## Second Preimage Attacks on Dithered Hash Functions


Citations: 9 (1 self-citation)

### BibTeX

```bibtex
@MISC{Andreeva_secondpreimage,
  author = {Elena Andreeva and Charles Bouillaguet and Pierre-alain Fouque and Jonathan J. Hoch and John Kelsey and Adi Shamir and Sebastien Zimmer},
  title  = {Second Preimage Attacks on Dithered Hash Functions},
  year   = {}
}
```

### Abstract

We develop a new generic long-message second preimage attack, based on combining the techniques in the second preimage attacks of Dean [8] and Kelsey and Schneier [16] with the herding attack of Kelsey and Kohno [15]. We show that these generic attacks apply to hash functions using the Merkle-Damgård construction with only slightly more work than the previously known attack, but allow enormously more control of the contents of the second preimage found. Additionally, we show that our new attack applies to several hash function constructions which are not vulnerable to the previously known attack, including the dithered hash proposal of Rivest [25], Shoup's UOWHF [26] and the ROX hash construction [2]. We analyze the properties of the dithering sequence used in [25], and develop a time-memory tradeoff which allows us to apply our second preimage attack to a wide range of dithering sequences, including sequences which are much stronger than those in Rivest's proposals. Finally, we show that both the existing second preimage attacks [8,16] and our new attack can be applied even more efficiently to multiple target messages; in general, given a set of many target messages with a total of 2^R message blocks, these second preimage attacks can find a second preimage for one of those target messages with no more work than would be necessary to find a second preimage for a single target message of 2^R message blocks.

### Citations

Each entry lists the cited work, the number of citations it has received, and the context in which this paper cites it.

- Feller. An introduction to probability theory and its applications, Vol. II, 2nd ed. 1971. (2365 citations)
  Context: "...ding at h_i. Since the number of leaves in each tree is O(2^{(n−k)/2}) and they are labelled by only 2^{n−k} possible values, we expect by the birthday paradox to find a common chaining value among the two set..." Footnote 3: "We call it a kite generator since we use it to generate kites of the form shown in Fig. 3 (A Kite)." Footnote 4: "See [10] for a formal justification of this claim."

- Damgård. A design principle for hash functions. 1989. (321 citations)
  Context: "...i compute h_i = F(h_{i−1}, x_i). – Output H^F(M) = h_r. The padding is usually done by appending a single '1' bit followed by as many '0' bits as needed to complete an m-bit block. Merkle [21] and Damgård [7] independently proved in 1989 that making the binary encoding of the message length part of the padding improves the security of the construction: with this so-called strengthening, the scheme is prove..."

- Merkle. One way hash functions and DES. 1989. (192 citations)
  Context: "...ch message block i compute h_i = F(h_{i−1}, x_i). – Output H^F(M) = h_r. The padding is usually done by appending a single '1' bit followed by as many '0' bits as needed to complete an m-bit block. Merkle [21] and Damgård [7] independently proved in 1989 that making the binary encoding of the message length part of the padding improves the security of the construction: with this so-called strengthening, the..."

- Hellman. A Cryptanalytic Time-Memory Trade-off. 1980. (143 citations)
  Context: "...exity too high. To bypass this difficulty, we will use the classic time-memory tradeoff of Hellman tables. Hellman's TMTO attack. Time/memory Tradeoffs (TMTO) were first introduced in 1980 by Hellman [11]. The idea is to improve brute force attacks by trading time for memory when inverting a function f : {0,1}^n → {0,1}^n. Suppose we have an image element y and wish to find a pre-image x ∈ f^{−1}(y). ..."

- Joux. Multicollisions in Iterated Hash Functions. Application to Cascaded Constructions. 2004. (107 citations)
  Context: "... applications of hash functions fail when collisions can be found. Second, efficiently found collisions permit additional attacks on hash functions using the Merkle-Damgård construction, as in Joux's [13] multicollision attack on cascade hashes, and the long-message second preimage attacks of Dean [8] and Kelsey and Schneier [16]. After Kelsey and Schneier published their attack, several researchers p..."

- Dean. Formal Aspects of Mobile Code Security. 1999. (52 citations)
  Context: "...tute of Standards and Technology, john.kelsey@nist.gov. Abstract. We develop a new generic long-message second preimage attack, based on combining the techniques in the second preimage attacks of Dean [8] and Kelsey and Schneier [16] with the herding attack of Kelsey and Kohno [15]. We show that these generic attacks apply to hash functions using the Merkle-Damgård construction with only slightly more..."

- Shoup. A composition theorem for universal one-way hash functions. 2000. (47 citations)
  Context: "...iolates the Target Collision Resistance (TCR) of H, that is if she generates a message M′ different from M that collides with M for the key K (i.e., such that H_K(M) = H_K(M′) with M ≠ M′). Shoup [26] proposed a simple construction for a UOWHF that hashes messages of arbitrary size, given a UOWHF that hashes messages of fixed size. It is a Merkle-Damgård-like mode of operation, but before every it..."

- Klima. Tunnels in hash functions: MD5 collisions within a minute. Cryptology ePrint Archive. 2006. (44 citations)
  Context: "...ion. A number of recent attacks on hash functions have highlighted weaknesses of both specific hash functions, and the general Merkle-Damgård construction. Wang et al. [28–31], Biham et al. [3], Klima [19] and Joux et al. [14] all show that differential attacks can be used to efficiently find collisions in specific hash functions based on the MD4 design, such as MD5, RIPEMD, SHA-0 and SHA-1. This type..."

