## Abstract

Hash combiners are a practical way to make cryptographic hash functions more tolerant to future attacks and compatible with existing infrastructure. A combiner combines two or more hash functions in a way that is hopefully more secure than each of the underlying hash functions, or at least remains secure as long as one of them is secure. Two classical hash combiners are the exclusive-or (XOR) combiner \( \mathcal {H}_1(M) \oplus \mathcal {H}_2(M) \) and the concatenation combiner \( \mathcal {H}_1(M) \Vert \mathcal {H}_2(M) \). Both of them process the same message using the two underlying hash functions in parallel. Apart from parallel combiners, there are also cascade constructions sequentially calling the underlying hash functions to process the message repeatedly, such as Hash-Twice \(\mathcal {H}_2(\mathcal {H}_1(IV, M), M)\) and the Zipper hash \(\mathcal {H}_2(\mathcal {H}_1(IV, M), \overleftarrow{M})\), where \(\overleftarrow{M}\) is the reverse of the message *M*. In this work, we study the security of these hash combiners by devising the best-known generic attacks. The results show that the security of most of the combiners is not as high as commonly believed. We summarize our attacks and their computational complexities (ignoring the polynomial factors) as follows:

- 1.
Several generic preimage attacks on the XOR combiner:

A first attack with a best-case complexity of \( 2^{5n/6} \) obtained for messages of length \( 2^{n/3} \). It relies on a novel technical tool named interchange structure. It is applicable for combiners whose underlying hash functions follow the Merkle–Damgård construction or the HAIFA framework.

A second attack with a best-case complexity of \( 2^{2n/3} \) obtained for messages of length \( 2^{n/2} \). It exploits properties of functional graphs of random mappings. It achieves a significant improvement over the first attack but is only applicable when the underlying hash functions use the Merkle–Damgård construction.

An improvement upon the second attack with a best-case complexity of \( 2^{5n/8} \) obtained for messages of length \( 2^{5n/8} \). It further exploits properties of functional graphs of random mappings and uses longer messages.

These attacks show a rather surprising result: regarding preimage resistance, the sum of two

*n*-bit narrow-pipe hash functions following the considered constructions can never provide*n*-bit security. - 2.
A generic second-preimage attack on the concatenation combiner of two Merkle–Damgård hash functions. This attack finds second preimages faster than \( 2^n \) for challenges longer than \( 2^{2n/7} \) and has a best-case complexity of \( 2^{3n/4} \) obtained for challenges of length \( 2^{3n/4} \). It also exploits properties of functional graphs of random mappings.

- 3.
The first generic second-preimage attack on the Zipper hash with underlying hash functions following the Merkle–Damgård construction. The best-case complexity is \( 2^{3n/5} \), obtained for challenge messages of length \( 2^{2n/5} \).

- 4.
An improved generic second-preimage attack on Hash-Twice with underlying hash functions following the Merkle–Damgård construction. The best-case complexity is \( 2^{13n/22} \), obtained for challenge messages of length \( 2^{13n/22} \).

The last three attacks show that regarding second-preimage resistance, the concatenation and cascade of two

*n*-bit narrow-pipe Merkle–Damgård hash functions do not provide much more security than that can be provided by a single*n*-bit hash function.

Our main technical contributions include the following:

- 1.
The interchange structure, which enables simultaneously controlling the behaviours of two hash computations sharing the same input.

- 2.
The simultaneous expandable message, which is a set of messages of length covering a whole appropriate range and being multi-collision for both of the underlying hash functions.

- 3.
New ways to exploit the properties of functional graphs of random mappings generated by fixing the message block input to the underlying compression functions.

## Introduction

A cryptographic hash function \(\mathcal {H}: \{0, 1\}^{*} \rightarrow \{0, 1\}^n\) maps arbitrarily long messages to *n*-bit digests. It is a fundamental primitive in modern cryptography and is among the main building blocks of many widely utilized cryptographic protocols and cryptosystems. There are three *basic* security requirements on a hash function \(\mathcal {H}\):

*Collision Resistance*It should be computationally infeasible to find a pair of different messages*M*and \( M' \) such that \(\mathcal {H}(M) = \mathcal {H}(M')\).*Preimage Resistance*Given an arbitrary*n*-bit value \(V\), it should be computationally infeasible to find any message*M*such that \(\mathcal {H}(M)=V\).*Second-Preimage Resistance*Given a challenge message*M*, it should be computationally infeasible to find any different message \(M'\) such that \(\mathcal {H}(M) = \mathcal {H}(M')\).

As the birthday and brute-force attack requires \(2^{n/2}\) and \(2^{n}\) computations, respectively, to find a collision and a (second) preimage, a secure hash function is expected to provide the same level of resistance.

Unfortunately, widely deployed standards (such as MD5 and SHA-1) fail to provide the expected resistance because of cryptographic weaknesses [58, 59]. Moreover, Kelsey and Schneier have demonstrated a generic second-preimage attack against all hash functions based on the classical Merkle–Damgård construction (such as MD5, SHA-1 and SHA-2) when the challenge message is long [38]. As a result, countermeasures have been proposed in order to build more tolerant hash functions and to protect oneself against future attacks, while keeping the same interface for compatibility. A practical way is to combine the outputs of two (or more) independent hash functions to provide better security in case one or even both hash functions are weak. In particular, this reasoning was used by the designers of SSL [21] and TLS [15], who combined MD5 and SHA-1 in various ways. More precisely, the key derivation function of TLS version 1.0/version 1.1 uses a sum of HMAC-MD5 and HMAC-SHA-1.^{Footnote 1} The designers explain [15], “In order to make the PRF as secure as possible, it uses two hash algorithms in a way which should guarantee its security if either algorithm remains secure”. Formally, we call the resulting construction a *hash function combiner* (or combiner for short). The goal of a hash combiner is to achieve *security amplification*, i.e., the hash combiner has higher security than its underlying hash functions, or to achieve *security robustness*, i.e., the hash combiner is secure as long as (at least) one of its underlying hash functions is secure.

There are two classical hash combiners: the concatenation combiner and the exclusive-or (XOR) combiner. Both of them process the same message using two (independent) hash functions \(\mathcal {H}_1\) and \(\mathcal {H}_2\) in parallel. Then, the former concatenates their outputs, \(\mathcal {H}_1(M) \Vert \mathcal {H}_2(M)\), and the latter XORs them, \(\mathcal {H}_1(M) \oplus \mathcal {H}_2(M)\). More generally,^{Footnote 2} cryptographers have also studied cascade constructions of two (or more) hash functions, that is, to compute \(\mathcal {H}_1\) and \(\mathcal {H}_2\) in sequential order. Examples are Hash-Twice, \(\mathcal {HT}(M) \triangleq \mathcal {H}_2(\mathcal {H}_1(IV, M), M)\),^{Footnote 3} and the Zipper hash [40], \(\mathcal {H}_2(\mathcal {H}_1(IV, M), \overleftarrow{M})\), where \(\overleftarrow{M}\) is the message with the same blocks as *M* but in reversed order. Such kinds of cascade constructions are not strictly black-box hash combiners compared with the XOR combiner and the concatenated combiner. That is because the initial vector of the subsequent hash functions is not fixed as in their specifications. Instead, for such constructions, to get black-box access to the underlying hash functions, the initial vector of these hash functions is required to be an input parameter. However, apart from this point, other parts of the hash functions are all accessed as black boxes by the constructions. Considering that such constructions can be classified into the method of designing hash functions using multiple existing hash functions, and for the sake of conciseness, we regard these cascade constructions of hash functions as hash combiners in this paper. In the sequel, for these combiners, we call the computation of the first (resp. the second) hash function the first (resp. the second) computation pass (or simply, the *first pass*, resp. the *second pass*).

In this paper, we study the security of these hash combiners. We focus on combiners of *iterated* hash functions. Iterated hash functions commonly first pad and split the message *M* into message blocks of fixed length (e.g., *b*-bit), i.e., \(M = m_1\Vert m_2\Vert \ldots \Vert m_L\). They then process message blocks by iteratively applying a series of compression function \(h_i\). Those compression functions update an internal state, initialized with a public value *IV*, using the previous state value and the current message block, i.e., \(x_{i} = h_i(x_{i-1},m_{i})\). Finally, the internal state is updated by a finalization function which can be either the compression function or another independent function, and the output of the finalization function is outputted as the hash digest. For simplicity of description, we assume that the finalization function is the same as the compression function in the rest of the paper, but we stress that our attacks also work in a straightforward way with an independent finalization function. In this work, we mainly focus on hash functions whose internal state size is equal to its output size, which are known as “narrow-pipe” designs. We will discuss the applicability of our proposed attacks on “wide-pipe” designs whose internal state size is (not much) larger than its output size at the end of the paper. In particular, we consider hash functions following the classical Merkle–Damgård construction [16, 44] and the more general HAIFA framework [6], for which we naturally take the length padding mentioned next as the message padding scheme. The Merkle–Damgård construction (MD) applies the same compression function *h* in all iterations (see Fig. 1) and adds a padding of the message length to the final message block (known as length padding, or Merkle–Damgård strengthening). The HAIFA framework is similar to the MD construction but uses extra inputs to the compression function with the number of message bits hashed so far and a salt value; this is equivalent to using a different compression function for each block. The primary goal of that construction is to thwart some narrow-pipe attacks (e.g., Kelsey and Schneier’s long message second-preimage attack on MD hash [38]). HAIFA framework is formally defined as follows:^{Footnote 4}

### Related Works

Combiners have been studied in several settings, including generic attacks and security proof. For generic attacks, the compression functions are modelled as random functions to devise attacks that do not use any weakness of the compression function. Thus, they provide upper bounds on the security of the combiners.

Security proof, which is more theoretical work, focuses on the notion of *robustness* and *security amplification*. A robust combiner is secure regarding property \(\alpha \) as long as one of the underlying hash functions is secure regarding \(\alpha \). Lines of research for those security notions include the study of advanced combiners in [13, 22,23,24,25, 30, 31, 39]. A series of studies on the minimum output length of robust combiners have shown that robust combiners for collision resistance and preimage resistance cannot have an output length significantly shorter than the sum of the output length of the underlying hash functions [5, 50, 51, 55] (more recent works include [45, 47]).

There are also some works that assume that the compression function is a *weak* random oracle (i.e., the attacker is given additional interfaces to receive random preimages of the compression functions) and prove that some constructions are still secure in this model [33, 40] or provide efficient attacks on the combiners by exploiting weakness of the underlying hash functions [11, 34].

#### Analysis of the Concatenation Combiner

The concatenation combiner \(\mathcal {H}_1(M) \Vert \mathcal {H}_2(M)\) (see Fig. 2) is probably the most well-known and most studied hash combiner. This combiner was described already in 1993 [53].

*Generic Attacks* In 2004, Joux [35] described surprising attacks on the concatenation of two narrow-pipe iterated hash functions using multi-collisions: while the output size is 2*n* bits, the concatenation combiner merely provides at most *n* / 2-bit security for collision resistance and *n*-bit security for preimage resistance^{Footnote 5} (see Sect. 2.1 for a description). In particular, the concatenation combiner is not security-amplifying. (It does not increase collision and preimage resistance.)

Following the results of Joux (which showed that the concatenation combiner does not increase collision and preimage resistance) and the later results of Kelsey and Schneier (which showed that the second-preimage resistance of the MD construction is less than \(2^n\)), a natural question is whether there exists a second-preimage attack on the concatenation combiner of MD hash functions that is faster than \(2^n\). Interestingly, the problem of devising such an attack remained open for a long time despite being explicitly mentioned in several papers including [19]. In fact, although the works of [35, 38] have attracted a significant amount of follow-up research on countermeasures against second-preimage attacks (such as Hash-Twice or dithered hash) and attacks that break them [1,2,3], there has been no progress concerning second-preimage attacks on the basic concatenation combiner. In this paper, we try to provide an answer to this question by devising the first second-preimage attack on the concatenation combiner of MD hash functions, which is faster than \(2^n\).

*Security Proof* From the theoretical side, the concatenation combiner is robust for collision resistance, e.g., a collision \(\mathcal {H}_1(M) \Vert \mathcal {H}_2(M) = \mathcal {H}_1(M') \Vert \mathcal {H}_2(M')\) implies \(\mathcal {H}_1(M) = \mathcal {H}_1(M')\) and \(\mathcal {H}_2(M) = \mathcal {H}_2(M')\).

Hoch and Shamir [33] evaluated the security of the concatenation combiner with two weak hash functions. More precisely, the two hash functions are narrow-pipe MD, and the compression functions are modelled as weak random oracles (as defined by Liskov [40]), i.e., the adversary is given additional interfaces to receive (random) preimages of the compression functions. They have proved that in this model, the concatenation combiner is still indifferentiable from a random oracle with *n* / 2-bit security, implying (at least) the same security bound for collision resistance and preimage resistance. The bound is matched by Joux’s attack for collisions, but there is a gap with Joux’s attack for preimages, with complexity \(2^{n}\), which might be interesting to investigate further.

*Analysis of Dedicated Instantiations* Mendel *et al.* analysed some dedicated instantiations of the concatenation combiner [48], in particular using the hash function MD5. We omit the details and refer interested readers to [48].

#### Analysis of the XOR Combiner

The XOR combiner \(\mathcal {H}_1(M) \oplus \mathcal {H}_2(M)\) (see Fig. 3) has received less analysis.

*Generic Attacks* To the best of our knowledge, no preimage attacks have been shown against the XOR combiner. Therefore, the preimage security of the XOR combiner against generic attacks is still an open problem and will be one of the main topics of our work.

*Security Proof* Theoretically, the XOR combiner is robust concerning PRF (pseudo-random function) and MAC (message authentication code) in the black-box reduction model [39]. Since the XOR combiner is length-preserving, from the conclusions regarding the minimum output length of robust combiners, it is not robust for collision resistance and preimage resistance. However, the work of Hoch and Shamir [33] actually proves the security of the XOR combiner as an intermediate result: it is also indifferentiable from a random oracle up to \(2^{n/2}\) queries in the weak random oracle model. In particular, this proves there are no generic attacks with complexity less than \(2^{n/2}\). For collision resistance, the bound is tight, since it is matched with the generic birthday attack bound. On the other hand, for preimage resistance, there exists a gap between the *n* / 2-bit proven bound and the *n*-bit expected ideal security bound. Note that the non-robustness result regarding preimage security does not imply that the XOR of two concrete hash functions is weak, and the simplicity and short output of this construction still make it quite attractive.

#### Analysis of Hash-Twice

Hash-Twice is a folklore hash construction that hashes a (padded) message twice, with the output of the first hash value as the value of the initialization vector of the second hash. In its original definition [2], the two underlying hash functions are identical, i.e., \(\mathcal {HT}(M) \triangleq \mathcal {H}(\mathcal {H}(IV, M), M) \); here, we consider a generalized version, where the underlying hash functions are independent, i.e., \(\mathcal {HT}(M) \triangleq \mathcal {H}_2(\mathcal {H}_1(IV, M), M) \) (see Fig. 4).

*Generic Attacks* Towards the three basic security requirements, a second-preimage attack on Hash-Twice (\(\mathcal {HT}(M) \triangleq \mathcal {H}(\mathcal {H}(IV, M), M) \)) has been published by Andreeva *et al.* in [2]. The attack is based on a herding attack, which exploits the diamond structure originally used in the herding attack on a single hash function [37] (see Sect. 2.3 for an introduction). The complexity of the attack is approximately \( 2^{(n + t)/2} + 2^{n - {\ell }} + 2^{n - t} \), where \( 2^t \) is the width of the diamond structure and \( 2^{\ell } \) is the length of the challenge.

*Security Proof* To the best of our knowledge, there is no published formal proof regarding the security of Hash-Twice. However, we can claim that they are at least as secure as the original functions: a generic collision attack requires at least \( 2^{n/2} \) (because we need a collision in one of the compression functions); a preimage attack requires at least \( 2^{n} \) (because we need a preimage for the finalization function); and a second preimage requires at least \( 2^{n/2} \) (because it implies a collision).

#### Analysis of the Zipper Hash

The Zipper hash has been proposed with the goal of constructing an ideal hash function from weak ideal compression functions. (By “weak ideal”, it means that the compression function is vulnerable to strong forms of attack but is otherwise random.) Similar to Hash-Twice, it cascades two independent hash functions evaluating the same (padded) message. The difference is that the second hash processes the message blocks in reverse order, i.e., \( \mathcal {ZH} \triangleq \mathcal {H}_2(\mathcal {H}_1(IV_1, M), \overleftarrow{M}) \) (see Fig. 5). Note that the messages are first padded by a padding scheme and split into message blocks, and then, they are processed in forward and reverse order sequentially. Thus, the padded message block \( m_L \) is processed at the end of the first hash computation and at the beginning of the second hash computation, i.e., in the middle of the whole processing procedure. The padding scheme of Zipper was specified to be any injective function of the message [40]. In this paper, and as for all other combiners, we take the length padding of the MD construction as the padding scheme.

*Generic Attacks* To the best our knowledge, no generic attacks on the Zipper hash regarding the three basic security notions have been shown. However, there are a number of works that consider other security notions, such as multi-collision, herding attack or attacks assuming weak compression functions. Examples include [2, 11, 32, 34, 49], some of which also consider the corresponding security of Hash-Twice.

*Security Proof* Zipper hash is proved ideal in the sense that the overall hash function is indistinguishable from a random oracle (up to the birthday bound) when instantiated with weak ideal compression functions. More precisely, its provable security is \( 2^{\min (b, n)/2} \) for collision resistance and \( 2^{\min (b,n)} \) for (second-) preimage resistance, where *b* is the size of the message block and *n* is the size of the internal state and the hash value (considering “narrow-pipe” design).

### Our Results

In this work, we study the upper bound of the security of these hash combiners by devising the best-known generic preimage attacks and second-preimage attacks with a long challenge. We do not assume any weakness of the compression functions, i.e., they are accessed as black boxes in our attacks. The compression functions are chosen uniformly at random from all \(n+b\) to *n*-bit functions, which implies that our analysis applies to most compression functions. Table 1 summarizes the updated security status of various hash combiners after integrating our new results. It shows that the security of most combiners is not as high as commonly believed. Regarding certain basic security requirements, these combiners of two (or even more) *n*-bit hash functions fail to provide more (or even the same) security than that provided by a single *n*-bit ideal hash function.

Next, we briefly introduce our main attacks on combiners of two narrow-pipe hash functions and their computational complexities (ignoring the polynomial factors). In addition to the attacks summarized next, we also present improved but more complex attacks and apply our techniques to attack combiners of more than two hash functions.

#### Preimage Attacks on the XOR Combiner

We present several generic attacks:

*A first attack with a best-case complexity of*\( 2^{5n/6} \)*computations obtained for messages of length*\( 2^{n/3} \). This attack involves a meet-in-the-middle procedure enabled by building a novel technical tool named*interchange structure*. This structure consists of a sequence of basic building modules named*switches*among different hash computation lanes such that it breaks the pairwise dependency between the internal states of these hash computations on the same message. This attack is applicable for the XOR combiner with underlying hash functions following a wide range of iterated constructions (e.g., the classical MD construction and the more general HAIFA framework) and for the Cryptophia’s short combiner [46, 47].*A second attack with a best-case complexity of*\( 2^{2n/3} \)*computations obtained for messages of length*\( 2^{n/2} \). This attack also involves a meet-in-the-middle procedure, but instead of using the interchange structure, it exploits properties of functional graphs of random mappings. The random mappings are generated by fixing the message block input to the underlying compression functions. The functional graphs of these random mappings are formed by successive iteration of the mappings, whose nodes are all possible values of input/output and whose edges are all from preimages to images. We exploited special nodes that are images of a large number of iterations of the mappings. We named them*deep iterates*because they are located at deep strata in the functional graphs. By exploiting such deep iterates, the variability of the number of iterations provides extra freedom to find a linking message fragment mapping a pair of starting states to a predefined pair of states. When using this freedom, to overcome the hurdle set by the length padding, we construct a structure named*simultaneous expandable message*, which is a set of messages of length covering a whole appropriate range and being multi-collisions for both of the underlying hash functions. This attack achieves a trade-off of \(2^{n} \cdot L^{-2/3}\) between the maximal allowed message length*L*and the time complexity of attack. This improves the trade-off of \(2^{n} \cdot L^{-1/2}\), obtained by the first interchange structure-based attack. On the other hand, it only applies when both underlying hash functions combined use the MD construction.*An improvement upon the second attack with a best-case complexity of*\( 2^{5n/8} \)*obtained for messages of length*\( 2^{5n/8} \). In this attack, we exploit more special nodes in functional graphs of random mappings, which are called cyclic nodes, and we utilize a technique named*multi-cycles*. Linking pairs of states through cyclic nodes and allowing to loop around the cycles make the attack more efficient. The complexity improvement of the resulting preimage attack is \( 2^{n/24} \). We point out that this attack has the limitation that the length of the message must be at least \(2^{n/2}\) blocks. Therefore, its practical impact is limited and its main significance is theoretical. This attack shows that the security level regarding preimage resistance of the XOR combiner is quite close to the provable security level \( 2^{n/2} \), which is also the level of collision resistance.

These attacks on the XOR combiner show a rather surprising result—regarding preimage resistance, the sum of two *n*-bit iterated hash functions can never provide *n*-bit security. In general, the sum is *weaker* than each of the two hash functions.

#### Second-Preimage Attack on the Concatenation Combiner

We describe the first generic second-preimage attack faster than \( 2^n \) on the concatenation combiner of two MD hash functions. The general framework follows that of the long message second-preimage attack on a single MD hash [38]. It is faster than \( 2^n \) computations by overcoming two main challenges. The first is to overcome the length padding. We solve this by using the *simultaneous expandable message*. The second is to speed up the connection from a crafted message to the challenge message on chaining states. In the case of hash combiners, one must connect to the challenge message on *a pair of**n*-bit states, while in the second-preimage attack on a single MD hash, one needs only to connect on a single *n*-bit state. Thus, the attempt is essentially to reach a 2*n*-bit state (in a set of *L* states, where *L* is the message length in blocks, and thus \( L < 2^n \)) faster than \( 2^n \) computations. We solve this by exploiting again deep iterates in functional graphs. In this attack, we choose a pair of deep iterates as target chaining states, such that the connection from our crafted message to the challenge message is more efficient. Indeed, this attack is closely related to our deep iterate-based preimage attack on the XOR combiners.

