Meet-in-the-Middle Preimage Attacks on Hash Functions
Abstract
Cryptographic hash functions (hash functions for short) are one of the three primitives of cryptography (the other two being encryption algorithms and signature algorithms), and they play a foundational role in modern communications, finance, and secure computation. The classical and important security properties of hash functions are collision resistance, second-preimage resistance, and preimage resistance. This thesis uses the meet-in-the-middle method to analyze the second-preimage resistance and preimage resistance of six hash functions: MD4, Extended MD4, 3-pass HAVAL, SM3, DHA-256, and SShash.
MD4 is a hash function designed by Ronald L. Rivest and presented at CRYPTO 1990. The design philosophy of many important hash functions, such as the widely used MD5, SHA-1, and SHA-2, derives from MD4, and MD4 is still in use today. We give a formula for computing the complexity of the meet-in-the-middle preimage attack on MD4, propose the multi-neutral-word partial-fixing technique, and design an algorithm that computes the complexity automatically. With these, we improve the one-block preimage attack on MD4 presented by Kazumaro Aoki et al. at SAC 2008, reducing its time complexity from 2^107 to 2^95. Extended MD4 is the 256-bit extended version of MD4; applying similar methods, we also improve the pseudo-preimage and preimage attacks on Extended MD4 presented by Yu Sasaki et al. at ACISP 2009, lowering their time complexities by factors of 2^(25.2) and 2^(12.6), respectively. These are currently the best preimage attacks on MD4 and Extended MD4. One-block preimage attacks do not exploit properties of the Merkle-Damgård construction but attack the compression function directly, which is what makes them interesting.
HAVAL is a hash function proposed by Yuliang Zheng et al. at AUSCRYPT 1992, with 3-, 4-, and 5-pass versions. Combining several methods, we improve the pseudo-preimage and preimage attacks on 3-pass HAVAL presented by Yu Sasaki et al. at ASIACRYPT 2008, lowering the respective time complexities from 2^192 and 2^225 to 2^172 and 2^(209.6).
SM3 is the national standard hash algorithm published by the Chinese State Cryptography Administration in December 2010; it has 64 steps in total and a 256-bit output. We present a preimage attack on 30-step SM3, the first result on the preimage resistance of SM3.
DHA-256 is a hash function proposed by Jesang Lee et al. in November 2005 at the Cryptographic Hash Workshop hosted by the U.S. National Institute of Standards and Technology; it has 64 steps in total and a 256-bit output. We present a one-block preimage attack on 27-step DHA-256 and a two-block preimage attack on 35-step DHA-256. These are the first results on the preimage resistance of DHA-256.
SShash is a hash function proposed by Somitra Kumar Sanadhya et al. at ASIACCS 2009, comprising SShash-256 and SShash-512 with 64 and 80 steps, respectively. We present a preimage attack on 28-step SShash, the first result on the security of SShash.
All preimage attacks presented in this thesis can handle message-processing operations such as message padding and appending the original message length, and so they can be trivially converted into the corresponding second-preimage attacks.
English abstract
Cryptographic hash functions, known as hash functions, are one of three cryptographic primitives (the others are encryption algorithms and signature algorithms). Cryptographic hash functions play an important role in modern communications, finance, security computation, etc. The classical and important security properties of hash functions are collision resistance, second preimage resistance, and preimage resistance. The second preimage resistance and preimage resistance of six hash functions, MD4, Extended MD4, 3-pass HAVAL, SM3, DHA-256 and SShash, are analyzed in the thesis.
MD4 is a hash function designed by Ronald L. Rivest and published at CRYPTO 1990. The design philosophy of many important hash functions, such as MD5, SHA-1 and SHA-2, is rooted in MD4. Moreover, MD4 is still used in some contexts. We present a formula for computing the complexity of the meet-in-the-middle attack on MD4, propose the multi-neutral-word partial-fixing technique, and design an algorithm for computing the complexity automatically. With these new techniques we give an improved preimage attack on one-block MD4 with time complexity 2^95 MD4 compression function operations, as compared to the 2^107 complexity of the previous attack by Aoki et al. (SAC 2008). Extended MD4 is the 256-bit version of MD4. We also use similar techniques to improve the pseudo-preimage and preimage attacks on Extended MD4 by improvement factors of 2^(25.2) and 2^(12.6), respectively, as compared to the previous attacks by Sasaki et al. (ACISP 2009). These are the best preimage attacks on MD4 and Extended MD4. Preimage attacks on one-block hash functions are particularly interesting, as the attacker does not use the characteristics of the Merkle-Damgård construction and attacks the compression function directly.
HAVAL is a hash function proposed by Yuliang Zheng et al. at AUSCRYPT 1992, including 3-, 4- and 5-pass versions. We use a mix of techniques to improve the pseudo-preimage and preimage attacks on 3-pass HAVAL to complexities of 2^172 and 2^(209.6), respectively, as compared to the previous best known results of 2^192 and 2^225 by Sasaki et al. (ASIACRYPT 2008).
