash functions has advanced rapidly, and many hash functions have been broken one after another. The most popular hash function SHA-1 has not been broken yet, but the new collision search techniques proposed by Wang et al. reduced the computational complexity down to $2^{69}$, which is only 1/2,000 of the $2^{80}$ operations needed for a birthday attack. The complexity is still too large even for today's supercomputers, but no feasibility study of breaking SHA-1 using specialized hardware has been reported. The well known brute force attack on DES simply repeats the DES operation $2^{56}$ times at a maximum, but the complexity of $2^{69}$ hash operations to break SHA-1 does not mean $2^{69}$ SHA-1 operations. Complex procedures using SHA-1 functions are required, and the total number of operations based on the probability of a collision occurrence is almost equivalent to the $2^{69}$ SHA-1 operations. Therefore, we describe a procedure and propose an LSI architecture to find real collisions for SHA-1 in this paper. The hardware core was synthesized by using a 0.13-$\micro m$ CMOS standard cell library, and its performances in speed, size, and power consumption were evaluated. A \$10 million budget can build a custom hardware system that would consist of 303 personal computers with 16 circuit boards each, in which 32 SHA-1-breaking LSIs are mounted. Each LSI has 64 SHA-1 cores that can run in parallel. This system would find a real collision in 127 days.},
}
</bibtex>
----

== eHash Recommendation (optional) or eHash Opinion ==
Something like: SHA-1 is considered to be broken. Please do not incorporate SHA-1 in new application any longer. Try to migrate to another hash function.

SHA-256/224

2008-03-11T05:59:53Z

Npramstaller: /* Collision Attacks */

== Specification ==

* digest size: 256 bits
* max. message length: < 264 bits
* compression function: 512-bit message block, 256-bit chaining variable
* [http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf Specification: FIPS 180-2 Secure Hash Standard]

== Cryptanalysis ==

=== Best Known Results ===

----

=== Generic Attacks ===
* [[GenericAttacksMerkleDamgaard| Generic Attacks on the Merkle-Damgaard Construction ]]

----

=== Collision Attacks ===

<bibtex>
@inproceedings{sacryptYoshidaB05,
author = {Hirotaka Yoshida and Alex Biryukov},
title = {Analysis of a SHA-256 Variant},
booktitle = {Selected Areas in Cryptography},
year = {2005},
pages = {245-260},
url = {http://dx.doi.org/10.1007/11693383_17},
editor = {Bart Preneel and Stafford E. Tavares},
publisher = {Springer},
series = {LNCS},
volume = {3897},
isbn = {3-540-33108-5},
abstract = {SHA-256 is a cryptographic hash function which was proposed in 2000 as a new generation of SHA functions and was adopted as FIPS standard in 2002. In this paper we will consider a SHA-256 variant and a SHACAL-2 variant in which every arithmetic addition is replaced by XOR operation. We call the SHA-256 variant SHA-2-XOR and the SHACAL-2 variant SHACAL-2-XOR respectively. We will present a differential attack on these constructions by using one-round iterative differential characteristics with probability 2^{-8} we identified. Our result shows that SHACAL-2-XOR with up to 31 rounds out of 64 has a weakness of randomness and that SHA-2-XOR with up to 34 rounds has a weakness of pseudo-collision resistance. Using the 31-round distinguisher, we present an attack on SHACAL-2-XOR with up to 32 rounds. We also show that no 2-round iterative patterns with probability higher than 2^{-16} exist.},
}
</bibtex>

<bibtex>
@inproceedings{sacryptGilbertH03,
author = {Henri Gilbert and Helena Handschuh},
title = {Security Analysis of SHA-256 and Sisters},
booktitle = {Selected Areas in Cryptography},
year = {2003},
pages = {175-193},
url = {http://springerlink.metapress.com/openurl.asp?genre=article{\&}issn=0302-9743{\&}volume=3006{\&}spage=175},
editor = {Mitsuru Matsui and Robert J. Zuccherato},
publisher = {Springer},
series = {LNCS},
volume = {3006},
isbn = {3-540-21370-8},
abstract = {This paper studies the security of SHA-256, SHA-384 and SHA-512 against collision attacks and provides some insight into the security properties of the basic building blocks of the structure. It is concluded that neither Chabaud and Joux's attack, nor Dobbertin-style attacks apply. Differential and linear attacks also don't apply on the underlying structure. However we show that slightly simplified versions of the hash functions are surprisingly weak: whenever symmetric constants and initialization values are used throughout the computations, and modular additions are replaced by exclusive or operations, symmetric messages hash to symmetric digests. Therefore the complexity of collision search on these modified hash functions potentially becomes as low as one wishes.},
}
</bibtex>

----

=== Second Preimage Attacks ===

----

=== Preimage Attacks ===

----

=== Others ===

SHA-256/224

2008-03-11T05:59:20Z

Npramstaller: /* Collision Attacks */

== Specification ==

* digest size: 256 bits
* max. message length: < 264 bits
* compression function: 512-bit message block, 256-bit chaining variable
* [http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf Specification: FIPS 180-2 Secure Hash Standard]

== Cryptanalysis ==

=== Best Known Results ===

----

=== Generic Attacks ===
* [[GenericAttacksMerkleDamgaard| Generic Attacks on the Merkle-Damgaard Construction ]]

----

=== Collision Attacks ===

</bibtex>
@inproceedings{sacryptYoshidaB05,
author = {Hirotaka Yoshida and Alex Biryukov},
title = {Analysis of a SHA-256 Variant},
booktitle = {Selected Areas in Cryptography},
year = {2005},
pages = {245-260},
url = {http://dx.doi.org/10.1007/11693383_17},
editor = {Bart Preneel and Stafford E. Tavares},
publisher = {Springer},
series = {LNCS},
volume = {3897},
isbn = {3-540-33108-5},
abstract = {SHA-256 is a cryptographic hash function which was proposed in 2000 as a new generation of SHA functions and was adopted as FIPS standard in 2002. In this paper we will consider a SHA-256 variant and a SHACAL-2 variant in which every arithmetic addition is replaced by XOR operation. We call the SHA-256 variant SHA-2-XOR and the SHACAL-2 variant SHACAL-2-XOR respectively. We will present a differential attack on these constructions by using one-round iterative differential characteristics with probability 2^{-8} we identified. Our result shows that SHACAL-2-XOR with up to 31 rounds out of 64 has a weakness of randomness and that SHA-2-XOR with up to 34 rounds has a weakness of pseudo-collision resistance. Using the 31-round distinguisher, we present an attack on SHACAL-2-XOR with up to 32 rounds. We also show that no 2-round iterative patterns with probability higher than 2^{-16} exist.},
}
</bibtex>

<bibtex>
@inproceedings{sacryptYoshidaB05,
author = {Hirotaka Yoshida and Alex Biryukov},
title = {Analysis of a SHA-256 Variant},
booktitle = {Selected Areas in Cryptography},
year = {2005},
pages = {245-260},
url = {http://dx.doi.org/10.1007/11693383_17},
editor = {Bart Preneel and Stafford E. Tavares},
publisher = {Springer},
series = {LNCS},
volume = {3897},
isbn = {3-540-33108-5},
abstract = {SHA-256 is a cryptographic hash function which was proposed in 2000 as a new generation of SHA functions and was adopted as FIPS standard in 2002. In this paper we will consider a SHA-256 variant and a SHACAL-2 variant in which every arithmetic addition is replaced by XOR operation. We call the SHA-256 variant SHA-2-XOR and the SHACAL-2 variant SHACAL-2-XOR respectively. We will present a differential attack on these constructions by using one-round iterative differential characteristics with probability 2^{-8} we identified. Our result shows that SHACAL-2-XOR with up to 31 rounds out of 64 has a weakness of randomness and that SHA-2-XOR with up to 34 rounds has a weakness of pseudo-collision resistance. Using the 31-round distinguisher, we present an attack on SHACAL-2-XOR with up to 32 rounds. We also show that no 2-round iterative patterns with probability higher than 2^{-16} exist.},
}
</bibtex>

<bibtex>
@inproceedings{sacryptGilbertH03,
author = {Henri Gilbert and Helena Handschuh},
title = {Security Analysis of SHA-256 and Sisters},
booktitle = {Selected Areas in Cryptography},
year = {2003},
pages = {175-193},
url = {http://springerlink.metapress.com/openurl.asp?genre=article{\&}issn=0302-9743{\&}volume=3006{\&}spage=175},
editor = {Mitsuru Matsui and Robert J. Zuccherato},
publisher = {Springer},
series = {LNCS},
volume = {3006},
isbn = {3-540-21370-8},
abstract = {This paper studies the security of SHA-256, SHA-384 and SHA-512 against collision attacks and provides some insight into the security properties of the basic building blocks of the structure. It is concluded that neither Chabaud and Joux's attack, nor Dobbertin-style attacks apply. Differential and linear attacks also don't apply on the underlying structure. However we show that slightly simplified versions of the hash functions are surprisingly weak: whenever symmetric constants and initialization values are used throughout the computations, and modular additions are replaced by exclusive or operations, symmetric messages hash to symmetric digests. Therefore the complexity of collision search on these modified hash functions potentially becomes as low as one wishes.},
}
</bibtex>

