Juha Kortelainen

Multicollision attacks and generalized iterated hash functions

Abstract We apply combinatorics on words to develop an approach to multicollisions in generalized iterated hash functions. Our work is based on the discoveries of A. Joux and on generalizations provided by M. Nandi and D. Stinson as well as J. Hoch and A. Shamir. We wish to unify the existing diverse notation in the field, bring basic facts together, reprove some previously published results and produce some new ones. A multicollision attack method informally described by Hoch and Shamir is laid on a sound statistical basis and studied in detail.

Algorithmic Verification with Multiple and Nested Parameters

We consider parameterised verification problem, where parameters are sets and relations over these sets, typically used to denote sets of identities of replicated components and connections between the components. A specification and a system are given as (multiply) parameterised labelled transition systems, parameter values are encoded using first-order logic and correctness is understood as the traces refinement. We provide an algorithm that reduces the (infinite) set of parameter values to a finite one without changing the answer to the verification task, which can be then solved with the aid of existing tools. To the best of our knowledge, the algorithm is the most general one that is both complete and applicable to systems with multiple and nested parameters.

On Diamond Structures and Trojan Message Attacks

The first part of this paper considers the diamond structures which were first introduced and applied in the herding attack by Kelsey and Kohno [7]. We present a new method for the construction of a diamond structure with 2 d chaining values the message complexity of which is \(\mathrm{O}(2^{\frac{n+d}{2}})\). Here n is the length of the compression function used. The aforementioned complexity was (with intuitive reasoning) suggested to be true in [7] and later disputed by Blackburn et al. in [3]. In the second part of our paper we give new, efficient variants for the two types of Trojan message attacks against Merkle-Damgard hash functions presented by Andreeva et al. [1] The message complexities of the Collision Trojan Attack and the stronger Herding Trojan Attack in [1] are \(\mathrm{O}(2^{\frac{n}{2}+r})\) and \(\mathrm{O}(2^{\frac{2n}{3}}+2^{\frac{n}{2}+r})\), respectively. Our variants of the above two attack types are the Weak Trojan Attack and the Strong Trojan Attack having the complexities \(\mathrm{O}(2^{\frac{n+r}{2}})\) and \(\mathrm{O}(2^{\frac{2n-s}{3}}+2^{\frac{n+r}{2}})\), respectively. Here 2 r is the cardinality of the prefix set and 2 s is the length of the Trojan message in the Strong Trojan Attack.

Unavoidable regularities in long words with bounded number of symbol occurrences

AbstractTraditionally in combinatorics on words one studies unavoidable regularities that appear in sufficiently long strings over a fixed size alphabet. Inspired by permutation problems originating from information security, another viewpoint is taken in this paper. We focus on combinatorial properties of long words in which the number of occurrences of any symbol is restricted by a fixed given constant. More precisely, we show that for all positive integers m and q there exists the least positive integer N(m,q) which is smaller than

Parameterised Process Algebraic Verification by Precongruence Reduction

m^{2^{q-1}}

Variants of multicollision attacks on iterated hash functions

and satisfies the following: If α is a word such that (i)|alph(α)|≥N(m,q) (i.e., the cardinality of the alphabet of α is at least N(m,q)); and(ii)|α|a≤q for each a∈alph(α) (i.e., the number of occurrences of any symbol of alph(α) in α is at most q), then there exist a set A⊆alph(α) of cardinality |A|=m, an integer p∈{1,2,…,q}, and permutations σ1,σ2,…,σp:{1,2,…,m}→{1,2,…,m} for which

On the system of word equations x i 1 x i 2…x i m=y i 1 y i 2…y i n (i=1, 2, …) in a free monoid

\pi_A(\alpha)\in a_{\sigma_1(1)}^+\cdots a_{\sigma_1(m)}^+a_{\sigma _2(1)}^+\cdots a_{\sigma_2(m)}^+\cdots a_{\sigma_p(1)}^+\cdots a_{\sigma_p(m)}^+ .

On the system of word equations x o u i i x 1 u i 2 x 2 u i 3 x 3 =y 0 v i 1 y 1 v i 2 y 2 v i 3 y 3 i=0,1,2,l in a free monoid

Here A={a1,a2,…,am} and πA is the projection morphism from alph(α)∗ into A∗. The second part of the paper considers information security. We give an introduction to (generalized iterated) hash functions and their security properties; finally we demonstrate how our combinatorial results are connected to constructing multicollision attacks on these functions.