Generic Attacks on Hash Combiners

Zhenzhen Bao Itai Dinur Jian Guo Gaëtan Leurent Lei Wang

ASK 2019, December 13–15 Kobe, Japan

1/60 Acknowledgments

The works are reported in Zhenzhen Bao, Itai Dinur, Jian Guo, Gaëtan Leurent, and Lei Wang. “Generic Attacks on Hash Combiners”. In: Journal of Cryptology (2019)

This is a combination and extension of three conference papers I Gaëtan Leurent and Lei Wang. “The Sum Can Be Weaker Than Each Part”. In: Advances in Cryptology - EUROCRYPT 2015 - 34th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Sofia, Bulgaria, April 26-30, 2015, Proceedings, Part I. ed. by Elisabeth Oswald and Marc Fischlin. Vol. 9056. LNCS. Springer, 2015 I Itai Dinur. “New Attacks on the Concatenation and XOR Hash Combiners”. In: Advances in Cryptology - EUROCRYPT 2016 - 35th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Vienna, Austria, May 8-12, 2016, Proceedings, Part I. ed. by Marc Fischlin and Jean-Sébastien Coron. Vol. 9665. LNCS. Springer, 2016 I Zhenzhen Bao, Lei Wang, Jian Guo, and Dawu Gu. “Functional Graph Revisited: Updates on (Second) Preimage Attacks on Hash Combiners”. In: Advances in Cryptology - CRYPTO 2017 - 37th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 20-24, 2017, Proceedings, Part II. ed. by Jonathan Katz and Hovav Shacham. Vol. 10402. LNCS. Springer, 2017

2/60 Outline

Introduction Preliminaries Preimage Attacks on XOR Combiners Based on the Interchange Structure Improved Preimage Attack on XOR Combiners Based on Deep Iterates Improved Preimage Attack on XOR Combiners Based on Multi-Cycles Second-Preimage Attack on Concatenation Combiners Based on Deep Iterates Second-Preimage Attack on the Zipper Hash Second-Preimage Attack on Hash-Twice More Applications and Extensions Summary and Open Problems

3/60 Cryptographic Hash Combiners

Motivation of design of hash combiners (share the common motivation with other cryptographic combiners, e.g., encryption combiners): I Security robustness the combiner is secure as long as any one of its underlying hash functions is secure I Security amplification the combiner is more secure than its underlying hash functions Besides, regarding implementations I Backward-compatible the combiner is compatible with existing infrastructure

4/60 Constructions of Hash Combiners – Parallel

Concatenation Combiner XOR Combiner M M

IV1 IV2 IV1 IV2

H1 H2 H1 H2

H1(M) H2(M) H1(M) H2(M) n k n n L n

2n n

H1,H2 H1,H2 L C (M) = H1(M)kH2(M) C (M) = H1(M) H2(M)

n 2n 2n (collision 2 , 2nd-preimage 2 , preimage 2 ) (collision 2n/2, 2nd-preimage 2n, preimage 2n)

5/60 Theoretical Research on Hash Combiners

Security of classical hash combiners I Security proofs: lower bound; [Her05; Can+07; FL07; FL08; FLP08; Her09; Leh10; FLP14; BB06; Pie07; Pie08; Rja09] I Generic attacks: upper bound; the main focus of this work The underlying compression functions are ideal (random)

6/60 I The HAIFA construction [BD07]: 0 x0 = IVm xi+1 = hi(xi, mi, #bits, salt) H(M) = g(xl+1, |M| )

m1 m2 ··· mL−1 mL

/ b / b / b / b n n n n n n IV / h / h / ··· / h / h / H(M) x0 x1 ··· xL−2 xL−1 xL / / / / c c c c 0 · b 1 · b (L − 2) · b (L − 1) · b

Underlying Construction - Iterative Hash Functions

I The Merkle-Damgård construction (MD) [Dam89; Mer89]: Padding and dividing M = m1 k m2 k · · · k mL, where mL is encoded with the length the message |M|: x0 = IV xi = h(xi−1, mi) H(M) = h(xL−1, mL)

m1 m2 ··· mL−1 mL

/ b / b / b / b n n n n n n IV / h / h / ··· / h / h / H(M) x0 x1 ··· xL−2 xL−1 xL

7/60 Underlying Construction - Iterative Hash Functions

m1 m2 ··· mL−1 mL

/ b / b / b / b n n n n n n IV / h / h / ··· / h / h / H(M) x0 x1 ··· xL−2 xL−1 xL

I The HAIFA construction [BD07]: 0 x0 = IVm xi+1 = hi(xi, mi, #bits, salt) H(M) = g(xl+1, |M| )

m1 m2 ··· mL−1 mL

/ b / b / b / b n n n n n n IV / h / h / ··· / h / h / H(M) x0 x1 ··· xL−2 xL−1 xL / / / / c c c c 0 · b 1 · b (L − 2) · b (L − 1) · b

7/60 Our Focus: Combiners of Iterative Hash Functions – Parallel

H ,H I Concatenation combiner: C 1 1 (M) = H1(M) k H2(M)

IV1 h1 h1 ··· h1 ··· h1 x0 x1 ··· xi−1 xi xL−1 H1(M) m1 m2 ··· mi ··· mL

k H(M)

H2(M) IV2 h2 h2 ··· h2 ··· h2 y0 y1 ··· yi−1 yi yL−1

H ,H I XOR combiner: C 1 1 (M) = H1(M) ⊕ H2(M)

IV1 h1 h1 ··· h1 ··· h1 x0 x1 ··· xi−1 xi xL−1 H1(M) m m ··· m ··· m 1 2 i L H(M) L

H2(M) IV2 h2 h2 ··· h2 ··· h2 y0 y1 ··· yi−1 yi yL−1

8/60 Outline

9/60 I Attacks on concatenation combiner using Joux’s Multi-collisions

H1 1 - Step 1 H1 xn+1 n - Step 2 |MMC| = 2 2 - Step 1 n |MMC| = 2 - Step 3 x n IV1 2 - Step 2 IV1 m - Step 4 - Step 3 xn V1

2n xn+1

1 1 y1 y n yn n+1 2 m V2 IV2 MMC collision IV2 MMC

n 2 2 n n y n H 2 2 H2 2 2 yn yn+1

(a) Collision attack. Cplx: n · 2n/2 (b) Preimage attack. Cplx: n · 2n

Joux’s Multi-collisions (JM [Jou04]) I Get 2t-multi-collision by successively applying birthday attack t times. Cplx t · 2n/2.

m1 m2 mt t x0 xt ≡ x0 xt 0 0 0 m1 m2 mt denoted by MMC

10/60 Joux’s Multi-collisions (JM [Jou04]) I Get 2t-multi-collision by successively applying birthday attack t times. Cplx t · 2n/2.

m1 m2 mt t x0 xt ≡ x0 xt 0 0 0 m1 m2 mt denoted by MMC I Attacks on concatenation combiner using Joux’s Multi-collisions

H1 1 - Step 1 H1 xn+1 n - Step 2 |MMC| = 2 2 - Step 1 n |MMC| = 2 - Step 3 x n IV1 2 - Step 2 IV1 m - Step 4 - Step 3 xn V1

2n xn+1

1 1 y1 y n yn n+1 2 m V2 IV2 MMC collision IV2 MMC

n 2 2 n n y n H 2 2 H2 2 2 yn yn+1

(a) Collision attack. Cplx: n · 2n/2 (b) Preimage attack. Cplx: n · 2n 10/60 Attacks on Concatenation Combiner (JM [Jou04])

2nd-Preimage Collision Resistance Preimage Resistance Resistance Ideal H 2n/2 2n 2n MD H 2n/2 2n 2n HAIFA H 2n/2 2n 2n Ideal 2n 22n 22n H1 k H2 MD / HAIFA 6 2n 6 22n 6 22n H1 k H2 ≈ 2n/2 ≈ 2n ≈ 2n

Ideal 2n/2 2n 2n H1 ⊕ H2 MD / HAIFA 2n/2 2n 2n H1 ⊕ H2

11/60 I The long message 2nd-preimage attack on MD Hash using expandable message. Cplx: max(2n/L, 2t + t · 2n/2).

m1 m2 mp mp+1 mL m1 m2 mp mp+1 mL H(M) H(M) IV a1 a2 ap aL IV a1 a2 ap aL m0 m0 - Step 1 IV MEM - Step 2 IV x Mkp−1 - Step 3

(a) Foiled by MD message length padding (b) Using Kelsey and Schneier’s EM [KS05]

Expandable Message (EM [DA99; KS05]) I Get 2t colliding messages whose lengths cover the whole range of t + [0, 2t − 1] by iteratively generating t collisions with message fragments of carefully chosen length. Cplx 2t + t · 2n/2 t m1 m2 mt x0 xt ≡ x0 xt

20 0 [0] km1 1 [0]2 km0 2 t−1 [0]2 km0 t denoted by MEM

12/60 Expandable Message (EM [DA99; KS05]) I Get 2t colliding messages whose lengths cover the whole range of t + [0, 2t − 1] by iteratively generating t collisions with message fragments of carefully chosen length. Cplx 2t + t · 2n/2 t m1 m2 mt x0 xt ≡ x0 xt

20 0 [0] km1 1 [0]2 km0 2 t−1 [0]2 km0 t denoted by MEM I The long message 2nd-preimage attack on MD Hash using expandable message. Cplx: max(2n/L, 2t + t · 2n/2).

m1 m2 mp mp+1 mL m1 m2 mp mp+1 mL H(M) H(M) IV a1 a2 ap aL IV a1 a2 ap aL m0 m0 - Step 1 IV MEM - Step 2 IV x Mkp−1 - Step 3

(a) Foiled by MD message length padding (b) Using Kelsey and Schneier’s EM [KS05] 12/60 Second Preimage Attack on Single MD Hash Using Expandable Message [DA99; KS05] 2nd-Preimage Collision Resistance Preimage Resistance Resistance Ideal H 2n/2 2n 2n 6 2n MD H 2n/2 2n 2n/L HAIFA H 2n/2 2n 2n Ideal 2n 22n 22n H1 k H2 MD / HAIFA 6 2n 6 22n 6 22n n/2 n n H1 k H2 ≈ 2 ≈ 2 ≈ 2 Ideal 2n/2 2n 2n H1 ⊕ H2 MD / HAIFA 2n/2 2n 2n H1 ⊕ H2

