On hash functions using checksums

We analyse the security of iterated hash functions that compute an input dependent checksum which is processed as part of the hash computation. We show that a large class of such schemes, including those using non-linear or even one-way checksum functions, is not secure against the second preimage attack of Kelsey and Schneier, the herding attack of Kelsey and Kohno and the multicollision attack of Joux. Our attacks also apply to a large class of cascaded hash functions. Our second preimage attacks on the cascaded hash functions improve the results of Joux presented at Crypto'04. We also apply our attacks to the MD2 and GOST hash functions. Our second preimage attacks on the MD2 and GOST hash functions improve the previous best known short-cut second preimage attacks on these hash functions by factors of at least 2^26 and 2^54, respectively. Our herding and multicollision attacks on the hash functions based on generic checksum functions (e.g., one-way) are a special case of the attacks on the cascaded iterated hash functions previously analysed by Dunkelman and Preneel and are not better than their attacks. On hash functions with easily invertible checksums, our multicollision and herding attacks (if the hash value is short as in MD2) are more efficient than those of Dunkelman and Preneel.
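The abstract's central claim is that appending an input-dependent checksum to an iterated hash does not stop Joux-style multicollision attacks. The toy model below is an added illustration written for this page (it is not the paper's construction or code): a 16-bit Merkle-Damgård chain whose compression function is SHA-256 truncated to two bytes, with a 16-bit XOR checksum of the message blocks processed as the final block. Joux's construction chains k single-block collisions into 2^k messages that all end in the same chaining value; choosing k one larger than the checksum width then guarantees, by the pigeonhole principle, that two of those messages also share the checksum, and hence the final hash. The parameter sizes and the counter-based block search are assumptions made so the example runs in a second; a real n-bit hash would cost about k*2^(n/2) compression calls for the multicollision step. The checksum is passed as a function so any block-wise checksum (not only a linear one) can be substituted, which is the generalisation the abstract refers to.

```python
import hashlib
from itertools import count, product

STATE_BYTES = 2    # toy 16-bit chaining value (constructed for illustration, not any real hash)
BLOCK_BYTES = 2    # toy 16-bit message blocks
CHECKSUM_BITS = 16 # width of the checksum that is hashed as the last block


def compress(state: int, block: bytes) -> int:
    """Toy compression function: SHA-256 of (chaining value || block), truncated to 16 bits."""
    d = hashlib.sha256(state.to_bytes(STATE_BYTES, "big") + block).digest()
    return int.from_bytes(d[:STATE_BYTES], "big")


def xor_checksum(blocks) -> int:
    """Linear (XOR) checksum over all message blocks; any other block-wise checksum works too."""
    cs = 0
    for b in blocks:
        cs ^= int.from_bytes(b, "big")
    return cs


def checksummed_hash(blocks, checksum=xor_checksum) -> int:
    """Iterated hash: absorb the message blocks, then absorb the checksum as a final block."""
    h = 0
    for b in blocks:
        h = compress(h, b)
    return compress(h, checksum(blocks).to_bytes(BLOCK_BYTES, "big"))


def find_block_collision(state: int):
    """Birthday-style search for two distinct blocks b1 != b2 with compress(state, b1) == compress(state, b2).

    Blocks are enumerated from a counter (an assumption for determinism); about 2^8 trials are
    expected for a 16-bit state.
    """
    seen = {}
    for i in count():
        b = i.to_bytes(BLOCK_BYTES, "big")
        out = compress(state, b)
        if out in seen:
            return seen[out], b, out
        seen[out] = b


def joux_multicollision(k: int):
    """Joux's construction: k successive single-block collisions give 2**k messages
    that all reach the same chaining value after k blocks, at the price of k collision searches."""
    state = 0
    choices = []
    for _ in range(k):
        b1, b2, state = find_block_collision(state)
        choices.append((b1, b2))
    return choices, state


def collide_checksummed_hash(checksum=xor_checksum, checksum_bits=CHECKSUM_BITS):
    """Return two distinct messages with the same checksummed hash.

    With k = checksum_bits + 1 the 2**k multicollision messages outnumber the 2**checksum_bits
    possible checksum values, so two of them must share a checksum (pigeonhole). They already
    share the chaining value, so the final compress() call collides as well.
    """
    k = checksum_bits + 1
    choices, _ = joux_multicollision(k)
    seen = {}
    for bits in product((0, 1), repeat=k):
        msg = tuple(choices[i][bit] for i, bit in enumerate(bits))
        cs = checksum(msg)
        if cs in seen:
            return seen[cs], msg
        seen[cs] = msg
    raise AssertionError("unreachable: pigeonhole guarantees a checksum collision")


if __name__ == "__main__":
    m1, m2 = collide_checksummed_hash()
    print("distinct messages:", m1 != m2)
    print("hash(m1) == hash(m2):", checksummed_hash(m1) == checksummed_hash(m2))
```

The enumeration over the 2^k candidates is the generic (checksum-agnostic) step; for a linear checksum such as XOR, a dependency among the k block differences can instead be found by Gaussian elimination over GF(2), which is why the abstract notes that easily invertible checksums give cheaper attacks than generic one-way ones.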

[1] Paulo S. L. M. Barreto et al. The MAELSTROM-0 Hash Function, 2006, Anais do VI Simpósio Brasileiro de Segurança da Informação e de Sistemas Computacionais (SBSeg 2006).

[2] Stefan Lucks et al. A Failure-Friendly Design Principle for Hash Functions, 2005, ASIACRYPT.

[3] Jean-Jacques Quisquater et al. 2n-Bit Hash-Functions Using n-Bit Symmetric Block Cipher Algorithms, 1990, EUROCRYPT.

[4] Burton S. Kaliski et al. The MD2 Message-Digest Algorithm, 1992, RFC.

[5] Lars R. Knudsen et al. Preimage and Collision Attacks on MD2, 2005, FSE.

[6] Antoine Joux et al. Multicollisions in Iterated Hash Functions. Application to Cascaded Constructions, 2004, CRYPTO.

[7] Adi Shamir et al. Breaking the ICE - Finding Multicollisions in Iterated Concatenated and Expanded (ICE) Hash Functions, 2006, FSE.

[8] Ronald L. Rivest et al. The MD5 Message-Digest Algorithm, 1992, RFC.

[9] Pascal Chauvaud et al. MD2 is not Secure Without the Checksum Byte, 1997, Des. Codes Cryptogr.

[10] Douglas R. Stinson et al. Multicollision Attacks on Some Generalized Sequential Hash Functions, 2007, IEEE Transactions on Information Theory.

[11] Bruce Schneier. One-way hash functions, 1991.

[12] Andrew W. Appel et al. Formal aspects of mobile code security, 1999.

[13] David A. Wagner et al. A Generalized Birthday Problem, 2002, CRYPTO.

[14] Xiaoyun Wang et al. Efficient Collision Search Attacks on SHA-0, 2005, CRYPTO.

[15] John Kelsey et al. Herding Hash Functions and the Nostradamus Attack, 2006, EUROCRYPT.

[16] Ralph C. Merkle et al. One Way Hash Functions and DES, 1989, CRYPTO.

[17] John Kelsey et al. Linear-XOR and Additive Checksums Don't Protect Damgård-Merkle Hashes from Generic Attacks, 2008, CT-RSA.

[18] Ivan Damgård et al. A Design Principle for Hash Functions, 1989, CRYPTO.

[19] Mihir Bellare et al. A New Paradigm for Collision-Free Hashing: Incrementality at Reduced Cost, 1997, EUROCRYPT.

[20] Florian Mendel et al. Cryptanalysis of the GOST Hash Function, 2008, CRYPTO.

[21] Lars R. Knudsen et al. Cryptanalysis of MD2, 2009, Journal of Cryptology.

[22] William Millan et al. Constructing Secure Hash Functions by Enhancing Merkle-Damgård Construction, 2006, ACISP.

[23] Wu Wen. Hash Functions Based on Block Ciphers, 2009.

[24] Duo Lei et al. F-HASH: Securing Hash Functions Using Feistel Chaining, 2005, IACR Cryptol. ePrint Arch.

[25] Air Force Materiel Command HQ. FIPS-PUB-180-1, 1995.

[26] Xiaoyun Wang et al. Finding Collisions in the Full SHA-1, 2005, CRYPTO.

[27] Xiaoyun Wang et al. How to Break MD5 and Other Hash Functions, 2005, EUROCRYPT.

[28] Frédéric Muller et al. The MD2 Hash Function Is Not One-Way, 2004, ASIACRYPT.

[29] Bart Preneel et al. Cryptographic hash functions, 2010, Eur. Trans. Telecommun.

[30] Bruce Schneier et al. Second Preimages on n-bit Hash Functions for Much Less than 2^n Work, 2005, IACR Cryptol. ePrint Arch.