Multicollision Attacks on Some Generalized Sequential Hash Functions

Multicollision Attacks on Soe Generalized Sequential Hash Functions M. Nandi David R. Cheriton School of Coputer Science University of Waterloo Waterloo, Ontario N2L 3G1, Canada 2nandi@uwaterloo.ca D. R. Stinson David R. Cheriton School of Coputer Science University of Waterloo Waterloo, Ontario N2L 3G1, Canada dstinson@uwaterloo.ca February 11, 2008 Abstract A ulticollision for a function is a set of inputs whose outputs are all identical. A. Joux showed ulticollision attacks on the classical iterated hash function. He also showed how these ulticollision attacks can be used to get a collision attack on a concatenated hash function. In this paper, we study ulticollision attacks in a ore general class of hash functions which we ter generalized sequential hash functions. We show that ulticollision attacks exist for this class of hash functions provided that every essage block is used at ost twice in the coputation of the essage digest. 1 Introduction In this paper, we discuss ulticollision attacks on generalized sequential hash functions (a precise definition of this class of hash functions will be given in Section 3). A ulticollision is a generalized notion of collision on a function. A collision on a function g : X Y is an unordered pair {x, y} X such that g(x) = g(y). For an integer r 2, an r-way collision (or r-ulticollision) on a function, g( ), is an r-subset {x 1,..., x r } X such that g(x 1 ) = g(x 2 ) =... = g(x r ) = z (say). The coon output value, z, is known as the collision value for this r-way collision set. An r-way collision or r-ulticollision attack is an algorith which finds an r-ulticollision set with soe non-negligible probability. The birthday attack for r-way collisions has tie coplexity Θ( Y (r 1)/r ). When r = 2, the tie coplexity for finding a collision is Θ( Y 1/2 ). The tie coplexity of an attack algorith is usually proportional to the nuber of coputations of the underlying function, g, required to get a ulticollision set. Fro now on, we will use the word coplexity to ean tie coplexity, as easured by the nuber of coputations of the underlying function. 1

A classical iterated hash function [3] [17], H : {0, 1} {0, 1} n, is based on a copression function, f : {0, 1} n {0, 1} n {0, 1} n. Here, we copute the value of H in the following way; 1. Given a essage, we first apply soe good padding rule, which includes soe representation of the length of the essage, so that the length of the padded input becoes a ultiple of n (see [3], [16] and [17] for ore details). To analyze the hash function in a sipler way, we will usually ignore the padding rule. For exaple, a padding rule is irrelevant if we are concerned with essages of soe fixed length. 2. Let M = 1 l be a padded essage 1 with i = n for 1 i l, and let h 0 be soe fixed n-bit initial value. Then the classical iterated hash function, H, based on the copression function f and the initial value h 0, is defined as follows: H(M) = h l, where h i = f(h i 1, i ), 1 i l. For each 1 i < l, h i is known as an interediate hash value, and H(M) is the output hash value (also known as a essage digest). The above-described ethod is the ost frequently used technique for the design of practical hash functions. Recently, A. Joux [11] found an algorith to construct a 2 r -ulticollision set on a classical iterated hash function, having tie coplexity O(r 2 n/2 ), which is a considerable iproveent over the birthday attack (see Theore 2.2). This ulticollision attack can be considered as a weakness of the iterated hash function design because of the following reasons: 1. Joux also showed how the ulticollision attack can be used to construct a collision attack, which is better than the birthday attack, on the concatenated hash function H G where H is the classical hash function and G is any hash function. 2. There are soe other practical applications where ulticollision secure hash functions are required. These include the icropayent schee Microint [21], the identification schee of Girault and Stern [7], the signature schee of Brickell et al [1], etc. 3. (Multi)collision secure hash function design is an interesting fundaental question, because a function having an efficient (ulti)collision attack gives evidence of the non-randoness of the function. 1.1 Our Contribution and Related Work In light of the above discussion, it is an interesting question to find a good design technique for hash functions that are secure against ulticollision attacks. In this paper, we provide soe negative answers to this question. We study a certain generalization of the classical iterated hash function in which every essage block is used up to two ties in the coputation of a essage digest. This generalization is a natural way to attept to prevent Joux s attack fro succeeding, and it is therefore worthwhile to study this approach in detail. Unfortunately, we show that these generalized sequential hash functions also have efficient ulticollision attacks. We find 2 r -ulticollision attacks with expected coplexity O(r 2 ln r(n + ln ln r)2 n/2 ). Thus, we rule out a natural and large class of hash functions as candidates for ulticollision secure hash functions. 1 Soeties we ay write M as an l-tuple, i.e., M = ( 1,..., l ). 2

