Breaking the ICE - Finding Multicollisions in Iterated Concatenated and Expanded (ICE) Hash Functions

The security of hash functions has recently become one of the hottest topics in the design and analysis of cryptographic primitives. Since almost all the hash functions used today (including the MD and SHA families) have an iterated design, it is important to study the general security properties of such functions. At Crypto 2004, Joux showed that in any iterated hash function it is relatively easy to find exponential-sized multicollisions, and thus the concatenation of several hash functions does not increase their security. However, in his proof it was essential that each message block is used at most once. In 2005, Nandi and Stinson extended the technique to handle iterated hash functions in which each message block is used at most twice. In this paper we consider the general case and prove that even if we allow each iterated hash function to scan the input multiple times in an arbitrary expanded order, their concatenation is not stronger than a single function. Finally, we extend the result to tree-based hash functions with arbitrary tree structures.
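The base case the abstract starts from (Joux's multicollision, where each block is used once) can be seen on a toy function. This is an added example, not code from the paper: `compress`, `toy_hash` and the 16-bit chaining value are assumptions chosen so the birthday search finishes instantly, and length padding is omitted because all colliding messages have the same length.

```python
import hashlib
from itertools import product

STATE_BYTES = 2   # toy 16-bit chaining value (assumption, not a real hash size)
BLOCK_BYTES = 4

def compress(state: bytes, block: bytes) -> bytes:
    """Toy compression function: SHA-256 truncated to STATE_BYTES."""
    return hashlib.sha256(state + block).digest()[:STATE_BYTES]

def toy_hash(message: bytes, iv: bytes = b"\x00" * STATE_BYTES) -> bytes:
    """Plain iterated hash: every message block is used exactly once, in order."""
    assert len(message) % BLOCK_BYTES == 0
    state = iv
    for i in range(0, len(message), BLOCK_BYTES):
        state = compress(state, message[i:i + BLOCK_BYTES])
    return state

def block_collision(state: bytes):
    """Birthday search for two distinct blocks mapping `state` to one next state."""
    seen = {}
    counter = 0
    while True:
        block = counter.to_bytes(BLOCK_BYTES, "big")
        nxt = compress(state, block)
        if nxt in seen:
            return seen[nxt], block, nxt
        seen[nxt] = block
        counter += 1

def joux_multicollision(k: int, iv: bytes = b"\x00" * STATE_BYTES):
    """Chain k one-block collisions; cost is k birthday searches, not 2**k."""
    state, pairs = iv, []
    for _ in range(k):
        a, b, state = block_collision(state)
        pairs.append((a, b))
    # Any choice of a or b at each position reaches the same final state.
    messages = [b"".join(choice) for choice in product(*pairs)]
    return messages, state

if __name__ == "__main__":
    msgs, digest = joux_multicollision(4)
    print(len(msgs), "distinct messages share digest", digest.hex())
```

Because k collisions yield 2^k colliding messages, the set is large enough to contain a collision for a second iterated hash as well, which is why concatenating the two adds little strength.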
