TY - GEN
T1 - New attacks on the concatenation and XOR hash combiners
AU - Dinur, Itai
N1 - Publisher Copyright:
© International Association for Cryptologic Research 2016.
PY - 2016/1/1
Y1 - 2016/1/1
N2 - We study the security of the concatenation combiner $H_1(M)\|H_2(M)$ for two independent iterated hash functions with n-bit outputs that are built using the Merkle-Damgård construction. In 2004 Joux showed that the concatenation combiner of hash functions with an n-bit internal state does not offer better collision and preimage resistance compared to a single strong n-bit hash function. On the other hand, the problem of devising second preimage attacks faster than $2^n$ against this combiner has remained open since 2005 when Kelsey and Schneier showed that a single Merkle-Damgård hash function does not offer optimal second preimage resistance for long messages. In this paper, we develop new algorithms for cryptanalysis of hash combiners and use them to devise the first second preimage attack on the concatenation combiner. The attack finds second preimages faster than $2^n$ for messages longer than $2^{2n/7}$ and has optimal complexity of $2^{3n/4}$. This shows that the concatenation of two Merkle-Damgård hash functions is not as strong as a single ideal hash function. Our methods are also applicable to other well-studied combiners, and we use them to devise a new preimage attack with complexity of $2^{2n/3}$ on the XOR combiner $H_1(M)\oplus H_2(M)$ of two Merkle-Damgård hash functions. This improves upon the attack by Leurent and Wang (presented at Eurocrypt 2015) whose complexity is $2^{5n/6}$ (but unlike our attack is also applicable to HAIFA hash functions). Our algorithms exploit properties of random mappings generated by fixing the message block input to the compression functions of $H_1$ and $H_2$. Such random mappings have been widely used in cryptanalysis, but we exploit them in new ways to attack hash function combiners.
KW - Concatenation combiner
KW - Cryptanalysis
KW - Hash function
KW - XOR combiner
UR - http://www.scopus.com/inward/record.url?scp=84979088493&partnerID=8YFLogxK
U2 - 10.1007/978-3-662-49890-3_19
DO - 10.1007/978-3-662-49890-3_19
M3 - Conference contribution
AN - SCOPUS:84979088493
SN - 9783662498897
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 484
EP - 508
BT - Advances in Cryptology - EUROCRYPT 2016 - 35th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Proceedings
A2 - Fischlin, Marc
A2 - Coron, Jean-Sebastien
PB - Springer Verlag
T2 - 35th Annual International Conference on Theory and Applications of Cryptographic Techniques, EUROCRYPT 2016
Y2 - 8 May 2016 through 12 May 2016
ER -