SM3 was published by the China State Cryptography Administration in December 2010. SM3 is a dedicated hash function with an output length of 256 bits and 64 steps of operations. We present a preimage attack on 30-step SM3, which is the first result that analyzes the preimage resistance of SM3.
DHA-256 (Double Hash Algorithm) was designed by Jesang Lee et al. and proposed at the Cryptographic Hash Workshop hosted by NIST in November 2005. DHA-256 is a dedicated hash function with an output length of 256 bits and 64 steps of operations. We show a preimage attack on 35-step DHA-256. We also show a one-block preimage attack on 27-step DHA-256. To the best of our knowledge, this is the first result that analyzes the preimage resistance of DHA-256.
SShash is a hash family proposed by Somitra Kumar Sanadhya et al. at ASIACCS 2009, including SShash-256 (64 steps) and SShash-512 (80 steps). We show pseudo-preimage and preimage attacks on 28-step SShash. As far as we know, this is the first result that investigates the security of the SShash hash family.
The preimage attacks in the thesis can be trivially turned into the corresponding second preimage attacks, as they can deal with the operations on the message, such as the message padding rule and appending the length of the original message.
References
[1] Aoki K, Sasaki Y. Preimage Attacks on One-Block MD4, 63-Step MD5 and More. In: Avanzi R, Keliher L, Sica F (eds.). Selected Areas in Cryptography 2008, volume 5381 of Lecture Notes in Computer Science. Springer, 2009. 103–119.
[2] Sasaki Y, Aoki K. Meet-in-the-Middle Preimage Attacks on Double-Branch Hash Functions: Application to RIPEMD and Others. In: Boyd C, Nieto J G (eds.). Australasian Conference on Information Security and Privacy (ACISP) 2009, volume 5594 of Lecture Notes in Computer Science. Springer, 2009. 214–231.
[3] Sasaki Y, Aoki K. Preimage Attacks on 3, 4, and 5-Pass HAVAL. In: Pieprzyk J (ed.). Advances in Cryptology – ASIACRYPT 2008, volume 5350 of Lecture Notes in Computer Science. Springer, 2008. 253–271.
[4] Diffie W, Hellman M E. New Directions in Cryptography. IEEE Transactions on Information Theory, 1976, IT-22(6): 644–654.
[5] Menezes A J, van Oorschot P C, Vanstone S A. Handbook of Applied Cryptography. CRC Press, 1997.
[6] Merkle R C. One Way Hash Functions and DES. In: Brassard G (ed.). Advances in Cryptology – CRYPTO 1989, volume 435 of Lecture Notes in Computer Science. Springer, 1990. 428–446.
[7] Damgård I. A Design Principle for Hash Functions. In: Brassard G (ed.). Advances in Cryptology – CRYPTO 1989, volume 435 of Lecture Notes in Computer Science. Springer, 1990. 416–427.
[8] Meyer C, Schilling M. Secure program load with modification detection code. Proceedings of the 5th Worldwide Congress on Computer and Communication Security and Protection – SECURICOM, volume 88. 111–130.
[9] Preneel B, Govaerts R, Vandewalle J. Hash Functions Based on Block Ciphers: A Synthetic Approach. In: Stinson D R (ed.). Advances in Cryptology – CRYPTO 1993, volume 773 of Lecture Notes in Computer Science. Springer, 1994. 368–378.
[10] Preneel B. Analysis and Design of Cryptographic Hash Functions [Doctoral Thesis]. Katholieke Universiteit Leuven, February 1993.
[11] Lai X, Knudsen L R. Attacks on Double Block Length Hash Functions. In: Anderson R J (ed.). Fast Software Encryption 1993, volume 809 of Lecture Notes in Computer Science. Springer, 1994. 157–165.
[12] Hohl W, Lai X, Meier T, et al. Security of Iterated Hash Functions Based on Block Ciphers. In: Stinson D R (ed.). Advances in Cryptology – CRYPTO 1993, volume 773 of Lecture Notes in Computer Science. Springer, 1994. 379–390.
[13] Knudsen L R, Lai X. New Attacks on all Double Block Length Hash Functions of Hash Rate 1, including the Parallel-DM. In: De Santis A (ed.). Advances in Cryptology – EUROCRYPT 1994, volume 950 of Lecture Notes in Computer Science. Springer, 1995. 410–418.
[14] Lai X, Massey J L. Hash Functions Based on Block Ciphers. In: Rueppel R A (ed.). Advances in Cryptology – EUROCRYPT 1992, volume 658 of Lecture Notes in Computer Science. Springer, 1993. 55–70.
[15] Lai X. On the Design and Security of Block Ciphers [Doctoral Thesis]. Swiss Federal Institute of Technology, 1992.
