New Second Preimage Attacks on Dithered Hash Functions with Low Memory Complexity

  • Muhammad Barham
  • Orr Dunkelman
  • Stefan Lucks
  • Marc Stevens
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10532)


Dithered hash functions were proposed by Rivest as a method to mitigate second preimage attacks on Merkle-Damgård hash functions. Nevertheless, second preimage attacks against dithered hash functions were proposed by Andreeva et al. One issue with these second preimage attacks is their huge memory requirement in the precomputation and the online phases. In this paper, we present new second preimage attacks on the dithered Merkle-Damgård construction. These attacks consume significantly less memory in the online phase (with a negligible increase in the online time complexity) than previous attacks. For example, in the case of MD5 with the Keränen sequence, we reduce the memory complexity from about \(2^{51}\) blocks to about \(2^{26.7}\) blocks (about 545 MB). We also present an essentially memoryless variant of Andreeva et al.'s attack. In the case of MD5-Keränen or SHA1-Keränen, the offline and online memory complexity is \(2^{15.2}\) message blocks (about 188–235 KB), at the expense of increasing the offline time complexity.
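To make the construction the abstract refers to concrete, here is an added toy example (not the paper's code) contrasting plain and dithered Merkle-Damgård: a compression-function "connecting block" found for one position is reusable at every position in plain MD, but under dithering only at positions carrying the same dither symbol, which is the position dependence Rivest's design relies on to blunt expandable-message attacks. The 16-bit state, the SHA-256-based `compress` function and the four-letter cycling `dither_symbol` are constructed assumptions standing in for MD5/SHA-1 and for Keränen's sequence.

```python
import hashlib
from itertools import count

STATE_BYTES = 2  # 16-bit chaining value: constructed toy size so brute force is instant

# Toy compression function standing in for MD5/SHA-1's. The optional dither
# input models Rivest's construction, where each block's compression call
# also absorbs the i-th symbol of a dither sequence.
def compress(h: int, block: bytes, dither: bytes = b"") -> int:
    data = h.to_bytes(STATE_BYTES, "big") + dither + block
    return int.from_bytes(hashlib.sha256(data).digest()[:STATE_BYTES], "big")

# Assumed placeholder dither sequence (cycles through four letters). Rivest's
# proposal uses Keränen's abelian-square-free sequence; only the role of the
# sequence (a position-dependent extra input) is modelled here.
def dither_symbol(i: int) -> bytes:
    return b"abcd"[i % 4 : i % 4 + 1]

def md_hash(blocks, dithered: bool, iv: int = 0) -> int:
    """Iterate the compression function over message blocks (padding omitted)."""
    h = iv
    for i, blk in enumerate(blocks):
        h = compress(h, blk, dither_symbol(i) if dithered else b"")
    return h

def find_connecting_block(h_from: int, h_to: int, dither: bytes = b"") -> bytes:
    """Brute-force a block that maps h_from to h_to when compressed with `dither`."""
    for n in count():
        blk = n.to_bytes(4, "big")
        if compress(h_from, blk, dither) == h_to:
            return blk

def reusable_positions(h_from, h_to, blk, dithered: bool, n_positions: int = 12):
    """Positions at which a block found for position 0 still connects h_from to h_to."""
    return {i for i in range(n_positions)
            if compress(h_from, blk, dither_symbol(i) if dithered else b"") == h_to}

def demo(h_from: int = 0x1234, h_to: int = 0xBEEF):
    """Constructed chaining values; returns reusable positions for plain and dithered MD."""
    plain_blk = find_connecting_block(h_from, h_to)                    # plain MD
    dith_blk = find_connecting_block(h_from, h_to, dither_symbol(0))   # dithered, position 0
    return (reusable_positions(h_from, h_to, plain_blk, dithered=False),
            reusable_positions(h_from, h_to, dith_blk, dithered=True))

if __name__ == "__main__":
    plain, dithered = demo()
    print("plain MD: block reusable at positions", sorted(plain))
    print("dithered: block reusable at positions", sorted(dithered))
```

With the cycling placeholder sequence the dithered block is reusable exactly where the same symbol recurs (positions 0, 4, 8); with an abelian-square-free sequence the recurring contexts are rarer and longer, which is what drives the large precomputation and memory costs the abstract quantifies.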



The authors would like to thank the anonymous referees for their constructive comments that have improved the results of the paper. In addition, the interaction of the authors during the Dagstuhl seminar on symmetric cryptography in January 2016 has contributed significantly to improving the results.


  1. Andreeva, E., Bouillaguet, C., Dunkelman, O., Fouque, P., Hoch, J.J., Kelsey, J., Shamir, A., Zimmer, S.: New second-preimage attacks on hash functions. J. Cryptol. 29(4), 657–696 (2016)
  2. Andreeva, E., Bouillaguet, C., Dunkelman, O., Kelsey, J.: Herding, second preimage and trojan message attacks beyond Merkle-Damgård. In: Jacobson, M.J., Rijmen, V., Safavi-Naini, R. (eds.) SAC 2009. LNCS, vol. 5867, pp. 393–414. Springer, Heidelberg (2009). doi:10.1007/978-3-642-05445-7_25
  3. Andreeva, E., Bouillaguet, C., Fouque, P.-A., Hoch, J.J., Kelsey, J., Shamir, A., Zimmer, S.: Second preimage attacks on dithered hash functions. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 270–288. Springer, Heidelberg (2008). doi:10.1007/978-3-540-78967-3_16
  4. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: On the indifferentiability of the sponge construction. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 181–197. Springer, Heidelberg (2008). doi:10.1007/978-3-540-78967-3_11
  5. Brassard, G. (ed.): CRYPTO 1989. LNCS, vol. 435. Springer, New York (1990)
  6. Damgård, I.B.: A design principle for hash functions. In: Brassard [5], pp. 416–427 (1990)
  7. Dean, R.D.: Formal aspects of mobile code security. Ph.D. thesis, Princeton University (1999)
  8. Hoch, J.J., Shamir, A.: Breaking the ICE – finding multicollisions in iterated concatenated and expanded (ICE) hash functions. In: Robshaw, M. (ed.) FSE 2006. LNCS, vol. 4047, pp. 179–194. Springer, Heidelberg (2006). doi:10.1007/11799313_12
  9. Joux, A.: Multicollisions in iterated hash functions. Application to cascaded constructions. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 306–316. Springer, Heidelberg (2004). doi:10.1007/978-3-540-28628-8_19
  10. Kelsey, J., Kohno, T.: Herding hash functions and the Nostradamus attack. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 183–200. Springer, Heidelberg (2006). doi:10.1007/11761679_12
  11. Kelsey, J., Schneier, B.: Second preimages on n-bit hash functions for much less than 2^n work. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 474–490. Springer, Heidelberg (2005). doi:10.1007/11426639_28
  12. Keränen, V.: Abelian squares are avoidable on 4 letters. In: Kuich, W. (ed.) ICALP 1992. LNCS, vol. 623, pp. 41–52. Springer, Heidelberg (1992). doi:10.1007/3-540-55719-9_62
  13. Knuth, D.E.: The Art of Computer Programming: Seminumerical Algorithms, vol. 2. Addison-Wesley, Boston (1969)
  14. Merkle, R.C.: A certified digital signature. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 218–238. Springer, New York (1990). doi:10.1007/0-387-34805-0_21
  15. Merkle, R.C.: One way hash functions and DES. In: Brassard [5], pp. 428–446 (1990)
  16. Nivasch, G.: Cycle detection using a stack. Inf. Process. Lett. 90(3), 135–140 (2004)
  17. van Oorschot, P.C., Wiener, M.J.: Parallel collision search with cryptanalytic applications. J. Cryptol. 12(1), 1–28 (1999)
  18. Rivest, R.L.: Abelian square-free dithering for iterated hash functions. Presented at the ECrypt Hash Function Workshop, 21 June 2005, Cracow, and at the Cryptographic Hash Workshop, 1 November 2005, Gaithersburg, Maryland (August 2005)

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Muhammad Barham (1)
  • Orr Dunkelman (1)
  • Stefan Lucks (2)
  • Marc Stevens (3)
  1. Computer Science Department, University of Haifa, Haifa, Israel
  2. Bauhaus-Universität Weimar, Weimar, Germany
  3. Centrum Wiskunde & Informatica, Amsterdam, The Netherlands
