Finding Collisions for a 45-Step Simplified HAS-V
Lecture Notes in Computer Science
Recent attacks on hash functions start by constructing a differential characteristic. By finding message pairs that satisfy this characteristic, a collision can be found. This paper describes the method of De Cannière and Rechberger to construct generalized characteristics for SHA-1 in more detail. This method is further generalized and applied to a simplified variant of the HAS-V hash function. Using these techniques, a characteristic for 45 steps is found, requiring an effort of about $2^{46}$
... pression function evaluations to find a colliding message pair. A lot of the message bits can still be freely chosen when using this characteristic, greatly increasing its usefulness.

hash function with a variable digest size. The only cryptanalytic results on HAS-V known to us are described in  . Results using the recent attacks on hash functions have not been published before. The cryptanalysis of a simplified variant of HAS-V is the subject of this paper.

Recent attacks on hash functions focus on the construction of a differential characteristic that allows collisions to be found with a good probability by finding messages m, m that satisfy this characteristic. Characteristics are often constructed in an ad hoc way, which does not give any insight into the application of these attacks to other hash functions. This emphasizes the need for automated methods. One such method, introduced in , is further generalized and applied to the simplified HAS-V. Using this method, we found a characteristic for a 45-step collision with an expected work factor of $2^{75.84}$ step function evaluations, which is given in Table 12. Further improvements lead to the better characteristic shown in Table 13, which has a work factor of $2^{51.53}$, making a collision-finding attack feasible. If the cost of one step function evaluation is about $2^{-5}$ compression function evaluations, these work factors are equivalent to about $2^{71}$ and $2^{46}$ compression function evaluations, respectively. Note that a lot of bits in the message words can still be freely chosen.

Notation is defined in Table 1. In Sect. 2, a description of a simplified variant of HAS-V is given. An alternative, cyclic description of this hash function is provided as well. The technique for finding NL-characteristics of  is further explained, generalized and applied to HAS-V in Sect. 3. Techniques for improving NL-characteristics are laid out in Sect. 4, where good NL-characteristics for a 45-step simplified HAS-V are obtained as well. A conclusion and suggestions for future work are given in Sect. 5. Appendix A lists the NL-characteristics we obtained. To assist the reader in understanding the more abstract explanation of the graph method in this paper, a simple example is given in Appendix B. Although this method is extensively used to attack SHA-1 in  , this paper is the first to fully explain it.