----

=== Second Preimage Attacks ===

----

=== Preimage Attacks ===

----

=== Others ===

SHA-256/224

2008-03-11T05:59:01Z

Npramstaller: /* Collision Attacks */

== Specification ==

* digest size: 256 bits
* max. message length: < 264 bits
* compression function: 512-bit message block, 256-bit chaining variable
* [http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf Specification: FIPS 180-2 Secure Hash Standard]

== Cryptanalysis ==

=== Best Known Results ===

----

=== Generic Attacks ===
* [[GenericAttacksMerkleDamgaard| Generic Attacks on the Merkle-Damgaard Construction ]]

----

=== Collision Attacks ===

</bibtex>
@inproceedings{sacryptYoshidaB05,
author = {Hirotaka Yoshida and Alex Biryukov},
title = {Analysis of a SHA-256 Variant},
booktitle = {Selected Areas in Cryptography},
year = {2005},
pages = {245-260},
url = {http://dx.doi.org/10.1007/11693383_17},
editor = {Bart Preneel and Stafford E. Tavares},
publisher = {Springer},
series = {LNCS},
volume = {3897},
isbn = {3-540-33108-5},
abstract = {SHA-256 is a cryptographic hash function which was proposed in 2000 as a new generation of SHA functions and was adopted as FIPS standard in 2002. In this paper we will consider a SHA-256 variant and a SHACAL-2 variant in which every arithmetic addition is replaced by XOR operation. We call the SHA-256 variant SHA-2-XOR and the SHACAL-2 variant SHACAL-2-XOR respectively. We will present a differential attack on these constructions by using one-round iterative differential characteristics with probability 2^{-8} we identified. Our result shows that SHACAL-2-XOR with up to 31 rounds out of 64 has a weakness of randomness and that SHA-2-XOR with up to 34 rounds has a weakness of pseudo-collision resistance. Using the 31-round distinguisher, we present an attack on SHACAL-2-XOR with up to 32 rounds. We also show that no 2-round iterative patterns with probability higher than 2^{-16} exist.},
}
</bibtex>

<bibtex>
@inproceedings{sacryptGilbertH03,
author = {Henri Gilbert and Helena Handschuh},
title = {Security Analysis of SHA-256 and Sisters},
booktitle = {Selected Areas in Cryptography},
year = {2003},
pages = {175-193},
url = {http://springerlink.metapress.com/openurl.asp?genre=article{\&}issn=0302-9743{\&}volume=3006{\&}spage=175},
editor = {Mitsuru Matsui and Robert J. Zuccherato},
publisher = {Springer},
series = {LNCS},
volume = {3006},
isbn = {3-540-21370-8},
abstract = {This paper studies the security of SHA-256, SHA-384 and SHA-512 against collision attacks and provides some insight into the security properties of the basic building blocks of the structure. It is concluded that neither Chabaud and Joux's attack, nor Dobbertin-style attacks apply. Differential and linear attacks also don't apply on the underlying structure. However we show that slightly simplified versions of the hash functions are surprisingly weak: whenever symmetric constants and initialization values are used throughout the computations, and modular additions are replaced by exclusive or operations, symmetric messages hash to symmetric digests. Therefore the complexity of collision search on these modified hash functions potentially becomes as low as one wishes.},
}
</bibtex>

----

=== Second Preimage Attacks ===

----

=== Preimage Attacks ===

----

=== Others ===

SHA-256/224

2008-03-11T05:58:19Z

Npramstaller: /* Collision Attacks */

SHA-384

2008-03-11T05:58:01Z

Npramstaller: /* Collision Attacks */

== Specification ==

* digest size: 384 bits
* max. message length: < 2128 bits
* compression function: 1024-bit message block, 512-bit chaining variable
* [http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf Specification: FIPS 180-2 Secure Hash Standard]

== Cryptanalysis ==

=== Best Known Results ===

----

=== Generic Attacks ===
* [[GenericAttacksMerkleDamgaard| Generic Attacks on the Merkle-Damgaard Construction ]]

----

=== Collision Attacks ===

<bibtex>
@inproceedings{sacryptGilbertH03,
author = {Henri Gilbert and Helena Handschuh},
title = {Security Analysis of SHA-256 and Sisters},
booktitle = {Selected Areas in Cryptography},
year = {2003},
pages = {175-193},
url = {http://springerlink.metapress.com/openurl.asp?genre=article{\&}issn=0302-9743{\&}volume=3006{\&}spage=175},
editor = {Mitsuru Matsui and Robert J. Zuccherato},
publisher = {Springer},
series = {LNCS},
volume = {3006},
isbn = {3-540-21370-8},
abstract = {This paper studies the security of SHA-256, SHA-384 and SHA-512 against collision attacks and provides some insight into the security properties of the basic building blocks of the structure. It is concluded that neither Chabaud and Joux's attack, nor Dobbertin-style attacks apply. Differential and linear attacks also don't apply on the underlying structure. However we show that slightly simplified versions of the hash functions are surprisingly weak: whenever symmetric constants and initialization values are used throughout the computations, and modular additions are replaced by exclusive or operations, symmetric messages hash to symmetric digests. Therefore the complexity of collision search on these modified hash functions potentially becomes as low as one wishes.},
}
</bibtex>

----

=== Second Preimage Attacks ===

----

=== Preimage Attacks ===

----

=== Others ===

SHA-512/384

2008-03-11T05:57:35Z

Npramstaller: /* Collision Attacks */

== Specification ==

* digest size: 512 bits
* max. message length: < 2128 bits
* compression function: 1024-bit message block, 512-bit chaining variable
* [http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf Specification: FIPS 180-2 Secure Hash Standard]

== Cryptanalysis ==

=== Best Known Results ===

----

=== Generic Attacks ===
* [[GenericAttacksMerkleDamgaard| Generic Attacks on the Merkle-Damgaard Construction ]]

----

=== Collision Attacks ===
<bibtex>
@inproceedings{sacryptGilbertH03,
author = {Henri Gilbert and Helena Handschuh},
title = {Security Analysis of SHA-256 and Sisters},
booktitle = {Selected Areas in Cryptography},
year = {2003},
pages = {175-193},
url = {http://springerlink.metapress.com/openurl.asp?genre=article{\&}issn=0302-9743{\&}volume=3006{\&}spage=175},
editor = {Mitsuru Matsui and Robert J. Zuccherato},
publisher = {Springer},
series = {LNCS},
volume = {3006},
isbn = {3-540-21370-8},
abstract = {This paper studies the security of SHA-256, SHA-384 and SHA-512 against collision attacks and provides some insight into the security properties of the basic building blocks of the structure. It is concluded that neither Chabaud and Joux's attack, nor Dobbertin-style attacks apply. Differential and linear attacks also don't apply on the underlying structure. However we show that slightly simplified versions of the hash functions are surprisingly weak: whenever symmetric constants and initialization values are used throughout the computations, and modular additions are replaced by exclusive or operations, symmetric messages hash to symmetric digests. Therefore the complexity of collision search on these modified hash functions potentially becomes as low as one wishes.},
}
</bibtex>

----

=== Second Preimage Attacks ===

----

=== Preimage Attacks ===

----

=== Others ===

SHA-512/384

2008-03-11T05:56:46Z

Npramstaller: /* Specification */

SHA-384

2008-03-11T05:56:09Z

Npramstaller: /* Specification */

SHA-256/224

2008-03-11T05:55:17Z

Npramstaller: /* Specification */

SHA-512/384

2008-03-11T05:54:01Z

Npramstaller:

== Specification ==



== Cryptanalysis ==

=== Best Known Results ===

----

=== Generic Attacks ===
* [[GenericAttacksMerkleDamgaard| Generic Attacks on the Merkle-Damgaard Construction ]]

----

=== Collision Attacks ===

----

=== Second Preimage Attacks ===

----

=== Preimage Attacks ===

----

=== Others ===

SHA-384

2008-03-11T05:53:43Z

Npramstaller:

== Specification ==



== Cryptanalysis ==

=== Best Known Results ===

----

=== Generic Attacks ===
* [[GenericAttacksMerkleDamgaard| Generic Attacks on the Merkle-Damgaard Construction ]]

----

=== Collision Attacks ===

----

=== Second Preimage Attacks ===

----

=== Preimage Attacks ===

----

=== Others ===

SHA-256/224

2008-03-11T05:53:28Z

Npramstaller:

== Specification ==



== Cryptanalysis ==

=== Best Known Results ===

----

=== Generic Attacks ===
* [[GenericAttacksMerkleDamgaard| Generic Attacks on the Merkle-Damgaard Construction ]]

