Preimage Analysis of the Maelstrom-0 Hash Function

Maelstrom-0 is the second member of a family of AES-based hash functions whose designs were pioneered by Paulo Barreto and Vincent Rijmen. According to its designers, the function is designed to be an evolutionary lightweight alternative to the ISO standard Whirlpool. In this paper, we study the preimage resistance of the Maelstrom-0 hash function using its proposed 3CM chaining construction. More precisely, we apply a meet-in-the-middle preimage attack on the compression function and combine it with a guess-and-determine approach, which allows us to obtain a 6-round pseudo preimage for a given compression function output with time complexity of 2^496 and memory complexity of 2^112. Then, we propose a four-stage attack in which we adopt another meet-in-the-middle attack and a 2-block multicollision approach to defeat the two additional checksum chains and turn the pseudo preimage attack on the compression function into a preimage attack on the hash function. Using our approach, preimages of the 6-round reduced Maelstrom-0 hash function are generated with time complexity of 2^505 and memory complexity of 2^112.
