- Email: [email protected]
Secure hashing in practice
Information Security Technical Report, Vol 4, No. 4 (1999) 53-62
Secure Hashing in Practice Hans Dobbertin, German Information Security Agency, l?O. Box 20 03 63, D-53133 Bonn, Gevmany
Introduction
sending (signing without hashing would, at least, double the size of a message). A fundamental requirement for a hash function h is that it must be collision-resistant: ??
Modern asymmetric cryptology started with the invention of digital signatures by Diffie and Hellman in the mid-seventies, and shortly after Rivest, Shamir and Adleman made this idea concrete by introducing their famous RSA scheme. Signing and verification in this scheme uses modular exponentiation, where the public modulus is the product of two (secret) large primes. The system can be broken if it is possible to factorize the modulus, since it is then easy to compute the secret key (the exponent for signing) from the public key (the exponent for verification). Thus the security of RSA relies on the difficulty of factorizing large numbers. Other newer digital signature schemes depend on the difficulty of the Discrete Log Problem in finite groups (for instance the multiplicative groups of a large finite prime field). To implement practical digital signature additional needs an schemes one cryptographic primitive, a so-called (cryptographic) hash function. A hash algorithm computes the output (or hash value), that is a short string of fixed length say n bits - as a function of the input (message), a bit string of arbitrary length (that is usually much larger than the fixed length). In digital signature schemes a message is hashed before signing. The reasons for applying a hash function are to save computation time (hash algorithms are significantly faster than asymmetric mechanisms; to be more precise: a slow hash function would be useless for practical applications), storage space and time for
0167-4048/99/$20.00
0 1999, Elsevier Science Ltd
Collision resistance: it is practically impossible to find a collision which is a pair of two different messages X and X’ with h(X)=h(X’).
Of course the existence of collisions is unavoidable. The point is that they cannot be found in practice. The reason for this requirement is as follows. Eve could misuse a collision: she convinces Alice to sign X and later she can replace X by X’. The signature for X is also valid for X’, since the verification process only refers to the (identical) hash value of X and X’. Therefore a hash function must be collision resistant (see section entitled ‘MD4: Three rounds are not enough’). In what follows we shall use the term ‘secure hash function’ to imply collision resistance. Hash functions also occur as components in various other cryptographic applications (e.g. protection of pass-phrases) where usually much weaker cryptological requirements are sufficient, namely pre-image resistance and second pre-image resistance: he-image resistance: given an n-bit value V it is practically impossible to find a message X with h(X)=V. Second pre-image resistance: given a message Y it is practically impossible to find a message X different from Y with h(X)=h(Y). If both pre-image and second pre-image resistance is satisfied then we say that h is oneway. If we ignore ‘pathological’ examples of
53
Secure Hashing in Practice
hash functions that do not behave like a random function (a good hash function should behave like a random function), then collision resistance implies both pre-image resistance and second pre-image resistance. If the one-way requirement is violated then the cryptographic defect is dramatically worse than in the case of violated collision resistance: Eve does not depend on the cooperation of Alice. If she gets hold of any message signed by Alice then she is able to replace it with a different message. We must admit that the above notions of collision resistance and one-way requirement are pragmatic and not ‘hard’ mathematical definitions. (What is the precise meaning of ‘practically impossible’?) It is possible to make them precise by introducing suitable formalisms but these definitions are not useful in practice. This is a common problem in cryptology where we develop theory for practical cryptographic mechanisms, and conversely have to derive practical cryptographic mechanisms starting from a theoretical perspective. How can we prove that a concrete practical hash function is secure (collision resistant)? The answer is that we cannot. The answer is even worse: trying to develop a design that allows us to prove ‘security’ in a weaker sense than collision resistance might cause a cryptographical risk. To avoid an over-interpretation of this rather rigorous statement a few remarks should be added. The Discrete Log Problem (DLP) can be transformed into a collision-finding problem. Suppose you have a finite cyclic group G of order, then the DLP means that given random u, b in G, where u generates G, you have to find an integer X, smaller than the order t of G, such that a” = b.
54
This looks like a pre-image problem, for which we would need about t computations of uyin order to match b. But actually it can be treated much more effectively, since we have the homomorphic equation
We define the functions E(X) = uXand F(x) = (a”b)-’ for x = OJ,..., t-1. By a collision of E and F we mean a pair of integers x,, x, with E(x,) = F(x,). Such a collision leads to the solution x=x,-x, mod t of ax=b: a q-‘;?= E(x,)F(xJ’b
=b
Note that conversely if we have a solution of ax= b then x,0 forms a collision of E and E Only after computing a total of dt values of E and F do we have a good chance of finding a collision (see section entitled ‘Birthday Attack’). This connection between the DLP and collision finding explains why one can construct hash functions for which the intractability of DLP implies collision resistance. (Details can be found in Section 7.4 of the standard cryptography book by Douglas Stinson [21].) However, this hash function, for which we have at least provable relative security, is similar to the situation we have with RSA. Therefore it does not meet our requirement of being fast. It remains an open challenge to find fast hash functions for which we can prove security, in the sense of collision resistance, relative to a mathematical problem that is believed to be hard. Until we can reach this situation we have to make ad-hoc designs of practical hash functions. Here we have the pitfall of developing a hash function that is ‘provably secure’ in the sense that, for instance, all hash values occur with about the same probability. On the one hand, it would of course be nice to have such a property from the theoretical point of view. On the other hand, experience has shown that we run the risk of having a design
Information
Security Technical
Report, Vol. 4, No. 4
Secure Hashing in Practice
that allows us to prove a certain restricted aspect of security but also causes other weaknesses. As long as our theoretical knowledge is as limited as it is today, we think that for pracficnl applications it is better to follow another approach, loosely speaking: trial and error. Proposals are discussed in the cryptographic community. Their analysis leads to (partial) attacks, and in this way we derive more and more insight on how to avoid the observed weaknesses. The survivors of this cryptographical evolution are the candidates for becoming standards. The design of practical block ciphers, in particular the current AES design exercise (covered by Sean Murphy in this issue) is another example of this procedure. Almost all currently used hash functions are derivatives of the hash function MD4. Therefore, in this article I focus on this class of hash functions. However, much more can be said about hash functions. We shall not examine topics like building hash functions from block ciphers (see e.g. 1161) or MAC algorithms based on hash functions (see e.g. [3,4]). Chapter 9 of the Handbook of Applied Cryptography [17] gives thorough exposition of hash functions. MD4 was introduced by Ron Rivest [lS, 191 in 1990. This was the starting point for the development of a series of similar hash functions. These MDklike hash functions are: Extended MD4, the 256-bit extension MD4 (Rivest [18]);
of
MD5, the strengthened successor of MD4 introduced by Rivest [20] in 1991; SHA, the ‘Secure Hash Algorithm’ designed by NIST/NSA in 1992, later substituted by the slightly revised SHA-1 [I] in 1995;
information
Security Technical
Report, Vol. 4, No. 4
HAVAL published by Zheng, Pieprzyk and Seberry [23] in 1993; RIPEMD designed 1993 within the framework of the European project RIPE 121; RIPEMD-160 and RIPEMD-128, strengthened versions of RIPEMD, published by Bosselaers, Preneel and the authors in Ref. [12] in 1996.
