Multicollisions in Iterated Hash Functions. Application to Cascaded Constructions

  • Antoine Joux
Conference paper

DOI: 10.1007/978-3-540-28628-8_19

Part of the Lecture Notes in Computer Science book series (LNCS, volume 3152)
Cite this paper as:
Joux A. (2004) Multicollisions in Iterated Hash Functions. Application to Cascaded Constructions. In: Franklin M. (eds) Advances in Cryptology – CRYPTO 2004. CRYPTO 2004. Lecture Notes in Computer Science, vol 3152. Springer, Berlin, Heidelberg


In this paper, we study the existence of multicollisions in iterated hash functions. We show that finding multicollisions, i.e. r-tuples of messages that all hash to the same value, is not much harder than finding ordinary collisions, i.e. pairs of messages, even for extremely large values of r. More precisely, the ratio of the complexities of the attacks is approximately equal to the logarithm of r. Then, using large multicollisions as a tool, we solve a long standing open problem and prove that concatenating the results of several iterated hash functions in order to build a larger one does not yield a secure construction. We also discuss the potential impact of our attack on several published schemes. Quite surprisingly, for subtle reasons, the schemes we study happen to be immune to our attack.

Copyright information

© Springer-Verlag Berlin Heidelberg 2004

Authors and Affiliations

  • Antoine Joux
    • 1
  1. 1.DCSSI Crypto LabParis 07 SPFrance

Personalised recommendations