Tradeoff tables for compression functions: how to invert hash values

Hash functions are among the most ubiquitous cryptographic primitives and are used widely in applications such as digital signatures, data integrity, authentication protocols, MAC algorithms, RNGs, etc. Hash functions are supposed to be one-way, i.e., preimage resistant. One interesting property of hash functions is that they process arbitrary-length messages into fixed-length outputs. In general, this is achieved by applying a compression function iteratively to fixed-length message blocks. The length of the message is incorporated as padding in the last block prior to hashing, a procedure called Merkle-Damgård strengthening. In this paper, we introduce a new way to find preimages of a hash function by using a rainbow table of its compression function, even if the hash function utilizes Merkle-Damgård (MD) strengthening as its padding procedure. To overcome the MD strengthening, we identify the column functions as representatives of a certain set of preimages, unlike the conventional usage of rainbow tables or Hellman tables to invert one-way functions. As a different approach, we use the position of the given value in the table to invert it. The workload of finding a preimage of a given arbitrary digest value is 2^{2n/3} steps using 2^{2n/3} memory, where n is both the digest size and the length of the chaining value. We give some extensions of the preimage attack to certain improved variants of MD constructions, such as those using output functions, incorporating the length of message blocks, or using random salt values. Moreover, we introduce the notion of "near-preimage" and mount an attack to find near-preimages. We generalize the attack to the case where the digest size is not equal to the length of the chaining value. We have verified the results experimentally: we could find a preimage in one minute for a 40-bit hash function, whereas exhaustive search took roughly one week on a standard PC.
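The tabulation the abstract builds on, as an added example that is not the paper's code: a classical (Oechslin-style) rainbow table over a toy 16-bit compression function with a fixed chaining value, from which a digest is inverted back to a message block using only the stored chain endpoints. The paper's own handling of MD strengthening (column functions as representatives of preimage sets, position-based lookup) is not reproduced, since the abstract does not give it; the toy compression function, the fixed IV, the reduction function and the m*t = 8 * 2^n parameter choice are all assumptions made for the demo.

```python
import hashlib
import random

N_BITS = 16                      # toy digest / chaining-value size n (constructed)
MASK = (1 << N_BITS) - 1
IV = 0x2A2A                      # fixed chaining value; an assumption, not from the paper
CHAINS, COLS = 1 << 14, 1 << 5   # m chains x t columns; m*t = 8 * 2^n for good coverage

def compress(h: int, m: int) -> int:
    """Toy compression function: n-bit truncation of SHA-256(h || m)."""
    data = h.to_bytes(4, "big") + m.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big") & MASK
def f(block: int) -> int: return compress(IV, block)   # map tabulated: block -> digest

def reduce(digest: int, col: int) -> int:
    """Column-dependent reduction mapping a digest back into the block space."""
    return (digest + 0x9E3779B1 * (col + 1)) & MASK

def build_table(seed: int = 1) -> dict:
    """One rainbow table: chain endpoint -> chain start point (the memory)."""
    rng = random.Random(seed)
    table = {}
    for _ in range(CHAINS):
        start = x = rng.getrandbits(N_BITS)
        for col in range(COLS):
            x = reduce(f(x), col)
        table.setdefault(x, start)   # merged chains: keep the first start
    return table

def invert(table: dict, target: int):
    """Return a block whose digest is target, or None if the table misses it."""
    for j in range(COLS - 1, -1, -1):      # guess the column holding target
        x = reduce(target, j)
        for col in range(j + 1, COLS):
            x = reduce(f(x), col)
        if x in table:                     # candidate chain: rebuild it to column j
            y = table[x]
            for col in range(j):
                y = reduce(f(y), col)
            if f(y) == target:             # otherwise a false alarm from a chain merge
                return y
    return None

def run_demo(trials: int = 50, seed: int = 7) -> list:
    """Invert the digests of random blocks; return (target, preimage) pairs."""
    table, rng = build_table(), random.Random(seed)
    targets = [f(rng.getrandbits(N_BITS)) for _ in range(trials)]
    return [(t, invert(table, t)) for t in targets]
```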
