Meet-in-the-Middle Preimage Attacks on Sponge-Based Hashing


Similar Papers
  • Research Article
  • 10.6138/jit.2013.14.3.13
Security evaluation of double-block-length hash modes with preimage attacks on PGV schemes
  • Jun 18, 2015
  • Journal of Internet Technology
  • Dukjae Moon + 3 more

In FSE 2011, Sasaki presented preimage attacks on the Davies-Meyer (DM) scheme of 7-round AES and explained how to convert them into attacks on the hash function for the 12 secure PGV schemes. In this paper, we apply Sasaki's work to Double-Block-Length (DBL) hash modes based on an arbitrary blockcipher. We generalize the compression functions of several DBL hash modes. Assuming that Sasaki's preimage attack on the DM scheme of the underlying blockcipher is faster than a brute-force attack, we evaluate the security of the hash modes against preimage and second-preimage attacks. Hence, we analyzed the hash modes against preimage and second-preimage attacks, except for some cases of the generalized MDC-4.

  • Book Chapter
  • Cited by 38
  • 10.1007/978-3-642-03317-9_9
Preimage Attacks on Reduced Tiger and SHA-2
  • Jan 1, 2009
  • Takanori Isobe + 1 more

This paper shows new preimage attacks on reduced Tiger and SHA-2. Indesteege and Preneel presented a preimage attack on Tiger reduced to 13 rounds (out of 24) with a complexity of 2^128.5. Our new preimage attack finds a one-block preimage of Tiger reduced to 16 rounds with a complexity of 2^161. The proposed attack is based on meet-in-the-middle attacks. It seems difficult to find “independent words” of Tiger at first glance, since its key schedule function is much more complicated than that of MD4 or MD5. However, we developed techniques to find independent words efficiently by controlling its internal variables. Surprisingly, similar techniques can be applied to SHA-2, including both SHA-256 and SHA-512. We present a one-block preimage attack on SHA-256 and SHA-512 reduced to 24 (out of 64 and 80) steps with a complexity of 2^240 and 2^480, respectively. To the best of our knowledge, our attack is the best known preimage attack on reduced-round Tiger, and our preimage attack on reduced-step SHA-512 is the first result. Furthermore, our preimage attacks can also be extended to second preimage attacks directly, because our attacks can obtain random preimages from an arbitrary IV and an arbitrary target.

Keywords: hash function, preimage attack, second preimage attack, meet-in-the-middle, Tiger, SHA-256, SHA-512

  • Book Chapter
  • Cited by 7
  • 10.1007/978-3-319-22425-1_6
Improved (Pseudo) Preimage Attacks on Reduced-Round GOST and Grøstl-256 and Studies on Several Truncation Patterns for AES-like Compression Functions
  • Jan 1, 2015
  • Bingke Ma + 3 more

In this paper, we present improved preimage attacks on the reduced-round GOST hash function family, which serves as the new Russian hash standard, with the aid of techniques such as the rebound attack, the Meet-in-the-Middle preimage attack and multicollisions. Firstly, a preimage attack on 5-round GOST-256 is proposed, which is the first preimage attack on GOST-256 at the hash function level. Then we extend the (previous) attacks on 5-round GOST-256 and 6-round GOST-512 to 6.5 and 7.5 rounds respectively by exploiting the involution property of the GOST transposition operation. Secondly, inspired by the preimage attack on GOST-256, we also study the impact of four representative truncation patterns on the resistance of AES-like compression functions against the Meet-in-the-Middle preimage attack, and propose two stronger truncation patterns which make it more difficult to launch this type of attack. Based on our investigations, we are able to slightly improve the previous pseudo preimage attacks on reduced-round Grøstl-256.

Keywords: hash function, cryptanalysis, preimage, GOST, Grøstl-256, Meet-in-the-Middle preimage attack, truncation patterns

  • Research Article
  • Cited by 1
  • 10.6688/jise.2014.30.6.7
Improved (Pseudo) Preimage Attack and Second Preimage Attack on Round-Reduced Grøstl Hash Function *
  • Nov 1, 2014
  • Journal of Information Science and Engineering
  • Jian Zou + 3 more

The Grøstl hash function is one of the five finalists in the third round of the SHA-3 competition hosted by NIST. In this paper, we propose some improved (pseudo) preimage attacks on the Grøstl hash function by using techniques such as the subspace preimage attack and the guess-and-determine technique. We present improved pseudo preimage attacks on the 5-round Grøstl-256 hash function and the 8-round Grøstl-512 hash function; the complexities of these attacks are (2^(239.90), 2^(240.40)) (in time and memory) and (2^(499.50), 2^(499)), respectively. We also extend the pseudo preimage attack on the Grøstl-256 hash function from 5 rounds to 6 rounds, besides the biclique attack. Furthermore, we propose a pseudo second preimage attack on the 6-round Grøstl-256 hash function. The complexities of our 6-round (pseudo) preimage and second preimage attacks are (2^(253.26), 2^(253.67)) and (2^(251.0), 2^(252.0)), respectively. As far as we know, these are the best known preimage attacks on the round-reduced Grøstl hash function.

