Second Preimage Attacks on Dithered Hash Functions
نویسندگان
چکیده
The goal of this paper is to analyze the security of dithered variants of the Merkle-Damgård mode of operation that use a third input to indicate the position of a block in the message to be hashed. These modes of operation for hash functions have been proposed to avoid some structural weaknesses of the Merkle-Damgard paradigm, e.g. that second preimages can be constructed in much less than 2 work, as pointed out by Kelsey and Schneier [17]. Among the modes of operation that use such a third input are Rivest's dithered hashing [26] and Biham and Dunkelman's Haifa proposal [24]. We propose several new second preimage attacks on the Merkle-Damgård mode of operation, which can also attack Rivest's dithered hash with almost the same complexity. When applied to Shoup's UOWHF [27], these attacks can be shown to be optimal since their complexity matches Shoup's security bound. However, our attacks cannot be applied to HAIFA.
منابع مشابه
New Second Preimage Attacks on Dithered Hash Functions with Low Memory Complexity
Dithered hash functions were proposed by Rivest as a method to mitigate second preimage attacks on Merkle-Damg̊ard hash functions. Despite that, second preimage attacks against dithered hash functions were proposed by Andreeva et al. One issue with these second preimage attacks is their huge memory requirement in the precomputation and the online phases. In this paper, we present new second prei...
متن کاملPractical (Second) Preimage Attacks on TCS_SHA-3
TCS SHA-3 is a family of four cryptographic hash functions that are covered by an US patent (US 2009/0262925). The digest sizes are 224, 256, 384 and 512 bits. The hash functions use bijective functions in place of the standard, compression functions. In this paper we describe first and second preimage attacks on the full hash functions. The second preimage attack requires negligible time and t...
متن کاملPractical (Second) Preimage Attacks on the TCS_SHA-3 Family of Cryptographic Hash Functions
TCS_SHA-3 is a family of four cryptographic hash functions that are covered by a United States patent (US 2009/0262925). The digest sizes are 224, 256, 384 and 512 bits. The hash functions use bijective functions in place of the standard compression functions. In this paper we describe first and second preimage attacks on the full hash functions. The second preimage attack requires negligible t...
متن کاملPractical Hash Functions Constructions Resistant to Generic Second Preimage Attacks Beyond the Birthday Bound
Most cryptographic hash functions rely on a simpler primitive called a compression function, and in nearly all cases, there is a reduction between some of the security properties of the full hash function and those of the compression function. For instance, a celebrated result of Merkle and Damg̊ard from 1989 states that a collision on the hash function cannot be found without finding a collisio...
متن کاملBreaking the Even-Mansour Hash Function: Collision and Preimage Attacks on JH and Grøstl
The Even-Mansour structure and the chopMD mode are two widely-used strategies in hash function designs. They are adopted by many hash functions including two SHA-3 finalists, the JH hash function and the Grøstl hash function. The Even-Mansour structure combining the chopMD mode is supposed to enhance the security of hash functions against collision and preimage attacks, while our results show t...
متن کامل