Advanced Meet-in-the-Middle Preimage Attacks: First Results on Full Tiger, and Improved Results on MD4 and SHA-2

We revisit narrow-pipe designs that are in practical use, and their security against preimage attacks. Our results are the best known preimage attacks on Tiger, MD4, and reduced SHA-2, with the result on Tiger being the first cryptanalytic shortcut attack on the full hash function. Our attacks run in time $2^{188.8}$ for finding preimages, and $2^{188.2}$ for second-preimages. Both have a memory requirement of order $2^{8}$, which is much less than in any other recent preimage attack on reduced Tiger. Using pre-computation techniques, the time complexity for finding a new preimage or second-preimage for MD4 can now be as low as $2^{78.4}$ and $2^{69.4}$ MD4 computations, respectively. The second-preimage attack works for all messages longer than 2 blocks.