13/60 Outline

14/60 Concatenation Combiner XOR Combiner Preimage Attacks on XOR Combiners M M

IV1 IV2 IV1 IV2

H1 H2 H1 H2

H1(M) H2(M) H1(M) H2(M) n k n n L n

2n n

H1,H2 H1,H2 L C (M) = H1(M)kH2(M) C (M) = H1(M) H2(M)

n 2n 2n Goal of the attack (collision 2 , 2nd-preimage 2 , preimage 2 ) (collision 2n/2, 2nd-preimage 2n, preimage 2n) n Given an n-bit target V, find the message M, s.t., H1(M) ⊕ H2(M) = V, with Cplx 2

IV1 h1 h1 ··· h1 ··· h1 x0 x1 ··· xi−1 xi xL−1 H1(M) m1 m2 ··· mi ··· mL H(M) = V L

H2(M) IV2 h2 h2 ··· h2 ··· h2 y0 y1 ··· yi−1 yi yL−1

15/60 Preimage Attacks on XOR Combiners

Goal of the attack n Given an n-bit target V, find the message M, s.t., H1(M) ⊕ H2(M) = V, with Cplx 2

IV1 h1 h1 ··· h1 ··· h1 x0 x1 ··· xi−1 xi xL−1 H1(M) m m ··· m ··· m 1 2 i L H(M) L

H2(M) IV2 h2 h2 ··· h2 ··· h2 y0 y1 ··· yi−1 yi yL−1

Interchange Structure I Breaking the pairwise relation between internal states of hash computations which share the same input message by a sequences of switches - an interchange structure

16/60 Build Switches for Interchange Structure

MMC H ~ai ~ai+1 i+1 ∗ i ∗ i 0 1 j0 j0 ~a = h (~a ,M ) = h (~a ,M ) j0 1 j0 i 1 j0 i ~bi+1 = h∗(~bi ,M ) = h∗(~bi ,M0) k1 2 k1 i 2 k0 i H2 ~i+1 ∗ ~i ~i+1 i b = h (b ,Mi) 6= b ~b M k0 2 k0 k1 k1 MC M ~bi+1 k1 ~bi M M 0 k0 MC n ~bi+1 Building a single switch Cplx: n · 2 2 M k0

0 ~ ~ First, M and M are selected from MMC to generate a collision (defining the new bk1 ), then bk0 is evaluated using M.

H1 ~a0 ~a0 ~a0 ~a0

~ ~ ~ ~ H2 b1 b1 b1 b1

~ ~ ~ ~ b0 b0 b0 b0

~ M ~ ~ M ~ ~ M 0 ~ A single swich: (~a0, b0) (~a0, b0) (~a0, b1) (~a0, b1) (~a0, b0) (~a0, b1) normal transition normal transition jump transition ~ ~ 0 Jump from (~a0, b0) to (~a0, b1) by using M (dashed lines) instead of M (solid lines). 17/60 Can be applied to any state pair t (Aj, Bk ) for j = 0 ··· 2 − 1 and k = 0 ··· 2t − 1 A 2t-interchange structure based on switches will need Θ(22t) switches Cplx: Θ(22t+n/2)

Interchange Structure (IS)

I The interchange structure has starting points IV1 and IV2, and ending points t t Aj | j = 0 ... 2 − 1 and Bk | k = 0 ... 2 − 1 , s.t., for any state pair (Aj, Bk), one can easily select a message mapping (IV1, IV2) to it.

H1 A3

A2 ( , ) A1 A1 B2

IV1 A0

H2 B3

IV2 B0 M0 M M M M M0 M M M M M 18/60 Can be applied to any state pair t (Aj, Bk ) for j = 0 ··· 2 − 1 and k = 0 ··· 2t − 1 A 2t-interchange structure based on switches will need Θ(22t) switches Cplx: Θ(22t+n/2)

Interchange Structure (IS)

H1 A3

A2 ( , ) A1 A2 B1

IV1 A0

H2 B3

IV2 B0 M M0 M M0 M M M M M M M 18/60 Interchange Structure (IS)

H1 A3

A 1 Can be applied to any state pair t IV1 A0 (Aj, Bk ) for j = 0 ··· 2 − 1 and k = 0 ··· 2t − 1 A 2t-interchange structure based on 2t H2 B3 switches will need Θ(2 ) switches 2t+n/2 B2 Cplx: Θ(2 )

IV2 B0 M M M0 M M M M M M M M0 18/60 ˜ 5n Cplx: O(2tn−6t2)nt−2t Step 2:3:4:5:n n2 ··22 2t + 2 = n − t

L = V

M0 M M M M M0 M M M M M

Preimage Attacks on XOR Combiner Using Interchange Structure

A3 H1 2t+ n A2 Step 1: n · 2 2

A0 IV1

B3 H2 B2

B0 IV2

19/60 ˜ 5n Cplx: O(2tn−6t2)nt+−2nt Step 1:3:4:5:n n2 ··22 2 2t + 2 = n − t

L = V

M0 M M M M M0 M M M M M

Preimage Attacks on XOR Combiner Using Interchange Structure

A3 H1 t n−2t A2 Step 2: 2 · 2

A0 IV1

B3 H2 B2

B0 IV2

19/60 ˜ 5n Cplx: O(2tn−6t2)nt+−2nt Step 1:2:4:5:n n2 ··22 2 2t + 2 = n − t

L = V

M0 M M M M M0 M M M M M

Preimage Attacks on XOR Combiner Using Interchange Structure

A3 H1 t n−2t A2 Step 3: 2 · 2

A0 IV1

B3 H2 B2

B0 IV2

19/60 ˜ 5n Cplx: O(2t 6 2)nt+−2nt Step 1:2:3:5:n n2 ··22 2 2t + 2 = n − t

M0 M M M M M0 M M M M M

Preimage Attacks on XOR Combiner Using Interchange Structure

A3 H1 n−t A2 Step 4: 2

A0 IV1

L = V

B3 H2 B2

B0 IV2

19/60 ˜ 5n Cplx: O(2tn−6t2)nt+−2nt Step 1:2:3:4:n n2 ··22 2 2t + 2 = n − t

Preimage Attacks on XOR Combiner Using Interchange Structure

A3 H1 2t A2 Step 5: n · 2

A0 IV1

L = V

B3 H2 B2

B0 IV2 M0 M M M M M0 M M M M M

19/60 tn−t2nt+−2nt Step 1:2:3:4:5: n2 ··22 2

Preimage Attacks on XOR Combiner Using Interchange Structure

A3 H1 5n Cplx: O˜(2 6 ) A2 n 2t + 2 = n − t

A0 IV1

L = V

B3 H2 B2

B0 IV2 M0 M M M M M0 M M M M M

19/60 Preimage Attack on XOR Combiner Using Interchange Structure

2nd-Preimage Collision Resistance Preimage Resistance Resistance Ideal H 2n/2 2n 2n 6 2n MD H 2n/2 2n 2n/L HAIFA H 2n/2 2n 2n Ideal 2n 22n 22n H1 k H2 MD / HAIFA 6 2n 6 22n 6 22n n/2 n n H1 k H2 ≈ 2 ≈ 2 ≈ 2 Ideal 2n/2 2n 2n H1 ⊕ H2 n n MD / HAIFA n/2 6 2 6 2 2 5n/6 5n/6 H1 ⊕ H2 ≈ 2 ≈ 2

20/60 Outline

21/60 Interchange Structure (recap)

H1 A3

A1 Cplx: Θ(22t+n/2) IV1 A0 A 2t-interchange structure based on switches will need Θ(22t) switches Total Cplx: O˜(25n/6) H2 B3 Trade-off: 22t+n/2 vs. 2n−t B2

IV2 B0 M 0 M M M M M 0 M M M M M 22/60 The Functional Graph of Random Mappings (FG) $ n I Let f ←−FN , where FN is the set of mappings from N-set to N-set (N = 2 ). I The functional graph of f , denoted by FGf , is a directed graph, whose nodes are 0 ... N − 1 and edges are hx, f (x)i

23/60 Statistical Properties of Functional Graph [FO89]

x0 x1 x2 x3 x4 x5 Seen from node x0: x6 x x x x # Components = 3 0 1 6 7 tail length of x0 is λ(x0) = 7 { }: 13 cyclic nodes x 7 x7 x14 { }: 20 terminal nodes x8 x { , }: 44 image nodes x9 14 max Max. cycle length µ = 8 x10 x13 x x cycle length of x0 is µ(x0) = 8 Max. tail length λmax = 11 x11 8 11 x12 max Max. rho-length ρ = 19 rho-length of x0 is ρ(x0) = λ(x0) + µ(x0) = 15

I # Components: 0.5 · n I # Image notes: 0.62 · 2n n/2 I # Cyclic nodes: 1.2 · 2 I # k-th iterate image notes: (1 − τk)N −1+τ I # Terminal nodes: 0.37 · 2n where the τk satisfies the recurrence τ0 = 0, τk+1 = e k . 24/60 Functional Graph Deep Iterates (FGDI)

# 6-th iterate image nodes { }: 20 Theoretical value: 2n−log2(k)+1 = 26−log2(6)+1 ≈ 21.33

I Observation 1: It is easy to get a large set of deep iterates: T : 2t, M : 2t, D : 2t I Observation 2: A deep iterate has a relatively high probability to be reached from a randomly selected starting node.

25/60 Functional Graph Deep Iterates (FGDI) I The probability that a deep iterate ¯x (resp. ¯y) will be encountered at distance d from d −n randomly chosen node x0 (resp. y0) is Pr[f1 (x0) = ¯x] ≈ d · 2 (resp. d −n Pr[f2 (y0) = ¯y] ≈ d · 2 ). d V d −n 2 Thus, Pr[f1 (x0) = ¯x f2 (y0) = ¯y] ≈ (d · 2 ) due to the independence of f1 and f2. I The probability that a pair of 2g-th iterates ¯x and ¯y will be encountered at the same distance is approximately (2g)3 · 2−2n = 23g−2n (g ≤ n/2). One need to compute ≈ 22n−3g chains from different starting points to find one pair of starting points reaching the pair of 2g-th iterates (¯x, ¯y) at the same distance.