[16] Matyas S, Meyer C, Oseas J. Generating strong one-way functions with cryptographic algorithm. IBM Technical Disclosure Bulletin, 1985, 27(10A): 5658–5659.
[17] Winternitz R S. A Secure One-Way Hash Function Built from DES. Proceedings of the IEEE Symposium on Security and Privacy, 1984. 88–90.
[18] Rivest R L. The MD4 Message Digest Algorithm. In: Menezes A, Vanstone S A (eds.). Advances in Cryptology – CRYPTO 1990, volume 537 of Lecture Notes in Computer Science. Springer, 1991. 303–311.
[19] Rivest R. RFC 1321: The MD5 message-digest algorithm. RFC Editor, United States, 1992.
[20] Zheng Y, Pieprzyk J, Seberry J. HAVAL – A One-Way Hashing Algorithm with Variable Length of Output. In: Seberry J, Zheng Y (eds.). Advances in Cryptology – ASIACRYPT 1992, volume 718 of Lecture Notes in Computer Science. Springer, 1993. 83–104.
[21] RIPEMD. In: Bosselaers A, Preneel B (eds.). Integrity Primitives for Secure Information Systems, volume 1007 of Lecture Notes in Computer Science. Springer, 1995. 69–111.
[22] Dobbertin H, Bosselaers A, Preneel B. RIPEMD-160: A strengthened version of RIPEMD. In: Gollmann D (ed.). Fast Software Encryption, volume 1039 of Lecture Notes in Computer Science. Springer, 1996. 71–82.
[23] Secure Hash Standard. Federal Information Processing Standard Publication 180. US Department of Commerce, National Institute of Standards and Technology, 1993, 56: 57–71.
[24] Secure Hash Standard. Federal Information Processing Standards Publication 180-1. US Department of Commerce, National Institute of Standards and Technology, 1995, 131.
[25] Secure Hash Standard. Draft Federal Information Processing Standard Publication 180-4. US Department of Commerce, National Institute of Standards and Technology (NIST), 2011. http://csrc.nist.gov/publications/drafts/fips180-4/Draft-FIPS180-4_Feb2011.pdf.
[26] Bellare M, Goldreich O, Goldwasser S. Incremental Cryptography: The Case of Hashing and Signing. In: Desmedt Y (ed.). Advances in Cryptology – CRYPTO 1994, volume 839 of Lecture Notes in Computer Science. Springer, 1994. 216–233.
[27] Contini S, Lenstra A K, Steinfeld R. VSH, an Efficient and Provable Collision-Resistant Hash Function. In: Vaudenay S (ed.). Advances in Cryptology – EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science. Springer, 2006. 165–182.
[28] den Boer B, Bosselaers A. An Attack on the Last Two Rounds of MD4. In: Feigenbaum J (ed.). Advances in Cryptology – CRYPTO 1991, volume 576 of Lecture Notes in Computer Science. Springer, 1992. 194–203.
[29] Vaudenay S. On the Need for Multipermutations: Cryptanalysis of MD4 and SAFER. In: Preneel B (ed.). Fast Software Encryption 1994, volume 1008 of Lecture Notes in Computer Science. Springer, 1995. 286–297.
[30] Dobbertin H. Cryptanalysis of MD4. Journal of Cryptology, 1998, 11(4): 253–271.
[31] Berson T A. Differential Cryptanalysis Mod 2^32 with Applications to MD5. In: Rueppel R A (ed.). Advances in Cryptology – EUROCRYPT 1992, volume 658 of Lecture Notes in Computer Science. Springer, 1993. 71–80.
[32] den Boer B, Bosselaers A. Collisions for the Compression Function of MD5. In: Helleseth T (ed.). Advances in Cryptology – EUROCRYPT 1993, volume 765 of Lecture Notes in Computer Science. Springer, 1994. 293–304.
[33] Wang X, Feng D, Lai X, et al. Collisions for hash functions MD4, MD5, HAVAL-128 and RIPEMD. Short talk presented at CRYPTO 2004, volume 4.
[34] Wang X, Feng D, Lai X, et al. Collisions for Hash Functions MD4, MD5, HAVAL-128 and RIPEMD. Cryptology ePrint Archive, Report 2004/199, 2004. http://eprint.iacr.org/.
[35] Wang X, Lai X, Feng D, et al. Cryptanalysis of the Hash Functions MD4 and RIPEMD. In: Cramer R (ed.). Advances in Cryptology – EUROCRYPT 2005, volume 3494 of Lecture Notes in Computer Science. Springer, 2005. 1–18.
[36] Wang X, Yu H. How to Break MD5 and Other Hash Functions. In: Cramer R (ed.). Advances in Cryptology – EUROCRYPT 2005, volume 3494 of Lecture Notes in Computer Science. Springer, 2005. 19–35.
