New Second Preimage Attacks on Hash Functions

New Second Preimage Attacks on Hash Functions (2008)

Cached

Download Links

by Elena Andreeva , Charles Bouillaguet , Orr Dunkelman , Pierre-Alain Fouque , Jonathan J. Hoch , John Kelsey , Adi Shamir , Sebastien Zimmer

BibTeX

@MISC{Andreeva08newsecond,
    author = {Elena Andreeva and Charles Bouillaguet and Orr Dunkelman and Pierre-Alain Fouque and Jonathan J. Hoch and John Kelsey and Adi Shamir and Sebastien Zimmer},
    title = {New Second Preimage Attacks on Hash Functions },
    year = {2008}
}

Bookmark

OpenURL

Abstract

In this work we present new generic second preimage attacks on hash functions. Our first attack is based on the herding attack, and applies to various Merkle-Damgård-based iterative hash functions. Compared to the previously known long-message second preimage attacks, our attack adds only a small computational overhead. In exchange, our attack gives the adversary a much greater control over the contents of the second message and in particular allows all the difference to be concentrated in a few message blocks. As a result, the new second preimage attack is applicable to hash function constructions such as the dithered hash proposal of Rivest, Shoup's UOWHF, and the ROX hash construction, which were thought to be immune to the earlier known second preimage attacks. We also suggest a few time-memory-data tradeo variants for this type of attacks, allowing for faster online computations, and attacking significantly shorter messages. Furthermore, we analyze the properties of the dithering sequence used in Rivest's hash function proposal, and develop a time-memory tradeo which allows us to apply our second preimage attack to a much stronger than those in Rivest's proposals. Parts of our results rely on the kite generator, a new time-memory tradeo tool. We also exhibit a time-memory-data tradeoff attack on tree hashes for second preimages. Finally, we show how both the existing second preimage attacks and our new attacks can be applied even more efficiently when given multiple short target messages rather than a single long target message.

Citations

1577	An Introduction to Probability Theory and Its Applications Volume I. 3rd edition - Feller - 1968
284	M.: Universal one-way hash functions and their cryptographic applications - Naor, Yung - 1989
231	A design principle for hash functions - Damgård - 1989
138	One way hash functions and DES - Merkle
88	P.: Collision-Resistant Hashing: Towards Making UOWHFs Practical - Bellare, Rogaway - 1997
73	Multicollisions in Iterated Hash Functions: Application to Cascaded Constructions - Joux
70	Cryptanalytic time/memory/data tradeoffs for stream ciphers - Biryukov, Shamir - 2000
51	Merkle-Damgård Revisited: How to Construct a Hash Function - Coron, Dodis, et al. - 2005
43	Multi-property-preserving hash domain extension and the EMD transform - Bellare, Ristenpart - 2006
41	A Composition Theorem for Universal One-Way Hash Functions. In: EUROCRYPT’00 - Shoup - 2000
40	Strengthening digital signatures via randomized hashing - Halevi, Krawczyk - 2006
37	Formal Aspects of Mobile Code Security - Dean - 1999
34	A failure-friendly design principle for hash functions - Lucks - 2005
29	Preimages on n-Bit Hash Functions for Much Less than 2 - Kelsey, Schneier, et al. - 2005
29	Tunnels in Hash Functions: MD5 Collisions Within a Minute,” Cryptology ePrint Archive, Report 2006/105 - Klima
24	C.: Finding SHA-1 characteristics: General results and applications - Cannière, Rechberger
16	Subword complexities of various classes of deterministic developmental languages without interaction, Theoret - Ehrenfeucht, Lee, et al. - 1975
16	T.: Herding Hash Functions and the Nostradamus Attack - Kelsey, Kohno - 2006
12	Abelian squares are avoidable on 4 letters - Keränen
10	K.: Finding preimages in full MD5 faster than exhaustive search - Sasaki, Aoki
9	T.: Seven-Property-Preserving Iterated Hashing - Andreeva, Neven, et al. - 2007
8	Abelian Square-Free Dithering for Iterated Hash Functions. Presented at ECrypt Hash Function Workshop - Rivest
7	MD4 is not one-way - Leurent
6	A framework for iterative hash functions - HAIFA. Cryptology ePrint Archive, Report 2007/278 - Biham, Dunkelman - 2007
6	Collisions for 70-step SHA-1: On the full cost of collision search - Canniere, Mendel, et al.
6	S.S.: The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grøstl - Mendel, Rechberger, et al. - 2009
5	C.: Preimages for reduced SHA-0 and SHA-1 - Cannière, Rechberger - 2008
5	On average sequence complexity - Janson, Lonardi, et al.
4	la complexite des suites in nies - Allouche, Sur - 1994
4	A Cryptanalytic Time-Memory Trade O . In - Hellman - 1980
2	Uniform tag seqences - Cobham - 1972
2	Practical key-recovery attack against APOP, an MD5-based challenge-response authentication, in "International - LEURENT
2	Schlä er, M.: Rebound Attack on the Full LANE Compression Function - Matusiewicz, Naya-Plasencia, et al.
1	Improved Generic Algorithms for 3-Collisions. [33] 347 363 - Joux, Lucks - 2007
1	Schlä er, M.: Improved Cryptanalysis of the Reduced Grøstl Compression Function - Mendel, Peyrin, et al. - 2009
1	Complexité des Facteurs des Mots In nis Engendrés Par Morphismes Itérés - Pansiot - 1984
1	T.: Cryptographic Hash-Function Basics: De nitions, Implications, and Separations for Preimage Resistance, Second-Preimage Resistance, and Collision Resistance - Rogaway, Shrimpton - 2004