The attacks presented in this paper were first described in a ore inforal way in the PhD thesis of the first author [18] and in the unpublished anuscript [19]. In the current paper, we are presenting coplete descriptions of the attacks as well as precise coplexity analyses. In [18] and [19], siilar attacks on so-called tree-based hash functions were also pointed out. The attacks assued that every essage block is used at ost twice (siilar to the assuption we ake regarding generalized sequential hash functions). Recently, our attacks were extended and generalized by Hoch and Shair [10]. Their paper considers generalized sequential or tree-based hash functions that have a fixed expansion rate, which indicates the axiu nuber of ties a essage block is processed in the evaluation of a essage digest (our attacks concern hash functions with expansion rate 2). 1.2 Organization of Our Paper In Section 2 we provide an introduction to birthday attacks, Joux s attack and its applications. In Section 3, we provide a definition of a general class of iterated hash functions. The generalized sequential hash functions we study in this paper are a special case of this definition. Section 4 defines soe useful terinology and results on sequences and partial orders. Then, in Section 5, we describe our attacks and provide a detailed coplexity analysis. Finally, Section 6 is a brief conclusion. 2 Preliinaries In this section, we give a brief introduction to the birthday attack, which is the basis for the attacks to be used throughout this paper. We also state soe recent results on ulticollision attacks which otivate the rest of the paper. Naely, we discuss Joux s ulticollision attack on classical iterated hash functions. Finally we give soe siple but iportant applications of ulticollision attacks. 2.1 The Birthday Attack A hash function usually has two ain coponents: a copression function, f : {0, 1} n {0, 1} n {0, 1} n, and a ethod to extend the doain of the copression function into {0, 1}. The second coponent is also known as the design of iteration as we generally iterate the copression function several ties. Throughout this paper, we consider only attacks which treat the underlying copression function, f, as a black-box. Thus, the attacker is not exploring any internal structure of f. The attacker can only ake soe queries to the function f, and, based on the responses of the queries, he finally outputs soe value or values. Here a query denotes an input to f, say x, and the response denotes the output, y = f(x). This type of attack can be applied to any copression function, and hence it ainly points out the security of the design of iteration. We recall that the coplexity of an r-ulticollision attack algorith is the nuber of queries of f required to get an r-ulticollision. A natural (and the ost popular) attack is the birthday attack. It is well-known that the standard birthday attack (which finds a 2-way collision) has coplexity Θ(2 n/2 ) when essage digests are n bits in length. In a birthday attack on a function g : X Y, we assue that the function g is a rando oracle; i.e., every output value g(x) is chosen uniforly at rando fro Y. Rando oracles are the usual odel for hash functions which can be accessed in a black-box anner. 3

For the standard birthday attack, we will ake use of the following bound (see [16, 24, 25] for a ore detailed discussion). Theore 2.1. (Coplexity of the Standard Birthday Attack) For a rando oracle g : X {0, 1} n, the birthday attack with coplexity q finds a 2-way collision with probability roughly equal to 1 e q2 /2 n+1. The following algorith describes the generalized birthday attack of coplexity q for (possibly) finding an r-ulticollision of the function g, based on aking q queries to the function g. Generalized Birthday Attack Input: A rando oracle g : X {0, 1} n ; coplexity q; and desired ulticollision size r. 1. Choose x 1,..., x q fro the doain X and copute y i = g(x i ) for 1 i q. 2. If there is a subset C {x 1,..., x q } of size r such that C is an r-way ulticollision subset for the function g, then return C. Otherwise return the output failure. We note that the standard birthday attack is just the special case r = 2 of the generalized birthday attack. The next theore gives an estiate of the coplexity of the generalized birthday attack in finding an r-ulticollision with soe specified probability p. Theore 2.2. (Coplexity of the Generalized Birthday Attack) For a rando oracle g : X {0, 1} n, the birthday attack with coplexity q finds an r-way collision with probability p provided that q (r!) 1/r 2 n(r 1)/r (ln(1/(1 p))) 1/r. For fixed p, the coplexity is Θ(r 2 n(r 1)/r ). For fixed p and r, the coplexity is Θ(2 n(r 1)/r ). Proof. We use an estiate given by Diaconis and Mosteller [5]. They state that the generalized birthday attack having coplexity q finds an r-way collision with probability p, where ( ) q e q/(r2n ) q 1/r ( ( )) 1 1/r 1 (r + 1)2 n 2 n(r 1) r! ln. (1) 1 p For values of n and r of cryptographic interest, the left side of (1) is essentially equal to q. Using the facts that (r!) 1/r is θ(r) and li r (ln(1/(1 p))) 1/r = 1, the stated results follow. 2.2 Joux s Multicollision Attack In a recent paper by Joux [11], it was shown that there is a 2 r -way collision attack for the classical iterated hash function based on a copression function, f : {0, 1} n+n {0, 1} n, where the attack has coplexity O(r 2 n/2 ). This coplexity is uch less than the coplexity for the generalized birthday attack (see Theore 2.2). Here is the basic idea of Joux s attack. Consider the set of n-tuples {0, 1} n. We use the notation h h (a labeled arc) to ean f(h, ) = h, where h = h = n and = n. The strategy of Joux s attack is to first find r successive collisions by perforing r successive birthday attacks (each having coplexity 2 n/2 ), as follows: 4