----

=== Collision Attacks ===

----

=== Second Preimage Attacks ===

----

=== Preimage Attacks ===

----

=== Others ===

The Hash Function Zoo

2008-03-11T05:53:18Z

Npramstaller:

{| border="1" cellpadding="2" cellspacing="0" align="center" class="wikitable"
|+'''The Hash Function Zoo, a collection of cryptographic hash functions (in alphabetical order)'''
|- style="background:#efefef;"
! width="300"| Hash Function Name !! Designer(s) !! Issued in !! Status Cryptanalysis
|-
| [http://ehash.iaik.tugraz.at/index.php/AR AR] || ISO || align="center"|1992 || broken
|-
| [http://ehash.iaik.tugraz.at/index.php/Boognish Boognish] || Daemen || align="center"|1992 || broken
|-
| [http://ehash.iaik.tugraz.at/index.php/Cellhash Cellhash] || Daemen, Govaerts, Vandewalle || align="center"|1991 || ?
|-
| [http://ehash.iaik.tugraz.at/index.php/DHA-256 DHA-256] || Lyubashevsky, Micciancio, Peikert, Rosen || align="center"|2006 || ?
|-
| [http://ehash.iaik.tugraz.at/index.php/Edon-R Edon-R] || Gligoroski, Markovski, Kocarev || align="center"|2006 || ?
|-
| [http://ehash.iaik.tugraz.at/index.php/FFT-HashI FFT-Hash I] || Schnorr || align="center"|1991 || broken
|-
| [http://ehash.iaik.tugraz.at/index.php/FFT-HashII FFT-Hash II] || Schnorr || align="center"|1992 || broken
|-
| [http://ehash.iaik.tugraz.at/index.php/FORK256 FORK-256] || Hong, Chang, Sung, Lee, Hong, Lee, Moon, Chee || align="center"|2006 || ?
|-
| [http://ehash.iaik.tugraz.at/index.php/FSB FSB] || Augot, Finiasz, Sendrier || align="center"|2005 || ?
|-
| [http://ehash.iaik.tugraz.at/index.php/GOST GOST R 34.11-94] || Government Committee of Russia for Standards || align="center"|1990 || broken
|-
| [http://ehash.iaik.tugraz.at/index.php/Grindahl Grindahl] || Knudsen, Rechberger, Thomsen || align="center"|2007 || broken
|-
| [http://ehash.iaik.tugraz.at/index.php/HAS-V HAS-V] || Park, Hwang, Lee || align="center"|2000 || broken
|-
| [http://ehash.iaik.tugraz.at/index.php/HAVAL HAVAL] || Zheng, Pieprzyk, Seberry || align="center"|1994 || broken
|-
| [http://ehash.iaik.tugraz.at/index.php/LASH-n LASH-n] || Bentahar, Page, Saarinen, Silverman, Smart || align="center"|2006 || ?
|-
| [http://ehash.iaik.tugraz.at/index.php/MAME MAME] || Yoshida, Watanabe, Okeya, Kitahara, Wu, Kucuk, Preneel || align="center"|2007 || ?
|-
| [http://ehash.iaik.tugraz.at/index.php/MD2 MD2] || Rivest || align="center"|1989 || broken
|-
| [http://ehash.iaik.tugraz.at/index.php/MD4 MD4] || Rivest || align="center"|1990 || broken
|-
| [http://ehash.iaik.tugraz.at/index.php/MD5 MD5] || Rivest || align="center"|1992 || broken
|-
| [http://ehash.iaik.tugraz.at/index.php/N-Hash N-Hash] || Miyaguchi, Ohta, Iwata || align="center"|1990 || broken
|-
| [http://ehash.iaik.tugraz.at/index.php/PANAMA PANAMA] || Daemen, Clapp || align="center"|1998 || broken
|-
| [http://ehash.iaik.tugraz.at/index.php/ParallelFFT-Hash Parallel FFT-Hash] || Schnorr, Vaudenay || align="center"|1993 || ?
|-
| [http://ehash.iaik.tugraz.at/index.php/PARSHA-256 PARSHA-256] || Pal, Sarkar || align="center"|2003 || ?
|-
| [http://ehash.iaik.tugraz.at/index.php/PKC-HASH PKC-HASH] || Shin, Rhee, Ryu, Lee || align="center"|1998 || broken
|-
| [http://ehash.iaik.tugraz.at/index.php/RadioGatun RadioGatun[w]] || Bertoni, Daemen, Peeters, van Assche || align="center"|2006 || ?
|-
| [http://ehash.iaik.tugraz.at/index.php/RIPEMD RIPEMD] || The RIPE Consortium || align="center"|1990 || broken
|-
| [http://ehash.iaik.tugraz.at/index.php/RIPEMD-128 RIPEMD-128] || Dobbertin, Bosselaers, Preneel || align="center"|1996 || ?
|-
| [http://ehash.iaik.tugraz.at/index.php/RIPEMD-160 RIPEMD-160] || Dobbertin, Bosselaers, Preneel || align="center"|1996 || ?
|-
| [http://ehash.iaik.tugraz.at/index.php/SHA0 SHA-0] || NIST/NSA || align="center"|1991 || broken
|-
| [http://ehash.iaik.tugraz.at/index.php/SHA-1 SHA-1] || NIST/NSA || align="center"|1993 || broken
|-
| [http://ehash.iaik.tugraz.at/index.php/SHA-224 SHA-224] || NIST/NSA || align="center"|2004 ||
|-
| [http://ehash.iaik.tugraz.at/index.php/SHA-256 SHA-256] || NIST/NSA || align="center"|2000 ||
|-
| [http://ehash.iaik.tugraz.at/index.php/SHA-384 SHA-384] || NIST/NSA || align="center"|2000 ||
|-
| [http://ehash.iaik.tugraz.at/index.php/SHA-512 SHA-512] || NIST/NSA || align="center"|2000 ||
|-
| [http://ehash.iaik.tugraz.at/index.php/SMASH SMASH] || Knudsen || align="center"|2005 || broken
|-
| [http://ehash.iaik.tugraz.at/index.php/Snefru-n Snefru-n] || Merkle || align="center"|1990 || broken
|-
| [http://ehash.iaik.tugraz.at/index.php/StepRightUp StepRightUp] || Daemen || align="center"|1995 || wounded
|-
| [http://ehash.iaik.tugraz.at/index.php/SubHash SubHash] || Daemen || align="center"|1992 || ?
|-
| [http://ehash.iaik.tugraz.at/index.php/Tiger Tiger] || Anderson, Biham || align="center"|1996 || broken
|-
| [http://ehash.iaik.tugraz.at/index.php/VSH VSH] || Contini, Lenstra, Steinfeld, || align="center"|2005 || ?
|-
| [http://ehash.iaik.tugraz.at/index.php/Whirlpool Whirlpool] || Barreto and Rijmen || align="center"|2000 || ?
|}

HAS-V

2008-03-11T05:47:39Z

Npramstaller: /* Specification */

HAS-V

2008-03-11T05:42:23Z

Npramstaller: /* Specification */

== Specification ==

* digest size: 160 bits
* max. message length: < 264 bits
* compression function: 512-bit message block, 160-bit chaining variable
* Specification:
<bibtex>
@inproceedings{sacryptParkHL00,
author = {Nan Kyoung Park and Joon Ho Hwang and Pil Joong Lee},
title = {HAS-V: A New Hash Function with Variable Output Length},
booktitle = {Selected Areas in Cryptography},
year = {2000},
pages = {202-216},
url = {http://link.springer.de/link/service/series/0558/bibs/2012/20120202.htm},
editor = {Douglas R. Stinson and Stafford E. Tavares},
publisher = {Springer},
series = {LNCS},
volume = {2012},
isbn = {3-540-42069-X},
abstract = {Hash functions play an essential role in many areas of cryptographic applications such as digital signature, authentication, and key derivation. In this paper, we propose a new hash function with variable output length, namely HAS-V, to meet the needs of various security levels desired among different applications. A great deal of attention was paid to balance the characteristics of security and performance. The use of message expansion, 4-variable Boolean functions, variable and fixed amounts of shifts, and interrelated parallel lines provide a high level of security for HAS-V. Experiments show that HAS-V is about 19% faster than SHA-1, 31% faster than RIPEMD-160, and 26% faster than HAVAL on a Pentium PC.},
}
</bibtex>

== Cryptanalysis ==

=== Best Known Results ===

----

=== Generic Attacks ===
* [[GenericAttacksMerkleDamgaard| Generic Attacks on the Merkle-Damgaard Construction ]]

----

=== Collision Attacks ===

----

=== Second Preimage Attacks ===

----

=== Preimage Attacks ===

----

=== Others ===

HAS-V

2008-03-11T05:42:04Z

Npramstaller: /* Specification */

== Specification ==



== Cryptanalysis ==

=== Best Known Results ===

----

=== Generic Attacks ===
* [[GenericAttacksMerkleDamgaard| Generic Attacks on the Merkle-Damgaard Construction ]]