We obtain a trade-off between the complexity of the attack and the length of the challenge message. This second-preimage attack is faster than \(2^n\) for input messages of length at least^{Footnote 6}\(2^{2n/7}\). The best-case complexity^{Footnote 7} is \(2^{3n/4}\), obtained for (very) long challenges of length \(2^{3n/4}\). Again, due to these constraints, the practical impact of our second-preimage attack is limited and its main significance is theoretical. Namely, it shows that regarding second-preimage resistance, the concatenation of two *n*-bit MD hash functions is not as strong as a single *n*-bit ideal hash function.

#### Second-Preimage Attack on the Zipper Hash

We show the first generic second-preimage attack on the Zipper hash. This attack combines multiple tools, including Joux’s multi-collision, the simultaneous expandable message, deep iterates and multi-cycles in functional graph of random mappings. The general framework is similar to that of above ones on combiners of MD hashes. However, some special specifications of the Zipper hash allow the attacker to choose an optimal configuration on message length for the attack and to launch a more efficient meet-in-the-middle connecting procedure in the attack. The best-case complexity of this attack is \( 2^{3n/5} \), obtained for challenge message of length \( 2^{2n/5} \). This result shows that combination of two MD hash functions using a Zipper can be vulnerable to second-preimage attack with long challenges.

#### Second-Preimage Attack on Hash-Twice

We give an improved second-preimage attack on Hash-Twice. This attack also combines multiple tools including Joux’s multi-collision, the diamond structure, the interchange structure, the simultaneous expandable message, deep iterates and multi-cycles in functional graphs. Like all our previous functional graph-based attacks, it improves a previous attack from [2] because of the efficiency brought by exploiting the special nodes in the functional graphs. The best-case complexity of this attack is \( 2^{13n/22} \), obtained for challenge message of length \( 2^{13n/22} \). This attack shows that regarding second-preimage resistance, hashing a message twice using two Merkle–Damgård hash functions does not provide much more security compared with hashing the message only once.

Finally, we highlight the technical interests of this paper. We believe that the tools introduced in this paper—the interchange structure, the simultaneous expandable message, deep iterates and multi-cycles in random functional graphs—are important technical advances and will hopefully have further applications or lead to new technical developments in related settings. Particularly, we point out that we can use the interchange structure in order to optimize the complexity of functional graph-based attacks on the XOR combiner, concatenation combiner and Hash-Twice. Although this does not lead to a very big improvement, it further demonstrates the wide applicability of this structure in cryptanalysis of hash function combiners.

### Notations and Roadmap of the Rest of Paper

#### Notations

We summarize below notations shared across various attacks.

\(\mathcal {H}_1\), \(\mathcal {H}_2\) | Underlying hash functions in a hash combiner |

\(IV_1\), \(IV_2\) | Initialization vectors of \(\mathcal {H}_1\) and \(\mathcal {H}_2\), respectively |

\(h_1\), \(h_2\) | Compression functions of \(\mathcal {H}_1\) and \(\mathcal {H}_2\), respectively |

\(h_1^*\), \(h_2^*\) | Compression functions iterated over several blocks (in particular, \(\mathcal {H}_i(\varvec{M}) = h_i^*(IV_i, \varvec{M})\) for \( i \in \{1,2\} \)) |

\(V\) | Targeted image |

m | Message block |

M | Message chunk |

\([m]^{q}\) | Message chunk formed by concatenating q message blocks m, with \( [m] = [m]^1 \) |

\(M_{\Vert q}\) | Message chunk with q message blocks |

\(\varvec{M}= m_1 \Vert \ldots \Vert m_L \) | Target message or computed preimage ( of L massage blocks) |

L | Length of \( \varvec{M}\) (measured in the number of blocks) |

\({\ell }\) | The binary logarithm of the length of the message \( \varvec{M}\), i.e., denote \( L = 2^{\ell } \) |

\( \varvec{M}' \) | Computed second preimage |

\(L'\) | Length of \( \varvec{M}' \) (measured in the number of blocks) |

\( a_0,\ldots ,a_L \) | Sequence of internal states computed during the invocation of \( h_1 \) on \(\varvec{M}\), \( a_0 = IV_1 \) |

\( b_0,\ldots ,b_L \) | Sequence of internal states computed during the invocation of \( h_2 \) on \(\varvec{M}\), \( b_0 = IV_2 \) |

x, y | Computed internal states |

\(\vec {a}_j,\vec {b}_k\) | Chains of internal states for \(\mathcal {H}_1\) and \(\mathcal {H}_2\), respectively. \(\vec {a}_j\) denotes a generic chain, while \(\vec {a}_{j_{0}}\) denotes a particular chain |

\(A_j,B_k\) | End points (final states) of the chains |

n | Bit size of the output of each underlying hash function (\( \mathcal {H}_1 \) and \( \mathcal {H}_2 \)); in addition, we suppose their compression functions \( h_1 \) and \( h_2 \) have n-bit internal states (i.e., suppose the underlying hash functions are narrow-pipe) |

b | Bit size of a message block |

N | The considered random mappings are from a finite N-set domain to a finite N-set range, and \( N = 2^n \) |

\( \mathcal {FG}_{f_1} \), \( \mathcal {FG}_{f_2} \) | The functional graphs of random mappings \( f_1(\cdot ) \triangleq h_1(\cdot , m) \) and \( f_2(\cdot ) \triangleq h_2(\cdot , m) \) generated by fixing a message block m to the compression functions |

\( \mathcal {M} \) | A set of messages |

\( \mathcal {M}_\mathtt{MC/EM/SEM/DS/IS} \) | The set of messages in a standard Joux’s multi-collision or an expandable message or a simultaneous expandable message or a diamond structure or an interchange structure |

\( x \xrightarrow {m} x' \), \( x \xrightarrow {\hat{M}} x' \) | We say that m (resp. \( \hat{M} \)) maps state x to state \( x' \) if \( x'=h(x,m) \) (resp. \( x'=h^{*}(x,\hat{M}) \)) and denote this by \( x \xrightarrow {m} x'\) (resp. \( x \xrightarrow {\hat{M}} x' \), the compression function \( h\) is clear from the context). |

\( h_{[m]} \) | An n-bit random mapping obtained by feeding an arbitrary fixed message block m into a compression function h with n-bit state. |

\( \tilde{O} \) | Soft-O is used as a variant of big O notation that ignores logarithmic factors. Thus, \( f(n) \in \tilde{O}(g(n)) \) is shorthand for \( \exists k: f(n) \in O(g(n)\log ^k g(n)) \) |

#### Roadmap

Section 2 exhibits preliminaries including generic tools and known attacks on hash constructions. Particularly, Sects. 2.5, 2.6 and 2.7 demonstrate those new tools—the interchange structure, the simultaneous expandable message, deep iterates and multi-cycles in random functional graphs—which make the presented attacks possible. Sections 3, 4 and 5 illustrate preimage attacks on the XOR combiner using interchange structure, deep iterates and multi-cycles in functional graphs, respectively. Sections 6, 7 and 8 describes the second-preimage attacks on the concatenation combiner, Zipper hash and Hash-Twice, respectively. Within the description of each attack, we provide an overview followed by detailed steps. In Sect. 9, we discuss more applications and extensions of the proposed attacks, including applications to combiners of wide-pipe hash functions and extensions to the combination of more than two hash functions. Section 10 summarizes attacks presented in this paper and discusses open problems.

## Preliminaries

In this section, we introduce the technical tools and general concepts used in our attacks. Those tools briefly introduced in Sect. 2.1 through Sect. 2.4 are all existing and well-known tools. Those tools described in detail in Sect. 2.5 through Sect. 2.7 are our new tools exploited in different attacks.

### Joux’s Multi-collision (MC) and Its Applications in Attacks on the Concatenation Combiner [35]

In 2004, Joux introduced multi-collisions on narrow-pipe Merkle–Damgård hash functions. Given a hash function \(\mathcal {H}\), a multi-collision refers to a set of messages \(\mathcal {M} =\{M_1, M_2, \ldots \}\) whose hash digests are all the same, i.e., \(\mathcal {H}(M_i)=\mathcal {H}(M_j)\) for any pair \(M_i,M_j \in \mathcal {M} \). The computational complexity of generic brute-force search increases exponentially when the target size \(|\mathcal {M}|\) increases; more precisely, it is approximately \(2^{(|\mathcal {M}|-1) \cdot n/|\mathcal {M}|}\). Utilizing the iterative nature of Merkle–Damgård structure, Joux’s algorithm (see Algorithm 1, whose pseudo-code is given in Appendix A) is able to find multi-collision of size \(2^t\) with a complexity of \(t\cdot 2^{n/2}\), i.e., a complexity not much greater than that of finding a single collision.

It is trivial to see the message set \(\mathcal {M} = \{\overline{m}_1 \Vert \overline{m}_2 \Vert \cdots \Vert \overline{m}_t ~~|~~ \overline{m}_i=m_i\text { or }m'_i \text { for }i = 1,2, \ldots , t\}\) forms a multi-collision of size \(2^t\), and the overall complexity is \(\mathcal {O}(t\cdot 2^{n/2})\). Moreover, a data structure \( \mathcal {M}_\mathtt{MC}\) of *t* pairs of message blocks can fully define the set \( \mathcal {M} \) of \( 2^t \) colliding messages.

With Joux’s multi-collision at hand, one can immediately deploy a collision attack and a preimage attack on concatenation combiner with complexities \( n\cdot 2^{n/2} \) and \( n\cdot 2^n \), respectively. The collision attack goes as follows: first, build a \( 2^{n/2} \)-Joux’s multi-collision for one of the underlying hash functions (iterated), and then, exploit the messages in the structure to launch a birthday attack for the other hash function to find a collision among the outputs. The preimage attack follows a similar framework (see [7] for an illustration and Joux’s original paper [35] for more details).

Since its invention, Joux’s multi-collisions have been employed in numerous cryptanalysis of hash functions, including the following most relevant ones and works such as [32, 49].

### Expandable Message (EM) and the Long Message Second-Preimage Attack [38]

In [14], Dean devised a second-preimage attack for long messages on specific Merkle–Damgård hash functions for which it is easy to find fixed points in their compression function. Given a challenge message \(\varvec{M}= m_1\Vert m_2\Vert \ldots \Vert m_L\), the attacker computes the sequence of internal states \(a_0,a_1,\ldots ,a_L\) generated during the invocation of the compression function on \(\varvec{M}\). A simplified attack would now start from the state \(x_0 = IV\) and evaluate the compression function with arbitrary message blocks until a collision \(h(x_0,m) = a_p\) is found for some message block *m* and index *p*. The attacker can now append the message suffix \(m_{p+1}\Vert \ldots \Vert m_L\) to *m*, hoping to obtain the target hash value \(\mathcal {H}(\varvec{M})\). However, this approach does not work due to the final padding of the message length, which will be different if the message prefixes are of different lengths. The solution of Dean was to compute an *expandable message* that consists of the initial state \(x_0\) and another state \(\hat{x}\) such that for each length \(\kappa \) (in some range), there is a message \(M_{\Vert \kappa }\) of \(\kappa \) blocks that maps \(x_0\) to \(\hat{x}\). Thus, the algorithm first finds a collision \(h(\hat{x},m) = a_p\), and the second preimage is computed as \(M_{\Vert p-1}\Vert m\Vert m_{p+1}\Vert \ldots \Vert m_L\). The assumption that it is easy to find fixed points in the compression function is used in efficient construction of the expandable message.

In [38], Kelsey and Schneier described a more generic attack that uses multi-collisions of a special form to construct an expandable message, removing the restriction of Dean regarding fixed points. As in Joux’s original algorithm, the multi-collisions are constructed iteratively in *t* steps. In the *i*th step, we find a collision between some \(m_i\) and \(m'_i\) such that \(|m_i|=1\) (it is a single block) and \(|m'_i|=2^{i-1}+1\), namely \(h(x_{i-1},m_i) = h(x_{i-1},m'_i)\). This is done by firstly picking an arbitrary prefix of size \(2^{i-1}\) of \(m'_i\) denoted by \( \hat{m}_i \), say \( [0]^{2^{i-1}} \), computing \(h(x_{i-1}, \hat{m}_i) = x'_i\) and then looking for a collision \(h(x_{i-1},m_i) = h(x'_i,\check{m}_i)\) using a final block \(\check{m}_i\) (namely \(m'_i = \hat{m}_i \Vert \check{m}_i\)) (see Fig. 6).

The construction of Kelsey and Schneier gives an expandable message that can be used to generate messages starting from \(x_0\) and reaching \(\hat{x} = x_t\) whose (integral) sizes are in the interval \([t,2^t+t-1]\). (Such a message structure is denoted as a \((t,2^t+t-1)\)-expandable message.) A message of length \(t \le \kappa \le 2^t+t-1\) is generated by looking at the *t*-bit binary representation of \(\kappa -t\). In iteration \(i \in \{1,2,\ldots ,t\}\), we select the long message fragment \(m'_i\) if the *i*th LSB of \(\kappa -t\) is set to 1 (otherwise, we select the single block \(m_i)\). In the sequel, we denote this type of expandable message by \( \mathcal {M}_\mathtt{EM}\). Given that the challenge message \(\varvec{M}\) is of \(L \le 2^{n/2}\) blocks, the construction of the expandable message in the first phase of the attack requires less than \(n \cdot 2^{n/2}\) computations, while obtaining the collision with one of the states computed during the computation of \(\varvec{M}\) requires approximately \(1/L \cdot 2^{n}\) computations according to the birthday paradox.

### Diamond Structure (DS) [37]

Like Joux’s multi-collisions and expandable message, the diamond structure is also a type of multi-collision. The difference is that instead of mapping a common starting state to a final state, each message in a diamond maps a different state to a final state. A \( 2^t \)-diamond contains \( 2^t \) specially structured messages mapping \( 2^t \) starting states to a final state, and it forms a complete binary tree of depth *t*. The \( 2^t \) starting states are leaves, and the final state is the root. A \( 2^t \)-diamond can be built by launching several collision attacks requiring about \( \sqrt{t}\cdot 2^{\frac{(n+t)}{2}} \) messages and \( n\cdot \sqrt{t}\cdot 2^{\frac{(n+t)}{2}} \) computations in total [9]. In the sequel, we denote the set of messages in a diamond by \( \mathcal {M}_\mathtt{DS}\). The diamond was primarily invented by Kelsey and Kohno to devise herding attacks against MD hash functions [37], in which the attacker first commits to the digest value of a message using the root of his diamond and later “herds” any given prefix of a message to his commitment by choosing an appropriate message from his diamond as the suffix. Later, Andreeva *et al.* successfully exploited it to launch herding and/or second-preimage attack beyond MD hash constructions, such as the dithered hash, Hash-Twice, the Zipper hash and hash trees [1,2,3]. Concretely, the second-preimage attack on Hash-Twice in [2] leverages techniques in herding attack and techniques in the above-mentioned second-preimage attack. One key point of this attack is that it builds a long Joux’s multi-collision in the first pass, exploits messages in this multi-collision to build a diamond structure in the second pass and finally uses the diamond as a connector to connect one crafted message to the challenge message on some states. Let \( 2^t \) be the width of the diamond and \( 2^{\ell } \) be the length of the message; the complexity of this attack is approximately \( 2^{(n + t)/2} + 2^{n - \ell } + 2^{n - t} \).

### Distinguished Points (DP)

The memory complexity of many algorithms that are based on functional graphs (e.g., parallel collision search [56]) can be reduced by utilizing the *distinguished points* method (which is attributed to Ron Rivest). Assume that our goal is to detect a collision of a chain (starting from an arbitrary node) with the nodes of \(\mathcal {G}\) computed in Algorithm 5, but without storing all the \(2^{t}\) nodes in memory. The idea is to define a set of \(2^{t}\) distinguished points (nodes) using a simple predicate (e.g., the \(n-t\) LSBs of a node are zero). The nodes of \(\mathcal {G}\) contain approximately \(2^{t} \cdot 2^{t-n} = 2^{2t-n}\) distinguished points, and only they are stored in memory. A collision of an arbitrary chain with \(\mathcal {G}\) is expected to occur at depth of about \(2^{n-t}\) and will be detected at the next distinguished point which is located (approximately) after traversing additional \(2^{n-t}\) nodes. Consequently, we can detect the collision with a small overhead in time complexity, but a significant saving factor of \(2^{n-t}\) in memory.

Interestingly, in the specific attack of Sect. 4, the distinguished points method is essential for reducing the time complexity of the algorithm.

### Interchange Structure (IS)

In this subsection, we present how to build a structure that enables us to simultaneously control two (or more) hash computation lanes sharing the same input message and succeed in further relaxing the pairwise relation between the internal states of computation lanes. We name the structure the *interchange structure*.

The main idea is to consider several chains of internal states reached by processing a common message \(\varvec{M}\) from different starting points. (Note that the message \(\varvec{M}\) is not fixed in advance, but will be determined when building the structure.) More precisely, the message \(\varvec{M}\) is denoted as the *primary* message and divided into several chunks: \(\varvec{M}= M_0\Vert M_1\Vert \ldots \). (As discussed later, a chunk consists of approximately *n* / 2 message blocks.) We denote chains of internal states for \(\mathcal {H}_1\) as \(\vec {a}_j\) and the individual states of the chain as \(\vec {a}_j^{i}\), with \(h^*_1(\vec {a}_j^{i}, M_i) = \vec {a}_j^{i+1}\). Similarly, we denote chains for \(\mathcal {H}_2\) as \(\vec {b}_k\), with \(h^*_2(\vec {b}_k^{i}, M_i) = \vec {b}_k^{i+1}\). When considering both hash functions, message block \(M_i\) leads from the pair of states \((\vec {a}_j^{i},\vec {b}_k^{i})\) to \((\vec {a}_j^{i+1},\vec {b}_k^{i+1})\), which is denoted as

#### Switch Structure

To construct a desired interchange structure, we first create the basic building blocks to jump between chains in a controlled way; we named them *switches*. A switch allows to jump from a specific pair of chains \((\vec {a}_{j_0}, \vec {b}_{k_0})\) to a different pair of chains \((\vec {a}_{j_0}, \vec {b}_{k_1})\) using a secondary message chunk \(M_i'\), in addition to the normal transitions using chunk \(M_i\) of the primary message \(\varvec{M}\):

To simplify the notation, we often omit the chunk index to show only the chains that are affected by the switch.

The main message chunk \(M_i\) and the secondary message chunk \(M_i'\) are determined when building the switch, and the main message defines the next state of all the chains. We note that the secondary message chunk \(M'_i\) should only be used when the state is \((\vec {a}_{j_0}^{i}, \vec {b}_{k_0}^{i})\). A simple example is depicted in Fig. 7.

Alternatively, a switch can be designed to jump from \((\vec {a}_{j_0}, \vec {b}_{k_0})\) to \((\vec {a}_{j_1}, \vec {b}_{k_0})\). It can be built with a complexity of \(\tilde{O}(2^{n/2})\).

We now explain how to build the switch structure at the core of some of our attacks. This construction is strongly based on the multi-collision technique of Joux presented in Sect. 2.1.

Given states \(\vec {a}_{j_0}^i\), \(\vec {b}_{k_0}^i\) and \(\vec {b}_{k_1}^i\), we want to build message chunks \(M_i\) and in order to have the following transitions:

The main message chunk \(M_i\) is used to define the next state of all the remaining chains, while the secondary message chunk will be used to jump from chains \((\vec {a}_{j_0}, \vec {b}_{k_0})\) to \((\vec {a}_{j_0}, \vec {b}_{k_1})\). We note that will only be used when the state is \((\vec {a}_{j_0}^{i},\vec {b}_{k_0}^{i})\). In particular, \(M_i\) and must satisfy the following:

The full building procedure is shown in Algorithm 2 whose pseudo-code is given in Appendix A; it requires approximately \(n/2 \cdot 2^{n/2}\) evaluations of the compression functions.

#### Interchange Structure

By combining several simple switches, we can build an interchange structure with starting points \(IV_1\) and \(IV_2\) and ending points \(\big \{ A_j \mid j=0 \ldots 2^t-1\big \}\) and \(\big \{ B_k \mid k=0 \ldots 2^t-1\big \}\), so that we can select a message ending in any state \((A_j, B_k)\). An interchange structure with \(2^t\) chains for each function requires about \(2^{2t}\) switches. Since we can build a switch for a cost of \(\tilde{O}(2^{n/2})\), the total structure is built with \(\tilde{O}(2^{2t+n/2})\) operations.

Let us now describe the combination of switch structures into an interchange structure. The goal of this structure is to select the final value of the \(\mathcal {H}_1\) computation and the \(\mathcal {H}_2\) computation independently. More precisely, the structure defines two sets of final values \(A_j\) and \(B_k\), and a set of messages \(\varvec{M}_{jk}\) such that

Algorithm 3 describes the combination of switches to build an interchange structure. Its pseudo-code is given in Appendix A, where the Interchange functions builds the structure and the SelectMessage function extracts the message reaching \((\vec {a}_j, \vec {b}_k)\).

The structure can be somewhat optimized using the fact that the extra chains have no prespecified initial values. We show how to take advantage of this in Appendix B, using multi-collision structures in addition to the switch structures. However, this does not significantly change the complexity: we need \((2^t-1)(2^t-1)\) switches instead of \(2^{2t}-1\). In total, we need approximately \(n/2 \cdot 2^{2t+n/2}\) evaluations of the compression functions to build a \(2^t\)-interchange structure.

We believe that a \(2^{t}\)-interchange structure based on switches will need at least \(\varTheta (2^{2t})\) switches, because every switch can only increase the number of reachable pairs \((\vec {a}_j,\vec {b}_k)\) by one. As shown in Appendix B, some switches can be saved in the beginning, but it seems that new ideas are needed to reduce the total complexity below \(\varTheta (2^{2t+n/2})\).

