# New Second-Preimage Attacks on Hash Functions

- 641 Downloads
- 5 Citations

## Abstract

In this work, we present several new generic second-preimage attacks on hash functions. Our first attack is based on the herding attack and applies to various Merkle–Damgård-based iterative hash functions. Compared to the previously known long-message second-preimage attacks, our attack offers more flexibility in choosing the second-preimage message at the cost of a small computational overhead. More concretely, our attack allows the adversary to replace only a few blocks in the original target message to obtain the second preimage. As a result, our new attack is applicable to constructions previously believed to be immune to such second-preimage attacks. Among others, these include the dithered hash proposal of Rivest, Shoup’s UOWHF, and the ROX constructions. In addition, we also suggest several time-memory-data tradeoff attack variants, allowing for a faster online phase, and even finding second preimages for shorter messages. We further extend our attack to sequences stronger than the ones suggested in Rivest’s proposal. To this end we introduce the *kite generator* as a new tool to attack any dithering sequence over a small alphabet. Additionally, we analyse the second-preimage security of the basic *tree hash* construction. Here we also propose several second-preimage attacks and their time-memory-data tradeoff variants. Finally, we show how both our new and the previous second-preimage attacks can be applied even more efficiently when multiple short messages, rather than a single long target message, are available.

## Keywords

Cryptanalysis Hash function Dithering sequence Second-preimage attack Herding attack Kite Generator## Notes

### Acknowledgments

We thank Lily Chen and Barbara Guttman for their useful comments. We also thanks Jean-Paul Allouche, Jeffrey Shallit, and James D. Currie for pointing out the existence of abelian square-free sequences of high complexity. In addition, we are grateful for the anonymous reviewers for their constructive comments and suggestions. This work has been funded in part by the Research Council KU Leuven: GOA TENSE (GOA/11/007) and OT/13/071, the IAP Program P6/26 BCRYPT of the Belgian State (Belgian Science Policy), and in part by the European Commission through the ICT program under contract ICT-2007-216676 ECRYPT II. The first author is supported by a Postdoctoral Fellowship from the Flemish Research Foundation (FWO-Vlaanderen). The third author was supported in part by the France Telecom Chair and in part by ISF Grant 827/12.

