The MD2 Hash Function Is Not One-Way

  • Frédéric Muller
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3329)

Abstract

MD2 is an early hash function developed by Ron Rivest for RSA Security, that produces message digests of 128 bits. In this paper, we show that MD2 does not reach the ideal security level of 2128. We describe preimage attacks against the underlying compression function, the best of which has complexity of 273. As a result, the full MD2 hash can be attacked in preimage with complexity of 2104.

Keywords

Hash Function Compression Function Message Block Cryptographic Hash Function Collision Attack 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.
Download to read the full conference paper text

References

  1. 1.
    Balenson, D.: RFC 1423 - Privacy Enhancement for Internet Electronic Mail: Part III: Algorithms, Modes, and Identifiers. RSA Laboratories (February 1993)Google Scholar
  2. 2.
    Chabaud, F., Joux, A.: Differential Collisions in SHA-0. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 56–71. Springer, Heidelberg (1998)Google Scholar
  3. 3.
    Dobbertin, H.: Cryptanalysis of MD4. In: Gollmann, D. (ed.) FSE 1996. LNCS, vol. 1039, pp. 53–69. Springer, Heidelberg (1996)Google Scholar
  4. 4.
    Dobbertin, H.: The Status of MD5 after a Recent Attack. CryptoBytes 2(2), 1–6 (1996)MathSciNetGoogle Scholar
  5. 5.
    Dobbertin, H.: The First Two Rounds of MD4 are Not One-Way. In: Vaudenay, S. (ed.) FSE 1998. LNCS, vol. 1372, pp. 284–292. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  6. 6.
    Joux, A.: Multicollisions in iterated hash functions. Application to cascaded constructions. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 306–316. Springer, Heidelberg (2004) (to appear)Google Scholar
  7. 7.
    Kaliski, B.: RFC 1319 - The MD2 Message-Digest Algorithm. RSA Laboratories (April 1992)Google Scholar
  8. 8.
    MD5CRK, a new distributed computing project, See http://www.md5crk.com/
  9. 9.
    Menezes, A., van Oorschot, P., Vanstone, S.: Handbook of Applied Cryptography. CRC Press, Boca Raton (1996)CrossRefGoogle Scholar
  10. 10.
    Preneel, B.: Analysis and design of cryptographic hash functions. PhD thesis, Katholieke Universiteit Leuven (1993)Google Scholar
  11. 11.
    Rivest, R.: The MD4 Message Digest Algorithm. In: Menezes, A., Vanstone, S.A. (eds.) CRYPTO 1990. LNCS, vol. 537, pp. 303–311. Springer, Heidelberg (1991)Google Scholar
  12. 12.
    Rivest, R.: RFC 1321 - The MD5 Message-Digest Algorithm. RSA Laboratories (April 1992)Google Scholar
  13. 13.
    Rogaway, P., Shrimpton, T.: Cryptographic Hash Function Basics: Definitions, Implications, and Separations for Preimage Resistance, Second-Preimage Resistance, and Collision Resistance. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 349–366. Springer, Heidelberg (2004) (Pre-proceedings Version) Google Scholar
  14. 14.
    Rogier, N., Chauvaud, P.: MD2 Is not Secure without the Checksum Byte. Designs, Codes and Cryptography 12(3), 245–251 (1997); An early version of this paper was presented at the 2nd SAC Workshop in 1995MATHCrossRefMathSciNetGoogle Scholar
  15. 15.
    Van Rompay, B., Biryukov, A., Preneel, B.: Cryptanalysis of 3-Pass HAVAL. In: Laih, C.-S. (ed.) ASIACRYPT 2003. LNCS, vol. 2894, pp. 228–245. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  16. 16.
    RSA Laboratories. PKCS #1 v1.5: RSA Encryption Standard (1993), Available at http://www.rsalabs.com/pkcs/pkcs-1
  17. 17.
    RSA Laboratories. PKCS #1 v2.1: RSA Encryption Standard (2002), Available at http://www.rsalabs.com/pkcs/pkcs-1
  18. 18.
    van Oorschot, P., Wiener, M.: Parallel Collision Search with Cryptanalytic Applications. Journal of Cryptology 12(1), 1–28 (1999)MATHCrossRefMathSciNetGoogle Scholar
  19. 19.
    Wagner, D.: A Generalized Birthday Problem. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 288–303. Springer, Heidelberg (2002) (Extended Abstract)CrossRefGoogle Scholar
  20. 20.
    Wiemers, A.: The Full Cost of Cryptanalytic Attacks. Journal of Cryptology 17(2), 105–124 (2004)CrossRefMathSciNetGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2004

Authors and Affiliations

  • Frédéric Muller
    • 1
  1. 1.DCSSI Crypto LabParis 07 SPFrance

Personalised recommendations