Trends in Collision-Search Attacks on Hash Functions

  • 성수학 (Department of Computer Information Mathematics, Pai Chai University)
  • Published: 2006.08.01


Since 2004, Professor Wang and colleagues in China have used differential attacks to find collision pairs for the representative hash functions MD4, MD5, RIPEMD, HAVAL and SHA-0. Although they have not yet found a collision pair for SHA-1, they have shown theoretically that SHA-1 collisions can be found faster than by a birthday attack, and they have found concrete collision pairs for 58-step SHA-1 (the full SHA-1 has 80 steps). This paper surveys the differential attack method developed by Wang et al.
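The abstract measures Wang et al.'s result against the generic birthday attack, the baseline any dedicated collision attack must beat. The following added example (not code from the paper) runs a birthday collision search against SHA-1 truncated to a small number of output bits and compares the observed work against the expected sqrt(pi/2 * 2^n) hash evaluations; the truncation widths and the message prefix are constructed for the demonstration.

```python
import hashlib
import math
from itertools import count

def truncated_sha1(msg: bytes, bits: int) -> int:
    """SHA-1 digest reduced to its first `bits` bits.

    Truncation is a demonstration device only: the generic birthday bound
    depends on the output length n, so shrinking n makes the search feasible
    in seconds while the analysis stays the same.
    """
    digest = int.from_bytes(hashlib.sha1(msg).digest(), "big")
    return digest >> (160 - bits)

def expected_trials(bits: int) -> float:
    """Expected number of hash evaluations before a birthday collision on an
    n-bit output, sqrt(pi/2 * 2^n); for full SHA-1 (n = 160) this is ~2^80."""
    return math.sqrt(math.pi / 2 * 2 ** bits)

def birthday_collision(bits: int, prefix: bytes = b"msg-") -> tuple[bytes, bytes, int]:
    """Generic birthday search: hash distinct messages (constructed as prefix
    plus a counter) until two of them share the truncated digest.

    Returns (message_a, message_b, hashes_computed). Nothing about SHA-1's
    internal structure is used; this is the bound Wang et al. improve on."""
    seen: dict[int, bytes] = {}
    for i in count():
        m = prefix + str(i).encode()
        h = truncated_sha1(m, bits)
        if h in seen:
            return seen[h], m, i + 1
        seen[h] = m

if __name__ == "__main__":
    for bits in (16, 24, 32):
        a, b, trials = birthday_collision(bits)
        assert a != b and truncated_sha1(a, bits) == truncated_sha1(b, bits)
        print(f"{bits:2d}-bit truncation: collision after {trials:7d} hashes "
              f"(expected ~{expected_trials(bits):9.0f}): {a!r} vs {b!r}")
```

Each run reports the actual trial count next to the sqrt(pi/2 * 2^n) expectation; doubling the output width by 8 bits multiplies the generic cost by 16, which is why a structural attack on the compression function, not more computing power, was needed to threaten the full 160-bit SHA-1.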