h 1 1 0 h 1 and h 2 1 0 h 1 for soe h 1, where 1 1 2 1 h 1 2 1 h 2 and h 2 2 1 h 2 for soe h 2, where 1 2 2 2 h r 1. 1 r h r and h 2 r r 1 h r for soe h r, where 1 r 2 r. In other words, for 1 i r, we apply a birthday attack to find 1 i 2 i such that f(h i 1, 1 i ) = f(h i 1, 2 i ) = h i, for soe h i. Then the set { 1 1, 2 1} { 1 2, 2 2} { 1 r, 2 r} is a 2 r -way collision set. Of course, the birthday attack is itself a probabilistic attack. Fro Theore 2.1, we see that a birthday attack with coplexity 2 n/2 succeeds with probability approxiately equal to 0.4, and therefore the expected nuber of applications of each birthday attack is about 2.5. We do not carry out the ith birthday attack until the (i 1)st attack has succeeded. Therefore the total expected nuber of birthday attacks required in Joux s attack is about 2.5r, which is just O(r). The coplexity of each birthday attack is 2 n/2, so the overall expected coplexity of Joux s attack is 2.5r 2 n/2, which is O(r 2 n/2 ). Reark 2.1. The ter expected coplexity is used in its usual sense, i.e., to denote the averagecase coplexity of the attack. All the attacks in this paper will be analyzed in ters of average-case coplexity. Reark 2.2. Within each birthday attack in Joux s attack, it would ore efficient to keep increasing the saple size until a collision is found (provided that there is sufficient eory available). However, the analysis is siplified by using birthday attacks with a fixed saple size q = 2 n/2. We note that the asyptotic coplexity of the attack is not affected by this siplification. For siplicity of presentation and analysis, we will eploy birthday attacks with fixed saple size in all our attacks. 2.3 Applications of Multicollision Attacks The birthday attack is feasible for sall sized output hash values. To ake the birthday attack infeasible, one siply specifies a large output hash value. There are any approaches of designing hash functions having large output hash values based on secure block ciphers; see [8], [9], [14], [13], [20], [23]. However, ost of these designs were proven to be insecure; see [8], [14] [13], [20], [23]. Recently, Hirose [9] designed secure double length hash functions based on secure block ciphers. But the efficiency of the design is fairly low. A natural and efficient approach to produce large output hash values is the concatenation of several saller output hash values. For exaple, given two classical iterated hash functions, H and G, one can define a hash function H(M) G(M). This idea has been suggested because it is efficient, siple to ipleent, and it apparently iproves security (see, for exaple, [16, p. 334]). However, due to the attacks of Joux [11], there exists a collision attack that is ore efficient than 5

than the birthday attack. The coplexity of the attack is roughly the axiu of the coplexity of the ulticollision birthday attack on H and the coplexity of the standard birthday attack on G. We briefly describe the attack (see [11] for ore details). Let H and G have output hash values of n H and n G bits in length, respectively. 1. By using Joux s ulticollision attack, find 2 n G/2 essages which have coon output hash value (say h ) on H. 2. Find two essages, say M and N where M N, which are ebers of the set of 2 n G/2 essages found in step 1, such that they have sae output hash value (say g ) on G. Note that we expect to be able to find a collision on an n G -bit function fro a set of 2 n G/2 essages using the standard birthday attack. Thus, we have H(M) G(M) = H(N) G(N) = h g. The overall coplexity of this attack is O(n G 2 n H/2 + 2 n G/2 ). Note that we only assue that H is a classical iterated hash function; G can be any hash function at all. Reark 2.3. As entioned previously, we ignore the padding that includes the binary representation of the length of the inputs. Note that, even if we included the padding, it does not affect the above attack, as the ulticollision sets consist of essages of equal length. 3 A General Class of Hash Functions We have seen in Section 2.2 that the classical iterated hash function is vulnerable to a ulticollision attack. Thus one cannot use the classical iterated hash function if ulticollision secure hash functions are needed. There are soe other disadvantages of using classical iterated hash functions. For exaple, Kelsey and Schneier [12] have found a generic second preiage attack that is better than the birthday attack. To fix all these probles, one can try to use soe suitable variant of the classical iterated hash function. We note that, recently, Lucks [15] designed a hash function that is secure against ulticollision attack. In his construction a wide copression function is used. The hash function is proven to be secure if the copression function and the output transforation are both rando oracles. Alternatively, one ight consider a odification of the classical iterated hash function where essage blocks are used ore than once. Another approach is to use a parallel design, which is characterized by a directed tree; see [22]. One can also cobine these two approaches. These types of generalized hash functions could be considered as an alternative to the classical iterated hash function since Joux s attack cannot be applied. For exaple, the hash function H (M) = H(H(IV, M), M) uses each essage block twice. Here H denotes the classical iterated hash function. We call this hash function a doubly iterated hash function as it uses the classical iteration technique twice. Obviously, Joux s attack can not be applied directly to this hash function. Thus it is worthwhile to study this class in ore detail. Reark 3.1. The idea of cycling through the essage blocks twice is apparently due to Davies and Price [4]. Their construction uses an encryption function instead of a copression function, and it is susceptible to eet-in-the-iddle attacks (see [2, 6]). The eet-in-the-iddle attacks exploit the invertibility of an encryption function and cannot be applied in the context we are considering. 6

We define a very general class of hash functions. Let f : {0, 1} N {0, 1} n be a copression function. A hash function H fro the class behaves in the following anner: 1. It invokes f a finite nuber of ties. 2. The entire output of any interediate invocation (not the final invocation) is fed into the input of other invocations of f. 3. Each bit of the essage, M, is fed into at least one invocation of f. 4. The output of the final invocation is the output of the hash function, H. We define a general class D of hash functions satisfying the above conditions. We will assue that our essage has the for M = 1 l, where each i is a essage block that is an n -bit string. We also assue that we have a fixed set of initial values, denoted v 1, v 2,, each of which is an n-bit string. Every input to f is of the for h x. Each h is the concatenation of d n-bit strings, each of which is a previously coputed output of f or an initial value; and each x is the concatenation of d essage blocks. We will require that d 0, d 0 and nd + n d = N. Then we can specify the coputation of the hash function by a list of triples where the following conditions hold for all i: 1. f(h i x i ) = y i, 2. h i = h 1 i hd i, 3. h j i {v 1, v 2,... } {y 1,..., y i 1 }, 4. x i = x 1 i xd i, and 5. x j i { 1,..., l }. L = {(h i, x i, y i ) : 1 i s}, Each y i is an interediate hash value and y s is the output hash value. Note that the values of d and d do not have to be constant; they ay depend on i. However, nd + n d = N ust always hold. 3.1 Generalized Sequential Hash Functions In this paper, we consider a special (but still quite general) subclass of D, which are tered generalized sequential hash functions and denoted by S. The class D will contain the classical iterated hash function as one of its ebers. In the class S of generalized sequential hash functions, we have d = d = 1 for all i and N = n + n. Define a sequence α = α 1,, α s where α i {1, 2,..., l}. Let h 1 = v 1 (an initial value), h i = y i 1 for all i 2, and let x i = αi for all i 1. Hence, we can express the coputation in the for h i = f(h i 1, αi 1 ), 2 i s + 1, 7

