Second Preimage Attacks on Dithered Hash Functions

  • Elena Andreeva
  • Charles Bouillaguet
  • Pierre-Alain Fouque
  • Jonathan J. Hoch
  • John Kelsey
  • Adi Shamir
  • Sebastien Zimmer
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4965)


We develop a new generic long-message second preimage attack, based on combining the techniques in the second preimage attacks of Dean [8] and Kelsey and Schneier [16] with the herding attack of Kelsey and Kohno [15]. We show that these generic attacks apply to hash functions using the Merkle-Damgård construction with only slightly more work than the previously known attack, but allow enormously more control of the contents of the second preimage found. Additionally, we show that our new attack applies to several hash function constructions which are not vulnerable to the previously known attack, including the dithered hash proposal of Rivest [25], Shoup’s UOWHF [26] and the ROX hash construction [2]. We analyze the properties of the dithering sequence used in [25], and develop a time-memory tradeoff which allows us to apply our second preimage attack to a wide range of dithering sequences, including sequences which are much stronger than those in Rivest’s proposals. Finally, we show that both the existing second preimage attacks [8,16] and our new attack can be applied even more efficiently to multiple target messages; in general, given a set of many target messages with a total of 2^R message blocks, these second preimage attacks can find a second preimage for one of those target messages with no more work than would be necessary to find a second preimage for a single target message of 2^R message blocks.


Keywords: Cryptanalysis, Hash Function, Dithering


References

  1. Allouche, J.-P.: Sur la complexité des suites infinies. Bull. Belg. Math. Soc. 1, 133–143 (1994)
  2. Andreeva, E., Neven, G., Preneel, B., Shrimpton, T.: Seven-Property-Preserving Iterated Hashing: ROX. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 130–146. Springer, Heidelberg (2007)
  3. Biham, E., Chen, R., Joux, A., Carribault, P., Lemuet, C., Jalby, W.: Collisions of SHA-0 and Reduced SHA-1. In: [6], pp. 36–57
  4. Brassard, G. (ed.): CRYPTO 1989. LNCS, vol. 435. Springer, Heidelberg (1990)
  5. Cobham, A.: Uniform tag sequences. Mathematical Systems Theory 6(3), 164–192 (1972)
  6. Cramer, R. (ed.): EUROCRYPT 2005. LNCS, vol. 3494. Springer, Heidelberg (2005)
  7. Damgård, I.: A Design Principle for Hash Functions. In: [4], pp. 416–427
  8. Dean, R.D.: Formal Aspects of Mobile Code Security. PhD thesis, Princeton University (January 1999)
  9. Ehrenfeucht, A., Lee, K.P., Rozenberg, G.: Subword Complexities of Various Classes of Deterministic Developmental Languages without Interactions. Theor. Comput. Sci. 1(1), 59–75 (1975)
  10. Feller, W.: Chapter 12. In: An Introduction to Probability Theory and Its Applications, vol. 1. John Wiley & Sons, Chichester (1971)
  11. Hellman, M.E.: A cryptanalytic time-memory trade off. IEEE Transactions on Information Theory IT-26, 401–406 (1980)
  12. Janson, S., Lonardi, S., Szpankowski, W.: On average sequence complexity. Theor. Comput. Sci. 326(1-3), 213–227 (2004)
  13. Joux, A.: Multicollisions in Iterated Hash Functions. Application to Cascaded Constructions. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 306–316. Springer, Heidelberg (2004)
  14. Joux, A., Peyrin, T.: Hash Functions and the (Amplified) Boomerang Attack. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 244–263. Springer, Heidelberg (2007)
  15. Kelsey, J., Kohno, T.: Herding Hash Functions and the Nostradamus Attack. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 183–200. Springer, Heidelberg (2006)
  16. Kelsey, J., Schneier, B.: Second Preimages on n-Bit Hash Functions for Much Less than 2^n Work. In: [6], pp. 474–490
  17. Keränen, V.: Abelian Squares are Avoidable on 4 Letters. In: Kuich, W. (ed.) ICALP 1992. LNCS, vol. 623, pp. 41–52. Springer, Heidelberg (1992)
  18. Keränen, V.: On abelian square-free DT0L-languages over 4 letters. In: Harju, T. (ed.) WORDS 2003, vol. 27, pp. 95–109. TUCS General Publication (2003)
  19. Klima, V.: Tunnels in Hash Functions: MD5 Collisions Within a Minute. Cryptology ePrint Archive, Report 2006/105 (2006)
  20. Menezes, A., van Oorschot, P., Vanstone, S.: Handbook of Applied Cryptography. CRC Press (1996)
  21. Merkle, R.C.: One Way Hash Functions and DES. In: [4], pp. 428–446
  22. Mironov, I.: Hash Functions: From Merkle-Damgård to Shoup. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 166–181. Springer, Heidelberg (2001)
  23. Biham, E., Dunkelman, O.: A Framework for Iterative Hash Functions — HAIFA. Presented at the second NIST hash workshop (August 24–25, 2006)
  24. Pansiot, J.-J.: Complexité des facteurs des mots infinis engendrés par morphismes itérés. In: Paredaens, J. (ed.) ICALP 1984. LNCS, vol. 172, pp. 380–389. Springer, Heidelberg (1984)
  25. Rivest, R.L.: Abelian Square-Free Dithering for Iterated Hash Functions. Presented at the ECrypt Hash Function Workshop, June 21, 2005, Cracow, and at the Cryptographic Hash Workshop, November 1, 2005, Gaithersburg, Maryland (August 2005)
  26. Shoup, V.: A Composition Theorem for Universal One-Way Hash Functions. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 445–452. Springer, Heidelberg (2000)
  27. Shoup, V. (ed.): CRYPTO 2005. LNCS, vol. 3621. Springer, Heidelberg (2005)
  28. Wang, X., Lai, X., Feng, D., Chen, H., Yu, X.: Cryptanalysis of the Hash Functions MD4 and RIPEMD. In: [6], pp. 1–18
  29. Wang, X., Yin, Y.L., Yu, H.: Finding Collisions in the Full SHA-1. In: [27], pp. 17–36
  30. Wang, X., Yu, H.: How to Break MD5 and Other Hash Functions. In: [6], pp. 19–35
  31. Wang, X., Yu, H., Yin, Y.L.: Efficient Collision Search Attacks on SHA-0. In: [27], pp. 1–16

Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Elena Andreeva (1)
  • Charles Bouillaguet (2)
  • Pierre-Alain Fouque (2)
  • Jonathan J. Hoch (3)
  • John Kelsey (4)
  • Adi Shamir (2, 3)
  • Sebastien Zimmer (2)

  1. SCD-COSIC, Dept. of Electrical Engineering, Katholieke Universiteit Leuven
  2. Département d’Informatique, CNRS, INRIA, École normale supérieure, Paris, France
  3. Weizmann Institute of Science
  4. National Institute of Standards and Technology
