Some Cryptanalytic Results on Zipper Hash and Concatenated Hash

At SAC 2006, Liskov proposed the zipper hash, a technique for constructing secure (indifferentiable from random oracles) hash functions based on weak (invertible) compression functions. Zipper hash is a two pass scheme, which makes it unfit for practical consideration. But, from the theoretical point of view it seemed to be secure, as it had resisted standard attacks for long. Recently, Andreeva et al. gave a forced-suffix herding attack on the zipper hash, and Chen and Jin showed a second preimage attack provided f1 is strong invertible. In this paper, we analyse the construction under the random oracle model as well as when the underlying compression functions have some weakness. We show (second) preimage, and herding attacks on an n-bit zipper hash and its relaxed variant with f1 = f2, all of which require less than 2 n online computations. Hoch and Shamir have shown that the concatenated hash offers only n 2 bits security when both the underlying compression functions are strong invertible. We show that the bound is tight even when only one of the underlying compression functions is strong invertible.