Designing Hash Functions The design of hash functions is certainly one of the most difficult goals in cryptography. The difficulty is to find a design that is both fast and cryptographically strong. To be more precise, to find an appropriate balance between performance and a degree of ‘complexity’ that is adequate from the point of view of collision resistance. Birthday Attack A general form of the well-known paradox’ states the following: ??
‘birthday
Birthday paradox: Suppose that F is a function that takes on precisely, say, f values. Then about d(f) many evaluations of F suffice to find a collision.
The term ‘birthday’ refers to a real example, namely birthday collisions: in a group of only 23 people the probability that there are two of them that have the same birthday is greater than half. The term ‘paradox’ is used because this number is surprisingly low. Of course this is not a real paradox. Actually the statement of the ‘birthday paradox’ is true, since - arguing in a heuristic way - the number of pairs of evaluations (and therefore chances for a collision), that occur among t evaluations, is in the order of d(f)’ = f. On the other hand, the chance of a random pair of evaluations colliding is 1 /t.
55
Secure Hashing in Practice
An n-bit hash function can take on 2” values. Thus after computing hash values for about 2”/* = d(2”) messages we expect to find a collision. Important research is focussed on practical implementations of collision searches that exploit the birthday paradox or its variants, on restricting the storage space (a naive implementation needs storage for 2”‘* hash values, but you can reduce it to ‘almost nothing’), on exploiting parallelism and so on. We mention the fundamental and brilliant work of John Pollard (see Ref. [17] for recent references to this direction of research). The birthday attack, i.e. application of the birthday paradox in order to attack a cryptographic mechanism, is a fundamental tool in many parts of cryptanalysis.
M = M[l] M[2] ... M[s]. The hashing process is initialized with some fixed n-bit initial value IV*, which is a part of the specification of the hash algorithm. The hash value of M is then computed by an iterative application off, where the M[i]‘s are taken as inputs and each output off is the initial value for the next application off: H(0) := IV”, H(i) :=f(H(i-l);M[i]),
i=l,...,s.
The last output of the compression functionf is defined to be the hash value of M, i.e. h(M) := H(s).
To prevent an attacker from finding collisions by the birthday attack, n should be large enough so that computing PI* hash values is practically impossible. While n = 160 is still considered to be sufficient today, we should be prepared to move to a minimum of n = 192 (the next multiple of 32) in a few years. Hashing by Iterated Compression Hash functions belonging to the MD4 family follow a design principle of Merkle and Damgard [8]. The basic idea is that hashing, like encryption, should be done blockwise. The Merkle-Damgard principle defines how a hash function h, with n-bit hash values, can be built up from a compression functionf, loosely speaking, a ‘small hash function’. It is assumed that the computation of f is initialized by M-bit vectors, that f compresses input blocks of fixed size, say Y bits, and returns n-bit outputs. (For instance, we have n=128 and r=512 for MD4 and MD5.) Suppose that, after appropriate padding (which increases the length of the message) a given message M is split into a sequence of s blocks of length r:
56
Collisions and Pseudo-Collisions of the Compression Suppose an iterated hash function h based on a compression functionfis given. A collision of the compression function consists of an initial value IV and two different inputs X and X’ such that f(lV;X) =f(lV; X’). It is an important observation that an attack leading to collisions of the compression function is already very close to finding collisions for the hash function itself. What remains is to extend the attack in a way that it is possible to prescribe the initial value above as the initial value IV* of the hash algorithm. In fact, in this case we would have: h(X)
=f(f(IV”;X);P) =fV(IP;
X’);P)
= h( X’).
Information Security Technical Report, Vol. 4, No. 4
Secure Hashing in Practice
Here P is the block that has to be appended according to a padding rule similar to the one used in all MD4-like hash functions. This block is identical for both messages X and X’, since they have the same length. Informally speaking we can state that: ??
collisions of the compression function are (instances of) collisions of the hash function with a wrong initial value.
On the other hand we use the more general term pseudo-collision of the compression function if two initial values IV, IV’ and inputs X, X’ are given such that: f(IV;X) = f(lV’; X’). and such that (IV,X) and (IV’,X’) are different. Thus we allow different initial values here. The fundamental theoretical result of the described Merkle-Damgard construction (hashing by iterated compression) is: Merkle-Damgard Theorem. rf the compression function f is pseudo-collision resistant then the derived hashfunction h is collision resistant. Unfortunately we cannot apply this theorem to decide on the collision resistance of MD4like hash functions, neither in the positive nor in the negative sense. Finding pseudocollisions off with different initial values (see the section entitiled ‘MD5: Four rounds are not enough for collision resistance’) does not necessarily provide any hint on finding collisions of 11.(We do not have the converse of the Merkle-Damgard Theorem.) On the other hand, for the reasons discussed above, we cannot currently construct a practical compression function (small hash function) with provable pseudo-collision resistance. In contrast, collisions of the compression function are already close to being hash
Information
Security Technical
Report, Vol. 4, No. 4
collisions since only the initial value is wrong. Hence, in order to avoid misinterpretations of the cryptanalytic result it is very important to distinguish between collisions and pseudocollisions of the compression function (caution: some authors call a collision what we call a pseudo-collision; see for instance [6]). Compression of MD6like Hash Functions The individual steps of the compression process from the MD4-family are based on the following operations on words, where a word is a 32-bit quantity: ??
bitwise Boolean operations;
??
addition module Z3*;
??
cyclic shifts.
These operations have been chosen since they can be computed quickly on 32-bit processors and since the mixing of Boolean functions and addition is believed to be cryptographically strong. In the following sections ‘+’ is used to denote addition modulo 232, and ‘CC s’ to denote a left circular shift by s positions. As an example I take a closer look at the MD4 compression function to illustrate its internal structure. The 512-bit input X and 12%bit initial value IV are split into words. The compression process operates on four word registers (chaining registers): A, B, C, D, which are initialized with IV. The compression algorithm has three rounds. A round consists of 16 steps. In each round all input words X[i] (i<16) are applied in a different order, as shown in the following table: ??