### Simultaneous Expandable Messages (SEMs)

In this subsection, we build a *simultaneous expandable message* for two MD hash functions basing on the multi-collision described in Sect. 2.1 and the expandable message for a single MD hash function described in Sect. 2.2. This expandable message consists of the initial states \((IV_1,IV_2)\) and final states \((\hat{x},\hat{y})\) such that for each length \(\kappa \) in some appropriate range (determined below), there is a message \(M_{\Vert \kappa }\) of \(\kappa \) blocks that maps \((IV_1,IV_2)\) to \((\hat{x},\hat{y})\). A similar construction of an expandable message over two hash functions was proposed in the independent paper [34] by Jha and Nandi, which analyses the Zipper hash assuming weak compression functions. We describe our construction approach of this simultaneous expandable message in detail next.

We set \(C \approx n/2 + \log (n)\) as a parameter that depends on the state size *n*. Our basic building block consists of two pairs of states \((x_0,y_0)\) and \((x_1,y_1)\) and two message fragments *ms* and *ml* that map the state pair \((x_0,y_0)\) to \((x_1,y_1)\). The message *ms* is the (shorter) message fragment of fixed size *C*, while *ml* is of size \(i > C\). We will show how to construct this building block for any state pair \((x_0,y_0)\) and length \(i > C\) in Algorithm 4.

Given this building block and a positive parameter *t*, we build an expandable message in the range of \([C(C-1)+tC, C^2-1+C(2^t+t-1)]\). This is done by utilizing a sequence of \(C-1+t\) basic building blocks. The first \(C-1\) building blocks are built with parameters \(i \in \{C+1,C+2,\ldots ,2C-1\}\). It is easy to see that these structures give a \((C(C-1),C^2-1)\)-expandable message by selecting at most one longer message fragment from the sequence, where the remaining \(C-2\) (or \(C-1\)) fragments are of length *C*. The final *t* building blocks give a standard expandable message, but it is built in intervals of *C*. These *t* building blocks are constructed with parameters \(i = C(2^{j-1}+1)\) for \(j \in \{1,\ldots ,t\}\). See Fig. 8 for a visual illustration.

Given a length \(\kappa \) in the range of \([C(C-1)+tC, C^2-1+C(2^t+t-1)]\), we can construct a corresponding message by first computing \(\kappa \text{(modulo } C)\). We then select the length \(\kappa ' \in [C(C-1),C^2-1]\) such that \(\kappa ' \equiv \kappa \text{(modulo } C)\), defining the first \(C-1\) message fragment choices. Finally, we compute \((\kappa -\kappa ')/C\), which is an integer in the range of \([t,2^t+t-1]\), and select the final *t* message fragment choices as in a standard expandable message using the binary representation of \((\kappa -\kappa ')/C\).

#### Construction of the Building Block

Given state pair \((x_0,y_0)\) and length \(i > C\), the algorithm for constructing the building block for the expandable message is based on multi-collisions, as described below; its pseudo-code is given in Appendix A.

The complexity of Step 1 is less than *i* compression function evaluations. The complexity of Step 2 is approximately \(2^{n/2}\), while the complexity of Step 3 is approximately \(C \cdot 2^{n/2} \approx n \cdot 2^{n/2}\). The complexity of Step 4 is approximately \(i + n \cdot 2^{n/2}\). In total, the complexity of constructing the basic building block is approximately \(i + n \cdot 2^{n/2}\) (ignoring small factors).

#### Complexity Analysis of the Full Building Procedure

The full expandable message requires computing \(C-1+t\) building blocks whose sum of length parameters (dominated by the final building block) is approximately \(C\cdot {2^t} \approx n \cdot 2^t\). Assuming that \(t<n\), we construct \(C-1+t \approx n\) building blocks, and the total time complexity of constructing the expandable message is approximately \(n\cdot 2^t + n^2 \cdot 2^{n/2}\). Our attacks require the \((C(C-1)+tC, C^2-1+C(2^t+t-1))\)-expandable message to extend up to length *L*, implying that \(L \approx n\cdot 2^t\) and giving a time complexity of approximately

### Functional Graph (FG) of Random Mappings

In many of our attacks, we evaluate a compression function \(h\) with a fixed message input block *m* (e.g., the zero block) and simplify our notation by defining \(f(x)= h_{[m]}(x) = h(x,m)\). The mapping *f* yields a directed functional graph.

The functional graph of a random mapping *f* is defined via successive iteration on this mapping.

Let

fbe an element in \(\mathcal {F}_N\) that is the set of all mappings with the setNas both the domain and range. The functional graph offis a directed graph whose nodes are the elements \(0, \dots , N-1\) and whose edges are the ordered pairs \(\langle x, f(x) \rangle \), for all \(x\in \{0, \dots , N-1\}\). If starting from any \(x_0\) and iteratingf, that is \(x_1 = f(x_0), x_2 = f(x_1),\dots ,\) we will find that beforeNiterations, a value \(x_j\) equal to one of \(x_0, x_1, \dots , x_{j-1}\); suppose that the collided one is \( x_i \). In this case, we say the path \(x_0\rightarrow x_1\rightarrow \dots \rightarrow x_{i-1}\rightarrow x_{i}\) connects to acycle\( x_i \rightarrow x_{i+1} \rightarrow \cdots \rightarrow x_{j - 1} \rightarrow x_i \). If we consider all possible starting points \(x_0\), paths exhibit confluence and form trees; trees grafted on cycles form components; a collection of components forms a functional graph. That is, a functional graph can be viewed as a set of connected components; a component is a cycle of trees; a tree is recursively defined by appending a node to a set of trees; a node is a basic atomic object and is labelled by an integer [26].

Structures of functional graph of random mappings have been studied for a long time, and some parameters have accurate asymptotic evaluations [26]. Below, we list some of the most relevant ones. These properties have been extensively studied and exploited in cryptography, e.g., in the classical works of Hellman [29] and van Oorschot and Wiener [56], and much more recently in generic attacks on hash-based MACs [18, 28, 41, 52, 54] (refer to [7] for a systematization of knowledge regarding the applications of random functional graphs in generic attacks).

### Theorem 1

[26]. The expected number of components, number of cyclic nodes (nodes belong to a cycle), number of terminal nodes (nodes without preimage: \(f^{-1}(x) = \emptyset \)), number of image nodes (nodes with preimage) and number of *k*th iterate image nodes (image nodes of the *k*th iterate \(f^{k}\) of *f*) in a random mapping of size *N* have the following asymptotic forms as \(N\rightarrow \infty \):

- 1.
# Components \(\frac{1}{2}\log N = 0.5 \cdot n\)

- 2.
# Cyclic nodes \(\sqrt{\pi N /2} \approx 1.2 \cdot 2^{n/2}\)

- 3.
# Terminal nodes \(e^{-1} N \approx 0.37 \cdot 2^n\)

- 4.
# Image nodes \((1 - e^{-1}) N \approx 0.62 \cdot 2^n\)

- 5.
#

*k*th iterate image nodes \((1 - \tau _k) N\), where \(\tau _k\) satisfies the recurrence relation \(\tau _0=0\), \(\tau _{k+1} = e^{-1 + \tau _k}\)

Seen from an arbitrary node \( x_0 \), we call the length (measured by the number of edges) of the path starting from \( x_0 \) and before entering a cycle the *tail length* of \( x_0 \) and denote it by \( \lambda (x_0) \); term the length of the cycle connected with \( x_0 \) the *cycle length* of \( x_0 \) and denote it by \( \mu (x_0) \); name the length of the non-repeating trajectory of the node \( x_0 \) the *rho length* of \( x_0 \) and denote it by \( \rho (x_0) = \lambda (x_0) + \mu (x_0) \).

### Theorem 2

[26]. Seen from a random point (any of the *N* nodes in the associated functional graph is taken equally likely) in a random mapping of \(\mathcal {F}_N\), the expected tail length, cycle length and rho length have the following asymptotic forms:

- 1.
Tail length (\(\lambda \)) \( \sqrt{\pi N / 8} \approx 0.62 \cdot 2^{n/2}\)

- 2.
Cycle length (\( \mu \)) \( \sqrt{\pi N / 8} \approx 0.62 \cdot 2^{n/2}\)

- 3.
Rho length (\( \rho \)) \( \sqrt{\pi N / 2} \approx 1.2 \cdot 2^{n/2}\)

### Theorem 3

[26]. The expected maximum cycle length (\(\mu ^{max}\)), maximum tail length (\( \lambda ^{max} \)) and maximum rho length (\( \rho ^{max} \)) in the functional graph of a random mapping of \(\mathcal {F}_N\) satisfy the following:

- 1.
\(\mathbf {E}\{\mu ^{max}\mid \mathcal {F}_N\} = 0.78248 \cdot 2^{n/2}\)

- 2.
\(\mathbf {E}\{\lambda ^{max}\mid \mathcal {F}_N\} = 1.73746 \cdot 2^{n/2} \)

- 3.
\(\mathbf {E}\{\rho ^{max}\mid \mathcal {F}_N\} = 2.41490 \cdot 2^{n/2}\)

### Theorem 4

[26]. Assuming the smoothness condition, the expected value of the size of the largest tree and the size of the largest connected component in a random mapping of \(\mathcal {F}_N\) are asymptotically

- 1.
Largest tree: \(0.48 \cdot 2^{n}\)

- 2.
Largest component: \(0.75782 \cdot 2^{n}\)

The results from these theorems indicate that in a random mapping, most of the points tend to be grouped together in a single giant component. This component is therefore expected to have very tall trees and a large cycle [26].

A useful algorithm for expanding the functional graph of *f* is given below (see Algorithm 5 whose pseudo-code is given in Appendix A). This algorithm is not new and has been previously used (for example, in [28, 54]). It takes an input parameter \(t \ge n/2\) that determines the number of expanded nodes (and the running time of the algorithm).

#### Deep Iterates in the Functional Graphs (FGDI)

Next, we describe our observations on functional graph of random mappings. The efficiencies of our following attacks are mostly based on these observations on special nodes in functional graphs.

In our attacks, we are particularly interested in nodes of *f* that are located deep in the functional graph. More specifically, \(x'\) is an iterate of depth *i* if there exists some ancestor node *x* such that \(x' = f^i(x)\), i.e., \( x' \) is an *i*th iterate image node (or say *i**th iterate* for short). If *i* is relatively large, we say that \( x' \) is a deep iterate. Deep iterates are usually obtained using *chains* evaluated from an arbitrary starting point \(x_0\) by computing a sequence of nodes using the relation \(x_{i+1} = f(x_i)\). We denote this sequence by \(\vec {x}\). The following two observations regarding deep iterates make them helpful in the proposed attacks:

### Observation 1

It is easy to obtain a large set of deep iterates. Specifically, by running Algorithm 5 with input parameter *t* (\( t\ge n/2 \)), one can obtain a set of \( 2^t \) nodes, among which a constant fraction (\( \varTheta (2^t) \)) are \( 2^{n - t} \)th iterates. The theoretical reasoning is as follows. After we have executed the algorithm and developed \(2^t\) nodes, then another chain from an arbitrary starting point is expected to collide with the evaluated graph at depth of roughly \(2^{n - t}\). This is a direct consequence of the birthday paradox. Moreover, for two chains from two different starting points *x* and *y*, the probability that \( \Pr [f^{2^{n - t}}(x) = f^{2^{n - t}}(y)] = \varTheta (2^{-t}) \) [18, Lemma 1] (note that \( n - t < n/2 \)). That is, for \( t \ge n/2 \), when the number of new chains (of length \( 2^{n - t} \) and from arbitrary starting points) is less than \( 2^{t} \), they are expected to collide with the evaluated graph at distinct points. In particular, this observation implies that most chains developed by the algorithm will be extended to depth \(\varOmega (2^{n-t})\) (without colliding with \(\mathcal {G}\) of cycling); therefore, a constant fraction of the developed nodes is iterates of depth \(2^{n-t}\). In total, the algorithm develops \(\varTheta (2^t)\) iterates of *f* of depth \(2^{n-t}\) in \(2^t\) time. This conclusion was also verified experimentally.

### Observation 2

A deep iterate has a relatively high probability to be encountered during the evaluation of a chain from an arbitrary starting node. Let \( f_1 \) and \( f_2 \) be two independent *n*-to-*n*-bit mappings. Suppose \( \bar{x} \) (resp. \( \bar{y} \)) is an iterate of depth \( 2^{g} \) in \( \mathcal {FG}_{f_1} \) (resp. \( \mathcal {FG}_{f_2} \)); then, it is an endpoint of a chain of states of length \( 2^g \). Let *d* be in the interval \( [1, 2^g] \) and \( x_0 \) (resp. \( y_0 \)) be a random point. Then, according to Lemma 1, \( \Pr [x_d = \bar{x} \approx d\cdot 2^{-n}] \) (resp. \( \Pr [y_d = \bar{y} \approx d\cdot 2^{-n}] \) ), which is the probability that \( \bar{x} \) (resp. \( \bar{y} \)) will be encountered at distance *d* from \( x_0 \) (resp. \( y_0 \)). Due to the independence of \( f_1 \) and \( f_2 \), \(\Pr [x_d = \bar{x} \bigwedge y_d = \bar{y}] \approx (d \cdot 2^{-n})^2\). Summing the probabilities of the (disjoint) events over all distances *d* in the interval \([1,2^{g}]\), we conclude that the probability that \(\bar{x}\) and \(\bar{y}\) will be encountered at the same distance is approximately \((2^{g})^3 \cdot 2^{-2n} = 2^{3g - 2n}\).

The probability calculation in Observation 2 yields the conclusion that we need to compute approximately \( 2^{2n - 3g} \) chains from different starting points to find a pair of starting points \( (x_0, y_0) \) reaching a pair of \( 2^g \)th iterates \( (\bar{x}, \bar{y})\) at the same distance. This conclusion was verified experimentally. Note that since various trials performed by selecting different starting points for the chains are dependent, the proof of this conclusion is incomplete. However, this dependency is negligible in our attacks, and thus, we can ignore it. More details are given in Appendix C.

### Lemma 1

Let *f* be an *n*-bit random mapping and \(x'_0\) an arbitrary point. Let \(D \le 2^{n/2}\) and define the chain \(x'_{i} = f(x'_{i-1})\) for \(i \in \{1,\ldots , D\}\) (namely \(x'_D\) is an iterate of depth *D*). Let \(x_0\) be a randomly chosen point, and define \(x_{d} = f(x_{d-1})\) for integer \( d \ge 1 \). Then, for any \(d \in \{1,\ldots , D\}\), \(\Pr [x_d = x'_D] = \varTheta (d \cdot 2^{-n})\).

### Proof

(Sketch.) We can assume that the chains do not cycle (i.e., each chain contains distinct nodes), as \(D \le 2^{n/2}\). For \(x_d = x'_D\) to occur, \(x_{d-i}\) should collide with \(x'_{D-i}\) for^{Footnote 8} some \(0 \le i \le d\). For a fixed *i*, the probability for this collision is roughly^{Footnote 9}\(2^{-n}\), and summing over all \(0 \le i \le d\) (all events are disjointed), we get that the probability is approximately \(d \cdot 2^{-n}\). \(\square \)

#### Multi-cycles in Functional Graphs (FGMC)

Next, we study a property of some more special nodes—*cyclic nodes* in random functional graphs. There are efficient cycle search algorithms (with \( O(2^{n/2}) \) time complexity) to detect the cycle length and collect cyclic nodes in the largest component of a random functional graph [36, Chapter 7], and cycles have been exploited in generic attacks on hash-based MACs [28, 41]. Here, we exploit them in a new way. Each cyclic node in a functional graph defined by *f* loops along the cycle when computed by *f* iteratively and goes back to itself after a (multi-)cycle length number of function calls. This property can be utilized to provide extra degrees of freedom when estimating the distance of other nodes to a cyclic node in the functional graph, i.e., it can be expanded to a set of discrete values by using multi-cycles. For example, let *x* and \(x'\) be two nodes in a component of the functional graph defined by *f*, *x* be a cyclic node, and the cycle length of the component be denoted as *L*. Clearly, there exists a path from \(x'\) to *x* as they are in the same component, and the path length is denoted by *d*. Then, we have the following:

Suppose it is limited to use at most *t* cycles (limitation imposed by the length of the message). Then, the distance from \(x'\) to *x* is expanded to a set of \(t+1\) values \(\{d+i\cdot L \mid i=0, 1, 2,..., t\}\).

Now, let us consider a special case of reaching two deep iterates from two random starting nodes: *select two cyclic nodes within the largest components in the functional graphs as the deep iterates*. More specifically, let \( \mathcal {FG}_{f_1} \) and \( \mathcal {FG}_{f_2} \) be two functional graphs defined by \(f_1\) and \(f_2\). Let \(\bar{x}\) and \(x_0\) be two nodes in a common largest component of \(\mathcal {FG}_{f_1}\), where \(\bar{x}\) is a cyclic node. Let \(L_1\) denote the cycle length of the component and \(d_1\) denote the path length from \(x_0\) to \(\bar{x}\). Similarly, we define notations \(\bar{y}\), \(y_0\), \(L_2\) and \(d_2\) in \(\mathcal {FG}_{f_2}\). We are interested in the probability of linking \(x_0\) to \(\bar{x}\) and \(y_0\) to \(\bar{y}\) at a common distance. Thanks to the usage of multiple cycles, the distance values from \(x_0\) to \(\bar{x}\) and from \(y_0\) to \(\bar{y}\) can be selected from two sets \(\{ d_1+i\cdot L_1 \mid i=0, 1, 2, \ldots , t\}\) and \(\{ d_2+j\cdot L_2 \mid j=0, 1, 2, \ldots \, t\}\), respectively. Hence, as long as there exists a pair of integers (*i*, *j*) such that \(0 \le i, j \le t\) and \(d_1+i\cdot L_1=d_2+j\cdot L_2\), we obtain a common distance \(d=d_1+i\cdot L_1=d_2+j\cdot L_2\) such that

Next, we evaluate the probability amplification of reaching \((\bar{x}, \bar{y})\) from a random pair \((x_0, y_0)\) at the same distance. Without loss of generality, we assume \(L_1 \le L_2\). Let \(\varDelta L \triangleq L_2 \mod L_1\). Then, it follows that

Letting *j* range over all integer values in internal [0, *t*], we will collect a set of \(t+1\) values \(\mathcal {D}=\{ j\cdot \varDelta L \mod L_1 \mid j=0, 1, \ldots , t\}\).^{Footnote 10} Since \(d_1 = \mathcal {O}(2^{n/2})\), \(d_2=\mathcal {O}(2^{n/2})\) and \(L_1=\varTheta (2^{n/2})\), it follows that \(|d_1-d_2| =\mathcal {O}(L_1)\), and we assume \(|d_1-d_2| < L_1\) by ignoring the constant factor. Therefore, for a randomly sampled pair \((x_0, y_0)\) that encounters \((\bar{x}, \bar{y})\), we are able to derive a pair of (*i*, *j*) such that \(d_1+i\cdot L_1=d_2+j\cdot L_2\), as long as their distance bias \(d_1-d_2\) is in the set \(\mathcal {D}\). In other words, we are able to *correct such a distance bias by using multi-cycles.* Hereafter, the set \(\mathcal {D}\) is referred to as the set of *correctable distance bias*. Thus, the probability of reaching \((\bar{x}, \bar{y})\) from a random pair \((x_0, y_0)\) at a common distance is amplified by roughly *t* times, where *t* is the number of cycles to the maximum.

## Preimage Attack on XOR Combiners Based on the Interchange Structure

In this section, we introduce our first attack—the preimage attack on the XOR combiner. In this attack, we are given an *n*-bit target value *V*, and our goal is to find a message \(\varvec{M}\) such that \(\mathcal {H}_1(\varvec{M}) \oplus \mathcal {H}_2(\varvec{M}) = V\). Notice that, if the goal is to find two messages \( \varvec{M}_1 \) and \( \varvec{M}_2 \) such that \(\mathcal {H}_1(\varvec{M}_1) \oplus \mathcal {H}_2(\varvec{M}_2) = V\), we can immediately launch a meet-in-the-middle procedure to find a solution of the equation \( \mathcal {H}_1(\varvec{M}_1) = \mathcal {H}_2(\varvec{M}_2) \oplus V\) with \( 2^{n/2} \) computations. That is because in the last equation, the left-hand side and right-hand side are independent. By separately computing \( 2^{n/2} \) values on each side, we obtain \( 2^n \) pairs and will find a match with high probability due to the birthday paradox. Thus, the above is essentially to find a collision, which is an easy challenge. However, in the real challenge, the collision must be generated from the same message. Thus, the computations on the two side of the equation are pairwise related, i.e., the computation on the one side of the equation can only pair with a single computation on the other side. Consequently, unlike in the easy challenge, \( 2^{n/2} \) computations on each side can only generate \( 2^{n/2} \) pairs instead of \( 2^n \). Therefore, to launch a similar meet-in-the-middle procedure as we did in the easy challenge for the real challenge, a crucial part of our attack is to construct a structure breaking the pairwise dependency between the two computations. That structure playing the important role is the *interchange structure* introduced in Sect. 2.5. Next, we provide an overview of our attack based on the interchange structure and then give detailed attack procedures.

