Meet-in-the-Middle Attacks Using Output Truncation in 3-Pass HAVAL

  • Yu Sasaki
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5735)


We propose preimage and pseudo-preimage attacks on short output lengths of the hash function 3-pass HAVAL, which is designed to be able to output various hash lengths by one algorithm. HAVAL executes a truncate function at the end of the hash computation in order to produce various output lengths. If the hash value is truncated, the internal state size becomes larger than the hash length. Hence, it appears that finding attacks faster than the exhaustive search becomes relatively hard. In this paper, we propose two types of preimage and pseudo-preimage attacks based on the meet-in-the-middle attack. A key point of our attack is how to deal with input information for truncate functions. The first approach works for various types of truncate functions. The second approach uses a property particular to the truncate function of HAVAL. As far as we know, these are the first preimage and pseudo-preimage attacks that work for short output lengths of HAVAL.


HAVAL hash truncate wide pipe meet-in-the-middle preimage pseudo-preimage 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Rivest, R.L.: Request for Comments 1321: The MD5 Message Digest Algorithm. The Internet Engineering Task Force (1992)Google Scholar
  2. 2.
    Wang, X., Yu, H.: How to break MD5 and other hash functions. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 19–35. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  3. 3.
    Sasaki, Y., Aoki, K.: Finding preimages in full MD5 faster than exhaustive search. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 134–152. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  4. 4.
    U.S. Department of Commerce, National Institute of Standards and Technology: Federal Register /vol. 72(212)/Friday, November 2, 2007/Notices (2007)Google Scholar
  5. 5.
    Zheng, Y., Pieprzyk, J., Seberry, J.: HAVAL — one-way hashing algorithm with variable length of output. In: Seberry, J., Zheng, Y. (eds.) AUSCRYPT 1992. LNCS, vol. 718, pp. 83–104. Springer, Heidelberg (1993)Google Scholar
  6. 6.
    U.S. Department of Commerce, National Institute of Standards and Technology: Secure Hash Standard (SHS) (Federal Information Processing Standards Publication 180-3) (2008)Google Scholar
  7. 7.
    Coron, J.S., Dodis, Y., Malinaud, C., Puniya, P.: Merkle-damgård revisited: How to construct a hash function. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 430–448. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  8. 8.
    Chang, D., Nandi, M.: Improved indifferentiability security analysis of chopMD hash function. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 429–443. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  9. 9.
    Lucks, S.: A failure-friendly design principle for hash functions. In: Roy, B. (ed.) ASIACRYPT 2005. LNCS, vol. 3788, pp. 474–494. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  10. 10.
    van Rompay, B., Biryukov, A., Preneel, B., Vandewalle, J.: Cryptanalysis of 3-pass HAVAL. In: Laih, C.S. (ed.) ASIACRYPT 2003. LNCS, vol. 2894, pp. 228–245. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  11. 11.
    Suzuki, K., Kurosawa, K.: How to find many collisions of 3-pass HAVAL. In: Miyaji, A., Kikuchi, H., Rannenberg, K. (eds.) IWSEC 2007. LNCS, vol. 4752, pp. 428–443. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  12. 12.
    Wang, X., Feng, D., Yu, X.: An attack on hash function HAVAL-128. Science in China (Information Sciences) 48(5), 545–556 (2005)MathSciNetCrossRefMATHGoogle Scholar
  13. 13.
    Lee, E., Chang, D., Kim, J.-S., Sung, J., Hong, S.H.: Second preimage attack on 3-pass HAVAL and partial key-recovery attacks on NMAC/HMAC-3-pass HAVAL. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 189–206. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  14. 14.
    Aumasson, J.P., Meier, W., Mendel, F.: Preimage attacks on 3-pass HAVAL and step-reduced MD5. In: Workshop Records of SAC 2008, pp. 99–114 (2008)Google Scholar
  15. 15.
    Sasaki, Y., Aoki, K.: Preimage attacks on 3, 4, and 5-pass HAVAL. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 253–271. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  16. 16.
    Menezes, A.J., van Oorschot, P.C., Vanstone, S.A.: Handbook of applied cryptography. CRC Press, Boca Raton (1997)MATHGoogle Scholar
  17. 17.
    Halevi, S., Krawczyk, H.: Strengthening digital signatures via randomized hashing. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 41–59. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  18. 18.
    Mendel, F., Rijmen, V.: Weaknesses in the HAS-V compression function. In: Nam, K.H., Rhee, G. (eds.) ICISC 2007. LNCS, vol. 4817, pp. 335–345. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  19. 19.
    Park, N.K., Hwang, J.H., Lee, P.J.: HAS-V: A new hash function with variable output length. In: Stinson, D.R., Tavares, S. (eds.) SAC 2000. LNCS, vol. 2012, pp. 202–216. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  20. 20.
    Leurent, G.: MD4 is not one-way. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 412–428. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  21. 21.
    Aoki, K., Sasaki, Y.: Preimage attacks on one-block MD4, 63-step MD5 and more. In: Workshop Records of SAC 2008, pp. 82–98 (2008)Google Scholar
  22. 22.
    Isobe, T., Shibutani, K.: Preimage attacks on reduced Tiger and SHA-2. In: Fast Software Encryption 2009 Preproceedings, pp. 141–158 (2009)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Yu Sasaki
    • 1
    • 2
  1. 1.NTT Information Sharing Platform LaboratoriesNTT CorporationTokyoJapan
  2. 2.The University of Electro-CommunicationsTokyoJapan

Personalised recommendations