On hash functions using checksums

  • Praveen Gauravaram
  • John Kelsey
  • Lars R. Knudsen
  • Søren S. Thomsen
Regular Contribution

Abstract

We analyse the security of iterated hash functions that compute an input-dependent checksum which is processed as part of the hash computation. We show that a large class of such schemes, including those using non-linear or even one-way checksum functions, is not secure against the second preimage attack of Kelsey and Schneier, the herding attack of Kelsey and Kohno, and the multicollision attack of Joux. Our attacks also apply to a large class of cascaded hash functions. Our second preimage attacks on the cascaded hash functions improve the results of Joux presented at Crypto’04. We also apply our attacks to the MD2 and GOST hash functions. Our second preimage attacks on the MD2 and GOST hash functions improve the previous best known short-cut second preimage attacks on these hash functions by factors of at least 2^26 and 2^54, respectively. Our herding and multicollision attacks on the hash functions based on generic checksum functions (e.g., one-way) are a special case of the attacks on the cascaded iterated hash functions previously analysed by Dunkelman and Preneel and are not better than their attacks. On hash functions with easily invertible checksums, our multicollision and herding attacks (if the hash value is short, as in MD2) are more efficient than those of Dunkelman and Preneel.

Keywords

  • Iterated hash functions
  • Checksums
  • Generic attacks

References

  1. Bellare, M., Micciancio, D.: A new paradigm for collision-free hashing: incrementality at reduced cost. In: Fumy, W. (ed.) Advances in Cryptology—EUROCRYPT ’97, Proceedings, Lecture Notes in Computer Science, vol. 1233, pp. 163–192. Springer (1997)
  2. Coppersmith, D.: Two broken hash functions. IBM research report RC 18397, IBM T. J. Watson Research Center, Yorktown Heights, N.Y., 10598, USA, October (1992)
  3. Damgård, I.: A design principle for hash functions. In: Brassard, G. (ed.) Advances in Cryptology—CRYPTO ’89, Proceedings, Lecture Notes in Computer Science, vol. 435, pp. 416–427. Springer (1990)
  4. Dean, R.D.: Formal aspects of mobile code security. PhD thesis, Princeton University, January (1999)
  5. Dunkelman, O., Preneel, B.: Generalizing the herding attack to concatenated hashing schemes. Presented at the ECRYPT hash function workshop, May 24–25, 2007, Barcelona, Spain. Available: http://events.iaik.tugraz.at/HashWorkshop07/program.html (accessed 2009/11/27)
  6. Filho, D., Barreto, P., Rijmen, V.: The MAELSTROM-0 hash function. Published at the 6th Brazilian Symposium on Information and Computer System Security (2006)
  7. Gauravaram, P., Kelsey, J.: Linear-XOR and additive checksums don’t protect Damgård-Merkle hashes from generic attacks. In: Malkin, T. (ed.) Topics in Cryptology—CT-RSA 2008, Lecture Notes in Computer Science, vol. 4964, pp. 36–51. Springer, Berlin (2008)
  8. Gauravaram, P., Millan, W., Dawson, E., Viswanathan, K.: Constructing secure hash functions by enhancing Merkle-Damgård construction. In: Batten, L.M., Safavi-Naini, R. (eds.) Australasian Conference on Information Security and Privacy 2006, Proceedings, Lecture Notes in Computer Science, vol. 4058, pp. 407–420. Springer (2006). The full version of this paper is available at http://www.isi.qut.edu.au/research/publications/technical/qut-isi-tr-2006-013.pdf (accessed 2009/11/27)
  9. Gazzoni Filho, D.L., Barreto, P.S.L.M., Rijmen, V.: The Maelstrom-0 hash function. Published at the 6th Brazilian Symposium on Information and Computer System Security, August 28–September 1, Santos, Brazil (2006)
  10. Hoch, J., Shamir, A.: Breaking the ICE: finding multicollisions in iterated concatenated and expanded (ICE) hash functions. In: Robshaw, M. (ed.) Fast Software Encryption 2006, Lecture Notes in Computer Science, vol. 4047, pp. 179–194. Springer, Berlin (2006)
  11. Joux, A.: Multicollisions in iterated hash functions. Application to cascaded constructions. In: Franklin, M.K. (ed.) Advances in Cryptology—CRYPTO 2004, Proceedings, Lecture Notes in Computer Science, vol. 3152, pp. 306–316. Springer (2004)
  12. Kaliski, B.S. Jr.: The MD2 message-digest algorithm. RFC 1319, April 1992. Available: http://www.ietf.org/rfc/rfc1319.txt (accessed 2009/11/27)
