A Second Preimage Attack on the Merkle-Damgard Scheme with a Permutation for Hash Functions

A SECOND PREIMAGE ATTACK ON THE MERKLE-DAMGARD SCHEME WITH A PERMUTATION FOR HASH FUNCTIONS

Shiwei Chen and Chenhui Jin Institute of Information Science and Technology, Zhengzhou 450004, China

Keywords: Hash functions, MD construction, MDP, Multicollisions, Second preimage attack, Computational complexity.

Abstract: Using one kind of multicollsions of the Merkle-Damgard(MD) construction for hash functions proposed by Kelsey and Schneier, this paper presents a second preimage attack on MDP construction which is a simple variant of MD scheme with a permutation for hash functions. Then we prove that the computational complexity of our second preimage attack is k × 2n/2+1 + 2n−k less than 2n where n is the size of the hash value and 2k + k + 1 is the length of the target message.

1 INTRODUCTION into two kinds: - Cryptanalytic attacks: Mainly apply to the com- A cryptographic hash function H maps a message M pression functions of the hash functions. Using the with arbitrary length to a fixed-length hash value h. internal properties of the compression functions, an It has to satisfy the following three security require- adversary can attack the hash functions. For exam- ments: ple, the collision attacks on MD-family proposed in - Preimage resistance: For a given hash value h, (Xiaoyun and Hongbo, 2005); it is computationally infeasible to find a message M - Generic attacks: Apply to the domain extension such that h = H(M); transforms directly with some assumptions on the - Second preimage resistance: For a given mes- compression functions. Examples are long-message sage M, it is computationally infeasible to find a sec- second preimage attack(Kelsey and Schneier, 2005), ′ ′ ond message M 6= M such that H(M ) = H(M); herding attack(Kelsey and Kohno, 2006) and the at- - Collision resistance: It is computationally infea- tack on the MD with XOR-linear/additive checksum ′ sible to find two different messages M and M such in (Gauravaram and Kelsey, 2007). ′ that H(M ) = H(M). Since Wang et al.(Xiaoyun and Hongbo, 2005) The resistance of a hash function to collision at- presented the collision attacks on MD-family hash tack or second preimage attack mainly depends on the functions and the recent results on the MD con- size n of the hash value. Regardless of how a hash struction, some cryptographers have been trying to function is designed, an adversary will always be able propose new domain extension transforms for hash to find a preimage or a second preimage after trying functions, such as MD with XOR-linear/additive 2n different messages, or find a collision pair after checksum(Gauravaram and Kelsey, 2007), ChopMD 2n/2 trials according to the birthday attack. There- construction (Coron et al., 2005), EMD construc- fore, if the computational complexity of finding a col- tion(Bellare and Ristenpart, 2006), MD with a per- lision pair or a (second) preimage for a particular hash mutation (MDP)(Hirose and Park, 2007), and so function is less than what could be expected based on. In 2007, Praveen Gauravaram and John Kelsey on the size of the hash value, then the hash function (Gauravaram and Kelsey, 2007) pointed out that the is considered to be broken. Generally, a hash func- MD with XOR-linear/additive checksum construction includes two parts, that is, the compression function gained almost no security against generic at- tion which maps a fixed-length value to a fixed-length tacks. Coron et al.(Coron et al., 2005) presented value, and the domain extension transform which can that the prefix-free MD and ChopMD were indiffer- transfer a message with arbitrary length to a fixed- entiable from a random oracle and gave out the se- length hash value. Aimed to these two parts, the re- curity bounds. However, Mihir Bellare and Thomas sults of analyzing on hash functions can be divided Ristenpart(Bellare and Ristenpart, 2006) proved that

245 Chen S. and Jin C. (2009). A SECOND PREIMAGE ATTACK ON THE MERKLE-DAMGARD SCHEME WITH A PERMUTATION FOR HASH FUNCTIONS. In Proceedings of the International Conference on Security and Cryptography, pages 245-248 DOI: 10.5220/0002230202450248 Copyright c SciTePress SECRYPT 2009 - International Conference on Security and Cryptography

pseudorandom-oracle preserving did not imply the 3 OUR SECOND PREIMAGE collision-resistance preserving and presented that the ATTACK ON MDP variants of MD construction presented in (Coron et al., 2005) was not collision-resistance preserving. In CONSTRUCTION Asiacrypt 2007, Hirose et al.(Hirose and Park, 2007) proposed a simple variant of the Merkle-Damgard Though Hirose et al.(Hirose and Park, 2007) have an- scheme with a permutation and analyzed its security alyzed the security of MDP construction using the in- by using the indifferentiability formulism. However, differentiability formulism, up to now no paper has there is no paper discussing whether the MDP resists discuss whether the MDP resists the second preimage the second preimage attack or not. attack or not. In this paper, using the multicollisions In this paper, using the multicollsions of MD con- of MD construction, we will present a second preim- struction proposed in (Kelsey and Schneier, 2005), we age attack on the MDP construction. Through all this will present a second preimage attack on MDP con- paper, we assume that the compression function f is struction, the computational complexity of which is random. less than what could be expected based on the size of f the hash value. 3.1 Building the Multicollisions of MD