G1 G2 4 ⊥ ⊥ ⊥ ⊥ ⊥ ⊥ ⊥ ⊥

5 4 3 4 3 2 ⊥ ⊥ ⊥ 4 3 2 1 x¯ ⊥ 4 3 2 1 y¯ ⊥ ⊥

xˆ x0(3) x1(2) yˆ y0(3) y1(2) y2(1) mˆ mˆ

26/60 Simultaneous Expandable Message (SEM) t 2 n 2 n Cplx: T : n · 2 + n · 2 2 , M : n + t · n, D : 2 2 (n + t)

C − 1 t

1 C − 1 1 C − 1 1 C − 1

1 C − 1 m1 m2 mC−1+t x0 sp1 x1 sp2 x2 spC−1+t xC−1+t H1 m1 x sp x 0 1 xp1 m0 xp 1 0 0 xp2 m2 m 0 ~0 ~0 xpC−1+t C−1+t i−C ~ [0] m1 0 (i − C) + 1 C − 1 1 + 1 C − 1 2 + 1 C − 1 C2t−1 + 1 C − 1

m1 m2 mC−1+t m1 y0 y1 y2 yC−1+t y0 y1

m0 ~ 1 0 0 H i−C 0 m2 m 2 [0] 0 ~0 C−1+t m1 ~0

[C(C − 1),C2 − 1] C[t, 2t + t − 1]

[C(C − 1) + tC, C2 − 1 + (2t + t − 1)C]-expandable message

(a) A building module (b) The full construction

27/60 Phase 2: 2g+s Phase 3: 23n/2−3g/2−s/2 + 25n/2−9g/2−3s/2+` + 2n−2g+`

Improved Preimage Attack on XOR Combiners Based on FGDI - Step 1 Phase 1

ˆx IV1 MSEM

MSEM ˆy IV2

Phase 1: 2` + n2 · 2n/2 28/60 Phase 2: 2g+s Phase 3: 23n/2−3g/2−s/2 + 25n/2−9g/2−3s/2+` + 2n−2g+`

Improved Preimage Attack on XOR Combiners Based on FGDI - Step 1 Phase 1 m - Step 2 H 1 / b n n n n / h1 / / f1 / xi xi+1 xi xi+1 ˆx IV1 MSEM

MSEM ˆy IV2

/ b n n n n H2 / h2 / / f2 / yi yi+1 yi yi+1

Phase 1: 2` + n2 · 2n/2 28/60 Phase 3: 23n/2−3g/2−s/2 + 25n/2−9g/2−3s/2+` + 2n−2g+`

Improved Preimage Attack on XOR Combiners Based on FGDI - Step 1 Phase 1 - Step 2 H1 Phase 2 - Step 3

ˆx IV1 M m¯ SEM k pad ¯x ⊕ = V ˆ ¯y MSEM y k pad IV2 m¯

Phase 1: 2` + n2 · 2n/2 Phase 2: 2g+s 28/60 Phase 3: 23n/2−3g/2−s/2 + 25n/2−9g/2−3s/2+` + 2n−2g+`

Improved Preimage Attack on XOR Combiners Based on FGDI - Step 1 Phase 1 - Step 2 H1 Phase 2 - Step 3 - Step 4 ˆx IV1 M m¯ SEM k pad ¯x ⊕ = V ˆ ¯y MSEM y k pad IV2 m¯

Phase 1: 2` + n2 · 2n/2 Phase 2: 2g+s 28/60 Phase 3: 23n/2−3g/2−s/2 + 25n/2−9g/2−3s/2+` + 2n−2g+`

Improved Preimage Attack on XOR Combiners Based on FGDI - Step 1 Phase 1 - Step 2 H1 Phase 2 - Step 3 - Step 4 ˆx - Step 5 IV1 mˆ M x m¯ SEM 0 [m]q−1 k pad ¯x ⊕ = V ˆ [m]q−1 ¯y MSEM y k pad IV2 mˆ m¯ y0

Phase 1: 2` + n2 · 2n/2 Phase 2: 2g+s 28/60 Improved Preimage Attack on XOR Combiners Based on FGDI - Step 1 Phase 1 - Step 2 H1 Phase 2 - Step 3 - Step 4 MkL−q−2 ˆx - Step 5 Phase 3 IV1 mˆ - Step 6 M x m¯ SEM 0 [m]q−1 k pad ¯x ⊕ = V ˆ [m]q−1 ¯y MSEM y k pad IV2 mˆ m¯ y0 MkL−q−2

Phase 1: 2` + n2 · 2n/2 Phase 2: 2g+s Phase 3: 23n/2−3g/2−s/2 + 25n/2−9g/2−3s/2+` + 2n−2g+` 28/60 Improved Preimage Attack on XOR Combiners Based on FGDI 2nd-Preimage Collision Resistance Preimage Resistance Resistance Ideal H 2n/2 2n 2n 6 2n MD H 2n/2 2n 2n/L HAIFA H 2n/2 2n 2n Ideal 2n 22n 22n H1 k H2 MD / HAIFA 6 2n 6 22n 6 22n n/2 n n H1 k H2 ≈ 2 ≈ 2 ≈ 2 Ideal 2n/2 2n 2n H1 ⊕ H2 n n HAIFA n/2 6 2 6 2 2 5n/6 5n/6 H1 ⊕ H2 ≈ 2 ≈ 2 5n/6 5n/6 MD n/2 6 2 6 2 2 2n/3 2n/3 H1 ⊕ H2 ≈ 2 ≈ 2

28/60 Improved Preimage Attack on XOR Combiners Based on FGDI - Step 1 Phase 1 - Step 2 H1 Phase 2 - Step 3 - Step 4 MkL−q−2 ˆx - Step 5 Phase 3 IV1 mˆ - Step 6 M x m¯ SEM 0 [m]q−1 k pad ¯x ⊕ = V ˆ [m]q−1 ¯y MSEM y k pad IV2 mˆ m¯ y0 MkL−q−2

28/60 Outline

29/60 Statistical Properties of Functional Graph [FO89] (recap)

max n/2 I E{µ | FN } = 0.78 · 2 largest n max n/2 I E{tree | FN } = 0.48 · 2 I E{λ | FN } = 1.74 · 2 largest n max n/2 I E{component | FN } = 0.76 · 2 I E{ρ | FN } = 2.41 · 2 30/60 Functional Graph Multiple Cycles (FGMC)

n L ≈ 2 2

I Observation 1: It is easy to locate the largest cycle: Repeat the cycle search algorithm n n a few times T : 2 2 , M : 1, D : 2 2 I Observation 2: It is effortlessly to loop around the cycles to correct differences

between the distances to target points. 31/60 correctable distance bias the probability of reaching (¯x, ¯y) from a random pair at a common distance is amplified by roughly t times, where t is the number of cycles to the maximum.

Functional Graph Multi-cycles (FGMC)

d1 L1 d1+i·L1 f1 (xr) = ¯x, f1 (¯x) = ¯x ⇒ f1 (xr) = ¯x for ∀ i d2 L2 d2+j·L2 f2 (yr) = ¯y, f2 (¯y) = ¯y ⇒ f2 (yr) = ¯y for ∀ j ⇓ d d ∃ (i, j) s.t. d1 − d2 = j · L2 − i · L1 ⇒ ∃ d s.t. f1 (xr) = ¯x, f2 (yr) = ¯y

xr loop ¯x m[d1]

m[d2] yr ¯y loop

L2 32/60 Functional Graph Multi-cycles (FGMC)

d1 L1 d1+i·L1 f1 (xr) = ¯x, f1 (¯x) = ¯x ⇒ f1 (xr) = ¯x for ∀ i d2 L2 d2+j·L2 f2 (yr) = ¯y, f2 (¯y) = ¯y ⇒ f2 (yr) = ¯y for ∀ j ⇓ d d ∃ (i, j) s.t. d1 − d2 = j · L2 − i · L1 ⇒ ∃ d s.t. f1 (xr) = ¯x, f2 (yr) = ¯y correctable distance bias the probability of reaching (¯x, ¯y) from a random pair at a common distance is amplified by roughly t times, where t is the number of cycles to the maximum.

xr loop ¯x m[d1]

m[d2] yr ¯y loop

L2 32/60 I The overall Cplx: 2` + 2s+n/2 + 2t + 2t + 2n/2 + 22n−t−s−` I Search for t and s that give the lowest Cplx, the total Cplx: 2` + 25n/6−`/3

Improved Preimage Attack on XOR Combiners Based on FGMC - Step 1 - L + n2 · 2n/2

ˆx IV1 MSEM

MSEM ˆy IV2

33/60 I The overall Cplx: 2` + 2s+n/2 + 2t + 2t + 2n/2 + 22n−t−s−` I Search for t and s that give the lowest Cplx, the total Cplx: 2` + 25n/6−`/3

Improved Preimage Attack on XOR Combiners Based on FGMC - Step 1 - L + n2 · 2n/2 m n/2 H - Step 2 - 2 1 / b n n n n / h1 / / f1 / xi xi+1 xi xi+1 L1 ˆx IV1 MSEM loop

MSEM ˆy IV2

/ b n n n n L2 H2 / h2 / / f2 / yi yi+1 yi yi+1

33/60 I The overall Cplx: 2` + 2s+n/2 + 2t + 2t + 2n/2 + 22n−t−s−` I Search for t and s that give the lowest Cplx, the total Cplx: 2` + 25n/6−`/3

Improved Preimage Attack on XOR Combiners Based on FGMC - Step 1 - L + n2 · 2n/2 - Step 2 - 2n/2 H1 - Step 3 - 2s+n/2 L1 ˆx IV1 loop m¯ MSEM k pad ¯x ⊕ = V ˆy MSEM ¯y k pad IV2 m¯

L2 H2

33/60 I The overall Cplx: 2` + 2s+n/2 + 2t + 2t + 2n/2 + 22n−t−s−` I Search for t and s that give the lowest Cplx, the total Cplx: 2` + 25n/6−`/3

Improved Preimage Attack on XOR Combiners Based on FGMC - Step 1 - L + n2 · 2n/2 - Step 2 - 2n/2 H1 - Step 3 - 2s+n/2 t n/2 L1 - Step 4 - 2 + 2 ˆx IV1 loop m¯ MSEM k pad ¯x ⊕ = V ˆy MSEM ¯y k pad IV2 m¯ loop

L2 H2

33/60 I The overall Cplx: 2` + 2s+n/2 + 2t + 2t + 2n/2 + 22n−t−s−` I Search for t and s that give the lowest Cplx, the total Cplx: 2` + 25n/6−`/3

Improved Preimage Attack on XOR Combiners Based on FGMC - Step 1 - L + n2 · 2n/2 - Step 2 - 2n/2 H1 - Step 3 - 2s+n/2 t n/2 L1 - Step 4 - 2 + 2 2n−t−s ˆx - Step 5 - 2 /L IV1 mˆ M x0 loop m¯ SEM [m]d1 k pad ¯x ⊕ = V ˆy [m]d2 MSEM ¯y k pad IV2 mˆ m¯ y0 loop

L2 H2

33/60 I The overall Cplx: 2` + 2s+n/2 + 2t + 2t + 2n/2 + 22n−t−s−` I Search for t and s that give the lowest Cplx, the total Cplx: 2` + 25n/6−`/3

