
Journal of Cryptology, Volume 23, Issue 1, pp 72–90

Cryptanalysis of MD2

  • Lars R. Knudsen
  • John Erik Mathiassen
  • Frédéric Muller
  • Søren S. Thomsen

Abstract

This paper considers the hash function MD2 which was developed by Ron Rivest in 1989. Despite its age, MD2 has withstood cryptanalytic attacks until recently. This paper contains the state-of-the-art cryptanalytic results on MD2, in particular collision and preimage attacks on the full hash function, the latter having complexity $2^{73}$, which should be compared to a brute-force attack of complexity $2^{128}$.

Keywords

Cryptographic hash function, MD2, Collision attack, Preimage attack



Copyright information

© International Association for Cryptologic Research 2009

Authors and Affiliations

  • Lars R. Knudsen (1)
  • John Erik Mathiassen (2)
  • Frédéric Muller (3)
  • Søren S. Thomsen (4)

  1. Department of Mathematics, Technical University of Denmark, Kgs. Lyngby, Denmark
  2. Avenir AS, Bergen, Norway
  3. HSBC, Paris, France
  4. Department of Mathematics, Technical University of Denmark, Kgs. Lyngby, Denmark