[37] Naito Y, Sasaki Y, Kunihiro N, et al. Improved Collision Attack on MD4 with Probability Almost 1. In: Won D, Kim S (eds.). Information Security and Cryptology – ICISC 2005, volume 3935 of Lecture Notes in Computer Science. Springer, 2006. 129–145.
[38] Liang J, Lai X. Improved collision attack on hash function MD5. Journal of Computer Science and Technology, 2007, 22(1): 79–87.
[39] Klima V. Tunnels in Hash Functions: MD5 Collisions Within a Minute. Cryptology ePrint Archive, Report 2006/105, 2006. http://eprint.iacr.org/.
[40] Sasaki Y, Wang L, Ohta K, et al. New Message Difference for MD4. In: Biryukov A (ed.). Fast Software Encryption 2007, volume 4593 of Lecture Notes in Computer Science. Springer, 2007. 329–348.
[41] Yu H, Wang X. Multi-collision Attack on the Compression Functions of MD4 and 3-Pass HAVAL. In: Nam K H, Rhee G (eds.). Information Security and Cryptology – ICISC 2007, volume 4817 of Lecture Notes in Computer Science. Springer, 2007. 206–226.
[42] Wang X, Feng D, Yu X. An attack on hash function HAVAL-128. Science in China Series F: Information Sciences, 2005, 48: 545–556. doi:10.1360/122004-107.
[43] Van Rompay B, Biryukov A, Preneel B, et al. Cryptanalysis of 3-Pass HAVAL. In: Laih C S (ed.). Advances in Cryptology – ASIACRYPT 2003, volume 2894 of Lecture Notes in Computer Science. Springer, 2003. 228–245.
[44] Yu H, Wang X, Yun A, et al. Cryptanalysis of the Full HAVAL with 4 and 5 Passes. In: Robshaw M J B (ed.). Fast Software Encryption 2006, volume 4047 of Lecture Notes in Computer Science. Springer, 2006. 89–110.
[45] Suzuki K, Kurosawa K. How to Find Many Collisions of 3-Pass HAVAL. In: Miyaji A, Kikuchi H, Rannenberg K (eds.). IWSEC 2007, volume 4752 of Lecture Notes in Computer Science. Springer, 2007. 428–443.
[46] Wang X. The Collision attack on SHA-0 (Chinese version), 1997.
[47] Wang X. The Improved Collision attack on SHA-0 (Chinese version), 1998.
[48] Chabaud F, Joux A. Differential Collisions in SHA-0. In: Krawczyk H (ed.). Advances in Cryptology – CRYPTO 1998, volume 1462 of Lecture Notes in Computer Science. Springer, 1998. 56–71.
[49] Biham E, Chen R. Near-Collisions of SHA-0. In: Franklin M K (ed.). Advances in Cryptology – CRYPTO 2004, volume 3152 of Lecture Notes in Computer Science. Springer, 2004. 290–305.
[50] Wang X, Yu H, Yin Y L. Efficient Collision Search Attacks on SHA-0. In: Shoup V (ed.). Advances in Cryptology – CRYPTO 2005, volume 3621 of Lecture Notes in Computer Science. Springer, 2005. 1–16.
[51] Rijmen V, Oswald E. Update on SHA-1. In: Menezes A (ed.). Topics in Cryptology – CT-RSA 2005, volume 3376 of Lecture Notes in Computer Science. Springer, 2005. 58–71.
[52] Biham E, Chen R, Joux A, et al. Collisions of SHA-0 and Reduced SHA-1. In: Cramer R (ed.). Advances in Cryptology – EUROCRYPT 2005, volume 3494 of Lecture Notes in Computer Science. Springer, 2005. 36–57.
[53] Wang X, Yin Y L, Yu H. Finding Collisions in the Full SHA-1. In: Shoup V (ed.). Advances in Cryptology – CRYPTO 2005, volume 3621 of Lecture Notes in Computer Science. Springer, 2005. 17–36.
[54] Indesteege S, Mendel F, Preneel B, et al. Collisions and Other Non-random Properties for Step-Reduced SHA-256. In: Avanzi R, Keliher L, Sica F (eds.). Selected Areas in Cryptography 2008, volume 5381 of Lecture Notes in Computer Science. Springer, 2009. 276–293.
[55] Sanadhya S K, Sarkar P. New Collision Attacks against Up to 24-Step SHA-2. In: Chowdhury D R, Rijmen V, Das A (eds.). Progress in Cryptology – INDOCRYPT 2008, volume 5365 of Lecture Notes in Computer Science. Springer, 2008. 91–103.
[56] Burr W E. NIST Comments on Cryptanalytic Attacks on SHA-1. http://csrc.nist.gov/groups/ST/hash/statement.html, 2006.
[57] Sönmez Turan M, Bassham L E, Burr W, Chang D, Chang S, Dworkin M J, Kelsey J M, Paul S, Peralta R. NIST Interagency Report 7764: Status Report on the Second Round of the SHA-3 Cryptographic Hash Algorithm Competition, February 2011. http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/Round2_Report_NISTIR_7764.pdf.