Improved Preimage Attack on XOR Combiners Based on FGMC - Step 1 - L + n2 · 2n/2 - Step 2 - 2n/2 H1 - Step 3 - 2s+n/2 t n/2 L1 - Step 4 - 2 + 2 2n−t−s MkL−q−3 ˆx - Step 5 - 2 /L IV1 mˆ - Step 6 - O(L) M x0 loop m¯ SEM [m]d1 k pad ¯x ⊕ = V ˆy [m]d2 MSEM ¯y k pad IV2 mˆ m¯ y0 MkL−q−3 loop

L2 H2

33/60 Improved Preimage Attack on XOR Combiners Based on FGMC - Step 1 - L + n2 · 2n/2 - Step 2 - 2n/2 H1 - Step 3 - 2s+n/2 t n/2 L1 - Step 4 - 2 + 2 2n−t−s MkL−q−3 ˆx - Step 5 - 2 /L IV1 mˆ - Step 6 - O(L) M x0 loop m¯ SEM [m]d1 k pad ¯x ⊕ = V ˆy [m]d2 MSEM ¯y k pad IV2 mˆ m¯ y0 MkL−q−3 loop

L2 H2

I The overall Cplx: 2` + 2s+n/2 + 2t + 2t + 2n/2 + 22n−t−s−` ` 5n/6−`/3 I Search for t and s that give the lowest Cplx, the total Cplx: 2 + 2 33/60 Improved Preimage Attack on XOR Combiners Based on FGMC

2nd-Preimage Collision Resistance Preimage Resistance Resistance Ideal H 2n/2 2n 2n 6 2n MD H 2n/2 2n 2n/L HAIFA H 2n/2 2n 2n Ideal 2n 22n 22n H1 k H2 MD / HAIFA 6 2n 6 22n 6 22n n/2 n n H1 k H2 ≈ 2 ≈ 2 ≈ 2 Ideal 2n/2 2n 2n H1 ⊕ H2 n n HAIFA n/2 6 2 6 2 2 5n/6 5n/6 H1 ⊕ H2 ≈ 2 ≈ 2 2n/3 2n/3 MD n/2 6 2 6 2 2 5n/8 5n/8 H1 ⊕ H2 ≈ 2 ≈ 2

L2 H2

2nd-Preimage Collision Resistance Preimage Resistance Resistance Ideal H 2n/2 2n 2n 6 2n MD H 2n/2 2n 2n/L HAIFA H 2n/2 2n 2n Ideal 2n 22n 22n H1 k H2 MD / HAIFA 6 2n 6 22n 6 22n n/2 n n H1 k H2 ≈ 2 ≈ 2 ≈ 2 Ideal 2n/2 2n 2n H1 ⊕ H2 n n HAIFA n/2 6 2 6 2 2 5n/6 5n/6 H1 ⊕ H2 ≈ 2 ≈ 2 2n/3 2n/3 MD n/2 6 2 6 2 2 5n/8 11n/18 5n/8 11n/18 H1 ⊕ H2 ≈ 2 ⇒ 2 ≈ 2 ⇒ 2

33/60 Outline

34/60 Concatenation Combiner XOR Combiner Second-Preimage Attack on Concatenation Combiner M M

IV IV IV IV Goal of the attack 1 2 1 2 Given a challenge message M, find another message M 0, s.t. H1 H2 H1 H2 0 0 n H1(M ) k H2(M ) = H1(M) k H2(M) with Cplx 2 H1(M) H2(M) H1(M) H2(M) n n n L n H1 k

2n n IV1 h1 h1 ··· h1 0 0 ··· 0 CH1,H2 (M) = H (M)kH (M) CH1,H2 (M) = H (M)LH (M) x0 x1 xi−1 1 2 1 2 n 2n 2n (collision 2 , 2nd-preimage 2 , preimage 2 ) (collision 2n/2, 2nd-preimage 2n, preimage 2n)

IV1 h1 h1 ··· h1 ··· h1 x0 x1 ··· xi−1 xi xL−1 H1(M) m0 m m0 m ··· m0 m ··· m 1 1 2 2 i i L H(M) k

H2(M) IV2 h2 h2 ··· h2 ··· h2 y0 y1 ··· yi−1 yi yL−1

m1 m2 mp mp+1 mL IV2 h2 h2 ··· h2 H(M) 0 0 ··· 0 a1 a2 ap aL y0 y1 yi−1 IV 0 H m 2 - Step 1 IV MEM - Step 2 x Mkp−1 - Step 3 35/60 - Step 2 n+gPhase−` 2 3n/2−3g/2 6n/5−3`/5 Phase- Step 2: 2 3 Phase 3: 2 Cplx: 2 for l < 3n/4 - Step 4 Mkp−d−2 - Step 5 Phase 3 mˆ ¯x - Step 6 d x0 [m] m¯

mˆ [m]d m¯ y0 Mkp−d−2 ¯y

Second-Preimage Attack on Concatenation Combiner Based on FGDI - Step 1 Phase 1

ˆx IV1 MSEM m1 m2 mp mL IV1 a0 a1 a2 ap−1 ap aL−1 aL k m1 m2 mp mL bL IV2 b0 b1 b2 bp−1 bp bL−1 MSEM ˆy IV2

Phase 1: 2` + n2 · 2n/2 36/60 Phase 3: 23n/2−3g/2 Cplx: 26n/5−3`/5 for l < 3n/4 - Step 4 Mkp−d−2 - Step 5 Phase 3 mˆ - Step 6 d x0 [m]

mˆ [m]d y0 Mkp−d−2

Second-Preimage Attack on Concatenation Combiner Based on FGDI - Step 1 Phase 1 - Step 2 Phase 2 H1 - Step 3

ˆx ¯x IV1 ¯ MSEM m m1 m2 mp mL IV1 a0 a1 a2 ap−1 ap aL−1 aL k m1 m2 mp mL bL IV2 b0 b1 ˆy b2 bp−1 bp bL−1 MSEM m¯ IV2 ¯y

Phase 1: 2` + n2 · 2n/2 Phase 2: 2n+g−` 36/60 Cplx: 26n/5−3`/5 for l < 3n/4

Second-Preimage Attack on Concatenation Combiner Based on FGDI - Step 1 Phase 1 - Step 2 Phase 2 H1 - Step 3 - Step 4 Mkp−d−2 ˆx - Step 5 Phase 3 IV mˆ ¯x - Step 6 1 d ¯ MSEM x0 [m] m m1 m2 mp mL IV1 a0 a1 a2 ap−1 ap aL−1 aL k m1 m2 mp mL bL IV2 b0 b1 ˆy b2 bp−1 bp bL−1 MSEM [m]d m¯ IV2 mˆ y0 Mkp−d−2 ¯y

Phase 1: 2` + n2 · 2n/2 Phase 2: 2n+g−` Phase 3: 23n/2−3g/2 36/60 Second-Preimage Attack on Concatenation Combiner Based on FGDI - Step 1 Phase 1 - Step 2 Phase 2 H1 - Step 3 - Step 4 Mkp−d−2 ˆx - Step 5 Phase 3 IV mˆ ¯x - Step 6 1 d ¯ MSEM x0 [m] m m1 m2 mp mL IV1 a0 a1 a2 ap−1 ap aL−1 aL k m1 m2 mp mL bL IV2 b0 b1 ˆy b2 bp−1 bp bL−1 MSEM [m]d m¯ IV2 mˆ y0 Mkp−d−2 ¯y

Phase 1: 2` + n2 · 2n/2 Phase 2: 2n+g−` Phase 3: 23n/2−3g/2 Cplx: 26n/5−3`/5 for l < 3n/4 36/60 Second-Preimage Attack on Concatenation Combiner Based on FGDI 2nd-Preimage Collision Resistance Preimage Resistance Resistance Ideal H 2n/2 2n 2n 6 2n MD H 2n/2 2n 2n/L HAIFA H 2n/2 2n 2n Ideal 2n 22n 22n H1 k H2 HAIFA 6 2n 6 22n 6 22n n/2 n n H1 k H2 ≈ 2 ≈ 2 ≈ 2 MD 6 2n 6 22n 6 2n n/2 n 3n/4 H1 k H2 ≈ 2 ≈ 2 ≈ 2 Ideal 2n/2 2n 2n H1 ⊕ H2 n n HAIFA n/2 6 2 6 2 2 5n/6 5n/6 H1 ⊕ H2 ≈ 2 ≈ 2 n n MD n/2 6 2 6 2 2 5n/8 5n/8 H1 ⊕ H2 ≈ 2 ≈ 2 36/60 Second-Preimage Attack on Concatenation Combiner Based on FGDI - Step 1 Phase 1 - Step 2 Phase 2 H1 - Step 3 - Step 4 Mkp−d−2 ˆx - Step 5 Phase 3 IV mˆ ¯x - Step 6 1 d ¯ MSEM x0 [m] m m1 m2 mp mL IV1 a0 a1 a2 ap−1 ap aL−1 aL k m1 m2 mp mL bL IV2 b0 b1 ˆy b2 bp−1 bp bL−1 MSEM [m]d m¯ IV2 mˆ y0 Mkp−d−2 ¯y

37/60 Combiners of Iterative Hash Functions - Cascade H ,H I Hash Twice: C 1 1 (M) = H2(H1(IV, M), M)

IV1 h1 h1 ··· h1 ··· h1 x0 x1 ··· xi−1 xi xL−1 xL m1 m2 ··· mi ··· mL

h2 h2 ··· h2 ··· h2 H(M) xL y0 y1 ··· yi−1 yi yL−1

H ,H ←− I Zipper Hash: C 1 1 (M) = H2(H1(IV, M), M )

IV1 h1 h1 ··· h1 ··· h1 x0 x1 ··· xi−1 xi xL−1 L

m1 m2 ··· mi ··· mL x = L y H(M) h2 h2 ··· h2 ··· h2 y0 y1 ··· yi−1 yi yL−1 38/60 Second-Preimage Attack on the Zipper Hash

There are two main differences between the attack on the Zipper hash and the 2nd-preimage attack on concatenation combiners and the preimage attacks on XOR combiners. I One is that linking random starting node ˜x to targeted deep-iterate ¯x and random starting node ˜y to targeted deep-iterate ¯y can be carried out independently, resulting in a meet-in-the-middle-like effect. I The other is that the message length is embedded inside the expandable message MSEM, which enables to choose the length of second preimage to optimize the complexity.

