Linear-XOR and Additive Checksums Don't Protect Damgård-Merkle Hashes from Generic Attacks

We consider the security of Damgård-Merkle variants which compute linear-XOR or additive checksums over message blocks, intermediate hash values, or both, and process these checksums in computing the final hash value. We show that these Damgård-Merkle variants gain almost no security against generic attacks such as the long-message second preimage attacks of [10, 21] and the herding attack of [9].
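The following is an added, self-contained illustration of the mechanism behind the abstract's claim for the linear-XOR case; it is not code from the paper or its authors. It builds a toy Damgård-Merkle hash whose XOR checksum over the message blocks is fed into the final compression call, then shows that the checksum is a linear function of the choices inside a Joux multicollision: a few extra birthday collision searches plus Gaussian elimination over GF(2) let one reach any checksum value, and a non-trivial kernel element yields two distinct messages with the same chaining value and the same checksum. All widths (16-bit state, block and checksum), the initial value and the SHA-256-truncated compression function are assumptions chosen so the demonstration runs quickly; the additive (mod 2^n) checksum case of the abstract is not covered here.

```python
import hashlib
from functools import reduce

# Deliberately tiny widths (16-bit state, block and checksum) so this runs in well under a
# second; the construction itself is width-independent.
N_BITS = 16            # assumption: width of chaining value, message block and checksum
IV = 0x1234            # constructed initial chaining value


def compress(h, m):
    """Toy compression function: SHA-256 of (h, m) truncated to N_BITS, used as a black box."""
    data = h.to_bytes(2, "big") + m.to_bytes(2, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:2], "big")

def md_state(blocks):
    """Plain Damgård-Merkle chaining value after absorbing all blocks."""
    return reduce(compress, blocks, IV)

def xor_checksum(blocks):
    """Linear-XOR checksum over the message blocks."""
    return reduce(lambda a, b: a ^ b, blocks, 0)

def checksum_md_hash(blocks):
    """The variant family from the abstract: Damgård-Merkle iteration plus an XOR checksum
    over the blocks, fed into a final compression call."""
    return compress(md_state(blocks), xor_checksum(blocks))

def find_collision_pair(h):
    """Birthday search for m0 != m1 with compress(h, m0) == compress(h, m1) (~2^(N_BITS/2) calls)."""
    seen = {}
    for m in range(1 << N_BITS):
        out = compress(h, m)
        if out in seen:
            return seen[out], m, out
        seen[out] = m
    raise RuntimeError("toy compression function happened to be a bijection")

def gf2_reduce(vectors):
    """Gaussian elimination over GF(2). basis: pivot bit -> (reduced vector, mask of original
    indices XORed to build it). kernel: index masks whose vectors XOR to zero (dependencies)."""
    basis, kernel = {}, []
    for idx, v in enumerate(vectors):
        mask = 1 << idx
        for bit in range(N_BITS - 1, -1, -1):
            if not (v >> bit) & 1:
                continue
            if bit in basis:
                v, mask = v ^ basis[bit][0], mask ^ basis[bit][1]
            else:
                basis[bit] = (v, mask)
                break
        else:
            kernel.append(mask)       # v reduced to zero without adding a pivot
    return basis, kernel

def gf2_solve(basis, target):
    """Mask of original indices whose vectors XOR to target, or None if unreachable."""
    mask = 0
    for bit in range(N_BITS - 1, -1, -1):
        if (target >> bit) & 1:
            if bit not in basis:
                return None
            target, mask = target ^ basis[bit][0], mask ^ basis[bit][1]
    return mask

def checksum_control_sequence():
    """Joux multicollision grown until the block differences span GF(2)^N_BITS and contain a
    dependency. Every choice of one block per position reaches the same chaining value h_k."""
    h, pairs = IV, []
    while True:
        m0, m1, h = find_collision_pair(h)
        pairs.append((m0, m1))
        basis, kernel = gf2_reduce([a ^ b for a, b in pairs])
        if len(basis) == N_BITS and kernel:
            return pairs, h, basis, kernel

def select(pairs, mask):
    """Take block m1 at position i when bit i of mask is set, otherwise m0."""
    return [p[(mask >> i) & 1] for i, p in enumerate(pairs)]

def demonstrate(target):
    """Force the checksum to `target` inside the multicollision, then XOR in a kernel
    combination to get a second, different message with the same state and checksum."""
    pairs, h_k, basis, kernel = checksum_control_sequence()
    base = xor_checksum([m0 for m0, _ in pairs])
    mask_a = gf2_solve(basis, base ^ target)   # picking m1 at i XORs (m0 ^ m1) into the checksum
    mask_b = mask_a ^ kernel[0]
    msg_a, msg_b = select(pairs, mask_a), select(pairs, mask_b)
    return {
        "rounds": len(pairs),                  # birthday searches spent in total
        "distinct": msg_a != msg_b,
        "state_a": md_state(msg_a), "state_b": md_state(msg_b), "state_k": h_k,
        "checksum_a": xor_checksum(msg_a), "checksum_b": xor_checksum(msg_b),
        "hash_a": checksum_md_hash(msg_a), "hash_b": checksum_md_hash(msg_b),
    }
```

Calling `demonstrate(0xBEEF)` returns a dictionary in which both messages have checksum 0xBEEF, the same chaining value as every other message in the multicollision, and therefore the same final hash, after only a couple of dozen 16-bit collision searches rather than anything scaling with the checksum width. The takeaway for a designer is the one the abstract states: because a linear checksum is itself linear in the block choices, the freedom a multicollision already provides is enough to satisfy it, so the checksum does not remove the generic long-message second preimage and herding attacks; it only adds a small linear-algebra step to them.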

[1] Andrew W. Appel et al., Formal aspects of mobile code security, 1999.

[2] Gideon Yuval et al., How to Swindle Rabin, Cryptologia, 1979.

[3] Adi Shamir et al., Breaking the ICE - Finding Multicollisions in Iterated Concatenated and Expanded (ICE) Hash Functions, FSE, 2006.

[4] Paulo S. L. M. Barreto et al., The MAELSTROM-0 Hash Function, Anais do VI Simpósio Brasileiro de Segurança da Informação e de Sistemas Computacionais (SBSeg 2006), 2006.

[5] Ronald Cramer et al., Advances in Cryptology - EUROCRYPT 2005, 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Aarhus, Denmark, May 22-26, 2005, Proceedings, EUROCRYPT, 2005.

[6] Gerhard Goos et al., Fast Software Encryption, Lecture Notes in Computer Science, 2001.

[7] Jirí Tuma et al., Multi-block Collisions in Hash Functions Based on 3C and 3C+ Enhancements of the Merkle-Damgård Construction, ICISC, 2006.

[8] Moti Yung et al., Advances in Cryptology — CRYPTO 2002, Lecture Notes in Computer Science, 2002.

[9] Lars R. Knudsen et al., Preimage and Collision Attacks on MD2, FSE, 2005.

[10] Byoungcheon Lee et al., Information Security and Cryptology - ICISC 2006, 9th International Conference, Busan, Korea, November 30 - December 1, 2006, Proceedings, ICISC, 2006.

[11] Pil Joong Lee et al., Advances in Cryptology — ASIACRYPT 2001, Lecture Notes in Computer Science, 2001.

[12] William Millan et al., Constructing Secure Hash Functions by Enhancing Merkle-Damgård Construction, ACISP, 2006.

[13] Victor Shoup, Advances in Cryptology - CRYPTO 2005: 25th Annual International Cryptology Conference, Santa Barbara, California, USA, August 14-18, 2005, Proceedings, CRYPTO, 2005.

[14] Xiaoyun Wang et al., Finding Collisions in the Full SHA-1, CRYPTO, 2005.

[15] Walter Fumy et al., Advances in Cryptology — EUROCRYPT ’97, Lecture Notes in Computer Science, 2001.

[16] M. Jacob, A personal communication, 1989.

[17] Xiaoyun Wang et al., How to Break MD5 and Other Hash Functions, EUROCRYPT, 2005.

[18] Ivan Damgård et al., A Design Principle for Hash Functions, CRYPTO, 1989.

[19] Mihir Bellare et al., A New Paradigm for Collision-Free Hashing: Incrementality at Reduced Cost, EUROCRYPT, 1997.

[20] Praveen Gauravaram et al., Cryptographic hash functions: cryptanalysis, design and applications, 2007.

[21] Duo Lei et al., F-HASH: Securing Hash Functions Using Feistel Chaining, IACR Cryptol. ePrint Arch., 2005.

[22] Information Security and Privacy, Lecture Notes in Computer Science, 1996.

[23] Xiaoyun Wang et al., Efficient Collision Search Attacks on SHA-0, CRYPTO, 2005.

[24] Serge Vaudenay et al., Advances in Cryptology - EUROCRYPT 2006, Lecture Notes in Computer Science, 2006.

[25] John Kelsey et al., Herding Hash Functions and the Nostradamus Attack, EUROCRYPT, 2006.

[26] Matthew Franklin et al., Advances in Cryptology – CRYPTO 2004, Lecture Notes in Computer Science, 2004.

[27] Ralph C. Merkle et al., One Way Hash Functions and DES, CRYPTO, 1989.

[28] Douglas R. Stinson et al., Multicollision Attacks on Some Generalized Sequential Hash Functions, IEEE Transactions on Information Theory, 2007.

[29] Bruce Schneier, One-way hash functions, 1991.

[30] David A. Wagner et al., A Generalized Birthday Problem, CRYPTO, 2002.

[31] Bruce Schneier et al., Second Preimages on n-bit Hash Functions for Much Less than 2^n Work, IACR Cryptol. ePrint Arch., 2005.

[32] Michael Wiener et al., Advances in Cryptology — CRYPTO’ 99, 1999.

[33] Frédéric Muller et al., The MD2 Hash Function Is Not One-Way, ASIACRYPT, 2004.

[34] Antoine Joux et al., Multicollisions in Iterated Hash Functions. Application to Cascaded Constructions, CRYPTO, 2004.