----

=== Collision Attacks ===

----

=== Second Preimage Attacks ===

----

=== Preimage Attacks ===

----

=== Others ===

HAS-V

2008-03-11T05:41:20Z

Npramstaller:

== Specification ==



== Cryptanalysis ==

=== Best Known Results ===

----

=== Generic Attacks ===
* [[GenericAttacksMerkleDamgaard| Generic Attacks on the Merkle-Damgaard Construction ]]

----

=== Collision Attacks ===

----

=== Second Preimage Attacks ===

----

=== Preimage Attacks ===

----

=== Others ===

The Hash Function Zoo

2008-03-11T05:41:02Z

Npramstaller:

{| border="1" cellpadding="2" cellspacing="0" align="center" class="wikitable"
|+'''The Hash Function Zoo, a collection of cryptographic hash functions (in alphabetical order)'''
|- style="background:#efefef;"
! width="300"| Hash Function Name !! Designer(s) !! Issued in !! Status Cryptanalysis
|-
| [http://ehash.iaik.tugraz.at/index.php/AR AR] || ISO || align="center"|1992 || broken
|-
| [http://ehash.iaik.tugraz.at/index.php/Boognish Boognish] || Daemen || align="center"|1992 || broken
|-
| [http://ehash.iaik.tugraz.at/index.php/Cellhash Cellhash] || Daemen, Govaerts, Vandewalle || align="center"|1991 || ?
|-
| [http://ehash.iaik.tugraz.at/index.php/DHA-256 DHA-256] || Lyubashevsky, Micciancio, Peikert, Rosen || align="center"|2006 || ?
|-
| [http://ehash.iaik.tugraz.at/index.php/Edon-R Edon-R] || Gligoroski, Markovski, Kocarev || align="center"|2006 || ?
|-
| [http://ehash.iaik.tugraz.at/index.php/FFT-HashI FFT-Hash I] || Schnorr || align="center"|1991 || broken
|-
| [http://ehash.iaik.tugraz.at/index.php/FFT-HashII FFT-Hash II] || Schnorr || align="center"|1992 || broken
|-
| [http://ehash.iaik.tugraz.at/index.php/FORK256 FORK-256] || Hong, Chang, Sung, Lee, Hong, Lee, Moon, Chee || align="center"|2006 || ?
|-
| [http://ehash.iaik.tugraz.at/index.php/FSB FSB] || Augot, Finiasz, Sendrier || align="center"|2005 || ?
|-
| [http://ehash.iaik.tugraz.at/index.php/GOST GOST R 34.11-94] || Government Committee of Russia for Standards || align="center"|1990 || broken
|-
| [http://ehash.iaik.tugraz.at/index.php/Grindahl Grindahl] || Knudsen, Rechberger, Thomsen || align="center"|2007 || broken
|-
| [http://ehash.iaik.tugraz.at/index.php/HAS-V HAS-V] || Park, Hwang, Lee || align="center"|2000 || broken
|-
| [http://ehash.iaik.tugraz.at/index.php/HAVAL HAVAL] || Zheng, Pieprzyk, Seberry || align="center"|1994 || broken
|-
| [http://ehash.iaik.tugraz.at/index.php/LASH-n LASH-n] || Bentahar, Page, Saarinen, Silverman, Smart || align="center"|2006 || ?
|-
| [http://ehash.iaik.tugraz.at/index.php/MAME MAME] || Yoshida, Watanabe, Okeya, Kitahara, Wu, Kucuk, Preneel || align="center"|2007 || ?
|-
| [http://ehash.iaik.tugraz.at/index.php/MD2 MD2] || Rivest || align="center"|1989 || broken
|-
| [http://ehash.iaik.tugraz.at/index.php/MD4 MD4] || Rivest || align="center"|1990 || broken
|-
| [http://ehash.iaik.tugraz.at/index.php/MD5 MD5] || Rivest || align="center"|1992 || broken
|-
| [http://ehash.iaik.tugraz.at/index.php/N-Hash N-Hash] || Miyaguchi, Ohta, Iwata || align="center"|1990 || broken
|-
| [http://ehash.iaik.tugraz.at/index.php/PANAMA PANAMA] || Daemen, Clapp || align="center"|1998 || broken
|-
| [http://ehash.iaik.tugraz.at/index.php/ParallelFFT-Hash Parallel FFT-Hash] || Schnorr, Vaudenay || align="center"|1993 || ?
|-
| [http://ehash.iaik.tugraz.at/index.php/PARSHA-256 PARSHA-256] || Pal, Sarkar || align="center"|2003 || ?
|-
| [http://ehash.iaik.tugraz.at/index.php/PKC-HASH PKC-HASH] || Shin, Rhee, Ryu, Lee || align="center"|1998 || broken
|-
| [http://ehash.iaik.tugraz.at/index.php/RadioGatun RadioGatun[w]] || Bertoni, Daemen, Peeters, van Assche || align="center"|2006 || ?
|-
| [http://ehash.iaik.tugraz.at/index.php/RIPEMD RIPEMD] || The RIPE Consortium || align="center"|1990 || broken
|-
| [http://ehash.iaik.tugraz.at/index.php/RIPEMD-128 RIPEMD-128] || Dobbertin, Bosselaers, Preneel || align="center"|1996 || ?
|-
| [http://ehash.iaik.tugraz.at/index.php/RIPEMD-160 RIPEMD-160] || Dobbertin, Bosselaers, Preneel || align="center"|1996 || ?
|-
| [http://ehash.iaik.tugraz.at/index.php/SHA0 SHA-0] || NIST/NSA || align="center"|1991 || broken
|-
| [http://ehash.iaik.tugraz.at/index.php/SHA-1 SHA-1] || NIST/NSA || align="center"|1993 || broken
|-
| [http://ehash.iaik.tugraz.at/index.php/SHA-224 SHA-224] || NIST/NSA || align="center"|2004 ||
|-
| [http://ehash.iaik.tugraz.at/index.php/SHA256 SHA-256] || NIST/NSA || align="center"|2000 ||
|-
| [http://ehash.iaik.tugraz.at/index.php/SHA384 SHA-384] || NIST/NSA || align="center"|2000 ||
|-
| [http://ehash.iaik.tugraz.at/index.php/SHA512 SHA-512] || NIST/NSA || align="center"|2000 ||
|-
| [http://ehash.iaik.tugraz.at/index.php/SMASH SMASH] || Knudsen || align="center"|2005 || broken
|-
| [http://ehash.iaik.tugraz.at/index.php/Snefru-n Snefru-n] || Merkle || align="center"|1990 || broken
|-
| [http://ehash.iaik.tugraz.at/index.php/StepRightUp StepRightUp] || Daemen || align="center"|1995 || wounded
|-
| [http://ehash.iaik.tugraz.at/index.php/SubHash SubHash] || Daemen || align="center"|1992 || ?
|-
| [http://ehash.iaik.tugraz.at/index.php/Tiger Tiger] || Anderson, Biham || align="center"|1996 || broken
|-
| [http://ehash.iaik.tugraz.at/index.php/VSH VSH] || Contini, Lenstra, Steinfeld, || align="center"|2005 || ?
|-
| [http://ehash.iaik.tugraz.at/index.php/Whirlpool Whirlpool] || Barreto and Rijmen || align="center"|2000 || ?
|}

The Hash Function Zoo

2008-03-11T05:40:11Z

Npramstaller:

{| border="1" cellpadding="2" cellspacing="0" align="center" class="wikitable"
|+'''The Hash Function Zoo, a collection of cryptographic hash functions (in alphabetical order)'''
|- style="background:#efefef;"
! width="300"| Hash Function Name !! Designer(s) !! Issued in !! Status Cryptanalysis
|-
| [http://ehash.iaik.tugraz.at/index.php/AR AR] || ISO || align="center"|1992 || broken
|-
| [http://ehash.iaik.tugraz.at/index.php/Boognish Boognish] || Daemen || align="center"|1992 || broken
|-
| [http://ehash.iaik.tugraz.at/index.php/Cellhash Cellhash] || Daemen, Govaerts, Vandewalle || align="center"|1991 || ?
|-
| [http://ehash.iaik.tugraz.at/index.php/DHA-256 DHA-256] || Lyubashevsky, Micciancio, Peikert, Rosen || align="center"|2006 || ?
|-
| [http://ehash.iaik.tugraz.at/index.php/Edon-R Edon-R] || Gligoroski, Markovski, Kocarev || align="center"|2006 || ?
|-
| [http://ehash.iaik.tugraz.at/index.php/FFT-HashI FFT-Hash I] || Schnorr || align="center"|1991 || broken
|-
| [http://ehash.iaik.tugraz.at/index.php/FFT-HashII FFT-Hash II] || Schnorr || align="center"|1992 || broken
|-
| [http://ehash.iaik.tugraz.at/index.php/FORK256 FORK-256] || Hong, Chang, Sung, Lee, Hong, Lee, Moon, Chee || align="center"|2006 || ?
|-
| [http://ehash.iaik.tugraz.at/index.php/FSB FSB] || Augot, Finiasz, Sendrier || align="center"|2005 || ?
|-
| [http://ehash.iaik.tugraz.at/index.php/GOST GOST R 34.11-94] || Government Committee of Russia for Standards || align="center"|1990 || broken
|-
| [http://ehash.iaik.tugraz.at/index.php/Grindahl Grindahl] || Knudsen, Rechberger, Thomsen || align="center"|2007 || broken
|-
| [http://ehash.iaik.tugraz.at/index.php/HASV HAS-V] || Park, Hwang, Lee || align="center"|2000 || broken
|-
| [http://ehash.iaik.tugraz.at/index.php/HAVAL HAVAL] || Zheng, Pieprzyk, Seberry || align="center"|1994 || broken
|-
| [http://ehash.iaik.tugraz.at/index.php/LASH-n LASH-n] || Bentahar, Page, Saarinen, Silverman, Smart || align="center"|2006 || ?
|-
| [http://ehash.iaik.tugraz.at/index.php/MAME MAME] || Yoshida, Watanabe, Okeya, Kitahara, Wu, Kucuk, Preneel || align="center"|2007 || ?
|-
| [http://ehash.iaik.tugraz.at/index.php/MD2 MD2] || Rivest || align="center"|1989 || broken
|-
| [http://ehash.iaik.tugraz.at/index.php/MD4 MD4] || Rivest || align="center"|1990 || broken
|-
| [http://ehash.iaik.tugraz.at/index.php/MD5 MD5] || Rivest || align="center"|1992 || broken
|-
| [http://ehash.iaik.tugraz.at/index.php/N-Hash N-Hash] || Miyaguchi, Ohta, Iwata || align="center"|1990 || broken
|-
| [http://ehash.iaik.tugraz.at/index.php/PANAMA PANAMA] || Daemen, Clapp || align="center"|1998 || broken
|-
| [http://ehash.iaik.tugraz.at/index.php/ParallelFFT-Hash Parallel FFT-Hash] || Schnorr, Vaudenay || align="center"|1993 || ?
|-
| [http://ehash.iaik.tugraz.at/index.php/PARSHA-256 PARSHA-256] || Pal, Sarkar || align="center"|2003 || ?
|-
| [http://ehash.iaik.tugraz.at/index.php/PKC-HASH PKC-HASH] || Shin, Rhee, Ryu, Lee || align="center"|1998 || broken
|-
| [http://ehash.iaik.tugraz.at/index.php/RadioGatun RadioGatun[w]] || Bertoni, Daemen, Peeters, van Assche || align="center"|2006 || ?
|-
| [http://ehash.iaik.tugraz.at/index.php/RIPEMD RIPEMD] || The RIPE Consortium || align="center"|1990 || broken
|-
| [http://ehash.iaik.tugraz.at/index.php/RIPEMD-128 RIPEMD-128] || Dobbertin, Bosselaers, Preneel || align="center"|1996 || ?
|-
| [http://ehash.iaik.tugraz.at/index.php/RIPEMD-160 RIPEMD-160] || Dobbertin, Bosselaers, Preneel || align="center"|1996 || ?
|-
| [http://ehash.iaik.tugraz.at/index.php/SHA0 SHA-0] || NIST/NSA || align="center"|1991 || broken
|-
| [http://ehash.iaik.tugraz.at/index.php/SHA-1 SHA-1] || NIST/NSA || align="center"|1993 || broken
|-
| [http://ehash.iaik.tugraz.at/index.php/SHA-224 SHA-224] || NIST/NSA || align="center"|2004 ||
|-
| [http://ehash.iaik.tugraz.at/index.php/SHA256 SHA-256] || NIST/NSA || align="center"|2000 ||
|-
| [http://ehash.iaik.tugraz.at/index.php/SHA384 SHA-384] || NIST/NSA || align="center"|2000 ||
|-
| [http://ehash.iaik.tugraz.at/index.php/SHA512 SHA-512] || NIST/NSA || align="center"|2000 ||
|-
| [http://ehash.iaik.tugraz.at/index.php/SMASH SMASH] || Knudsen || align="center"|2005 || broken
|-
| [http://ehash.iaik.tugraz.at/index.php/Snefru-n Snefru-n] || Merkle || align="center"|1990 || broken
|-
| [http://ehash.iaik.tugraz.at/index.php/StepRightUp StepRightUp] || Daemen || align="center"|1995 || wounded
|-
| [http://ehash.iaik.tugraz.at/index.php/SubHash SubHash] || Daemen || align="center"|1992 || ?
|-
| [http://ehash.iaik.tugraz.at/index.php/Tiger Tiger] || Anderson, Biham || align="center"|1996 || broken
|-
| [http://ehash.iaik.tugraz.at/index.php/VSH VSH] || Contini, Lenstra, Steinfeld, || align="center"|2005 || ?
|-
| [http://ehash.iaik.tugraz.at/index.php/Whirlpool Whirlpool] || Barreto and Rijmen || align="center"|2000 || ?
|}

SHA-1

2008-03-11T05:36:13Z

Npramstaller: /* Collision Attacks */

== Specification ==

* digest size: 160 bits
* max. message length: < 264 bits
* compression function: 512-bit message block, 160-bit chaining variable
* [http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf Specification: FIPS 180-2 Secure Hash Standard]

== Cryptanalysis ==

=== Best Known Results ===

The best collision attack on full SHA-1 was published by Wang et al. It has complexity of 269 hash evaluations. The best collision example, a 70-step collision for SHA-1, was published by DeCanniere, Mendel and Rechberger.
----

=== Collision Attacks ===

<bibtex>
@inproceedings{sacryptCanniereMR07,
author = {Christophe De Canni{\`e}re and Florian Mendel and Christian Rechberger},
title = {Collisions for 70-Step SHA-1: On the Full Cost of Collision Search},
booktitle = {Selected Areas in Cryptography},
year = {2007},
pages = {56-73},
url = {http://dx.doi.org/10.1007/978-3-540-77360-3_4},
editor = {Carlisle M. Adams and Ali Miri and Michael J. Wiener},
publisher = {Springer},
series = {LNCS},
volume = {4876},
isbn = {978-3-540-77359-7},
abstract = {The diversity of methods for fast collision search in SHA-1 and similar hash functions makes a comparison of them difficult. The literature is at times very vague on this issue, which makes comparison even harder. In situations where differences in estimates of attack complexity of a small factor might influence short-term recommendations of standardization bodies, uncertainties and ambiguities in the literature amounting to a similar order of magnitude are unhelpful. We survey different techniques and propose a simple but effective method to facilitate comparison. In a case study, we consider a newly developed attack on 70-step SHA-1, and give complexity estimates and performance measurements of this new and improved collision search method.},
}
</bibtex>

<bibtex>
@inproceedings{asiacryptCanniereR06,
author = {Christophe De Canni{\`e}re and Christian Rechberger},
title = {Finding SHA-1 Characteristics: General Results and Applications},
pages = {1-20},
url = {http://dx.doi.org/10.1007/11935230_1},
editor = {Xuejia Lai and Kefei Chen},
booktitle = {ASIACRYPT},
publisher = {Springer},
series = {LNCS},
volume = {4284},
year = {2006},
isbn = {3-540-49475-8},
abstract = {The most efficient collision attacks on members of the SHA family presented so far all use complex characteristics which were manually constructed by Wang et al. In this report, we describe a method to search for characteristics in an automatic way. This is particularly useful for multi-block attacks, and as a proof of concept, we give a two-block collision for 64-step SHA-1 based on a new characteristic. The highest number of steps for which a SHA-1 collision was published so far was 58. We also give a unified view on the expected work factor of a collision search and the needed degrees of freedom for the search, which facilitates optimization.},
}
</bibtex>

<bibtex>
@inproceedings{sacryptJutlaP06,
author = {Charanjit S. Jutla and Anindya C. Patthak},
title = {Provably Good Codes for Hash Function Design},
booktitle = {Selected Areas in Cryptography},
year = {2006},
pages = {376-393},
url = {http://dx.doi.org/10.1007/978-3-540-74462-7_26},
editor = {Eli Biham and Amr M. Youssef},
publisher = {Springer},
series = {LNCS},
volume = {4356},
isbn = {978-3-540-74461-0},
abstract = {We develop a new technique to lower bound the minimum distance of quasi-cyclic codes with large dimension by reducing the problem to lower bounding the minimum distance of a few significantly smaller dimensional codes. Using this technique, we prove that a code which is similar to the SHA-1 message expansion code has minimum distance at least 82, and that too in just the last 64 of the 80 expanded words. Further the minimum weight in the last 60 words (last 48 words) is at least 75 (52 respectively). We expect our technique to be helpful in designing future practical collision-resistant hash functions. We also use the technique to find the minimum weight of the SHA-1 code (25 in the last 60 words), which was an open problem.},
}
</bibtex>