### Overview of the Attack

Next, we give an overview of the first preimage attack on the XOR combiner. Let \(V\) denote the target value. The two hash functions \(\mathcal {H}_1\) and \(\mathcal {H}_2\) share the same input message, and hence, the internal states of their iterative compression function computations are pairwise related. We first manage to simultaneously control the computation chains of \(\mathcal {H}_1\) and \(\mathcal {H}_2\) by constructing an interchange structure including a message structure \(\mathcal {M}\) and two sets of internal states \(\mathcal {A}\) (for \(\mathcal {H}_1\)) and \(\mathcal {B}\) (for \(\mathcal {H}_2\)) such that for any state *A* picked from \(\mathcal {A}\) and *B* picked from \(\mathcal {B}\), we can easily derive a message \(M_{A, B}\) from \(\mathcal {M}\) such that \(\mathcal {H}_1(M_{A,B})\) produces *A* and \(\mathcal {H}_2(M_{A,B})\) produces *B*. Hence, we can select states from \(\mathcal {A}\) and \(\mathcal {B}\) independently in the next phase of the attack. In the next phase, we use a birthday match to find a message block *m*, a state *A* in \(\mathcal {A}\) and a state *B* in \(\mathcal {B}\) such that \(h_1(A, m) \oplus h_2(B, m)\) equals the target hash digest \( V\), where \(h_1\) and \(h_2\) are the compression functions of \(\mathcal {H}_1\) and \(\mathcal {H}_2\), respectively. Finally, given states *A* and *B*, we derive the message \(M_{A, B}\) from \(\mathcal {M}\) and output \(M_{A, B} \Vert m\) as a preimage of *V*.^{Footnote 11} The birthday match in the second phase of the attack is essentially a meet-in-the-middle procedure enabled by the interchange structure built in the first phase of the attack. Thus, the entire attack is more efficient than a brute-force attack.

The complexity of the preimage search is approximately \(2^{n-t}\) evaluations of the compression function, using an interchange structure with \(2^t\) endpoints.

#### Complexity Analysis

Building the interchange structures requires approximately \(2^{2t+n/2}\) evaluations of the compression function, while the preimage search requires approximately \(2^{n-t}\). The optimal complexity^{Footnote 12} is reached when both steps take the same time, i.e., \(t = n/6\). This gives a complexity of \(\tilde{O}(2^{5n/6})\). Since it uses messages of length at least \( n/2\cdot 2^{2t} \), the optimal complexity is obtained for messages of length at least \( 2^{n/3} \). For messages shorter than \( 2^{n/3} \), it provides a trade-off of \( 2^n \cdot L^{-1/2} \) between the maximal allowed message length *L* and the time complexity of attack (see Fig. 12 for a trade-off curve).

### Details of the Preimage Attack on XOR Combiners Using the Interchange Structure

Now, we describe the full preimage attack in detail. We first build an interchange structure with \(2^t\) chains for each of \(\mathcal {H}_1\) and \(\mathcal {H}_2\). We denote the ending points as \(\big \{ A_j \mid j=0 \ldots 2^t-1\big \}\) and \(\big \{ B_k \mid k=0 \ldots 2^t-1\big \}\), and we know how to select a message \(\varvec{M}_{jk}\) to reach any state \((A_j, B_k)\). When adding message fragment \(m\Vert pad\), to one of the messages \(\varvec{M}_{jk}\) in the interchange structure, where *m* is a message block and *pad* is the final block padded with the length *L* of the preimage message, the output of the combiner can be written as follows:

Note that we fix the finalization functions of \(\mathcal {H}_1\) and \(\mathcal {H}_2\) as their compression functions, \( h_1 \) and \( h_2 \), respectively.

To reach a target value \(V\), we select a random block *m*, and we evaluate \(\big \{ A'_j = h_1(h_1(A_j,m), pad) \mid j=0 \ldots 2^t-1\big \}\) and \(\big \{ B'_k = V\oplus h_2(h_2(B_k,m),pad) \mid k=0 \ldots 2^t-1\big \}\). If there is a match \((j^*, k^*)\) between the two lists, we have the following:

For a random choice of *m*, we expect that a match exists with probability \(2^{2t-n}\), and testing it requires approximately \(2^t\) operations.^{Footnote 13} We will have to repeat this procedure \(2^{n-2t}\) times on average; therefore, the total cost of the preimage search is approximately \(2^{n-t}\) evaluations of \(h_1\) and \(h_2\).

As explained in the previous section, building a \(2^t\)-interchange structure requires approximately \(n/2 \cdot 2^{2t+n/2}\) operations. Using \(t=n/6\), we balance the two steps of the attack and reach the optimal complexity of approximately \(n/2 \cdot 2^{5n/6}\) operations for this preimage attack.

## Improved Preimage Attack on XOR Combiners Based on Deep Iterates

The first attack works identically for the case in which the combined hash functions use the HAIFA mode and the case in which they use the MD construction. However, when they are limited to use the MD construction, we can launch a more efficient attack than the first. In this case, pairwise dependency between internal states can be broken efficiently by using repeated message blocks. Explicitly, we use a different approach to get the two sets of states \(\mathcal {A}= \big \{ A_j \mid j=0 \ldots 2^t-1\big \}\) and \(\mathcal {B}= \big \{ B_k \mid k=0 \ldots 2^t-1\big \}\) such that for any pair of states \((A_j, B_k \mid A_j\in \mathcal {A}, B_k \in \mathcal {B})\), we can manage to find a message \( M_{A,B} \) such that \( (IV_1, IV_2) \xrightarrow {M_{A,B}} (A_j, B_k) \). For convenience, we name such an abstract procedure GenPairableStates, which is implemented and utilized by quite different approaches in different attacks—the first attack implements it using interchange structure, this second attack implements it using deep iterates in functional graphs, and as will be seen, the third attack implements it using cyclic nodes in functional graphs.

The first step is to fix an arbitrary message block *m* to the compression functions, giving rise to *n*-to-*n*-bit random mappings \(f_1(\cdot ) \triangleq h_1(\cdot ,m)\) and \(f_2(\cdot ) \triangleq h_2(\cdot ,m)\). Such random mappings and their functional graphs have many interesting properties and have been extensively studied and used in cryptanalysis, as shown in Sect. 2.7. However, to attack hash combiners, we exploit them in new ways. In this attack, instead of precisely controlling every computational step in chains of equal length to obtain two sets of endpoints as in building an interchange structure, here, we loosely herd computational chains of various length to collect two sets of states. These collected states have large offsets in the chains. These chains are iteratively computed using the above-defined random mappings \( f_1 \) and \( f_2 \). Thus, the collected states are essentially *deep iterates* in the functional graphs of \( f_1 \) and \( f_2 \), which are introduced in Sect. 2.7.1. As has been shown in Sect. 2.7.1, such special states are relatively easy (i.e., with high probability) to be reached from randomly selected starting states. This is where the advantage of the attack mainly comes from.

In this attack, given a pair of such special states \( (A_j, B_k) \), finding a common message mapping a pair of starting states to them under the two hash computations is not as efficient as selecting a message from an interchange structure in Attack 1. However, collecting those final states by expanding functional graphs is much more efficient than computing endpoints by building an interchange structure. This attack amortizes computational costs to different steps. Thus, it provides better balance between different attack steps. Moreover, it also provides a better trade-off between the message length and time complexity.

However, unlike the interchange structure-based attack, this approach uses chains of various lengths, which implies that lengths of message fragments in intermediate attack steps are not fixed in advance. However, the length of the preimage needs to be predefined in this attack. Thus, the length padding at the end of the hash computations will be a problem. We overcome this problem using our tool, the simultaneous expandable message for two MD hash functions, which is introduced in Sect. 2.6.

Next, we provide a high-level overview of this attack and then present the detailed attack steps.

### Overview of the Attack

Suppose that we are given a target *n*-bit preimage value \(V\) and our goal is to find a message \(\varvec{M}\) such that \(\mathcal {H}_1(\varvec{M}) \oplus \mathcal {H}_2(\varvec{M}) = V\). Although the formal problem does not restrict \(\varvec{M}\) in any way, several concrete hash functions restrict the length of \(\varvec{M}\). Therefore, we will first assume that the size of \(\varvec{M}\) is bounded by a parameter *L*.

The attack is composed of three main phases.

#### Complexity Analysis

Denote \(L = 2^\ell \). For parameters \( g_1 \ge max(n/2, n-\ell )\) and \(s \ge 0\), the complexity of phases of the attack (as computed in their detail description) is given below (ignoring constant factors).

We balance the time complexities of the second phase and the first term in the expression of the third phase by setting \(n + s - g_1 = 3g_1/2 - s/2\), or \(s = 5g_1/3 - 2n/3\), giving a value of \(2^{n/3 + 2g_1/3}\) for these terms. Furthermore, \(\ell +9g_1/2-2n-3s/2 = \ell +2g_1-n\), and the time complexity expression of Phase 3 is simplified to be \(2^{n/3 + 2g_1/3} + 2^{\ell +2g_1-n}\). Since \(g_1\) is a positive factor in all the terms, we optimize the attack by picking the minimal value of \(g_1\) under the restriction \(g_1 \ge \max (n/2, n-\ell )\). In case \(\ell \le n/2\), we set \(g_1 = n-\ell \) and the total time complexity of the attack^{Footnote 14} is

The optimal complexity is \(2^{2n/3}\), obtained for messages of length \(2^{n/2}\) (see Fig. 12 for a trade-off curve).

### Details of the Preimage Attack on XOR Combiners Using Deep Iterates

Details of Phase 1 can be found in Sect. 2.6. In the following, we describe details of the other two phases.

#### Details of Phase 2: Finding a Set of Target State Pairs

In the second phase, we fix an arbitrary message block *m*, giving rise to the functional graphs \( \mathcal {FG}_{f_1} \) and \( \mathcal {FG}_{f_2} \) defined by the random mappings \(f_1(\cdot ) \triangleq h_1(\cdot ,m)\) and \(f_2(\cdot ) \triangleq h_2(\cdot ,m)\). Given parameters \(g_1 \ge n/2\) and \(s \ge 0\), our goal is to compute a set \(\mathcal {S}\) (of size \(2^s\)) of tuples of the form ((*x*, *y*), *w*), where *w* is a single block such that for each tuple, the following hold:

- 1.
The state

*x*is a \(2^{n-g_1}\)th iterate in \( \mathcal {FG}_{f_1} \), and*y*is a \(2^{n-g_1}\)th iterate in \( \mathcal {FG}_{f_2} \). - 2.
\((x,y) \xrightarrow {w} (a,b)\) and \(h_1(a,pad) \oplus h_2(b,pad) = V\), where

*pad*is a final block of the (padded) preimage message of length*L*.

This algorithm resembles the algorithm used in the final phase in previous interchange structure-based preimage attack (Attack 1 in Sect. 3), as both look for state pairs (*x*, *y*) that give \(h_1(x,w\Vert pad) \oplus h_2(y, w\Vert pad) = V\) (for some message block *w*). The difference is that in previous interchange structure-based attack, (*x*, *y*) is an arbitrary endpoint pair of the interchange structure, while in this case, we look for *x* and *y* that are deep iterates.

The time complexity of Steps 2 and 3 is approximately \(2^{g_1}\). The time complexity of Step 4.(a) and Step 4.(b) is also bounded by \(2^{g_1}\). We now calculate the expected number of executions of Step 4 until \(2^s\) matches are found and inserted into \(\mathcal {S}\).

According to Observation 1 in Sect. 2.7.1, the expected size of \(\mathcal {T}_1\) and \(\mathcal {T}_2\) (the number of deep iterates) is close to \(2^{g_1}\). Thus, for each execution of Step 4, the expected number of matches on *n*-bit values \(h_2(y,w \Vert pad) \oplus V = h_1(x,w \Vert pad)\) is \(2^{2g_1 - n}\). Consequently, Step 4 is executed \(2^{s + n - 2g_1 }\) times in order to obtain \(2^s\) matches. Altogether, the total time complexity of this step is

#### Details of Phase 3: Hitting a Target State Pair

In the third and final phase, we start from \((\hat{x},\hat{y})\) and compute a message \(\hat{M}_{\Vert q}\) of length *q* (is valid as long as shorter than \(L-2\)) such that \((\hat{x},\hat{y}) \xrightarrow {\hat{M}_{\Vert q}} (\bar{x},\bar{y})\) for some \(((\bar{x},\bar{y}),\bar{m}) \in \mathcal {S}\). We use in a strong way the fact that states \( \bar{x} \) (and \( \bar{y} \)) in \( \mathcal {S}\) are deep iterate (of depth \( 2^{n - g_1} \)) in \( \mathcal {FG}_{f_1} \) (and \( \mathcal {FG}_{f_2} \)).

The goal of this phase is to find a pair of starting points of chains, reaching some \( ((\bar{x}, \bar{y}), \bar{m}) \in \mathcal {S}\) at same distance. This phase is carried out by picking an arbitrary starting message block \(\hat{m}\), which gives points \(x_0 = h_1(\hat{x},\hat{m})\) and \(y_0 = h_2(\hat{y},\hat{m})\). We then continue to evaluate the chains \(x_{i+1} = h_1(x_i , m)\) and \(y_{j+1} = h_2(y_j , m)\) up to length at most \(L-3\). We hope to encounter \(\bar{x}\) at some distance \(q-1\) from \(x_0\) and to encounter \(\bar{y}\) at the same distance \(q-1\) from \(y_0\), where \(((\bar{x},\bar{y}),\bar{m}) \in \mathcal {S}\). In case in which for all pairs of \( ((\bar{x},\bar{y}), \bar{m}) \in \mathcal {S}\), \( \bar{x} \) and \( \bar{y} \) are encountered at different distances in the chains, or at least one of them is not encountered at all, we pick a different value for \( \hat{m} \) and start again. Once we find such a value for \( \hat{m} \) and pair of iterates \( (\bar{x}, \bar{y}) \), this gives the required \(\hat{M}_{\Vert q} \triangleq \hat{m} \Vert [m]^{q-1}\).

According to Observation 2 in Sect. 2.7.1, for a pair of \( 2^{n - g_1} \)th iterates \( \bar{x} \) and \( \bar{y} \), the probability that they will be encountered at the same distance from arbitrary starting points \( x_0 \) and \( y_0 \) of chains is \( (2^{n- g_1})^3 \cdot 2^{-2n} = 2^{n - 3g_1} \). Since \( \mathcal {S}\) contains \( 2^s \) elements, the probability calculation yields the conclusion that we need to compute about \( 2^{3g_1 - n - s} \) chains from different starting points to find such a value for \( \hat{m} \) generating starting points \( (x_0, y_0) \) reaching a pair of deep iterates \( (\bar{x}, \bar{y})\) in \( \mathcal {S}\) at the same distance.

The next question which we address is to what maximal length \( L' \) should we evaluate chains \( \vec {x} \) and \( \vec {y} \). As we wish to reach iterates \( \bar{x} \) and \( \bar{y} \) of depth \( 2^{n - g_1} \), it can be shown that \( L' = 2^{n - g_1} \) is optimal. Since the total chain length should be less than \( L - 3 \), this impose the restriction \( L' = 2^{n - g_1} < L - 3 \), or \( 2^{g_1} < 2^n / L \).

The naive algorithm described above performs about \(2^{3g_1-n-s}\) trials, where each trial evaluates chains of length \(L' = 2^{n - g_1}\) from arbitrary points, giving a total time complexity of approximately \(2^{3g_1-n-s + n - g_1} = 2^{2g_1-s}\). Since \(g_1 \ge n/2\), the time complexity of this phase is at least \(2^{n-s}\), and after making a balance with that of the Phase 2, the time complexity can be \( 2^{3n/4} \) by setting \( s = n/4 \).

However, it is possible to optimize this naive algorithm by further expanding the graphs of \(f_1\) and \(f_2\). As a result, the evaluated chains are expected to collide with the graphs sooner (before they are evaluated to the full length of \(2^{n - g_1}\)). Once a collision occurs, we use a look-ahead procedure to calculate the distance of the chain’s starting point from \(\bar{x}\) (or \(\bar{y}\)) in each tuple \( ((x,y),w) \in \mathcal {S}\). This look-ahead procedure resembles the one used in attacks on hash-based MACs [28, 54] (although the setting and actual algorithm in our case are obviously different).

We define an \(\mathcal {S}\)-*node* (for \(f_1\)) as a node *x* such that there exists a node *y* and a message block *w* such that \(((x,y),w) \in \mathcal {S}\). An \(\mathcal {S}\)-node for \(f_2\) is defined in a similar way. To avoid heavy update operations for the distances from all the \(\mathcal {S}\)-nodes, we use distinguished points. Essentially, each computed chain is partitioned into intervals according to distinguished points, where each distinguished point stores only the distances to all the \(\mathcal {S}\)-nodes that are contained in its interval up to the next distinguished point. Given a parameter \(g_2 > g_1\), the algorithm for this phase is described below.

The time complexity of Step 1 is approximately \(2^{g_2}\). (Note that we always perform a constant amount of work per developed node.)

For time complexity of Step 2, the analysis is as follows. As concluded above, the expected number of values for \( \hat{m} \) we need to test until we find a pair of starting point \( (x_0, y_0) \) of chains encounter at the same distance to a pair of \( 2^{n - g_1} \)th iterates \( (\bar{x}, \bar{y}) \) in \( \mathcal {S}\) is approximately \( 2^{3g_1 - n - s} \).

The analysis of the complexity of Step 2.(a) is as follows. First, we estimate the expected number of nodes that we visit during the computation of a chain. Initially, we compute approximately \(2^{n-g_2}\) nodes until we hit stored distinguished points. Then, we continue by traversing (only) distinguished points up to depth of about *L*. The expected number of such points is \(L \cdot 2^{g_2-n}\). Therefore, we expect to visit approximately \(2^{n-g_2} + L \cdot 2^{g_2-n}\) nodes while computing a chain. Finally, we need to account for all the \(\mathcal {S}\)-nodes encountered while traversing the chains of depth *L*. Basically, there are \(2^s\)\(\mathcal {S}\)-nodes which are iterates of depth \(2^{n-g_1}\) (essentially), randomly chosen in Phase 2 out of approximately \(2^{g_1}\) such deep iterates. As a result, the probability of such a deep iterate to be a \(\mathcal {S}\)-node is approximately \(2^{s-g_1}\) (while other nodes have probability 0). Therefore, while traversing chains of depth *L*, we expect to encounter at most \(L \cdot 2^{s-g_1}\)\(\mathcal {S}\)-nodes (which is a bound on the sizes of \(\mathcal {T}_1\) and \(\mathcal {T}_2\)). Altogether, the expected time complexity of a single execution of Step 2.(a) is at most \(2^{n-g_2} + L \cdot 2^{g_2-n} + L \cdot 2^{s-g_1}\).

The total time complexity of this phase is \(2^{g_2} + 2^{3g_1-n-s} \cdot (2^{n-g_2} + L \cdot 2^{g_2-n} + L \cdot 2^{s-g_1}) = 2^{g_2} + 2^{3g_1-g_2-s} + L \cdot 2^{3g_1+g_2-2n-s} + L \cdot 2^{2g_1-n}\). We set \(g_2 = 3g_1/2 - s/2\) which balances the first two terms and gives a time complexity of

The time complexity evaluation of the full attack at the beginning of this section shows that for the optimal parameters of this attack, the extra two terms \(L \cdot 2^{9g_1/2-2n-3s/2} + L \cdot 2^{2g_1-n}\) are negligible compared to the other terms in the complexity equation. In other words, the distinguished points method allowed us to resolve with no overhead the complication of keeping track of distances from the \(\mathcal {S}\)-nodes.

### Optimizing the Deep Iterate-Based Preimage Attack on XOR Combiners Using the Interchange Structure

The above deep iterate-based preimage attack on XOR combiners can be slightly improved using an interchange structure. Recall that the interchange structure helps to break the dependency between two hash computations on a common message. When building a \( 2^r \)-interchange structure starting from the pair of endpoints \( (\hat{x}, \hat{y}) \) of the simultaneous expandable message and ending at two sets of states \( \mathcal {A} = \{A_1, A_2, \dots , A_{2^r} \} \) and \( \mathcal {B} = \{B_1, B_2, \dots , B_{2^r} \}\), any \( A_i \in \mathcal {A} \) can make a pair with any \( B_j \in \mathcal {B} \). (For any such a pair, one could easily find a common message mapping \( (\hat{x}, \hat{y}) \) to this pair.) Therefore, by using a single message block \( \hat{m} \) to generate two sets of \( 2^r \) random starting nodes, respectively, from \( \mathcal {A} \) and \( \mathcal {B} \), we can get \( 2^{2r} \) pairs of starting nodes. As a result, the required number of samplings on the random massage block \( \hat{m} \) is reduced by a factor of \( 2^{2r}\).

The detailed complexity analysis of the attack using a \( 2^r \)-interchange structure is as follows: Denote \( L {=} 2^{\ell } \). For parameters \( g_1 \ge \max (n/2, n - {\ell }) \), \( g_2 \ge 0 \), \( s \ge 0 \) and \( 0 \le r \le {\ell }/2 \) (because the length \( 2^{2r} \) of the interchange structure should be less than the message length \( 2^{\ell } \)), the complexity of phases of the attack is given below (ignoring constant factors).

Compared with the complexity of the attack in Sect. 4.1, the difference lies in Phase 3. In the complexity formula of Phase 3, the term \( 2^{g_2} \) is the number of nodes developed in the look-ahead procedure; the term \(2^{3g_1 - n - s - 2r} \) is the required number of samplings on the value of message block \( \hat{m} \) to get pairs of starting nodes, which is reduced by a factor of \( 2^{2r} \) when building a \( 2^r \)-interchange structure; the term \( 2^r \cdot (2^{n - g_2} + 2^{{\ell } + g_2 - n} + 2^{{\ell } + s - g_1}) \) is the time complexity for computing distances of pairs of starting nodes (generated using the same value for \( \hat{m} \)) from all \( 2^s \) target nodes; the term \( 2^{n/2 + 2r} \) is the time complexity for building the \( 2^r \)-interchange structure.

