Preimage Attacks against PKC98-Hash and HAS-V

  • Yu Sasaki
  • Florian Mendel
  • Kazumaro Aoki
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6829)


We propose preimage attacks against PKC98-Hash and HAS-V. PKC98-Hash is a 160-bit hash function proposed at PKC 1998, and HAS-V, a hash function proposed at SAC 2000, can produce hash values of 128 + 32k (k = 0,1,…,6) bits. These hash functions adopt the Merkle-Damgård and Davies-Meyer constructions. One unique characteristic of these hash functions is that their step functions are not injective with a fixed message. We utilize this property to mount preimage attacks against these hash functions. Note that these attacks can work for an arbitrary number of steps. The best proposed attacks generate preimages of PKC98-Hash and HAS-V-320 in 296 and 2256 compression function computations with negligible memory, respectively. This is the first preimage attack against the full PKC98-Hash function.


PKC98-Hash HAS-V preimage Davies-Meyer non-injective step function 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Wang, X., Yu, H.: How to break MD5 and other hash functions. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 19–35. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  2. 2.
    Rivest, R.L.: Request for Comments 1321: The MD5 Message Digest Algorithm. The Internet Engineering Task Force (1992),
  3. 3.
    Shin, S.U., Rhee, K.H., Ryu, D.H., Lee, S.J.: A new hash function based on MDx-family and its application to MAC. In: Imai, H., Zheng, Y. (eds.) PKC 1998. LNCS, vol. 1431, pp. 234–246. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  4. 4.
    Hong, D., Koo, B., Kim, W.H., Kwon, D.: Preimage attacks on reduced steps of ARIRANG and PKC98-hash. In: Lee, D., Hong, S. (eds.) ICISC 2009. LNCS, vol. 5984, pp. 315–331. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  5. 5.
    Menezes, A.J., van Oorschot, P.C., Vanstone, S.A.: Handbook of applied cryptography. CRC Press, Boca Raton (1997)MATHGoogle Scholar
  6. 6.
    Han, D., Park, S., Chee, S.: Cryptanalysis of the modified version of the hash function proposed at PKC’98. In: Daemen, J., Rijmen, V. (eds.) FSE 2002. LNCS, vol. 2365, pp. 252–262. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  7. 7.
    Chang, D., Sung, J., Sung, S., Lee, S., Lim, J.: Full-round differential attack on the original version of the hash function proposed at PKC’98. In: Nyberg, K., Heys, H.M. (eds.) SAC 2002. LNCS, vol. 2595, pp. 160–174. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  8. 8.
    Mendel, F., Pramstaller, N., Rechberger, C.: Improved collision attack on the hash function proposed at PKC’98. In: Rhee, M.S., Lee, B. (eds.) ICISC 2006. LNCS, vol. 4296, pp. 8–21. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  9. 9.
    Aoki, K., Sasaki, Y.: Meet-in-the-middle preimage attacks against reduced SHA-0 and SHA-1. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 70–89. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  10. 10.
    Aoki, K., Sasaki, Y.: Preimage attacks on one-block MD4, 63-step MD5 and more. In: Avanzi, R., Keliher, L., Sica, F. (eds.) SAC 2008. LNCS, vol. 5381, pp. 103–119. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  11. 11.
    Sasaki, Y., Aoki, K.: Finding preimages in full MD5 faster than exhaustive search. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 134–152. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  12. 12.
    Park, N.K., Hwang, J.H., Lee, P.J.: HAS-V: A new hash function with variable output length. In: Stinson, D.R., Tavares, S. (eds.) SAC 2000. LNCS, vol. 2012, pp. 202–216. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  13. 13.
    Lim, C.H., Lee, P.J.: A study on the proposed korean digital signature algorithm. In: Ohta, K., Pei, D. (eds.) ASIACRYPT 1998. LNCS, vol. 1514, pp. 175–186. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  14. 14.
    Mendel, F., Rijmen, V.: Weaknesses in the HAS-V compression function. In: Nam, K.-H., Rhee, G. (eds.) ICISC 2007. LNCS, vol. 4817, pp. 335–345. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  15. 15.
    Mouha, N., Cannière, C.D., Indesteege, S., Preneel, B.: Finding collisions for a 45-step simplified HAS-V. In: Youm, H.Y., Yung, M. (eds.) WISA 2009. LNCS, vol. 5932, pp. 206–225. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  16. 16.
    Joux, A.: Multicollisions in iterated hash functions. Application to cascaded constructions. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 306–316. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  17. 17.
    Leurent, G.: MD4 is not one-way. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 412–428. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  18. 18.
    De Cannière, C., Rechberger, C.: Preimages for reduced SHA-0 and SHA-1. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 179–202. Springer, Heidelberg (2008); slides on preliminary results presented at ESC 2008 seminar, CrossRefGoogle Scholar
  19. 19.
    Guo, J., Ling, S., Rechberger, C., Wang, H.: Advanced meet-in-the-middle preimage attacks: First results on full Tiger, and improved results on MD4 and SHA-2. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 56–75. Springer, Heidelberg (2010); IACR Cryptology ePrint Archive: Report 2010/016, CrossRefGoogle Scholar
  20. 20.
    Lamberger, M., Mendel, F.: Structural attacks on two SHA-3 candidates: Blender-n and DCH-n. In: Samarati, P., Yung, M., Martinelli, F., Ardagna, C.A. (eds.) ISC 2009. LNCS, vol. 5735, pp. 68–78. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  21. 21.
    Joux, A., Lucks, S.: Improved generic algorithms for 3-collisions. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 347–363. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  22. 22.
    Kelsey, J., Schneier, B.: Second preimages on n-bit hash functions for much less than 2n work. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 474–490. Springer, Heidelberg (2005)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Yu Sasaki
    • 1
  • Florian Mendel
    • 2
  • Kazumaro Aoki
    • 1
    • 2
  1. 1.NTTTokyoJapan
  2. 2.Institute for Applied Information Processing and Communications (IAIK)Graz University of TechnologyGrazAustria

Personalised recommendations