X[i] in round 1: i = 0,,,,,,,,,, 1 2 3 4 5 6 7 8 9 10,11,12,13,14,15
57
Secure Hashing in Practice
X[i] in round 2: i = 0,4,8,12,1,5,9,13,2,6,10,14,3,7,11,15
computational five rounds.
X[i] in round 3: i = 0,8,4,12,2,10,6,14 I 19I I5 I 13,3,11,7,15
The following table of Antoon Bosselaers shows the relative performance of the members of the MD4-family:
In every step, one of the chaining registers is updated. A typical step operation of the compression in MD4 is: A := (A + Q(B,C,D) + X[i] + K) << s, where Q is a round-dependent Boolean function (e.g. XOR), K is a step-dependent constant and the rotation amount s is stepdependent. After processing the three rounds, the compression value is obtained by wordwise addition (modulo 232) of IV to the chaining registers. The design of the compression function of the other MD4-like hash function is based more or less on MD4. They have different numbers of rounds, the step operation is modified and so on. SHA, SHA-1, RIPEMD and IUPEMD-160, the MD4 derivatives with 160-bit hash values, use five registers instead of four. Extended MD4 with 256-bit hash values uses eight registers or, more precisely, two instances of four registers, which are used in parallel. Hash function
Rounds
MD4 3 Extended MD4 6 5 SHA SHA-1 5 RIPEMD 6 Variable HAVAL RIPEMD-128 8 RIPEMD-160 10
Output size (bit) 128 256 160 160 128 Variable 128 160
Here a round consists of 16 steps. SHA/SHA1 needs a special comment; their compression function has no rounds, but consists of 80 steps that are (with respect to the
58
effort required) equivalent to
Hash function
Performance
RIPEMD-160 RIPEMD-128 SHA-1 SHA RIPEMD MD5 Extended MD4 MD4
0.24 0.38 0.28 0.28 0.46 0.68 0.49 1.00
Attacks on MD44ike Hash Functions In what follows we shall describe the status of the analysis of all MD4-like hash functions. A first analysis of MD4 and MD5 were made by Merkle (unpublished), den Boer and Bosselaers 1992 [5] and 1993 [6], and by Vaudenay 1995 [21]. Then the author developed a new general technique to attack MD4-like hash functions and applied it to RIPEMD, MD4, Extended MD4 and MD5 in a series of papers (1996-1998 [9-11,13, 141). The basic idea of this method is a taming of the avalanche effect by restriction to collisions of a special form: we assume for the collision message pair X, X’that all words coincide, with one exception, say X[i,,] and X’[i,]: X’[i,] = X[i,] + F, where 6 is some non-zero word with small Hamming weight. Loosely speaking this is saying that X’[i,] and X[i,] differ only in a small number of bit positions. The most recent result is the analysis of SHA by Chabaud and Joux [7] in 1998.
Information
Security Technical
Report, Vol. 4, No. 4
Secure Hashing in Practice
MD4: Three Rounds Are Not Enough
applied within the single steps is identical. This allows us to attack both lines simultaneously (i.e. in parallel).
The best achieved analytic result for MD4 is a collision consisting of two contracts (see ‘Alf swindles Ann’ [9]):
At the price of $176 495 Alf Blowfish sells his house to Ann Bonidea...
The 1993 design of RIPEMD is modelled after Extended MD4, and unfortunately it also suffered from the same design defect. Thus the author was able to find attacks on two-round reductions of RIPEMD [ll]. 1
At the price of $276 495 Alf Blowfish sells his house to Ann Bonidea... Here the asterisks represent 20 ‘random’ bytes that form a header. These two contracts have the same MD4 hash value. Moreover, if the third round in the compression function of MD4 is cancelled then it is shown in Ref. [15] how pre-images can be constructed. This result settles the one-way-requirement question for MD4. Despite this rather devastating analysis it does not mean that the MD4 design principle is compromised. The moral is simply: three compression rounds are not enough. Extended MD4 and RIPEMD: Too Much Symmetry The compression of Extended MD4 consists of two instances of a modified MD4 compression that run in parallel, with some interaction. Although the Extended MD4 compression has six rounds (two multiplied by three) it is surprisingly weak. The reason for this weakness, that in 1996 led to the finding of collisions of the compression function [14, Section 81, can be clearly identified: the two parallel lines in the compression are too similar. The ordering in which the words are
Information
Security Technical
Report, Vol. 4, No. 4
MD5: Four Rounds Are Not Enough for Collision Resistance MD5 is a slightly modified version of MD4 with a four round compression. In 1993 den Boer and Bosselaers [6] found pseudocollisions for the compression function of MD5 with differenf inifia2 values, but common input. This result implies that the Merkle-Damgard Theorem (see above), that derives the security of a hash function from its underlying compression function, cannot be invoked for MD5. This finding of pseudocollisions shows that the compression function, considered as a cryptographic primitive of its own, has a weakness. However, as already discussed above, the pseudo-collisions alone do not lead us closer to collisions of the hash function. In 1996, the author [lo] constructed collisions of the MD5 compression, i.e. MD5 collisions with a wrong initial value. This comes close enough to collisions of MD5 (see above) to suggest that in the future MD5 should no longer be implemented in applications like signature schemes, where a collision-resistant hash function is required. The conclusion is that four compression rounds are still not enough for collision resistance. SHA: Too Much Linearity The hash function SHA published by NIST in 1992 also belongs to the MD4-family. The SHA compression function has 80 steps. The most
59
Secure Hashing in Practice
remarkable design idea in SHA, which is essentially different to the design of all other MD4-like hash functions, is a linear expansion of the sequence of input words for the compression instead of multiple applications of input words in different rounds. To be precise, this change caused a ‘flaw’ such that NIST/NSA had to replace SHA with SHA-1 (see [SHA]). Information about this ‘flaw’found by NSA was never published. In 1998, Chaubaud and Joux [7] found an attack on SHA (in which the effort was not practical) but whose effort was an improvement on the birthday attack.
On a scale ranging from ‘0’ for ‘one-way requirement disproved’ to ‘10’ for ‘can be regarded as definitively secure (i.e. collision resistant)’ the author would estimate the cryptographic strength of the MD4-like hash functions to be as follows:
SHA-1: Expansion Repaired
Hash function
Grade
In the revised version of SHA, the expansion of the compression input from 20 to 80 words is no longer linear; each step in the linear recursion is now combined with a cyclic onebit shift.