The k messages M1,M2,...,Mk are called k- multicollision of MD construction if 2 DESCRIPTION OF MDP f f f CONSTRUCTION AND MD (M1)= MD (M2)= ··· = MD (Mk) NOTATIONS The papers (Kelsey and Schneier, 2005)(Kelsey and Kohno, 2006)(Joux, 2004) have presented dif- Let f : {0,1}n ×{0,1}b →{0,1}n be a compression ferent methods to construct the multicollisions of function and M be a l-block b-bit message. We can MD construction. Specifically, in (Kelsey and describe the MD f below, which is MD construction Schneier, 2005) they introduced a way to construct with the compression function f : (a,b)-expandable messages, which are (b − a + 1)- Function : MD f (IV,M) multicollison naturally whose lengths can vary in a let M = (m ,m ,...,m ) and h = IV range from a to b. Using the method introduced in 1 2 l 0 (Kelsey and Schneier, 2005), now we describe the al- for i = 1 tol do t h ← f (h ,m ) gorithm 1 to construct (t,2 +t − 1)-expandable mes- i i−1 i sages with a starting chaining value IV and lengths return hl. t pad varying from t to 2 + t − 1, which will be used to Let M be a padded message according to the f padding functiongiven in (Hirose and Park, 2007)and propose our second preimage attack on MDP . φ is a random permutation. Then the MDP f is defined Algorithm 1: ′ as follows: Step1. Find two messages B1,B such that f pad 1 Function : MDP (IV,M ) ′ pad f f let M = (m1,m2,...,ml ) and h0 = IV MD (IV,B1)= MD (IV,B1)= H1 f hl−1 ← MD (IV,(m1,m2,...,ml−1)) ′ 0 where |B1| = 1,|B1| = 2 + 1; hl ← f (φ(hl−1),ml) Step2. Use H1 as the starting chaining value to con- return hl. ′ Since the padding function of MDP construction struct the next collision pair B2,B2 satisfying requires that the last block of the padded message en- f f ′ MD (H1,B2)= MD (H1,B )= H2 codes the q-bitrepresentation of the length of the orig- 2 ′ 1 inal message, the second preimage attack proposed where |B2| = 1,|B2| = 2 + 1; in the following paper need to find a second preim- Step3. For the ith step, we need to start with the chain- age with the same length as the target message. Re- ′ ing value Hi−1 and find a collision pair Bi,Bi such that fer to (Hirose and Park, 2007) for the specifics of the f f ′ padding function of MDP construction. MD (Hi−1,Bi)= MD (Hi−1,Bi)= Hi Note that |M| represents the number of blocks of ′ i−1 th where |Bi| = 1,|Bi| = 2 + 1; a message M, mi is the i b-bit block of M and hi is ′ the ith intermediate chaining value in hashing of M. If Step4. Until obtaining t pairs messages (Bi,Bi)(i = 1,2,...,t), we can construct the (t,2t + t − 1)- there is no special explanation, the notations represent ′ the same means throughout this paper. expandable messages by choosing Bi orBi(i = 1,2,...,t) in every pair.

