TY - GEN
T1 - Distinguishing attacks on LPMAC based on the full RIPEMD and reduced-step RIPEMD-{256,320}
AU - Wang, Gaoli
PY - 2011
Y1 - 2011
N2 - This paper presents the first distinguishing attack on the LPMAC based on RIPEMD, 58-step reduced RIPEMD-256 and 48-step reduced RIPEMD-320, and the LPMAC is the secret-prefix MAC with the message length prepended to the message before hashing. Wang et al. presented the first distinguishing attack on HMAC/NMAC-MD5 without the related-key setting in [27], then they extended this technique to give a distinguishing attack on the LPMAC based on 61-step SHA-1 in [24]. In this paper, we utilize the techniques in [24,27] combined with our pseudo-near-collision differential path on the full RIPEMD, 58-step reduced RIPEMD-256 and 48-step reduced RIPEMD-320 to distinguish the LPMAC based on the full RIPEMD, 58-step reduced RIPEMD-256 and 48-step reduced RIPEMD-320 from the LPMAC based on a random function respectively. Because RIPEMD and RIPEMD-{256,320} all contain two different and independent parallel lines of operations, the difficulty of our attack is to choose proper message differences and to find proper near-collision differential paths of the two parallel lines of operations. The complexity of distinguishing the LPMAC based on the full RIPEMD is about 266 MAC queries. For the LPMAC based on 58-step reduced RIPEMD-256 and 48-step reduced RIPEMD-320, the complexities are about 2163.5 MAC queries and 2208.5 MAC queries respectively.
AB - This paper presents the first distinguishing attack on the LPMAC based on RIPEMD, 58-step reduced RIPEMD-256 and 48-step reduced RIPEMD-320, and the LPMAC is the secret-prefix MAC with the message length prepended to the message before hashing. Wang et al. presented the first distinguishing attack on HMAC/NMAC-MD5 without the related-key setting in [27], then they extended this technique to give a distinguishing attack on the LPMAC based on 61-step SHA-1 in [24]. In this paper, we utilize the techniques in [24,27] combined with our pseudo-near-collision differential path on the full RIPEMD, 58-step reduced RIPEMD-256 and 48-step reduced RIPEMD-320 to distinguish the LPMAC based on the full RIPEMD, 58-step reduced RIPEMD-256 and 48-step reduced RIPEMD-320 from the LPMAC based on a random function respectively. Because RIPEMD and RIPEMD-{256,320} all contain two different and independent parallel lines of operations, the difficulty of our attack is to choose proper message differences and to find proper near-collision differential paths of the two parallel lines of operations. The complexity of distinguishing the LPMAC based on the full RIPEMD is about 266 MAC queries. For the LPMAC based on 58-step reduced RIPEMD-256 and 48-step reduced RIPEMD-320, the complexities are about 2163.5 MAC queries and 2208.5 MAC queries respectively.
KW - Hash function
KW - MAC
KW - RIPEMD- family
KW - distinguishing attack
UR - https://www.scopus.com/pages/publications/79960770045
U2 - 10.1007/978-3-642-21518-6_15
DO - 10.1007/978-3-642-21518-6_15
M3 - 会议稿件
AN - SCOPUS:79960770045
SN - 9783642215179
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 199
EP - 217
BT - Information Security and Cryptology - 6th International Conference, Inscrypt 2010, Revised Selected Papers
T2 - 6th China International Conference on Information Security and Cryptology, Inscrypt 2010
Y2 - 20 October 2010 through 24 October 2010
ER -