The breaking of the AR Hash Function

The AR hash function has been proposed by Algorithmic Research Ltd . It has been circulated in the ISO community (Working group 2, document WG2/N179), and is currently being used in practice in the German banking world. AR hash is based on DES and a variant of the CBC mode. It produces a 128 bit hash value. In this paper, we present two attacks on AR hash. The first one constructs in one DES encryption two messages with the same hash value. The second one finds, given an arbitrary message M , an M' 'not equal to' M with the same hash value as M . The attack is split into two parts, the first part needs about 2^33 DES encryptions and succeeds with probability 63 %, the second part needs at most about 2^66 DES encryptions and succeeds with probability about 99 % . Moreover, the 2^33 respectively 2^66 encryptions are necessary only in a one-time preprocessing phase, i.e. having done one of the attacks once with success, a new message can be attacked at the cost of no encryptions at all. Since the hash value is 128 bits long, the times for the attacks should be compared to 2^64, resp. 2^128 DES encryptions for brute force attacks.