Preimage Attacks on 3-Pass HAVAL and Step-Reduced MD5

This paper presents preimage attacks on the hash functions 3-pass HAVAL and step-reduced MD5. Introduced in 1992 and 1991 respectively, these functions underwent severe collision attacks, but no preimage attack. We describe two preimage attacks on the compression function of 3-pass HAVAL. The attacks have a complexity of about $2^{224}$ compression function evaluations instead of $2^{256}$. We present several preimage attacks on the MD5 compression function that invert up to 47 steps (out of 64) within $2^{96}$ trials instead of $2^{128}$. Although our attacks are not practical, they show that the security margin of 3-pass HAVAL and step-reduced MD5 with respect to preimage attacks is not as high as expected.
