Generic Attacks on Hash Combiners

Hash combiners are a practical way to make cryptographic hash functions more tolerant to future attacks and compatible with existing infrastructure. A combiner combines two or more hash functions in a way that is hopefully more secure than each of the underlying hash functions, or that at least remains secure as long as one of them is secure. Two classical hash combiners are the exclusive-or (XOR) combiner $$ \mathcal {H}_1(M) \oplus \mathcal {H}_2(M) $$ and the concatenation combiner $$ \mathcal {H}_1(M) \Vert \mathcal {H}_2(M) $$. Both process the same message using the two underlying hash functions in parallel. Apart from parallel combiners, there are also cascade constructions that call the underlying hash functions sequentially to process the message repeatedly, such as Hash-Twice $$\mathcal {H}_2(\mathcal {H}_1(IV, M), M)$$ and the Zipper hash $$\mathcal {H}_2(\mathcal {H}_1(IV, M), \overleftarrow{M})$$, where $$\overleftarrow{M}$$ is the reverse of the message M.

In this work, we study the security of these hash combiners by devising the best-known generic attacks. The results show that the security of most of the combiners is not as high as commonly believed. We summarize our attacks and their computational complexities (ignoring polynomial factors) as follows:

1. Several generic preimage attacks on the XOR combiner. A first attack with a best-case complexity of $$ 2^{5n/6} $$, obtained for messages of length $$ 2^{n/3} $$. It relies on a novel technical tool named the interchange structure and is applicable to combiners whose underlying hash functions follow the Merkle–Damgård construction or the HAIFA framework. A second attack with a best-case complexity of $$ 2^{2n/3} $$, obtained for messages of length $$ 2^{n/2} $$. It exploits properties of functional graphs of random mappings. It achieves a significant improvement over the first attack but is only applicable when the underlying hash functions use the Merkle–Damgård construction. An improvement upon the second attack with a best-case complexity of $$ 2^{5n/8} $$, obtained for messages of length $$ 2^{5n/8} $$. It further exploits properties of functional graphs of random mappings and uses longer messages. These attacks show a rather surprising result: regarding preimage resistance, the sum of two n-bit narrow-pipe hash functions following the considered constructions can never provide n-bit security.

2. A generic second-preimage attack on the concatenation combiner of two Merkle–Damgård hash functions. This attack finds second preimages faster than $$ 2^n $$ for challenges longer than $$ 2^{2n/7} $$ and has a best-case complexity of $$ 2^{3n/4} $$, obtained for challenges of length $$ 2^{3n/4} $$. It also exploits properties of functional graphs of random mappings.

3. The first generic second-preimage attack on the Zipper hash with underlying hash functions following the Merkle–Damgård construction. The best-case complexity is $$ 2^{3n/5} $$, obtained for challenge messages of length $$ 2^{2n/5} $$.

4. An improved generic second-preimage attack on Hash-Twice with underlying hash functions following the Merkle–Damgård construction. The best-case complexity is $$ 2^{13n/22} $$, obtained for challenge messages of length $$ 2^{13n/22} $$.

The last three attacks show that, regarding second-preimage resistance, the concatenation and cascade of two n-bit narrow-pipe Merkle–Damgård hash functions do not provide much more security than can be provided by a single n-bit hash function.

Our main technical contributions include the following:

1. The interchange structure, which enables simultaneously controlling the behaviours of two hash computations sharing the same input.

2. The simultaneous expandable message, a set of messages whose lengths cover a whole appropriate range and which form a multi-collision for both of the underlying hash functions.

3. New ways to exploit the properties of functional graphs of random mappings generated by fixing the message block input to the underlying compression functions.
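The four combiners named in the abstract, written out as an added example that is not the paper's own code: a toy narrow-pipe Merkle–Damgård iteration built by truncating SHA-256, two independent instances H1 and H2 of it, and the XOR, concatenation, Hash-Twice and Zipper constructions on top. It also includes a small routine that walks the functional graph obtained by fixing the message block input to a compression function, which is the object the abstract's last contribution refers to. Block length, state length, the `H1`/`H2` labels and the IVs are all constructed for illustration and are not parameters from the paper.

```python
import hashlib
from typing import Callable, Dict, List, Tuple

# Toy parameters, constructed for illustration (not values from the paper):
# a 16-byte message block and a 4-byte (n = 32-bit) chaining value, small enough
# that everything below is cheap to run yet keeps the shape of a real construction.
BLOCK_LEN = 16
STATE_LEN = 4

Compress = Callable[[bytes, bytes], bytes]


def make_compression(label: bytes, state_len: int = STATE_LEN) -> Compress:
    """Build a toy compression function f(h, m) -> h' by truncating SHA-256.
    The label keeps H1 and H2 unrelated, as two independent hash functions would be."""
    def f(h: bytes, m: bytes) -> bytes:
        return hashlib.sha256(label + h + m).digest()[:state_len]
    return f


def pad(msg: bytes) -> List[bytes]:
    """Merkle-Damgard strengthening: 0x80, zero fill, 8-byte big-endian bit length."""
    data = msg + b"\x80"
    while (len(data) + 8) % BLOCK_LEN:
        data += b"\x00"
    data += (8 * len(msg)).to_bytes(8, "big")
    return [data[i:i + BLOCK_LEN] for i in range(0, len(data), BLOCK_LEN)]


def md_hash(f: Compress, iv: bytes, blocks: List[bytes]) -> bytes:
    """Narrow-pipe Merkle-Damgard iteration: the final chaining value is the digest."""
    h = iv
    for m in blocks:
        h = f(h, m)
    return h


# Two independent toy hash functions H1 and H2 (labels and IVs are constructed).
F1, IV1 = make_compression(b"H1"), bytes(STATE_LEN)
F2, IV2 = make_compression(b"H2"), b"\x01" * STATE_LEN


def xor_combiner(msg: bytes) -> bytes:
    """H1(M) xor H2(M): both passes see the same blocks; the output stays n bits."""
    blocks = pad(msg)
    h1, h2 = md_hash(F1, IV1, blocks), md_hash(F2, IV2, blocks)
    return bytes(a ^ b for a, b in zip(h1, h2))


def concat_combiner(msg: bytes) -> bytes:
    """H1(M) || H2(M): parallel passes, 2n-bit output."""
    blocks = pad(msg)
    return md_hash(F1, IV1, blocks) + md_hash(F2, IV2, blocks)


def hash_twice(msg: bytes) -> bytes:
    """H2(H1(IV, M), M): the first pass's chaining value becomes the IV of the second."""
    blocks = pad(msg)
    return md_hash(F2, md_hash(F1, IV1, blocks), blocks)


def zipper_hash(msg: bytes) -> bytes:
    """H2(H1(IV, M), reverse(M)): as Hash-Twice, but the second pass reads the
    padded blocks in reverse order."""
    blocks = pad(msg)
    return md_hash(F2, md_hash(F1, IV1, blocks), blocks[::-1])


def rho_structure(f: Compress, start: bytes, block: bytes) -> Tuple[int, int]:
    """Fix the message block and iterate x -> f(x, block) from `start`.
    On a finite state space the walk must repeat; return (tail length before the
    first repeated state, cycle length). This is the functional-graph view of a
    compression function with its message block fixed."""
    seen: Dict[bytes, int] = {}
    x, i = start, 0
    while x not in seen:
        seen[x] = i
        x = f(x, block)
        i += 1
    tail = seen[x]
    return tail, i - tail


if __name__ == "__main__":
    m = b"The quick brown fox jumps over the lazy dog"
    print("xor    ", xor_combiner(m).hex())
    print("concat ", concat_combiner(m).hex())
    print("twice  ", hash_twice(m).hex())
    print("zipper ", zipper_hash(m).hex())
    # A 16-bit state makes the rho shape visible after a few hundred steps.
    f_small = make_compression(b"demo", state_len=2)
    print("tail, cycle =", rho_structure(f_small, b"\x00\x00", bytes(BLOCK_LEN)))
```

One check worth running: a message that pads to a single block gives the same digest under `hash_twice` and `zipper_hash`, since reversing a one-block list changes nothing; the two constructions only diverge on multi-block inputs. The `rho_structure` walk is run on a 2-byte state in the demo because on the 4-byte state it needs on the order of 2^16 steps before repeating, which is the birthday-bound behaviour of a random mapping that the abstract's functional-graph results build on.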
