## Breaking the ICE - finding multicollisions in iterated concatenated and expanded (ICE) hash functions (2006)

Venue: | In Proceedings of FSE ’06 |

Citations: | 9 - 0 self |

### BibTeX

@INPROCEEDINGS{Hoch06breakingthe,

author = {Jonathan J. Hoch and Adi Shamir},

title = {Breaking the ICE - finding multicollisions in iterated concatenated and expanded (ICE) hash functions},

booktitle = {In Proceedings of FSE ’06},

year = {2006},

pages = {179--194}

}

### OpenURL

### Abstract

Abstract. The security of hash functions has recently become one of the hottest topics in the design and analysis of cryptographic primitives. Since almost all the hash functions used today (including the MD and SHA families) have an iterated design, it is important to study the general security properties of such functions. At Crypto 2004 Joux showed that in any iterated hash function it is relatively easy to find exponential sized multicollisions, and thus the concatenation of several hash functions does not increase their security. However, in his proof it was essential that each message block is used at most once. In 2005 Nandi and Stinson extended the technique to handle iterated hash functions in which each message block is used at most twice. In this paper we consider the general case and prove that even if we allow each iterated hash function to scan the input multiple times in an arbitrary expanded order, their concatenation is not stronger than a single function. Finally, we extend the result to tree-based hash functions with arbitrary tree structures.

### Citations

229 | Payword and MicroMint – two simple micropayment schemes
- Rivest, Shamir
- 1996
(Show Context)
Citation Context ...which is much smaller than the 2 n complexity of the birthday paradox applied to the 2n−bit concatenated state. Other possible applications of multicollisions are in the MicroMint micropayment scheme =-=[14]-=- and in distinguishing iterated hash functions from random functions. IV 1 IV 2 IV 3 m 1 m 2 m 1 m 2 f 1 1 1 1 m 2 m 1 m 1 m 2 f 2 f 2 f 2 2 m 2 m 1 m 2 m 1 f 3 f f 3 Fig. 1. An example of an ICE hash... |

115 | Analysis and Design of Cryptographic Hash Functions - Preneel - 1993 |

77 | Cryptographic hash-function basics: Definitions, implications, and separations for preimage resistance, secondpreimage resistance, and collision resistance - Rogaway, Shrimpton - 2004 |

76 | Hash functions based on block ciphers: a synthetic approach - Preneel, Govaerts, et al. - 1994 |

40 |
Preimages on n-Bit Hash Functions for Much Less than 2 n Work”, EUROCRYPT
- Kelsey, Schneier, et al.
- 2005
(Show Context)
Citation Context ...r countermeasures against the Joux multicollision attack such as the scheme suggested by Lucks [9], or finding additional uses of multicollisions as building blocks in more general attacks as in [5], =-=[7]-=- and [8]. 6 Acknowledgments The authors would like to thank Mridul Nandi and Douglas Stinson whose paper[10] motivated our research and contributed to its development. In addition, we would like to th... |

29 | Design principles for iterated hash functions. Cryptology ePrint Archive, Report 2004/253
- Lucks
- 2004
(Show Context)
Citation Context ...sage blocks, instead of pure repetition of the message blocks. Other research directions are to find other countermeasures against the Joux multicollision attack such as the scheme suggested by Lucks =-=[9]-=-, or finding additional uses of multicollisions as building blocks in more general attacks as in [5], [7] and [8]. 6 Acknowledgments The authors would like to thank Mridul Nandi and Douglas Stinson wh... |

16 | A framework for the design of one-way hash functions including cryptanalysis of damgard’s one-way function based on a cellular automaton
- Daemen, Govaerts, et al.
- 1991
(Show Context)
Citation Context ...the successive permutations case. First we state some definitions and prove a useful lemma. Definition 3. Let α be a sequence over L: freq(x, α) = |{i : αi = x}| (1) freq(α) = max{freq(x, α) : x ∈ L} =-=(2)-=- Definition 4. Let T = t1, ..., tt be a (not necessary contiguous) sequence of indices in α. Then : α[T ] = αt1 , ..., αtt (3) In particular if T = [t1, t2] is an interval then the definition coincide... |

8 | A.C.: A Simple and Provably Good Code for SHA Message Expansion. IACR Cryptology ePrint Archive 2005
- Jutla, Patthak
- 2005
(Show Context)
Citation Context ... flaws in almost all the hash functions proposed so far ([18], [5], [1]) made the analysis of the security properties of these functions extremely important. Some researchers (e.g., Jutla and Patthak =-=[6]-=-) proposed clever ways to strengthen the internal components of standard hash functions in order to make them provably resistant against some types of attacks. A different line of research (which was ... |

6 | Multicollision attacks on a class of hash functions. Cryptology ePrint Archive, Report 2004/330
- Nandi, Stinson
- 2004
(Show Context)
Citation Context ...in a compression function at one point is very unlikely to create another collision later when they are mixed with a different state. This difficulty was partially resolved in 2005 by Nandi & Stinson =-=[10]-=-. They considered the special case of ICE hash functions in which each message block is used at most twice in the expanded message, and extended Joux’s original technique in a highly specialized way t... |

3 | A.: Nonlinear Analysis
- Gilbert, Mikelic
(Show Context)
Citation Context ...t (3) In particular if T = [t1, t2] is an interval then the definition coincides with definition 1. Definition 5. Given any subsequence α[T ] of α, we define S(α[T ]) = |{x ∈ L : freq(x, α[T ]) ≥ 1}| =-=(4)-=- Definition 6. A set of disjoint intervals I1, ..., Ij is called independent over α if there exists a set of distinct elements x1, ..., xj in α such that all the appearances of xi in α are in α[Ii]. W... |

3 | Design principles for dedicated hash functions," Fast Software Encryption, it FSE'93, Springer LNCS volume 809 - Preneel - 1994 |