Search results for: preimage resistance

Number of results: 375710

Journal: IACR Cryptology ePrint Archive 2013
Gautham Sekar, Soumyadeep Bhattacharya

TCS SHA-3 is a family of four cryptographic hash functions that are covered by a US patent (US 2009/0262925). The digest sizes are 224, 256, 384 and 512 bits. The hash functions use bijective functions in place of the standard compression functions. In this paper we describe first and second preimage attacks on the full hash functions. The second preimage attack requires negligible time and t...

2009
Christophe Petit, Jean-Jacques Quisquater, Jean-Pierre Tillich, Gilles Zémor

Abstract. The Zémor-Tillich hash function has remained unbroken since its introduction at CRYPTO’94. We present the first generic collision and preimage attacks against this function, in the sense that the attacks work for any parameters of the function. Their complexity is the cubic root of the birthday bound; for the parameters initially suggested by Tillich and Zémor they are very close to b...

Journal: IACR Cryptology ePrint Archive 2009
Keting Jia, Yvo Desmedt, Lidong Han, Xiaoyun Wang

In this paper, we present the pseudo-collision, pseudo-second-preimage and pseudo-preimage attacks on the SHA-3 candidate algorithm Luffa. The pseudo-collisions and pseudo-second-preimages can be found easily by computing the inverse of the message injection function at the beginning of Luffa. We explain in detail the pseudo-preimage attacks. For Luffa-224/256, given the hash value, only 2 iter...

Journal: Inf. Process. Lett. 2014
Jooyoung Lee, Daesung Kwon

In this paper, we study security of a certain class of permutation-based compression functions. Denoted lp231 in [10], they are 2n-to-n-bit compression functions using three calls to a single n-bit random permutation. We prove that lp231 is asymptotically preimage resistant up to $2^{2n/3}/n$ query complexity and collision resistant up to 2 n 2 /n query complexity for any > 0. Based on a single pe...

Journal: IACR Cryptology ePrint Archive 2010
Michal Rjasko

A “strong” cryptographic hash function suitable for practical applications should simultaneously satisfy many security properties, like pseudo-randomness, collision resistance and unforgeability. This paper shows how to combine two hash function families, each satisfying a different security property, into one hash function family, which satisfies both properties. In particular, given two hash func...

2009
Yu Sasaki, Kazumaro Aoki

In this paper, we present the first cryptographic preimage attack on the full MD5 hash function. This attack, with a complexity of 2, generates a pseudo-preimage of MD5 and, with a complexity of 2, generates a preimage of MD5. The memory complexity of the attack is 2×11 words. Our attack is based on splice-and-cut and local-collision techniques that have been applied to step-reduced MD5 and othe...

1994
Steven M. LaValle, Seth Hutchinson

We consider the problem of determining robot manipulation plans when sensing and control uncertainties are specified as conditional probability densities. Traditional approaches are usually based on worst-case error analysis in a methodology known as preimage backchaining. We have developed a general framework for determining sensor-based robot plans by blending ideas from stochastic optimal co...

2009
Lars R. Knudsen, Florian Mendel, Christian Rechberger, Søren S. Thomsen

We provide a collision attack and preimage attacks on the MDC-2 construction, which is a method (dating back to 1988) of turning an n-bit block cipher into a 2n-bit hash function. The collision attack is the first below the birthday bound to be described for MDC-2 and, with n = 128, it has complexity 2, which is to be compared to the birthday attack having complexity 2. The preimage attacks con...

2010
Mridul Nandi, Souradyuti Paul

In this paper we propose a new sequential mode of operation – the Fast wide pipe or FWP for short – to hash messages of arbitrary length. The mode is shown to be (1) preimage-resistance preserving, (2) collision-resistance-preserving and, most importantly, (3) indifferentiable from a random oracle up to O(2) compression function invocations. In addition, our rigorous investigation suggests that...

Journal: IACR Cryptology ePrint Archive 2010
Jinmin Zhong, Xuejia Lai

We propose an improved preimage attack on one-block MD4 with the time complexity 2 MD4 compression function operations, as compared to 2 in [3]. We research the attack procedure in [3] and formulate the complexity for computing a preimage attack on one-block MD4. We attain the result mainly through the following two aspects with the help of the complexity formula. First, we continue to compute ...
