We study the security of the concatenation combiner H1(M)‖H2(M) for two independent iterated hash functions with n-bit outputs that are built using the Merkle-Damg̊ard construction. In 2004 Joux showed that the concatenation combiner of hash functions with an n-bit internal state does not offer better collision and preimage resistance compared to a single strong n-bit hash function. On the other...

In this paper, we present preimage attacks on up to 43step SHA-256 (around 67% of the total 64 steps) and 46-step SHA-512 (around 57.5% of the total 80 steps), which significantly increases the number of attacked steps compared to the best previously published preimage attack working for 24 steps. The time complexities are 2, 2 for finding pseudo-preimages and 2, 2 compression function operatio...

DHA-256 (Double Hash Algorithm) was proposed at the Cryptographic Hash Workshop hosted by NIST in November 2005. DHA-256 is a dedicated hash function with output length of 256 bits and 64 steps of operations designed to enhance SHA-256 security. In this paper, we show an attack on 35-step DHA-256. The attack finds pseudo-preimage and preimage of 35-step DHA-256 with the time complexity of 2 and...

SM3 [11] is the Chinese cryptographic hash standard which was announced in 2010 and designed by Wang et al.. It is based on the Merkle-Damgård design and its compression function can be seen as a block cipher used in DaviesMeyer mode. It uses message block of length 512 bits and outputs hash value of length 256 bits. This paper studies the security of SM3 hash function against preimage attack a...

In this paper we investigate the security of the compression function of HAS-160 in encryption mode. The structure of HAS-160 is similar to SHA-1 besides some modifications.This is the first cryptographic attack that breaks the encryption mode of the full 80-round HAS-160. We apply a key recovery attack that requires 2 chosen plaintexts and 2 80-round HAS-160 encryptions. The attack does not ai...

In this paper we construct preimage attack on the truncated variant of the MD4 hash function. Specifically, we study the MD4-39 function defined by the first 39 steps of the MD4 algorithm. We suggest a new attack on MD4-39, which develops the ideas proposed by H. Dobbertin in 1998. Namely, the special relaxation constraints are introduced in order to simplify the equations corresponding to the ...

We propose a variant of the CGL hash [5] that is significantly faster than the original algorithm, and prove that it is preimage and collision resistant. For n = log p where p is the characteristic of the finite field, the performance ratio between CGL and the new proposal is (2n + 104.8)/(1.8 logn + 12.6). Assuming the best quantum preimage attack on the hash has complexityO(p 1 4 ), we attain...

We study the security of AES in the open-key setting by showing an analysis on hash function modes instantiating AES including Davies-Meyer, Matyas-Meyer-Oseas, and Miyaguchi-Preneel modes. In particular, we propose preimage attacks on these constructions, while most of previous work focused their attention on collision attacks or distinguishers using non-ideal differential properties. This res...

In this paper we show a quantum preimage attack on CubeHash-512-normal with complexity 2. This kind of attack is expected to cost 2 for a good 512-bit hash function, and we argue that this violates the expected security of CubeHash. The preimage attack can also be used as a collision attack, given that a generic quantum collision attack on a 512-bit hash function require 2 operations, as explai...

In this paper, we propose preimage attacks on 41-step SHA-256 and 46-step SHA-512, which drastically increase the number of attacked steps compared to the best previous preimage attack working for only 24 steps. The time complexity for 41-step SHA-256 is 2 compression function operations and the memory requirement is 2 × 10 words. The time complexity for 46-step SHA-512 is 2 compression functio...