We first balance the first two terms in Phase 3 by setting \( g_2 = 3g_1 - g_2 - s - r\), which gives \( g_2 = 3g_1/2 - s/2 - r/2 \). Thus, the complexity of Phase 3 becomes \(2^{3g_1/2 - s/2 - r/2} + 2^{9g_1/2 - 3s/2 - 3r/2 + {\ell } -2n} + 2^{2g_1 + {\ell } -n - r} + 2^{n/2 + 2r}.\) We then balance Phase 2 and Phase 3 by setting \( n + s - g_1 = 3g_1/2 - s/2 - r/2 \), which gives \( s = 5g_1/3 - r/3 - 2n/3 \). The sum of all dominant terms turns to be \( 2^{\ell } + 2^{n/3 + 2g_1/3 - r/3} + 2^{2g_1 + {\ell } - n - r} + 2^{n/2 + 2r}. \) Finally, we pick the minimal value of \( g_1 \) under the restriction \( g_1 \ge \max (n/2, n - {\ell }) \). In case \( {\ell } \le n / 2 \), we set \( g_1 = n - {\ell } \). The sum of dominant terms turns to be \( 2^{\ell } + 2^{n - 2{\ell }/3 - r/3} + 2^{n - {\ell } - r} + 2^{n/2 + 2r}.\) Considering \( n - 2{\ell }/3 - r/3 > n - {\ell } - r \) always holds, the sum of dominant terms is

Note that there is a restriction on *r*, that is, \( r \le \ell /2 \). As a result (see Fig. 12 for a trade-off curve),

For the case \( {\ell } \le 3n/11 \), we have \( n - 2{\ell }/3 - r / 3> n/2 + {\ell } > n/2 + 2r \). We set \( r = {\ell }/2 \) to optimize the complexity. Thus, the sum of dominant terms is \( 2^{n - 5{\ell }/6} \). The optimal complexity is \( 2^{17n/22} \) obtained for message of length \( 2^{\ell } = 2^{3n/11} \).

For the case \( 3n/11 < {\ell } \le n/2 \), we set \( r = 3n/14 - 2{\ell }/7 \) to make a balance, which fulfils \( r < {\ell }/2 \) in this case. The sum of dominant terms is \( 2^{13n/14 - 4{\ell }/7}\). The optimal complexity is \( 2^{9n/14} \) obtained for message of length \( 2^{\ell } = 2^{n/2} \).

## Improved Preimage Attack on XOR Combiners Based on Multi-cycles

When the underlying hash functions use the MD construction, and the maximum length of the message is allowed to exceed \( 2^{n/2} \) blocks, we can further improve previous deep iterate-based preimage attack. The idea is that we utilize more special nodes in function graphs, which are called cyclic nodes, and exploit a technique named *multi-cycles* as introduced in Sect. 2.7.2. Recall that, in the deep iterate-based attack, a key step is to find two starting nodes \( x_0 \) and \( y_0 \) in functional graphs of \( f_1 \) and \( f_2 \), such that they reach the selected target nodes \( \bar{x} \) and \( \bar{y} \) at a common distance. We find that when selecting cyclic nodes as target nodes \( \bar{x} \) and \( \bar{y} \), the probability of a pair of random node \( (x_0, y_0) \) reaching them at a common distance can be greatly amplified. Indeed, cyclic nodes are essentially special deep iterates that are located not only *deep* in the functional graph but also in a *cycle* of the graph. Therefore, for two cyclic nodes in two independent functional graphs, by looping around the cycles, some differences between distances from two random nodes to the two cyclic nodes can be corrected by the difference between the two cycle lengths. More precisely, if the members of a target node pair \((\bar{x}, \bar{y})\) are both cyclic nodes within the largest components in two functional graphs, the probability of a random pair \((x_0, y_0)\) reaching \((\bar{x}, \bar{y})\) at a common distance is amplified by \(\#C\) times, the maximum number of cycles that can be used, by using the set of correctable distance bias as stated in Sect. 2.7.2. Moreover, such a probability amplification comes with almost no increase in complexity at Step 2, which leads to a new complexity trade-off between Steps 2 and 3. Thus, the usage of cyclic nodes and multi-cycles enables us to reduce the computational complexity of preimage attacks on the XOR combiner.

### Overview of the Attack

Here, we briefly list the *main* steps of our preimage attack on the XOR combiner.

By balancing the complexities of these steps, we obtain an optimal complexity of \(2^{5n/8}\).

### Details of the Preimage Attack on the XOR Combiner Using Multi-cycles

In this section, we present the completed description of the attack procedure and complexity evaluation. We point out the length of our preimage is at least \(2^{n/2}\) blocks due to the usage of (multi-) cycles.

#### Attack Procedure

Denote by *V* the target hash digest. Suppose the attacker is going to produce a preimage message with a length *L*. The value of *L* will be discussed later. The attack procedure is described below.

#### Complexity Analysis

For parameters \( L \ge 2^{n/2} \), \( s \ge 0 \) and \( t \ge 0 \), the complexity of the steps of the attack is given below (ignore the constant and polynomial factors for simplicity of description).

**Step 1:**\(L+n^2 \cdot 2^{n/2}\) (refer to Sect. 2.6);**Step 2:**\(2^{n/2} + L/L_1 \approx 2^{n/2} + 2^{-n/2} \cdot L \approx 2^{n/2}\);**Step 3:**\(2^{s+n/2}\);One execution of the search procedure has a complexity of \(L_1 + L_2\) and contributes to \(L_1 \cdot L_2\) pairs. As \(L_1 \cdot L_2 = \varTheta (2^{n})\), one tuple can be obtained by a constant number of executions. Hence, the number of necessary executions is \(\varTheta (2^s)\), and the complexity of this step is \(\varTheta (2^{s+n/2})\).

**Step 4:**\(2^{t}+2^{n/2}\);The complexity of developing \(2^t\) nodes and computing their distance to a particular target node is \(2^t\) (refer to Algorithm 5 and Step 4a). The complexity to compute the distance of all the other target nodes to the particular target node is upper bounded by \(2^{n/2}\) (refer to the expectation of the maximum cycle length in Thm. 3). Hence, the complexity of this step is \(2^{t}+2^{n/2}\).

**Step 5:**\(2^{2n-t-s}/L\);One execution of the search procedure requires a time complexity of \(2^{n-t}\). Clearly, a constant factor of both chains encounter nodes stored in \( \mathcal {G}_{1} \) and \( \mathcal {G}_{2} \). We mainly need to evaluate the probability of deriving a common distance for each chain. For every pair of target nodes \((\bar{x}_i, \bar{y}_i)\), the value of \(d_{x_{i}}-d_{y_i}\) is equal to a correctable distance bias in \(\mathcal {D}\) with a probability of \(\#C \cdot 2^{-n/2} \approx L \cdot 2^{-n}\). Since there are \(2^s\) pairs of target nodes, the success probability of each chain is \(L \cdot 2^{s-n}\). Hence, the total number of chains is \(2^{n-s}/L\), and the complexity of this step is \(2^{n-t} \cdot 2^{n-s} / L = 2^{2n-t-s}/L\).

**Steps 6 and 7:**\(\mathcal {O}(L)\).

The overall complexity is computed as (denote \( L = 2^{\ell } \))

where the complexity of Step 2 is ignored.

Now, we search for parameters *t* and *s* that give the lowest complexity. First, we balance Step 3 and Step 4 by setting \( s + n/2 = t \). That gives \( s = t - n/2 \). The complexity becomes (ignoring constant factors) \(2^{\ell } + 2^t + 2^{5n/2 - 2t - \ell }.\) We then make a balance by setting \( t = 2n - 2t + n/2 - \ell \), i.e., \( t = 5n/6 - \ell /3 \). Thus, the total complexity becomes

Hence,

for the case \( n/2 \le \ell \le 5n/8 \), the final complexity is \( 2^{5n/6 - \ell /3} \);

for the case \( 5n/8 < \ell \), the final complexity is \( 2^{\ell } \).

The optimal complexity is \( 2^{5n/8} \), obtained for messages of length \( 2^{5n/8} \) (see Fig. 12 for a trade-off curve).

### Optimizing the Multi-cycle-Based Preimage Attack on the XOR Combiner Using the Interchange Structure

Again, similar to the previous deep iterate-based preimage attack, this multi-cycle-based preimage attack on the XOR combiner can also be improved using an interchange structure. The complexity of the attack using a \( 2^r \)-interchange structure is analysed as follows.

Denote \( L = 2^{\ell } \). For parameters \( t \ge n/2 \), \( {\ell } \ge n/2 \) and \( 0 \le r \le {\ell }/2 \) (because the length \( 2^{2r} \) of the interchange structure should be no larger than the message length \( L = 2^{\ell } \)), the complexity of each step is as follows:

The sum of dominant terms is

We first balance the last four terms by setting \( s + n/2 = t = 2n - t - s - r - {\ell } = n/2 + 2r\). Thus, \( t = 11n/14 - 2\ell /7 \), \( s = 2n/7 - 2\ell /7\) and \( r = n/7 - \ell /7 \). Note that for \( {\ell } \ge n/2 \), we have \( n/7 - {\ell }/7 \le n/14 < n/2 \). Thus, the restriction \( r \le {\ell }/2 \) always holds in this setting. The total complexity turns to be

Hence,

for the case \( n/2 \le {\ell } \le 11n/18 \), the final complexity is \( 2^{11n/14 - 2l/7} \);

for the case \( 11n/18 < {\ell } \), the final complexity is \( 2^{\ell } \).

The optimal complexity is \( 2^{11n/18} \), obtained for messages of length \( 2^{11n/18} \) (see Fig. 12 for a trade-off curve).

## Second-Preimage Attack on Concatenation Combiners Based on Deep Iterates

In this section, we introduce the first second-preimage attack faster than \( 2^{n} \) on concatenation combiners of MD hashes.

In this attack, we are given a challenge message \(\varvec{M}= m_1\Vert m_2\Vert \ldots \Vert m_L\), and our goal is to find another message \(\varvec{M}'\) such that \(\mathcal {H}_1(\varvec{M}') \Vert \mathcal {H}_2(\varvec{M}') = \mathcal {H}_1(\varvec{M}) \Vert \mathcal {H}_2(\varvec{M})\) (or equivalently \(\mathcal {H}_1(\varvec{M}') = \mathcal {H}_1(\varvec{M})\) and \(\mathcal {H}_2(\varvec{M}') = \mathcal {H}_2(\varvec{M})\)). We denote the sequence of internal states computed during the invocation of \(h_1\) (respectively, \(h_2\)) on \(\varvec{M}\) by \(a_0,a_1,\ldots ,a_L\) (respectively, \(b_0,b_1,\ldots ,b_L\)).

The general framework of our attack is similar to that of, the long message second-preimage attack on a single MD hash proposed by Kelsey and Schneier and described in Sect. 2.2. Namely, we first compute the sequences of internal states \(a_1,\ldots ,a_L\) and \(b_1,\ldots ,b_L\) by applying the compression functions \(h_1\) and \(h_2\) on the challenge message \(\varvec{M}= m_{1}\Vert \ldots \Vert m_L\). Our goal is then to “connect” to one of the state pairs \((a_i,b_i)\) using a different message prefix of the same size. Once we manage to achieve this, we can reuse the same message suffix as in \(\varvec{M}\) and obtain a second preimage.

There are two main challenges in this approach, where the main challenge is to connect to some state pair \((a_i,b_i)\) generated by \(\varvec{M}\) from a different message. The secondary challenge is to ensure that the connected message prefixes are of the same length. We overcome the secondary challenge by building a simultaneous expandable message for two Merkle–Damgård hash functions, as described in Sect. 2.6.

A much more difficult challenge is to actually connect to the challenge message on a state pair \((a_i,b_i)\) from a different message of arbitrary (smaller) length. Indeed, the obvious approach of attempting to reach an arbitrary 2*n*-bit state pair by trying random messages requires more than \(2^n\) time, since the number of target state pairs is equal to the message length which is smaller than \(2^n\). A more promising approach is to use the *interchange structure* introduced in Sect. 3. Recall that the interchange structure consists of an initial state pair (*a*, *b*), a set of message fragments \( \mathcal {M} \) and two sets of internal states \(\mathcal {A}\) (for \(\mathcal {H}_1\)) and \(\mathcal {B}\) (for \(\mathcal {H}_2\)) such that for any value \(A \in \mathcal {A}\) and any value \(B \in \mathcal {B}\), it is possible to efficiently construct a message \(M_{A,B} \in \mathcal {M}\) that maps (*a*, *b*) to (*A*, *B*). Assume that there exists an index \(i \in \{1,2,\ldots ,L\}\) such that \(a_i \in \mathcal {A}\) and \(b_i \in \mathcal {B}\); then, we can connect to \((a_i,b_i)\) using \(M_{a_i,b_i}\) as required. Unfortunately, this does not result in an efficient attack, essentially because the complexity of building an interchange structure for sufficiently large sets \(\mathcal {A}\) and \(\mathcal {B}\) is not efficient enough.

Here, as in the deep iterate-based preimage attack on XOR combiner, we use deep iterates in functional graphs of \( f_1(\cdot ) \triangleq h_1(\cdot ,m) \) and \( f_2 \triangleq h_2(\cdot ,m) \). (As a result, it is not applicable when any one of the underlying hash functions are of the HAIFA framework.) More specifically, our goal is to find a state pair \((a_p,b_p)\) composed of two deep iterates in \(\mathcal {FG}_{f_1}\) and \(\mathcal {FG}_{f_2}\), respectively.^{Footnote 15} Once we find such a “special” state pair, we show how to simultaneously reach both of its states in an efficient manner from an arbitrary state pair. Combined with the simultaneous expandable message, this gives the desired second preimage.

Next, as in previous attack, we start by providing a high-level overview of the attack and then give technical details.

### Overview of the Attack

The attack is composed of three main phases.

#### Complexity Analysis

Denote \(L = 2^\ell \). For a parameter \( g_1 \ge max(n/2, n-\ell )\), the complexity of the phases of the attack (as computed in their detail description) is given below (ignoring constant factors).

We balance the second and third phases by setting \(2n - g_1 - \ell = 3g_1/2\), or
\(g_1 = 2/5 \cdot (2n-\ell )\), giving time complexity of \(2^{3/5 \cdot (2n-\ell )}\). This trade-off holds as long as \(2^{\ell } + n^2 \cdot 2^{n/2} \le 2^{3/5(2n-\ell )}\), or \(\ell \le 3n/4\). The optimal complexity is \(2^{3\ell /4}\), obtained for \(\ell = 3n/4\) (see Fig. 12 for a trade-off curve). The attack is faster than \(2^n\) (Joux’s preimage attack) for^{Footnote 16}\(\ell > n/3\). The message range for which the attack is faster than \(2^n\) can be slightly improved to \(L \ge 2^{2n/7}\) using the optimized attack, described in Sect. 6.3.

### Details of the Second-Preimage Attack on Concatenation Combiners Using Deep Iterates

Details of Phase 1 can be found in Sect. 2.6.

#### Details of Phase 2: Finding a Target State Pair

In the second phase, we fix an arbitrary message block *m*, giving rise to the functional graph \( \mathcal {FG}_{f_1} \) of \(f_1(\cdot ) \triangleq h_1(\cdot ,m)\) and \( \mathcal {FG}_{f_2} \) of \(f_2(\cdot ) \triangleq h_2(\cdot ,m)\) and let \(g_1 \ge n/2\) be a parameter (to be determined later). Our goal is to find a pair of states \((\bar{x},\bar{y})\), a message block \(\bar{m}\) and an index *p* such that the following two conditions hold:

- 1.
The state \(\bar{x}\) is a \(2^{n-g_1}\)th iterate in \( \mathcal {FG}_{f_1} \) and \(\bar{y}\) is a \(2^{n-g_1}\)th iterate in \( \mathcal {FG}_{f_2}\).

- 2.
The state pair \((\bar{x},\bar{y})\) is mapped to \((a_p,b_p)\) by \(\bar{m}\), or \((\bar{x},\bar{y}) \xrightarrow {\bar{m}} (a_p,b_p)\).

The algorithm of this phase is given below.

The time complexity of Steps 2 and 3 (which execute Algorithm 5) is approximately \(2^{g_1}\). The time complexity of Step 4.(a) and Step 4.(b) is also bounded by \(2^{g_1}\) (given that \(a_1,\ldots ,a_L\) and \(b_1,\ldots ,b_L\) are sorted in memory), as the size of \(\mathcal {T}_1\) and \(\mathcal {T}_2\) is at most \(2^{g_1}\) and the number of matches found in each step can only be smaller.

We now calculate the expected number of executions of Step 4 until the required \((a_p,b_p)\) is found. According to Observation 1 in Sect. 2.7.1, the expected size of \(\mathcal {T}_1\) and \(\mathcal {T}_2\) (that contain iterates of depth \(2^{n-g_1}\)) is close to \(2^{g_1}\). According to the birthday paradox, the expected size of \(\mathcal {T}'_1\) is approximately \(L \cdot 2^{g_1 - n}\). Similarly, the number of matches \(y' = b_{j}\) is also approximately \(L \cdot 2^{g_1 - n}\). The probability of a match \(i=j\) in Step 4.(b) is computed using a birthday paradox on the *L* possible indexes, namely \(1/L \cdot (L \cdot 2^{g_1 - n})^2 = L \cdot 2^{2g_1 - 2n}\). As a result, Step 4 is executed approximately \(1/L \cdot 2^{2n - 2g_1}\) times until the required \((a_p,b_p)\) is found. (The executions with different blocks \(m'\) are essentially independent.) Altogether, the total time complexity of this step is

Since the index *p* is uniformly distributed in the interval [1, *L*], we will assume that \(p = \varTheta (L)\).

#### Details of Phase 3: Hitting the Target State Pair

In the third and final phase, we start from the pair of endpoints \((\hat{x},\hat{y})\) of the simultaneous expandable message constructed in Phase 1 and compute a message fragment \(\hat{M}_{\Vert q}\) of length \(q < p-1\) such that \((\hat{x},\hat{y}) \xrightarrow {\hat{M}_{\Vert q}} (\bar{x},\bar{y})\). Like in the deep iterate-based preimage attack on the XOR combiner, here, we again use in a strong way the fact that the state \(\bar{x}\) (and \(\bar{y}\)) is a deep iterate (of depth \(2^{n-g_1}\)) in the functional graph of \(f_1(x)\) (\(f_2(y)\)).

This phase is carried out by picking an arbitrary starting message block \(\hat{m}\), which gives points \(x_0 = h_1(\hat{x},\hat{m})\) and \(y_0 = h_2(\hat{y},\hat{m})\). We then continue to evaluate the chains \(x_i = h_1(x_{i-1} , m)\) and \(y_j = h_2(y_{j-1} , m)\) up to a maximal length \(L'=2^{n-g_1}\). We hope to encounter \(\bar{x}\) at some distance \(q-1\) from \(x_0\) and to encounter \(\bar{y}\) at the same distance \(q-1\) from \(y_0\). Given that \(q-1 < p\), this will give the required \(\hat{M} = \hat{m} \Vert [m]^{q-1}\) (where \([m]^{q-1}\) denotes the concatenation of \(q-1\) message blocks *m*), which is of length \(q < p-1\). If \(\bar{x}\) and \(\bar{y}\) are encountered at different distances in the chains, or at least one of them is not encountered at all, we pick a different value for \(\hat{m}\) and start again.

Since \(\bar{x}\) (resp. \( \bar{y} \)) is an iterate of depth \(2^{n - g_1}\) in \(\mathcal {FG}_{f_1}\) (resp. \( \mathcal {FG}_{f_2} \)), it is an endpoint of a chain of states of length \(L' = 2^{n - g_1}\) (such a chain was computed in Phase 2). According to Observation 2, the probability that \(\bar{x}\) and \(\bar{y}\) will be encountered at the same distance from arbitrary starting points \(x_0\) and \(y_0\) of chains is \( 2^{n - 3g_1} \). The probability calculation gives rise to the conclusion that we need to compute approximately \(2^{3g_1-n}\) chains from different starting points. Each chain is of length up to \(L' = 2^{n - g_1}\). This gives a total time complexity of about \(2^{3g_1-n + n - g_1} = 2^{2g_1}\). Since \(g_1 \ge n/2\), the time complexity of the full algorithm is at least \(2^n\), and the attack is not faster than Joux’s preimage attack.

To optimize the algorithm, as we did in the deep iterate-based preimage attack, we use a look-ahead procedure by further expanding the graphs of \(f_1\) and \(f_2\). The difference is that since we only select a single pair of deep iterate as the target, we do not use the distinguished point technique^{Footnote 17}\(^{,}\)^{Footnote 18}. We pick a parameter \(g_2 > g_1\) and execute the algorithm below.

The time complexity of Step 1 is approximately \(2^{g_2}\). As concluded above, in Step 2, we perform approximately \(2^{3g_1-n}\) trials on the value of \( \hat{m} \) before finding two starting points \( x_0 \) and \( y_0 \) at the same distance from \(\bar{x}\) and \(\bar{y}\). According to the analysis of Sect. 2.7.1, each trial requires approximately \(2^{n-g_2}\) computation (before hitting \(\mathcal {G}_1\) and \(\mathcal {G}_2\)). Therefore, the total time complexity of this phase is \(2^{g_2} + 2^{3g_1-n}\cdot 2^{n-g_2} = 2^{g_2} + 2^{3g_1-g_2}\). The complexity is minimized by setting \(g_2 = 3g_1/2\) which balances the two terms and gives a time complexity of

Finally, we note that the memory complexity of this algorithm can be optimized using distinguished points. A detailed way to achieve this has been presented in the closely related algorithm in Sect. 4.2.2.

### Optimizing the Deep Iterate-Based Second-Preimage Attack on Concatenation Combiners Using an Interchange Structure

Similar to the deep iterate-based preimage attack on the XOR combiner, this deep iterate-based second-preimage attack can also be slightly improved using an interchange structure. The detailed complexity analysis of the attack using a \( 2^r \)-interchange structure is as follows:

Denote \( L = 2^{\ell } \). For parameters \( g_1 \ge \max (n/2, n - {\ell }) \), \( g_2 \ge 0 \) and \( 0 \le r \le {\ell }/2 \) (because the length \( 2^{2r} \) of the interchange structure should be less than the message length \( 2^{\ell } \)), the complexity of the phases of the attack is (ignoring constant factors)

Compared with the complexity of the attack in Sect. 6.1, the difference lies in Phase 3. In the complexity formula of Phase 3, the term \( 2^{g_2} \) is the number of nodes developed in the look-ahead procedure; the term \( 2^{3g_1 - n - 2r} \) is the required number of samplings on the random massage block \( \hat{m} \) when trying to find a pair of starting nodes reaching the pair of \( 2^{n-g_1}\)th iterates \( (\bar{x}, \bar{y}) \) at a common distance; the term \( 2^{r + n - g_2} \) is the time complexity for computing the distances of a set of \( 2^r \) starting nodes (generated using the same value for \( \hat{m} \)) from a target node; and the term \( 2^{n/2 + 2r} \) is the time complexity for building a \( 2^r \)-interchange structure.