[58] Dobbertin H. The First Two Rounds of MD4 are Not One-Way. In: Vaudenay S (ed.). Fast Software Encryption 1998, volume 1372 of Lecture Notes in Computer Science. Springer, 1998. 284–292.
[59] Kuwakado H, Tanaka H. New algorithm for finding preimages in a reduced version of the MD4 compression function. IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, 2000, 83(1): 97–100.
[60] Yu H, Wang G, Zhang G, et al. The Second-Preimage Attack on MD4. In: Desmedt Y, Wang H, Mu Y, et al. (eds.). Cryptology and Network Security (CANS) 2005, volume 3810 of Lecture Notes in Computer Science. Springer, 2005. 1–12.
[61] Leurent G. MD4 is Not One-Way. In: Nyberg K (ed.). Fast Software Encryption 2008, volume 5086 of Lecture Notes in Computer Science. Springer, 2008. 412–428.
[62] De D, Kumarasubramanian A, Venkatesan R. Inversion attacks on secure hash functions using SAT solvers. In: Marques-Silva J, Sakallah K (eds.). Theory and Applications of Satisfiability Testing – SAT 2007, volume 4501 of Lecture Notes in Computer Science. Springer, 2007. 377–382.
[63] Dobbertin H. Cryptanalysis of MD4. In: Gollmann D (ed.). Fast Software Encryption 1996, volume 1039 of Lecture Notes in Computer Science. Springer, 1996. 53–69.
[64] Guo J, Ling S, Rechberger C, et al. Advanced Meet-in-the-Middle Preimage Attacks: First Results on Full Tiger, and Improved Results on MD4 and SHA-2. In: Abe M (ed.). Advances in Cryptology – ASIACRYPT 2010, volume 6477 of Lecture Notes in Computer Science. Springer, 2010. 56–75.
[65] Anderson R J, Biham E. TIGER: A Fast New Hash Function. In: Gollmann D (ed.). Fast Software Encryption 1996, volume 1039 of Lecture Notes in Computer Science. Springer, 1996. 89–97.
[66] Sasaki Y, Aoki K. Preimage Attacks on Step-Reduced MD5. In: Mu Y, Susilo W, Seberry J (eds.). Australasian Conference on Information Security and Privacy (ACISP) 2008, volume 5107 of Lecture Notes in Computer Science. Springer, 2008. 282–296.
[67] Aumasson J P, Meier W, Mendel F. Preimage Attacks on 3-Pass HAVAL and Step-Reduced MD5. In: Avanzi R, Keliher L, Sica F (eds.). Selected Areas in Cryptography 2008, volume 5381 of Lecture Notes in Computer Science. Springer, 2009. 120–135.
[68] Sasaki Y, Aoki K. Finding Preimages in Full MD5 Faster Than Exhaustive Search. In: Joux A (ed.). Advances in Cryptology – EUROCRYPT 2009, volume 5479 of Lecture Notes in Computer Science. Springer, 2009. 134–152.
[69] Lee E, Chang D, Kim J, et al. Second Preimage Attack on 3-Pass HAVAL and Partial Key-Recovery Attacks on HMAC/NMAC-3-Pass HAVAL. In: Nyberg K (ed.). Fast Software Encryption 2008, volume 5086 of Lecture Notes in Computer Science. Springer, 2008. 189–206.
[70] Wang G, Wang S. Second Preimage Attack on 5-Pass HAVAL and Partial Key-Recovery Attack on HMAC/NMAC-5-Pass HAVAL. In: Preneel B (ed.). Progress in Cryptology – AFRICACRYPT 2009, volume 5580 of Lecture Notes in Computer Science. Springer, 2009. 1–13.
[71] Sasaki Y. Meet-in-the-Middle Attacks Using Output Truncation in 3-Pass HAVAL. In: Samarati P, Yung M, Martinelli F, et al. (eds.). Information Security (ISC) 2009, volume 5735 of Lecture Notes in Computer Science. Springer, 2009. 79–94.
[72] Wang G, Wang S. Preimage attack on hash function RIPEMD. In: Bao F, Li H, Wang G (eds.). Information Security Practice and Experience, volume 5451 of Lecture Notes in Computer Science. Springer, 2009. 274–284.
[73] Ohtahara C, Sasaki Y, Shimoyama T. Preimage Attacks on Step-Reduced RIPEMD-128 and RIPEMD-160. In: Lai X, Yung M (eds.). Information Security and Cryptology (INSCRYPT) 2010. Springer, 2011. 11.
[74] Wang L, Sasaki Y, Komatsubara W, et al. (Second) Preimage Attacks on Step-Reduced RIPEMD/RIPEMD-128 with a New Local-Collision Approach. In: Kiayias A (ed.). Topics in Cryptology – CT-RSA 2011, volume 6558 of Lecture Notes in Computer Science. Springer, 2011. 197–212.