where h 1 is an initial value and h s+1 is the final hash value. We can present this hash function diagraatically, as follows: h 1 α1 h 2 α2 h 3 α3 αs 1 h s αs h s+1. Note that each essage block ust be used at least once in the above coputation. In the case of the classical iterated hash function, however, we have α i = i for all i, and s = l. Also, in the classical iterated hash function, each essage block is used exactly once. To define a hash function with arbitrary doain ({0, 1} N ), say H : ({0, 1} N ) {0, 1} n, we have a sequence of sequences α 1, α 2, such that H(M) is defined based on the sequence α l, where α l contains eleents fro {1,..., l}, whenever M is an l-block essage. Also, each sequence α l should use every eleent in {1,..., l}. 4 Soe Terinologies on Sequences and Partial Orders Consider a fixed, finite sequence α = α 1, α 2,, α s of sybols, where each sybol is an eleent of the sybol set S = {1,..., l} and every sybol occurs at least once in the sequence. The length of the sequence α is s and it is denoted by α. The index set of the sequence α is {1,..., s}. For a sequence of distinct indices, i.e., I = i 1,..., i k, α(i) denotes the sequence α i1, α i2,..., α ik. We also write this sequence as α i 1,..., i k. The interval [i, j] is defined to be the sequence i, i + 1,..., j. An initial interval is an interval of the for [1, j]. For 1 i < j α, we define α[i, j] = α i, α i+1,..., α j. We next define a relation on the sybol set S. For x, y S, x y, define x y if every occurrence of x in α precedes every occurrence of y in α. It is easy to see that the relation is antisyetric and transitive; hence is a partial order. Two sybols x y are incoparable with respect to a partial order on a finite set X if it is not the case that x y or y x. A list of sybols x 1,..., x d is a chain if x 1 x 2 x d. A set of chains is a chain decoposition if the chains are disjoint and their union is X. Later, we will use the classical result known as Dilworth s Theore, which applies to any partial order. Theore 4.1. (Dilworth s Theore) Suppose that is a partial order on a finite set X. Then the axiu nuber of utually incoparable eleents in X is equal to the iniu nuber of chains in any chain decoposition of (X, ). We denote the axiu nuber of eleents in a chain by axchain(x). For our partial order defined with respect to a sequence α, this quantity is denoted by axchain(α). Obviously, if there are k eleents which appear exactly once in the sequence α, then axchain(α) k. We now consider soe exaples illustrating the above definition and terinologies. Later, we also show ulticollision attacks on the generalized sequential hash functions based on these sequences. Exaple 4.1. Let Ψ (1,l) = 1, 2,..., l (the sequence for the classical iterated hash function). It is easy to see that 1 2 l and hence axchain(ψ (1,l) ) = l. Exaple 4.2. Let Ψ (2,l) = 1, 2,..., l, 1, 2,..., l. The doubly iterated hash function is based on the sequence Ψ (2,l). It is easy to observe that there is no chain of length two in the sequence Ψ (2,l) and hence axchain(ψ (2,l) ) = 1. 8

Exaple 4.3. Let Φ l = 1, 2, 1, 3, 2, 4, 3,, l 1, l 2, l, l 1, l. Thus, for exaple, we have Φ 3 = 1, 2, 1, 3, 2, 3, Φ 4 = 1, 2, 1, 3, 2, 4, 3, 4, and Φ 5 = 1, 2, 1, 3, 2, 4, 3, 5, 4, 5. Observe also that Φ l can be constructed fro Φ l 1 by deleting the last sybol in the sequence (naely, l 1), and concatenating the sequence l, l 1, l. Here, it is easy to see that l + 1 axchain(φ l ), 2 because (if l is odd) or 1 3 l 1 3 l 1 (if l is even) are chains. To prove that these are chains, consider the partition of the index set into intervals [1, 3], [4, 7], [8, 11],... [2l 2, 2l]. Assue that l is odd (the result for even l can be proved siilarly). Now one can see that 1 Φ l [1, 3], 3 Φ l [4, 7],..., l Φ l [2l 2, 2l]. These eleents do not appear in other intervals. Thus 1 3 l is a chain for the sequence Φ l. In fact, we have axchain(φ l ) = l+1 l+1 2. This can be proven as follows: For any 2 + 1 eleents fro {1,..., l} there are two consecutive sybols (by applying the pigeonhole principle), say i and i + 1, and hence there is a (non-contiguous) subsequence i, i + 1, i of Φ l. Thus no + 1 eleents can for a chain. l+1 2 For a sequence α on sybols {1,..., l} and a sybol x {1,..., l} we define freq(x, α) = {i : α(i) = x}. Soeties we write this as freq(x) and we call it the frequency of x. This value denotes the nuber of ties x appears in the sequence α. We also write freq(α) (frequency of the sequence) for the axiu frequency of any eleent fro the sequence. More precisely, freq(α) = ax{freq(x) : x {1,..., l}}. Note that, for all 1 i l, freq(i, Ψ (2,l) ) = 2 and freq(i, Φ l ) = 2. Thus freq(ψ (2,l) ) = 2 and freq(φ l ) = 2. We will show soe ulticollision attacks on sequential hash functions based on sequences whose frequencies are at ost two. 5 Multicollision Attacks on Generalized Sequential Hash Functions In this section, we describe our ulticollision attacks. All our attacks will be 2 r -way ulticollision attacks, where r is a positive integer. We will assue throughout this section that r > 1 (if r = 1, 9

