2007 Reports : Cryptology ePrint Archive Forum

**Re: 2007/476: Dynamic SHA has weak expansion ME2**

Discussion forum for Cryptology ePrint Archive reports posted in 2007.
Please put the report number in the subject.

2007/476: Dynamic SHA has weak expansion ME2

Posted by: **Vlastimil Klima** (IP Logged)

Date: 26 December 2007 10:09

2007/476: Dynamic SHA has weak expansion ME2

Note that the expansion ME2 is weak.

(i) Dynamic SHA-224/256:

For every message block M = M[0], ..., M[15], where (M[0] xor M[1] ... xor M[7] = 0xfedcba98) and (M[8] xor M[9] ... xor M[15] = 0x76543210), the expansion ME2(M) "expands" M to 16 32-bit zero words.

(ii) Dynamic SHA-384/512:

For every message block M = M[0], ..., M[15], where M[0] xor M[1] ... xor M[15] = 0x76543210fedcba98, the expansion ME2(M) "expands" M to 16 64-bit zero words.

Vlastimil Klima
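The two conditions above describe a linear (XOR) coset of the message space. The script below is an added illustration, not code from the ePrint report or from either poster: it builds blocks that lie in Klima's class, checks membership, shows that pairs of such blocks differ freely (so their ME2 outputs, per the post, are identical), and counts how many message bits stay under the attacker's control. ME2 itself is not defined anywhere on this page, so it is deliberately not implemented; the names `weak_block_256`, `sibling_256`, `free_bits` and the constructed inputs are this example's own.

```python
"""
Membership, generation and counting for the ME2 input class described by
Vlastimil Klima.  Added example; ME2 is not reproduced here because the
thread does not give its definition, only the condition on its input.

  Dynamic SHA-224/256 : XOR(M[0..7]) = 0xfedcba98, XOR(M[8..15]) = 0x76543210
  Dynamic SHA-384/512 : XOR(M[0..15]) = 0x76543210fedcba98
"""
import os
from functools import reduce
from operator import xor

# Constants exactly as quoted in the post.
C256_LO = 0xFEDCBA98           # required XOR of M[0..7]   (32-bit words)
C256_HI = 0x76543210           # required XOR of M[8..15]  (32-bit words)
C512 = 0x76543210FEDCBA98      # required XOR of M[0..15]  (64-bit words)


def xor_all(words):
    return reduce(xor, words, 0)


def in_weak_class_256(M):
    """True if a 16-word (32-bit) block meets condition (i)."""
    assert len(M) == 16 and all(0 <= w < 2**32 for w in M)
    return xor_all(M[:8]) == C256_LO and xor_all(M[8:]) == C256_HI


def in_weak_class_512(M):
    """True if a 16-word (64-bit) block meets condition (ii)."""
    assert len(M) == 16 and all(0 <= w < 2**64 for w in M)
    return xor_all(M) == C512


def random_words(n, bits):
    return [int.from_bytes(os.urandom(bits // 8), "big") for _ in range(n)]


def weak_block_256(free=None):
    """Choose 14 words freely (random if not given); M[7] and M[15] are forced."""
    if free is None:
        free = random_words(14, 32)
    assert len(free) == 14
    first, second = list(free[:7]), list(free[7:])
    first.append(xor_all(first) ^ C256_LO)     # fixes XOR of first half
    second.append(xor_all(second) ^ C256_HI)   # fixes XOR of second half
    return first + second


def weak_block_512(free=None):
    """Choose 15 words freely; M[15] is forced by the single XOR constraint."""
    if free is None:
        free = random_words(15, 64)
    assert len(free) == 15
    M = list(free)
    M.append(xor_all(M) ^ C512)
    return M


def sibling_256(M, i, j, delta):
    """XOR the same delta into two words of the same half: the block stays in
    the class, so (per the post) ME2 maps both blocks to the same 16 zero words.
    This is what a 'collision for ME2' looks like."""
    assert (i < 8) == (j < 8) and i != j and 0 < delta < 2**32
    N = list(M)
    N[i] ^= delta
    N[j] ^= delta
    return N


def free_bits(variant):
    """Message-block bits still chosen freely inside the weak class."""
    if variant == 256:
        return 16 * 32 - 2 * 32    # two 32-bit XOR constraints
    if variant == 512:
        return 16 * 64 - 64        # one 64-bit XOR constraint
    raise ValueError(variant)


def constants_consistent():
    """The 64-bit constant of (ii) is the two 32-bit constants of (i) concatenated."""
    return (C256_HI << 32) | C256_LO == C512


if __name__ == "__main__":
    M = weak_block_256()
    print("256-bit variant block:", [f"{w:08x}" for w in M], in_weak_class_256(M))
    print("sibling also in class:", in_weak_class_256(sibling_256(M, 0, 3, 0xDEADBEEF)))
    M = weak_block_512()
    print("512-bit variant block:", [f"{w:016x}" for w in M], in_weak_class_512(M))
    print("free bits:", free_bits(256), free_bits(512), "constants consistent:", constants_consistent())
```

The point the script makes concrete is the size of the class: only 64 bits of a 512-bit (or 1024-bit) block are constrained, so an attacker restricting a search to it still controls 448 or 960 bits, and any two members differing in the free positions are an input collision for ME2.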


Posted by: **xuzijie** (IP Logged)

Date: 28 December 2007 10:12

When I wrote the paper, I knew this.

1. I got the idea in September and completed it in October. I had not thought over everything.

2. Even if we can find a "collision" for ME2, the system still has the functions G and R. Our target is the final hash value. When we get a "collision" for ME2, the difference in {M[0], ..., M[31]} will change the final hash value.

3. If we design a "hard" ME2, the workload of the system will be increased.

4. Give me some time.

The functions G, R and ME2 divide the message space into many parts. In different parts, the hash value is calculated with a different formula. The "collisions" will be divided into different parts too, so in one part there are fewer "collisions". If someone chooses a part, it is harder to find a "collision".

(My English is not good; I hope you understand what I mean. Thank you for your suggestion.)


Posted by: **Vlastimil Klima** (IP Logged)

Date: 28 December 2007 15:16

The main questions are, IF you NEED variables W32,..., W47 and WHY?

(i) If you don't need W32, ..., W47:

Easily you can set directly W32 = ... = W47 = 0 without calculating ME2 and your algorithm will be faster (in Table 6 you can avoid using W32 = ... = W47 = 0 from calculations in step 3).

(ii) If you really need W32, ..., W47:

You can (for instance) redesign ME2 with the same complexity and speed, but cryptographically stronger. But, you should know WHY. Then you would better know HOW.

IMHO, it isn't easy to answer those questions.

Vlastimil Klima


Posted by: **xuzijie** (IP Logged)

Date: 29 December 2007 15:40

Hi.

The reason I need ME2 is that I want to bring in a real nonlinear function whose ANFs have many monomials. Someone may think that functions like ME1 are nonlinear functions, but I do not think so; a bijection is not dependable. And in the paper, equations (2) keep the size of equations (3) and (4), and equations (2) are a restriction on the solutions of equations (3) and (4). Finally, the message expansion is an element that we can use to divide the message space. Why not use a "dynamic function" to divide the message space?

I need a partner. I welcome anyone to join me. ^_^