[75] De Cannière C, Rechberger C. Preimages for Reduced SHA-0 and SHA-1. In: Wagner D (ed.). Advances in Cryptology – CRYPTO 2008, volume 5157 of Lecture Notes in Computer Science. Springer, 2008. 179–202.
[76] Aoki K, Sasaki Y. Meet-in-the-Middle Preimage Attacks Against Reduced SHA-0 and SHA-1. In: Halevi S (ed.). Advances in Cryptology – CRYPTO 2009, volume 5677 of Lecture Notes in Computer Science. Springer, 2009. 70–89.
[77] Isobe T, Shibutani K. Preimage Attacks on Reduced Tiger and SHA-2. In: Dunkelman O (ed.). Fast Software Encryption 2009, volume 5665 of Lecture Notes in Computer Science. Springer, 2009. 139–155.
[78] Aoki K, Guo J, Matusiewicz K, et al. Preimages for Step-Reduced SHA-2. In: Matsui M (ed.). Advances in Cryptology – ASIACRYPT 2009, volume 5912 of Lecture Notes in Computer Science. Springer, 2009. 578–597.
[79] Khovratovich D, Nikolic I, Weinmann R P. Meet-in-the-Middle Attacks on SHA-3 Candidates. In: Dunkelman O (ed.). Fast Software Encryption 2009, volume 5665 of Lecture Notes in Computer Science. Springer, 2009. 228–245.
[80] Wang L, Sasaki Y. Finding Preimages of Tiger Up to 23 Steps. In: Hong S, Iwata T (eds.). Fast Software Encryption 2010, volume 6147 of Lecture Notes in Computer Science. Springer, 2010. 116–133.
[81] Sasaki Y. Meet-in-the-Middle Preimage Attacks on AES Hashing Modes and an Application to Whirlpool. In: Joux A (ed.). Fast Software Encryption 2011. Springer, 2011.
[82] Barreto P S L M, Rijmen V. The Whirlpool Hashing Function. Submitted to NESSIE, September 2000. Revised February 2011. Available: http://www.larc.usp.br/~pbarreto/WhirlpoolPage.html (2011/02/27).
[83] Hong D, Chang D, Sung J, et al. A New Dedicated 256-Bit Hash Function: FORK-256. In: Robshaw M J B (ed.). Fast Software Encryption 2006, volume 4047 of Lecture Notes in Computer Science. Springer, 2006. 195–209.
[84] Telecommunications Technology Association. Hash Function Standard Part 2: Hash Function Algorithm Standard, HAS-160. Technical report, 2000.
[85] Shin S U, Rhee K H, Ryu D H, et al. A New Hash Function Based on MDx-Family and Its Application to MAC. In: Imai H, Zheng Y (eds.). Public Key Cryptography 1998, volume 1431 of Lecture Notes in Computer Science. Springer, 1998. 234–246.
[86] Park N K, Hwang J H, Lee P J. HAS-V: A New Hash Function with Variable Output Length. In: Stinson D R, Tavares S E (eds.). Selected Areas in Cryptography 2000, volume 2012 of Lecture Notes in Computer Science. Springer, 2001. 202–216.
[87] Saarinen M J O. A Meet-in-the-Middle Collision Attack Against the New FORK-256. In: Srinathan K, Rangan C P, Yung M (eds.). Progress in Cryptology – INDOCRYPT 2007, volume 4859 of Lecture Notes in Computer Science. Springer, 2007. 10–17.
[88] Sasaki Y, Aoki K. A Preimage Attack for 52-Step HAS-160. In: Lee P J, Cheon J H (eds.). Information Security and Cryptology – ICISC 2008, volume 5461 of Lecture Notes in Computer Science. Springer, 2009. 302–317.
[89] Hong D, Koo B, Sasaki Y. Improved Preimage Attack for 68-Step HAS-160. In: Lee D, Hong S (eds.). Information, Security and Cryptology – ICISC 2009, volume 5984 of Lecture Notes in Computer Science. Springer, 2010. 332–348.
[90] Sasaki Y, Mendel F, Aoki K. Preimage Attacks against PKC98-Hash and HAS-V. In: Rhee K, Nyang D (eds.). Information, Security and Cryptology – ICISC 2010. Springer, 2011.
[91] Dean R D. Formal Aspects of Mobile Code Security [Doctoral Thesis]. Princeton University, January 1999.
[92] Kelsey J, Schneier B. Second Preimages on n-Bit Hash Functions for Much Less than 2^n Work. In: Cramer R (ed.). Advances in Cryptology – EUROCRYPT 2005, volume 3494 of Lecture Notes in Computer Science. Springer, 2005. 474–490.