RIPEMD-128/160 SHA-1 SHA RIPEMD MD5 Extended MD4 MD4
10 9 8 6 5 4 1
Various promising new characteristics are included in the design of HAVAL. (For example, the invention of a Boolean function with seven variables in HAVAL, instead of only three as in all other members of the MD4family, gives the designer more flexibility in choosing cryptographically strong components.) These ideas probably improve the cryptographic strength, but might also introduce unexpected weaknesses. It should be investigated whether there is a suitable modification of the MD4 attack that could be applied to the three-round version of HAVAL. Until such analysis has been performed, the strength of HAVAL cannot be assessed. RIPEMD-128 and RIPEMD-160: a Design Based on Present Analytic Experiences The design of RIPEMD-160 is directly based on RIPEMD (and the 256-bit extension of MD4). However, conclusions of the recent analytic results are taken into account (how to choose, or not to choose, certain parameters),
60
and the number of rounds is extended from three to five (for each of two parallel lines), i.e. there are 160 steps. RIPEMD-160 produces 160-bit hash values (nomerzest omen).
Conclusions
Of course the precise grades in this table should not be taken literally. There is no objective measure for cryptographic strength. The intention of the table is to give an indication of how the relative security can be rated from the author’s point of view. As mentioned above, we cannot estimate the various versions of HAVAL, since to date no analysis has been performed. We should also emphasize that the above table only considers the resistance against analytic attacks, not the birthday attack, which becomes more and more relevant in future for 12%bit hash functions MD5, RIPEMD and RIPEMD-128. Van Oorschot and Wiener calculated that at a cost of $10 million one can build a ‘birthday attack’ machine that finds MD5 collisions in about a month. In summary, we can recommend RIPEMD-160 and SHA-1 as collision resistant (and therefore
Information
Security Technical
Report, Vol. 4, No. 4
Secure Hashing in Practice
one-way) hash functions. If only a one-way hash function is needed we recommend in addition MD5, since it is very fast. However, the other hash functions in the above table can also be used as one-way functions with one exception, namely MD4 itself.
References ‘I’FIPS 180-1, Secure hash standard, NIST, US Department April 1995.
of Commerce,
Washington
DC,
I21RIPE Consortium, Ripe Integrity Primitives Final report of RACE integrity Primitives Evaluation (RZ040), Lecture Notes in Computer Science, Vol. 1007, Springer-Verlag, 1995. 131M.Bellare, R. Canetti and H. Krawczyk, The HMAC Construction, CryptoBytes, 2(l), 1996, pp. 12-15. I41M. Bellare, R. Canetti and H. Krawczyk, Keyed hash functions for message authentication, Advances in Cryptology Crypt0 ‘96, Lecture Notes in Computer Science, Springer-Verlag, 1996, pp. l-15. IsIB. den Boer and A. Bosselaers, An attack on the last two rounds of MD4, Advances in Cryptology - Crypt0 ‘91, Lecture Notes in Computer Science, Vol. 576, Springer-Verlag, 1992, pp. 194-203.
I81I.B. Damgard, A design principle for hash functions, Advances in Cryptology Crypt0 ‘89, Lecture Notes in Computer Science, Vol. 435, Springer-Verlag, 1990, pp. 416-427. L91H.Dobbertin, Alf swindles Ann, CvyptoBytes, l(3), 1995, p. 5. ilo’H. Dobbertin, The status of MD5 after a recent attack, CryptoBytes, 2(2), 1996, pp. 1-6. (l’l H. Dobbertin, RIPEMD with two-round compress function is not collision-free, Journd of Cryptology, 10 (1997), pp. 51-68. [I21H. Dobbertin, A. Bosselaers and B. Preneel, RIPEMD-160: A strengthened version of RIPEMD, Fast Software Encryption Cambridge Workshop, Lecture Notes in Computer Science, Vol. 1039, Springer-Verlag, 1996, pp. 71-82. [I’] H. Dobbertin, Cryptanalysis of MD4, Fast Cambridge Software Encryption Workshop, Lecture Notes in Computer Science, Vol. 1039, Springer-Verlag, 1996, pp. 53-69. ual H. Dobbertin, Cryptanalysis MD4, Journal of Cryptology, 11 (1998), 253-274.
of pp.
Ih’B. den Boer and A. Bosselaers, Collisions for the compression function of MD5, Advances in Cryptology - Eurocrypt ‘93, Lecture Notes in Computer Science, Vol. 773, SpringerVerlag, 1994, pp. 293-304.
~~1H. Dobbertin, The first two rounds of MD4 are not one-way, Fast Software Encryption - Paris Workshop, Lecture Notes in Computer Science, Vol. 1372, Springer-Verlag, 1998.
I71F. Chabaud and A. Joux, Differential an explanation for SHA-1, collisions: Advances in Cryptology - Crypt0 ‘98, Lecture Notes in Computer Science, SpringerVerlag, 1998.
~~1L. Knudsen and B. Preneel, Fast and secure hashing based on codes, Advances in Cryptology - Crypt0 ‘97, Lecture Notes in Computer Science, Vol. 1294, Springer-Verlag, 1997, pp. 485498.
Information Security Technical Report, Vol. 4, No. 4
61
Secure Hashing in Practr
cl71PC. van Oorschot and M.J. Wiener, Parallel collision search with applications to hash functions and discrete logarithms, Journal of Cryptology, 12 (1999). [I*] R. Rivest, The MD4 message digest algorithm, Advances in Cryptology Crypt0 ‘90, Lecture Notes in Computer Science, Vol. 537, Springer-Verlag, 1991, pp. 303-311. ~~1 R. Rivest, The MD4 message-digest algorithm, Request for Comments (RFC) 1320, Internet Activities Board, Internet Privacy Task Force, April 1992. 1201R. Rivest, The MD5 message-digest algorithm, Request for Comments (RFC) 1321,
62
Internet Activities Board, Internet Task Force, April 1992.
Privacy
PII D.R. Stinson, Cryptograyhy: Theory and Practice, CRC Press, Boca Raton, 1995. lz21 S. Vaudenay, On the need for multipermutations: cryptanalysis of MD4 and SAFER, Fast Software Encryption - Leuven Workshop, Lecture Notes in Computer Science, Vol. 1008, Springer-Verlag, 1995, pp. 286-297. Lz31 Y. Zheng, J. Pieprzyk and J. Seberry. HAVAL - a one-way hashing algorithm with variable length and output, Advances in Cryptology Auscrypt ‘92, Lecture Notes in Computer Science, Springer-Verlag, 1993, pp. 83-104.
