
Generic Attacks on Hash Combiners

  • Zhenzhen Bao
  • Itai Dinur
  • Jian Guo (corresponding author)
  • Gaëtan Leurent
  • Lei Wang

Abstract

Hash combiners are a practical way to make cryptographic hash functions more tolerant to future attacks and compatible with existing infrastructure. A combiner combines two or more hash functions in a way that is hopefully more secure than each of the underlying hash functions, or at least remains secure as long as one of them is secure. Two classical hash combiners are the exclusive-or (XOR) combiner \( \mathcal {H}_1(M) \oplus \mathcal {H}_2(M) \) and the concatenation combiner \( \mathcal {H}_1(M) \Vert \mathcal {H}_2(M) \). Both of them process the same message using the two underlying hash functions in parallel. Apart from parallel combiners, there are also cascade constructions sequentially calling the underlying hash functions to process the message repeatedly, such as Hash-Twice \(\mathcal {H}_2(\mathcal {H}_1(IV, M), M)\) and the Zipper hash \(\mathcal {H}_2(\mathcal {H}_1(IV, M), \overleftarrow{M})\), where \(\overleftarrow{M}\) is the reverse of the message M. In this work, we study the security of these hash combiners by devising the best-known generic attacks. The results show that the security of most of the combiners is not as high as commonly believed. We summarize our attacks and their computational complexities (ignoring the polynomial factors) as follows:
  1. Several generic preimage attacks on the XOR combiner:
     • A first attack with a best-case complexity of \( 2^{5n/6} \) obtained for messages of length \( 2^{n/3} \). It relies on a novel technical tool named interchange structure. It is applicable for combiners whose underlying hash functions follow the Merkle–Damgård construction or the HAIFA framework.

     • A second attack with a best-case complexity of \( 2^{2n/3} \) obtained for messages of length \( 2^{n/2} \). It exploits properties of functional graphs of random mappings. It achieves a significant improvement over the first attack but is only applicable when the underlying hash functions use the Merkle–Damgård construction.

     • An improvement upon the second attack with a best-case complexity of \( 2^{5n/8} \) obtained for messages of length \( 2^{5n/8} \). It further exploits properties of functional graphs of random mappings and uses longer messages.

     These attacks show a rather surprising result: regarding preimage resistance, the sum of two n-bit narrow-pipe hash functions following the considered constructions can never provide n-bit security.

  2. A generic second-preimage attack on the concatenation combiner of two Merkle–Damgård hash functions. This attack finds second preimages faster than \( 2^n \) for challenges longer than \( 2^{2n/7} \) and has a best-case complexity of \( 2^{3n/4} \) obtained for challenges of length \( 2^{3n/4} \). It also exploits properties of functional graphs of random mappings.

  3. The first generic second-preimage attack on the Zipper hash with underlying hash functions following the Merkle–Damgård construction. The best-case complexity is \( 2^{3n/5} \), obtained for challenge messages of length \( 2^{2n/5} \).

  4. An improved generic second-preimage attack on Hash-Twice with underlying hash functions following the Merkle–Damgård construction. The best-case complexity is \( 2^{13n/22} \), obtained for challenge messages of length \( 2^{13n/22} \).

     The last three attacks show that regarding second-preimage resistance, the concatenation and cascade of two n-bit narrow-pipe Merkle–Damgård hash functions do not provide much more security than can be provided by a single n-bit hash function.

Our main technical contributions include the following:

  1. The interchange structure, which enables simultaneously controlling the behaviours of two hash computations sharing the same input.

  2. The simultaneous expandable message, which is a set of messages whose lengths cover a whole appropriate range and which form a multi-collision for both of the underlying hash functions.

  3. New ways to exploit the properties of functional graphs of random mappings generated by fixing the message block input to the underlying compression functions.
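As an added illustration (not code from the paper), the four combiners named in the abstract are built here over a toy narrow-pipe Merkle–Damgård construction, together with the random mapping f(x) = h(x, m) obtained by fixing the message block, whose rho-shaped functional graph the third contribution refers to. The two compression functions, the IVs and the 32-bit width are constructed for the demo and are not a real design.

```python
import hashlib

N_BYTES = 4                    # toy n = 32 bits, small enough to walk a functional graph quickly
IV1, IV2 = b"\x00" * N_BYTES, b"\x01" * N_BYTES   # constructed IVs for the two toy hashes

def h1_compress(chain: bytes, block: bytes) -> bytes:
    # Toy narrow-pipe compression function for H1 (constructed: truncated SHA-256).
    return hashlib.sha256(b"h1" + chain + block).digest()[:N_BYTES]

def h2_compress(chain: bytes, block: bytes) -> bytes:
    return hashlib.sha256(b"h2" + chain + block).digest()[:N_BYTES]

def md_blocks(msg: bytes) -> list:
    # Merkle–Damgård strengthening: 0x80, zero fill, then the bit length as a final block.
    padded = msg + b"\x80"
    padded += b"\x00" * (-len(padded) % N_BYTES) + (len(msg) * 8).to_bytes(N_BYTES, "big")
    return [padded[i:i + N_BYTES] for i in range(0, len(padded), N_BYTES)]

def md_hash(compress, iv: bytes, blocks: list) -> bytes:
    # Merkle–Damgård iteration; the chaining value is as wide as the output (narrow pipe).
    chain = iv
    for block in blocks:
        chain = compress(chain, block)
    return chain

def xor_combiner(msg: bytes) -> bytes:
    # H1(M) xor H2(M): both hashes see the same blocks; the output stays n bits.
    blocks = md_blocks(msg)
    a, b = md_hash(h1_compress, IV1, blocks), md_hash(h2_compress, IV2, blocks)
    return bytes(x ^ y for x, y in zip(a, b))

def concat_combiner(msg: bytes) -> bytes:
    # H1(M) || H2(M): same parallel evaluation, 2n-bit output.
    blocks = md_blocks(msg)
    return md_hash(h1_compress, IV1, blocks) + md_hash(h2_compress, IV2, blocks)

def hash_twice(msg: bytes) -> bytes:
    # H2(H1(IV, M), M): H1's digest is H2's starting chaining value, same block order.
    blocks = md_blocks(msg)
    return md_hash(h2_compress, md_hash(h1_compress, IV1, blocks), blocks)

def zipper_hash(msg: bytes) -> bytes:
    # H2(H1(IV, M), reversed M): the second pass consumes the blocks back to front.
    blocks = md_blocks(msg)
    return md_hash(h2_compress, md_hash(h1_compress, IV1, blocks), blocks[::-1])

def iterate(block: bytes, start: bytes, k: int) -> bytes:
    # k-fold iteration of f(x) = h1(x, block), the mapping obtained by fixing the block.
    for _ in range(k):
        start = h1_compress(start, block)
    return start

def rho_lengths(block: bytes, start: bytes) -> tuple:
    # Floyd cycle finding on f(x) = h1(x, block): (tail, cycle) of start's rho-shaped path;
    # for a random n-bit mapping both lengths are around 2^(n/2).
    f = lambda x: h1_compress(x, block)
    slow, fast = f(start), f(f(start))
    while slow != fast:
        slow, fast = f(slow), f(f(fast))
    tail, slow = 0, start
    while slow != fast:
        slow, fast, tail = f(slow), f(fast), tail + 1
    cycle, fast = 1, f(slow)
    while slow != fast:
        fast, cycle = f(fast), cycle + 1
    return tail, cycle
```

With n = 32 the walk takes a few hundred thousand compression calls, which is the 2^(n/2) behaviour the attacks exploit at full size.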

Keywords

Hash function; Generic attack; Hash combiner; XOR combiner; Concatenation combiner; Zipper hash; Hash-Twice; (Second) Preimage attack

Acknowledgements

This research is supported by the National Research Foundation, Prime Minister’s Office, Singapore, under its Strategic Capability Research Centres Funding Initiative, Nanyang Technological University under research Grant M4082123 and Singapore’s Ministry of Education under Grant M4012049. Itai Dinur is supported in part by the Israeli Science Foundation through Grant No. 573/16. Lei Wang is supported by National Natural Science Foundation of China (61602302, 61472250, 61672347), Natural Science Foundation of Shanghai (16ZR1416400), Shanghai Excellent Academic Leader Funds (16XD1401300), 13th five-year National Development Fund of Cryptography (MMJJ20170114).


Copyright information

© International Association for Cryptologic Research 2019

Authors and Affiliations

  • Zhenzhen Bao (1, 2)
  • Itai Dinur (3)
  • Jian Guo (1), corresponding author
  • Gaëtan Leurent (4)
  • Lei Wang (5, 6)
  1. Division of Mathematical Sciences, School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore
  2. Strategic Centre for Research in Privacy-Preserving Technologies and Systems, Nanyang Technological University, Singapore
  3. Department of Computer Science, Ben-Gurion University, Beersheba, Israel
  4. Inria, Paris, France
  5. Shanghai Jiao Tong University, Shanghai, China
  6. Westone Cryptologic Research Center, Beijing, China