## References

- 1.J.P. Allouche, Sur la complexité des suites infinies.
*Bull. Belg. Math. Soc.***1**, 133–143 (1994). citeseer.ist.psu.edu/allouche94sur.html - 2.E. Andreeva, C. Bouillaguet, P. Fouque, J.J. Hoch, J. Kelsey, A. Shamir, S. Zimmer, Second preimage attacks on dithered hash functions, in ed. by N.P. Smart.
*Advances in Cryptology EUROCRYPT 2008, 27th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Istanbul, Turkey, April 13–17, 2008. Proceedings*. Lecture Notes in Computer Science, vol. 4965 (Springer, 2008), pp. 270–288. doi: 10.1007/978-3-540-78967-3_16 - 3.E. Andreeva, B. Mennink, Provable chosen-target-forced-midfix preimage resistance, in eds. by A. Miri, S. Vaudenay.
*Selected Areas in Cryptography—18th International Workshop, SAC 2011, Toronto, ON, Canada, August 11–12, 2011*. Revised Selected Papers. Lecture Notes in Computer Science, vol. 7118 (Springer, 2011), pp. 37–54. doi: 10.1007/978-3-642-28496-0_3 - 4.E. Andreeva, G. Neven, B. Preneel, T. Shrimpton, Seven-property-preserving iterated hashing: ROX, in ed. by K. Kurosawa.
*ASIACRYPT’07*. Lecture Notes in Computer Science, vol. 4833 (Springer, 2007), pp. 130–146Google Scholar - 5.J.P. Aumasson, L. Henzen, W. Meier, R.C.W. Phan, SHA-3 proposal BLAKE. Submission to NIST (2008). http://131002.net/blake/blake.pdf
- 6.M. Bellare, T. Ristenpart, Multi-property-preserving hash domain extension and the EMD transform, in eds. by X. Lai, K Chen.
*Advances in Cryptology—ASIACRYPT 2006, 12th International Conference on the Theory and Application of Cryptology and Information Security, Shanghai, China, December 3–7, 2006, Proceedings*. Lecture Notes in Computer Science, vol. 4284 (Springer, 2006), pp. 299–314Google Scholar - 7.M. Bellare, P. Rogaway, Collision-resistant hashing: towards making UOWHFs practical, in ed. by Jr., B.S.K.
*CRYPTO*. Lecture Notes in Computer Science, vol. 1294 (Springer, 1997), pp. 470–484Google Scholar - 8.E. Biham, R. Chen, A. Joux, P. Carribault, C. Lemuet, W. Jalby, Collisions of SHA-0 and reduced SHA-1, in ed. by R. Cramer.
*Advances in Cryptology—EUROCRYPT 2005, 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Aarhus, Denmark, May 22–26, 2005, Proceedings*. Lecture Notes in Computer Science, vol. 3494 (Springer, 2005), pp. 36–57Google Scholar - 9.E. Biham, O. Dunkelman, A framework for iterative hash functions—HAIFA (2006). http://www.csrc.nist.gov/pki/HashWorkshop/2006/Papers/DUNKELMAN_NIST3.pdf, presented at the second NIST hash workshop (August 24–25, 2006)
- 10.A. Biryukov, A. Shamir, Cryptanalytic time/memory/data tradeoffs for stream ciphers, in ed. by T. Okamoto.
*ASIACRYPT*. Lecture Notes in Computer Science, vol. 1976 (Springer, 2000), pp. 1–13Google Scholar - 11.C. de Cannière, F. Mendel, C. Rechberger, Collisions for 70-step SHA-1: on the full cost of collision search, in eds. by C.M. Adams, A. Miri, M.J. Wiener.
*Selected Areas in Cryptography*. Lecture Notes in Computer Science, vol. 4876 (Springer, 2007), pp. 56–73Google Scholar - 12.C. de Cannière, C. Rechberger, Finding SHA-1 characteristics: general results and applications, in X. Lai, K. Chen (eds.),
*Advances in Cryptology—ASIACRYPT 2006, 12th International Conference on the Theory and Application of Cryptology and Information Security, Shanghai, China, December 3–7, 2006, Proceedings*. Lecture Notes in Computer Science, vol. 4284 (Springer, 2006), pp. 1–20Google Scholar - 13.C. de Cannière, C. Rechberger, Preimages for reduced SHA-0 and SHA-1, in ed by D. Wagner.
*CRYPTO*. Lecture Notes in Computer Science, vol. 5157 (Springer, 2008), pp. 179–202Google Scholar - 14.Cobham, A.: Uniform tag sequences. Mathematical Systems Theory 6(3), 164–192 (1972)MathSciNetCrossRefMATHGoogle Scholar
- 15.J.S. Coron, Y. Dodis, C. Malinaud, P. Puniya, Merkle-damgård revisited: How to construct a hash function, in
*CRYPTO’05*(2005), pp. 430–448Google Scholar - 16.I. Damgård, A design principle for hash functions, in ed. by G. Brassard.