Information
Security Technical
Report, Vol. 4, No. 4
Secure Hashing in Practice Hans Dobbertin, German Information Security Agency, l?O. Box 20 03 63, D-53133 Bonn, Gevmany
Introduction
sending (signing without hashing would, at least, double the size of a message). A fundamental requirement for a hash function h is that it must be collision-resistant: ??
Modern asymmetric cryptology started with the invention of digital signatures by Diffie and Hellman in the mid-seventies, and shortly after Rivest, Shamir and Adleman made this idea concrete by introducing their famous RSA scheme. Signing and verification in this scheme uses modular exponentiation, where the public modulus is the product of two (secret) large primes. The system can be broken if it is possible to factorize the modulus, since it is then easy to compute the secret key (the exponent for signing) from the public key (the exponent for verification). Thus the security of RSA relies on the difficulty of factorizing large numbers. Other newer digital signature schemes depend on the difficulty of the Discrete Log Problem in finite groups (for instance the multiplicative groups of a large finite prime field). To implement practical digital signature additional needs an schemes one cryptographic primitive, a so-called (cryptographic) hash function. A hash algorithm computes the output (or hash value), that is a short string of fixed length say n bits - as a function of the input (message), a bit string of arbitrary length (that is usually much larger than the fixed length). In digital signature schemes a message is hashed before signing. The reasons for applying a hash function are to save computation time (hash algorithms are significantly faster than asymmetric mechanisms; to be more precise: a slow hash function would be useless for practical applications), storage space and time for
0167-4048/99/$20.00
0 1999, Elsevier Science Ltd
Collision resistance: it is practically impossible to find a collision which is a pair of two different messages X and X’ with h(X)=h(X’).
Of course the existence of collisions is unavoidable. The point is that they cannot be found in practice. The reason for this requirement is as follows. Eve could misuse a collision: she convinces Alice to sign X and later she can replace X by X’. The signature for X is also valid for X’, since the verification process only refers to the (identical) hash value of X and X’. Therefore a hash function must be collision resistant (see section entitled ‘MD4: Three rounds are not enough’). In what follows we shall use the term ‘secure hash function’ to imply collision resistance. Hash functions also occur as components in various other cryptographic applications (e.g. protection of pass-phrases) where usually much weaker cryptological requirements are sufficient, namely pre-image resistance and second pre-image resistance: he-image resistance: given an n-bit value V it is practically impossible to find a message X with h(X)=V. Second pre-image resistance: given a message Y it is practically impossible to find a message X different from Y with h(X)=h(Y). If both pre-image and second pre-image resistance is satisfied then we say that h is oneway. If we ignore ‘pathological’ examples of
53
Secure Hashing in Practice
hash functions that do not behave like a random function (a good hash function should behave like a random function), then collision resistance implies both pre-image resistance and second pre-image resistance. If the one-way requirement is violated then the cryptographic defect is dramatically worse than in the case of violated collision resistance: Eve does not depend on the cooperation of Alice. If she gets hold of any message signed by Alice then she is able to replace it with a different message. We must admit that the above notions of collision resistance and one-way requirement are pragmatic and not ‘hard’ mathematical definitions. (What is the precise meaning of ‘practically impossible’?) It is possible to make them precise by introducing suitable formalisms but these definitions are not useful in practice. This is a common problem in cryptology where we develop theory for practical cryptographic mechanisms, and conversely have to derive practical cryptographic mechanisms starting from a theoretical perspective. How can we prove that a concrete practical hash function is secure (collision resistant)? The answer is that we cannot. The answer is even worse: trying to develop a design that allows us to prove ‘security’ in a weaker sense than collision resistance might cause a cryptographical risk. To avoid an over-interpretation of this rather rigorous statement a few remarks should be added. The Discrete Log Problem (DLP) can be transformed into a collision-finding problem. Suppose you have a finite cyclic group G of order, then the DLP means that given random u, b in G, where u generates G, you have to find an integer X, smaller than the order t of G, such that a” = b.
54
This looks like a pre-image problem, for which we would need about t computations of uyin order to match b. But actually it can be treated much more effectively, since we have the homomorphic equation
We define the functions E(X) = uXand F(x) = (a”b)-’ for x = OJ,..., t-1. By a collision of E and F we mean a pair of integers x,, x, with E(x,) = F(x,). Such a collision leads to the solution x=x,-x, mod t of ax=b: a q-‘;?= E(x,)F(xJ’b
=b
Note that conversely if we have a solution of ax= b then x,0 forms a collision of E and E Only after computing a total of dt values of E and F do we have a good chance of finding a collision (see section entitled ‘Birthday Attack’). This connection between the DLP and collision finding explains why one can construct hash functions for which the intractability of DLP implies collision resistance. (Details can be found in Section 7.4 of the standard cryptography book by Douglas Stinson [21].) However, this hash function, for which we have at least provable relative security, is similar to the situation we have with RSA. Therefore it does not meet our requirement of being fast. It remains an open challenge to find fast hash functions for which we can prove security, in the sense of collision resistance, relative to a mathematical problem that is believed to be hard. Until we can reach this situation we have to make ad-hoc designs of practical hash functions. Here we have the pitfall of developing a hash function that is ‘provably secure’ in the sense that, for instance, all hash values occur with about the same probability. On the one hand, it would of course be nice to have such a property from the theoretical point of view. On the other hand, experience has shown that we run the risk of having a design
Information
Security Technical
Report, Vol. 4, No. 4
Secure Hashing in Practice
that allows us to prove a certain restricted aspect of security but also causes other weaknesses. As long as our theoretical knowledge is as limited as it is today, we think that for pracficnl applications it is better to follow another approach, loosely speaking: trial and error. Proposals are discussed in the cryptographic community. Their analysis leads to (partial) attacks, and in this way we derive more and more insight on how to avoid the observed weaknesses. The survivors of this cryptographical evolution are the candidates for becoming standards. The design of practical block ciphers, in particular the current AES design exercise (covered by Sean Murphy in this issue) is another example of this procedure. Almost all currently used hash functions are derivatives of the hash function MD4. Therefore, in this article I focus on this class of hash functions. However, much more can be said about hash functions. We shall not examine topics like building hash functions from block ciphers (see e.g. 1161) or MAC algorithms based on hash functions (see e.g. [3,4]). Chapter 9 of the Handbook of Applied Cryptography [17] gives thorough exposition of hash functions. MD4 was introduced by Ron Rivest [lS, 191 in 1990. This was the starting point for the development of a series of similar hash functions. These MDklike hash functions are: Extended MD4, the 256-bit extension MD4 (Rivest [18]);
of
MD5, the strengthened successor of MD4 introduced by Rivest [20] in 1991; SHA, the ‘Secure Hash Algorithm’ designed by NIST/NSA in 1992, later substituted by the slightly revised SHA-1 [I] in 1995;
information
Security Technical
Report, Vol. 4, No. 4
HAVAL published by Zheng, Pieprzyk and Seberry [23] in 1993; RIPEMD designed 1993 within the framework of the European project RIPE 121; RIPEMD-160 and RIPEMD-128, strengthened versions of RIPEMD, published by Bosselaers, Preneel and the authors in Ref. [12] in 1996.
