What is the difference between a multi-collision in a hash function and a first or second preimage?
First preimage attacks: given a hash h, find a message m such that
hash(m) = h.
Second preimage attacks: given a fixed message m1, find a different message m2 such that
hash(m2) = hash(m1).
Multi-collision attacks: generate a series of messages m1, m2, ... mN, such that
hash(m1) = hash(m2) = ... = hash(mN).
Wikipedia tells us that a preimage attack differs from a collision attack in that there is a fixed hash or message that is being attacked.
I am confused by papers which make statements like:
"The techniques are not only efficient to search for collisions, but also applicable to explore the second-preimage of MD4. About the second-preimage attack, they showed that a random message was a weak message with probability 2^–122 and it only needed a one-time MD4 computation to find the second-preimage corresponding to the weak message."
The Second-Preimage Attack on MD4
If I understand correctly, what the authors seem to be saying is that they have developed a multi-collision attack which encompasses a large enough set of messages that, given a random message, there is a significant though extremely small chance it will overlap with one of their multi-collisions.
I have seen similar arguments in many papers. My question is: when does an attack stop being a multi-collision attack and become a second preimage attack?
If a multi-collision collides with 2^300 other messages does that count as a second preimage, since the multi-collision could be used to calculate the "pre-image" of one of the messages it collides with? Where is the dividing line, 2^60, 2^100, 2^1000?
What if you can generate a preimage of all hash digests that begin with 23? Certainly it doesn't meet the strict definition of a preimage, but it is also very certainly a serious flaw in the cryptographic hash function.
If someone has a large multi-collision, then they could always recover the image of any message whose hash collided with the multi-collision. For instance,
hash(m1) = hash(m2) = hash(m3) = h
Someone requests the preimage of h, and they respond with m2. When does this stop being silly and become a real attack?
Rules of thumb? Know of any good resources on evaluating hash function attacks?
Comments (2)
You did a lot of research before posting the question. I cannot answer much aside from the resources question. Which is: I use Applied Cryptography by Menezes/Oorschot for almost everything I ever wanted to know on topics of cryptography, including hashes.
Maybe you'll find a copy at your university's library. Good luck.
It is about an attack scenario. The difference lies in the choice of input. In multi-collision there is free choice of both inputs. 2nd preimage is about finding any second input which has the same output as any specified input.
When a function doesn't have multi-collision resistance, it may be possible to find collisions for some kinds of messages - not all of them. So this doesn't imply 2nd preimage weakness.
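The free-choice versus fixed-target distinction discussed in this thread, as an added example that is not part of the original posts: it compares the work needed for a 3-way multi-collision with the work needed for a second preimage of a fixed message, and counts how often an independently chosen target lands on the multi-collision's digest. The toy hash (SHA-256 truncated to 16 bits), the message formats and all function names are assumptions chosen so the searches finish quickly.

```python
import hashlib
from collections import defaultdict

BITS = 16  # assumed toy digest size; real hashes use 128 bits or more

def toy_hash(msg: bytes) -> int:
    """SHA-256 truncated to BITS bits, standing in for a weak hash."""
    return int.from_bytes(hashlib.sha256(msg).digest()[:4], "big") >> (32 - BITS)

def find_multicollision(n: int):
    """Free choice of every input: hash counters until one digest holds n messages."""
    buckets = defaultdict(list)
    tries = 0
    while True:
        m = b"free-%d" % tries
        tries += 1
        h = toy_hash(m)
        buckets[h].append(m)
        if len(buckets[h]) == n:
            return h, buckets[h], tries

def find_second_preimage(m1: bytes):
    """Fixed target: m1 is given, search for a different m2 with the same digest."""
    target = toy_hash(m1)
    tries = 0
    while True:
        m2 = b"try-%d" % tries
        tries += 1
        if m2 != m1 and toy_hash(m2) == target:
            return m2, tries

def covered_targets(digest: int, trials: int) -> int:
    """Count constructed 'victim' messages whose digest equals the multi-collision digest."""
    return sum(toy_hash(b"victim-%d" % j) == digest for j in range(trials))

if __name__ == "__main__":
    h, msgs, cost_mc = find_multicollision(3)
    print("3-way multi-collision on digest %#06x after %d hashes" % (h, cost_mc))
    m1 = b"fixed message chosen by someone else"  # constructed sample target
    m2, cost_sp = find_second_preimage(m1)
    print("second preimage %r after %d hashes" % (m2, cost_sp))
    # The multi-collision only helps against targets that already hash to h,
    # which an independent message does with probability 2**-BITS.
    print("victims covered by the multi-collision:",
          covered_targets(h, 1000), "of 1000")
```

With a birthday-style search the multi-collision typically costs a few thousand hashes here, while the second preimage costs on the order of 2^16, and the colliding set is useful against a given target only if that target's digest already equals the set's digest.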