<bibtex>
@inproceedings{sacryptPramstallerRR05a,
author = {Norbert Pramstaller and Christian Rechberger and Vincent Rijmen},
title = {Impact of Rotations in SHA-1 and Related Hash Functions},
booktitle = {Selected Areas in Cryptography},
year = {2005},
pages = {261-275},
url = {http://dx.doi.org/10.1007/11693383_18},
editor = {Bart Preneel and Stafford E. Tavares},
publisher = {Springer},
series = {LNCS},
volume = {3897},
isbn = {3-540-33108-5},
abstract = {SHA-1 uses a single set of rotation constants within the compression function. However, most other members of the MD4 family of hash functions use multiple sets of rotation constants, i.e. the rotation amounts change with the step being processed. To our knowledge, no design rationales on the choice of rotation constants are given on any of these hash functions. This is the first paper that analyzes rotations in iterated hash functions. We focus on SHA-1-like hash functions and use recent developments in the analysis of these hash functions to evaluate the security implications of using multiple sets of rotation constants in the compression function instead of a single set. Additionally, we give some observations on the set of constants used in SHA-0 and SHA-1.},
}
</bibtex>

<bibtex>
@inproceedings{ctrsaRijmenO05,
author = {Vincent Rijmen and Elisabeth Oswald},
title = {Update on SHA-1},
booktitle = {CT-RSA},
year = {2005},
pages = {58-71},
publisher = {Springer},
series = {LNCS},
abstract = {We report on the experiments we performed in order to assess the security of SHA-1 against the attack by Chabaud and Joux [5]. We present some ideas for optimizations of the attack and some properties of the message expansion routine. Finally, we show that for a reduced version of SHA-1, with 53 rounds instead of 80, it is possible to find collisions in less than 2^80 operations.},
url = {http://dx.doi.org/10.1007/b105222}}
</bibtex>
----

=== Preimage Attacks ===
* We are not aware of any articles w.r.t. preimage attacks on SHA-1.
----

=== Others ===

<bibtex>
@inproceedings{iswSatoh05,
author = {Akashi Satoh},
title = {Hardware Architecture and Cost Estimates for Breaking SHA-1},
booktitle = {ISC},
year = {2005},
pages = {259-273},
url = {http://dx.doi.org/10.1007/11556992_19},
editor = {Jianying Zhou and Javier Lopez and Robert H. Deng and Feng Bao},
publisher = {Springer},
series = {LNCS},
volume = {3650},
isbn = {3-540-29001-X},
abstract = {The cryptanalysis of hash functions has advanced rapidly, and many hash functions have been broken one after another. The most popular hash function SHA-1 has not been broken yet, but the new collision search techniques proposed by Wang et al. reduced the computational complexity down to $2^{69}$, which is only 1/2,000 of the $2^{80}$ operations needed for a birthday attack. The complexity is still too large even for today's supercomputers, but no feasibility study of breaking SHA-1 using specialized hardware has been reported. The well known brute force attack on DES simply repeats the DES operation $2^{56}$ times at a maximum, but the complexity of $2^{69}$ hash operations to break SHA-1 does not mean $2^{69}$ SHA-1 operations. Complex procedures using SHA-1 functions are required, and the total number of operations based on the probability of a collision occurrence is almost equivalent to the $2^{69}$ SHA-1 operations. Therefore, we describe a procedure and propose an LSI architecture to find real collisions for SHA-1 in this paper. The hardware core was synthesized by using a 0.13-$\micro m$ CMOS standard cell library, and its performances in speed, size, and power consumption were evaluated. A \$10 million budget can build a custom hardware system that would consist of 303 personal computers with 16 circuit boards each, in which 32 SHA-1-breaking LSIs are mounted. Each LSI has 64 SHA-1 cores that can run in parallel. This system would find a real collision in 127 days.},
}
</bibtex>

== eHash Recommendation (optional) or eHash Opinion ==
Something like: SHA-1 is considered to be broken. Please do not incorporate SHA-1 in new application any longer. Try to migrate to another hash function.

SHA-1

2008-03-11T05:35:17Z

Npramstaller: /* Collision Attacks */

== Specification ==

* digest size: 160 bits
* max. message length: < 264 bits
* compression function: 512-bit message block, 160-bit chaining variable
* [http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf Specification: FIPS 180-2 Secure Hash Standard]

== Cryptanalysis ==

=== Best Known Results ===

The best collision attack on full SHA-1 was published by Wang et al. It has complexity of 269 hash evaluations. The best collision example, a 70-step collision for SHA-1, was published by DeCanniere, Mendel and Rechberger.
----

=== Collision Attacks ===

<bibtex>
@inproceedings{asiacryptCanniereR06,
author = {Christophe De Canni{\`e}re and Christian Rechberger},
title = {Finding SHA-1 Characteristics: General Results and Applications},
pages = {1-20},
url = {http://dx.doi.org/10.1007/11935230_1},
editor = {Xuejia Lai and Kefei Chen},
booktitle = {ASIACRYPT},
publisher = {Springer},
series = {LNCS},
volume = {4284},
year = {2006},
isbn = {3-540-49475-8},
abstract = {The most efficient collision attacks on members of the SHA family presented so far all use complex characteristics which were manually constructed by Wang et al. In this report, we describe a method to search for characteristics in an automatic way. This is particularly useful for multi-block attacks, and as a proof of concept, we give a two-block collision for 64-step SHA-1 based on a new characteristic. The highest number of steps for which a SHA-1 collision was published so far was 58. We also give a unified view on the expected work factor of a collision search and the needed degrees of freedom for the search, which facilitates optimization.},
}
</bibtex>

<bibtex>
@inproceedings{sacryptJutlaP06,
author = {Charanjit S. Jutla and Anindya C. Patthak},
title = {Provably Good Codes for Hash Function Design},
booktitle = {Selected Areas in Cryptography},
year = {2006},
pages = {376-393},
url = {http://dx.doi.org/10.1007/978-3-540-74462-7_26},
editor = {Eli Biham and Amr M. Youssef},
publisher = {Springer},
series = {LNCS},
volume = {4356},
isbn = {978-3-540-74461-0},
abstract = {We develop a new technique to lower bound the minimum distance of quasi-cyclic codes with large dimension by reducing the problem to lower bounding the minimum distance of a few significantly smaller dimensional codes. Using this technique, we prove that a code which is similar to the SHA-1 message expansion code has minimum distance at least 82, and that too in just the last 64 of the 80 expanded words. Further the minimum weight in the last 60 words (last 48 words) is at least 75 (52 respectively). We expect our technique to be helpful in designing future practical collision-resistant hash functions. We also use the technique to find the minimum weight of the SHA-1 code (25 in the last 60 words), which was an open problem.},
}
</bibtex>

<bibtex>
@inproceedings{sacryptPramstallerRR05a,
author = {Norbert Pramstaller and Christian Rechberger and Vincent Rijmen},
title = {Impact of Rotations in SHA-1 and Related Hash Functions},
booktitle = {Selected Areas in Cryptography},
year = {2005},
pages = {261-275},
url = {http://dx.doi.org/10.1007/11693383_18},
editor = {Bart Preneel and Stafford E. Tavares},
publisher = {Springer},
series = {LNCS},
volume = {3897},
isbn = {3-540-33108-5},
abstract = {SHA-1 uses a single set of rotation constants within the compression function. However, most other members of the MD4 family of hash functions use multiple sets of rotation constants, i.e. the rotation amounts change with the step being processed. To our knowledge, no design rationales on the choice of rotation constants are given on any of these hash functions. This is the first paper that analyzes rotations in iterated hash functions. We focus on SHA-1-like hash functions and use recent developments in the analysis of these hash functions to evaluate the security implications of using multiple sets of rotation constants in the compression function instead of a single set. Additionally, we give some observations on the set of constants used in SHA-0 and SHA-1.},
}
</bibtex>

<bibtex>
@inproceedings{ctrsaRijmenO05,
author = {Vincent Rijmen and Elisabeth Oswald},
title = {Update on SHA-1},
booktitle = {CT-RSA},
year = {2005},
pages = {58-71},
publisher = {Springer},
series = {LNCS},
abstract = {We report on the experiments we performed in order to assess the security of SHA-1 against the attack by Chabaud and Joux [5]. We present some ideas for optimizations of the attack and some properties of the message expansion routine. Finally, we show that for a reduced version of SHA-1, with 53 rounds instead of 80, it is possible to find collisions in less than 2^80 operations.},
url = {http://dx.doi.org/10.1007/b105222}}
</bibtex>
----

=== Preimage Attacks ===
* We are not aware of any articles w.r.t. preimage attacks on SHA-1.
----