Designing Hash Functions The design of hash functions is certainly one of the most difficult goals in cryptography. The difficulty is to find a design that is both fast and cryptographically strong. To be more precise, to find an appropriate balance between performance and a degree of ‘complexity’ that is adequate from the point of view of collision resistance. Birthday Attack A general form of the well-known paradox’ states the following: ??
‘birthday
Birthday paradox: Suppose that F is a function that takes on precisely, say, f values. Then about d(f) many evaluations of F suffice to find a collision.
The term ‘birthday’ refers to a real example, namely birthday collisions: in a group of only 23 people the probability that there are two of them that have the same birthday is greater than half. The term ‘paradox’ is used because this number is surprisingly low. Of course this is not a real paradox. Actually the statement of the ‘birthday paradox’ is true, since - arguing in a heuristic way - the number of pairs of evaluations (and therefore chances for a collision), that occur among t evaluations, is in the order of d(f)’ = f. On the other hand, the chance of a random pair of evaluations colliding is 1 /t.
55
Secure Hashing in Practice
An n-bit hash function can take on 2” values. Thus after computing hash values for about 2”/* = d(2”) messages we expect to find a collision. Important research is focussed on practical implementations of collision searches that exploit the birthday paradox or its variants, on restricting the storage space (a naive implementation needs storage for 2”‘* hash values, but you can reduce it to ‘almost nothing’), on exploiting parallelism and so on. We mention the fundamental and brilliant work of John Pollard (see Ref. [17] for recent references to this direction of research). The birthday attack, i.e. application of the birthday paradox in order to attack a cryptographic mechanism, is a fundamental tool in many parts of cryptanalysis.
M = M[l] M[2] ... M[s]. The hashing process is initialized with some fixed n-bit initial value IV*, which is a part of the specification of the hash algorithm. The hash value of M is then computed by an iterative application off, where the M[i]‘s are taken as inputs and each output off is the initial value for the next application off: H(0) := IV”, H(i) :=f(H(i-l);M[i]),
i=l,...,s.
The last output of the compression functionf is defined to be the hash value of M, i.e. h(M) := H(s).
To prevent an attacker from finding collisions by the birthday attack, n should be large enough so that computing PI* hash values is practically impossible. While n = 160 is still considered to be sufficient today, we should be prepared to move to a minimum of n = 192 (the next multiple of 32) in a few years. Hashing by Iterated Compression Hash functions belonging to the MD4 family follow a design principle of Merkle and Damgard [8]. The basic idea is that hashing, like encryption, should be done blockwise. The Merkle-Damgard principle defines how a hash function h, with n-bit hash values, can be built up from a compression functionf, loosely speaking, a ‘small hash function’. It is assumed that the computation of f is initialized by M-bit vectors, that f compresses input blocks of fixed size, say Y bits, and returns n-bit outputs. (For instance, we have n=128 and r=512 for MD4 and MD5.) Suppose that, after appropriate padding (which increases the length of the message) a given message M is split into a sequence of s blocks of length r:
56
Collisions and Pseudo-Collisions of the Compression Suppose an iterated hash function h based on a compression functionfis given. A collision of the compression function consists of an initial value IV and two different inputs X and X’ such that f(lV;X) =f(lV; X’). It is an important observation that an attack leading to collisions of the compression function is already very close to finding collisions for the hash function itself. What remains is to extend the attack in a way that it is possible to prescribe the initial value above as the initial value IV* of the hash algorithm. In fact, in this case we would have: h(X)
=f(f(IV”;X);P) =fV(IP;
X’);P)
= h( X’).
Information Security Technical Report, Vol. 4, No. 4
Secure Hashing in Practice
Here P is the block that has to be appended according to a padding rule similar to the one used in all MD4-like hash functions. This block is identical for both messages X and X’, since they have the same length. Informally speaking we can state that: ??
collisions of the compression function are (instances of) collisions of the hash function with a wrong initial value.
On the other hand we use the more general term pseudo-collision of the compression function if two initial values IV, IV’ and inputs X, X’ are given such that: f(IV;X) = f(lV’; X’). and such that (IV,X) and (IV’,X’) are different. Thus we allow different initial values here. The fundamental theoretical result of the described Merkle-Damgard construction (hashing by iterated compression) is: Merkle-Damgard Theorem. rf the compression function f is pseudo-collision resistant then the derived hashfunction h is collision resistant. Unfortunately we cannot apply this theorem to decide on the collision resistance of MD4like hash functions, neither in the positive nor in the negative sense. Finding pseudocollisions off with different initial values (see the section entitiled ‘MD5: Four rounds are not enough for collision resistance’) does not necessarily provide any hint on finding collisions of 11.(We do not have the converse of the Merkle-Damgard Theorem.) On the other hand, for the reasons discussed above, we cannot currently construct a practical compression function (small hash function) with provable pseudo-collision resistance. In contrast, collisions of the compression function are already close to being hash
Information
Security Technical
Report, Vol. 4, No. 4
collisions since only the initial value is wrong. Hence, in order to avoid misinterpretations of the cryptanalytic result it is very important to distinguish between collisions and pseudocollisions of the compression function (caution: some authors call a collision what we call a pseudo-collision; see for instance [6]). Compression of MD6like Hash Functions The individual steps of the compression process from the MD4-family are based on the following operations on words, where a word is a 32-bit quantity: ??
bitwise Boolean operations;
??
addition module Z3*;
??
cyclic shifts.
These operations have been chosen since they can be computed quickly on 32-bit processors and since the mixing of Boolean functions and addition is believed to be cryptographically strong. In the following sections ‘+’ is used to denote addition modulo 232, and ‘CC s’ to denote a left circular shift by s positions. As an example I take a closer look at the MD4 compression function to illustrate its internal structure. The 512-bit input X and 12%bit initial value IV are split into words. The compression process operates on four word registers (chaining registers): A, B, C, D, which are initialized with IV. The compression algorithm has three rounds. A round consists of 16 steps. In each round all input words X[i] (i<16) are applied in a different order, as shown in the following table: ??
