Linear-XOR and Additive Checksums Don’t Protect Damg˚ard-Merkle Hashes from Generic Attacks Praveen Gauravaram1! and John Kelsey2 1 Technical University of Denmark (DTU), Denmark Queensland University of Technology (QUT), Australia. [email protected] 2 National Institute of Standards and Technology (NIST), USA [email protected] Abstract. We consider the security of Damg˚ard-Merkle variants which compute linear-XOR or additive checksums over message blocks, inter- mediate hash values, or both, and process these checksums in computing the final hash value. We show that these Damg˚ard-Merkle variants gain almost no security against generic attacks such as the long-message sec- ond preimage attacks of [10,21] and the herding attack of [9]. 1 Introduction The Damg˚ard-Merkle construction [3, 14] (DM construction in the rest of this article) provides a blueprint for building a cryptographic hash function, given a fixed-length input compression function; this blueprint is followed for nearly all widely-used hash functions. However, the past few years have seen two kinds of surprising results on hash functions, that have led to a flurry of research: 1. Generic attacks apply to the DM construction directly, and make few or no assumptions about the compression function. These attacks involve attacking a t-bit hash function with more than 2t/2 work, in order to violate some property other than collision resistance. Exam- ples of generic attacks are Joux multicollision [8], long-message second preimage attacks [10,21] and herding attack [9]. 2. Cryptanalytic attacks apply to the compression function of the hash function. However, turning an attack on the compression function into an attack on the whole hash function requires properties of the DM construction. Examples of cryptanalytic attacks that involve the ! Author is supported by The Danish Research Council for Technology and Production Sciences grant no. 274-05-0151. construction as well as the compression function include multi-block collisions on MD5, SHA-0 and SHA-1 [24–26]. These results have stimulated interest in new constructions for hash functions, that prevent the generic attacks, provide some additional pro- tection against cryptanalytic attacks or both. The recent call for submis- sions for a new hash function standard by NIST [18] has further stimu- lated interest in alternatives to DM. In this paper, we consider a family of variants of DM, in which a linear-XOR checksum or additive checksum is computed over the message blocks, intermediate states of the hash function, or both, and is then included in the computation of the final hash value. In a linear-XOR checksum, each checksum bit is the result of XORing together some subset of the bits of the message, intermediate hash states, or both. In an additive checksum, the full checksum is the result of adding together some or all of the message blocks, intermediate hash values, or both, modulo some N. In both cases, the final checksum value is processed as a final, additional block in computing the hash value. Such DM variants can be seen as a special case of a cascade hash. Generic attacks such as the long-message second preimage attack or the herding attack appear at first to be blocked by the existence of this check- sum. (For example, see [6] for the analysis of 3C and MAELSTROM-0 against second preimage and herding attacks.) Unfortunately, these DM variants turn out to provide very little pro- tection against such generic attacks. We develop techniques, based on the multicollision result of Joux [8], which allow us to carry out the generic attacks described above, despite the existence of the checksum. More generally, our techniques permit the construction of a checksum control sequence, or CCS, which can be used to control the value of the checksum without altering the rest of the hash computation. To summarize our results: 1. The generic multicollision, second preimage and herding attacks on DM hash functions can be applied to linear-XOR/additive checksum variants of DM at very little additional cost, using our techniques. 