Second Preimages on n-Bit Hash Functions for Much Less than 2n Work

We provide a second preimage attack on all n-bit iterated hash functions with Damgard-Merkle strengthening and n-bit intermediate states, allowing a second preimage to be found for a 2-messageblock message with about k× 2 + 2n−k+1 work. Using SHA1 as an example, our attack can find a second preimage for a 2 byte message in 2 work, rather than the previously expected 2 work. We also provide slightly cheaper ways to find multicollisions than the method of Joux[J04]. Both of these results are based on expandable messages– patterns for producing messages of varying length, which all collide on the intermediate hash result immediately after processing the message. We also provide algorithms for finding expandable messages for a hash function, using only a small multiple of the work done to find a single collision in the hash function.