[93] Joux A. Multicollisions in Iterated Hash Functions. Application to Cascaded Constructions. In: Franklin M K (ed.). Advances in Cryptology – CRYPTO 2004, volume 3152 of Lecture Notes in Computer Science. Springer, 2004. 306–316.
[94] Kelsey J, Kohno T. Herding Hash Functions and the Nostradamus Attack. In: Vaudenay S (ed.). Advances in Cryptology – EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science. Springer, 2006. 183–200.
[95] Daum M. Finding Differential Patterns for the Wang Attack. Presented at the Conference on Hash Functions hosted by the ECRYPT Network of Excellence, June 23–24, 2005, Przegorzaly.
[96] Daum M. Cryptanalysis of Hash Functions of the MD4-Family [Doctoral Thesis]. Ruhr University Bochum, May 2005.
[97] Schläffer M, Oswald E. Searching for Differential Paths in MD4. In: Robshaw M J B (ed.). Fast Software Encryption 2006, volume 4047 of Lecture Notes in Computer Science. Springer, 2006. 242–261.
[98] Fouque P A, Leurent G, Nguyen P. Automatic Search of Differential Path in MD4. Cryptology ePrint Archive, Report 2007/206, 2007. http://eprint.iacr.org/.
[99] Stevens M, Lenstra A K, de Weger B. Chosen-Prefix Collisions for MD5 and Colliding X.509 Certificates for Different Identities. In: Naor M (ed.). Advances in Cryptology – EUROCRYPT 2007, volume 4515 of Lecture Notes in Computer Science. Springer, 2007. 1–22.
[100] Sasaki Y, Naito Y, Yajima J, et al. How to Construct Sufficient Conditions for Hash Functions. In: Nguyen P Q (ed.). Progress in Cryptology – VIETCRYPT 2006, volume 4341 of Lecture Notes in Computer Science. Springer, 2006. 243–259.
[101] Yajima J, Sasaki Y, Naito Y, et al. A New Strategy for Finding a Differential Path of SHA-1. In: Pieprzyk J, Ghodosi H, Dawson E (eds.). Australasian Conference on Information Security and Privacy (ACISP) 2007, volume 4586 of Lecture Notes in Computer Science. Springer, 2007. 45–58.
[102] Leurent G. Message Freedom in MD4 and MD5 Collisions: Application to APOP. In: Biryukov A (ed.). Fast Software Encryption 2007, volume 4593 of Lecture Notes in Computer Science. Springer, 2007. 309–328.
[103] Sasaki Y, Wang L, Ohta K, et al. Security of MD5 Challenge and Response: Extension of APOP Password Recovery Attack. In: Malkin T (ed.). Topics in Cryptology – CT-RSA 2008, volume 4964 of Lecture Notes in Computer Science. Springer, 2008. 1–18.
[104] Wang L, Sasaki Y, Sakiyama K, et al. Bit-Free Collision: Application to APOP Attack. In: Takagi T, Mambo M (eds.). Advances in Information and Computer Security, volume 5824 of Lecture Notes in Computer Science. Springer, 2009. 3–21.
[105] Lenstra A K, de Weger B. On the Possibility of Constructing Meaningful Hash Collisions for Public Keys. In: Boyd C, Nieto J M G (eds.). Australasian Conference on Information Security and Privacy (ACISP) 2005, volume 3574 of Lecture Notes in Computer Science. Springer, 2005. 267–279.
[106] Stevens M, Sotirov A, Appelbaum J, et al. Short Chosen-Prefix Collisions for MD5 and the Creation of a Rogue CA Certificate. In: Halevi S (ed.). Advances in Cryptology – CRYPTO 2009, volume 5677 of Lecture Notes in Computer Science. Springer, 2009. 55–69.
[107] Gebhardt M, Illies G, Schindler W. A Note on Practical Value of Single Hash Collisions for Special File Formats. Presented at the NIST Cryptographic Hash Workshop, October 31 – November 1, 2005, Gaithersburg, Maryland, USA.
[108] Kim J, Biryukov A, Preneel B, et al. On the Security of HMAC and NMAC Based on HAVAL, MD4, MD5, SHA-0 and SHA-1 (Extended Abstract). In: De Prisco R, Yung M (eds.). Security and Cryptography for Networks, volume 4116 of Lecture Notes in Computer Science. Springer, 2006. 242–256.
[109] Contini S, Yin Y L. Forgery and Partial Key-Recovery Attacks on HMAC and NMAC Using Hash Collisions. In: Lai X, Chen K (eds.). Advances in Cryptology – ASIACRYPT 2006, volume 4284 of Lecture Notes in Computer Science. Springer, 2006. 37–53.
[110] Fouque P A, Leurent G, Nguyen P. Full Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5. In: Menezes A (ed.). Advances in Cryptology – CRYPTO 2007, volume 4622 of Lecture Notes in Computer Science. Springer, 2007. 13–30.
