A proposal of a criterion for collision resistance of hash functions

clear the advantage of the fact that an attacker can know all intermediate values in calculating an outIn this paper we revisit the tequniques for collision put. This fact is the most different assumption for attacks and study the relation between maximum an attacker from block cipher’s case. differential characteristic probability and a limit of However Wang et al. showed in the last two years applicability of collision attack. We show that a that almost all the currently proposed hash func­ cryptographic hash function is secure against col­ tions (including widely used MD5 and SHA-1) is lision attacks using a single message block based weak against their collision attacks [16, 17, 18, 19]. on differential attack if the unequality pD < (1 − Additionally Biham et al. provided a technique to e−1)2−nm−1 is satisfied, where nm is an input length improve the complexity of collision attacks and ap­ of a compression function and pD is the maximum plied it to SHA-0 and SHA-1 [1, 2]. Both of their differential characteristic probability. attacks are an application of differential attack pro