One-way compression function: Difference between revisions

A second preimage attack (given a message m1 an attacker finds another message m2 to satisfy hash(m1) = hash(m2) ) can be done according to Kelsey and Schneier <ref name="ks05">John Kelsey and Bruce Schneier. Second preimages on n-bit hash functions for much less than 2ⁿ work. In Ronald Cramer, editor, EUROCRYPT, volume 3494 of LNCS, pages 474–490. Springer, 2005.</ref> for a 2^k-message-block message in time k x&times; 2^n/2+1+2^n-k+1. Note that the complexity is above 2^n/2 but below 2ⁿ when messages are long and that when messages get shorter the complexity of the attack approaches 2ⁿ.

The Davies–Meyer single-block-length compression function feeds each block of the message (m_i) as the key to a block cipher. It feeds the previous hash value (H_i-1) as the plaintext to be encrypted. The output ciphertext is then also [[exclusive-or|XORed]] (<math>\oplus</math>⊕) with the previous hash value (H_i-1) to produce the next hash value (H_i). In the first round when there is no previous hash value it uses a constant pre-specified initial value (H₀).

A notable property of the Davies–Meyer construction is that even if the underlying block cipher is totally secure, it is possible to compute [[Fixed point (mathematics)|fixed points]] for the construction : for any <math>{{mvar|m</math>}}, one can find a value of <math>{{mvar|h</math>}} such that <math>E_m(h) \oplus h = h</math> : one just has to set <math>h = E_m^{-1}(0)</math>.<ref>Handbook of Applied Cryptography by Alfred J. Menezes, Paul C. van Oorschot, Scott A. Vanstone. Fifth Printing (August 2001) page 375.</ref> This is a property that [[random function]]s certainly do not have. So far, no practical attack has been based on this property, but one should be aware of this "feature". The fixed-points can be used in a second preimage attack (given a message m1, attacker finds another message m2 to satisfy hash(m1) = hash(m2) ) of Kelsey and Schneier <ref name="ks05"/> for a 2^k-message-block message in time 3 x&times; 2^n/2+1+2^n-k+1 . If the construction does not allow easy creation of fixed points (like Matyas–Meyer–Oseas or Miyaguchi–Preneel) then this attack can be done in k x&times; 2^n/2+1+2^n-k+1 time. Note that in both cases the complexity is above 2^n/2 but below 2ⁿ when messages are long and that when messages get shorter the complexity of the attack approaches 2ⁿ.

It feeds each block of the message (m_i) as the plaintext to be encrypted. The output ciphertext is then also XORed (<math>\oplus</math>⊕) with the same message block (m_i) to produce the next hash value (H_i). The previous hash value (H_i-1) is fed as the key to the block cipher. In the first round when there is no previous hash value it uses a constant pre-specified initial value (H₀).

A second preimage attack (given a message m1 an attacker finds another message m2 to satisfy hash(m1) = hash(m2) ) can be done according to Kelsey and Schneier<ref name="ks05"/> for a 2^k-message-block message in time k x&times; 2^n/2+1+2^n-k+1. Note that the complexity is above 2^n/2 but below 2ⁿ when messages are long and that when messages get shorter the complexity of the attack approaches 2ⁿ.

It feeds each block of the message (m_i) as the plaintext to be encrypted. The output ciphertext is then XORed (<math>\oplus</math>⊕) with the same message block (m_i) and then also XORed with the previous hash value (H_i-1) to produce the next hash value (H_i). The previous hash value (H_i-1) is fed as the key to the block cipher. In the first round when there is no previous hash value it uses a constant pre-specified initial value (H₀).

A second preimage attack (given a message m1 an attacker finds another message m2 to satisfy hash(m1) = hash(m2) ) can be done according to Kelsey and Schneier<ref name="ks05"/> for a 2^k-message-block message in time k x&times; 2^n/2+1+2^n-k+1. Note that the complexity is above 2^n/2 but below 2ⁿ when messages are long and that when messages get shorter the complexity of the attack approaches 2ⁿ.