## New Second Preimage Attacks on Hash Functions (2008)

### BibTeX

```bibtex
@MISC{Andreeva08newsecond,
  author = {Elena Andreeva and Charles Bouillaguet and Orr Dunkelman and Pierre-Alain Fouque and Jonathan J. Hoch and John Kelsey and Adi Shamir and Sebastien Zimmer},
  title  = {New Second Preimage Attacks on Hash Functions},
  year   = {2008}
}
```

### Abstract

In this work we present new generic second preimage attacks on hash functions. Our first attack is based on the herding attack, and applies to various Merkle-Damgård-based iterative hash functions. Compared to the previously known long-message second preimage attacks, our attack adds only a small computational overhead. In exchange, our attack gives the adversary much greater control over the contents of the second message and in particular allows all the difference to be concentrated in a few message blocks. As a result, the new second preimage attack is applicable to hash function constructions such as the dithered hash proposal of Rivest, Shoup's UOWHF, and the ROX hash construction, which were thought to be immune to the earlier known second preimage attacks. We also suggest a few time-memory-data tradeoff variants for this type of attack, allowing for faster online computations and attacking significantly shorter messages. Furthermore, we analyze the properties of the dithering sequence used in Rivest's hash function proposal, and develop a time-memory tradeoff which allows us to apply our second preimage attack to dithering sequences much stronger than those in Rivest's proposals. Parts of our results rely on the kite generator, a new time-memory tradeoff tool. We also exhibit a time-memory-data tradeoff attack on tree hashes for second preimages. Finally, we show how both the existing second preimage attacks and our new attacks can be applied even more efficiently when given multiple short target messages rather than a single long target message.
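The herding-based second preimage attack the abstract describes, worked through as an added example (this is not code from the paper): a toy Merkle-Damgård hash with strengthening and a 16-bit chaining value, a diamond structure over 2^ℓ attacker-chosen leaves, one connecting block from the diamond root into the target message's chain, and a prefix whose last block lands on a leaf, so that the second message has the same block count as the target. The compression function (truncated SHA-256), the parameters n = 16, ℓ = 4, κ = 8 and the random target message are all constructed for the illustration. The call counter makes the cost visible: the connect step costs about 2^{n−κ} compression calls and the prefix step about 2^{n−ℓ}, against 2^n for a generic second preimage.

```python
"""Herding-based second preimage attack on a toy Merkle-Damgard hash.

Constructed illustration, not the paper's code: n = 16-bit chaining values,
16-bit message blocks, compression function = truncated SHA-256.
"""
import hashlib
import random

N_BITS = 16                  # chaining value size n (toy; real hashes use 160-512)
MASK = (1 << N_BITS) - 1
IV = 0x1234                  # fixed toy initial value
CALLS = {"f": 0}             # counts compression function calls, i.e. the attack's cost


def f(h, m):
    """Compression function f(h, m) -> n bits, for a 16-bit h and a 16-bit block m."""
    CALLS["f"] += 1
    d = hashlib.sha256(h.to_bytes(2, "big") + m.to_bytes(2, "big")).digest()
    return int.from_bytes(d[:2], "big")


def chain(blocks):
    """Intermediate chaining values h_0 = IV, h_1, ..., h_N of a message."""
    hs = [IV]
    for m in blocks:
        hs.append(f(hs[-1], m))
    return hs


def md_hash(blocks):
    """Merkle-Damgard with strengthening: the block count is fed in as the last block."""
    return f(chain(blocks)[-1], len(blocks) & MASK)


def collide_pair(a, b):
    """Find blocks (ma, mb) with f(a, ma) == f(b, mb): about 2^(n/2) calls by the birthday bound."""
    seen_a, seen_b = {}, {}
    for m in range(1 << 16):
        ya, yb = f(a, m), f(b, m)
        if ya == yb:
            return m, m, ya
        if ya in seen_b:
            return m, seen_b[ya], ya
        if yb in seen_a:
            return seen_a[yb], m, yb
        seen_a[ya], seen_b[yb] = m, m
    raise RuntimeError("no collision found")


def build_diamond(leaves):
    """Herding diamond: pair the 2^l leaves level by level until a single root h_diamond.
    nxt[h] = (block, parent) records each node's edge towards the root."""
    nxt, level = {}, list(leaves)
    while len(level) > 1:
        new_level = []
        for a, b in zip(level[0::2], level[1::2]):
            ma, mb, y = collide_pair(a, b)
            nxt[a], nxt[b] = (ma, y), (mb, y)
            new_level.append(y)
        level = new_level
    return level[0], nxt


def diamond_path(leaf, nxt, root):
    """Message blocks that walk from a leaf up to the diamond root (l blocks)."""
    blocks, h = [], leaf
    while h != root:
        m, h = nxt[h]
        blocks.append(m)
    return blocks


def second_preimage(target, ell=4, seed=1):
    """Return M' != M with the same block count and md_hash(M') == md_hash(M)."""
    rng = random.Random(seed)
    hs = chain(target)                        # h_0 .. h_N of the target message
    # 1. Offline: diamond over 2^ell random leaves, independent of the target contents.
    leaves = rng.sample(range(1 << N_BITS), 1 << ell)
    root, nxt = build_diamond(leaves)
    # 2. Connect: blocks from the root until one hits some h_j with j >= ell + 2,
    #    so that a prefix of j - ell - 1 blocks plus the diamond path fits before it.
    targets = {h: j for j, h in enumerate(hs) if j >= ell + 2}
    c = 0
    while f(root, c) not in targets:          # ~2^(n - kappa) trials
        c += 1
    j = targets[f(root, c)]
    # 3. Prefix: j - ell - 2 blocks of the attacker's choice, then one block that
    #    lands on a diamond leaf (~2^(n - ell) trials).
    prefix = [rng.randrange(1 << 16) for _ in range(j - ell - 2)]
    s, leaf_set = chain(prefix)[-1], set(leaves)
    p = 0
    while f(s, p) not in leaf_set:
        p += 1
    leaf = f(s, p)
    # 4. Assemble: prefix || p || diamond path || c || m_{j+1} .. m_N (same block count,
    #    so the strengthening block is identical too).
    second = prefix + [p] + diamond_path(leaf, nxt, root) + [c] + target[j:]
    assert len(second) == len(target) and second != target
    assert md_hash(second) == md_hash(target)
    return second


if __name__ == "__main__":
    rng = random.Random(7)
    target = [rng.randrange(1 << 16) for _ in range(1 << 8)]   # 2^kappa blocks, kappa = 8
    CALLS["f"] = 0
    second = second_preimage(target)
    print("same hash:", md_hash(second) == md_hash(target))
    print("compression calls:", CALLS["f"], "vs 2^n =", 1 << N_BITS)
```

The attacker controls every block of the prefix except the last one, which is why the paper describes the attack as giving much greater control over the second message than the Dean / Kelsey-Schneier expandable-message attacks; for a dithered hash the diamond would additionally have to be built along a fixed factor of the dithering sequence, which is what the paper's analysis of that sequence is about.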

### Citations

- **[18] Feller (1968).** An Introduction to Probability Theory and its Applications, volume 1. Cited by 2326.
  Context: "...erse tree, starting from h_i, and listing the expected 2^{(n−κ)/2} values that may lead to it following the dither sequence. If there is a collision between the two lists (which happens with high ..." (footnote 5: "See [18] for a formal justification of this claim."; Fig. 9 caption: "A toy Kite-Generator with 16 nodes over a binary alphabet. Edges are labelled with a message bloc...")

- **[40] Naor, Yung (1989).** Universal one-way hash functions and their cryptographic applications. Cited by 322.
  Context: "... generates a message M′ ≠ M such that H_K(M) = H_K(M′). This security property, also known as target collision security or everywhere preimage security [44] of a hash function, was first introduced in [40]. Bellare and Rogaway studied the construction of variable input length TCR hash functions from fixed input length TCR compression functions in [4]. They also demonstrated that the TCR property is suffici..."

- **[12] Damgård (1989).** A Design Principle for Hash Functions. Cited by 312.
  Context: "...trengthening) appends to the original message a single '1' bit followed by as many '0' bits as needed to complete an m-bit block after embedding the message length at the end. Merkle [38] and Damgård [12] proved independently that the scheme is collision resistance preserving, in the sense that a collision on the hash function H^f implies a collision on the compression function f. As a side effect, the..."

- **[38] Merkle (1989).** One Way Hash Functions and DES. Cited by 187.
  Context: "...nd preimages for the case of small alphabet dither sequences, as well as an adaptation of Dean's second preimage attack to these cases. We follow by presenting a second preimage attack on tree hashes [38]. The attack allows finding a second preimage of a 2^κ-block message in time 2^{n−κ+1}. Finally, we show that both the original second-preimage attacks of [16, 26] and our attacks can be extended to the ..."

- **[22] Joux (2004).** Multicollisions in Iterated Hash Functions. Application to Cascaded Constructions. Cited by 104.
  Context: "... name a few, have been developed to attack a wide spectrum of hash functions. These attacks target some particular constructions, while other attacks were more generic. The results of Dean [16], Joux [22], Kelsey and Schneier [26], and Kelsey and Kohno [25] explore the resistance of the widely used Merkle-Damgård construction against several types of attacks, including multicollision attacks and seco..."

- **[4] Bellare, Rogaway (1997).** Collision-resistant hashing: Towards making UOWHFs practical. Cited by 102.
  Context: "...erkle-Damgård based constructions, such as prefix-free Merkle-Damgård [10], randomized hash [19], Enveloped Merkle-Damgård [3], etc. Keyed hash constructions like the linear and the XOR linear hash by [4] use a unique per-message-block key, which foils this style of attack in the connection step (as well as the attack of [26]). Complexity. The first step allows for precomputation and its time and space c..."

- **[7] Biryukov, Shamir (2000).** Cryptanalytic time/memory/data tradeoffs for stream ciphers. Cited by 96.
  Context: "...nd trying for each of the possible targets, the attack (i.e., apply the chain). This reduces the memory complexity (without affecting the online time complexity or success rate), as long as m ≤ d (see [7] for more details concerning this constraint). 3.2 Time-Memory-Data Tradeoffs for Merkle-Damgård Second Preimage Attacks. Both known long-message second preimage attacks and our newly proposed second pr..."

- **[10] Coron, Dodis, et al. (2005).** Merkle-Damgård Revisited: How to Construct a Hash Function. Cited by 84.
  Context: "...duce the same hash value with the added Merkle-Damgård strengthening. Our new second preimage attack applies identically to other Merkle-Damgård based constructions, such as prefix-free Merkle-Damgård [10], randomized hash [19], Enveloped Merkle-Damgård [3], etc. Keyed hash constructions like the linear and the XOR linear hash by [4] use a unique per-message-block key, which foils this style of attack i..."

- **[3] Bellare, Ristenpart (2006).** Multi-property-preserving hash domain extension and the EMD transform. Cited by 63.
  Context (the highlighted "(3)" here is an equation number, not this reference; the paper cites [3] as "Enveloped Merkle-Damgård [3]" in the contexts above): "...1. Therefore, there are exactly 2^{2^i − i − 1} distinct elements of Ω_κ containing κ − 1 in u_κ (they are necessarily distinct because they all contain κ − 1 only once and at different locations). Now that (3) is established, we can unfold the recurrence relation. We note that we have for i ≥ 1, 2^i, and thus we obtain (assuming that κ ≥ 2^i): |Ω_κ| = (κ − 2^i + 1) · 2^{2^i − i − 1} ..."

- **[19] Halevi, Krawczyk (2006).** Strengthening digital signatures via randomized hashing. Cited by 60.
  Context: "...ue with the added Merkle-Damgård strengthening. Our new second preimage attack applies identically to other Merkle-Damgård based constructions, such as prefix-free Merkle-Damgård [10], randomized hash [19], Enveloped Merkle-Damgård [3], etc. Keyed hash constructions like the linear and the XOR linear hash by [4] use a unique per-message-block key, which foils this style of attack in the connection step ..."

- **[16] Dean (1999).** Formal Aspects of Mobile Code Security. Cited by 51.
  Context: "...34, 45], to name a few, have been developed to attack a wide spectrum of hash functions. These attacks target some particular constructions, while other attacks were more generic. The results of Dean [16], Joux [22], Kelsey and Schneier [26], and Kelsey and Kohno [25] explore the resistance of the widely used Merkle-Damgård construction against several types of attacks, including multicollision attac..."

- **[46] Shoup (2000).** A composition theorem for universal one-way hash functions. Cited by 47.
  Context: "...r less than the ideal 2^160 second preimage resistance expected from the dithered construction. We further show the applicability of our attack to the universal one-way hash function designed by Shoup [46], which exhibits some similarities with dithered hashing. The attack applies as well to constructions that derive from this design, e.g., ROX [2]. Our technique yields the first published attack against..."

- **Cannière, Rechberger (2006).** Finding SHA-1 Characteristics: General Results and Applications. Cited by 46.

- **[28] Klima (2006).** Tunnels in hash functions: MD5 collisions within a minute. Cryptology ePrint Archive. Cited by 44.
  Context: "...larly active in the last few years, and led to the publication of many significant results. New techniques, such as the ones by Wang et al. [48–51], Biham et al. [5], De Cannière et al. [13–15], Klima [28], Joux et al. [24], Mendel et al. [35, 36], Leurent [30, 31], and Sasaki et al. [34, 45], to name a few, have been developed to attack a wide spectrum of hash functions. These attacks target some part..."

- **[32] Lucks (2005).** A Failure-Friendly Design Principle for Hash Functions. Cited by 44.
  Context: "... long messages when the Merkle-Damgård strengthening is omitted. Variants of the Merkle-Damgård construction that attempt to preclude the aforementioned attacks are the wide-pipe construction by Lucks [32], the HAIFA [6] mode of operation proposed by Biham and Dunkelman, and the dithered iteration by Rivest [43]. The wide-pipe strategy achieves the added security by maintaining a double-sized internal s..."

- **[26] Kelsey, Schneier (2005).** Second Preimages on n-Bit Hash Functions for Much Less than 2^n Work. Cited by 43.
  Context: "...f this variant is 2^{(n+κ)/2+2} + 2^{n−κ} + κ·2^{n/2+1} + 2^κ online compression function calls (note that 2^κ is also the size of the diamond structure). 2.4 Comparison with Dean [16] and Kelsey and Schneier [26]. The attacks of [16, 26] are slightly more efficient than ours. We present the respective offline and online complexities for the old and new variants of the attack in Table 1 and the comparison of th..."

- **[25] Kelsey, Kohno (2006).** Herding Hash Functions and the Nostradamus Attack. Cited by 30.
  Context: "...ctrum of hash functions. These attacks target some particular constructions, while other attacks were more generic. The results of Dean [16], Joux [22], Kelsey and Schneier [26], and Kelsey and Kohno [25] explore the resistance of the widely used Merkle-Damgård construction against several types of attacks, including multicollision attacks and second preimage attacks. Our research on second preimage ..."

- **[35, 36] Mendel, Rechberger, et al. (2009).** The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grøstl. Cited by 27.
  Context: "...d led to the publication of many significant results. New techniques, such as the ones by Wang et al. [48–51], Biham et al. [5], De Cannière et al. [13–15], Klima [28], Joux et al. [24], Mendel et al. [35, 36], Leurent [30, 31], and Sasaki et al. [34, 45], to name a few, have been developed to attack a wide spectrum of hash functions. These attacks target some particular constructions, while other attacks ..."

- **[34, 45] Sasaki, Aoki (2009).** Finding Preimages in Full MD5 Faster than Exhaustive Search. Cited by 26.
  Context: "...sults. New techniques, such as the ones by Wang et al. [48–51], Biham et al. [5], De Cannière et al. [13–15], Klima [28], Joux et al. [24], Mendel et al. [35, 36], Leurent [30, 31], and Sasaki et al. [34, 45], to name a few, have been developed to attack a wide spectrum of hash functions. These attacks target some particular constructions, while other attacks were more generic. The results of Dean [16], J..."

- **[6] Biham, Dunkelman (2007).** A Framework for Iterative Hash Functions: HAIFA. Cited by 17.
  Context: "...hen the Merkle-Damgård strengthening is omitted. Variants of the Merkle-Damgård construction that attempt to preclude the aforementioned attacks are the wide-pipe construction by Lucks [32], the HAIFA [6] mode of operation proposed by Biham and Dunkelman, and the dithered iteration by Rivest [43]. The wide-pipe strategy achieves the added security by maintaining a double-sized internal state (which con..."

- **[17, 41] Lee, Rozenberg (1975).** Subword complexities of various classes of deterministic developmental languages without interaction. Theoret. Comput. Sci. 1. Cited by 16.
  Context: "...e exact set of factors of a given length ℓ can be deduced from the proof of this theorem. It is worth mentioning that similar results exist in the case of sequences generated by non-uniform morphisms [17, 41], although the upper bound can be quadratic in ℓ. The bound given by this theorem, although attained by certain sequences, is relatively rough. For example, since the Keränen sequence is 85-uniform, t..."

- **Keränen (1992).** Abelian squares are avoidable on 4 letters. Cited by 16.

- **[30, 31] Leurent (2008).** MD4 is not one-way. Cited by 15.
  Context: "...cation of many significant results. New techniques, such as the ones by Wang et al. [48–51], Biham et al. [5], De Cannière et al. [13–15], Klima [28], Joux et al. [24], Mendel et al. [35, 36], Leurent [30, 31], and Sasaki et al. [34, 45], to name a few, have been developed to attack a wide spectrum of hash functions. These attacks target some particular constructions, while other attacks were more generic...."

- **[2] Andreeva, Neven, et al. (2007).** Seven-Property-Preserving Iterated Hashing: ROX. Cited by 13.
  Context (the highlighted "(2)" here is the argument of Fact_z, not this reference; the paper cites [2] as "ROX [2]" in the Shoup context above): "...the following upper bound may be tighter: Lemma 1. Let z be an infinite sequence over the alphabet A generated by an r-uniform morphism τ. For all ℓ, 1 ≤ ℓ ≤ r, we have: Fact_z(ℓ) ≤ ℓ · (Fact_z(2) − |A|) + [(r + 1) · |A| − Fact_z(2)]. Proof. If ℓ ≤ r, then any factor of z of size ℓ falls in one of these two classes: Either it is a factor of τ(α) for some letter α ∈ A. There are no more than |A| ..."

- **[43] Rivest (2005).** Abelian Square-Free Dithering for Iterated Hash Functions. Presented at ... Cited by 12.
  Context: "... that attempt to preclude the aforementioned attacks are the wide-pipe construction by Lucks [32], the HAIFA [6] mode of operation proposed by Biham and Dunkelman, and the dithered iteration by Rivest [43]. The wide-pipe strategy achieves the added security by maintaining a double-sized internal state (which consumes more memory and resources). A different approach is taken by the designers of HAIFA and ..."

- **Cannière, Mendel, et al. (2007).** Collisions for 70-step SHA-1: On the full cost of collision search. Cited by 9.

- **Cannière, Rechberger (2008).** Preimages for reduced SHA-0 and SHA-1. Cited by 8.

- **[21] Janson, Lonardi, et al. (2004).** On average sequence complexity. Cited by 7.
  Context: "...maximal. Suppose that the alphabet has size |A| = 2^i. Then the expected number of ℓ-letter factors in a pseudo-random word of size 2^κ is lower-bounded by 2^{i·ℓ} · (1 − exp(−2^{κ−i·ℓ})) (refer to [21], Theorem 2, for a proof of this claim). The total optimal cost of the online attack is then at least 2^{n−κ/(i+1)+2} and is obtained with ℓ = κ/(i+1). With 8-bit dithering symbols for κ = 55, the com..."

- **[1] Allouche (1994).** Sur la complexité des suites infinies. Cited by 4.
  Context: "...n ∈ N. Let τ^∞(α) denote the limit of this sequence: it is the only fixed point of τ that begins with the letter α. Such infinite sequences are called uniform tag sequences [9] or r-automatic sequences [1]. An Infinite Abelian Square-Free Sequence. Infinite square-free sequences have been known to exist since 1906, when Axel Thue exhibited the Thue-Morse word over a ternary alphabet (there are no square-..."

- **[20] Hellman (1980).** A Cryptanalytic Time-Memory Trade-Off. In ... Cited by 4.
  Context: "...llowing similar ideas, we suggest a second preimage attack technique for tree hashes. 3.1 Hellman's Time-Memory Tradeoff Attack. Time-memory tradeoff attacks (TMTO) were first introduced in 1980 by Hellman [20]. The idea is to improve brute force attacks by trading the online time for memory and precomputation when inverting a function f : {0,1}^n → {0,1}^n. Suppose we have an image element y and we wish..."

- **[34, 45] Matusiewicz, Naya-Plasencia, et al., Schläffer (2009).** Rebound attack on the full LANE compression function. Cited by 3.
  Context: "...sults. New techniques, such as the ones by Wang et al. [48–51], Biham et al. [5], De Cannière et al. [13–15], Klima [28], Joux et al. [24], Mendel et al. [35, 36], Leurent [30, 31], and Sasaki et al. [34, 45], to name a few, have been developed to attack a wide spectrum of hash functions. These attacks target some particular constructions, while other attacks were more generic. The results of Dean [16], J..."

- **[9] Cobham (1972).** Uniform tag sequences. Cited by 2.
  Context: "...trict prefix of u_{n+1}, for all n ∈ N. Let τ^∞(α) denote the limit of this sequence: it is the only fixed point of τ that begins with the letter α. Such infinite sequences are called uniform tag sequences [9] or r-automatic sequences [1]. An Infinite Abelian Square-Free Sequence. Infinite square-free sequences have been known to exist since 1906, when Axel Thue exhibited the Thue-Morse word over a ternary a..."

- **[30, 31] Leurent.** Practical key-recovery attack against APOP, an MD5-based challenge-response authentication. In International ... Cited by 2.
  Context: "...cation of many significant results. New techniques, such as the ones by Wang et al. [48–51], Biham et al. [5], De Cannière et al. [13–15], Klima [28], Joux et al. [24], Mendel et al. [35, 36], Leurent [30, 31], and Sasaki et al. [34, 45], to name a few, have been developed to attack a wide spectrum of hash functions. These attacks target some particular constructions, while other attacks were more generic...."

- **[17, 41] Pansiot (1984).** Complexité des facteurs des mots infinis engendrés par morphismes itérés. Cited by 2.
  Context: "...e exact set of factors of a given length ℓ can be deduced from the proof of this theorem. It is worth mentioning that similar results exist in the case of sequences generated by non-uniform morphisms [17, 41], although the upper bound can be quadratic in ℓ. The bound given by this theorem, although attained by certain sequences, is relatively rough. For example, since the Keränen sequence is 85-uniform, t..."

- **[23] Joux, Lucks (2009).** Improved Generic Algorithms for 3-Collisions, pp. 347–363. Cited by 1.
  Context: "... to the diamond structure takes 2^… as before. The memory required for storing the diamond structure is O(|A| · 2^ℓ). We note that the generation of the |A|-collision can be done using the results of [23], which allow balancing between the preprocessing's time and its memory consumption. Finally, given the huge precomputation step, it may be useful to consider a time-memory-data tradeoff for the first con..."

- **[35, 36] Mendel, Peyrin, et al., Schläffer (2009).** Improved Cryptanalysis of the Reduced Grøstl Compression Function. Cited by 1.
  Context: "...d led to the publication of many significant results. New techniques, such as the ones by Wang et al. [48–51], Biham et al. [5], De Cannière et al. [13–15], Klima [28], Joux et al. [24], Mendel et al. [35, 36], Leurent [30, 31], and Sasaki et al. [34, 45], to name a few, have been developed to attack a wide spectrum of hash functions. These attacks target some particular constructions, while other attacks ..."

- **[44] Rogaway, Shrimpton (2004).** Cryptographic Hash-Function Basics: Definitions, Implications, and Separations for Preimage Resistance, Second-Preimage Resistance, and Collision Resistance. Cited by 1.
  Context: "...andom and given to A. The adversary wins if she generates a message M′ ≠ M such that H_K(M) = H_K(M′). This security property, also known as target collision security or everywhere preimage security [44] of a hash function, was first introduced in [40]. Bellare and Rogaway studied the construction of variable input length TCR hash functions from fixed input length TCR compression functions in [4]. They a..."
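Hellman's time-memory tradeoff, as summarised in the context of the Hellman [20] entry above (trade online time for memory and precomputation when inverting f : {0,1}^n → {0,1}^n), worked through as an added example that is not the paper's code. The function g to invert (truncated SHA-256), the per-table flavouring g_r(x) = g(x) ⊕ r used in place of Hellman's reduction functions, and the parameters m = 64 chains of length t = 32 in 32 tables (chosen so that m·t² = 2^n, Hellman's matrix stopping rule) are all constructed for the illustration. Only chain endpoints are stored, so memory is m entries per table; the online phase walks at most t steps per table and rebuilds a chain from its start point whenever an endpoint matches, which is where false alarms from merged chains are paid for.

```python
"""Hellman time-memory tradeoff on a toy 16-bit one-way function.

Constructed illustration, not the paper's code: g is truncated SHA-256 and the
table sizes are tiny so that precomputation takes about a second.
"""
import hashlib
import random

N_BITS = 16
SPACE = 1 << N_BITS


def g(x):
    """Function to invert, g: {0,1}^n -> {0,1}^n (toy: first two bytes of SHA-256)."""
    d = hashlib.sha256(x.to_bytes(2, "big")).digest()
    return int.from_bytes(d[:2], "big")


def g_r(x, r):
    """Per-table variant g_r(x) = g(x) XOR r, so tables with different r cover different chains."""
    return g(x) ^ r


class HellmanTables:
    """n_tables tables of m chains of length t; memory is m * n_tables (endpoint -> start) pairs."""

    def __init__(self, m, t, n_tables, seed=0):
        self.t = t
        rng = random.Random(seed)
        self.tables = []
        for _ in range(n_tables):
            r = rng.randrange(SPACE)
            table = {}
            for _ in range(m):
                start = rng.randrange(SPACE)
                x = start
                for _ in range(t):          # precomputation: t evaluations per chain
                    x = g_r(x, r)
                table[x] = start            # only the endpoint is stored
            self.tables.append((r, table))

    def invert(self, y):
        """Return some x with g(x) == y, or None if y lies on no stored chain."""
        for r, table in self.tables:
            z = y ^ r                       # if g(x) == y then g_r(x) == z follows x on its chain
            for _ in range(self.t):         # online: at most t steps per table
                if z in table:
                    x = table[z]            # endpoint hit: rebuild the chain from its start
                    for _ in range(self.t):
                        if g(x) == y:
                            return x
                        x = g_r(x, r)
                    # no hit on the rebuilt chain: a false alarm from a chain merge, keep walking
                z = g_r(z, r)
        return None


def success_rate(tables, trials, seed=2):
    """Fraction of random targets y = g(x0) that the tables invert; every answer is verified."""
    rng = random.Random(seed)
    ok = 0
    for _ in range(trials):
        y = g(rng.randrange(SPACE))
        x = tables.invert(y)
        if x is not None:
            assert g(x) == y
            ok += 1
    return ok / trials


if __name__ == "__main__":
    tables = HellmanTables(m=64, t=32, n_tables=32, seed=1)   # m * t^2 = 2^16 = 2^n
    print("stored entries: %d, success rate: %.2f" % (64 * 32, success_rate(tables, 200)))
```

The success rate is below one because chains merge and the tables do not cover the whole space; that coverage gap, and the m ≤ d constraint on how many targets can be tried against one table, are what the paper's time-memory-data variants in Section 3.2 work around when the attacker has many intermediate chaining values to aim at rather than a single y.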