Linear-XOR and Additive Checksums Don’t Protect Damgård-Merkle Hashes from Generic Attacks

  • Praveen Gauravaram
  • John Kelsey
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4964)


We consider the security of Damgård-Merkle variants which compute linear-XOR or additive checksums over message blocks, intermediate hash values, or both, and process these checksums in computing the final hash value. We show that these Damgård-Merkle variants gain almost no security against generic attacks such as the long-message second preimage attacks of [10,21] and the herding attack of [9].
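The abstract states the result but not the mechanism, so here is an added toy illustration (the editor's own code, not the paper's construction) of why a linear-XOR checksum over message blocks buys nothing against an attacker who can already build multicollisions. A Joux-style chain of k two-way block collisions gives 2^k messages that all reach the same chaining value; because the checksum is XOR-linear in the blocks, choosing between the two blocks at each position only toggles a fixed difference into the checksum, so Gaussian elimination over GF(2) picks out a message with any checksum the attacker wants (k a little above the checksum width makes the differences span the space with high probability). That is exactly the control over the checksum that a long-message second-preimage or herding attack needs when it splices its own blocks into a victim message. The 16-bit compression function, the IV, and the sample parameters are constructed for the demo and stand in for any real compression function; the attack never looks inside it.

```python
"""Toy demonstration (constructed example, not from the paper): steering a
linear-XOR block checksum with a Joux multicollision plus GF(2) linear algebra.
Parameters are deliberately tiny (16-bit state, 16-bit blocks) so the
birthday searches finish in well under a second."""
import hashlib
import random

N_BITS = 16                 # chaining-value and checksum width (toy)
BLOCK_BYTES = 2             # one message block is 16 bits (toy)
IV = 0x1234                 # arbitrary fixed IV (toy)


def compress(h: int, m: int) -> int:
    """Toy compression function: SHA-256 truncated to N_BITS bits."""
    data = h.to_bytes(2, "big") + m.to_bytes(BLOCK_BYTES, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:2], "big")


def xor_all(blocks):
    c = 0
    for m in blocks:
        c ^= m
    return c


def dm_state(blocks):
    """Plain Damgård-Merkle iteration: chaining value after all blocks."""
    h = IV
    for m in blocks:
        h = compress(h, m)
    return h


def xor_checksum_hash(blocks):
    """Checksum variant: the XOR of all blocks is fed in as one final block."""
    return compress(dm_state(blocks), xor_all(blocks))


def find_block_collision(h):
    """Birthday search: two distinct blocks with the same output from state h."""
    seen = {}
    while True:
        m = random.getrandbits(N_BITS)
        y = compress(h, m)
        if y in seen and seen[y] != m:
            return seen[y], m, y
        seen[y] = m


def joux_multicollision(k):
    """k successive two-way collisions: 2**k messages share the final state."""
    h, pairs = IV, []
    for _ in range(k):
        m0, m1, h = find_block_collision(h)
        pairs.append((m0, m1))
    return pairs, h


def solve_gf2(vectors, target):
    """Indices of a subset of `vectors` whose XOR equals `target`, found by
    Gaussian elimination over GF(2); None if `target` is outside their span."""
    basis = {}                          # pivot bit -> (reduced vector, index mask)
    for i, v in enumerate(vectors):
        comb = 1 << i
        for bit in range(N_BITS - 1, -1, -1):
            if not (v >> bit) & 1:
                continue
            if bit in basis:
                bv, bc = basis[bit]
                v, comb = v ^ bv, comb ^ bc
            else:
                basis[bit] = (v, comb)
                break
    comb = 0
    for bit in range(N_BITS - 1, -1, -1):
        if (target >> bit) & 1:
            if bit not in basis:
                return None
            bv, bc = basis[bit]
            target, comb = target ^ bv, comb ^ bc
    return [i for i in range(len(vectors)) if (comb >> i) & 1]


def blocks_from_choice(pairs, choice):
    return [pairs[i][b] for i, b in enumerate(choice)]


def choice_with_checksum(pairs, target):
    """Pick one block per pair so the XOR checksum equals `target`."""
    base = xor_all(m0 for m0, _ in pairs)
    diffs = [m0 ^ m1 for m0, m1 in pairs]
    flips = solve_gf2(diffs, base ^ target)
    if flips is None:
        return None
    return [1 if i in set(flips) else 0 for i in range(len(pairs))]


def second_choice_same_checksum(pairs, choice):
    """A different selection with the same checksum: flip along a null vector
    of the difference set (one always exists once len(pairs) > N_BITS)."""
    diffs = [m0 ^ m1 for m0, m1 in pairs]
    for j in range(len(diffs)):
        sub = solve_gf2(diffs[:j] + diffs[j + 1:], diffs[j])
        if sub is None:
            continue
        flip = {i if i < j else i + 1 for i in sub} | {j}
        return [b ^ 1 if i in flip else b for i, b in enumerate(choice)]
    return None


def checksum_control_demo(seed=2008, target=0xBEEF):
    """Two distinct messages, same chaining value, same (chosen) checksum."""
    random.seed(seed)
    pairs, h_end = joux_multicollision(N_BITS + 8)   # spare pairs -> full rank
    while (choice1 := choice_with_checksum(pairs, target)) is None:
        m0, m1, h_end = find_block_collision(h_end)  # extend if not yet spanning
        pairs.append((m0, m1))
    choice2 = second_choice_same_checksum(pairs, choice1)
    return {"target": target, "h_end": h_end,
            "m1": blocks_from_choice(pairs, choice1),
            "m2": blocks_from_choice(pairs, choice2)}


if __name__ == "__main__":
    r = checksum_control_demo()
    print("checksum of both:", hex(xor_all(r["m1"])), hex(xor_all(r["m2"])))
    print("checksummed hashes equal:",
          xor_checksum_hash(r["m1"]) == xor_checksum_hash(r["m2"]))
```

The total work is about (n + a few) birthday searches, i.e. roughly n * 2^(n/2) compression calls, which is why the checksum adds essentially nothing on top of the generic attacks. This block covers only the linear-XOR case; an additive (mod 2^n) checksum is not GF(2)-linear, so the selection step differs, and the page gives no detail of how that case is handled beyond the abstract's claim that it fails as well.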


Keywords (machine-generated, not supplied by the authors): intermediate state; hash function; compression function; diamond structure; generic attack




References

  1. Bellare, M., Micciancio, D.: A New Paradigm for Collision-Free Hashing: Incrementality at Reduced Cost. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 163–192. Springer, Heidelberg (1997)
  2. Coppersmith, D.: Two Broken Hash Functions. IBM Research Report RC-18397, IBM Research Center (October 1992)
  3. Damgård, I.: A Design Principle for Hash Functions. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 416–427. Springer, Heidelberg (1990)
  4. Dunkelman, O., Preneel, B.: Generalizing the Herding Attack to Concatenated Hashing Schemes. In: ECRYPT Hash Function Workshop (2007)
  5. Filho, D.G., Barreto, P., Rijmen, V.: The MAELSTROM-0 Hash Function. In: 6th Brazilian Symposium on Information and Computer System Security (2006)
  6. Gauravaram, P.: Cryptographic Hash Functions: Cryptanalysis, Design and Applications. PhD thesis, Information Security Institute, QUT (June 2007)
  7. Hoch, J., Shamir, A.: Breaking the ICE: Finding Multicollisions in Iterated Concatenated and Expanded (ICE) Hash Functions. In: Robshaw, M.J.B. (ed.) FSE 2006. LNCS, vol. 4047, pp. 179–194. Springer, Heidelberg (2006)
  8. Joux, A.: Multicollisions in Iterated Hash Functions. Application to Cascaded Constructions. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 306–316. Springer, Heidelberg (2004)
  9. Kelsey, J., Kohno, T.: Herding Hash Functions and the Nostradamus Attack. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 183–200. Springer, Heidelberg (2006)
  10. Kelsey, J., Schneier, B.: Second Preimages on n-bit Hash Functions for Much Less than 2^n Work. In: Cramer, R.J.F. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 474–490. Springer, Heidelberg (2005)
  11. Knudsen, L., Mathiassen, J.: Preimage and Collision Attacks on MD2. In: Gilbert, H., Handschuh, H. (eds.) FSE 2005. LNCS, vol. 3557, pp. 255–267. Springer, Heidelberg (2005)
  12. Lei, D.: F-HASH: Securing Hash Functions Using Feistel Chaining. Cryptology ePrint Archive, Report 2005/430 (2005)
  13. Lucks, S.: Hash Function Modes of Operation. In: ICE-EM RNSA 2006 Workshop at QUT, Australia (June 2006)
  14. Merkle, R.: One Way Hash Functions and DES. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 428–446. Springer, Heidelberg (1990)
  15. Mironov, I., Narayanan, A.: Personal communication (August 2006)
  16. Muller, F.: The MD2 Hash Function Is Not One-Way. In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 214–229. Springer, Heidelberg (2004)
  17. Nandi, M., Stinson, D.: Multicollision Attacks on Some Generalized Sequential Hash Functions. Cryptology ePrint Archive, Report 2006/055 (2006)
  18. NIST: Cryptographic Hash Algorithm Competition (November 2007)
  19. Government Committee of Russia for Standards: GOST R 34.11-94 (1994)
  20. Gauravaram, P., Millan, W., Dawson, E., Viswanathan, K.: Constructing Secure Hash Functions by Enhancing Merkle-Damgård Construction. In: Batten, L.M., Safavi-Naini, R. (eds.) ACISP 2006. LNCS, vol. 4058, pp. 407–420. Springer, Heidelberg (2006)
  21. Dean, R.D.: Formal Aspects of Mobile Code Security. PhD thesis, Princeton University (1999)
  22. Tuma, J., Joscak, D.: Multi-block Collisions in Hash Functions Based on 3C and 3C+ Enhancements of the Merkle-Damgård Construction. In: Rhee, M.S., Lee, B. (eds.) ICISC 2006. LNCS, vol. 4296, pp. 257–266. Springer, Heidelberg (2006)
  23. Wagner, D.: A Generalized Birthday Problem. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 288–303. Springer, Heidelberg (2002)
  24. Wang, X., Yin, Y.L., Yu, H.: Efficient Collision Search Attacks on SHA-0. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 1–16. Springer, Heidelberg (2005)
  25. Wang, X., Yin, Y.L., Yu, H.: Finding Collisions in the Full SHA-1. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 17–36. Springer, Heidelberg (2005)
  26. Wang, X., Yu, H.: How to Break MD5 and Other Hash Functions. In: Cramer, R.J.F. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 19–35. Springer, Heidelberg (2005)
  27. Yuval, G.: How to Swindle Rabin. Cryptologia 3(3), 187–189 (1979)

Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  1. Praveen Gauravaram: Technical University of Denmark (DTU), Denmark; Queensland University of Technology (QUT), Australia
  2. John Kelsey: National Institute of Standards and Technology (NIST), USA
