Search results for: preimage attack

Number of results: 81176

Journal: IACR Cryptology ePrint Archive 2005
John Kelsey, Tadayoshi Kohno

In this paper, we develop a new attack on Damgård-Merkle hash functions, called the herding attack, in which an attacker who can find many collisions on the hash function by brute force can first provide the hash of a message, and later "herd" any given starting part of a message to that hash value by the choice of an appropriate suffix. We introduce a new property which hash functions should h...
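The herding attack described in the abstract above, as an added worked example (not code from the paper): a toy Merkle-Damgård hash with a 16-bit chaining value is assumed so that every brute-force step is cheap. The attacker builds a 2^k-leaf "diamond" of collisions, publishes the hash of the root (with the length block fixed in advance), and later links any prefix into one of the leaves with a single block. The constants, the truncated-SHA-256 compression function and the pairwise diamond construction are assumptions of this example, not the paper's parameters.

```python
import hashlib

# Toy Merkle-Damgård hash with a 16-bit chaining value (assumed toy parameters),
# so every brute-force step in the herding attack costs at most a few thousand
# compression-function calls.
WIDTH = 16
MASK = (1 << WIDTH) - 1
IV = 0x1234
DIAMOND_DEPTH = 4       # k: the diamond has 2^k leaves and collapses over k levels
TOTAL_BLOCKS = 12       # L: fixed block length of every message we will herd


def compress(h, m):
    """Toy compression function: SHA-256(h || m) truncated to WIDTH bits."""
    digest = hashlib.sha256(h.to_bytes(2, "big") + m.to_bytes(2, "big")).digest()
    return int.from_bytes(digest[:2], "big")


def md_hash(blocks):
    """Merkle-Damgård iteration with MD strengthening (a final length block)."""
    h = IV
    for m in blocks:
        h = compress(h, m)
    return compress(h, len(blocks) & MASK)


def find_collision(a, b):
    """Blocks (ma, mb) with compress(a, ma) == compress(b, mb), by brute force.

    Tabulates 2^(WIDTH/2 + 1) outputs from state a, then walks blocks from
    state b until one lands in the table (expected ~2^(WIDTH/2 - 1) tries).
    """
    table = {}
    for ma in range(1 << (WIDTH // 2 + 1)):
        table.setdefault(compress(a, ma), ma)
    for mb in range(1 << WIDTH):
        out = compress(b, mb)
        if out in table:
            return table[out], mb, out
    raise RuntimeError("no collision in the block space")


def build_diamond(leaves):
    """Precomputation: collapse 2^k leaf states pairwise down to one root.

    Returns (levels, edges): levels[i] is the list of states at level i,
    levels[-1] == [root], and edges[(i, state)] == (block, state at level i+1).
    """
    assert len(leaves) & (len(leaves) - 1) == 0, "need a power-of-two leaf count"
    levels, edges = [list(leaves)], {}
    while len(levels[-1]) > 1:
        cur, nxt = levels[-1], []
        for a, b in zip(cur[0::2], cur[1::2]):
            ma, mb, out = find_collision(a, b)
            edges[(len(levels) - 1, a)] = (ma, out)
            edges[(len(levels) - 1, b)] = (mb, out)
            nxt.append(out)
        levels.append(nxt)
    return levels, edges


def commitment(levels):
    """The hash value published up front: root followed by the fixed length block."""
    return compress(levels[-1][0], TOTAL_BLOCKS & MASK)


def herd(prefix, levels, edges):
    """Given any prefix, return a TOTAL_BLOCKS-block message hashing to commitment()."""
    k = len(levels) - 1
    filler = TOTAL_BLOCKS - k - 1 - len(prefix)
    if filler < 0:
        raise ValueError("prefix too long for the committed length")
    msg = list(prefix) + [0] * filler          # pad the prefix up to L - k - 1 blocks
    state = IV
    for m in msg:
        state = compress(state, m)
    leaf_set = set(levels[0])
    for link in range(1 << WIDTH):             # expected ~2^(WIDTH - k) tries
        out = compress(state, link)
        if out in leaf_set:
            break
    else:
        raise RuntimeError("no linking block found")
    msg.append(link)
    state = out
    for lvl in range(k):                       # walk the diamond from leaf to root
        block, state = edges[(lvl, state)]
        msg.append(block)
    assert state == levels[-1][0]
    return msg


if __name__ == "__main__":
    levels, edges = build_diamond(list(range(0x1000, 0x1000 + (1 << DIAMOND_DEPTH))))
    target = commitment(levels)
    for prefix in ([0xCAFE, 0xF00D], [1, 2, 3, 4]):
        msg = herd(prefix, levels, edges)
        print(hex(target), hex(md_hash(msg)), msg[:len(prefix)] == prefix)
```

The diamond costs roughly 2^k collision searches of about 2^(n/2) work each, and each later herding step costs about 2^(n-k) compression calls to hit one of the 2^k leaves; that tradeoff, not any weakness in the compression function, is what the attack exploits, which is why it applies to any narrow-pipe Merkle-Damgård design.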

Journal: IACR Cryptology ePrint Archive 2008
Dmitry Khovratovich, Ivica Nikolic

In this paper we present a preimage attack on EnRUPT512. We exploit the fact that the internal state is only a little bit larger than the critical security level: 1152 bits against 1024 bits. The absence of a message expansion and a fairly simple compression function allow us to fix the values for some state words and thus reduce the size of birthday state space in the meet-in-the-middle attack...

Journal: IACR Cryptology ePrint Archive 2009
Yu Sasaki

In this note, we present a full key recovery attack on HMAC-AURORA-512 when 512-bit secret keys are used and the MAC length is 512-bit long. Our attack requires 2 queries and the off-line complexity is 2 AURORA-512 operations, which is significantly less than the complexity of the exhaustive search for a 512-bit key. The attack can be carried out with a negligible amount of memory. Our attack ca...

Journal: IACR Cryptology ePrint Archive 2009
Michael Halcrow, Niels Ferguson

We present a second pre-image attack on ECOH. Our attack requires 2^143 time for ECOH-224 and ECOH-256, 2^206 time for ECOH-384, and 2^287 time for ECOH-512. The attack sets the checksum block to a fixed value and uses a collision search on the elliptic curve points. 1. An outline of ECOH. We first give a description of the essential elements of ECOH. We restrict ourselves to messages that are an in...

Journal: IACR Cryptology ePrint Archive 2010
Niels Ferguson, Stefan Lucks, Kerry A. McKay

This paper provides three improvements over previous work on analyzing CubeHash, based on its classes of symmetric states: (1) We present a detailed analysis of the hierarchy of symmetry classes. (2) We point out some flaws in previously claimed attacks which tried to exploit the symmetry classes. (3) We present and analyze new multicollision and preimage attacks. For the default parameter sett...

2009
Elena Andreeva, Charles Bouillaguet, Orr Dunkelman, John Kelsey

In this paper we present new attack techniques to analyze the structure of hash functions that are not based on the classical Merkle-Damgård construction. We extend the herding attack to concatenated hashes, and to certain hash functions that process each message block several times. Using this technique, we show a second preimage attack on the folklore "hash-twice" construction which process ...

2010
Charles Bouillaguet, Pierre-Alain Fouque

Most cryptographic hash functions rely on a simpler primitive called a compression function, and in nearly all cases, there is a reduction between some of the security properties of the full hash function and those of the compression function. For instance, a celebrated result of Merkle and Damgård from 1989 states that a collision on the hash function cannot be found without finding a collisio...

2005
Xiaoyun Wang, Xuejia Lai, Dengguo Feng, Hui Chen, Xiuyuan Yu

MD4 is a hash function developed by Rivest in 1990. It serves as the basis for most of the dedicated hash functions such as MD5, SHAx, RIPEMD, and HAVAL. In 1996, Dobbertin showed how to find collisions of MD4 with complexity equivalent to 2 MD4 hash computations. In this paper, we present a new attack on MD4 which can find a collision with probability 2^-2 to 2^-6, and the complexity of finding ...

Journal: IACR Cryptology ePrint Archive 2005
Jin Hong, Palash Sarkar

Some of the existing time-memory tradeoff attacks (TMTO) on specific systems can be reinterpreted as methods for inverting general one-way functions. We apply these methods back to specific systems in ways not considered before. This provides the following startling results. No stream cipher can provide security equal to its key length; some important block cipher modes of operation are vulnerabl...
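The generic one-way-function inversion that the abstract above builds on, as an added worked example (not code from the paper): Hellman's time-memory tradeoff on an assumed toy 16-bit function (SHA-256 truncated to two bytes). Precomputation walks R tables of M chains of length T and stores only the chain endpoints; the online phase inverts a target with about R*T function evaluations instead of 2^16, at the price of R*M stored pairs. The parameters, the additive per-table reduction function and the start-point schedule are assumptions of this example; Hong and Sarkar's own reinterpretation of specific systems is not reproduced here.

```python
import hashlib

# Assumed toy one-way function on 16-bit values and toy Hellman parameters.
# Hellman's "matrix stopping rule" M * T^2 = N keeps chain merges inside one
# table modest; R tables with different reduction functions raise coverage.
WIDTH = 16
N = 1 << WIDTH
MASK = N - 1
T = 16            # chain length
M = 256           # chains per table (M * T^2 == N)
R = 16            # number of tables, each with its own reduction function


def f(x):
    """The one-way function to invert: SHA-256(x) truncated to WIDTH bits."""
    return int.from_bytes(hashlib.sha256(x.to_bytes(2, "big")).digest()[:2], "big")


def reduce(y, j):
    """Per-table reduction: a distinct permutation of the output space for table j."""
    return (y + j * 0x9E37) & MASK


def step(x, j):
    """One chain step in table j: x -> reduce(f(x), j)."""
    return reduce(f(x), j)


def build_tables():
    """Precompute R Hellman tables; only (endpoint -> startpoint) pairs are kept."""
    tables = []
    for j in range(R):
        table = {}
        for i in range(M):
            start = (i * R + j) & MASK    # deterministic, distinct start points
            x = start
            for _ in range(T):
                x = step(x, j)
            table[x] = start
        tables.append(table)
    return tables


def invert(y, tables):
    """Return some x with f(x) == y, or None if no chain covers a preimage of y."""
    for j, table in enumerate(tables):
        z = reduce(y, j)                  # if y == f(x_i) then z == x_{i+1}
        for steps in range(T):            # walk forward until an endpoint is hit
            if z in table:
                # Candidate chain: regenerate it and take the point T-1-steps in,
                # i.e. the predecessor of z.  Check f() to rule out a false alarm
                # caused by a merge into this chain.
                x = table[z]
                for _ in range(T - 1 - steps):
                    x = step(x, j)
                if f(x) == y:
                    return x
            z = step(z, j)
    return None


def success_rate(tables, count):
    """Fraction of targets y = f(x), x in [0, count), that invert() recovers."""
    hits = 0
    for x in range(count):
        y = f(x)
        p = invert(y, tables)
        if p is not None:
            assert f(p) == y              # every returned value is a real preimage
            hits += 1
    return hits / count


if __name__ == "__main__":
    tables = build_tables()
    print("stored pairs:", sum(len(t) for t in tables))
    print("success rate:", success_rate(tables, 200))
```

Total precomputation here is R*M*T = N evaluations, so the tables cost as much as one exhaustive search to build, but they are then reused for every target: that amortisation is exactly why a stream cipher's internal state, or a block-cipher mode's key stream, must be larger than the security level it claims.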

2011
Henryk Fukś, Andrew Skelton

We consider the problem of finding response curves for a class of binary two-dimensional cellular automata with L-shaped neighbourhood. We show that the dependence of the density of ones after an arbitrary number of iterations, on the initial density of ones, can be calculated for a fairly large number of rules by considering preimage sets. We provide several examples and a summary of all known...