39/60 Simultaneous Expandable Message – Cascade

C − 1 t

C − 1 1 C − 1 1 C − 1 1

0 m1 0 m2 0 mC−1+t0 x0 =x ¯ sp1 x1 sp2 x2 spC−1+t xC−1+t

xp1 0 0 m xp2 0 m ~0 1 m ~0 xp C−1+t ~0 2 C−1+t

C − 1 1 + i C − 1 2 + i C − 1 C2t−1 + 1

m1 m2 mC−1+t 0 0 0 0 y˜ = y0 y1 y2 yC−1+t

m0 0 1 0 mC−1+t ~ m2 0 ~ 0 ~0

[C(C − 1),C2 − 1] C[t, 2t + t − 1]

[C(C − 1) + tC, C2 − 1 + (2t + t − 1)C]-expandable message

40/60 t - Step 2 - 2t |G1| = 2 - Step 3 - 2n/2 MMC2 0 [m d r Mkq - Step 4 - 2` ] 1 - Step 5 - 2n−` M2 ˇx ¨x r n−t ˜ MMC1 MSEM - Step 6 - 2 · 2 m¯ x ˆx

r n−t )

- Step 7 ∼ 8 - 2 · 2 0 `0 0 L - Step 9 - 2 m , ) 0 0 L m , x ¨ ( 1 h ( 2 h = y ¨ m¯ r Mkq [m]d2 ˇy M1 ˆy MMC2 ˜y MSEM MMC1 t |G2| = 2

0 I The overall Cplx: 2t + 2` + 2n−` + 2r · 2n−t 0 I Search for t and r that give the lowest Cplx, the total Cplx: 2n/2+r/2 + 2` + 2n−`

Second-Preimage Attack on the Zipper Hash

- Step 1 - 2n/2

¯x

m1 mp mL−1 mL

a0 = IV a1 ap−1 ap aL−2 aL−1 aL m1 mp mL−1 mL

H(M) = b0 b1 bp−1 bp bL−2 bL−1 bL = aL

¯y H2

41/60 - Step 3 - 2n/2 MMC2 0 [m d r Mkq - Step 4 - 2` ] 1 - Step 5 - 2n−` M2 ˇx ¨x r n−t ˜ MMC1 MSEM - Step 6 - 2 · 2 m¯ x ˆx

r n−t )

- Step 7 ∼ 8 - 2 · 2 0 `0 0 L - Step 9 - 2 m , ) 0 0 L m , x ¨ ( 1 h ( 2 h = y ¨ m¯ r Mkq [m]d2 ˇy M1 ˆy MMC2 ˜y MSEM MMC1

0 I The overall Cplx: 2t + 2` + 2n−` + 2r · 2n−t 0 I Search for t and r that give the lowest Cplx, the total Cplx: 2n/2+r/2 + 2` + 2n−`

Second-Preimage Attack on the Zipper Hash

n/2 - Step 1 - 2 t - Step 2 - 2t |G1| = 2

¯x

m1 mp mL−1 mL

a0 = IV a1 ap−1 ap aL−2 aL−1 aL m1 mp mL−1 mL

H(M) = b0 b1 bp−1 bp bL−2 bL−1 bL = aL

¯y H2

t |G2| = 2

41/60 MMC2 0 [m d Mkq - Step 4 - 2` ] 1 - Step 5 - 2n−` M2 ˇx ¨x r n−t ˜ MSEM - Step 6 - 2 · 2 m¯ x

r n−t )

- Step 7 ∼ 8 - 2 · 2 0 `0 0 L - Step 9 - 2 m , ) 0 0 L m , x ¨ ( 1 h ( 2 h = y ¨ m¯ Mkq [m]d2 ˇy M1 ˜y MSEM MMC1

0 I The overall Cplx: 2t + 2` + 2n−` + 2r · 2n−t 0 I Search for t and r that give the lowest Cplx, the total Cplx: 2n/2+r/2 + 2` + 2n−`

Second-Preimage Attack on the Zipper Hash

n/2 - Step 1 - 2 t - Step 2 - 2t |G1| = 2 - Step 3 - 2n/2 H1 r

¯x MMC1 ˆx

m1 mp mL−1 mL

a0 = IV a1 ap−1 ap aL−2 aL−1 aL m1 mp mL−1 mL

H(M) = b0 b1 bp−1 bp bL−2 bL−1 bL = aL

MMC2 ¯y H2 ˆy

t |G2| = 2

41/60 MMC2 [m Mkq ] d1 - Step 5 - 2n−` M2 ˇx r n−t ˜ - Step 6 - 2 · 2 m¯ x - Step 7 ∼ 8 - 2r · 2n−t 0 - Step 9 - 2`

m¯ Mkq [m]d2 ˇy M1

MMC1

0 I The overall Cplx: 2t + 2` + 2n−` + 2r · 2n−t 0 I Search for t and r that give the lowest Cplx, the total Cplx: 2n/2+r/2 + 2` + 2n−`

Second-Preimage Attack on the Zipper Hash

n/2 - Step 1 - 2 t - Step 2 - 2t |G1| = 2 - Step 3 - 2n/2 H1 0 r - Step 4 - 2` ¨x ¯x MMC1 ˆx MSEM ) 0 0 L m ,

m1 mp mL−1 m ) L 0 0 L m

a0 = IV a1 ap−1 ap aL−2 aL−1 aL , x ¨ m1 mp mL−1 mL ( 1 h (

H(M) = b b1 b −1 bp b −2 b −1 b = a 2 0 p L L L L h = y ¨ r

MMC2 ¯y ˜ MSEM H2 ˆy y

t |G2| = 2

41/60 MMC2 [m Mkq ] d1 M2 ˇx - Step 6 - 2r · 2n−t - Step 7 ∼ 8 - 2r · 2n−t 0 - Step 9 - 2`

Mkq [m]d2 ˇy M1

MMC1

0 I The overall Cplx: 2t + 2` + 2n−` + 2r · 2n−t 0 I Search for t and r that give the lowest Cplx, the total Cplx: 2n/2+r/2 + 2` + 2n−`

Second-Preimage Attack on the Zipper Hash

n/2 - Step 1 - 2 t - Step 2 - 2t |G1| = 2 - Step 3 - 2n/2 H1 0 r - Step 4 - 2` n−` ¨x - Step 5 - 2 ¯ ˜ x MMC1 MSEM m¯ x ˆx ) 0 0 L m ,

m1 mp mL−1 m ) L 0 0 L m

a0 = IV a1 ap−1 ap aL−2 aL−1 aL , x ¨ m1 mp mL−1 mL ( 1 h (

H(M) = b b1 b −1 bp b −2 b −1 b = a 2 0 p L L L L h = y ¨ m¯ r

MMC2 ¯y ˜ MSEM H2 ˆy y

t |G2| = 2

41/60 Mkq

- Step 7 ∼ 8 - 2r · 2n−t 0 - Step 9 - 2`

Mkq [m]d2 ˇy M1

MMC1

0 I The overall Cplx: 2t + 2` + 2n−` + 2r · 2n−t 0 I Search for t and r that give the lowest Cplx, the total Cplx: 2n/2+r/2 + 2` + 2n−`

Second-Preimage Attack on the Zipper Hash

n/2 - Step 1 - 2 t - Step 2 - 2t |G1| = 2 - Step 3 - 2n/2 MMC2 H1 0 [m d r - Step 4 - 2` ] 1 n−` ¨x - Step 5 - 2 M2 ˇx ¯ r n−t ˜ x MMC1 MSEM - Step 6 - 2 · 2 m¯ x ˆx ) 0 0 L m ,

m1 mp mL−1 m ) L 0 0 L m

a0 = IV a1 ap−1 ap aL−2 aL−1 aL , x ¨ m1 mp mL−1 mL ( 1 h (

H(M) = b b1 b −1 bp b −2 b −1 b = a 2 0 p L L L L h = y ¨ m¯ r

MMC2 ¯y ˜ MSEM H2 ˆy y

t |G2| = 2

41/60 Mkq

0 - Step 9 - 2`

Mkq

0 I The overall Cplx: 2t + 2` + 2n−` + 2r · 2n−t 0 I Search for t and r that give the lowest Cplx, the total Cplx: 2n/2+r/2 + 2` + 2n−`

Second-Preimage Attack on the Zipper Hash

n/2 - Step 1 - 2 t - Step 2 - 2t |G1| = 2 - Step 3 - 2n/2 MMC2 H1 0 [m d r - Step 4 - 2` ] 1 n−` ¨x - Step 5 - 2 M2 ˇx ¯ r n−t ˜ x MMC1 MSEM - Step 6 - 2 · 2 m¯ x ˆx

r n−t )

- Step 7 ∼ 8 - 2 · 2 0 0 L m ,

m1 mp mL−1 m ) L 0 0 L m

a0 = IV a1 ap−1 ap aL−2 aL−1 aL , x ¨ m1 mp mL−1 mL ( 1 h (

H(M) = b b1 b −1 bp b −2 b −1 b = a 2 0 p L L L L h = y ¨ m¯ r [m]d2 ˇy M1 MMC2 ¯y ˜ MSEM H2 ˆy y MMC1 t |G2| = 2

41/60 0 I The overall Cplx: 2t + 2` + 2n−` + 2r · 2n−t 0 I Search for t and r that give the lowest Cplx, the total Cplx: 2n/2+r/2 + 2` + 2n−`

Second-Preimage Attack on the Zipper Hash

n/2 - Step 1 - 2 t - Step 2 - 2t |G1| = 2 - Step 3 - 2n/2 MMC2 H1 0 [m d r Mkq - Step 4 - 2` ] 1 n−` ¨x - Step 5 - 2 M2 ˇx ¯ r n−t ˜ x MMC1 MSEM - Step 6 - 2 · 2 m¯ x ˆx

r n−t )

- Step 7 ∼ 8 - 2 · 2 0 `0 0 L - Step 9 - 2 m ,

m1 mp mL−1 m ) L 0 0 L m

a0 = IV a1 ap−1 ap aL−2 aL−1 aL , x ¨ m1 mp mL−1 mL ( 1 h (

H(M) = b b1 b −1 bp b −2 b −1 b = a 2 0 p L L L L h = y ¨ m¯ r Mkq [m]d2 ˇy M1 MMC2 ¯y ˜ MSEM H2 ˆy y MMC1 t |G2| = 2

41/60 Second-Preimage Attack on the Zipper Hash

n/2 - Step 1 - 2 t - Step 2 - 2t |G1| = 2 - Step 3 - 2n/2 MMC2 H1 0 [m d r Mkq - Step 4 - 2` ] 1 n−` ¨x - Step 5 - 2 M2 ˇx ¯ r n−t ˜ x MMC1 MSEM - Step 6 - 2 · 2 m¯ x ˆx

r n−t )

