Preimage Attacks on Reduced Tiger and SHA-2

This paper shows new preimage attacks on reduced Tiger and SHA-2. Indesteege and Preneel presented a preimage attack on Tiger reduced to 13 rounds (out of 24) with a complexity of 2128.5. Our new preimage attack finds a one-block preimage of Tiger reduced to 16 rounds with a complexity of 2161. The proposed attack is based on meet-in-the-middle attacks. It seems difficult to find "independent words" of Tiger at first glance, since its key schedule function is much more complicated than that of MD4 or MD5. However, we developed techniques to find independent words efficiently by controlling its internal variables. Surprisingly, the similar techniques can be applied to SHA-2 including both SHA-256 and SHA-512. We present a one-block preimage attack on SHA-256 and SHA-512 reduced to 24 (out of 64 and 80) steps with a complexity of 2240 and 2480, respectively. To the best of our knowledge, our attack is the best known preimage attack on reduced-round Tiger and our preimage attack on reduced-step SHA-512 is the first result. Furthermore, our preimage attacks can also be extended to second preimage attacks directly, because our attacks can obtain random preimages from an arbitrary IV and an arbitrary target.

[1]  Ronald Cramer,et al.  Advances in Cryptology - EUROCRYPT 2005, 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Aarhus, Denmark, May 22-26, 2005, Proceedings , 2005, EUROCRYPT.

[2]  Hans Dobbertin Cryptanalysis of MD4 , 1996, FSE.

[3]  Victor Shoup Advances in Cryptology - CRYPTO 2005: 25th Annual International Cryptology Conference, Santa Barbara, California, USA, August 14-18, 2005, Proceedings , 2005, CRYPTO.

[4]  Gerhard Goos,et al.  Fast Software Encryption , 2001, Lecture Notes in Computer Science.

[5]  Eli Biham,et al.  TIGER: A Fast New Hash Function , 1996, FSE.

[6]  Yu Sasaki,et al.  Preimage Attacks on One-Block MD4, 63-Step MD5 and More , 2009, Selected Areas in Cryptography.

[7]  Vincent Rijmen,et al.  Cryptanalysis of the Tiger Hash Function , 2007, ASIACRYPT.

[8]  Gaëtan Leurent,et al.  MD4 is Not One-Way , 2008, FSE.

[9]  Vincent Rijmen,et al.  Update on Tiger , 2006, INDOCRYPT.

[10]  Kaoru Kurosawa,et al.  Advances in Cryptology - ASIACRYPT 2007, 13th International Conference on the Theory and Application of Cryptology and Information Security, Kuching, Malaysia, December 2-6, 2007, Proceedings , 2007, International Conference on the Theory and Application of Cryptology and Information Security.

[11]  Xiaoyun Wang,et al.  Finding Collisions in the Full SHA-1 , 2005, CRYPTO.

[12]  Bart Preneel,et al.  Preimages for Reduced-Round Tiger , 2007, WEWoRC.

[13]  John Kelsey,et al.  Collisions and Near-Collisions for Reduced-Round Tiger , 2006, FSE.

[14]  Tanja Lange,et al.  Progress in Cryptology - INDOCRYPT 2006, 7th International Conference on Cryptology in India, Kolkata, India, December 11-13, 2006, Proceedings , 2006, INDOCRYPT.

[15]  Ahmad-Reza Sadeghi,et al.  Research in Cryptology, Second Western European Workshop, WEWoRC 2007, Bochum, Germany, July 4-6, 2007, Revised Selected Papers , 2008, WEWoRC.

[16]  Florian Mendel,et al.  A (Second) Preimage Attack on the GOST Hash Function , 2008, FSE.

[17]  Xiaoyun Wang,et al.  How to Break MD5 and Other Hash Functions , 2005, EUROCRYPT.