MD4 is Not One-Way

Leurent, Gaëtan

doi:10.1007/978-3-540-71039-4_26

Cited by 84 publications

(74 citation statements)

References 21 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…After Saarinen [11] and Leurent [12] showed examples of meet-in-the-middle preimage attacks, the techniques for such preimage attacks have been developed very rapidly. Attacks based on the concept of meet-in-the-middle have been reported for various hash functions, for example MD5 [13], SHA-1, HAVAL [14], and so on [15,16,17,18].…”

Section: Introductionmentioning

confidence: 99%

Preimages for Step-Reduced SHA-2

Aoki

Guo

Matusiewicz

et al. 2009

Lecture Notes in Computer Science

117

View full text Add to dashboard Cite

Abstract. In this paper, we present preimage attacks on up to 43-step SHA-256 (around 67% of the total 64 steps) and 46-step SHA-512 (around 57.5% of the total 80 steps), which significantly increases the number of attacked steps compared to the best previously published preimage attack working for 24 steps. The time complexities are 2 251.9 , 2 509 for finding pseudo-preimages and 2 254.9 , 2 511.5 compression function operations for full preimages. The memory requirements are modest, around 2 6 words for 43-step SHA-256 and 46-step SHA-512. The pseudo-preimage attack also applies to 43-step SHA-224 and SHA-384. Our attack is a meet-in-the-middle attack that uses a range of novel techniques to split the function into two independent parts that can be computed separately and then matched in a birthday-style phase.

show abstract

Section: Introductionmentioning

confidence: 99%

Preimages for Step-Reduced SHA-2

Aoki

Guo

Matusiewicz

et al. 2009

Lecture Notes in Computer Science

117

View full text Add to dashboard Cite

show abstract

“…In addition, it is possible to improve the algorithm further by building a layered hash tree, similar to the one used in [10]. The optimized algorithm yields a less marginal improvement factor of 2 9 = 512 over exhaustive search, which is about 20 times better than the attack published by Thomas Fuhr [2].…”

Section: Using Pseudo Preimages To Obtain Second Preimages For Hamsi-256mentioning

confidence: 99%

“…It uses the layered hash tree construction, as described in [10]: We start by selecting the root of the tree from the chaining values that are generated during the computation of the hash of the message. We then find a pseudo preimage of the root and add it to the tree.…”

Section: E Appendix: Details Of the Improved Short Messagementioning

confidence: 99%

An Improved Algebraic Attack on Hamsi-256

Dinur

Shamir

2011

Fast Software Encryption

View full text Add to dashboard Cite

Abstract. Hamsi is one of the 14 second-stage candidates in NIST's SHA-3 competition. The only previous attack on this hash function was a very marginal attack on its 256-bit version published by Thomas Fuhr at Asiacrypt 2010, which is better than generic attacks only for very short messages of fewer than 100 32-bit blocks, and is only 26 times faster than a straightforward exhaustive search attack. In this paper we describe a different algebraic attack which is less marginal: It is better than the best known generic attack for all practical message sizes (up to 4 gigabytes), and it outperforms exhaustive search by a factor of at least 512. The attack is based on the observation that in order to discard a possible second preimage, it suffices to show that one of its hashed output bits is wrong. Since the output bits of the compression function of Hamsi-256 can be described by low degree polynomials, it is actually faster to compute a small number of output bits by a fast polynomial evaluation technique rather than via the official algorithm.

show abstract

“…The attack, with a complexity of 2 100. 5 , generates a preimage [9]. The first preimage attack on MD5 was presented by De et al in 2007.…”

Section: History Of Preimage Attacks On Md4-familymentioning

confidence: 99%

Finding Preimages in Full MD5 Faster Than Exhaustive Search

Sasaki

Aoki

2009

Lecture Notes in Computer Science

159

106

View full text Add to dashboard Cite

Abstract. In this paper, we present the first cryptographic preimage attack on the full MD5 hash function. This attack, with a complexity of 2 116.9 , generates a pseudo-preimage of MD5 and, with a complexity of 2 123.4 , generates a preimage of MD5. The memory complexity of the attack is 2 45 × 11 words. Our attack is based on splice-and-cut and localcollision techniques that have been applied to step-reduced MD5 and other hash functions. We first generalize and improve these techniques so that they can be more efficiently applied to many hash functions whose message expansions are a permutation of message-word order in each round. We then apply these techniques to MD5 and optimize the attack by considering the details of MD5 structure.

show abstract

MD4 is Not One-Way

Cited by 84 publications

References 21 publications

Preimages for Step-Reduced SHA-2

Preimages for Step-Reduced SHA-2

An Improved Algebraic Attack on Hamsi-256

Finding Preimages in Full MD5 Faster Than Exhaustive Search

Contact Info

Product

Resources

About