- Step 7 ∼ 8 - 2 · 2 0 `0 0 L - Step 9 - 2 m ,

m1 mp mL−1 m ) L 0 0 L m

a0 = IV a1 ap−1 ap aL−2 aL−1 aL , x ¨ m1 mp mL−1 mL ( 1 h (

H(M) = b b1 b −1 bp b −2 b −1 b = a 2 0 p L L L L h = y ¨ m¯ r Mkq [m]d2 ˇy M1 MMC2 ¯y ˜ MSEM H2 ˆy y MMC1 t |G2| = 2

0 I The overall Cplx: 2t + 2` + 2n−` + 2r · 2n−t n/2+r/2 `0 n−` I Search for t and r that give the lowest Cplx, the total Cplx: 2 + 2 + 2 41/60 Second-Preimage Attack on the Zipper Hash Collision Resistance Preimage Resistance 2nd-Preimage Resistance Ideal H 2n/2 2n 2n 6 2n MD H 2n/2 2n 2n/L HAIFA H 2n/2 2n 2n Ideal Zipper 2n/2 2n 2n HAIFA 2n/2 2n 2n Zipper 6 2n MD Zipper 2n/2 2n ≈ 25n/8, L ≤ 2n/2 ≈ 23n/5, No limit L Ideal 2n/2 2n 2n Hash-Twice HAIFA 2n/2 2n 2n Hash-Twice MD 6 2n 2n/2 2n Hash-Twice ≈ 22n/3

42/60 Outline

43/60 Combiners of Iterative Hash Functions - Cascade H ,H I Hash Twice: C 1 1 (M) = H2(H1(IV, M), M)

IV1 h1 h1 ··· h1 ··· h1 x0 x1 ··· xi−1 xi xL−1 xL m1 m2 ··· mi ··· mL

h2 h2 ··· h2 ··· h2 H(M) xL y0 y1 ··· yi−1 yi yL−1

H ,H ←− I Zipper Hash: C 1 1 (M) = H2(H1(IV, M), M )

IV1 h1 h1 ··· h1 ··· h1 x0 x1 ··· xi−1 xi xL−1 L

m1 m2 ··· mi ··· mL x = L y H(M) h2 h2 ··· h2 ··· h2 y0 y1 ··· yi−1 yi yL−1 44/60 Diamond Structure (DS [KK06]) and the 2nd-Preimage Attack on Hash-Twice [And+08; And+09] √ (n+t) t t I A 2 -diamond maps 2 starting states to a common final state. Cplx: n · t · 2 2 I The 2nd-preimage attack Cplx: 2(n+t)/2 + 2n−` + 2n−t, 2` is the message len. - Step 1 - Step 2 - Step 3 - Step 4 - Step 5 - Step 6

n n p − (n − t) − t · 2 − 1 n − t t · 2 1 L − p

M M mq+1k ... kmL x m MEM MC1 MC2 m¯ 1 00 x10 IV m x¯ x¯ x 10 xˆ L 2 m01 x20

x m m m mp m 3 02 x11 1 L m11 20 a1 ap−1 ap aL−1 aL x4 m03 a0 = IV x x m 5 04 x12 m1 mp mL m 12 21 x6 m m05 x21 b0 = aL b1 bp−1 bp bL−1 H(M) = bL x m 7 06 x13 m13 m¯ MDS x8 m07 MEM MMC1 MMC2 y¯0 =x ¯L yˆ y¯ yˇ

(a) A 23-diamond (b) Second-preimage attack on Hash-Twice using DS 45/60 - Step 2 - √Step 3 - Step 4 - Step 5 - Step 6 - Step 7 - Step 8 2t n s · 2(n+s)/2 2n−` + 2` 2` + n2 · 2n/2 2n/2+2r 2r · 2n−t · 2n−2r−s−` 2`

MIS X MDS m k · · · k m ˆ m¯ p+1 L MSEM x ˇxmˇ IV x0 d1 [m] ˜x ¯xL ME MI MJ

MI m¯ MJ MIS Y ˇy y0 ME ˆy mˇ MMC ˜y [m]d2 ¯xL MSEM

Second-Preimage Attack on Hash-Twice - Step 1 2n/2

L1 ¯x1 ¯x2s ¯xj ¯xi

m1 mp mL

a0 = IV a1 ap−1 ap aL−1 aL m1 mp mL

b0 = aL b1 bp−1 bp bL−1 H(M) = bL

¯y

L2 46/60 - √Step 3 - Step 4 - Step 5 - Step 6 - Step 7 - Step 8 n s · 2(n+s)/2 2n−` + 2` 2` + n2 · 2n/2 2n/2+2r 2r · 2n−t · 2n−2r−s−` 2`

MIS X MDS m k · · · k m ˆ m¯ p+1 L MSEM x ˇxmˇ IV x0 d1 [m] ˜x ¯xL ME MI MJ

MI m¯ MJ ˇy y0 ME ˆy mˇ MMC ˜y d M [m] 2 ¯xL SEM MIS Y

Second-Preimage Attack on Hash-Twice - Step 1 - Step 2 2n/2 2t

L1 ¯x1 ¯x2s ¯xj ¯xi

m1 mp mL

a0 = IV a1 ap−1 ap aL−1 aL m1 mp mL

b0 = aL b1 bp−1 bp bL−1 H(M) = bL

¯y

L2 46/60 - Step 4 - Step 5 - Step 6 - Step 7 - Step 8 2n−` + 2` 2` + n2 · 2n/2 2n/2+2r 2r · 2n−t · 2n−2r−s−` 2`

MIS X m k · · · k m ˆ m¯ p+1 L MSEM x ˇxmˇ IV x0 d1 [m] ¯xL ME MI MJ

MI m¯ MJ ˇy y0 ME ˆy mˇ d M [m] 2 ¯xL SEM MIS Y

Second-Preimage Attack on Hash-Twice - Step 1 - Step 2 - √Step 3 2n/2 2t n s · 2(n+s)/2

L1 M ¯x1 DS ¯x2s ¯xj ¯xi ˜x

m1 mp mL

a0 = IV a1 ap−1 ap aL−1 aL m1 mp mL

b0 = aL b1 bp−1 bp bL−1 H(M) = bL

¯y MMC ˜y

L2 46/60 - Step 5 - Step 6 - Step 7 - Step 8 2` + n2 · 2n/2 2n/2+2r 2r · 2n−t · 2n−2r−s−` 2`

MIS X M ˆx ˇx SEM mˇ x IV 0 [m]d1 ME MI MJ

MI MJ ˇy y0 ME ˆy mˇ d M [m] 2 SEM MIS Y

Second-Preimage Attack on Hash-Twice - Step 1 - Step 2 - √Step 3 - Step 4 2n/2 2t n s · 2(n+s)/2 2n−` + 2`

L1 M ¯x1 DS ¯x2s m¯ mp+1 k · · · k mL ¯xj ¯xi ˜x ¯xL

m1 mp mL

a0 = IV a1 ap−1 ap aL−1 aL m1 mp mL

b0 = aL b1 bp−1 bp bL−1 H(M) = bL m¯

¯y MMC ˜y

¯xL L2 46/60 - Step 6 - Step 7 - Step 8 2n/2+2r 2r · 2n−t · 2n−2r−s−` 2`

MIS X ˇx mˇ x 0 [m]d1 ME MI MJ

MI MJ ˇy y0 ME mˇ [m]d2 MIS Y

Second-Preimage Attack on Hash-Twice - Step 1 - Step 2 - √Step 3 - Step 4 - Step 5 2n/2 2t n s · 2(n+s)/2 2n−` + 2` 2` + n2 · 2n/2

L1 M ¯x1 DS ¯x2s m¯ mp+1 k · · · k mL MSEM ˆx IV ¯xj ¯xi ˜x ¯xL

m1 mp mL

a0 = IV a1 ap−1 ap aL−1 aL m1 mp mL

b0 = aL b1 bp−1 bp bL−1 H(M) = bL m¯

ˆy ¯y MMC ˜y

¯xL MSEM L2 46/60 - Step 7 - Step 8 2r · 2n−t · 2n−2r−s−` 2`

ˇx mˇ x 0 [m]d1 ME MI MJ

MI MJ ˇy y0 ME mˇ [m]d2

Second-Preimage Attack on Hash-Twice - Step 1 - Step 2 - √Step 3 - Step 4 - Step 5 - Step 6 2n/2 2t n s · 2(n+s)/2 2n−` + 2` 2` + n2 · 2n/2 2n/2+2r

MIS X L1 M ¯x1 DS ¯x2s m¯ mp+1 k · · · k mL MSEM ˆx IV ¯xj ¯xi ˜x ¯xL

m1 mp mL

a0 = IV a1 ap−1 ap aL−1 aL m1 mp mL

b0 = aL b1 bp−1 bp bL−1 H(M) = bL m¯

ˆy ¯y MMC ˜y M ¯xL SEM MIS Y L2 46/60 - Step 8 2`

ME MJ

Second-Preimage Attack on Hash-Twice - Step 1 - Step 2 - √Step 3 - Step 4 - Step 5 - Step 6 - Step 7 2n/2 2t n s · 2(n+s)/2 2n−` + 2` 2` + n2 · 2n/2 2n/2+2r 2r · 2n−t · 2n−2r−s−`

MIS X L1 M ¯x1 DS ¯ s m +1 k · · · k m M ˆx ˇ x2 m¯ p L SEM xmˇ ¯x IV x0 d1 j [m] ¯xi ˜x ¯xL MI

m1 mp mL

a0 = IV a1 ap−1 ap aL−1 aL m1 mp mL

b0 = aL b1 bp−1 bp bL−1 H(M) = bL MI m¯ ˇy y0 ˆy mˇ ¯y MMC ˜y d M [m] 2 ¯xL SEM MIS Y L2 46/60 Second-Preimage Attack on Hash-Twice - Step 1 - Step 2 - √Step 3 - Step 4 - Step 5 - Step 6 - Step 7 - Step 8 2n/2 2t n s · 2(n+s)/2 2n−` + 2` 2` + n2 · 2n/2 2n/2+2r 2r · 2n−t · 2n−2r−s−` 2`