X[i] in round 1: i = 0,,,,,,,,,, 1 2 3 4 5 6 7 8 9 10,11,12,13,14,15
57
Secure Hashing in Practice
X[i] in round 2: i = 0,4,8,12,1,5,9,13,2,6,10,14,3,7,11,15
computational five rounds.
X[i] in round 3: i = 0,8,4,12,2,10,6,14 I 19I I5 I 13,3,11,7,15
The following table of Antoon Bosselaers shows the relative performance of the members of the MD4-family:
In every step, one of the chaining registers is updated. A typical step operation of the compression in MD4 is: A := (A + Q(B,C,D) + X[i] + K) << s, where Q is a round-dependent Boolean function (e.g. XOR), K is a step-dependent constant and the rotation amount s is stepdependent. After processing the three rounds, the compression value is obtained by wordwise addition (modulo 232) of IV to the chaining registers. The design of the compression function of the other MD4-like hash function is based more or less on MD4. They have different numbers of rounds, the step operation is modified and so on. SHA, SHA-1, RIPEMD and IUPEMD-160, the MD4 derivatives with 160-bit hash values, use five registers instead of four. Extended MD4 with 256-bit hash values uses eight registers or, more precisely, two instances of four registers, which are used in parallel. Hash function
Rounds
MD4 3 Extended MD4 6 5 SHA SHA-1 5 RIPEMD 6 Variable HAVAL RIPEMD-128 8 RIPEMD-160 10
Output size (bit) 128 256 160 160 128 Variable 128 160
Here a round consists of 16 steps. SHA/SHA1 needs a special comment; their compression function has no rounds, but consists of 80 steps that are (with respect to the
58
effort required) equivalent to
Hash function
Performance
RIPEMD-160 RIPEMD-128 SHA-1 SHA RIPEMD MD5 Extended MD4 MD4
0.24 0.38 0.28 0.28 0.46 0.68 0.49 1.00
Attacks on MD44ike Hash Functions In what follows we shall describe the status of the analysis of all MD4-like hash functions. A first analysis of MD4 and MD5 were made by Merkle (unpublished), den Boer and Bosselaers 1992 [5] and 1993 [6], and by Vaudenay 1995 [21]. Then the author developed a new general technique to attack MD4-like hash functions and applied it to RIPEMD, MD4, Extended MD4 and MD5 in a series of papers (1996-1998 [9-11,13, 141). The basic idea of this method is a taming of the avalanche effect by restriction to collisions of a special form: we assume for the collision message pair X, X’that all words coincide, with one exception, say X[i,,] and X’[i,]: X’[i,] = X[i,] + F, where 6 is some non-zero word with small Hamming weight. Loosely speaking this is saying that X’[i,] and X[i,] differ only in a small number of bit positions. The most recent result is the analysis of SHA by Chabaud and Joux [7] in 1998.
Information
Security Technical
Report, Vol. 4, No. 4
Secure Hashing in Practice
MD4: Three Rounds Are Not Enough
applied within the single steps is identical. This allows us to attack both lines simultaneously (i.e. in parallel).
The best achieved analytic result for MD4 is a collision consisting of two contracts (see ‘Alf swindles Ann’ [9]):
At the price of $176 495 Alf Blowfish sells his house to Ann Bonidea...
The 1993 design of RIPEMD is modelled after Extended MD4, and unfortunately it also suffered from the same design defect. Thus the author was able to find attacks on two-round reductions of RIPEMD [ll]. 1
At the price of $276 495 Alf Blowfish sells his house to Ann Bonidea... Here the asterisks represent 20 ‘random’ bytes that form a header. These two contracts have the same MD4 hash value. Moreover, if the third round in the compression function of MD4 is cancelled then it is shown in Ref. [15] how pre-images can be constructed. This result settles the one-way-requirement question for MD4. Despite this rather devastating analysis it does not mean that the MD4 design principle is compromised. The moral is simply: three compression rounds are not enough. Extended MD4 and RIPEMD: Too Much Symmetry The compression of Extended MD4 consists of two instances of a modified MD4 compression that run in parallel, with some interaction. Although the Extended MD4 compression has six rounds (two multiplied by three) it is surprisingly weak. The reason for this weakness, that in 1996 led to the finding of collisions of the compression function [14, Section 81, can be clearly identified: the two parallel lines in the compression are too similar. The ordering in which the words are
Information
Security Technical
Report, Vol. 4, No. 4
MD5: Four Rounds Are Not Enough for Collision Resistance MD5 is a slightly modified version of MD4 with a four round compression. In 1993 den Boer and Bosselaers [6] found pseudocollisions for the compression function of MD5 with differenf inifia2 values, but common input. This result implies that the Merkle-Damgard Theorem (see above), that derives the security of a hash function from its underlying compression function, cannot be invoked for MD5. This finding of pseudocollisions shows that the compression function, considered as a cryptographic primitive of its own, has a weakness. However, as already discussed above, the pseudo-collisions alone do not lead us closer to collisions of the hash function. In 1996, the author [lo] constructed collisions of the MD5 compression, i.e. MD5 collisions with a wrong initial value. This comes close enough to collisions of MD5 (see above) to suggest that in the future MD5 should no longer be implemented in applications like signature schemes, where a collision-resistant hash function is required. The conclusion is that four compression rounds are still not enough for collision resistance. SHA: Too Much Linearity The hash function SHA published by NIST in 1992 also belongs to the MD4-family. The SHA compression function has 80 steps. The most
59
Secure Hashing in Practice
remarkable design idea in SHA, which is essentially different to the design of all other MD4-like hash functions, is a linear expansion of the sequence of input words for the compression instead of multiple applications of input words in different rounds. To be precise, this change caused a ‘flaw’ such that NIST/NSA had to replace SHA with SHA-1 (see [SHA]). Information about this ‘flaw’found by NSA was never published. In 1998, Chaubaud and Joux [7] found an attack on SHA (in which the effort was not practical) but whose effort was an improvement on the birthday attack.
On a scale ranging from ‘0’ for ‘one-way requirement disproved’ to ‘10’ for ‘can be regarded as definitively secure (i.e. collision resistant)’ the author would estimate the cryptographic strength of the MD4-like hash functions to be as follows:
SHA-1: Expansion Repaired
Hash function
Grade
In the revised version of SHA, the expansion of the compression input from 20 to 80 words is no longer linear; each step in the linear recursion is now combined with a cyclic onebit shift.
