Difference between revisions of "SMASH"
From The ECRYPT Hash Function Website
|  (→Second Preimage Attacks) | Crechberger (talk | contribs)   (→Best Known Results) | ||
| (9 intermediate revisions by 4 users not shown) | |||
| Line 1: | Line 1: | ||
| − | ==  | + | == Specification == | 
| − | + | ||
| − | * digest size:  | + | * digest size: 256/512 bits | 
| − | * max. message length: < 2<sup> | + | * max. message length: < 2<sup>128</sup> / < 2<sup>256</sup>bits | 
| − | * compression function: 512-bit message block,  | + | * compression function: 256/512-bit message block, 256/512-bit chaining variable | 
| * Specification:   | * Specification:   | ||
| − | --> | + | |
| + | <bibtex> | ||
| + | @inproceedings{fseKnudsen05, | ||
| + |   author    = {Lars R. Knudsen}, | ||
| + |   title     = {SMASH - A Cryptographic Hash Function}, | ||
| + |   pages     = {228-242}, | ||
| + |   url        = {http://dx.doi.org/10.1007/11502760_15}, | ||
| + |   editor    = {Henri Gilbert and Helena Handschuh}, | ||
| + |   booktitle = {FSE}, | ||
| + |   publisher = {Springer}, | ||
| + |   series    = {LNCS}, | ||
| + |   volume    = {3557}, | ||
| + |   year      = {2005}, | ||
| + |   isbn      = {3-540-26541-4}, | ||
| + |   abstract  = {This paper presents a new hash function design, which is different from the popular designs of the MD4-family. Seen in the light of recent attacks on MD4, MD5, SHA-0, SHA-1, and on RIPEMD, there is a need to consider other hash function design strategies. The paper presents also a concrete hash function design named SMASH. One version has a hash code of 256 bits and appears to be at least as fast as SHA-256.}, | ||
| + | } | ||
| + | </bibtex> | ||
| == Cryptanalysis == | == Cryptanalysis == | ||
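Review bot: the new max. message length bullet ends in `< 2<sup>256</sup>bits`, with no space between the exponent markup and the unit, so it renders run together; suggest `</sup> bits`. The three changed bullets also give each parameter as a bare 256/512 pair without saying which value belongs to which variant, and a short label on each pair would remove the ambiguity.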
| Line 12: | Line 28: | ||
| === Best Known Results === | === Best Known Results === | ||
| − | + | Practical collision and second preimage attacks. No preimage attacks. | |
| ---- | ---- | ||
| Line 21: | Line 37: | ||
| === Collision Attacks === | === Collision Attacks === | ||
| + | <bibtex> | ||
| + | @inproceedings{sacryptPramstallerRR05, | ||
| + |   author    = {Norbert Pramstaller and Christian Rechberger and Vincent Rijmen}, | ||
| + |   title     = {Breaking a New Hash Function Design Strategy Called SMASH}, | ||
| + |   booktitle = {Selected Areas in Cryptography}, | ||
| + |   year      = {2005}, | ||
| + |   pages     = {233-244}, | ||
| + |   url        = {http://dx.doi.org/10.1007/11693383_16}, | ||
| + |   editor    = {Bart Preneel and Stafford E. Tavares}, | ||
| + |   publisher = {Springer}, | ||
| + |   series    = {LNCS}, | ||
| + |   volume    = {3897}, | ||
| + |   isbn      = {3-540-33108-5}, | ||
| + |   abstract  = {We present a collision attack on SMASH. SMASH was proposed as a new hash function design strategy that does not rely on the structure of the MD4 family. The presented attack method allows us to produce almost any desired difference in the chaining variables of the iterated hash function. Due to the absence of a secret key, we are able to construct differences with probability 1. Furthermore, we get only few constraints on the colliding messages, which allows us to construct meaningful collisions. The presented collision attack uses negligible resources and we conjecture that it works for all hash functions built following the design strategy of SMASH.}, | ||
| + | } | ||
| + | </bibtex> | ||
| ---- | ---- | ||
| Line 31: | Line 63: | ||
|    title     = {Second Preimages for SMASH}, |    title     = {Second Preimages for SMASH}, | ||
|    booktitle = {CT-RSA}, |    booktitle = {CT-RSA}, | ||
| + |   series    = {LNCS}, | ||
|    year      = {2007}, |    year      = {2007}, | ||
|    pages     = {101-111}, |    pages     = {101-111}, | ||
| − | + |    url       = {http://dx.doi.org/10.1007/11967668_7}, | |
|    abstract  = {This article presents a rare case of a deterministic second preimage attack on a cryptographic hash function. Using the notion of controllable output differences, we show how to construct second preimages for the SMASH hash functions. If the given preimage contains at least n+1 blocks, where n is the output length of the hash function in bits, then the attack is deterministic and requires only to solve a set of n linear equations. For shorter preimages, the attack is probabilistic.} }    |    abstract  = {This article presents a rare case of a deterministic second preimage attack on a cryptographic hash function. Using the notion of controllable output differences, we show how to construct second preimages for the SMASH hash functions. If the given preimage contains at least n+1 blocks, where n is the output length of the hash function in bits, then the attack is deterministic and requires only to solve a set of n linear equations. For shorter preimages, the attack is probabilistic.} }    | ||
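Review bot: the added `series = {LNCS}` line in the "Second Preimages for SMASH" entry comes without a `volume` field, unlike the other two entries in this revision (3557 and 3897), which is why the rendered citation falls back to "CT-RSA pp. 101-111,2007" instead of the volume:pages form. Suggest adding the volume so the three references render consistently. Note also that this entry closes with `} }` on the abstract line, while the two new entries put the closing brace on its own line.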
Latest revision as of 14:17, 27 March 2008
1 Specification
- digest size: 256/512 bits
- max. message length: < 2^128 / < 2^256 bits
- compression function: 256/512-bit message block, 256/512-bit chaining variable
- Specification:
Lars R. Knudsen - SMASH - A Cryptographic Hash Function
- FSE 3557:228-242,2005
- http://dx.doi.org/10.1007/11502760_15
2 Cryptanalysis
2.1 Best Known Results
Practical collision and second preimage attacks. No preimage attacks.
2.2 Generic Attacks
2.3 Collision Attacks
Norbert Pramstaller, Christian Rechberger, Vincent Rijmen - Breaking a New Hash Function Design Strategy Called SMASH
- Selected Areas in Cryptography 3897:233-244,2005
- http://dx.doi.org/10.1007/11693383_16
2.4 Second Preimage Attacks
Mario Lamberger, Norbert Pramstaller, Christian Rechberger, Vincent Rijmen - Second Preimages for SMASH
- CT-RSA pp. 101-111,2007
- http://dx.doi.org/10.1007/11967668_7