MIS X L1 M ¯x1 DS ¯ s m +1 k · · · k m M ˆx ˇ x2 m¯ p L SEM xmˇ ¯x IV x0 d1 j [m] ¯xi ˜x ¯xL ME MI MJ m1 mp mL

a0 = IV a1 ap−1 ap aL−1 aL m1 mp mL

b0 = aL b1 bp−1 bp bL−1 H(M) = bL MI m¯ MJ ˇy y0 ME ˆy mˇ ¯y MMC ˜y d M [m] 2 ¯xL SEM MIS Y L2 46/60 Second-preimage attack on Hash-Twice Collision Resistance Preimage Resistance 2nd-Preimage Resistance Ideal H 2n/2 2n 2n 6 2n MD H 2n/2 2n 2n/L HAIFA H 2n/2 2n 2n Ideal Zipper 2n/2 2n 2n HAIFA 2n/2 2n 2n Zipper 6 2n MD Zipper 2n/2 2n ≈ 25n/8, L ≤ 2n/2 ≈ 23n/5, No limit L Ideal 2n/2 2n 2n Hash-Twice HAIFA 2n/2 2n 2n Hash-Twice 6 22n/3 MD 2n/2 2n ≈ 211n/18, L ≤ 2n/2 Hash-Twice ≈ 213n/22, L > 2n/2 47/60 Outline

48/60 Extensions to the Combination of Three or More Hash Functions

Construct a building block for a 3-pass simultaneous expandable message:

1 n − 1 n ( n − 1) n ( n − 1) 1 n − 1 2 2 2 H1 2 2 2 m1 H1 H1 M 0 m1 0 x 1 x x 0 m1 x0 sp x1 x1 1 1 0 Step 1 x0 x1 sp x1 Step 1 Step 2 xp 0 xp M1 i−C m0 m0 i−C m0 [0] 1 1 [0]i−C [0] 1 n n n n n n (i − C) + 1 2 − 1 2 ( 2 − 1) 2 ( 2 − 1) (i − C) + 1 2 − 1 n 2 n 2 C ≈ ( 2 ) C ≈ ( 2 )

1 n − 1 n ( n − 1) 2 2 2 H m m 2 1 M H2 1 H2 m 0 1 M 0 y 1 y y y0 1 y1 y1 1 1 0 Step 3 y0 y1 Step 1 Step 2 yp 0 0 i−C M1 m i−C 0 [0] 0 1 [0] i−C 0 M1 m1 [0] m1 n n n (i − C) + 1 2 − 1 2 ( 2 − 1) n 2 C ≈ ( 2 )

M1 M1 m H3 H m1 H3 1 m1 3 z z 0 M z0 z1 1 0 Step 2 z0 z1 1 z1 Step 3 Step 3 0 i−C 0 i−C M1 [0] 0 0 m i−C [0] 0 m M 1 [0] M 0 m 1 1 1 1 (a) Parallel (b) Zipper (built in the front) (c) Zipper (built at the end)

49/60 Second-Preimage Attacks on 3-pass Zipper

d 1 ] n Mkq [m r · 2 m¯ mp+1k · kmL IV M2 xˇ MSEM x˜ x¯ MMC13 xˆ xˆp xˆL MMC2

]d2 Mkq r [m M1 m¯ mp+1k · kmL Let k be the # of passes y¨ yˇ MSEM yˆ MMC2 y¯ y˜ y˜p y˜L =x ˆL M MC13 n - Step 1 Cplx < 2 for k < 6 m1 mp mp+1 mL - Step 2 a a a a a a a0 = IV 1 p−1 p p+1 L−1 L  7n/10 - Step 3 2 for k = 3 m m  m1 p p+1 mL  - Step 4 24n/5 = 4 b0 b1 bp−1 bp bp+1 bL−1 bL = aL for k - Step 5  mp mp+1 9n/10 m1 mL 2 for k = 5 - Step 6 c0 = b0 c1 cp−1 cp cp+1 cL−1 cL - Step 7 ∼ 8 m¯ - Step 9 M r · n kq d 2 [m] 3 z¨ M2 zˇ MSEM z˜ z¯ MMC13 zˆ MMC2 50/60 Second-Preimage Attacks on 3-pass Hash-Twice

M X L IS x¯ 1 MDS [m]d1 1 x¯2s m¯ mp+1k · · · kmL MSEM xˆ xˇ IV mˇ x0 x¯j x¯i x˜ x¯L ME MI MJ MJ m¯ mp+1k · · · kmL

y¯ MMC y˜ y¯L Let k be the # of passes MSEM yˆ d2 yˇ y0 [m] x¯ mˇ L ME MI L2 Cplx < 2n for k < 7

m1 mp mL  15n/22 - Step 1 2 for k = 3 a a a a a a0 = IV 1 p−1 p L−1 L  - Step 2  17n/22 m1 mp mL 2 for k = 4 - Step 3 b0 = aL b1 bp−1 bp bL−1 bL 219n/22 = 5 - Step 4  for k m1 mp mL  - Step 5  21n/22 c c c c c 2 for k = 6 c0 = bL 1 p−1 p L−1 L - Step 6 MIS Z m¯ MJ - Step 7 zˇ z0 [m]d3 z¯ MMC z˜ MSEM zˆ mˇ - Step 8 y¯ L ME MI L3 51/60 Outline

52/60 Trade-offs curves on the complexity of attacks on parallel hash combiners 2 1 1 1 1 ( 7 , ) ( 3 , )

23 24 11 7 31 12 ( 17 , 34 ) 7 8 ( 1 , 5 ) 5 3 6 6 )

n 19 )/ 24 ( 3 , 17 ) C 3 11 22 3 3 ( ( , )

2 4 4 4 25 25 17 ( , )

log 34 34 24 1 2 2 ( 2 , 3 ) 3 1 9 5 ( , ) 5 5 8 2 14 ( 8 , 8 ) 11 11 7 Complexity ( ( , ) 12 18 18 13 Preimage on H1(M) ⊕ H2(M) of HAIFA, Tech. IS 24 Preimage on H1(M) ⊕ H2(M) of MD, Tech. SEM+FGDI 1 2 Preimage on H1(M) ⊕ H2(M) of MD, Tech. SEM+FGDI+IS Preimage on H1(M) ⊕ H2(M) of MD, Tech. SEM+FGMC Preimage on H1(M) ⊕ H2(M) of MD, Tech. SEM+FGMC+IS 2nd-preimage on H1(M) k H2(M) of MD, Tech. SEM+FGDI 2nd-preimage on H1(M) k H2(M) of MD, Tech. SEM+FGDI+IS

1 1 1 1 5 1 7 1 3 5 11 1 13 7 5 2 17 3 19 5 7 11 23 1 24 12 8 6 24 4 24 3 8 12 24 2 24 12 8 3 24 4 24 6 8 12 24 53/60 Length of the original messages (log2(L)/n) Trade-offs curves on the complexity of attacks on cascade hash combiners

19 24

3 4 ) 5 2 n ( , ) 17 ( 1 , 2 ) 12 3 )/ 24 3 3 C

( 2 3 5 2 ( , ) 3 8 8 ( 1 , 11 ) 2 3 2 18 log ( , ) 5 5 5 ( 13 , 13 ) 8 22 22

7 12 2nd-preimage on Zipper of MD, Limit L ≤ 2n/2, Tech. SEM+MC+FGDI 13 2nd-preimage on Zipper of MD, No limit on L, Tech. SEM+MC+FGMC Complexity ( 24 2nd-preimage on Hash-Twice of MD, Tech. EM+MC+DS 1 2nd-preimage on Hash-Twice of MD for L ≤ 2n/2, Tech. SEM+IS+FGDI+DS 2 2nd-preimage on Hash-Twice of MD for L > 2n/2, Tech. SEM+IS+FGMC+DS

1 1 1 1 5 1 7 1 3 5 11 1 13 7 5 2 17 3 19 5 7 11 23 1 24 12 8 6 24 4 24 3 8 12 24 2 24 12 8 3 24 4 24 6 8 12 24

Length of the original messages (log2(L)/n)

54/60 Summary and Open Problems

I For combiners with underlying hash functions using MD, the gaps between the security upper bounds and the security lower bounds provided by security proof are quite narrow. However, that is true only for very long messages. I For short messages, the gap remains large. That mainly results from the limitation of the key techniques used in the attacks, which highly exploit the iterated property of the underlying hash functions. I Thus, one open problem is how to extend the attacks to apply to short messages. I Another open problem is how to improve the attacks to combiners with at least one underlying hash function following the HAIFA framework.

55/60 Thanks for your attention!

56/60 References I

[Bao+19] Zhenzhen Bao et al. “Generic Attacks on Hash Combiners”. In: Journal of Cryptology (2019). ISSN: 1432-1378. DOI: 10.1007/s00145-019-09328-w. URL: https://doi.org/10.1007/s00145-019-09328-w. [LW15] Gaëtan Leurent and Lei Wang. “The Sum Can Be Weaker Than Each Part”. In: Advances in Cryptology - EUROCRYPT 2015 - 34th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Sofia, Bulgaria, April 26-30, 2015, Proceedings, Part I. Ed. by Elisabeth Oswald and Marc Fischlin. Vol. 9056. LNCS. Springer, 2015, pp. 345–367. ISBN: 978-3-662-46799-2. DOI: 10.1007/978-3-662-46800-5_14. URL: https://doi.org/10.1007/978-3-662-46800-5_14. [Din16] Itai Dinur. “New Attacks on the Concatenation and XOR Hash Combiners”. In: Advances in Cryptology - EUROCRYPT 2016 - 35th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Vienna, Austria, May 8-12, 2016, Proceedings, Part I. Ed. by Marc Fischlin and Jean-Sébastien Coron. Vol. 9665. LNCS. Springer, 2016, pp. 484–508. ISBN: 978-3-662-49889-7. DOI: 10.1007/978-3-662-49890-3_19. URL: https://doi.org/10.1007/978-3-662-49890-3_19. [Bao+17] Zhenzhen Bao et al. “Functional Graph Revisited: Updates on (Second) Preimage Attacks on Hash Combiners”. In: Advances in Cryptology - CRYPTO 2017 - 37th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 20-24, 2017, Proceedings, Part II. Ed. by Jonathan Katz and Hovav Shacham. Vol. 10402. LNCS. Springer, 2017, pp. 404–427. ISBN: 978-3-319-63714-3. DOI: 10.1007/978-3-319-63715-0_14. URL: https://doi.org/10.1007/978-3-319-63715-0_14. [Her05] Amir Herzberg. “On Tolerant Cryptographic Constructions”. In: Topics in Cryptology - CT-RSA 2005, The Cryptographers’ Track at the RSA Conference 2005, San Francisco, CA, USA, February 14-18, 2005, Proceedings. Ed. by Alfred Menezes. Vol. 3376. Lecture Notes in Computer Science. Springer, 2005, pp. 172–190. ISBN: 3-540-24399-2. DOI: 10.1007/978-3-540-30574-3\_13. URL: https://doi.org/10.1007/978-3-540-30574-3\_13. [Can+07] Ran Canetti et al. “Amplifying Collision Resistance: A Complexity-Theoretic Treatment”. In: Advances in Cryptology - CRYPTO 2007, 27th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 19-23, 2007, Proceedings. Ed. by Alfred Menezes. Vol. 4622. Lecture Notes in Computer Science. Springer, 2007, pp. 264–283. ISBN: 978-3-540-74142-8. DOI: 10.1007/978-3-540-74143-5_15. URL: https://doi.org/10.1007/978-3-540-74143-5_15. [FL07] Marc Fischlin and Anja Lehmann. “Security-Amplifying Combiners for Collision-Resistant Hash Functions”. In: Advances in Cryptology - CRYPTO 2007, 27th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 19-23, 2007, Proceedings. Ed. by Alfred Menezes. Vol. 4622. Lecture Notes in Computer Science. Springer, 2007, pp. 224–243. ISBN: 978-3-540-74142-8. DOI: 10.1007/978-3-540-74143-5_13. URL: https://doi.org/10.1007/978-3-540-74143-5_13.

