New Second-Preimage Attacks on Hash Functions

Elena Andreeva; Charles Bouillaguet; Orr Dunkelman; Pierre-Alain Fouque; Jonathan Hoch; Adi Shamir; John Kelsey

doi:10.1007/s00145-015-9206-4

Back

New Second-Preimage Attacks on Hash Functions

Journal article

Peer reviewed

New Second-Preimage Attacks on Hash Functions

Elena Andreeva, Charles Bouillaguet, Orr Dunkelman, Pierre-Alain Fouque, Jonathan Hoch, Adi Shamir and John Kelsey

Journal of Cryptology, Vol.29(4), pp.657-696

Oct/2016

DOI: https://doi.org/10.1007/s00145-015-9206-4

Files and links (2)

url

https://doi.org/10.1007/s00145-015-9206-4View

Published (Version of record) Restricted

url

https://ezproxy.weizmann.ac.il/login?url=http://dx.doi.org/10.1007/s00145-015-9206-4View

Published (Version of record) Restricted

Abstract

In this work, we present several new generic second-preimage attacks on hash functions. Our first attack is based on the herding attack and applies to various Merkle-DamgAyenrd-based iterative hash functions. Compared to the previously known long-message second-preimage attacks, our attack offers more flexibility in choosing the second-preimage message at the cost of a small computational overhead. More concretely, our attack allows the adversary to replace only a few blocks in the original target message to obtain the second preimage. As a result, our new attack is applicable to constructions previously believed to be immune to such second-preimage attacks. Among others, these include the dithered hash proposal of Rivest, Shoup's UOWHF, and the ROX constructions. In addition, we also suggest several time-memory-data tradeoff attack variants, allowing for a faster online phase, and even finding second preimages for shorter messages. We further extend our attack to sequences stronger than the ones suggested in Rivest's proposal. To this end we introduce the kite generator as a new tool to attack any dithering sequence over a small alphabet. Additionally, we analyse the second-preimage security of the basic tree hash construction. Here we also propose several second-preimage attacks and their time-memory-data tradeoff variants. Finally, we show how both our new and the previous second-preimage attacks can be applied even more efficiently when multiple short messages, rather than a single long target message, are available.

Details

Title: New Second-Preimage Attacks on Hash Functions
Creators: Elena Andreeva (null)
Charles Bouillaguet (null)
Orr Dunkelman (null) - 972WIS_INST___83
Pierre-Alain Fouque (null)
Jonathan Hoch (null)
Adi Shamir (null) - 972WIS_INST___83
John Kelsey (null)
Resource Type: Journal article
Publication Details: Journal of Cryptology, Vol.29(4), pp.657-696; Oct/2016
Number of pages: 40
Language: English
DOI: https://doi.org/10.1007/s00145-015-9206-4
Grant note: Research Council KU Leuven: GOA TENSE [GOA/11/007, OT/13/071]; IAP Program BCRYPT of the Belgian State (Belgian Science Policy) [P6/26]; European Commission through the ICT program [ICT-2007-216676 ECRYPT II]; Flemish Research Foundation (FWO-Vlaanderen); France Telecom Chair; ISF [827/12]_ALMAME_DELIMITER_
Record Identifier: 993266598503596

Metrics

3 Record Views