Multicollisions in Iterated Hash Functions. Application to Cascaded Constructions

  • Antoine Joux
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3152)

Abstract

In this paper, we study the existence of multicollisions in iterated hash functions. We show that finding multicollisions, i.e. r-tuples of messages that all hash to the same value, is not much harder than finding ordinary collisions, i.e. pairs of messages, even for extremely large values of r. More precisely, the ratio of the complexities of the attacks is approximately equal to the logarithm of r. Then, using large multicollisions as a tool, we solve a long standing open problem and prove that concatenating the results of several iterated hash functions in order to build a larger one does not yield a secure construction. We also discuss the potential impact of our attack on several published schemes. Quite surprisingly, for subtle reasons, the schemes we study happen to be immune to our attack.
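The two results summarized in the abstract, as an added illustration that is not part of the paper: a toy Merkle-Damgård hash with a 16-bit chaining value (an assumption chosen so the birthday searches finish instantly; real functions use 128-bit or larger states) is used to build a 2^t-multicollision from t successive single-block collisions, and that multicollision is then used to collide the concatenation F(M) || G(M) of two independent toy hashes at far below the cost the combined output length suggests. The functions `compress`, `iterated_hash`, `find_collision`, `build_multicollision` and `attack_cascade` are hypothetical names introduced here.

```python
import hashlib
import itertools
import random

STATE_BYTES = 2   # toy n = 16-bit chaining value (assumption; real hashes use 128-256 bits)
BLOCK_BYTES = 4   # toy message block size (assumption)


def compress(tag: bytes, h: bytes, block: bytes) -> bytes:
    """Toy compression function f(h, m): truncated SHA-256 of tag || h || m.
    The tag domain-separates the two independent toy hashes F and G."""
    return hashlib.sha256(tag + h + block).digest()[:STATE_BYTES]


def iterated_hash(tag: bytes, blocks) -> bytes:
    """Merkle-Damgård style iteration over fixed-size blocks from an all-zero IV."""
    h = bytes(STATE_BYTES)
    for b in blocks:
        h = compress(tag, h, b)
    return h


def find_collision(tag: bytes, h: bytes, rng: random.Random):
    """Birthday search for two distinct blocks b1 != b2 with f(h, b1) == f(h, b2).
    Expected cost is about 2^(n/2) compression calls."""
    seen = {}
    while True:
        b = rng.getrandbits(8 * BLOCK_BYTES).to_bytes(BLOCK_BYTES, "big")
        out = compress(tag, h, b)
        prev = seen.get(out)
        if prev is not None and prev != b:
            return prev, b, out
        seen[out] = b


def build_multicollision(tag: bytes, t: int, rng: random.Random):
    """Joux's construction: one collision per block position, chained from the
    previous collision's output, gives 2^t messages with the same hash for a
    cost of only about t * 2^(n/2) instead of the generic r^(1/r) ... bound."""
    h = bytes(STATE_BYTES)
    pairs = []
    for _ in range(t):
        b1, b2, h = find_collision(tag, h, rng)
        pairs.append((b1, b2))
    return pairs, h


def expand(pairs):
    """All 2^t messages obtained by choosing one block from each collision pair."""
    return [list(choice) for choice in itertools.product(*pairs)]


def check_multicollision(t: int = 8, seed: int = 1):
    """Return (number of messages, number of distinct digests, all equal final h)."""
    rng = random.Random(seed)
    pairs, h_final = build_multicollision(b"F", t, rng)
    msgs = expand(pairs)
    digests = {iterated_hash(b"F", m) for m in msgs}
    return len(msgs), len(digests), digests == {h_final}


def attack_cascade(t: int = 12, seed: int = 2):
    """Collision on F(M) || G(M) for two independent n-bit toy hashes.
    A 2^t multicollision on F with t somewhat above n/2 contains, by the birthday
    bound, a pair of messages that also collide on G; the total cost is about
    t * 2^(n/2) + 2^t, nowhere near the 2^n expected of a 2n-bit hash."""
    rng = random.Random(seed)
    pairs, _ = build_multicollision(b"F", t, rng)
    by_g = {}
    for m in expand(pairs):
        g = iterated_hash(b"G", m)
        if g in by_g:
            return by_g[g], m          # distinct messages, equal F and equal G
        by_g[g] = m
    return None


if __name__ == "__main__":
    print("multicollision (messages, distinct digests, ok):", check_multicollision())
    m1, m2 = attack_cascade()
    print("cascade collision found:", m1 != m2,
          iterated_hash(b"F", m1) + iterated_hash(b"G", m1)
          == iterated_hash(b"F", m2) + iterated_hash(b"G", m2))
```

With the toy 16-bit state, t = 8 already yields 256 messages sharing one digest; the cascade attack uses t = 12 so that the 4096 candidates make a G-collision essentially certain rather than a roughly 40% bet. The same structure scales to full-size parameters: the cost grows with t * 2^(n/2), which is why concatenating two iterated n-bit hashes does not give 2n-bit collision resistance.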


Copyright information

© Springer-Verlag Berlin Heidelberg 2004

Authors and Affiliations

  • Antoine Joux, DCSSI Crypto Lab, Paris 07 SP, France