*CRYPTO ’89, Santa Barbara, California, USA, August 20–24, 1989, Proceedings*. Lecture Notes in Computer Science, vol. 435 (Springer, 1990), pp. 416–427Google Scholar - 17.R.D. Dean, Formal Aspects of Mobile Code Security. Ph.D. thesis, Princeton University (January 1999)Google Scholar
- 18.Ehrenfeucht, A., Lee, K.P., Rozenberg, G.: Subword Complexities of Various Classes of Deterministic Developmental Languages without Interactions. Theor. Comput. Sci. 1(1), 59–75 (1975).MathSciNetCrossRefMATHGoogle Scholar
- 19.W. Feller,
*An Introduction to Probability Theory and Its Applications*, vol. 1, chap. 12. (Wiley, 1971)Google Scholar - 20.N. Ferguson, S. Lucks, B. Schneier, D. Whiting, M. Bellare, T. Kohno, J. Callas, J. Walker, The Skein hash function family. Submission to NIST (2008). http://www.skein-hash.info/sites/default/files/skein.pdf
- 21.N. Ferguson, S. Lucks, B. Schneier, D. Whiting, M. Bellare, T. Kohno, J. Callas, J. Walker, The Skein hash function family. Submission to NIST (Round 1) (2008). http://www.skein-hash.info/sites/default/files/skein1.1.pdf
- 22.S. Halevi, H. Krawczyk, Strengthening digital signatures via randomized hashing, in ed. by C. Dwork.
*CRYPTO*. Lecture Notes in Computer Science, vol. 4117 (Springer, 2006), pp. 41–59Google Scholar - 23.Hellman, M.E.: A Cryptanalytic Time-Memory Trade Off. In: IEEE Transactions on Information Theory. vol. 26, pp. 401–406 (1980).MathSciNetCrossRefMATHGoogle Scholar
- 24.Janson, S., Lonardi, S., Szpankowski, W.: On average sequence complexity. Theor. Comput. Sci. 326(1–3), 213–227 (2004).MathSciNetCrossRefMATHGoogle Scholar
- 25.A. Joux, Multicollisions in iterated hash functions. Application to cascaded constructions, in ed. by M.K. Franklin.
*CRYPTO’04*. Lecture Notes in Computer Science, vol. 3152 (Springer, 2004), pp. 306–316Google Scholar - 26.A. Joux, S. Lucks, Improved generic algorithms for 3-collisions, in ed. by M. Matsui.
*Advances in Cryptology—ASIACRYPT 2009, 15th International Conference on the Theory and Application of Cryptology and Information Security, Tokyo, Japan, December 6–10, 2009. Proceedings*. Lecture Notes in Computer Science, vol. 5912 (Springer, 2009), pp. 347–363Google Scholar - 27.A. Joux, T. Peyrin, Hash functions and the (amplified) boomerang attack, in ed. by A. Menezes.
*CRYPTO*. Lecture Notes in Computer Science, vol. 4622. (Springer, 2007), pp. 244–263Google Scholar - 28.J. Kelsey, T. Kohno, Herding hash functions and the nostradamus attack, in ed. by S. Vaudenay.
*EUROCRYPT*. Lecture Notes in Computer Science, vol. 4004 (Springer, 2006), pp. 183–200Google Scholar - 29.J. Kelsey, B. Schneier, Second preimages on n-bit hash functions for much less than 2\(^{\text{ n }}\) work, in ed. by R. Cramer,
*Advances in Cryptology—EUROCRYPT 2005, 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Aarhus, Denmark, May 22–26, 2005, Proceedings*. Lecture Notes in Computer Science, vol. 3494 (Springer, 2005), pp. 474–490Google Scholar - 30.V. KeränenKeränen, Abelian squares are avoidable on 4 letters, in ed. by W. Kuich.
*ICALP*. Lecture Notes in Computer Science, vol. 623 (Springer, 1992), pp. 41–52Google Scholar - 31.V. Klima, Tunnels in hash functions: MD5 collisions within a minute. Cryptology ePrint Archive, Report 2006/105 (2006). http://eprint.iacr.org/
- 32.G. Leurent, Md4 is not one-way, in ed. by Nyberg, K.
*FSE*. Lecture Notes in Computer Science, vol. 5086 (Springer, 2008), pp. 412–428Google Scholar - 33.Leurent, G.: Practical key-recovery attack against APOP, an MD5-based challenge-response authentication. IJACT 1(1), 32–46 (2008).MathSciNetCrossRefMATHGoogle Scholar
- 34.S. Lucks, A failure-friendly design principle for hash functions, in ed. by B.K. Roy.
*ASIACRYPT*. Lecture Notes in Computer Science, vol. 3788 (Springer, 2005), pp. 474–494Google Scholar - 35.K. Matusiewicz, M. Naya-Plasencia, I. Nikolic, Y. Sasaki, M. Schläffer, Rebound attack on the full lane compression function, in ed. by M. Matsui.