We first balance the first two terms in Phase 3 by setting \( g_2 = 3g_1 - g_2 - r \), which gives \( g_2 = 3g_1/2 - r/2 \). The sum of all dominant terms is

For \( {\ell } > 7n/17 \), we set \( 2n - g_1 - {\ell } = 3g_1/2 - r/2 = n/2 + 2r \), which gives \( g_1 = 19n/22 - 5\ell /11 \) and \( r = 7n/22 - 3\ell /11 \). The total complexity is then \(2^{\ell } + 2^{25n/22 - 6{\ell }/11}\). For \( {\ell } > 25n/34 \), we have \( 25n/22 - 6{\ell }/11 < {\ell } \). Thus, the time complexity is \( 2^{\ell } \) for \( {\ell } > 25n/34 \). Note that \( g_1 = 19n/22 - 5{\ell }/11\) fulfils the restriction \( g_1 \ge \max (n/2, n - \ell ) \) for \( n/4 \le \ell \le 4n/5 \), and \( r = 7n/22 - 3\ell /11 \) fulfils the restriction \( 2r < l \) as long as \( \ell > 7n/17 \). Thus, the time complexity is \( 2^{25n/22 - 6{\ell }/11} \) for \( 7n/17 < {\ell } \le 25n/34 \).

For \( {\ell } \le 7n/17 \), we directly set \( r = {\ell }/2 \) (the maximum under the restriction \( 2r < \ell \)) to optimize the complexity (because as shown next, the balanced sum \( 2^{2n - g_1 - {\ell }} + 2^{3g_1/2 - r/2} \) is greater than \( 2^{n/2 + 2r} \) under the restrictions \( g_1 \ge \max (n/2, n-{\ell }) \), \( 2r < \ell \) and \( {\ell } \le 7n/17 \)). The formula is \(2^{2n - g_1 - {\ell }} + 2^{3g_1/2 - {\ell }/4} + 2^{n/2 + {\ell }}.\) We balance the first two terms by setting \( 2n - g_1 - {\ell } = 3g_1/2 - {\ell }/4 \), from which we deduced that \( g_1 = 4n/5 - 3{\ell }/10 \) (fulfils the restriction \( g_1 \ge \max (n/2, n-{\ell }) \) as long as \( \ell > 2n/7 \)). Then, the complexity is \( 2^{6n/5 - 7{\ell }/10} + 2^{n/2 + {\ell }} \). Since \( 6n/5 - 7{\ell }/10 \ge n/2 + {\ell } \) for \( {\ell } \le 7n/17 \), the total time complexity is then \( 2^{6n/5 - 7{\ell }/10} \). It is no less than \( 2^n \) for \( \ell < 2n/7 \).

Thus, the final time complexity of this attack using interchange structure is summarized as follows:

For the case \( {\ell } < 2n / 7 \), the complexity is \( 2^n \) achieved by Joux’s attack;

For the case \( 2n / 7 \le {\ell } \le 7n / 17 \), the complexity of this attack is \( 2^{6n/5 - 7{\ell }/10} \);

For the case \( 7n / 17 < {\ell } \le 25n/34 \), the complexity of this attack is \( 2^{25n/22 - 6{\ell }/11} \);

For the case \( {\ell } > 25n/34 \), the complexity of this attack is \( 2^{\ell } \).

The optimal complexity is \( 2^{25n/34} \), obtained for messages of length \( 2^{25n/34} \) (see Fig. 12 for a trade-off curve).

## Second-Preimage Attack on the Zipper Hash

In this section, we present the first second-preimage attack on the Zipper hash, which is applicable for *idealized* compression functions and hence a generic attack. Again, the attack is based on the deep iterates and multi-cycles in the functional graphs defined by \(f_1(\cdot ) \triangleq h_1(\cdot , m) \) and \( f_2(\cdot ) \triangleq h_2(\cdot , m) \) with a fixed single-block message value *m*. The general framework is similar to that of the above ones on combiners of MD hashes. However, some special specifications on the Zipper hash allow the attacker to choose an optimal configuration for the attack and to launch a more efficient connecting phase in the attack. More precisely, as opposed to the two parallel combiners, in the Zipper hash, the message length is placed in the middle of the two passes. Thus, when we first connect our crafted message to the challenge message on an internal state in the second pass, the message prefix of our crafted message is fixed. This prefix does not include the length padding. As a result, the length of our crafted message is not necessarily equal to the length of the challenge message. Thus, we can choose a proper length for our crafted message that optimizes the attack complexity. A further uniqueness of the Zipper hash is that its second pass processes the message blocks in a reversed order. Thus, in the attack, when looking for a pair of nodes \((\check{x}, \check{y})\) reaching two predefined nodes of deep iterates \((\bar{x}, \bar{y})\) at a common distance, \(\check{x}\) and \(\check{y}\) are computed with different message blocks. This enables us to launch an efficient meet-in-the-middle procedure during the connecting phase. Accordingly, Joux’s multi-collision (see Sect. 2.1) is used to facilitate the meet-in-the-middle procedure, and the previous simultaneous expandable message in Sect. 2.6 is fine-tuned to adapt to the Zipper hash.

### Overview of the Attack

Given a message \( \varvec{M}= m_1\Vert \cdots \Vert m_L \), the goal of the second-preimage attack on the Zipper hash is to find another message \(\varvec{M}'\) such that \( \mathcal {H}_2(\mathcal {H}_1(IV, \varvec{M}), \overleftarrow{\varvec{M}}) = \mathcal {H}_2(\mathcal {H}_1(IV, \varvec{M}'), \overleftarrow{\varvec{M}'})\), where \( \overleftarrow{\varvec{M}} \) is a message generated by reversing the order of message blocks of \( \varvec{M}\) (we call \( \overleftarrow{\varvec{M}} \) the reverse of \( \varvec{M}\)), i.e., \( \overleftarrow{\varvec{M}} = m_L \Vert m_{L-1} \Vert \cdots \Vert m_1 \), and \( \overleftarrow{\varvec{M}'} \) is the reverse of \( \varvec{M}' \). Here, we briefly list the *main* steps of the attack.

There are two main differences between the attack on the Zipper hash and the second-preimage attack on concatenation combiners (Attack 4) and the preimage attacks on XOR combiners (Attacks 2 and 3). One is that linking \(\tilde{x}\) to \(\bar{x}\) and \(\tilde{y}\) to \(\bar{y}\) can be carried out independently, resulting in a meet-in-the-middle-like effect. The other is that the message length is embedded inside the expandable message \(\mathcal {M}_\mathtt{SEM}\), which enables us to choose the length of second preimage to optimize the complexity.

### Details of the Second-Preimage Attack on the Zipper Hash

In this subsection, we present the detailed procedure of Attack 5.

#### Complexity Analysis

The complexities of each step in this attack are as follows (ignoring constant factors and the factor *n*):

The sum of dominant terms is

where \( 2^t \) is the complexity for developing more nodes in the look-ahead procedure; \( 2^{{\ell }'} \) is the complexity for building the simultaneous expandable message; \( 2^r\cdot 2^{n - t} \) is the complexity for generating tables \( \mathcal {T}_1 \) and \( \mathcal {T}_2 \).

We first balance the first term with the fourth term by setting \( t = r + n - t \), which gives \( t = n/2 + r/2 \). As a result, the sum of dominant terms is

When the allowed length \( L' \) of the second preimage is limited by \( 2^{n/2} \), we set \( {\ell }' = n/2 \) to optimize the complexity. The multi-cycle technique is not applicable. The required number of samplings on pairs of starting nodes before finding one pair reaching any one of the \( 2^{2r} \) pairs of target nodes at a common distance is \( 2^{2n - 3n/2} \). Thus, it is required that \( 2^{2r} = 2^{2n - 3n/2} = 2^{n/2} \). This gives \( r = n/4 \). The total complexity is then \( 2^{5n/8} \) for all \( {\ell } \ge 3n/8 \).

When the allowed length \( L' \) of the second preimage is not limited and can be greater than \( 2^{n/2} \), multi-cycles can be used. In this case, the required number of samplings on pairs of starting nodes before finding one pair reaching any one of the \( 2^{2r} \) pairs of target nodes at a common distance is \( 2^{2n - 3n/2 - ({\ell }' - n/2)} \). Thus, \( 2^{2r} = 2^{n - {\ell }'} \). This gives \( r = n/2 - {\ell }'/2 \). The total complexity is then \( 2^{3n/4 - {\ell }'/4} + 2^{{\ell }'} + 2^{n - {\ell }} \). We then balance the first two terms by setting \( 3n/4 - {\ell }'/4 = {\ell }' \), which gives \( {\ell }'= 3n/5 \).

For the case \( {\ell } < 2n/5 \), the total complexity is \( 2^{n-{\ell }} \);

For the case \( 2n/5 \le {\ell } \), the total complexity is stabilized at \( 2^{3n/5} \).

(see Fig. 13 for trade-off curves).

### Step 4: Constructing an Expandable Message

The constructing method is similar to that in Sect. 2.6, with slight modifications. Detailed steps and the method used are shown in Algorithm 6, where \( C \approx n/2 + \log (n) \):

## Second-Preimage Attack on Hash-Twice

In this section, we present an efficient second-preimage attack on another cascade hash construction—Hash-Twice (a generalized specification \( \mathcal {HT}(M) \triangleq \mathcal {H}_2(\mathcal {H}_1(IV, M), M) \)). Similar to the previous second-preimage attack on Hash-Twice in [2], this attack builds a diamond structure for one hash function by exploiting messages in a long multi-collision built for the other hash function. Like all our previous functional graph-based (deep iterate-based and multi-cycle-based) attacks, it improves the attack from [2] because of the efficiency brought by exploiting the special nodes in the functional graphs. It follows the same structure as the second-preimage attack on the concatenation combiner, but the result shows that attacking Hash-Twice can be much more efficient than attacking the concatenation combiner. That is mainly because the attack tries to connect to an *n*-bit internal state in the case of Hash-Twice, instead of a 2*n*-bit internal state in the case of the concatenation combiner. Note that similar to all previous functional graph-based attacks, this attack applies when the underlying hash functions use the MD construction.

### Overview of the Attack

Given a challenge message \( \varvec{M}= m_1 \Vert m_2 \Vert \dots \Vert m_L \), the goal of the second-preimage attack on Hash-Twice is to find another message \( \varvec{M}' \) such that \( \mathcal {H}_2(\mathcal {H}_1(IV, \varvec{M}'), \varvec{M}') = \mathcal {H}_2(\mathcal {H}_1(IV, \varvec{M}), \varvec{M}) \). The framework of this attack is sketched as follows.

### Details of the Second-Preimage Attack on Hash-Twice Based on Multi-cycles, Diamond and Interchange Structure for Long Messages

The detailed steps of the second-preimage attack on Hash-Twice are follows:

#### Complexity Analysis

The complexity of each step in this second-preimage attack on Hash-Twice is as follows (denote \( L = 2^{\ell }\)):

For \( {\ell } > n/2 \), we have \( 2^{n-{\ell }} < 2^{n/2} \). The sum of dominant terms is (ignoring polynomial factors)

We balance different terms by setting \( t = n/2 + 2r = n/2 + s/2 = 2n - t - r - s - {\ell }\), i.e., \( r = t/2 - n/4 \), \( s = 2t - n \) and \( t = 13n/18 - 2{\ell }/9 \). Consequently, the total complexity is approximately

The improved attack is valid for all \( {\ell } > n/2 \) (even when we account for the message length \( 2^{2r} \) of the interchange structure, which should be less the \( 2^{\ell } \)). The optimal complexity for this attack is \( 2^{13n/22} \), obtained when \( 2^{\ell } = 2^{13n/22} \). Compared with the original optimal complexity \( 2^{2n/3} \) for messages of length \( 2^{13n/22} \), the improvement is \( 2^{5n/66} \) (see Fig. 13 for a trade-off curve).

### Details of the Second-Preimage Attack on Hash-Twice Based on Deep Iterates, Diamond and Interchange Structure for Short Messages

Note that for \( L = 2^{\ell } \le 2^{n/2} \), we can no longer apply the multi-cycles technique. However, we can still choose deep iterates with depth less than \( 2^{n/2} \) as target nodes and selected proper iterate depth to improve the second-preimage attack on Hash-Twice for short messages.

The procedure of this new attack is similar to that of the previous attack in Sect. 8.2. The difference lies in that in Step 1, we collect a set of \( 2^s \) pairs of target nodes \(\{ (\bar{x}_1, \bar{y}), (\bar{x}_2, \bar{y}), \dots , (\bar{x}_{2^s}, \bar{y}) \} \), where \( \bar{x}_i \)’s are \( 2^{n - g} \)th iterate nodes in \( \mathcal {FG}_{f_1} \) for \( 1 \le i \le 2^s \) and \( \bar{y} \) is a \( 2^{n - g} \)th iterate node in \( \mathcal {FG}_{f_2} \). It is required that \( g \ge \max (n/2, n - {\ell }) \). In addition, in Steps 2 and 7, we use the distinguish point technique in the look-ahead procedure as we did in the preimage attack on XOR combiner in Sect. 4.2. The procedures in other steps are the same as those in Sect. 8.2.

In this case, the required number of samplings before finding a pair of \( (\check{x}, \check{y}) \) such that they reach one of the target pairs of nodes \( (\bar{x}_i, \bar{y}) \) at a common distance is \( 2^{3g - n - s - 2r} \). Consequently, the complexity of Step 7 is \( 2^{r} \cdot 2^{3g - n - s - 2r} \cdot (2^{n - t} + 2^{\ell + t - n} + 2^{\ell + s - g}) \). Thus, complexity of each step in this second-preimage attack on Hash-Twice for short message is as follows:

For \( {\ell } \le n/2 \), we have \( 2^{n - {\ell }} \ge 2^{n/2} \). Thus, the sum of dominant terms is

We first set \( t = n/2 + s/2 = n/2 + 2r = 3g - s - t - r\), i.e., \( t = 2g/3 + 5n/18 \), \( s = 4g/3 - 4n/9 \) and \( r = g/3 - n/9 \) to make a balance. The sum of dominant terms is \( 2^g + 2^{2g/3 + 5n/18} + 2^{n - \ell } + 2^{2g + \ell - 7n/6} + 2^{5g/3 + \ell - 8n/9} \). We optimize the attack by picking the minimal value of *g* under the restriction \( g \ge \max (n/2, n-{\ell }) \), i.e., \( g = n - {\ell } \) for \( {\ell } \le n/2 \). Consequently, the total complexity becomes (for \( g = n - {\ell } \) and \( \ell < n/2 \), with the last two terms always less than \( 2^{n - \ell } \), the distinguished points method allowed us to resolve with no overhead the complication of keeping track of distances from \( 2^s \) target nodes):

The improved attack is better than that in [2] for \( {\ell } > 5n/12 \) (in which case \( 17n/18 - 2{\ell }/3 < 2n/3 \), the message length \( 2^{2r} \) of the interchange structure is less the \( 2^{\ell } \), thus applicable). The optimal complexity for this attack is \( 2^{11n/18} \), obtained when \( {\ell } = n/2 \). Compared with the previous best-known complexity \( 2^{2n/3} \) at message length \( L = 2^{n/2} \), the improvement is \( 2^{n/18} \) (see Fig. 13 for a trade-off curve).

## More Applications and Extensions

### Applications Beyond MD Construction and Beyond XOR Operation

*Application to HAIFA Mode* The first preimage attack on the XOR combiner purely bases on interchange structure. Thus, it works identically if the hash functions use the HAIFA mode rather than the plain Merkle–Damgård iteration, whereas the other attacks all based on functional graphs requiring identical compression functions and thus cannot work if the underlying hash functions use the HAIFA mode.

*Application to Cryptophia’s Short Combiner* All of our attacks on XOR combiner can also be applied to Cryptophia’s short combiner, as proposed by Mittelbach [46], and to the revised version of Mennink and Preneel [47]. This combiner computes the sum of two hash functions with some preprocessing of the message to allow non-independent functions:

where \(k_1, k_2, l_1, l_2\) is a randomly chosen key. The security proof in the ideal model shows that *C* is optimally preimage resistant if at least one of the hash functions is ideal.

However, if both \(\mathcal {H}_1\) and \(\mathcal {H}_2\) are narrow-pipe, we can apply our preimage attacks with the same corresponding complexity. This does not violate the security proof because we need both functions to be narrow-pipe and hence not *n*-bit ideal.^{Footnote 19} From a practical point of view, though, they show that in many cases (*e.g.*, using SHA-512 and Whirlpool) the combiner is *weaker* than the initial functions.

*Application Beyond XOR* All preimage attacks on XOR combiner can easily be extended to \(\mathcal {H}_1(M) \odot \mathcal {H}_2(M)\) where \(\odot \) denotes an easy to invert group operation (for instance, a modular addition rather than the exclusive-or). These attacks can also be extended to hash functions \(\mathcal {H}_1\) and/or \(\mathcal {H}_2\) using an internal checksum, such as the GOST family of hash functions, using pairs of blocks with a constant sum.

### Applications to the Combination of Wide-Pipe Hash Functions

Our attacks can also be used when the internal state size \(n'\) is (not much) larger than the output size *n*.

#### The Interchange Structure-Based Preimage Attack on the XOR Combiner

In Attack 1, the complexity of building a \(2^t\)-interchange structure is related to \(n'\) as \((n'/2)\cdot 2^{2t+n'/2}\). On the other hand, the complexity of the meet-in-the-middle preimage search is related to *n* as \(2^{n-t}\). The optimal complexity is \((n'/2) \cdot 2^{2n/3+n'/6}\) by matching the two complexities with \(t = n/3-n'/6\). Therefore, our attack can be applied as long as \(n'+6\log (n') \le 2n\) holds. For instance, we can compute preimages of \(\text {SHA-224} \oplus \text {BLAKE-224}\) using the interchange structure-based attack with complexity roughly \(2^{199}\).^{Footnote 20}

#### The Deep Iterate-Based Preimage Attack on the XOR Combiner

For parameters \( g_1 \ge \max (n'/2, n'- \ell ) \) and \( s \ge 0 \), the complexity of each phase in Attack 2 is as follows:

We balance the time complexities of different phases similar to what we did before. In case of \( {\ell } \le n'/2 \), we set \( g_1 = n'- \ell \), and the total time complexity of the attack is \( 2^{n/3 + 2n'/3 - 2\ell /3} + 2^{n'- \ell } \). The optimal complexity is \( 2^{n/3 + n'/3} \),^{Footnote 21} obtained for \( \ell = n'/ 2 \). It is less than \( 2^n \) when \( n'< 2n \).

#### The Multi-cycle-Based Preimage Attack on the XOR Combiner

The complexity of each detailed step in Attack 3 is no longer related to the output size *n* but related to the internal state size \( n'\) except for Step 3. For Step 3, the complexity is \( 2^{s + n - n'/ 2} \). For other steps, the complexity can be obtained by simply replacing *n* with \( n'\) from the original formula. Then, the overall complexity is approximately (note that \( \ell \ge n'/2 \))

We balance the last three terms by setting \( s + n - n'/2 = t = 2n'- t - s - \ell \), i.e., \( s = n'- 2n/3 - \ell /3 \), \( t = n'/2 + n/3 - \ell /3 \). Then, the total complexity is \( 2^{\ell } + 2^{n'/2 + n/3 - \ell /3} \). The optimal complexity is \( 2^{3n'/ 8 + n/4} \) for \( \ell = 3n'/ 8 + n/4 \). The complexity is less than \( 2^n \) when \( n'/2< \ell < n \) and \( n'< 2n \).

#### The Deep Iterate-Based Second-Preimage Attack on the Concatenation Combiner

The complexity of Attack 4 is no longer related to the output size *n* but rather is related to the internal state size \( n' \) and the message length \( L = 2^{\ell } \). The time complexity is \( 2^{(3/5) \cdot (2n'- \ell )} \) as long as \( \ell \le 3n'/ 4 \) and is less than \( 2^{n} \) for \( \ell > 2n'- 5n/3 \). Therefore, this attack can be applied when \( n'< 4n/3 \).

#### The Second-Preimage Attack on the Zipper Hash

The complexity of Attack 5 is no longer related to the output size *n* but is related to the internal state size \( n'\). We can get the complexity by simply replacing *n* with \( n'\) in the formula. Accordingly, when the length \( L' \) of the second preimage is limited by \( 2^{n'/ 2} \), the optimal complexity is \( 2^{5n'/ 8} \) for all \( {\ell } \ge 3n'/ 8 \). It is less than \( 2^n \) when \( n'< 8n/5 \). When the length \( L' \) is not limited, the optimal complexity is \( 2^{3n'/ 5} \) for all \( {\ell } \ge 2n'/ 5 \). It is less than \( 2^n \) when \( n'< 5n/3 \).

#### The Second-Preimage Attack on Hash-Twice

The complexity of Attack 6 is no longer related to the output size *n* but rather is related to the internal state size \( n'\). Accordingly, when the length \( L = 2^\ell \) is limited by \( 2^{n'/ 2} \), the total complexity is \( 2^{n'- \ell } + 2^{17n'/18 - 2\ell /3}\). The optimal complexity is \( 2^{11n'/ 18} \), obtained for \( \ell = n'/ 2 \), which is less than \( 2^n \) when \( n'< 18 n / 11 \). When the length is not limited, the total complexity is \( 2^{\ell } + 2^{13n'/ 18 - 2\ell / 9} \). The optimal complexity is \( 2^{13n'/ 22} \), obtained for \( \ell = 13 n'/ 22 \), which is less than \( 2^n \) when \( n'< 22 n / 13 \).

### Extensions to the Combination of Three or More Hash Functions

#### The Interchange Structure-Based Preimage Attack on the XOR Combiner

The interchange structure-based attack on the XOR combiner, i.e., Attack 1, can be extended to the sum of three or more hash functions. To attack the sum of *k* functions, two different strategies are possible: either we use a simpler structure that only gives two degrees of freedom and fixes \(k-2\) functions to a constant value, or we build an interchange structure to control all the *k* functions independently.