then a 2 r -way ulticollision attack is just a standard collision attack, and we do not need to use our new ethods). For the sake of convenience, we slightly odify the notation used in the definition of the generalized sequential hash functions. Given a copression function f : {0, 1} n+n {0, 1} n, a fixed initial value h 0, and a sequence α = α 1,, α s on sybols {1,..., l}, the generalized sequential hash function based on α is defined to be H( 1 l ) = h s, where h i = f(h i 1, αi ) for all i 1. We present a 2 r -way ulticollision attack on the hash function based on a sequence α where axchain(α) = r. The coplexity of the attack is O(s 2 n/2 ) where s = α. In case of the classical iterated hash function, the corresponding sequence is Ψ (1,l) (see Exaple 4.1). Here we have axchain(ψ (1,l) ) = l and thus we have a 2 l -way ulticollision attack with coplexity O(l 2 n/2 ). This is the sae as the coplexity of Joux s attack. In fact, we will see that our attack is sae as Joux s attack in the case of the classical iterated hash function. The idea of the attack is to first identify essage blocks that coprise a chain, and then to find a sequence of interediate collisions by varying only those essage blocks. Exaple 5.1. We present an attack on the hash function based on the sequence Φ 5 = 1, 2, 1, 3, 2, 4, 3, 5, 4, 5 (see Exaple 4.3). Here 1 3 5 is a chain in Φ 5. The attack proceeds as follows: step 1 We first fix the essage blocks 2 and 4 by defining their values to be equal to soe arbitrary string IV. step 2 We use a birthday attack to find 1 1 2 1 such that f(f(f(h 0, 1 1 ), IV ), 1 1 ) = f(f(f(h 0, 2 1 ), IV ), 2 1 ) = h 3 for soe h 3. step 3 We use a second birthday attack to find 1 3 2 3 such that f(f(f(f(h 3, 1 3 ), IV ), IV )1 3 ) = f(f(f(f(h 3, 2 3 ), IV ), IV )2 3 ) = h 7 for soe h 7. step 4 Finally, we use a third birthday attack to find 1 5 2 5 such that f(f(f(h 7, 1 5 ), IV ), 1 5 ) = f(f(f(h 7, 2 5 ), IV ), 2 5 ) = h 10 for soe h 10. step 5 Define Then it is easy to see that M i = { { 1 i, 2 i } if i {1, 3, 5} {IV } if i {2, 4}. C = M 1 M 2 M 3 M 4 M 5 (2) is a 2 3 -way ulticollision set with collision value h 10. The coplexity of the attack is 10 2 n/2, because Φ 5 = 10. 10

Recall that the notation h h eans f(h, ) = h. More generally, given a sequence 1, 2,..., j we use the notation h 1, 2,..., j h to ean f (f(f(h, 1 ), 2 ),... ), j ) = h. Then steps 2 4 of the attack can be rewritten using this notation, as follows: h 1 1,IV,1 1 0 h 3 and h 2 1,IV,2 1 0 h 3 for soe h 3, where 1 1 2 1 h 1 3,IV,IV,1 3 3 h 7 and h 2 3,IV,IV,2 3 3 h 7 for soe h 7, where 1 3 2 3 h 1 5,IV,1 5 7 h 10 and h 2 5,IV,2 5 7 h 10 for soe h 10, where 1 5 2 5. In general, we have the following ulticollision attack on a generalized sequential hash function. Theore 5.1. Let H be a hash function based on a sequence α, where axchain(α) = r. Then there exists a 2 r -way ulticollision attack on H with coplexity O(s 2 n/2 ), where s = α. Proof. As axchain(α) = r, we have r eleents in α, say x 1 x r, which for a chain. For 1 i r 1, let b i be the index of the last occurrence of x i in α, and let b r = s. For 2 i r, let a i = b i 1 + 1, and let a 1 = 1. Then the intervals [a 1, b 1 ],..., [a r, b r ] for a partition of the interval [1, s]. Now fix the essage blocks i to be equal to an arbitrary string IV, for all i / {x 1,..., x r }. We will use r successive birthday attacks to find colliding values for x1,..., xr. Within any interval [a i, b i ], the values of all the essage blocks αai,,..., αai +1 α bi are fixed except for xi. Given a value for h ai 1, we can use a standard birthday attack to find two values (say 1 x i and 2 x i ) for xi which yield the sae value for h bi. After these r successive birthday attacks, we can construct a ulticollision set of size 2 r as follows. Define { { 1 i M i =, 2 i } if i {x 1,..., x r } {IV } if i / {x 1,..., x r }. Then it is easy to see that C = M 1 M 2 M l is a 2 r -way ulticollision set. To perfor the ith birthday attack, we ake at ost (b i a i + 1) 2 n/2 queries to f. For the coplete attack we need at ost r (b i a i + 1)2 n/2 = s 2 n/2 i=1 queries to f. The expected coplexity of the attack is at ost 2.5s 2 n/2, which is O(s 2 n/2 ). Reark 5.1. Note that the above attack reduces to Joux s attack in the case of the classical iterated hash function. In this case, 1 2 l is a chain and thus we find a collision for each interediate hash value by varying each essage block. This is what Joux s attack does. 11