=== Others ===

<bibtex>
@inproceedings{iswSatoh05,
author = {Akashi Satoh},
title = {Hardware Architecture and Cost Estimates for Breaking SHA-1},
booktitle = {ISC},
year = {2005},
pages = {259-273},
url = {http://dx.doi.org/10.1007/11556992_19},
editor = {Jianying Zhou and Javier Lopez and Robert H. Deng and Feng Bao},
publisher = {Springer},
series = {LNCS},
volume = {3650},
isbn = {3-540-29001-X},
abstract = {The cryptanalysis of hash functions has advanced rapidly, and many hash functions have been broken one after another. The most popular hash function SHA-1 has not been broken yet, but the new collision search techniques proposed by Wang et al. reduced the computational complexity down to $2^{69}$, which is only 1/2,000 of the $2^{80}$ operations needed for a birthday attack. The complexity is still too large even for today's supercomputers, but no feasibility study of breaking SHA-1 using specialized hardware has been reported. The well known brute force attack on DES simply repeats the DES operation $2^{56}$ times at a maximum, but the complexity of $2^{69}$ hash operations to break SHA-1 does not mean $2^{69}$ SHA-1 operations. Complex procedures using SHA-1 functions are required, and the total number of operations based on the probability of a collision occurrence is almost equivalent to the $2^{69}$ SHA-1 operations. Therefore, we describe a procedure and propose an LSI architecture to find real collisions for SHA-1 in this paper. The hardware core was synthesized by using a 0.13-$\micro m$ CMOS standard cell library, and its performances in speed, size, and power consumption were evaluated. A \$10 million budget can build a custom hardware system that would consist of 303 personal computers with 16 circuit boards each, in which 32 SHA-1-breaking LSIs are mounted. Each LSI has 64 SHA-1 cores that can run in parallel. This system would find a real collision in 127 days.},
}
</bibtex>

== eHash Recommendation (optional) or eHash Opinion ==
Something like: SHA-1 is considered to be broken. Please do not incorporate SHA-1 in new application any longer. Try to migrate to another hash function.

SHA-1

2008-03-11T05:33:24Z

Npramstaller: /* Collision Attacks */

== Specification ==

* digest size: 160 bits
* max. message length: < 264 bits
* compression function: 512-bit message block, 160-bit chaining variable
* [http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf Specification: FIPS 180-2 Secure Hash Standard]

== Cryptanalysis ==

=== Best Known Results ===

The best collision attack on full SHA-1 was published by Wang et al. It has complexity of 269 hash evaluations. The best collision example, a 70-step collision for SHA-1, was published by DeCanniere, Mendel and Rechberger.
----

=== Collision Attacks ===

<bibtex>
@inproceedings{asiacryptCanniereR06,
author = {Christophe De Canni{\`e}re and Christian Rechberger},
title = {Finding SHA-1 Characteristics: General Results and Applications},
pages = {1-20},
url = {http://dx.doi.org/10.1007/11935230_1},
editor = {Xuejia Lai and Kefei Chen},
booktitle = {ASIACRYPT},
publisher = {Springer},
series = {LNCS},
volume = {4284},
year = {2006},
isbn = {3-540-49475-8},
abstract = {The most efficient collision attacks on members of the SHA family presented so far all use complex characteristics which were manually constructed by Wang et al. In this report, we describe a method to search for characteristics in an automatic way. This is particularly useful for multi-block attacks, and as a proof of concept, we give a two-block collision for 64-step SHA-1 based on a new characteristic. The highest number of steps for which a SHA-1 collision was published so far was 58. We also give a unified view on the expected work factor of a collision search and the needed degrees of freedom for the search, which facilitates optimization.},
}
</bibtex>

<bibtex>
@inproceedings{sacryptPramstallerRR05a,
author = {Norbert Pramstaller and Christian Rechberger and Vincent Rijmen},
title = {Impact of Rotations in SHA-1 and Related Hash Functions},
booktitle = {Selected Areas in Cryptography},
year = {2005},
pages = {261-275},
url = {http://dx.doi.org/10.1007/11693383_18},
editor = {Bart Preneel and Stafford E. Tavares},
publisher = {Springer},
series = {LNCS},
volume = {3897},
isbn = {3-540-33108-5},
abstract = {SHA-1 uses a single set of rotation constants within the compression function. However, most other members of the MD4 family of hash functions use multiple sets of rotation constants, i.e. the rotation amounts change with the step being processed. To our knowledge, no design rationales on the choice of rotation constants are given on any of these hash functions. This is the first paper that analyzes rotations in iterated hash functions. We focus on SHA-1-like hash functions and use recent developments in the analysis of these hash functions to evaluate the security implications of using multiple sets of rotation constants in the compression function instead of a single set. Additionally, we give some observations on the set of constants used in SHA-0 and SHA-1.},
}
</bibtex>

<bibtex>
@inproceedings{ctrsaRijmenO05,
author = {Vincent Rijmen and Elisabeth Oswald},
title = {Update on SHA-1},
booktitle = {CT-RSA},
year = {2005},
pages = {58-71},
publisher = {Springer},
series = {LNCS},
abstract = {We report on the experiments we performed in order to assess the security of SHA-1 against the attack by Chabaud and Joux [5]. We present some ideas for optimizations of the attack and some properties of the message expansion routine. Finally, we show that for a reduced version of SHA-1, with 53 rounds instead of 80, it is possible to find collisions in less than 2^80 operations.},
url = {http://dx.doi.org/10.1007/b105222}}
</bibtex>
----

=== Preimage Attacks ===
* We are not aware of any articles w.r.t. preimage attacks on SHA-1.
----

=== Others ===

<bibtex>
@inproceedings{iswSatoh05,
author = {Akashi Satoh},
title = {Hardware Architecture and Cost Estimates for Breaking SHA-1},
booktitle = {ISC},
year = {2005},
pages = {259-273},
url = {http://dx.doi.org/10.1007/11556992_19},
editor = {Jianying Zhou and Javier Lopez and Robert H. Deng and Feng Bao},
publisher = {Springer},
series = {LNCS},
volume = {3650},
isbn = {3-540-29001-X},
abstract = {The cryptanalysis of hash functions has advanced rapidly, and many hash functions have been broken one after another. The most popular hash function SHA-1 has not been broken yet, but the new collision search techniques proposed by Wang et al. reduced the computational complexity down to $2^{69}$, which is only 1/2,000 of the $2^{80}$ operations needed for a birthday attack. The complexity is still too large even for today's supercomputers, but no feasibility study of breaking SHA-1 using specialized hardware has been reported. The well known brute force attack on DES simply repeats the DES operation $2^{56}$ times at a maximum, but the complexity of $2^{69}$ hash operations to break SHA-1 does not mean $2^{69}$ SHA-1 operations. Complex procedures using SHA-1 functions are required, and the total number of operations based on the probability of a collision occurrence is almost equivalent to the $2^{69}$ SHA-1 operations. Therefore, we describe a procedure and propose an LSI architecture to find real collisions for SHA-1 in this paper. The hardware core was synthesized by using a 0.13-$\micro m$ CMOS standard cell library, and its performances in speed, size, and power consumption were evaluated. A \$10 million budget can build a custom hardware system that would consist of 303 personal computers with 16 circuit boards each, in which 32 SHA-1-breaking LSIs are mounted. Each LSI has 64 SHA-1 cores that can run in parallel. This system would find a real collision in 127 days.},
}
</bibtex>

== eHash Recommendation (optional) or eHash Opinion ==
Something like: SHA-1 is considered to be broken. Please do not incorporate SHA-1 in new application any longer. Try to migrate to another hash function.

SMASH

2008-03-11T05:31:40Z

Npramstaller: /* Collision Attacks */

== Specification ==

* digest size: 256/512 bits
* max. message length: < 2128 / < 2256bits
* compression function: 256/512-bit message block, 256/512-bit chaining variable
* Specification:

<bibtex>
@inproceedings{fseKnudsen05,
author = {Lars R. Knudsen},
title = {SMASH - A Cryptographic Hash Function},
pages = {228-242},
url = {http://dx.doi.org/10.1007/11502760_15},
editor = {Henri Gilbert and Helena Handschuh},
booktitle = {FSE},
publisher = {Springer},
series = {LNCS},
volume = {3557},
year = {2005},
isbn = {3-540-26541-4},
abstract = {This paper presents a new hash function design, which is different from the popular designs of the MD4-family. Seen in the light of recent attacks on MD4, MD5, SHA-0, SHA-1, and on RIPEMD, there is a need to consider other hash function design strategies. The paper presents also a concrete hash function design named SMASH. One version has a hash code of 256 bits and appears to be at least as fast as SHA-256.},
}
</bibtex>

== Cryptanalysis ==

=== Best Known Results ===

----

=== Generic Attacks ===
* [[GenericAttacksMerkleDamgaard| Generic Attacks on the Merkle-Damgaard Construction ]]

