Faster Multicollisions

Joux’s multicollision attack is one of the most striking results on hash functions and also one of the simplest: it computes a $k$-collision on iterated hashes in time $\lceil \log_2 k \rceil \cdot 2^{n/2}$, whereas $(k!)^{1/k} \cdot 2^{n(k-1)/k}$ was thought to be optimal. Kelsey and Schneier improved this to $3 \cdot 2^{n/2}$ if storage $2^{n/2}$ is available and if the compression function admits easily found fixed points. This paper presents a simple technique that reduces this cost to $2^{n/2}$ and negligible memory, when the IV can be chosen by the attacker. Additional benefits are shorter messages than the Kelsey/Schneier attack and cost-optimality.
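The baseline the abstract starts from, Joux's attack, shown on a toy iterated hash as an added example (not code from the paper, and not the paper's faster technique): chaining $t$ block collisions yields $2^t$ colliding messages for about $t \cdot 2^{n/2}$ work. The 16-bit chaining value, the 8-byte block size and the truncated SHA-256 compression function are assumptions chosen so the search finishes instantly.

```python
import hashlib
from itertools import product

N_BYTES = 2  # toy chaining value: n = 16 bits (assumption; real hashes use far wider state)
BLOCK = 8    # bytes per message block (assumption)

def compress(h: int, block: bytes) -> int:
    """Toy compression function: SHA-256 of (state || block), truncated to n bits."""
    d = hashlib.sha256(h.to_bytes(N_BYTES, "big") + block).digest()
    return int.from_bytes(d[:N_BYTES], "big")

def toy_hash(iv: int, msg: bytes) -> int:
    """Plain iterated hash. Length padding is omitted: all colliding messages
    have the same length, so a final length block would not separate them."""
    h = iv
    for i in range(0, len(msg), BLOCK):
        h = compress(h, msg[i:i + BLOCK])
    return h

def block_collision(h: int):
    """Birthday search for two distinct blocks that collide from state h.
    Returns (block_a, block_b, next_state, compression_calls)."""
    seen = {}
    ctr = 0
    while True:
        b = ctr.to_bytes(BLOCK, "big")
        out = compress(h, b)
        if out in seen:
            return seen[out], b, out, ctr + 1
        seen[out] = b
        ctr += 1

def joux_multicollision(iv: int, t: int):
    """Chain t single-block collisions. Every one of the 2**t ways of picking
    one block per position hashes to the same value.
    Returns (messages, common_digest, total_compression_calls)."""
    pairs, h, work = [], iv, 0
    for _ in range(t):
        b0, b1, h, calls = block_collision(h)
        pairs.append((b0, b1))
        work += calls
    msgs = [b"".join(choice) for choice in product(*pairs)]
    return msgs, h, work

if __name__ == "__main__":
    msgs, digest, work = joux_multicollision(iv=0, t=3)
    print(f"{len(msgs)}-collision on digest {digest:#06x} after {work} compression calls")
```

The work grows linearly in $t$ while the number of colliding messages doubles with each step, which is why widening the output by concatenating two iterated hashes adds far less collision resistance than the combined output length suggests.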
