[Cryptography] Cryptanalyzing a whole-message cipher and a double-tree hash function
Jacob Christian Munch-Andersen
nohat at nohatcoder.dk
Tue Dec 26 05:41:39 EST 2023
On Mon, Dec 25, 2023, at 10:54 AM, Pierre Abbat wrote:
> I've invented a cipher and a hash function and am trying to cryptanalyze them.
>
For the hash function it is mostly about getting the difference of two blocks that you want to collide to be chopped off at the end of `round_compress`. Parts of this can be secured with a calculated setup, but hitting the same value of `acc` is mostly luck. Trying many blocks at once that have all been set up to possibly shift the difference off in the first round will accelerate the collision generation, and with that trick it might end up taking a bit less than 2^64 tries.
Overall, this is a very poor construction stuffed with beginner mistakes and plenty of cargo cult. It mostly operates on single bytes, making poor use of modern CPUs. It utilizes loads of operations that are cryptographically simple, yet take a lot of CPU time, like `rot_bitcount`: it is just a rotation, but you manage to call modulo with a variable divider twice per byte processed. The way `compress` removes 4 bytes per iteration means that you end up calling all this slow code a lot of times. Yet one can plausibly generate a collision within the first iteration, thus bypassing most of the computation.
Regards
Jacob Christian Munch-Andersen