Meet-in-the-Middle Attacks Using Output Truncation in 3-Pass HAVAL
We propose preimage and pseudo-preimage attacks on short output lengths of the hash function 3-pass HAVAL, which is designed to produce various hash lengths with a single algorithm. HAVAL executes a truncate function at the end of the hash computation in order to produce various output lengths. If the hash value is truncated, the internal state size becomes larger than the hash length. Hence, it appears that finding attacks faster than exhaustive search becomes relatively hard. In this paper, we propose two types of preimage and pseudo-preimage attacks based on the meet-in-the-middle attack. A key point of our attack is how to deal with input information for truncate functions. The first approach works for various types of truncate functions. The second approach uses a property particular to the truncate function of HAVAL. As far as we know, these are the first preimage and pseudo-preimage attacks that work for short output lengths of HAVAL.
Keywords: HAVAL, hash, truncate, wide pipe, meet-in-the-middle, preimage, pseudo-preimage