  • Research Article
  • Cited by 7
  • 10.46586/tosc.v2022.i2.63-91
Improved MITM Cryptanalysis on Streebog
  • Jun 10, 2022
  • IACR Transactions on Symmetric Cryptology
  • Jialiang Hua + 5 more

At ASIACRYPT 2012, Sasaki et al. introduced the guess-and-determine approach to extend the meet-in-the-middle (MITM) preimage attack. At CRYPTO 2021, Dong et al. proposed a technique to derive the solution spaces of nonlinearly constrained neutral words in the MITM preimage attack. In this paper, we combine these two techniques to further improve MITM preimage attacks. Based on the previous MILP-based automatic tools for MITM attacks, we introduce new constraints arising from the combination of guess-and-determine and nonlinearly constrained neutral words to build a new automatic model. As a proof of work, we apply it to the Russian national standard hash function Streebog, which is also an ISO standard. We find the first 8.5-round preimage attack on the Streebog-512 compression function and the first 7.5-round preimage attack on the Streebog-256 compression function. In addition, we give an 8.5-round preimage attack on the Streebog-512 hash function. Our attacks extend the best previous attacks by one round. We also improve the time complexity of the 7.5-round preimage attack on the Streebog-512 hash function and the 6.5-round preimage attack on the Streebog-256 hash function.

  • Book Chapter
  • Cited by 38
  • 10.1007/978-3-642-04159-4_8
Preimage Attacks on 3-Pass HAVAL and Step-Reduced MD5
  • Jan 1, 2009
  • Jean-Philippe Aumasson + 2 more

This paper presents preimage attacks on the hash functions 3-pass HAVAL and step-reduced MD5. Introduced in 1992 and 1991 respectively, these functions underwent severe collision attacks, but no preimage attack. We describe two preimage attacks on the compression function of 3-pass HAVAL. The attacks have a complexity of about 2^224 compression function evaluations instead of 2^256. We present several preimage attacks on the MD5 compression function that invert up to 47 steps (out of 64) within 2^96 trials instead of 2^128. Although our attacks are not practical, they show that the security margin of 3-pass HAVAL and step-reduced MD5 with respect to preimage attacks is not as high as expected.

  • Book Chapter
  • Cited by 69
  • 10.1007/978-3-540-78967-3_16
Second Preimage Attacks on Dithered Hash Functions
  • Sep 17, 2009
  • Elena Andreeva + 6 more

We develop a new generic long-message second preimage attack, based on combining the techniques in the second preimage attacks of Dean [8] and Kelsey and Schneier [16] with the herding attack of Kelsey and Kohno [15]. We show that these generic attacks apply to hash functions using the Merkle-Damgård construction with only slightly more work than the previously known attack, but allow enormously more control of the contents of the second preimage found. Additionally, we show that our new attack applies to several hash function constructions which are not vulnerable to the previously known attack, including the dithered hash proposal of Rivest [25], Shoup's UOWHF [26] and the ROX hash construction [2]. We analyze the properties of the dithering sequence used in [25], and develop a time-memory tradeoff which allows us to apply our second preimage attack to a wide range of dithering sequences, including sequences which are much stronger than those in Rivest's proposals. Finally, we show that both the existing second preimage attacks [8,16] and our new attack can be applied even more efficiently to multiple target messages; in general, given a set of many target messages with a total of 2^R message blocks, these second preimage attacks can find a second preimage for one of those target messages with no more work than would be necessary to find a second preimage for a single target message of 2^R message blocks.