*Advances in Cryptology—ASIACRYPT 2009, 15th International Conference on the Theory and Application of Cryptology and Information Security, Tokyo, Japan, December 6–10, 2009. Proceedings*. Lecture Notes in Computer Science, vol. 5912 (Springer, 2009), pp. 106–125Google Scholar - 36.F. Mendel, T. Peyrin, C. Rechberger, M. Schläffer, Improved cryptanalysis of the reduced Grøstl compression function, ECHO permutation and AES block cipher, in eds. by Jr., M.J.J., Rijmen V., Safavi-Naini R.
*Selected Areas in Cryptography. Lecture Notes in Computer Science*, vol. 5867 (Springer, 2009), pp. 16–35Google Scholar - 37.F. Mendel, C. Rechberger, M. Schläffer, S.S. Thomsen, The rebound attack: cryptanalysis of reduced whirlpool and Grøstl, in ed. by O. Dunkelman.
*FSE*. Lecture Notes in Computer Science, vol. 5665 (Springer, 2009), pp. 260–276Google Scholar - 38.A. Menezes, P. van Oorschot, S. Vanstone,
*Handbook of Applied Cryptography*. citeseer.ist.psu.edu/428600.html - 39.R.C. Merkle, One way hash functions and DES, in ed. by G. Brassard,
*CRYPTO ’89, Santa Barbara, California, USA, August 20–24, 1989, Proceedings*. Lecture Notes in Computer Science, vol. 435 (Springer, 1990), pp. 428–446Google Scholar - 40.M. Naor, M. Yung, Universal one-way hash functions and their cryptographic applications. in
*STOC*(ACM, 1989), pp. 33–43Google Scholar - 41.J.J. Pansiot, Complexité des Facteurs des Mots Infinis Engendrés Par Morphismes Itérés, in ed. by J. Paredaens.
*11th ICALP, Antwerpen*. LNCS, vol. 172 (Springer, july 1984), pp. 380–389. http://lsiit.u-strasbg.fr/Publications/1984/Pan84a - 42.Pleasants, P.A.: Non-repetitive sequences. Mat. Proc. Camb. Phil. Soc. 68, 267–274 (1970).MathSciNetCrossRefMATHGoogle Scholar
- 43.R.L. Rivest, Abelian square-free dithering for iterated hash functions. Presented at ECRYPT Hash Function Workshop, June 21, 2005, Krakow, and at the Cryptographic Hash workshop, November 1, 2005, Gaithersburg, Maryland (2005)Google Scholar
- 44.P. Rogaway, T. Shrimpton, Cryptographic hash-function basics: definitions, implications, and separations for preimage resistance, second-preimage resistance, and collision resistance, in eds. by B.K., Roy, W. Meier.
*FSE*. Lecture Notes in Computer Science, vol. 3017 (Springer, 2004), pp. 371–388Google Scholar - 45.Y. Sasaki, K. Aoki, Finding preimages in full md5 faster than exhaustive search, in ed. by A. Joux.
*EUROCRYPT*. Lecture Notes in Computer Science, vol. 5479 (Springer, 2009), pp. 134–152Google Scholar - 46.V. Shoup, A composition theorem for universal one-way hash functions, in ed. by B. Preneel.
*EUROCRYPT’00*. Lecture Notes in Computer Science, vol. 1807 (Springer, 2000), pp. 445–452Google Scholar - 47.X. Wang, X. Lai, D., Feng, H. Chen, X. Yu, Cryptanalysis of the hash functions MD4 and RIPEMD, in ed. by R. Cramer,
*Advances in Cryptology—EUROCRYPT 2005, 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Aarhus, Denmark, May 22–26, 2005, Proceedings*. Lecture Notes in Computer Science, vol. 3494 (Springer, 2005), pp. 1–18Google Scholar - 48.X. Wang, Y.L. Yin, H. Yu, Finding collisions in the full SHA-1, in ed. by V. Shoup.
*Advances in Cryptology—CRYPTO 2005: 25th Annual International Cryptology Conference, Santa Barbara, California, USA, August 14–18, 2005, Proceedings.*Lecture Notes in Computer Science, vol. 3621 (Springer, 2005), pp. 17–36Google Scholar - 49.X. Wang, H. Yu, How to break MD5 and other hash functions, in ed. by R. Cramer,
- 50.X. Wang, H. Yu, Y.L. Yin, Efficient collision search attacks on SHA-0, in ed. by V. Shoup.
*Advances in Cryptology—CRYPTO 2005: 25th Annual International Cryptology Conference, Santa Barbara, California, USA, August 14–18, 2005, Proceedings.*Lecture Notes in Computer Science, vol. 3621 (Springer, 2005), pp. 1–16Google Scholar