57/60 References II

[FL08] Marc Fischlin and Anja Lehmann. “Multi-property Preserving Combiners for Hash Functions”. In: Theory of Cryptography, Fifth Theory of Cryptography Conference, TCC 2008, New York, USA, March 19-21, 2008. Ed. by Ran Canetti. Vol. 4948. Lecture Notes in Computer Science. Springer, 2008, pp. 375–392. ISBN: 978-3-540-78523-1. DOI: 10.1007/978-3-540-78524-8_21. URL: https://doi.org/10.1007/978-3-540-78524-8_21. [FLP08] Marc Fischlin, Anja Lehmann, and Krzysztof Pietrzak. “Robust Multi-property Combiners for Hash Functions Revisited”. In: Automata, Languages and Programming, 35th International Colloquium, ICALP 2008, Reykjavik, Iceland, July 7-11, 2008, Proceedings, Part II - Track B: Logic, Semantics, and Theory of Programming & Track C: Security and Cryptography Foundations. Ed. by Luca Aceto et al. Vol. 5126. Lecture Notes in Computer Science. Springer, 2008, pp. 655–666. ISBN: 978-3-540-70582-6. DOI: 10.1007/978-3-540-70583-3_53. URL: https://doi.org/10.1007/978-3-540-70583-3_53. [Her09] Amir Herzberg. “Folklore, practice and theory of robust combiners”. In: Journal of Computer Security 17.2 (2009), pp. 159–189. DOI: 10.3233/JCS-2009-0336. URL: https://doi.org/10.3233/JCS-2009-0336. [Leh10] Anja Lehmann. “On the security of hash function combiners”. PhD thesis. Darmstadt University of Technology, 2010. URL: http://tuprints.ulb.tu-darmstadt.de/2094/. [FLP14] Marc Fischlin, Anja Lehmann, and Krzysztof Pietrzak. “Robust Multi-Property Combiners for Hash Functions”. In: J. Cryptology 27.3 (2014), pp. 397–428. DOI: 10.1007/s00145-013-9148-7. URL: https://doi.org/10.1007/s00145-013-9148-7. [BB06] Dan Boneh and Xavier Boyen. “On the Impossibility of Efficiently Combining Collision Resistant Hash Functions”. In: Advances in Cryptology - CRYPTO 2006, 26th Annual International Cryptology Conference, Santa Barbara, California, USA, August 20-24, 2006, Proceedings. Ed. by Cynthia Dwork. Vol. 4117. Lecture Notes in Computer Science. Springer, 2006, pp. 570–583. ISBN: 3-540-37432-9. DOI: 10.1007/11818175_34. URL: https://doi.org/10.1007/11818175_34. [Pie07] Krzysztof Pietrzak. “Non-trivial Black-Box Combiners for Collision-Resistant Hash-Functions Don’t Exist”. In: Advances in Cryptology - EUROCRYPT 2007, 26th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Barcelona, Spain, May 20-24, 2007, Proceedings. Ed. by Moni Naor. Vol. 4515. Lecture Notes in Computer Science. Springer, 2007, pp. 23–33. ISBN: 978-3-540-72539-8. DOI: 10.1007/978-3-540-72540-4_2. URL: https://doi.org/10.1007/978-3-540-72540-4_2.

58/60 References III

[Pie08] Krzysztof Pietrzak. “Compression from Collisions, or Why CRHF Combiners Have a Long Output”. In: Advances in Cryptology - CRYPTO 2008, 28th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 17-21, 2008. Proceedings. Ed. by David A. Wagner. Vol. 5157. Lecture Notes in Computer Science. Springer, 2008, pp. 413–432. ISBN: 978-3-540-85173-8. DOI: 10.1007/978-3-540-85174-5_23. URL: https://doi.org/10.1007/978-3-540-85174-5_23. [Rja09] Michal Rjasko. “On Existence of Robust Combiners for Cryptographic Hash Functions”. In: Proceedings of the Conference on Theory and Practice of Information Technologies, ITAT 2009, Horský hotel Kralova studna, Slovakia, September 25-29, 2009. Ed. by Peter Vojtás. Vol. 584. CEUR Workshop Proceedings. CEUR-WS.org, 2009, pp. 71–76. URL: http://ceur-ws.org/Vol-584/paper10.pdf. [Dam89] Ivan Damgård. “A Design Principle for Hash Functions”. In: Advances in Cryptology - CRYPTO ’89, 9th Annual International Cryptology Conference, Santa Barbara, California, USA, August 20-24, 1989, Proceedings. Ed. by Gilles Brassard. Vol. 435. Lecture Notes in Computer Science. Springer, 1989, pp. 416–427. ISBN: 3-540-97317-6. DOI: 10.1007/0-387-34805-0_39. URL: https://doi.org/10.1007/0-387-34805-0_39. [Mer89] Ralph C. Merkle. “One Way Hash Functions and DES”. In: Advances in Cryptology - CRYPTO ’89, 9th Annual International Cryptology Conference, Santa Barbara, California, USA, August 20-24, 1989, Proceedings. Ed. by Gilles Brassard. Vol. 435. Lecture Notes in Computer Science. Springer, 1989, pp. 428–446. ISBN: 3-540-97317-6. DOI: 10.1007/0-387-34805-0_40. URL: https://doi.org/10.1007/0-387-34805-0_40. [BD07] Eli Biham and Orr Dunkelman. “A Framework for Iterative Hash Functions - HAIFA”. In: IACR Cryptology ePrint Archive 2007 (2007), p. 278. URL: http://eprint.iacr.org/2007/278. [Jou04] Antoine Joux. “Multicollisions in Iterated Hash Functions. Application to Cascaded Constructions”. In: Advances in Cryptology - CRYPTO 2004, 24th Annual International CryptologyConference, Santa Barbara, California, USA, August 15-19, 2004, Proceedings. Ed. by Matthew K. Franklin. Vol. 3152. LNCS. Springer, 2004, pp. 306–316. ISBN: 3-540-22668-0. DOI: 10.1007/978-3-540-28628-8_19. URL: https://doi.org/10.1007/978-3-540-28628-8_19. [DA99] Richard Drews Dean and Andrew Appel. Formal Aspects of Mobile Code Security. PhD thesis, Princeton University Princeton, 1999. [KS05] John Kelsey and Bruce Schneier. “Second Preimages on n-Bit Hash Functions for Much Less than 2n Work”. In: Advances in Cryptology - EUROCRYPT 2005, 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Aarhus, Denmark, May 22-26, 2005, Proceedings. Ed. by Ronald Cramer. Vol. 3494. LNCS. Springer, 2005, pp. 474–490. ISBN: 3-540-25910-4. DOI: 10.1007/11426639_28. URL: https://doi.org/10.1007/11426639_28.

59/60 References IV

[FO89] Philippe Flajolet and Andrew M. Odlyzko. “Random Mapping Statistics”. In: Advances in Cryptology - EUROCRYPT ’89, Workshop on the Theory and Application of of Cryptographic Techniques, Houthalen, Belgium, April 10-13, 1989, Proceedings. Ed. by Jean-Jacques Quisquater and Joos Vandewalle. Vol. 434. LNCS. Springer, 1989, pp. 329–354. ISBN: 3-540-53433-4. DOI: 10.1007/3-540-46885-4_34. URL: https://doi.org/10.1007/3-540-46885-4_34. [KK06] John Kelsey and Tadayoshi Kohno. “Herding Hash Functions and the Nostradamus Attack”. In: Advances in Cryptology - EUROCRYPT 2006, 25th Annual International Conference on the Theory and Applications of Cryptographic Techniques, St. Petersburg, Russia, May 28 - June 1, 2006, Proceedings. Ed. by Serge Vaudenay. Vol. 4004. LNCS. Springer, 2006, pp. 183–200. ISBN: 3-540-34546-9. DOI: 10.1007/11761679_12. URL: https://doi.org/10.1007/11761679_12. [And+08] Elena Andreeva et al. “Second Preimage Attacks on Dithered Hash Functions”. In: Advances in Cryptology - EUROCRYPT 2008, 27th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Istanbul, Turkey, April 13-17, 2008. Proceedings. Ed. by Nigel P. Smart. Vol. 4965. LNCS. Springer, 2008, pp. 270–288. ISBN: 978-3-540-78966-6. DOI: 10.1007/978-3-540-78967-3_16. URL: https://doi.org/10.1007/978-3-540-78967-3_16. [And+09] Elena Andreeva et al. “Herding, Second Preimage and Trojan Message Attacks beyond Merkle-Damgård”. In: Selected Areas in Cryptography, 16th Annual International Workshop, SAC 2009, Calgary, Alberta, Canada, August 13-14, 2009, Revised Selected Papers. Ed. by Michael J. Jacobson Jr., Vincent Rijmen, and Reihaneh Safavi-Naini. Vol. 5867. LNCS. Springer, 2009, pp. 393–414. ISBN: 978-3-642-05443-3. DOI: 10.1007/978-3-642-05445-7_25. URL: https://doi.org/10.1007/978-3-642-05445-7_25. [Men07] Alfred Menezes, ed. Advances in Cryptology - CRYPTO 2007, 27th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 19-23, 2007, Proceedings. Vol. 4622. Lecture Notes in Computer Science. Springer, 2007. ISBN: 978-3-540-74142-8. DOI: 10.1007/978-3-540-74143-5. URL: https://doi.org/10.1007/978-3-540-74143-5. [Bra90] Gilles Brassard, ed. Advances in Cryptology - CRYPTO ’89, 9th Annual International Cryptology Conference, Santa Barbara, California, USA, August 20-24, 1989, Proceedings. Vol. 435. Lecture Notes in Computer Science. Springer, 1990. ISBN: 3-540-97317-6. DOI: 10.1007/0-387-34805-0. URL: https://doi.org/10.1007/0-387-34805-0.

60/60