----

=== Collision Attacks ===
<bibtex>
@inproceedings{sacryptPramstallerRR05,
author = {Norbert Pramstaller and Christian Rechberger and Vincent Rijmen},
title = {Breaking a New Hash Function Design Strategy Called SMASH},
booktitle = {Selected Areas in Cryptography},
year = {2005},
pages = {233-244},
url = {http://dx.doi.org/10.1007/11693383_16},
editor = {Bart Preneel and Stafford E. Tavares},
publisher = {Springer},
series = {LNCS},
volume = {3897},
isbn = {3-540-33108-5},
abstract = {We present a collision attack on SMASH. SMASH was proposed as a new hash function design strategy that does not rely on the structure of the MD4 family. The presented attack method allows us to produce almost any desired difference in the chaining variables of the iterated hash function. Due to the absence of a secret key, we are able to construct differences with probability 1. Furthermore, we get only few constraints on the colliding messages, which allows us to construct meaningful collisions. The presented collision attack uses negligible resources and we conjecture that it works for all hash functions built following the design strategy of SMASH.},
}
</bibtex>

=== Second Preimage Attacks ===

<bibtex>
@inproceedings{ctrsaLambergerPRR07,
author = {Mario Lamberger and Norbert Pramstaller and Christian Rechberger and Vincent Rijmen},
title = {Second Preimages for SMASH},
booktitle = {CT-RSA},
series = {LNCS},
year = {2007},
pages = {101-111},
url = {http://dx.doi.org/10.1007/11967668_7},

abstract = {This article presents a rare case of a deterministic second preimage attack on a cryptographic hash function. Using the notion of controllable output differences, we show how to construct second preimages for the SMASH hash functions. If the given preimage contains at least n+1 blocks, where n is the output length of the hash function in bits, then the attack is deterministic and requires only to solve a set of n linear equations. For shorter preimages, the attack is probabilistic.} }
</bibtex>
----

=== Preimage Attacks ===

----

=== Others ===

PKC-HASH

2008-03-11T05:25:55Z

Npramstaller: /* Collision Attacks */

== Specification ==

* digest size: 160 bits
* max. message length: < 264 bits
* compression function: 512-bit message block, 160-bit chaining variable
* Specification:

<bibtex>
@inproceedings{pkcShinRRL98,
author = {Sang Uk Shin and Kyung Hyune Rhee and Dae-Hyun Ryu and Sangjin Lee},
title = {A New Hash Function Based on MDx-Family and Its Application to MAC},
pages = {234-246},
url = {http://link.springer.de/link/service/series/0558/bibs/1431/14310234.htm},
editor = {Hideki Imai and Yuliang Zheng},
booktitle = {Public Key Cryptography},
publisher = {Springer},
series = {LNCS},
volume = {1431},
year = {1998},
isbn = {3-540-64693-0},
abstract = {Several fast software hash functions have been proposed since the hash function MD4 was introduced by R. Rivest in 1990. At the moment, SHA-1, RIPEMD-160, and HAVAL are known as secure dedicated hash functions in MDx-family hash functions. In this paper, we propose a new hash function based on advantages of these three hash functions, which keeps the maximum security of them and is more efficient in performance. The proposed hash function processes an arbitrary finite message by 512-bit block and outputs 160 bits digest. The key feature of the proposed hash function is data-dependent rotation. This feature guarantees the strength against existing known attacks. Moreover, we propose a new keyed MAC (Message Authentication Code) constructed using the proposed hash function. The proposed MAC uses a maximum keys of 160 bits and has a bitlength less than equal to the hash result. From the viewpoint of performance, the proposed MAC is only reduced about 10% comparing to the underlyinghash function.},
}
</bibtex>

== Cryptanalysis ==

=== Best Known Results ===

----

=== Generic Attacks ===
* [[GenericAttacksMerkleDamgaard| Generic Attacks on the Merkle-Damgaard Construction ]]

----

=== Collision Attacks ===

<bibtex>
@inproceedings{sacryptChangSSLL02,
author = {Donghoon Chang and Jaechul Sung and Soo Hak Sung and Sangjin Lee and Jongin Lim},
title = {Full-Round Differential Attack on the Original Version of the Hash Function Proposed at PKC'98},
booktitle = {Selected Areas in Cryptography},
year = {2002},
pages = {160-174},
url = {http://link.springer.de/link/service/series/0558/bibs/2595/25950160.htm},
editor = {Kaisa Nyberg and Howard M. Heys},
publisher = {Springer},
series = {LNCS},
volume = {2595},
isbn = {3-540-00622-2},
abstract = {Shin et al. [4] proposed a new hash function with 160-bit output length at PKC'98. Recently, at FSE 2002, Han et al. [5] cryptanalyzed the hash function proposed at PKC'98 and suggested a method finding a collision pair with probability $2^{-30}$, supposing that boolean functions satisfy the SAC(Strict Avalanche Criterion). This paper improves their attack and shows that we can find a collision pair from the original version of the hash function with probability $2^{-37.13}$ through the improved method. Furthermore we point out a weakness of the function comes from shift values dependent on message.},
}
</bibtex>

<bibtex>
@inproceedings{fseHanPC02,
author = {Daewan Han and Sangwoo Park and Seongtaek Chee},
title = {Cryptanalysis of the Modified Version of the Hash Function Proposed at PKC'98},
pages = {252-262},
url = {http://link.springer.de/link/service/series/0558/bibs/2365/23650252.htm},
editor = {Joan Daemen and Vincent Rijmen},
booktitle = {FSE},
publisher = {Springer},
series = {LNCS},
volume = {2365},
year = {2002},
isbn = {3-540-44009-7},
abstract = {In the conference PKC’98, Shin et al. proposed a dedicated hash
function of the MD family. In this paper, we study the security
of Shin’s hash function. We analyze the property of the
Boolean functions, the message expansion, and the data
dependent rotations of the hash function. We propose a
method for finding the collisions of the modified Shin’s
hash function and show that we can find collisions with probability 2-30}
}
</bibtex>
----

=== Second Preimage Attacks ===

----

=== Preimage Attacks ===

----

=== Others ===

RIPEMD-160

2008-03-11T05:22:39Z

Npramstaller: /* Collision Attacks */

== Specification ==

* digest size: 160 bits
* max. message length: < 264 bits
* compression function: 512-bit message block, 160-bit chaining variable
* Specification:
<bibtex>
@inproceedings{fseDobbertinBP96,
author = {Hans Dobbertin and Antoon Bosselaers and Bart Preneel},
title = {RIPEMD-160: A Strengthened Version of RIPEMD},
pages = {71-82},
editor = {Dieter Gollmann},
booktitle = {FSE},
publisher = {Springer},
series = {LNCS},
volume = {1039},
year = {1996},
isbn = {3-540-60865-6},
abstract = {Cryptographic hash functions are an important tool in cryptography
for applications such as digital ﬁngerprinting of messages, message
authentication, and key derivation. During the last ﬁve years, several
fast software hash functions have been proposed; most of them are based
on the design principles of Ron Rivest’s MD4. One such proposal was RIPEMD,
which was developed in the framework of the EU project RIPE (Race Integrity Primitives Evaluation).
Because of recent progress in the cryptanalysis of these hash functions, we
propose a new version of RIPEMD with a 160-bit result, as well as a plug-in
substitute for RIPEMD with a 128-bit result. We also compare the software
performance of several MD4-based algorithms, which is of independent interest.},
url = {http://homes.esat.kuleuven.be/~cosicart/pdf/AB-9601/AB-9601.pdf}
}
</bibtex>

== Cryptanalysis ==

=== Best Known Results ===

----

=== Generic Attacks ===
* [[GenericAttacksMerkleDamgaard| Generic Attacks on the Merkle-Damgaard Construction ]]

----

=== Collision Attacks ===

<bibtex>
@inproceedings{iswMendelPRR06,
author = {Florian Mendel and Norbert Pramstaller and Christian Rechberger and Vincent Rijmen},
title = {On the Collision Resistance of RIPEMD-160},
booktitle = {ISC},
year = {2006},
pages = {101-116},
url = {http://dx.doi.org/10.1007/11836810_8},
editor = {Sokratis K. Katsikas and Javier Lopez and Michael Backes and Stefanos Gritzalis and Bart Preneel},
publisher = {Springer},
series = {LNCS},
volume = {4176},
isbn = {3-540-38341-7},
abstract = {In this article, the RIPEMD-160 hash function is studied in detail. To analyze the hash function, we have extended existing approaches and used recent results in cryptanalysis. While RIPEMD and RIPEMD-128 reduced to 3 rounds are vulnerable to the attack, it is not feasible for RIPEMD-160. Furthermore, we present an analytical attack on a round-reduced variant of the RIPEMD-160 hash function. To the best of our knowledge this is the first article that investigates the impact of recent advances in cryptanalysis of hash functions on RIPEMD-160.},
}
</bibtex>

=== Second Preimage Attacks ===

----

=== Preimage Attacks ===

----

=== Others ===

SHA-1

2008-03-11T05:19:01Z

Npramstaller: /* Others */

SHA-1

2008-03-11T05:16:54Z

Npramstaller: /* Others */

SHA-1

2008-03-11T05:15:29Z

Npramstaller: /* Others */

SHA-1

2008-03-11T05:13:50Z

Npramstaller: /* Others */