New Second Preimage Attacks on Dithered Hash Functions with Low Memory Complexity

Dithered hash functions were proposed by Rivest as a method to mitigate second preimage attacks on Merkle-Damg̊ard hash functions. Despite that, second preimage attacks against dithered hash functions were proposed by Andreeva et al. One issue with these second preimage attacks is their huge memory requirement in the precomputation and the online phases. In this paper, we present new second preimage attacks on the dithered Merkle-Damg̊ard construction. These attacks consume significantly less memory in the online phase (with a negligible increase in the online time complexity) than previous attacks. For example, in the case of MD5 with the Keränen sequence, we reduce the memory complexity from about 2 blocks to about 2 blocks (about 545 MB). We also present an essentially memoryless variant of Andreeva et al. attack. In case of MD5-Keränen or SHA1-Keränen, the offline and online memory complexity is 2 message blocks (about 188–235 KB), at the expense of increasing the offline time complexity.