Reark 5.2. The attack illustrated in Exaple 5.1 is an application of Theore 5.1. In this attack, we have r = 3 and the index set {1,..., 10} is partitioned into the three intervals [1, 3], [4, 7], and [8, 10]. To get a 2 r -way collision on the hash function based on the sequence Φ l (see Exaple 4.3), we can take l = 2r 1; then axchain(φ l ) = r. By Theore 5.1, we have a 2 r -way collision attack with coplexity O(r 2 n/2 ). However, we cannot apply the sae idea to the hash function based on the sequence Ψ (2,l) because axchain(ψ (2,l) ) = 1 (see Exaple 4.2). Here, we have to use a different ulticollision attack. Our attack uses a strategy that is siilar to the preiage attack on cascaded (i.e., concatenated) hash functions that is described in [11, Appendix A]. Exaple 5.2. Suppose r > 1. We present an attack on the hash function based on the sequence Ψ (2,l). Here are the steps in the attack: step 1 Define t = n + 1 ln ln 2r + 2 2 ln 2. and let l = tr. We use Joux s ulticollision attack on the hash function based on the sequence Ψ (1,l) to find l pairs, ( 1 1, 2 1), ( 1 2, 2 2),, ( 1 l, 2 l ), such that 1 i l. Thus we have a 2 l -way collision set f(h i 1, 1 i ) = f(h i 1, 2 i ) = h i, C = { 1 1, 2 1} { 1 2, 2 2} { 1 l, 2 l } for the hash function based on the sequence Ψ (1,l). step 2 Next, to get a 2 r -way ulticollision for the hash function based on the sequence Ψ (2,l), we search for interediate collisions within the set C using a standard birthday attack. Divide the index interval [l + 1, 2l] into r consecutive intervals, each consisting of t eleents, i.e., I 1 = [l + 1, l + t], I 2 = [l + 1 + t, l + 2t],... I r = [l + 1 + (r 1)t, l + rt]. Write h 0 = h l. Then, for each 1 i r, try to find two t-tuples, say M 1 i Mi 2, fro the set C i = { 1 (i 1)t+1, 2 (i 1)t+1 } {1 (i 1)t+2, 2 (i 1)t+2 } {1 it, 2 it} such that h i 1 Mi 1 h i and h Mi 2 i 1 h i for soe h i, 12

say. If this step fails for any i, we have to return to step 1 and find a new 2 l -way collision set C. step 3 Provided that the r birthday attacks in step 2 all succeed, it is easy to observe that C = {M 1 1, M 2 1 } {M 1 2, M 2 2 } {M 1 r, M 2 r } is a ulticollision set (of size 2 r ) for our hash function 2. We need to copute the success probability of this attack. Applying Theore 2.1, each birthday attack in step 2 succeeds with probability 1 e (2t ) 2 /2 n+1 ln ln 2r = 1 e 22t (n+1) 2 ln 2 = 1 e The probability that all r birthday attacks in step 2 succeed is ( 1 1 ) r > 1 2r 2. = 1 1 2r. Now we can estiate the coplexity of the entire attack. The expected coplexity of step 1 is 2.5tr 2 n/2. The coplexity of any given birthday attack in step 2 is analyzed as follows: We need two queries to f for the two values of the first essage block in an interval. Then we need four queries for the two values of the next essage block, eight queries for the next essage block, etc. In the worst case, where a collision is found in the last essage block in the given interval, the coplexity is 2 + 4 + 8 + + 2 t = 2(2 t 1). Overall, the coplexity of the r birthday attacks in step 2 (assuing they all succeed) is at ost 2r(2 t 1). Since step 2 succeeds with probability 1/2, the overall expected coplexity is upper-bounded by 2 (2.5tr 2 n/2 + 2r(2 t 1)). Using the fact that t is Θ(n + ln ln r) and 2 t is Θ(2 n/2 ln r), the overall expected coplexity is O(r(n + ln ln r)2 n/2 + r ln r 2 n/2 ), which is O(r(n + ln r)2 n/2 ). Reark 5.3. In order carry out the above-described attack, we need essages with a sufficient nuber of essage blocks. This is because the value of l, as defined in step 1, depends on both n and r. We can see fro the forulas in step 1 that l is slightly bigger than n. If n = 160, (e.g., as in SHA-1) then we construct a ulticollision set consisting of essages having at least 160 512-bit essage blocks. Siilar coents apply to the general attack described in Theore 5.4, which we present a bit later. Now, we prove a theore which is a generalization of the attack given in Exaple 5.2. Theore 5.2. Suppose r > 1 and suppose that α is a sequence of length s on sybols {1,..., l} such that 1. freq(α) 2, and 2 This is a slight abuse of notation. Each eleent in this cartesian product is an r-tuple of t-tuples, whereas what we really want is the corresponding rt-tuple. 13