246 A SECOND PREIMAGE ATTACK ON THE MERKLE-DAMGARD SCHEME WITH A PERMUTATION FOR HASH FUNCTIONS

Remark: Preprocessing step: Construct (k,2k + k − 1)- (1) From the above algorithm 1, we know that the expandable messages with a starting value IV and an arbitrary target value H according to algorithm 1; shortest message in the multicollisions is B1 k B2 k k ′ ′ ′ Algorithm 2: ···k Bt and the longest message is B1 k B2 k···k Bt whose length is Step1. Randomly choose a one-block message B such t that the value of f (Hk,B) equals to one of the chaining i−1 t ∑(2 + 1)= 2 +t − 1 values h1,h2,...,h2k+k produced in the hashing of M, i=1 k that is, f (Hk,B)= hi0 where k + 1 ≤ i0 ≤ 2 + k; ′ Step2. Choose a message M of i − 1 blocks from Moreover, by choosing B or B (i = 1,2,...,t) in ev- 0 0 i i the (k,2k + k − 1)-expandable messages constructed ery pair, we can obtain messages of different lengths in the preprocessing step; varying from t to 2t +t − 1. Step3. Form a message (2) We can use the algorithm described in (Kelsey ′ ′ and Schneier, 2005) to construct a collision pair Bi,B i M = M0 k B k mi0+1 k···k m2k k 1 such that + + f ′ f k ′ satisfying MDP (M ) = MDP (M) (If i = 2 + k, MD f (H ,B )= MD f (H ,B )= H 0 i−1 i i−1 i i then only the last block of original message is in- ′ i−1 cluded in the second preimage). and |Bi| = 1,|Bi| = 2 + 1. The specifics are as follows: Step1. Assume m is one block chosen randomly in 3.3 Analysis of the Computational advance. Process 2i−1 given message blocks: Complexity of the Above Algorithm -Htemp = Hi−1; i−1 -For j = 0to2 − 1 do In the above algorithm, since the one-block mes- k ′ ′ sage B is chosen randomly and k + 1 ≤ i0 ≤ 2 + k, Htemp = f (Htemp,m) and Htemp = Htemp the probability of guaranteeing that f (Hk,B)= hi0 is Step2. Build lists A and B as follows: 2k/2n . So the computational complexity of step1 -For j = 0to2n/2−1 − 1 do is about 2n−k. And the computational complexity of the step2 and step3 can be ignored. Additionally, the A[ j]= f (Hi−1,a j) and B[ j]= f (Htemp,b j) computational complexity of the preprocessing step is about k × 2n/2+1. Hence, the computational complex- where a j and b j are chosen randomly and |a j| = ity of the above algorithm is about k × 2n/2+1 + 2n−k |b j| = 1; which is less than 2n. Step3. Find j1, j2 such that A[ j1]= B[ j2] and return the collision pairs (a j1 ,m k m k ... k m k b j2 ). Therefore, the computational complexity of find- ′ ing Bi,Bi such that 4 CONCLUSIONS f f ′ MD (hi−1,Bi)= MD (hi−1,Bi)= hi In this paper, using the (k,2k + k − 1)-expandable ′ messages with a starting chaining value IV, we and |B | = 1,|B | = 2i−1 + 1 is about 2i−1 + 2n/2+1 i i present a second preimage attack on hash functions compression function operations. Hence, the compu- with MDP construction and analyze the computa- tational complexity of algorithm 1 is about tional complexity of our second preimage attack t which is k × 2n/2+1 + 2n−k less than 2n. ∑(2i−1 + 2n/2+1)= t × 2n/2+1 + 2t ≈ t × 2n/2+1. i=1 3.2 Our Second Preimage Attack on REFERENCES MDP f Hash Function Xiaoyun W. and Hongbo Y. (2005), How to break MD5 and other hash functions. In Eurocrypt 2005, LNCS 3494, Let M m m m k be the target message = ( 1, 2,..., 2 +k+1) pp. 474-490. Berlin: Springer-Verlag, 2005. of 2k + k + 1 blocks. Our attack is to find another ′ k Kelsey J.and Schneier B.(2005), Second preimages on n-bit message M of2 +k+1 blocks different from M such hash functions for much less than 2n word. In Euro- f ′ f that MDP (M )= MDP (M). The specific algorithm crypt 2005, LNCS 3494, pp. 19-35. Berlin: Springer- is described below: Verlag, 2005.

247 SECRYPT 2009 - International Conference on Security and Cryptography

Kelsey J. and Kohno T.(2006), Herding hash functions and the Nostradamus attack. In Eurocrypt 2006, LNCS 4004, pp. 183-200. Berlin: Springer-Verlag, 2006. Gauravaram P. and Kelsey J.(2007), Cryptanalysis of a Class of Cryptographic Hash Functions. In CT-RSA 2008, http://eprint.iacr.org/2007/277. Coron J.S., Dodis Y., Malinaud C. and Puniya P.(2005), Merkle-Damgard Revisited: How to Construct a Hash Function. InCRYPTO 2005. LNCS 3621, pp. 430-448. Berlin: Springer-Verlag, 2005. Bellare M. and Ristenpart T.(2006), Multi-Property- Preserving Hash Domain Extension and the EMD Transform. In ASIACRYPT 2006. LNCS, vol. 4284, pp. 299-314. Berlin: Springer-Verlag, 2006. Hirose S., Park J.H. and Yun A.(2007), A Simple Variant of the Merkle-Damgard Scheme with a Permutation. In ASIACRYPT 2007. LNCS, vol. 4833, pp. 113-129. Berlin: Springer-Verlag, 2007. Joux A.(2004), Multicollisions in Iterated Hash Functions. In CRYPTO 2004, LNCS 3152, pp. 306-316. Berlin: Springer-Verlag, 2004.

248