In this article, we analyze the security of the GOST hash function with respect to (second) preimage resistance. The GOST hash function, defined in the Russian standard GOST-R 34.11-94, is an iterated hash function producing a 256-bit hash value. As opposed to most commonly used hash functions such as MD5 and SHA-1, the GOST hash function defines, in addition to the common iterated structure, a...

Bellare and Micciancio’s MuHASH applies a pre-existing hash function to map indexed message blocks into a secure group. The resulting hash is the product. Bellare and Micciancio proved, in the random oracle model, that MuHASH is collision-resistant if the group’s discrete logarithm problem is infeasible. MuHASH, however, relies on a pre-existing hash being collision resistant. In this paper, we...

This paper proposes preimage attacks on hash function HAVAL whose output length is 256 bits. This paper has three main contributions; a preimage attack on 3-pass HAVAL at the complexity of 2, a preimage attack on 4-pass HAVAL at the complexity of 2, and a preimage attack on 5-pass HAVAL reduced to 151 steps at the complexity of 2. Moreover, we optimize the computational order for brute-force at...

We propose a variant of the CGL hash [5] that is significantly faster than the original algorithm, and prove that it is preimage and collision resistant. For n = log p where p is the characteristic of the finite field, the performance ratio between CGL and the new proposal is (2n + 104.8)/(1.8 logn + 12.6). Assuming the best quantum preimage attack on the hash has complexityO(p 1 4 ), we attain...

In this paper, we provide some cryptanalytic results for double-blocklength (DBL) hash modes of block ciphers, MDC-4. Our preimage attacks follow the framework of Knudsen et al.’s time/memory tradeoff preimage attack on MDC-2. We find how to apply it to our objects. When the block length of the underlying block cipher is n bits, the most efficient preimage attack on MDC-4 requires time and spac...

Liskov proposed several weakened versions of the random oracle model, called weakened random oracle models (WROMs), to capture the vulnerability of ideal compression functions, which are expected to have the standard security of hash functions, i.e., collision resistance, second-preimage resistance, and one-wayness properties. The WROMs offer additional oracles to break such properties of the r...

Cryptographic hash functions map input strings of arbitrary length to fixed length output strings. They are expected to satisfy several security properties that include preimage resistance, second preimage resistance, and collision resistance. The free availability of efficient software-oriented hash functions such as MD4, MD5 and SHA-1 has resulted in a very broad deployment of hash functions,...

Some of the existing time memory tradeoff attacks (TMTO) on specific systems can be reinterpreted as methods for inverting general oneway functions. We apply these methods back to specific systems in ways not considered before. This provides the following startling results. No streamcipher can provide security equal to its key length; some important blockcipher modes of operations are vulnerabl...

In this paper, we present a new technique to construct a collision attack from a particular preimage attack which is called a partial target preimage attack. Since most of the recent meet-in-the-middle preimage attacks can be regarded as the partial target preimage attack, a collision attack is derived from the meet-in-the-middle preimage attack. By using our technique, pseudo collisions of the...