RIPEMD-128/160 SHA-1 SHA RIPEMD MD5 Extended MD4 MD4
10 9 8 6 5 4 1
Various promising new characteristics are included in the design of HAVAL. (For example, the invention of a Boolean function with seven variables in HAVAL, instead of only three as in all other members of the MD4family, gives the designer more flexibility in choosing cryptographically strong components.) These ideas probably improve the cryptographic strength, but might also introduce unexpected weaknesses. It should be investigated whether there is a suitable modification of the MD4 attack that could be applied to the three-round version of HAVAL. Until such analysis has been performed, the strength of HAVAL cannot be assessed. RIPEMD-128 and RIPEMD-160: a Design Based on Present Analytic Experiences The design of RIPEMD-160 is directly based on RIPEMD (and the 256-bit extension of MD4). However, conclusions of the recent analytic results are taken into account (how to choose, or not to choose, certain parameters),
60
and the number of rounds is extended from three to five (for each of two parallel lines), i.e. there are 160 steps. RIPEMD-160 produces 160-bit hash values (nomerzest omen).
Conclusions
Of course the precise grades in this table should not be taken literally. There is no objective measure for cryptographic strength. The intention of the table is to give an indication of how the relative security can be rated from the author’s point of view. As mentioned above, we cannot estimate the various versions of HAVAL, since to date no analysis has been performed. We should also emphasize that the above table only considers the resistance against analytic attacks, not the birthday attack, which becomes more and more relevant in future for 12%bit hash functions MD5, RIPEMD and RIPEMD-128. Van Oorschot and Wiener calculated that at a cost of $10 million one can build a ‘birthday attack’ machine that finds MD5 collisions in about a month. In summary, we can recommend RIPEMD-160 and SHA-1 as collision resistant (and therefore
Information
Security Technical
Report, Vol. 4, No. 4
Secure Hashing in Practice
one-way) hash functions. If only a one-way hash function is needed we recommend in addition MD5, since it is very fast. However, the other hash functions in the above table can also be used as one-way functions with one exception, namely MD4 itself.
References ‘I’FIPS 180-1, Secure hash standard, NIST, US Department April 1995.
of Commerce,
Washington
DC,
I21RIPE Consortium, Ripe Integrity Primitives Final report of RACE integrity Primitives Evaluation (RZ040), Lecture Notes in Computer Science, Vol. 1007, Springer-Verlag, 1995. 131M.Bellare, R. Canetti and H. Krawczyk, The HMAC Construction, CryptoBytes, 2(l), 1996, pp. 12-15. I41M. Bellare, R. Canetti and H. Krawczyk, Keyed hash functions for message authentication, Advances in Cryptology Crypt0 ‘96, Lecture Notes in Computer Science, Springer-Verlag, 1996, pp. l-15. IsIB. den Boer and A. Bosselaers, An attack on the last two rounds of MD4, Advances in Cryptology - Crypt0 ‘91, Lecture Notes in Computer Science, Vol. 576, Springer-Verlag, 1992, pp. 194-203.
I81I.B. Damgard, A design principle for hash functions, Advances in Cryptology Crypt0 ‘89, Lecture Notes in Computer Science, Vol. 435, Springer-Verlag, 1990, pp. 416-427. L91H.Dobbertin, Alf swindles Ann, CvyptoBytes, l(3), 1995, p. 5. ilo’H. Dobbertin, The status of MD5 after a recent attack, CryptoBytes, 2(2), 1996, pp. 1-6. (l’l H. Dobbertin, RIPEMD with two-round compress function is not collision-free, Journd of Cryptology, 10 (1997), pp. 51-68. [I21H. Dobbertin, A. Bosselaers and B. Preneel, RIPEMD-160: A strengthened version of RIPEMD, Fast Software Encryption Cambridge Workshop, Lecture Notes in Computer Science, Vol. 1039, Springer-Verlag, 1996, pp. 71-82. [I’] H. Dobbertin, Cryptanalysis of MD4, Fast Cambridge Software Encryption Workshop, Lecture Notes in Computer Science, Vol. 1039, Springer-Verlag, 1996, pp. 53-69. ual H. Dobbertin, Cryptanalysis MD4, Journal of Cryptology, 11 (1998), 253-274.
of pp.
Ih’B. den Boer and A. Bosselaers, Collisions for the compression function of MD5, Advances in Cryptology - Eurocrypt ‘93, Lecture Notes in Computer Science, Vol. 773, SpringerVerlag, 1994, pp. 293-304.
~~1H. Dobbertin, The first two rounds of MD4 are not one-way, Fast Software Encryption - Paris Workshop, Lecture Notes in Computer Science, Vol. 1372, Springer-Verlag, 1998.
I71F. Chabaud and A. Joux, Differential an explanation for SHA-1, collisions: Advances in Cryptology - Crypt0 ‘98, Lecture Notes in Computer Science, SpringerVerlag, 1998.
~~1L. Knudsen and B. Preneel, Fast and secure hashing based on codes, Advances in Cryptology - Crypt0 ‘97, Lecture Notes in Computer Science, Vol. 1294, Springer-Verlag, 1997, pp. 485498.
Information Security Technical Report, Vol. 4, No. 4
61
Secure Hashing in Practr
cl71PC. van Oorschot and M.J. Wiener, Parallel collision search with applications to hash functions and discrete logarithms, Journal of Cryptology, 12 (1999). [I*] R. Rivest, The MD4 message digest algorithm, Advances in Cryptology Crypt0 ‘90, Lecture Notes in Computer Science, Vol. 537, Springer-Verlag, 1991, pp. 303-311. ~~1 R. Rivest, The MD4 message-digest algorithm, Request for Comments (RFC) 1320, Internet Activities Board, Internet Privacy Task Force, April 1992. 1201R. Rivest, The MD5 message-digest algorithm, Request for Comments (RFC) 1321,
62
Internet Activities Board, Internet Task Force, April 1992.
Privacy
PII D.R. Stinson, Cryptograyhy: Theory and Practice, CRC Press, Boca Raton, 1995. lz21 S. Vaudenay, On the need for multipermutations: cryptanalysis of MD4 and SAFER, Fast Software Encryption - Leuven Workshop, Lecture Notes in Computer Science, Vol. 1008, Springer-Verlag, 1995, pp. 286-297. Lz31 Y. Zheng, J. Pieprzyk and J. Seberry. HAVAL - a one-way hashing algorithm with variable length and output, Advances in Cryptology Auscrypt ‘92, Lecture Notes in Computer Science, Springer-Verlag, 1993, pp. 83-104.
Information
Security Technical
Report, Vol. 4, No. 4