{"title":"SHA1压缩函数的差分故障分析","authors":"Ludger Hemme, Lars Hoffmann","doi":"10.1109/FDTC.2011.16","DOIUrl":null,"url":null,"abstract":"In FDTC 2009, Li et al. published a DFA attack [20] against the symmetric block cipher SHACAL1 [11]. This block cipher substantially consists of the compression function of the hash function SHA1 [16] except for the final addition operation. When using the SHA1 compression function as a primitive in a keyed hash function like HMAC-SHA1 [17] or in a key derivation function it might be of some interest if the attack of Li et al. also applies to the SHA1 compression function. However, the final addition operation turns out to completely prevent this direct application. In this paper we extend the attack of Li et al. in order to overcome the problem of the final addition and to extract the secret inputs of the SHA1 compression function by analysing faulty outputs. Our implementation of the new attack needs about 1000 faulty outputs and a computation time of three hours on a normal PC to fully extract the secret inputs with high probability.","PeriodicalId":150423,"journal":{"name":"2011 Workshop on Fault Diagnosis and Tolerance in Cryptography","volume":null,"pages":null},"PeriodicalIF":0.0000,"publicationDate":"2011-09-29","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"37","resultStr":"{\"title\":\"Differential Fault Analysis on the SHA1 Compression Function\",\"authors\":\"Ludger Hemme, Lars Hoffmann\",\"doi\":\"10.1109/FDTC.2011.16\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"In FDTC 2009, Li et al. published a DFA attack [20] against the symmetric block cipher SHACAL1 [11]. This block cipher substantially consists of the compression function of the hash function SHA1 [16] except for the final addition operation. When using the SHA1 compression function as a primitive in a keyed hash function like HMAC-SHA1 [17] or in a key derivation function it might be of some interest if the attack of Li et al. also applies to the SHA1 compression function. However, the final addition operation turns out to completely prevent this direct application. In this paper we extend the attack of Li et al. in order to overcome the problem of the final addition and to extract the secret inputs of the SHA1 compression function by analysing faulty outputs. Our implementation of the new attack needs about 1000 faulty outputs and a computation time of three hours on a normal PC to fully extract the secret inputs with high probability.\",\"PeriodicalId\":150423,\"journal\":{\"name\":\"2011 Workshop on Fault Diagnosis and Tolerance in Cryptography\",\"volume\":null,\"pages\":null},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2011-09-29\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"37\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2011 Workshop on Fault Diagnosis and Tolerance in Cryptography\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/FDTC.2011.16\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2011 Workshop on Fault Diagnosis and Tolerance in Cryptography","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/FDTC.2011.16","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Differential Fault Analysis on the SHA1 Compression Function
In FDTC 2009, Li et al. published a DFA attack [20] against the symmetric block cipher SHACAL1 [11]. This block cipher substantially consists of the compression function of the hash function SHA1 [16] except for the final addition operation. When using the SHA1 compression function as a primitive in a keyed hash function like HMAC-SHA1 [17] or in a key derivation function it might be of some interest if the attack of Li et al. also applies to the SHA1 compression function. However, the final addition operation turns out to completely prevent this direct application. In this paper we extend the attack of Li et al. in order to overcome the problem of the final addition and to extract the secret inputs of the SHA1 compression function by analysing faulty outputs. Our implementation of the new attack needs about 1000 faulty outputs and a computation time of three hours on a normal PC to fully extract the secret inputs with high probability.
求助内容:
应助结果提醒方式:
京公网安备 11010802042870号
