Finding Preimages of Tiger Up to 23 Steps

  • Lei Wang
  • Yu Sasaki
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6147)


This paper evaluates the preimage resistance of the Tiger hash function. We will propose a pseudo-preimage attack on its compression function up to 23 steps with a complexity of 2181, which can be converted to a preimage attack on 23-step Tiger hash function with a complexity of 2187.5. The memory requirement of these attacks is 222 words. Our pseudo-preimage attack on the Tiger compression function adopts the meet-in-the-middle approach. We will divide the computation of the Tiger compression function into two independent parts. This enables us to transform the target of finding a pseudo-preimage to another target of finding a collision between two independent sets of some internal state, which will reduce the complexity. In order to maximize the number of the attacked steps, we derived several properties or weaknesses in both the key schedule function and the step function of the Tiger compression function, which gives us more freedom to separate the Tiger compression function.


Tiger hash function meet-in-the-middle preimage attack independent chunks 


  1. 1.
    Anderson, R., Biham, E.: Tiger: A Fast New Hash Function. In: Gollmann, D. (ed.) FSE 1996. LNCS, vol. 1039, pp. 89–97. Springer, Heidelberg (1996)Google Scholar
  2. 2.
    Indesteege, S., Preneel, B.: Preimages for Reduced-Round Tiger. In: Lucks, S., Sadeghi, A.-R., Wolf, C. (eds.) WEWoRC 2007. LNCS, vol. 4945, pp. 90–99. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  3. 3.
    Isobe, T., Shibutani, K.: Preimage Attacks on Reduced Tiger and SHA-2. In: Dunkelman, O. (ed.) FSE 2009. LNCS, vol. 5665, pp. 139–155. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  4. 4.
    Mendel, F.: Two Passes of Tiger Are Not One-Way. In: Preneel, B. (ed.) AFRICACRYPT 2009. LNCS, vol. 5580, pp. 29–40. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  5. 5.
    Kelsey, J., Lucks, S.: Collisions and Near-Collisions for Reduced-Round Tiger. In: Robshaw, M.J.B. (ed.) FSE 2006. LNCS, vol. 4047, pp. 111–125. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  6. 6.
    Mendel, F., Preneel, B., Rijmen, V., Yoshida, H., Watanabe, D.: Update on Tiger. In: Barua, R., Lange, T. (eds.) INDOCRYPT 2006. LNCS, vol. 4329, pp. 63–79. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  7. 7.
    Mendel, F., Rijmen, V.: Cryptanalysis of the Tiger Hash Function. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 536–550. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  8. 8.
    Aoki, K., Sasaki, Y.: Preimage Attacks on One-Block MD4, 63-Step MD5 and More. In: Avanzi, R.M., Keliher, L., Sica, F. (eds.) SAC 2008. LNCS, vol. 5381, pp. 103–119. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  9. 9.
    Morita, H., Ohta, K., Miyaguchi, S.: A Switching Closure Test to Analyze Cryptosystems. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 183–193. Springer, Heidelberg (1992)Google Scholar
  10. 10.
    Menezes, A.J., van Oorschot, P.C., Vanstone, S.A.: Handbook of Applied Cryptography. CRC Press, Boca Raton (1997)zbMATHGoogle Scholar
  11. 11.
    Sasaki, Y., Aoki, K.: Finding Preimages in Full MD5 Faster than Exhaustive Search. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 134–152. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  12. 12.
    Wang, L., Sasaki, Y.: Finding Preimages of Tiger Up to 23 Steps (full version of this paper),
  13. 13.
    Guo, J., Ling, S., Rechberger, C., Wang, H.: Advanced Meet-in-the-Middle Preimage Attacks: First Results on Full Tiger, and Improved Results on MD4 and SHA-2,

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Lei Wang
    • 1
  • Yu Sasaki
    • 2
  1. 1.The University of Electro-CommunicationsTokyoJapan
  2. 2.NTT Information Sharing Platform LaboratoriesNTT CorporationTokyoJapan

Personalised recommendations