*Controlling Only Two Functions* The easiest way to extend the attack is to use a single chain in the \(k-2\) extra hash functions. The procedure to build a switch is modified in order to use multi-collisions for \(k-1\) functions instead a simple multi-collisions for one function; this costs \(O(n^{k-1} \cdot 2^{n/2})\) using Joux’s method [35]. As in the basic attack, we need \(O(t^2)\) switches to generate a \(2^t\)-interchange for two functions, and the preimage search costs \(O(2^{n-t})\); the optimal complexity is therefore \(O(n^{k-1} \cdot 2^{5n/6})\) with \(t = n/6\).

*Controlling All the Functions* Alternatively, we can build a more complex interchange structure in order to control all the functions independently. When attacking three functions, we will use the switch structure to jump from chains \((\vec {a}_{j_0},\vec {b}_{k_0},\vec {c}_{l_0})\) to \((\vec {a}_{j_0},\vec {b}_{k_0},\vec {c}_{l_1})\) (or \((\vec {a}_{j_0},\vec {b}_{k_1},\vec {c}_{l_0})\) or \((\vec {a}_{j_1},\vec {b}_{k_0},\vec {c}_{l_0})\)). We need \(2^{3t}-1\) switches in the interchange structure to reach all the \(2^{3t}\) triplets of chains. (A switch makes only one new triplet reachable.) Each switch is built using a \(2^{n/2}\)-multi-collision on two functions, which can be built for a cost of \(O(n^2 \cdot 2^{n/2})\) following Joux’s technique [35]. Therefore, we can build a \(2^t\)-interchange for a cost of \(O(n^2 \cdot 2^{3t+n/2})\). More generally, for the sum of *k* hash functions, we can build an interchange structure for *k* functions for a cost of \(O(n^{k-1} \cdot 2^{kt+n/2})\).

In the preimage search phase, we generate *k* lists of size \(2^{t}\), and we need to detect efficiently whether we can combine then to generate a zero sum. This problem can be solved using an algorithm similar to Wagner’s generalized birthday algorithm [57]. If \(k=2^\kappa \), we find a solution with probability \(O(2^{(\kappa +1)\cdot t - n})\) for a cost of \(O(k \cdot 2^t)\). Therefore, the preimage search costs \(O(k \cdot 2^{n-\kappa t})\). With \(k=4\) (i.e., \(\kappa = 2\)), this yields a complexity of \(O(n^3 \cdot 2^{5n/6})\). However, this approach is less efficient than the previous one for \(k=3\) and for \(k>4\).

To summarize, attacking the sum of *k* hash functions (\(k \ge 2\)) using interchange structure costs \(O(n^{k-1} \cdot 2^{5n/6})\). Controlling chains independently in more than two hash function might be useful for further work, but it does not improve the preimage attack on the sum of *k* hash functions.

#### The Deep Iterate-Based Preimage Attack on the XOR Combiner

Suppose the combiner outputs the sum of *k* hash digests of *n* bits. To extend Attack 2, one needs to first construct a simultaneous expandable message for *k* independent hash functions, and this costs \( O(2^{\ell } + n^{2(k-1)} \cdot 2^{n/2}) \) by setting \( C \approx (n/2 + \log (n))^{k-1} \) (see Fig. 9a).

To extend Phase 2, one collects \( 2^{g_1} \) deep iterates for each of the *k* random functional graphs and then tries to find a set of \( 2^s \) tuples of *k* deep iterates by mapping a single-block message to states whose sum equals the target *V*. Again, this can be solved using an algorithm similar to Wagner’s generalized birthday algorithm, with *k* lists of size \( 2^{g_1} \). Let \( k = 2^{\kappa } \), and then, finding \( 2^s \) tuples costs \( O(2^s \cdot k \cdot 2^{n - \kappa g_1}) \approx 2^{n + s - \kappa g_1}\).

To extend Phase 3, one expands the *k* functional graphs independently with parameter \( g_2 \) in the look-ahead procedure and then tries to find a tuple of *k* starting nodes simultaneously hitting one of the \( 2^s \) tuples of *k* deep iterates obtained in Phase 2. Note that for one tuple of *k* deep iterates of depth \( 2^d \) in independent random functional graphs, the probability for a tuple of *k* random nodes reaching them simultaneously is approximately \( 2^{-kn} \sum _{i=1}^{2^d} i^k \approx 2^{(k + 1)d - kn} \). In the attack, \( d = n - g_1 \). Thus, the complexity of Phase 3 becomes

Note that in this attack, the restrictions are \( \ell \le n/2 \) and \( g_1 \ge \max (n/2, n - l) \). Thus, the last term in the complexity of Phase 3, i.e., \( 2^{kg_1 + l - n} \), cannot be less than \( 2^n \) for \( k \ge 3 \). In other words, when combining more than two hashes, under any configuration for parameters of the attack, the distinguished points method no longer allowed us to resolve with no overhead the complication of keeping track of distances from the \( \mathcal {S}\)-nodes. Thus, this extended attack is not more efficient than \( 2^n \).

#### The Multi-cycle-Based Preimage Attack on the XOR Combiner

The extension of Attack 3 is very similar to the above extension of the deep iterate-based preimage attack. However, because this attack does not need to use the distinguished points method, it can be more efficient than \( 2^n \) for \( k \ge 3 \). Let \( k = 2^{\kappa } \). Following a similar analysis for the complexity of each step to the above one, we have the following:

We make a balance by setting \( s + n - \kappa \cdot n/2 = t = n - t + kn/2 - s - {\ell } \), i.e., \( s = (k + 2\kappa - 2)n/6 - \ell /3 \), and \( t = (k - \kappa )n/6 + 2n/3 - \ell /3 \). Then, the complexity becomes \( 2^{\ell } + 2^{(k - \kappa )n/6 + 2n/3 - \ell /3} \). It is optimally \( 2^{(k - \kappa + 4)n/8} \) by setting \( \ell = (k - \kappa + 4)n/8 \). (In this attack, we assume \( n/2< \ell < n \).)

Accordingly, it costs less than \( 2^n \) computations for \( k < 7 \). For \( k = 3 \), the optimal complexity is approximately \( 2^{(7 - \log _23)n/8} \approx 2^{0.677n}\). For \( k = 4 \), the optimal complexity is approximately \( 2^{3n/4} \approx 2^{0.75n}\). For \( k = 5 \) and \(k = 6 \), this extension is less efficient than the above extended interchange structure-based attack.

#### The Deep Iterate-Based Second-Preimage Attack on the Concatenation Combiner

Suppose the combiner outputs the concatenation of *k* hash digests of *n* bits. The direct way to extend Attack 4 is to simultaneously control *k* hash functions. To do that, again, one needs to first construct a simultaneous expandable message for *k* independent hash functions; this costs \( O(2^{\ell } + n^{2(k-1)} \cdot 2^{n/2}) \) (see Fig. 9a). To extend Phase 2, one collects \( 2^{g_1} \) deep iterates for each of the *k* random functional graphs and then tries to find a tuple of *k* deep iterates hitting *k* internal states at the same offset *p* which is uniformly distributed in the interval \( [1, 2^{\ell }] \). The complexity of Phase 2 is \( 2^{g_1} \cdot 2^{-{\ell }} \cdot 2^{kn - kg_1} = 2^{kn - (k-1)g_1 - {\ell }} \). To extend Phase 3, one expands the *k* functional graphs with parameter \( g_2 \) independently and tries to find a tuple of *k* starting nodes simultaneously hitting the tuple of *k* deep iterates obtained in Phase 2. As calculated above, for a tuple of *k* deep iterates of depth \( 2^{n-g_1} \) in independent random functional graphs, the probability for a tuple of *k* random nodes reaching them simultaneously is about \( 2^{(k + 1)(n - g_1) - kn} \). Thus, the complexity of Phase 3 becomes \( 2^{(k+1)g_1/2 } \) by setting \( g_2 = (n - g_2) + kn - (k+1)(n - g_1)\), i.e., \( g_2 = (k+1)g_1/2 \). After making a balance between different phases by setting \( g_1 = 2(kn-\ell )/(3k-1) \), one will find that the optimal complexity is \( 2^{(k+1)n/4} \), obtained for \( l = (k+1)n/4 \). Thus, for \( k \ge 3 \), the attack is not more efficient than \( 2^n \).

#### The Second-Preimage Attack on the Zipper Hash

When the Zipper hash combines \( k > 2 \) hash functions by alternatively forward computing and reverse computing, one can still extend Attack 5.

To construct a simultaneous expandable message adaptable for the Zipper hash, one first constructs partial building blocks for all the computational passes in one direction and then constructs them for all the computational passes in the other direction. Note that in each of the building blocks in a simultaneous expandable message for the Zipper hash, there are two pieces of Joux’s multi-collisions, each at one of the two ends of the building block. The left Joux’s multi-collisions are for synchronizing the reverse computations, and the right Joux’s multi-collisions are for synchronizing the forward computations. The complexity to build a cascade simultaneous expandable message for *k* hash functions can be the same as that of building a parallel one, which is approximately \( O(2^{\ell } + n^{2(k-1)}\cdot 2^{n/2}) \). Note that for even *k*, the simultaneous expandable message is placed at the end of each pass, and the length of the second preimage encoded in the simultaneous expandable message can be chosen to optimize the attack, while for odd *k*, the simultaneous expandable message is placed in the front end of each pass (see Fig. 9b, c).

Next, we take \( k = 3 \) for example to briefly describe the extended attack (see Fig. 10). The attack first collects a triple of cyclic nodes \( (\bar{x}, \bar{y}, \bar{z}) \), each node located in each of the three random functional graphs generated using the three compression functions. Start from \( \bar{z} \), we build a \( 2^{r \cdot \frac{n}{2}} \)-Joux’s multi-collisions \( {\mathcal {M}_\mathtt{MC}}_{3} \), ending with \( \hat{z} \). By exploiting messages in \( {\mathcal {M}_\mathtt{MC}}_{3} \), we can start from \( \bar{x} \) and build a \( 2^r \)-Joux’s multi-collisions \( {\mathcal {M}_\mathtt{MC}}_{1} \), ending with \( \hat{x} \). This is essentially computing a \( 2^r \)-simultaneous Joux’s multi-collision starting from state pair \( (\bar{x}, \bar{z}) \) and ending with \( (\hat{x}, \hat{z}) \). We denoted it by \( {\mathcal {M}_\mathtt{MC}}_{13} \). Start from \( \bar{y} \), we build a \( 2^r \)-Joux’s multi-collisions \( {\mathcal {M}_\mathtt{MC}}_{2} \) for the reverse computation, ending with \( \hat{y} \). Then, find a message block \( \bar{m} \) mapping \( \hat{z} \) to an internal state \( c_p \) in the original computation with \( \varvec{M}\). Afterwards, the suffix of the second preimage is fixed to be \( m_{p+1} \Vert m_{p+2} \Vert \cdots \Vert m_{L} \).

Starting from \( \hat{y} \), we compute the cascade simultaneous expandable message. Note that only after we completed the computation in the second pass (which is a reverse computation in the middle of the two forward computations) and get the terminal point \( \ddot{y} \), we can start the computation in the first and third passes. The first pass starts from *IV* and the third pass starts from the terminal point of the second pass, i.e., \( \ddot{z} = \ddot{y} \). Because there is only one reverse pass, in each building block, only the right piece of Joux’s multi-collision is required (see Fig. 9b, if \( k \ge 4 \), there should be another piece of Joux’s multi-collision at the left end in each building block). At last, we launch a meet-in-the-middle procedure using messages in \( {\mathcal {M}_\mathtt{MC}}_{13} \) and \( {\mathcal {M}_\mathtt{MC}}_2 \), to find a triple of starting nodes \( (\check{x}, \check{y}, \check{z}) \) simultaneously reach the triple of deep iterates \( (\bar{x}, \bar{y}, \bar{z}) \), and output the concatenation of the obtained message fragments.

We analysis the complexity of the extended attack in general supposing that there are *k* computational passes. Note that, among the *k* computation passes, there are \( \lceil k / 2 \rceil \) forward computations and \( \lfloor k / 2 \rfloor \) reverse computations. We have \( 2^{2r} \) pairs of starting nodes in the meet-in-the-middle procedure in the extended attack, which is the Cartesian product between the set of \( 2^r \) nodes for the forward computations and the set of \( 2^r \) nodes for the reverse computations. Let the deep iterate nodes be of depth \( 2^d \); then, each pair succeeds with probability \( 2^{(k+1)d - kn} \) without using multi-cycles, and the probability is amplified to be \( 2^{(k+1)n/2 - kn - n/2 + {\ell }'} \) by using multi-cycles.

If the message length is limited to be no more than \( 2^{n/2} \), we cannot use the multi-cycles technique. The success of the attack requires \( 2r = kn - (k+1)\cdot d \), and the attack complexity is approximately \( 2^t + 2^{{\ell }'} + 2^{n - {\ell }} + 2^r \cdot 2^{n - t} \). Setting \( d = n/2 \) and \( {\ell }' = {\ell } = n/2 \), we get \( r = kn/4 - n/4 \), and the optimal complexity is \( 2^{kn/8 + 3n/8} \), which is less than \( 2^n \) for \( k < 5 \). Concretely, the complexity is \( 2^{3n/4} \) for \( k = 3 \) and \( 2^{7n/8} \) for \( k = 4 \).

If the message length is not limited, we can use the multi-cycles technique. The success of the attack requires \( 2r = kn - (k + 1) \cdot n/2 + n/2 - {\ell }' \), i.e., \( r = kn/4 - {\ell }'/2 \). The attack complexity is approximately \( 2^t + 2^{{\ell }'} + 2^{n - {\ell }} + 2^{kn/4 - {\ell }'/2 + n - t} \). We balance the terms by setting \( t = kn/4 - {\ell }'/2 + n - t = {\ell }' \) and achieve the optimized complexity \( 2^{kn/10 + 2n/5} \) for \( n - \ell < {\ell }' \) and \( {\ell }' = {kn/10 + 2n/5} \). It is less than \( 2^n \) when \( k < 6 \). Concretely, the complexity is \( 2^{7n/10} \), \( 2^{4n/5} \), \( 2^{9n/10} \) for \( k = 3,~ 4,~ 5 \), respectively.

#### The Second-Preimage Attack on Hash-Twice

Attack 6 can be extended using two different strategies: either we only build an interchange structure for two of the *k* computational passes or we build an interchange structure to control all the *k* computational passes. The second strategies cannot be more efficient than the first. Thus, we only describe the extended attack following the first strategy here.

In the extended attack on hashing *k* times, the frameworks for constructing the first and last passes are almost identical to that of the original attack (see Fig. 11). We collect \( 2^s \) special nodes in the functional graph of the first hash function. We collect one special node in each of the last \( k - 1 \) hash functions. If the message length is not limited, we select cyclic node as special nodes to be targeted (when using multi-cycles technique, we only consider the correctable distances between two of the *k* cycles); if the message length is limited, we select deep iterate nodes as the special nodes to be targeted. We thus get \( 2^s \) tuples of *k* target nodes. From those target nodes in the last \( k - 1 \) passes, we build a \( 2^{s\cdot n/2} \)-simultaneous Joux’s multi-collision \( {\mathcal {M}_\mathtt{MC}} \) (that is, a set of messages that is Joux’s multi-collision for the \( k - 1 \) independent hash functions simultaneously and is a \( 2^{s\cdot (n/2)^{k - i + 1}} \)-Joux’s multi-collision for the *i*th hash). We herd the \( 2^s \) target nodes in the first pass to a single state \( \tilde{x} \) by building a diamond using messages in \( \mathcal {M}_\mathtt{MC}\). We try to hit an internal state in the last computational pass from the endpoint of the last Joux’s multi-collision. After that, suffix of the second preimage is fixed. We can then compute the final states of the first \( k - 1 \) passes, which are also initial states of the last \( k - 1 \) passes. We then start from the initial states in the *k* computational passes, compute a *k*-pass simultaneous expandable message (see Fig. 9a). Starting from the terminal states of the simultaneous expandable message, we build an interchange structure in which two of the *k* passes have \( 2^r \) chains and the remaining \( k - 2 \) passes have a single chain (which essentially is a simultaneous Joux’s multi-collision for the remaining \( k - 2 \) passes). We finally try to use the endpoints of the interchange structure to find a tuple of *k* starting nodes reaching one of the \( 2^s \) tuples of *k* target nodes at the same distance.

If the message length is limited to be no more than \( 2^{n/2} \), we use deep iterate nodes (with depth \( 2^{n - g} \), where \( g \ge \max (n/2, n - {\ell }) \)) as targeted nodes in the above extended attack. Following an analysis similar to the one in Sect. 8.3, one finds that the complexity is as follows (ignore the constant and polynomial factors):

In Sect. 8.3, for the case \( k = 2 \), we balance the complexity using the first term in the formula of Step 7, because the last two terms in the formula of Step 7 are less than the first term under the best configuration. Here, for the case \( k \ge 3 \), we balance the complexity using the third term in the formula of Step 7, because the third term is greater than the first two terms. Specifically, we set \( t = {n}/{2} + {s}/{2} = {n}/{2} + 2r = kg + \ell - n - r\), i.e., \( t = 2kg/3 + 2\ell /3 - n/2 \), \( s = 4kg/3 + 4\ell /3 - 2n\) and \( r = kg/3 + \ell /3 - n/2 \). The complexity of the dominant terms is \(2^g + 2^{2kg/3 + 2\ell /3 - n/2} + 2^{-4kg/3 + g - 7\ell /3 + 3n} \), in which the mid term is always greater than \( 2^n \) for \( k \ge 4 \) under the restrictions \(g \ge \max (n/2, n - \ell )\) and \(\ell \le n/2 \). Thus, the attack can be more efficient than \( 2^n \) only for \( k < 4 \). For \( k = 3 \), we set \( g = n - \ell \) to optimize the complexity. In this case, \( r = k(n - \ell )/3 + \ell /3 - n/2 \), which fulfils the restriction \( 2r \le \ell \) when \( k \le 3 \). The complexity is then

It is optimally \( (2k - 1)n/6 \), obtained for \( \ell = n/2 \). As a result, for \( k = 3 \), the optimal complexity is \( 2^{5n/6} \).

If the message length is not limited and \( {\ell } > n/2 \), we use the multi-cycles technique. Following an analysis similar to the one in Sect. 8.2, one can find that the complexity is as follows (ignoring the constant and polynomial factors):

We make a balance by setting \( t = n/2+s/2 = n/2 + 2r = (k + 2)n/2 - t - r -s -{\ell }\), i.e., \( t = (2k + 9)n/18 -2\ell /9 \), \( s = 2kn/9 - 4\ell /9 \) and \( r = kn/18 - \ell /9 \). The complexity is then

It is optimally \( 2^{{(2k + 9) n}/{22}} \) when \( {\ell } = {{(9+2k) n}/{22}} \). Thus, the attack costs less than \( 2^n \) for \( k < 7 \). Concretely, it is \( 2^{15n/22} \), \( 2^{17n/22} \), \( 2^{19n/22} \), \( 2^{21n/22} \) for \( k = 3,~ 4,~ 5,~ 6 \), respectively.

### Remark

From the above results, in the functional graph-based attacks, when use a set of deep iterates as targeted states for attacks with short messages, one has to use the distinguished points method, which is not adequately efficient to attack combiners of more than three hash functions. In contrast, when using a set of cyclic nodes for attacks with long messages, one does not need the distinguished points method and thus can extend the attacks to combiners with *n*-bit output of up to six Merkle–Damgård hash functions.

## Summary and Open Problems

In this paper, we study the security of various of hash combiners by devising generic attacks. These attacks show rather surprising results—the security upper bounds of most hash combiners are not as high as commonly believed. Regarding basic security requirements (preimage resistance, second-preimage resistance), they fail to provide more (or even the same) security than that provided by a single ideal hash function, or even less than that provided by its underlying hash functions. See Table 1 for a summary of their current security status. In Figs. 12 and 13, we summarize their detailed security status by drawing trade-off curves between the length of the message and the complexity of the attacks. From these trade-off curves, for combiners with underlying hash functions using Merkle–Damgård construction, the gaps between the security upper bounds and the security lower bounds provided by security proof are quite narrow. However, that is true only for very long messages. For short messages, the gap remains large. That mainly results from the limitation of the key techniques used in our attacks. Our attacks highly exploit the iterated property of the underlying hash functions. Particularly, most of our attacks exploit properties of functional graphs of random mappings generated by fixing a message block input to the compression functions. Thus, they usually involve iterating the compression functions with fixed message block many times. Therefore, our crafted messages are very long, and they are typically composed of a large number of repeated message blocks (which can be easily recognized). Thus, one open problem is how to extend the attacks to apply to short messages or with small patches. Another open problem is how to extend the attacks to combiners with at least one underlying hash function following the HAIFA framework.

## Notes

We note that this MD5/SHA-1 combiner has been replaced by primitives based on single hash function (e.g., SHA-256) since TLS version 1.2 [20].

Here, we generalize the syntax of hash functions to also regard the initial value

*IV*as an input parameter.The original specification of Hash-Twice is \( \mathcal {HT}(M) \triangleq \mathcal {H}(\mathcal {H}(IV, M), M) \), which processes the same message twice using a single hash function as shown in [2].

For simplicity of description, we omit the computation of the initial value \( IV_n = h(IV, n, 0, 0) \), which is used to support variable hash size in the specification of HAIFA in [6]. This does not influence the attacks.

The attacks essentially only require one of the functions to be iterated.

For example, for \(n=160\) and message block of length 512 bits (as in SHA-1), the attack is faster than \(2^{160}\) for messages containing at least \(2^{46}\) blocks, or \(2^{52}\) bytes.

The complexity formulas do not take into account (small) constant factors, which are generally ignored throughout this paper.

A collision between \(x_{d-i}\) and \(x'_{D-i}\) occurs if \(x_{d-i} = x'_{D-i}\) but \(x_{d-i-1} \ne x'_{D-i-1}\).

A more accurate analysis would take into account the event that the chains collide before \(x_{d-i}\), but the probability of this is negligible.