  • Book Chapter
  • Cited by 57
  • 10.1007/978-3-540-89255-7_16
Preimage Attacks on 3, 4, and 5-Pass HAVAL
  • Jan 1, 2008
  • Yu Sasaki + 1 more

This paper proposes preimage attacks on the hash function HAVAL with a 256-bit output length. The paper has three main contributions: a preimage attack on 3-pass HAVAL with complexity 2^225, a preimage attack on 4-pass HAVAL with complexity 2^241, and a preimage attack on 5-pass HAVAL reduced to 151 steps with complexity 2^241. Moreover, we optimize the computational order of the brute-force attack on full 5-pass HAVAL, whose complexity is 2^254.89. As far as we know, the proposed attack on 3-pass HAVAL is the best attack, and there is no preimage attack so far on 4-pass and 5-pass HAVAL. Note that the complexity of the previous best attack on 3-pass HAVAL is 2^230. Technically, our attacks find pseudo-preimages of HAVAL by combining the meet-in-the-middle and local-collision approaches, then convert the pseudo-preimages to a preimage by using a generic algorithm.

  • Book Chapter
  • Cited by 28
  • 10.1007/978-3-642-34047-5_16
Converting Meet-In-The-Middle Preimage Attack into Pseudo Collision Attack: Application to SHA-2
  • Jan 1, 2012
  • Ji Li + 2 more

In this paper, we present a new technique to construct a collision attack from a particular kind of preimage attack called a partial target preimage attack. Since most recent meet-in-the-middle preimage attacks can be regarded as partial target preimage attacks, a collision attack can be derived from the meet-in-the-middle preimage attack. By using our technique, pseudo collisions of 43-step reduced SHA-256 and 46-step reduced SHA-512 can be obtained with complexities of 2^126 and 2^254.5, respectively. As far as we know, our results are the best pseudo collision attacks on both SHA-256 and SHA-512 in the literature. Moreover, we show that our pseudo collision attacks can be extended to 52 and 57 steps of SHA-256 and SHA-512, respectively, by combining them with the recent biclique-based preimage attacks on SHA-2. Furthermore, since the proposed technique is quite simple, it can be directly applied to other hash functions. We apply our algorithm to several hash functions including Skein and BLAKE, which are SHA-3 finalists. We present not only the best pseudo collision attacks on the SHA-2 family, but also a new insight into the relation between a meet-in-the-middle preimage attack and a pseudo collision attack.

  • Book Chapter
  • Cited by 2
  • 10.1007/978-3-319-69453-5_14
New Second Preimage Attacks on Dithered Hash Functions with Low Memory Complexity
  • Jan 1, 2017
  • Muhammad Barham + 3 more

Dithered hash functions were proposed by Rivest as a method to mitigate second preimage attacks on Merkle-Damgård hash functions. Despite that, second preimage attacks against dithered hash functions were proposed by Andreeva et al. One issue with these second preimage attacks is their huge memory requirement in the precomputation and online phases. In this paper, we present new second preimage attacks on the dithered Merkle-Damgård construction. These attacks consume significantly less memory in the online phase (with a negligible increase in the online time complexity) than previous attacks. For example, in the case of MD5 with the Keränen sequence, we reduce the memory complexity from about \(2^{51}\) blocks to about \(2^{26.7}\) blocks (about 545 MB). We also present an essentially memoryless variant of Andreeva et al.'s attack. In the case of MD5-Keränen or SHA1-Keränen, the offline and online memory complexity is \(2^{15.2}\) message blocks (about 188–235 KB), at the expense of increasing the offline time complexity.

  • Research Article
  • Cited by 4
  • 10.3837/tiis.2018.02.011
Improved Preimage Attacks on RIPEMD-160 and HAS-160
  • Feb 28, 2018
  • KSII Transactions on Internet and Information Systems
  • Yanzhao Shen + 1 more

The hash function RIPEMD-160 is a worldwide ISO/IEC standard, and the hash function HAS-160 is the Korean hash standard and is widely used in Korea. On the basis of the differential meet-in-the-middle attack and the biclique technique, a preimage attack on 34-step RIPEMD-160 with message padding and a pseudo-preimage attack on 71-step HAS-160 without message padding are proposed. The former is the first preimage attack from the first step; the latter extends the best pseudo-preimage attack from the first step by 5 steps. Furthermore, we locate the linear spaces in other message words and exchange the biclique construction process and the mask vector search process. A preimage attack on 35-step RIPEMD-160 and a preimage attack on 71-step HAS-160 are presented. Both attacks start from an intermediate step and satisfy the message padding. They improve the best preimage attacks from an intermediate step on step-reduced RIPEMD-160 and HAS-160 by 4 and 3 steps respectively. As far as we know, they are the best preimage and pseudo-preimage attacks on step-reduced RIPEMD-160 and HAS-160 respectively in terms of the number of steps.

