Abstract
 1. Several generic preimage attacks on the XOR combiner: These attacks show a rather surprising result: regarding preimage resistance, the sum of two n-bit narrow-pipe hash functions following the considered constructions can never provide n-bit security.

    - A first attack with a best-case complexity of \( 2^{5n/6} \) obtained for messages of length \( 2^{n/3} \). It relies on a novel technical tool named interchange structure. It is applicable for combiners whose underlying hash functions follow the Merkle–Damgård construction or the HAIFA framework.

    - A second attack with a best-case complexity of \( 2^{2n/3} \) obtained for messages of length \( 2^{n/2} \). It exploits properties of functional graphs of random mappings. It achieves a significant improvement over the first attack but is only applicable when the underlying hash functions use the Merkle–Damgård construction.

    - An improvement upon the second attack with a best-case complexity of \( 2^{5n/8} \) obtained for messages of length \( 2^{5n/8} \). It further exploits properties of functional graphs of random mappings and uses longer messages.

 2. A generic second-preimage attack on the concatenation combiner of two Merkle–Damgård hash functions. This attack finds second preimages faster than \( 2^n \) for challenges longer than \( 2^{2n/7} \) and has a best-case complexity of \( 2^{3n/4} \) obtained for challenges of length \( 2^{3n/4} \). It also exploits properties of functional graphs of random mappings.

 3. The first generic second-preimage attack on the Zipper hash with underlying hash functions following the Merkle–Damgård construction. The best-case complexity is \( 2^{3n/5} \), obtained for challenge messages of length \( 2^{2n/5} \).

 4. An improved generic second-preimage attack on HashTwice with underlying hash functions following the Merkle–Damgård construction. The best-case complexity is \( 2^{13n/22} \), obtained for challenge messages of length \( 2^{13n/22} \).

The last three attacks show that, regarding second-preimage resistance, the concatenation and cascade of two n-bit narrow-pipe Merkle–Damgård hash functions do not provide much more security than can be provided by a single n-bit hash function.

 1. The interchange structure, which enables simultaneously controlling the behaviours of two hash computations sharing the same input.

 2. The simultaneous expandable message, which is a set of messages whose lengths cover a whole appropriate range and which form a multi-collision for both of the underlying hash functions.

 3. New ways to exploit the properties of functional graphs of random mappings generated by fixing the message block input to the underlying compression functions.

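
The functional graph named in the last item can be built and measured directly at toy scale. The following is an added example, not code from the paper: it assumes a 16-bit compression function made by truncating SHA-256 (the names `compress`, `FIXED_BLOCK` and the helpers are hypothetical), fixes the message block, and measures standard random-mapping statistics of the resulting mapping.

```python
import hashlib
from math import e, pi, sqrt

N_BITS = 16                      # toy state size (assumption); real hashes use n >= 128
N = 1 << N_BITS
FIXED_BLOCK = b"\x00" * 8        # the message block held constant (constructed value)

def compress(state: int, block: bytes) -> int:
    """Toy n-bit compression function: SHA-256 truncated to N_BITS (stand-in only)."""
    digest = hashlib.sha256(state.to_bytes(N_BITS // 8, "big") + block).digest()
    return int.from_bytes(digest[:N_BITS // 8], "big")

def build_graph(block: bytes = FIXED_BLOCK) -> list:
    """Fixing the block turns compress into a mapping f: state -> state."""
    return [compress(x, block) for x in range(N)]

def terminal_nodes(f: list) -> set:
    """States with no predecessor under f."""
    return set(range(N)) - set(f)

def cyclic_nodes(f: list) -> set:
    """Peel off predecessor-free states repeatedly; what survives lies on a cycle."""
    indeg = [0] * N
    for y in f:
        indeg[y] += 1
    stack = [x for x in range(N) if indeg[x] == 0]
    removed = [False] * N
    while stack:
        x = stack.pop()
        removed[x] = True
        y = f[x]
        indeg[y] -= 1
        if indeg[y] == 0:
            stack.append(y)
    return {x for x in range(N) if not removed[x]}

def rho(f: list, start: int) -> tuple:
    """(tail length, cycle length) of the walk start, f(start), f(f(start)), ..."""
    seen = {}
    x, step = start, 0
    while x not in seen:
        seen[x] = step
        x, step = f[x], step + 1
    return seen[x], step - seen[x]

if __name__ == "__main__":
    f = build_graph()
    print("terminal nodes:", len(terminal_nodes(f)), "expected about", round(N / e))
    print("cyclic nodes:  ", len(cyclic_nodes(f)), "expected about", round(sqrt(pi * N / 2)))
    print("tail, cycle from state 0:", rho(f, 0))
```

For a random mapping on N states, about N/e states have no predecessor and about sqrt(πN/2) states lie on cycles, so almost every chaining value sits on a tree that feeds into a small cyclic core.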
Keywords
Hash function, Generic attack, Hash combiner, XOR combiner, Concatenation combiner, Zipper hash, HashTwice, (Second) Preimage attack
Acknowledgements
This research is supported by the National Research Foundation, Prime Minister’s Office, Singapore, under its Strategic Capability Research Centres Funding Initiative, Nanyang Technological University under research Grant M4082123 and Singapore’s Ministry of Education under Grant M4012049. Itai Dinur is supported in part by the Israeli Science Foundation through Grant No. 573/16. Lei Wang is supported by National Natural Science Foundation of China (61602302, 61472250, 61672347), Natural Science Foundation of Shanghai (16ZR1416400), Shanghai Excellent Academic Leader Funds (16XD1401300), 13th five-year National Development Fund of Cryptography (MMJJ20170114).