2. there exists an initial interval [1, w] of the index set for which α[1, w] contains tr sybols having frequency 1, where t = (n + 1)/2 + (ln ln 2r)/(2 ln 2). Then there is a 2 r -way collision attack on the hash function based on the sequence α having coplexity O(s ln r 2 n/2 ). Proof. Let x 1,..., x tr be sybols having frequency 1 in α[1, w]. Let {y 1,..., y σ } {x 1,..., x tr } coprise all the sybols in {x 1,..., x tr } that occur in α[w + 1, s]. Of course we have that σ rt. The proof will use the sae ideas as Exaple 5.2. However, there are two additional factors we now need to address: 1. Soe sybols in {x 1,..., x tr } ay have frequency 1 in α (i.e., it ight be the case that σ < tr), and 2. the sybols in {y 1,..., y σ } ay occur in a different order in α[w + 1, s] than they did in α[1, w]. Here are the ain steps in the attack. step 1 If i / {x 1,..., x tr }, then we will define i = IV, as we did in other attacks. Then we use Theore 5.1 to construct a 2 tr -ulticollision set C for the hash function based on the sequence α[1, w]. The set C has the following for: C = M 1 M l, where M i = { 1 i, 2 i } if i {x 1,..., x tr } and M i = {IV } if i / {x 1,..., x tr } (note that we define M i = {IV } even if the sybol i does not occur in α[1, w]). The output of this hash function is the value h w. step 2 For 1 i σ, suppose that y i occurs in position b i in α, where w + 1 b 1 < b 2 < < b σ s. Write σ = Qt + R, where 0 R t 1. We will partition the interval [w + 1, s] into Q + 1 intervals. The first Q intervals each contain t of the y i s and the last interval contains the reaining R of the y i s. ore precisely, we define I 1 = [w + 1, b t ] = [c 1, d 1 ], say I 2 = [b t + 1, b 2t ] = [c 2, d 2 ], say... I Q = [b (Q 1)t+1, b Qt ] = [c Q, d Q ], say I Q+1 = [b Qt+1, s] = [c Q+1, d Q+1 ], say. Now we perfor a series of Q additional birthday attacks within the intervals [c 1, d 1 ],..., [c Q, d Q ]. Suppose 1 j Q. Within any interval [c j, d j ], the values of all the essage blocks αcj,,..., αcj +1 α dj are fixed except for y(j 1)t+1,..., yjt. Given a value for h cj 1, we can use a standard birthday attack to find two t-tuples M 1 j, M 2 j M y(j 1)t+1 M yjt which yield the sae value for h dj. Finally, let M Q+1 be any R-tuple in M yqt+1 M yσ. 14

step 3 Now construct a collision set C, consisting of all essages M M 1 M l such that the following conditions are satisfied: 1. M y (j 1)t+1,..., y jt {Mj 1, M j 2 }, for j = 1,..., Q, 2. M y Qt+1,..., y σ = M Q+1, 3. i M i for all i / {y 1,..., y σ }, where M = 1,..., l. It is clear that C is a collision set. We deterine the cardinality of C as follows. Fro ite 1, we see that there are 2 Q ways to choose tuples fro {Mj 1, M j 2 }, j = 1,..., Q. As well, in ite 3, there are 2 rt σ ways to choose the rt σ values i when i {x 1,..., x tr }\{y 1,..., y σ }. Therefore C = 2 Q+rt σ. Now, C is a 2 r -ulticollision set provided that Q + rt σ r. We show that this holds by considering two cases. If σ = rt, then Q = r and Q + rt σ = r. On the other hand, if σ < rt, then we use the fact that R t 1, and we have Q + rt σ = σ R + rt σ t σ(t 1) = rt R t t rt(t 1) > rt 1 t = r 1. Since Q + rt σ > r 1 is an integer, we have Q + rt σ r, as desired. Finally, we need to deterine the coplexity of this attack. The analysis is siilar to Exaple 5, so we oit several details. First, step 1 can be done in tie O(w 2 n/2 ). Step 2 takes tie O((s w)2 t ), which is O((s w) ln r 2 n/2 ) (we note that a ore precise estiate is possible, but it does not lead to iproved asyptotic coplexity). The total expected coplexity is therefore O(s ln r 2 n/2 ). So far, we have provided a ulticollision attack if the underlying sequence α satisfies certain conditions. Now we show that appropriate conditions hold for any sequence α (having a sufficient nuber of eleents) provided that freq(α) 2. Theore 5.3. Let α be a sequence of eleents fro sybol set S = {1,..., l} such that 1 freq(x, α) 2 for all x S. Suppose that l uv. Then one of the following holds: 1. axchain(α) u, or 2. there exists an initial interval [1, w] of the index set such such that α[1, w] contains at least v sybols each having frequency 1. Proof. Let axchain(α) = u 0. If u 0 u, then we re done, so suppose that u 0 < u. Let v 0 denote the axiu nuber of utually incoparable sybols in S. By Dilworth s theore, there exists a decoposition of S into v 0 chains. Every chain contains at ost u 0 sybols, so S = l u 0 v 0 < uv 0. Hence, v 0 > l/u v. 15

