Second Preimages on n-bit Hash Functions for Much Less than 2 Work

We expand a previous result of Dean [Dea99] to provide a second preimage attack on all n-bit iterated hash functions with Damg̊ardMerkle strengthening and n-bit intermediate states, allowing a second preimage to be found for a 2-message-block message with about k × 2n/2+1+2n−k+1 work. Using RIPEMD-160 as an example, our attack can find a second preimage for a 2 byte message in about 2 work, rather than the previously expected 2 work. We also provide slightly cheaper ways to find multicollisions than the method of Joux [Jou04]. Both of these results are based on expandable messages–patterns for producing messages of varying length, which all collide on the intermediate hash result immediately after processing the message. We provide an algorithm for finding expandable messages for any n-bit hash function built using the Damg̊ard-Merkle construction, which requires only a small multiple of the work done to find a single collision in the hash function.