2. Our techniques are flexible enough to be used in many other situa- tions. Some cryptanalytic attacks on the compression function of a hash, which the linear-XOR/additive checksum appears to stop from becoming attacks on the full hash function, can be carried out on the full hash function at a relatively little additional cost using our tech- 2 niques. Future generic attacks will almost certainly be able to use our techniques to control checksums at very low cost 1.1 Related Work In unpublished work, Mironov and Narayan [15] developed a different technique to defeat linear-XOR checksums in hash functions; this tech- nique is less flexible than ours, and does not work for long-message second preimage attacks. However, it is quite powerful, and can be combined with our technique in attacking hash functions with complicated checksums. In [8], Joux provides a technique for finding 2k collisions for a DM hash function for only about k times as much work as is required for a single collision, and uses this technique to attack cascade hashes. The linear- XOR and additive checksum variants of DM we consider in this paper can be seen as a special (weak) case of a cascade hash. Multi-block collisions are an example of a cryptanalytic attack on a compression function, which must deal with the surrounding hash con- struction. Lucks [13] and Tuma and Joscak [22] have independently found that if there is a multi-block collision for a hash function with structured differences, concatenation of such a collision will produce a collision on 3C, a specific hash construction which computes checksum using XOR operation as the mixing function. (3C does not prevent Joux multicolli- sion attack over 1-block messages [6,20].) Nandi and Stinson [17] have shown the applicability of multicollision attacks to a variant of DM in which each message block is processed multiple times; Hoch and Shamir [7] extended the results of [17] showing that generalized sequential hash functions with any fixed repetition of message blocks do not resist multicollision attacks. The MD2 hash func- tion which uses a non-linear checksum was shown to not satisfy preimage and collision resistance properties [11, 16]. Coppersmith [2] has shown a collision attack on a DES based hash function which uses two supple- mentary checksum blocks computed using XOR and modular addition of the message blocks. Dunkelman and Preneel [4] applied herding attack of [9] to cascade hashes; their technique can be seen as an upper bound on the difficulty of herding DM variants with checksums no longer than the hash outputs. 1.2 Impact The main impact of our result is that new hash function constructions that incorporate linear-XOR/additive checksums as a defense against 3 generic attacks do not provide much additional security. Designers who wish to thwart these attacks need to look elsewhere for defenses. We can apply our techniques to specific hash functions and hashing constructions that have been proposed in the literature or are in practical use. They include 3C, GOST, MAELSTROM-0 and F-Hash. Both our techniques and the generic attacks which they make possible require the ability to (at least) find many collisions for the underlying compression function of the hash, and so probably represent only an academic threat on most hash functions at present. 1.3 Guide to the Paper This paper is organised as follows: First, we provide the descriptions of hash functions with linear checksums analysed in this paper. Next, we demonstrate new cryptanlytical techniques to defeat linear-XOR/additive checksums in these designs. We then provide a generic algorithm to carry out second preimage and herding attacks on these designs with an illus- tration on 3C. We then demonstrate multi-block collision attacks on these designs. We then compare our cryptanalysis with that of [15]. Finally, we conclude the paper with some open problems. 2 The DM construction and DM with linear checksums 2.1 The DM Construction The DM iterative structure [3,14] shown in Figure 1 has been a popular framework used in the design of standard hash functions MD5, SHA-1, SHA-224/256 and SHA-384/512. M1 M2 M3 ML 1 ML − f f f f f H0 H(M) = Hv H1 H2 H3 HL 1 − Fig. 1. The Damg˚ard-Merkle construction The message M, with M 2l 1 bits, to be processed using a DM | | ≤ − hash function H is always padded by appending it with a 1 bit followed by 0 bits until the padded message is l bits short of a full block of b bits. The last l bits are filled in with the binary encoded representation of the length 4 of true message M. This compound message is an integer multiple of b bits and is represented with b-bit data blocks as M = M1, M2, . ML. Each block Mi is processed using a fixed-length input compression function f as given by Hi = f(Hi 1, Mi) where Hi from i = 1 to L 1 are the − − intermediate states and H0 is the fixed initial state of H. The final state Hv = f(HL 1, ML) is the hash value of M. − 2.2 Linear-XOR/additive checksum variants of DM A number of variant constructions have been proposed, that augment the DM construction by computing some kind of linear-XOR/additive checksum on the message bits and/or intermediate states, and providing the linear-XOR/additive checksum as a final block for the hash function as shown in Figure 2. CHECKSUM M1 M2 ML 1 ML − f f f f f H0 Hv Fig.