Now, let x i1,..., x iv be v utually incoparable eleents. Let the first occurrence of x ij be at position a j of α, for j = 1,..., v, where a 1 < < a v. Recall that every sybol occurs at ost twice in α. It then follows that the second occurrence (if any) of any x ij ust be after position a v of α (if not, then x ij x iv, a contradiction). Therefore x i1,..., x iv all occur exactly once in the subsequence α[1, a v ]. Now we state and prove our ain theore, which deonstrates a ulticollision attack for any generalized sequential hash function with frequency at ost two. Theore 5.4. Let H be a generalized sequential hash function based on the sequences α 1, α 2,, where freq(α l ) 2 for every l 1. Then, for any r > 1, we have a 2 r -way collision attack on H having coplexity O(r 2 ln r (n + ln ln r)2 n/2 ). Proof. Let t = (n + 1)/2 + (ln ln 2r)/(2 ln 2) and define l = r 2 t. Applying Theore 5.3, we have that one of the following holds: 1. axchain(α l ) r, or 2. there exists an initial interval [1, w] of the index set such such that α[1, w] contains at least rt sybols each having frequency 1. In the first case, Theore 5.1 provides a 2 r -way collision attack having coplexity O(s 2 n/2 ), where s = α l. But s 2l, so s is O(r 2 (n + ln ln r)) and the attack has coplexity O(r 2 (n + ln ln r)2 n/2 ). In the second case, we apply Theore 5.2. Here, the attack has coplexity O(s ln r 2 n/2 ), which is O(r 2 ln r (n + ln ln r)2 n/2 ). This coplexity exceeds the coplexity of case 1, and the result follows. 6 Conclusion In this paper, we have defined a natural class of hash functions and we studied their security with respect to ulticollision attacks. We have found efficient ulticollision attacks on the generalized sequential hash functions when the essage blocks are processed at ost twice. Hoch and Shair [10] recently have found attacks even if the essage blocks are used ore than twice. It is an interesting open question to search for hash functions, within the general class we defined in Section 3, which are secure against ulticollision attacks. Acknowledgeents Research of the second author is supported by NSERC grant RGPIN 203114-06. References [1] E. Brickell, D. Pointcheval, S. Vaudenay and M. Yung. Design validations for discrete logarith based signature schees. Lecture Notes in Coputer Science 1751 (2000), 276 292, Public Key Cryptography, Springer. [2] D. Coppersith. Another birthday attack. Lecture Notes in Coputer Science 218 (1996), 14 17, Advances in Cryptology CRYPTO 85, Springer. 16

[3] I. B. Dagård. A design principle for hash functions. Lecture Notes in Coputer Science 435 (1990), 416 427, Advances in Cryptology CRYPTO 89, Springer. [4] D. W. Davies and W. L. Price. The application of digital signatures based on public key cryptosystes. In Proceedings of the Fifth International Coputer Counications Conference, 1980, pp. 525 530. [5] P. Diaconis and F. Mosteller. Methods for studying coincidences. Journal of the Aerican Statistical Association 84 (1989), 853 861. [6] M. Girault, R. Cohen and M. Capana. A generalized birthday attack. Lecture Notes in Coputer Science 330 (1988), 129 157, Advances in Cryptology EUROCRYPT 88, Springer. [7] M. Girault and J. Stern. On the length of cryptographic hash-values used in identification schees. Lecture Notes in Coputer Science 839 (1994), 202 215, Advances in Cryptology CRYPTO 94, Springer. [8] M. Hattori, S. Hirose and S. Yoshida. Analysis of double block length hash functions. Lecture Notes in Coputer Science 2898 (2003), 290 302, Cryptography and Coding, 2003, Springer. [9] S. Hirose. Provably secure double-block-length hash functions in a black-box odel. Lecture Notes in Coputer Science 3506 (2003), 330 342, Inforation Security and Cryptology ICISC 2004, Springer, 2005. [10] J. J. Hoch and A. Shair. Breaking the ICE Finding ulticollisions in iterated concatenated and expanded (ICE) hash functions. To appear in Lecture Notes in Coputer Science, Fast Software Encryption 2006, Springer. [11] A. Joux. Multicollisions in iterated hash functions. Application to cascaded constructions. Lecture Notes in Coputer Science 3152 (2004), 306 316, Advances in Cryptology CRYPTO 2004, Springer. [12] J. Kelsey and B. Schneier. Second preiages on n-bit hash functions for uch less than 2 n work. Lecture Notes in Coputer Science 3494 (2005), 474 490, Advances in Cryptology EUROCRYPT 2005, Springer. [13] L. Knudsen, X. Lai and B. Preneel. Attacks on fast double block length hash functions. Journal of Cryptology 11 (1998), 59 72. [14] L. Knudsen and B. Preneel. Construction of secure and fast hash functions using nonbinary error-correcting codes. IEEE Transactions on Inforation Theory 48 (2002), 2524 2539. [15] S. Lucks. Design principles for iterated hash functions. IACR Cryptology eprint Archive, Report 2004/253, http://eprint.iacr.org/2004/253. [16] A. J. Menezes, P. van Oorschot and S. A. Vanstone. Handbook of Applied Cryptography, CRC Press, 1996. 17

[17] R. Merkle. One way hash functions and DES. Lecture Notes in Coputer Science 435 (1990), 428 446, Advances in Cryptology CRYPTO 89, Springer. [18] M. Nandi. Design of Iteration on Hash Functions and its Cryptanalysis. PhD thesis, Indian Statistical Institute, 2005. [19] M. Nandi and D. R. Stinson. Multicollision attacks on generalized hash functions. IACR Cryptology eprint Archive, report 2004/330, http://eprint.iacr.org/2004/330. [20] B. Preneel. Analysis and Design of Cryptographic Hash Functions. Doctoral Dissertation, Katholieke Universiteit Leuven, 1993. [21] R. Rivest and A. Shair. PayWord and MicroMint. CryptoBytes 2(1) (1996), 7 11. [22] P. Sarkar. Doain extender for collision resistant hash functions: iproving upon Merkle-Dagård iteration. IACR Cryptology eprint Archive, Report 2003/173, http://eprint.iacr.org/2003/173. [23] T. Satoh, M. Haga and K. Kurosawa. Towards secure and fast hash functions. IEICE Trans. Fundaentals, E82-A, no. 1, January, 1999. [24] D. R. Stinson. Cryptography: Theory and Practice, Second Edition, CRC Press, 2002. [25] D. R. Stinson. Soe observations on the theory of cryptographic hash functions. Designs, Codes and Cryptography 38 (2006), 259 277. 18