Hash Functions and the (Amplified) Boomerang Attack

  • Antoine Joux
  • Thomas Peyrin
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4622)


Since Crypto 2004, hash functions have been the target of many attacks which showed that several well-known functions such as SHA-0 or MD5 can no longer be considered secure collision free hash functions. These attacks use classical cryptographic techniques from block cipher analysis such as differential cryptanalysis together with some specific methods. Among those, we can cite the neutral bits of Biham and Chen or the message modification techniques of Wang et al. In this paper, we show that another tool of block cipher analysis, the boomerang attack, can also be used in this context. In particular, we show that using this boomerang attack as a neutral bits tool, it becomes possible to lower the complexity of the attacks on SHA-1.


hash functions boomerang attack SHA-1 


  1. 1.
    Biham, E., Chen, R.: Near-Collisions of SHA-0. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 290–305. Springer, Heidelberg (2004)Google Scholar
  2. 2.
    Biham, E., Chen, R., Joux, A., Carribault, P., Lemuet, C., Jalby, W.: Collisions of SHA-0 and Reduced SHA-1. In: Cramer, R.J.F. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 36–57. Springer, Heidelberg (2005)Google Scholar
  3. 3.
    De Cannière, C., Rechberger, C.: Finding SHA-1 Characteristics: General Results and Applications. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 1–20. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  4. 4.
    Rechberger, C., De Cannière, C., Mendel, F.: In: Rump Session of Fast Software Encryption – FSE 2007 (2007)Google Scholar
  5. 5.
    Chabaud, F., Joux, A.: Differential Collisions in SHA-0. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 56–71. Springer, Heidelberg (1998)Google Scholar
  6. 6.
    Damgård, I.: A Design Principle for Hash Functions. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 416–427. Springer, Heidelberg (1990)Google Scholar
  7. 7.
    Dobbertin, H.: Cryptanalysis of MD4. In: Gollmann, D. (ed.) Fast Software Encryption. LNCS, vol. 1039, pp. 53–69. Springer, Heidelberg (1996)Google Scholar
  8. 8.
    Joux, A., Peyrin, T.: Message modification, neutral bits and boomerangs. In: Proceedings of NIST 2nd Cryptographic Hash Workshop (2006)Google Scholar
  9. 9.
    Kelsey, J., Kohno, T., Schneier, B.: Amplified Boomerang Attacks Against Reduced-Round MARS and Serpent. In: Schneier, B. (ed.) FSE 2000. LNCS, vol. 1978, pp. 75–93. Springer, Heidelberg (2001)Google Scholar
  10. 10.
    Klima, V.: Tunnels in Hash Functions: MD5 Collisions Within a Minute. ePrint archive (2006),
  11. 11.
    Merkle, R.C.: One Way Hash Functions and DES. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 428–446. Springer, Heidelberg (1990)Google Scholar
  12. 12.
    National Institute of Standards and Technology. FIPS 180: Secure Hash Standard (May 1993), available from
  13. 13.
    National Institute of Standards and Technology. FIPS 180-1: Secure Hash Standard (April 1995), available from
  14. 14.
    National Institute of Standards and Technology. FIPS 180-2: Secure Hash Standard (August 2002), available from
  15. 15.
    Rivest, R.L.: RFC1321: The MD5 Message-Digest Algorithm (April 1992), available from
  16. 16.
    Rivest, R.L.: RFC 1320: The MD4 Message Digest Algorithm (April 1992),
  17. 17.
    Sugita, M., Kawazoe, M., Imai, H.: Gröbner Basis based Cryptanalysis of SHA-1. In: Fast Software Encryption – FSE’07. LNCS, Springer, Heidelberg (2007), Google Scholar
  18. 18.
    Wagner, D.: The Boomerang Attack. In: Knudsen, L.R. (ed.) FSE 1999. LNCS, vol. 1636, pp. 156–170. Springer, Heidelberg (1999)Google Scholar
  19. 19.
    Wang, X., Lai, X., Feng, D., Chen, H., Yu, X.: Cryptanalysis of the Hash Functions MD4 and RIPEMD. In: Cramer, R.J.F. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 1–18. Springer, Heidelberg (2005)Google Scholar
  20. 20.
    Wang, X., Yao, A.C., Yao, F.: Cryptanalysis on SHA-1. In: Proceedings of NIST Cryptographic Hash Workshop (2005)Google Scholar
  21. 21.
    Wang, X., Yin, Y.L., Yu, H.: New Collision Search for SHA-1. In: Rump Session of CRYPTO (2005)Google Scholar
  22. 22.
    Wang, X., Yin, Y.L., Yu, H.: Finding Collisions in the Full SHA-1. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 17–36. Springer, Heidelberg (2005)Google Scholar
  23. 23.
    Wang, X., Yu, H.: How to Break MD5 and Other Hash Functions. In: Cramer, R.J.F. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 19–35. Springer, Heidelberg (2005)Google Scholar
  24. 24.
    Wang, X., Yu, H., Yin, Y.L.: Efficient Collision Search Attacks on SHA-0. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 1–16. Springer, Heidelberg (2005)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2007

Authors and Affiliations

  • Antoine Joux
    • 1
    • 3
  • Thomas Peyrin
    • 2
    • 3
  1. 1.DGA 
  2. 2.France Télécom R&D 
  3. 3.Université de Versailles Saint-Quentin-en-Yvelines 

Personalised recommendations