This is a very low probability that the set contains repeated values, particularly when

*t*is significantly small compared with \(L_1\). Here, we omit the discussion.Note that for simplicity of description, we omit the description of the finalization transformation on the internal state with the padding block and refer to Sect. 3.2 for the formal description.

From now on, we will use “optimal complexity” to mean the minimized complexity under the optimal choice of parameters for each attack.

It takes \(O(t \cdot 2^{t})\) operations by sorting the lists, but only \(2 \cdot 2^{t}\) using a hash table.

Note that \(\ell +2g_1-n = n - \ell < n-2\ell /3\).

The actual attack is slightly different, as it searches for deep iterates from which \((a_p,b_p)\) can be reached with a common message block.

Note that for \(\ell > n/3\), \(g_1 = 2/5 \cdot (2n-\ell )> 2n/3 > max(n/2, n-\ell )\), as required.

One may ask why we did not compute a larger set \(\mathcal {S}\), as we did in Phase 2 of Attack 2. The reason for this is that it can be shown that in this case, a set of size 1 is optimal.

One may also ask why we did not use cyclic nodes and multi-cycles to further improve this second-preimage attack on concatenation combiners as we did for the preimage attack on XOR combiners. The reason is that optimization on Phase 2 of Attack 4 has reached it limitation because of the limited number of candidate state pairs for \( (\bar{x}, \bar{y}) \). Thus, the complexity of Phase 2 becomes the bottleneck and cannot be improved using cyclic nodes.

A large multi-collisions can be built with a cost of roughly \(2^{n/2}\) in a narrow-pipe function, but this costs almost \(2^n\) for an ideal hash function.

However, the message length can be a problem with some hash functions that do not accept long inputs. For example, SHA-256 and SHA-224 are only defined for messages with less than \( 2^{64} \) bits (i.e., \( 2^{55} \) blocks). In this case, one can apply the attack with a smaller value of

*t*: this reduces the length of the messages at the cost of more time spent in the preimage search step. Thus, to mount a preimage attack against \(\text {SHA-224} \oplus \text {BLAKE-224}\), we should use \( t = 24 \) instead of \( t = 32 \). Then, the optimal complexity is \( 2^{200} \) instead of \( 2^{199} \).Note that \( n/3 + n'/3 > n'/2 \) when \( n'< 2n \).

## References

E. Andreeva, C. Bouillaguet, O. Dunkelman, P.-A. Fouque, J.J. Hoch, J. Kelsey, A. Shamir, S. Zimmer, New second-preimage attacks on hash functions.

*J. Cryptol.***29**(4), 657–696 (2016)E. Andreeva, C. Bouillaguet, O. Dunkelman, J. Kelsey, Herding, second preimage and trojan message attacks beyond Merkle–Damgård, in M.J. Jacobson Jr., V. Rijmen, R. Safavi-Naini, editors,

*Selected Areas in Cryptography, 16th Annual International Workshop, SAC 2009, Calgary, Alberta, Canada, August 13–14, 2009, Revised Selected Papers*. Lecture Notes in Computer Science, vol. 5867 (Springer, 2009), pp. 393–414E. Andreeva, C. Bouillaguet, P.-A. Fouque, J.J. Hoch, J. Kelsey, A. Shamir, S. Zimmer, Second preimage attacks on dithered hash functions, in N.P. Smart, editor,

*Advances in Cryptology—EUROCRYPT 2008, 27th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Istanbul, Turkey, April 13–17, 2008. Proceedings*. Lecture Notes in Computer Science, vol. 4965 (Springer, 2008), pp. 270–288L. Aceto, I. Damgård, L.A. Goldberg, M.M. Halldórsson, A. Ingólfsdóttir, I. Walukiewicz, editors.

*Automata, Languages and Programming, 35th International Colloquium, ICALP 2008, Reykjavik, Iceland, July 7-11, 2008, Proceedings, Part II—Track B: Logic, Semantics, and Theory of Programming & Track C: Security and Cryptography Foundations*. Lecture Notes in Computer Science, vol. 5126 (Springer, 2008)D. Boneh, X. Boyen. On the impossibility of efficiently combining collision resistant hash functions, in C. Dwork, editor,

*Advances in Cryptology—CRYPTO 2006, 26th Annual International Cryptology Conference, Santa Barbara, California, USA, August 20–24, 2006, Proceedings*. Lecture Notes in Computer Science, vol. 4117 (Springer, 2006), pp. 570–583E. Biham, O. Dunkelman, A framework for iterative hash functions—HAIFA.

*IACR Cryptol. ePrint Arch.***2007**, 278 (2007)Z. Bao, J. Guo, L. Wang, Functional graphs and their applications in generic attacks on iterated hash constructions.

*IACR Trans. Symmetric Cryptol.***2018**(1), 201–253 (2018)G. Brassard, editor.

*Advances in Cryptology—CRYPTO ’89, 9th Annual International Cryptology Conference, Santa Barbara, California, USA, August 20–24, 1989, Proceedings*. Lecture Notes in Computer Science, vol. 435 (Springer, 1990)S.R. Blackburn, D.R. Stinson, J. Upadhyay, On the complexity of the herding attack and some related attacks on hash functions.

*Des. Codes Cryptogr.***64**(1–2), 171–193 (2012)Z. Bao, L. Wang, J. Guo, D. Gu, Functional graph revisited: updates on (second) preimage attacks on hash combiners, in J. Katz, H. Shacham, editors,

*Advances in Cryptology—CRYPTO 2017—37th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 20–24, 2017, Proceedings, Part II*. Lecture Notes in Computer Science, vol. 10402 (Springer, 2017), pp. 404–427S. Chen, C. Jin, A second preimage attack on Zipper hash.

*Secur. Commun. Netw.***8**(16), 2860–2866 (2015)R. Cramer, editor.

*Advances in Cryptology—EUROCRYPT 2005, 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Aarhus, Denmark, May 22–26, 2005, Proceedings*. Lecture Notes in Computer Science, vol. 3494 (Springer, 2005)R. Canetti, R.L. Rivest, M. Sudan, L. Trevisan, S.P. Vadhan, H. Wee, Amplifying collision resistance: a complexity-theoretic treatment, in Menezes [43], pp. 264–283.

R.D. Dean, A. Appel.

*Formal Aspects of Mobile Code Security*. PhD thesis, Princeton University Princeton (1999)T. Dierks, C. Allen, The TLS protocol version 1.0.

*RFC***2246**, 1–80 (1999)I. Damgård, A design principle for hash functions, in Brassard [8], pp. 416–427

I. Dinur. New attacks on the concatenation and XOR hash combiners, in M. Fischlin, J.-S. Coron, editors,

*Advances in Cryptology—EUROCRYPT 2016—35th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Vienna, Austria, May 8–12, 2016, Proceedings, Part I*. Lecture Notes in Computer Science, vol. 9665 (Springer, 2016), pp. 484–508I. Dinur, G. Leurent, Improved generic attacks against hash-based MACs and HAIFA, in Garay and Gennaro [27], pp. 149–168

O. Dunkelman, B. Preneel, Generalizing the herding attack to concatenated hashing schemes, in

*In ECRYPT Hash Function Workshop*(Citeseer, 2007)T. Dierks, E. Rescorla, The transport layer security (TLS) protocol version 1.2.

*RFC***5246**, 1–104 (2008)A.O. Freier, P. Karlton, P.C. Kocher, The secure sockets layer (SSL) protocol version 3.0.

*RFC***6101**:1–67 (2011)M. Fischlin, A. Lehmann, Security-amplifying combiners for collision-resistant hash functions, in Menezes [43], pp. 224–243

M. Fischlin, A. Lehmann, Multi-property preserving combiners for hash functions, in R. Canetti, editor,

*Theory of Cryptography, Fifth Theory of Cryptography Conference, TCC 2008, New York, USA, March 19–21, 2008*. Lecture Notes in Computer Science, vol. 4948 (Springer, 2008), pp. 375–392M. Fischlin, A. Lehmann, K. Pietrzak, Robust multi-property combiners for hash functions revisited, in Aceto et al. [4], pp. 655–666

M. Fischlin, A. Lehmann, K. Pietrzak, Robust multi-property combiners for hash functions.

*J. Cryptol.***27**(3), 397–428 (2014)P. Flajolet, A.M. Odlyzko, Random mapping statistics, in J.-J. Quisquater, J. Vandewalle, editors,

*Advances in Cryptology—EUROCRYPT ’89, Workshop on the Theory and Application of Cryptographic Techniques, Houthalen, Belgium, April 10–13, 1989, Proceedings*. Lecture Notes in Computer Science, vol. 434 (Springer, 1989), pp. 329–354J.A. Garay, R. Gennaro, editors.

*Advances in Cryptology—CRYPTO 2014—34th Annual Cryptology Conference, Santa Barbara, CA, USA, August 17–21, 2014, Proceedings, Part I*. Lecture Notes in Computer Science, vol. 8616 (Springer, 2014)J. Guo, T. Peyrin, Y. Sasaki, L. Wang, Updates on generic attacks against HMAC and NMAC, in Garay and Gennaro [27], pp. 131–148

M.E. Hellman, A cryptanalytic time-memory trade-off.

*IEEE Trans. Inf. Theory***26**(4), 401–406 (1980)A. Herzberg, On tolerant cryptographic constructions, in A. Menezes, editor,

*Topics in Cryptology—CT-RSA 2005, The Cryptographers’ Track at the RSA Conference 2005, San Francisco, CA, USA, February 14–18, 2005, Proceedings*. Lecture Notes in Computer Science, vol. 3376 (Springer, 2005), pp. 172–190A. Herzberg, Folklore, practice and theory of robust combiners.

*J. Comput. Secur.***17**(2), 159–189 (2009)J.J. Hoch, A. Shamir, Breaking the ICE—finding multicollisions in iterated concatenated and expanded (ICE) hash functions, in M.J.B. Robshaw, editor,

*Fast Software Encryption, 13th International Workshop, FSE 2006, Graz, Austria, March 15–17, 2006, Revised Selected Papers*. Lecture Notes in Computer Science, vol. 4047 (Springer, 2006), pp. 179–194J.J. Hoch, A. Shamir. On the strength of the concatenated hash combiner when all the hash functions are weak, in Aceto et al. [4], pp. 616–630

A. Jha, M. Nandi, Some cryptanalytic results on Zipper hash and concatenated hash.

*IACR Cryptol. ePrint Arch.***2015**, 973 (2015)A. Joux, Multicollisions in iterated hash functions. Application to cascaded constructions, in M.K. Franklin, editor,

*Advances in Cryptology—CRYPTO 2004, 24th Annual International Cryptology Conference, Santa Barbara, California, USA, August 15–19, 2004, Proceedings*Lecture Notes in Computer Science, vol. 3152 (Springer, 2004), pp. 306–316A. Joux,

*Algorithmic Cryptanalysis*(Chapman and Hall/CRC, Boca Raton, 2009)J. Kelsey, T. Kohno, Herding hash functions and the nostradamus attack, in Serge Vaudenay, editor,

*Advances in Cryptology—EUROCRYPT 2006, 25th Annual International Conference on the Theory and Applications of Cryptographic Techniques, St. Petersburg, Russia, May 28–June 1, 2006, Proceedings*. Lecture Notes in Computer Science, vol. 4004 (Springer, 2006), pp. 183–200J. Kelsey, B. Schneier, Second preimages on n-bit hash functions for much less than \(2{}^{{\rm n}}\) work, in Cramer [12], pp. 474–490

A. Lehmann.

*On the Security of Hash Function Combiners*. PhD thesis, Darmstadt University of Technology (2010)M. Liskov, Constructing an ideal hash function from weak ideal compression functions, in E. Biham, A.M. Youssef, editors,

*Selected Areas in Cryptography, 13th International Workshop, SAC 2006, Montreal, Canada, August 17-18, 2006 Revised Selected Papers*. Lecture Notes in Computer Science, vol. 4356 (Springer, 2006), pp. 358–375G. Leurent, T. Peyrin, L. Wang, New generic attacks against hash-based MACs, in K. Sako, P. Sarkar, editors,

*Advances in Cryptology—ASIACRYPT 2013—19th International Conference on the Theory and Application of Cryptology and Information Security, Bengaluru, India, December 1–5, 2013, Proceedings, Part II*. Lecture Notes in Computer Science, vol. 8270 (Springer, 2013), pp. 1–20G. Leurent, L. Wang, The sum can be weaker than each part, in E. Oswald, M. Fischlin, editors,

*Advances in Cryptology—EUROCRYPT 2015—34th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Sofia, Bulgaria, April 26–30, 2015, Proceedings, Part I*. Lecture Notes in Computer Science, vol. 9056 (Springer, 2015), pp. 345–367A. Menezes, editor.

*Advances in Cryptology—CRYPTO 2007, 27th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 19–23, 2007, Proceedings*. Lecture Notes in Computer Science, vol. 4622. (Springer, 2007)R.C. Merkle. One way hash functions and DES, in Brassard [8], pp. 428–446

A. Mittelbach. Hash combiners for second pre-image resistance, target collision resistance and pre-image resistance have long output, in I. Visconti, R. De Prisco, editors,

*Security and Cryptography for Networks—8th International Conference, SCN 2012, Amalfi, Italy, September 5–7, 2012. Proceedings*. Lecture Notes in Computer Science, vol. 7485 (Springer, 2012), pp. 522–539A. Mittelbach, Cryptophia’s short combiner for collision-resistant hash functions, in M.J. Jacobson Jr., M.E. Locasto, P. Mohassel, R. Safavi-Naini, editors,

*Applied Cryptography and Network Security—11th International Conference, ACNS 2013, Banff, AB, Canada, June 25–28, 2013. Proceedings*. Lecture Notes in Computer Science, vol. 7954 (Springer, 2013), pp. 136–153B. Mennink, B. Preneel, Breaking and fixing cryptophia’s short combiner, in D. Gritzalis, A. Kiayias, I.G. Askoxylakis, editors,

*Cryptology and Network Security—13th International Conference, CANS 2014, Heraklion, Crete, Greece, October 22–24, 2014. Proceedings*. Lecture Notes in Computer Science, vol. 8813 (Springer, 2014), pp. 50–63F. Mendel, C. Rechberger, M. Schläffer, MD5 is weaker than weak: attacks on concatenated combiners, in M. Matsui, editor,

*Advances in Cryptology—ASIACRYPT 2009, 15th International Conference on the Theory and Application of Cryptology and Information Security, Tokyo, Japan, December 6–10, 2009. Proceedings*. Lecture Notes in Computer Science, vol. 5912 (Springer, 2009), pp. 144–161M. Nandi, D. R. Stinson, Multicollision attacks on some generalized sequential hash functions.

*IEEE Trans. Inf. Theory***53**(2), 759–767 (2007)K. Pietrzak, Non-trivial black-box combiners for collision-resistant hash-functions don’t exist, in M. Naor, editor,

*Advances in Cryptology—EUROCRYPT 2007, 26th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Barcelona, Spain, May 20–24, 2007, Proceedings*. Lecture Notes in Computer Science, vol. 4515 (Springer, 2007), pp. 23–33K. Pietrzak, Compression from collisions, or Why CRHF combiners have a long output, in D.A. Wagner, editor,

*Advances in Cryptology—CRYPTO 2008, 28th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 17–21, 2008. Proceedings*. Lecture Notes in Computer Science, vol. 5157 (Springer, 2008), pp. 413–432L. Perrin, D. Khovratovich, Collision spectrum, entropy loss, T-sponges, and cryptanalysis of GLUON-64, in C. Cid, C. Rechberger, editors,

*Fast Software Encryption—21st International Workshop, FSE 2014, London, UK, March 3–5, 2014. Revised Selected Papers*. Lecture Notes in Computer Science, vol. 8540 (Springer, 2014), pp. 82–103B. Preneel,

*Analysis and Design of Cryptographic Hash Functions*. PhD thesis, Katholieke Universiteit te Leuven (1993)T. Peyrin, L. Wang, Generic universal forgery attack on iterative hash-based MACs, in P.Q. Nguyen, E. Oswald, editors,

*Advances in Cryptology—EUROCRYPT 2014—33rd Annual International Conference on the Theory and Applications of Cryptographic Techniques, Copenhagen, Denmark, May 11–15, 2014. Proceedings*. Lecture Notes in Computer Science, vol. 8441 (Springer, 2014), pp. 147–164M. Rjasko, On existence of robust combiners for cryptographic hash functions. In P. Vojtás, editor,

*Proceedings of the Conference on Theory and Practice of Information Technologies, ITAT 2009, Horský hotel Kralova studna, Slovakia, September 25–29, 2009, volume 584 of CEUR Workshop Proceedings*(CEUR-WS.org, 2009), pp. 71–76P.C. van Oorschot, M.J. Wiener, Parallel collision search with cryptanalytic applications.

*J. Cryptol.***12**(1), 1–28 (1999)D.A. Wagner, A generalized birthday problem, in M. Yung, editor,

*Advances in Cryptology—CRYPTO 2002, 22nd Annual International Cryptology Conference, Santa Barbara, California, USA, August 18–22, 2002, Proceedings*. Lecture Notes in Computer Science, vol. 2442 (Springer, 2002), pp. 288–303X. Wang, H. Yu, How to break MD5 and other hash functions, in Cramer [12], pp. 19–35

X. Wang, Y.L. Yin, H. Yu, Finding collisions in the full SHA-1, in V. Shoup, editor,

*Advances in Cryptology—CRYPTO 2005: 25th Annual International Cryptology Conference, Santa Barbara, California, USA, August 14–18, 2005, Proceedings*. Lecture Notes in Computer Science, vol. 3621 (Springer, 2005), pp. 17–36

## Acknowledgements

This research is supported by the National Research Foundation, Prime Minister’s Office, Singapore, under its Strategic Capability Research Centres Funding Initiative, Nanyang Technological University under research Grant M4082123 and Singapore’s Ministry of Education under Grant M4012049. Itai Dinur is supported in part by the Israeli Science Foundation through Grant No. 573/16. Lei Wang is supported by National Natural Science Foundation of China (61602302, 61472250, 61672347), Natural Science Foundation of Shanghai (16ZR1416400), Shanghai Excellent Academic Leader Funds (16XD1401300), 13th five-year National Development Fund of Cryptography (MMJJ20170114).

## Author information

### Authors and Affiliations

### Corresponding author

## Appendices

### A Pseudo-codes of Algorithms

### B Optimized Interchange Structure

We now describe an optimized attack using only \((2^t-1)(2^t-1)\) switches rather than \(2^{2t}-1\). The attack also requires multi-collision structures, as introduced by Joux [35].

We replace the first \(2^t-1\) switches with a \(2^t\)-Joux’s multi-collision in \(\mathcal {H}_1\), and we use those messages to initialize all the \(b_k\) chains in \(\mathcal {H}_2\). We can also optimize the first series of switches in \(\mathcal {H}_2\) in the same way: we build a \(2^{t}\)-multi-collision in \(\mathcal {H}_2\) starting from \(b_0\), and we use those messages to initialize the \(a_j\) chains in \(\mathcal {H}_1\). This is illustrated in Fig. 14, and the detailed attack is given in Algorithm 6.

### C On Problem Raised by Dependency Between Chain Evaluations

Suppose \( \bar{x} \) and \( \bar{y} \) are both of depth \( 2^{n - g_1} \). From Observation 2 in Sect. 2.7.1, we conclude that the probability of encountering \(\bar{x}\) and \(\bar{y}\) at the same distance in chains (of \(f_1\) and \(f_2\)) evaluated from \(x_0\) and \(y_0\) is approximately \(2^{n-3g_1}\). Thus, in Sect. 4.2.2 and Sect. 6.2.2, we conclude that if the trials of chain evaluations are independent, we need to compute about \(2^{3g_1-n}\) chains from different starting points. However, since various trials performed by selecting different starting points for the chains are dependent, it might require further proof for the conclusion.

More specifically, when the number of nodes evaluated along chains exceeding \( 2^{n - d} \), a new chain of length \( 2^d \) is very likely to collide with a previously evaluated node due to the birthday paradox (\( 2^d\times 2^{n - d} = 2^n\)). Thus, the outcome of this chain evaluation is determined. As a result, new chains are all related to already evaluated chains, and the dependency between them affects the outcome non-negligibly after having evaluated \( 2^{n - d} \) nodes.

However, we notice that in our attacks, the actual birthday bound for the non-negligible dependency between trials is \( 2^{2n - 2d} \) instead of \( 2^{n - d} \) because in each trail, there are two chain evaluations. One is in \( \mathcal {FG}_{f_1} \), and the other is in \( \mathcal {FG}_{f_2} \). The chain evaluation in \( \mathcal {FG}_{f_1} \) can be seen as independent with a chain evaluation in \( \mathcal {FG}_{f_2} \). After having evaluated \( 2^{n - d} \) nodes in each of the two functional graphs, there is indeed a high probability for each new chain colliding with previously evaluated chains. However, for a new *pair of* chain evaluations, the probability for both chains colliding with the chains evaluated in a previous trial is significant only after having evaluated \( 2^{2n - 2d} \) nodes due to the birthday paradox. That is, trials cannot be seen as independent only after having evaluated \( 2^{2n - 2d} \) nodes. Note that in our attacks, required number of trials is \( 2^{2n - 3d} \); thus, the total evaluated number of nodes is \( 2^{2n - 3d} \cdot 2^{d + 1} \approx 2^{2n - 2d} \) which exactly falls on the birthday bound. Thus, the dependency between the trials is negligible and the complexity analysis of the corresponding attacks is justified.

## Rights and permissions

## About this article

### Cite this article

Bao, Z., Dinur, I., Guo, J. *et al.* Generic Attacks on Hash Combiners.
*J Cryptol* **33, **742–823 (2020). https://doi.org/10.1007/s00145-019-09328-w

Received:

Revised:

Published:

Issue Date:

DOI: https://doi.org/10.1007/s00145-019-09328-w

### Keywords

- Hash function
- Generic attack
- Hash combiner
- XOR combiner
- Concatenation combiner
- Zipper hash
- Hash-Twice
- (Second) Preimage attack