  13. Kelsey, J., Kohno, T.: Herding hash functions and the Nostradamus attack. In: Vaudenay, S. (ed.) Advances in Cryptology—EUROCRYPT 2006, Proceedings, Lecture Notes in Computer Science, vol. 4004, pp. 183–200. Springer (2006)
  14. Kelsey, J., Schneier, B.: Second preimages on n-bit hash functions for much less than 2^n work. In: Cramer, R. (ed.) Advances in Cryptology—EUROCRYPT 2005, Proceedings, Lecture Notes in Computer Science, vol. 3494, pp. 474–490. Springer (2005)
  15. Knudsen, L.R., Mathiassen, J.E.: Preimage and collision attacks on MD2. In: Gilbert, H., Handschuh, H. (eds.) Fast Software Encryption 2005, Proceedings, Lecture Notes in Computer Science, vol. 3557, pp. 255–267. Springer (2005)
  16. Knudsen, L.R., Mathiassen, J.E., Muller, F., Thomsen, S.S.: Cryptanalysis of MD2 (2009). doi:10.1007/s00145-009-9054-1
  17. Lai, X., Massey, J.L.: Hash functions based on block ciphers. In: Rueppel, R.A. (ed.) Advances in Cryptology—EUROCRYPT ’92, Proceedings, Lecture Notes in Computer Science, vol. 658, pp. 55–70. Springer (1993)
  18. Lei, D.: F-HASH: securing hash functions using Feistel chaining. Cryptology ePrint Archive, Report 2005/430 (2005). Available: http://eprint.iacr.org/2005/430.pdf (accessed 2009/11/27)
  19. Lucks, S.: A failure-friendly design principle for hash functions. In: Roy, B.K. (ed.) Advances in Cryptology—ASIACRYPT 2005, Proceedings, Lecture Notes in Computer Science, vol. 3788, pp. 474–494. Springer (2005)
  20. Mendel, F., Pramstaller, N., Rechberger, C., Kontak, M., Szmidt, J.: Cryptanalysis of the GOST hash function. In: Wagner, D. (ed.) Advances in Cryptology—CRYPTO 2008, Proceedings, Lecture Notes in Computer Science, vol. 5157, pp. 162–178. Springer (2008)
  21. Merkle, R.C.: One way hash functions and DES. In: Brassard, G. (ed.) Advances in Cryptology—CRYPTO ’89, Proceedings, Lecture Notes in Computer Science, vol. 435, pp. 428–446. Springer (1990)
  22. Muller, F.: The MD2 hash function is not one-way. In: Lee, P.J. (ed.) Advances in Cryptology—ASIACRYPT 2004, Proceedings, Lecture Notes in Computer Science, vol. 3329, pp. 214–229. Springer (2004)
  23. Nandi, M., Stinson, D.: Multicollision attacks on some generalized sequential hash functions. IEEE Trans. Inf. Theory 53(2), 759–767 (2007)
  24. National Institute of Standards and Technology: FIPS PUB 180-1, Secure Hash Standard (17 April 1995)
  25. National Institute of Standards and Technology: FIPS PUB 180-2, Secure Hash Standard (1 August 2002)
  26. National Institute of Standards and Technology: FIPS PUB 180-3, Secure Hash Standard (June 2007)
  27. Preneel, B.: Analysis and design of cryptographic hash functions. PhD thesis, Katholieke Universiteit Leuven (February 1993)
  28. Quisquater, J.-J., Girault, M.: 2n-bit hash-functions using n-bit symmetric block cipher algorithms. In: Quisquater, J.-J., Vandewalle, J. (eds.) Advances in Cryptology—EUROCRYPT ’89, Proceedings, Lecture Notes in Computer Science, vol. 434, pp. 102–109. Springer (1990)
  29. Rivest, R.L.: The MD5 message-digest algorithm. RFC 1321, April 1992. Available: http://www.ietf.org/rfc/rfc1321.txt (accessed 2009/11/27)
  30. Rogier, N., Chauvaud, P.: MD2 is not secure without the checksum byte. Des. Codes Cryptogr. 12(3), 245–251 (1997)
  31. Rostekhregulirovaniye (Russia’s Federal Agency for Technical Regulation and Metrology): GOST R 34.11-94: Information technology—cryptographic data security—hashing function (1994)
  32. Wagner, D.: A generalized birthday problem. In: Yung, M. (ed.) CRYPTO 2002, Proceedings, Lecture Notes in Computer Science, vol. 2442, pp. 288–303. Springer (2002)
  33. Wang, X., Yin, Y., Yu, H.: Efficient collision search attacks on SHA-0. In: Shoup, V. (ed.) CRYPTO 2005, Proceedings, Lecture Notes in Computer Science, vol. 3621, pp. 1–16. Springer (2005)
  34. Wang, X., Yin, Y., Yu, H.: Finding collisions in the full SHA-1. In: Shoup, V. (ed.) CRYPTO 2005, Proceedings, Lecture Notes in Computer Science, vol. 3621, pp. 17–36. Springer (2005)
  35. Wang, X., Yu, H.: How to break MD5 and other hash functions. In: Cramer, R. (ed.) EUROCRYPT 2005, Proceedings, Lecture Notes in Computer Science, vol. 3494, pp. 19–35. Springer (2005)

Copyright information

© Springer-Verlag 2009

Authors and Affiliations

  • Praveen Gauravaram (1)
  • John Kelsey (2)
  • Lars R. Knudsen (1)
  • Søren S. Thomsen (1)
  1. Department of Mathematics, Technical University of Denmark (DTU), Kgs. Lyngby, Denmark
  2. Computer Security Division, National Institute of Standards and Technology, Gaithersburg, USA