Second Preimages on n-Bit Hash Functions for Much Less than 2 n Work

Kelsey, John; Schneier, Bruce

doi:10.1007/11426639_28

Cited by 245 publications

(276 citation statements)

References 19 publications

Supporting

Mentioning

271

Contrasting

Unclassified

Order By: Relevance

“…For example, a different type of message expansion which would be interesting to examine can use linear mixing of the message blocks, instead of pure repetition of the message blocks. Other research directions are to find other countermeasures against the Joux multicollision attack such as the scheme suggested by Lucks [9], or finding additional uses of multicollisions as building blocks in more general attacks as in [5], [7] and [8].…”

Section: Discussionmentioning

confidence: 99%

Breaking the ICE – Finding Multicollisions in Iterated Concatenated and Expanded (ICE) Hash Functions

Hoch

Shamir

2006

Fast Software Encryption

View full text Add to dashboard Cite

Abstract. The security of hash functions has recently become one of the hottest topics in the design and analysis of cryptographic primitives. Since almost all the hash functions used today (including the MD and SHA families) have an iterated design, it is important to study the general security properties of such functions. At Crypto 2004 Joux showed that in any iterated hash function it is relatively easy to find exponential sized multicollisions, and thus the concatenation of several hash functions does not increase their security. However, in his proof it was essential that each message block is used at most once. In 2005 Nandi and Stinson extended the technique to handle iterated hash functions in which each message block is used at most twice. In this paper we consider the general case and prove that even if we allow each iterated hash function to scan the input multiple times in an arbitrary expanded order, their concatenation is not stronger than a single function. Finally, we extend the result to tree-based hash functions with arbitrary tree structures.

show abstract

Section: Discussionmentioning

confidence: 99%

Breaking the ICE – Finding Multicollisions in Iterated Concatenated and Expanded (ICE) Hash Functions

Hoch

Shamir

2006

Fast Software Encryption

View full text Add to dashboard Cite

show abstract

“…The best known generic algorithm for finding second preimages for any MerkleDamgård construction of hash functions is due to Kelsey and Schneier [3]. The algorithm needs to undergo a slight adaptation in order to be applied to the special structure of Hamsi-256 (see [2]).…”

Section: Second Preimages For Longer Messages Of Hamsi-256mentioning

confidence: 99%

“…3. Use the Kelsey and Schneier [3] algorithm to generate a (p, q) expandable message for p = 4 · 5 = 20 and q = 4 · 5 + 2 5 − 1 = 51. 4.…”

Section: E Appendix: Details Of the Improved Short Messagementioning

confidence: 99%

An Improved Algebraic Attack on Hamsi-256

Dinur

Shamir

2011

Fast Software Encryption

View full text Add to dashboard Cite

Abstract. Hamsi is one of the 14 second-stage candidates in NIST's SHA-3 competition. The only previous attack on this hash function was a very marginal attack on its 256-bit version published by Thomas Fuhr at Asiacrypt 2010, which is better than generic attacks only for very short messages of fewer than 100 32-bit blocks, and is only 26 times faster than a straightforward exhaustive search attack. In this paper we describe a different algebraic attack which is less marginal: It is better than the best known generic attack for all practical message sizes (up to 4 gigabytes), and it outperforms exhaustive search by a factor of at least 512. The attack is based on the observation that in order to discard a possible second preimage, it suffices to show that one of its hashed output bits is wrong. Since the output bits of the compression function of Hamsi-256 can be described by low degree polynomials, it is actually faster to compute a small number of output bits by a fast polynomial evaluation technique rather than via the official algorithm.

show abstract

“…Moreover the techniques can be applied to explore the second-preimage of MD4 [12], forgery and partial key-recovery attacks on HMAC and NMAC [3,4]. Kelsey and Schneier [5] provided a second preimage attack on the iterated hash functions with Merkle-Damgård strengthening, which shows a vulnerability of the Merkle-Damgård construction. Responding to advances in the cryptanalysis of hash functions, NIST held two hash workshops to evaluate the security of its approved hash functions and to solicit public comments on its cryptographic hash function policy and standard.…”

Section: Introductionmentioning

confidence: 99%

Pseudo-Cryptanalysis of Luffa

Jia

Desmedt

Han

et al. 2011

Information Security and Cryptology

View full text Add to dashboard Cite

Abstract. In this paper, we present the pseudo-collision, pseudo-second-preimage and pseudo-preimage attacks on the SHA-3 candidate algorithm Luffa. The pseudocollisions and pseudo-second-preimages can be found easily by computing the inverse of the message injection function at the beginning of Luffa. We explain in details the pseudo-preimage attacks. For Luffa-224/256, given the hash value, only 2 iteration computations are needed to get a pseudo-preimage. For Luffa-384, finding a pseudo-preimage needs about 2 64 iteration computations with 2 67 bytes memory by the extended generalized birthday attack. For Luffa-512, the complexity is 2 128 iteration computations with 2 132 bytes memory. It is noted that, we can find the pseudo-collision pairs and the pseudo-second images only changing a few different bits of initial values. That is directly converted to the forgery attack on NMAC in related key cases.

show abstract

Second Preimages on n-Bit Hash Functions for Much Less than 2 n Work

Cited by 245 publications

References 19 publications

Breaking the ICE – Finding Multicollisions in Iterated Concatenated and Expanded (ICE) Hash Functions

Breaking the ICE – Finding Multicollisions in Iterated Concatenated and Expanded (ICE) Hash Functions

An Improved Algebraic Attack on Hamsi-256

Pseudo-Cryptanalysis of Luffa

Contact Info

Product

Resources

About