  • Book Chapter
  • Cited by 36
  • 10.1007/978-3-642-34047-5_8
(Pseudo) Preimage Attack on Round-Reduced Grøstl Hash Function and Others
  • Jan 1, 2012
  • Shuang Wu + 5 more

The Grøstl hash function is one of the 5 final round candidates of the SHA-3 competition hosted by NIST. In this paper, we study the preimage resistance of the Grøstl hash function. We propose pseudo preimage attacks on the Grøstl hash function for both the 256-bit and 512-bit versions, i.e., we need to choose the initial value in order to invert the hash function. The pseudo preimage attack on 5-round (out of 10) Grøstl-256 has a complexity of (2^244.85, 2^230.13) (in time and memory), and the pseudo preimage attack on 8-round (out of 14) Grøstl-512 has a complexity of (2^507.32, 2^507.00). To the best of our knowledge, our attacks are the first (pseudo) preimage attacks on the round-reduced Grøstl hash function, including its compression function and output transformation. These results are obtained by a variant of the meet-in-the-middle preimage attack framework of Aoki and Sasaki. We also improve the time complexities of the preimage attacks against 5-round Whirlpool and 7-round AES hashes given by Sasaki at FSE 2011.

  • Book Chapter
  • Cited by 1
  • 10.1007/978-3-030-26834-3_18
Preimage Attacks on Reduced Troika with Divide-and-Conquer Methods
  • Jan 1, 2019
  • Fukang Liu + 1 more

Troika is a recently proposed sponge-based hash function for IOTA’s ternary architecture and platform, which is developed by CYBERCRYPT. In this paper, we introduce the preimage attack on 2 and 3 rounds of Troika with a divide-and-conquer approach. Instead of directly matching a given hash value, we propose equivalent conditions to determine whether a message is the preimage before computing the complete hash value. As a result, for the two-round hash value that can be generated with one block, we can search the preimage only in a valid space and efficiently enumerate the messages which can satisfy most of the equivalent conditions with a guess-and-determine technique. For the three-round preimage attack, an MILP-based method is applied to separate the one-block message space into two parts in order to obtain the best advantage over brute force. Our experiments show that the time complexity of the preimage attack on 2 (out of 24) rounds of Troika can be improved to \(3^{79}\), which is \(3^{164}\) times faster than the brute force. For the preimage attack on 3 (out of 24) rounds of Troika, we can obtain an advantage of \(3^{25.7}\) over brute force. In addition, how to construct the second preimage for two-round Troika in seconds is presented as well. Our attacks do not threaten the security of Troika.

  • Book Chapter
  • Cited by 1
  • 10.1007/978-3-642-16825-3_17
Preimage Attacks against Variants of Very Smooth Hash
  • Jan 1, 2010
  • Kimmo Halunen + 1 more

In this paper, we show that some new variants of the Very Smooth Hash (VSH) hash function are susceptible to similar types of preimage attacks as the original VSH. We also generalise the previous mathematical results, which have been used in the preimage attacks. VSH is a hash function based on the multiexponentiation of prime numbers modulo some large product of two primes. The security proof of VSH is based on some computational problems in number theory, which are related to the problem of factoring large integers. However, the preimage resistance of VSH has been studied and found somewhat lacking especially in password protection. There have been many different variants of VSH proposed by the original authors and others. Especially the discrete logarithm version of VSH has been proposed in order to make the hash values shorter. Further proposals have used the discrete logarithm in finite fields and elliptic curves to gain even more advantage to the hash length. Our results demonstrate that even for these new variants, the same ideas for preimage attacks can be applied as for the original VSH and they result in effective preimage attacks.

  • Book Chapter
  • Cited by 20
  • 10.1007/978-3-642-19074-2_14
(Second) Preimage Attacks on Step-Reduced RIPEMD/RIPEMD-128 with a New Local-Collision Approach
  • Jan 1, 2011
  • Lei Wang + 4 more

This paper uses new types of local collisions, named one-message-word local collisions, to construct meet-in-the-middle preimage attacks on the two double-branch hash functions RIPEMD and RIPEMD-128, and obtains the following results. (1) Pseudo-preimage and second preimage attacks on the first 47 steps of RIPEMD (full version: 48 steps) are proposed with complexities of 2^119 and 2^124.5 compression function computations, respectively. The number of attacked steps is greatly increased from the previous preimage attacks on the first 33 steps and the intermediate 35 steps. (2) Pseudo-preimage and preimage attacks on the intermediate 36 steps of RIPEMD-128 (full version: 64 steps) are proposed with complexities of 2^123 and 2^126.5 compression function computations, respectively, while previous attacks work on at most the intermediate 35 steps.