- Kelsey, Schneier, et al. Preimages on n-Bit Hash Functions for Much Less than 2^n Work. 2005. (43 citations)
  Context: "... when ℓ = (n − 2)/3, and in this setting, the total cost of our attack is about 5 · 2^{2n/3} + 2^{n−k}. 2.3 Comparison With Kelsey and Schneier. On the original Merkle-Damgård construction, the attack of [16] is more efficient than ours (on SHA-1, they can find a second preimage of a message of size 2^55 with 2^105 work, whereas we need 2^109 calls to the compression function to obtain the same result). H..."

- Biham, Dunkelman. A Framework for Iterative Hash Functions. 2006. (42 citations)
  Context: "... used to carry out the attack despite the Merkle-Damgård strengthening. Variants of the Merkle-Damgård construction that attempt to preclude the aforementioned second preimage attacks are the Haifa [23] construction proposed by Biham and Dunkelman and the "dithered" Merkle-Damgård hash by Rivest [25]. Haifa includes the number of message bits hashed so far in the message block. The simplest way to i..."

- (author not listed on the page). Sur la complexité des suites infinies. 1994. (34 citations)

- Kelsey, Kohno. Herding Hash Functions and the Nostradamus Attack. 2006. (30 citations)
  Context: "... new generic long-message second preimage attack, based on combining the techniques in the second preimage attacks of Dean [8] and Kelsey and Schneier [16] with the herding attack of Kelsey and Kohno [15]. We show that these generic attacks apply to hash functions using the Merkle-Damgård construction with only slightly more work than the previously known attack, but allow enormously more control of t..."

- Pansiot. Complexité des facteurs des mots infinis engendrés par morphismes itérés. 1984. (17 citations)

- Lee, Rozenberg. Subword complexities of various classes of deterministic developmental languages without interaction. Theoret. Comput. Sci. 1. 1975. (16 citations)

- Joux, Peyrin. Hash Functions and the (Amplified) Boomerang Attack. 2004. (16 citations)
  Context: "...t attacks on hash functions have highlighted weaknesses of both specific hash functions, and the general Merkle-Damgård construction. Wang et al. [28–31], Biham et al. [3], Klima [19] and Joux et al. [14] all show that differential attacks can be used to efficiently find collisions in specific hash functions based on the MD4 design, such as MD5, RIPEMD, SHA-0 and SHA-1. This type of result is importan..."

- Keränen. Abelian squares are avoidable on 4 letters. 1992. (16 citations)
  Context: "...abelian square-free) if none of its factors is a square (resp. an abelian square). Note that abelian square-free words are also square-free. An Infinite Abelian Square-Free Sequence. In 1992, Keränen [17] exhibited an infinite abelian square-free word k over a four-letter alphabet (there are no infinite abelian square-free words over a ternary alphabet). In this paper, we call this infinite abelian sq..."

- Andreeva, Neven, et al. Seven-Property-Preserving Iterated Hashing. 2007. (13 citations)
  Context: "...es to several hash function constructions which are not vulnerable to the previously known attack, including the dithered hash proposal of Rivest [25], Shoup's UOWHF [26] and the ROX hash construction [2]. We analyze the properties of the dithering sequence used in [25], and develop a time-memory tradeoff which allows us to apply our second preimage attack to a wide range of dithering sequences, inclu..."

- Rivest. Abelian Square-Free Dithering for Iterated Hash Functions. Presented at ECrypt Hash Function Workshop. (13 citations)
  Context: "...found. Additionally, we show that our new attack applies to several hash function constructions which are not vulnerable to the previously known attack, including the dithered hash proposal of Rivest [25], Shoup's UOWHF [26] and the ROX hash construction [2]. We analyze the properties of the dithering sequence used in [25], and develop a time-memory tradeoff which allows us to apply our second preimage..."

- Wang, Yu, et al. Efficient Collision Search Attacks on SHA-0. In [27], pp. 1–16. (10 citations)
  Context (a fragment of the paper's appendix fused into this entry by extraction): "A. Some Sequence-Complexity Related Results. Sequences Generated by Morphisms. We say that a function τ : A* → A* is a morphism if for all words x and y, τ(x.y) = τ(x).τ(y). A morphism is then e..."

- Janson, Lonardi, et al. On average sequence complexity. 2004. (7 citations)
  Context: "...most maximal. Suppose the alphabet has size |A| = 2^i. Then the expected number of ℓ-letter factors in a pseudo-random word of size 2^k is lower-bounded by 2^{i·ℓ} · (1 − exp(−2^{k−i·ℓ})) (refer to [12], theorem 2, for a proof of this claim). The total optimal cost of the online attack is then at least 2^{n−k/(i+1)+2} and is obtained with ℓ = k/(i + 1). With 8-bit dithering symbols and if k = 55, as..."

- Keränen. On abelian square-free DT0L-languages over 4 letters. (3 citations)
  Context: "...are no infinite abelian square-free words over a ternary alphabet). In this paper, we call this infinite abelian square-free word the Keränen sequence. Details about this construction can be found in [17,18,25]. Sequence Complexity. The number of factors of a given size of an infinite word gives an intuitive notion of its complexity: a sequence is more complex (or richer) if it possesses a large number of d..."

- Cobham. Uniform tag sequences. 1972. (2 citations)

- Wang, Yu. How to Break MD5 and Other Hash Functions. In [6 (2 citations)