[111] Wang L, Ohta K, Kunihiro N. New Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5. In: Smart N (ed.). Advances in Cryptology – EUROCRYPT 2008, volume 4965 of Lecture Notes in Computer Science. Springer, 2008. 237–253.
[112] Wang X, Yu H, Wang W, et al. Cryptanalysis on HMAC/NMAC-MD5 and MD5-MAC. In: Joux A (ed.). Advances in Cryptology – EUROCRYPT 2009, volume 5479 of Lecture Notes in Computer Science. Springer, 2009. 121–133.
[113] Barreto P, Nikov V, Nikova S, et al. Whirlwind: a new cryptographic hash function. Designs, Codes and Cryptography, 2010, 56: 141–162.
[114] Preneel B. The First 30 Years of Cryptographic Hash Functions and the NIST SHA-3 Competition. Invited Talk. In: Pieprzyk J (ed.). Topics in Cryptology – CT-RSA 2010, volume 5985 of Lecture Notes in Computer Science. Springer, 2010. 1–14.
[115] Mendel F, Rechberger C, Schläffer M, et al. The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grøstl. In: Dunkelman O (ed.). Fast Software Encryption 2009, volume 5665 of Lecture Notes in Computer Science. Springer, 2009. 260–276.
[116] Matusiewicz K, Naya-Plasencia M, Nikolic I, et al. Rebound Attack on the Full Lane Compression Function. In: Matsui M (ed.). Advances in Cryptology – ASIACRYPT 2009, volume 5912 of Lecture Notes in Computer Science. Springer, 2009. 106–125.
[117] Lamberger M, Mendel F, Rechberger C, et al. Rebound Distinguishers: Results on the Full Whirlpool Compression Function. In: Matsui M (ed.). Advances in Cryptology – ASIACRYPT 2009, volume 5912 of Lecture Notes in Computer Science. Springer, 2009. 126–143.
[118] Mendel F, Rechberger C, Schläffer M, et al. Rebound Attacks on the Reduced Grøstl Hash Function. In: Pieprzyk J (ed.). Topics in Cryptology – CT-RSA 2010, volume 5985 of Lecture Notes in Computer Science. Springer, 2010. 350–365.
[119] Rijmen V, Toz D, Varici K. Rebound Attack on Reduced-Round Versions of JH. In: Hong S, Iwata T (eds.). Fast Software Encryption 2010, volume 6147 of Lecture Notes in Computer Science. Springer, 2010. 286–303.
[120] Gilbert H, Peyrin T. Super-Sbox Cryptanalysis: Improved Attacks for AES-Like Permutations. In: Hong S, Iwata T (eds.). Fast Software Encryption 2010, volume 6147 of Lecture Notes in Computer Science. Springer, 2010. 365–383.
[121] Sasaki Y, Li Y, Wang L, et al. Non-full-active Super-Sbox Analysis: Applications to ECHO and Grøstl. In: Abe M (ed.). Advances in Cryptology – ASIACRYPT 2010, volume 6477 of Lecture Notes in Computer Science. Springer, 2010. 38–55.
[122] Khovratovich D, Nikolic I, Rechberger C. Rotational Rebound Attacks on Reduced Skein. In: Abe M (ed.). Advances in Cryptology – ASIACRYPT 2010, volume 6477 of Lecture Notes in Computer Science. Springer, 2010. 1–19.
[123] State Cryptography Administration. SM3 Cryptographic Hash Algorithm. http://www.oscca.gov.cn/UpFile/20101222141857786.pdf, 2010.
[124] Lee J, Chang D, Kim H, et al. A New 256-bit Hash Function DHA-256 – Enhancing the Security of SHA-256. Presented at the NIST Cryptographic Hash Workshop, October 31 – November 1, 2005, Gaithersburg, Maryland, USA.
[125] Sanadhya S K, Sarkar P. A new hash family obtained by modifying the SHA-2 family. Proceedings of the 4th International Symposium on Information, Computer, and Communications Security. ACM, 2009. 353–363.
[126] Sanadhya S K. A Study of the SHA-2 Cryptographic Hash Family [Doctoral Thesis]. Indian Statistical Institute, February 2009.
[127] Khovratovich D, Rechberger C, Savelieva A. Bicliques for Preimages: Attacks on Skein-512 and the SHA-2 family. Cryptology ePrint Archive, Report 2011/286, 2011. http://eprint.iacr.org/.
[128] IAIK Krypto Group. Preliminary Analysis of DHA-256. Cryptology ePrint Archive, Report 2005/398, 2005. http://eprint.iacr.org/.
[129] Hong D, Koo B, Kim W H, et al. Preimage Attacks on Reduced Steps of ARIRANG and PKC98-Hash. In: Lee D, Hong S (eds.). Information, Security and Cryptology – ICISC 2009, volume 5984 of Lecture Notes in Computer Science. Springer, 2010. 315–331.
[130] NIST SHA-3 Competition. http://csrc.nist.gov/groups/ST/hash/.
