Abstract

The exclusive-or (XOR) hash combiner is a classical hash function combiner, which is well known as a good PRF and MAC combiner, and is used in practice in TLS versions 1.0 and 1.1. In this work, we analyze the second preimage resistance of the XOR combiner built on two different narrow-pipe hash functions with weak ideal compression functions. To control simultaneously the behavior of the two different hash functions, we develop a new structure called multicollision-and-double-diamond. The multicollision-and-double-diamond structure is constructed using the meet-in-the-middle technique, combined with Joux’s multicollision and Chen’s inverse-diamond structure. Then, based on the multicollision-and-double-diamond structure, we present a second preimage attack on the XOR hash combiner with the time complexity of about  ( is the size of the XOR hash combiner and and are respectively the depths of the two inverse-diamond structures), less than the ideal time complexity , and memory of about .

1. Introduction

Hash functions are important cryptographic primitives in modern cryptography, used in many cryptographic protocols, message authentication schemes, etc. A hash function maps a message of arbitrary length to a fixed-length message digest called a hash value. If the length of the hash value is bits, we call the hash function a -bit hash function. To guarantee the security of the applications, a -bit hash function needs to satisfy the following three basic security principles:

Preimage resistance: Given a -bit hash value , it should be difficult to find a message such that .

Second preimage resistance: Given a message and the corresponding -bit hash value , it should be difficult to find another message such that .

Collision resistance: It should be difficult to find two different messages such that .

For a -bit hash function, if the computational complexity of finding a second preimage or a preimage is less than , then the hash function is considered not to be second preimage resistant or preimage resistant, respectively.

Since the devastating attacks of Wang and Yu [1] on the MD family were proposed, a practical countermeasure to guarantee the security of the hash function might be to use two different hash functions simultaneously in a combiner. The combined hash function is thought to be at least as secure as either of them. That is to say, it is only broken when both hash functions are weak. There are two classical hash combiners, that is, concatenation hash combiner and XOR hash combiner . In [2], Joux used the multicollision to prove that finding a collision for the concatenation hash combiner with two narrow-pipe hash functions is not harder than finding a collision on one of the two hash functions. More precisely, though the concatenation hash combiner has bits hash value, it only offers the security close to a -bit hash function. The XOR hash combiner has the same length of hash value as the two hash functions. That is to say, the XOR hash combiner is length preserving, which increases the difficulty of analyzing this combiner. In particular, the designer of TLS [3] used the sum of HMAC-MD5 and HMAC-SHA-1 as the key derivation function and claimed that the combined hash function should guarantee its security if either algorithm remains secure. Moreover, Hoch and Shamir [4] proved that there are no generic attacks with complexity smaller than , which is tight for collision resistance. However, for preimage attack or second preimage attack, there still exists a gap between and the expected bound . At Eurocrypt 2015, Leurent and Wang [5] developed a novel structure to control simultaneously the two independent hash functions with the same input message and thereby presented a generic preimage attack on the XOR combiner with two narrow-pipe hash functions with the complexity of less than the ideal complexity of .
Then, Dinur [6] improved the result in [5] and devised a new preimage attack on the XOR hash combiner with two Merkle-Damgård (MD) hash functions with the complexity of . These two results show that the XOR combiner cannot offer the same security as an -bit hash function. At CRYPTO 2017, Bao et al. [7] proposed an improved preimage attack against the XOR hash combiner based on the functional graph with a complexity of . Then, in 2020, Bao et al. [8] proposed several generic preimage attacks on the XOR hash combiner. Recently, Dong et al. [9] proposed a quantum preimage attack on the XOR hash combiner. However, no paper has studied the resistance of the XOR hash combiner to second preimage attacks.

In this work, we study the second preimage resistance of the XOR combiner built on two different narrow-pipe hash functions with weak ideal compression functions. To control simultaneously the behavior of the two different hash functions, we develop a new structure called multicollision-and-double-diamond. The multicollision-and-double-diamond structure is constructed using the meet-in-the-middle technique, combined with Joux’s multicollision and the inverse-diamond structure. Then, based on the multicollision-and-double-diamond structure, we present the first second preimage attack on the XOR hash combiner with the time complexity of about ( is the size of the XOR hash combiner and and are respectively the depths of the two inverse-diamond structures), less than the ideal time complexity , and memory complexity of about .

After setting up some preliminaries in Section 2, we propose our second preimage attack on the XOR hash combiner in Section 3 and analyze the complexity of our attack. Section 4 concludes our results and discusses future work.

2. Preliminaries

2.1. Merkle-Damgård Structure

The MD structure proposed by Merkle [10] and Damgård [11] is a typical domain extension for hash functions, used in many hash function standards, such as MD5, SHA-0, SHA-1, and SHA-2. For an input message with arbitrary length, an initial value IV and a compression function , a hash function with MD structure is processed as follows:

Step 1. Pad the input message into such that the length of is a multiple of . Then, divide the padded message into -bit message blocks .

Step 2. Let . For to , do

Step 3. Output as the hash value of the input .

If the length of the original message is padded in the last message block, the MD structure is called the strengthened MD structure, which is collision-resistance preserving.

2.2. Weak Ideal Compression Function

Since a hash function is one-way, the compression function is not required to be invertible. However, to analyze the security of domain extension built on a weak compression function, the weak ideal compression function, which is invertible, was defined in [12].

Definition 1. (Weak ideal compression function) [12]. Let be an ideal compression function. If for any input , the adversary can find a random value such that , or for any input , the adversary can find a random value such that , then we call the weak ideal compression function.

2.3. Description of the XOR Hash Combiner

The XOR hash combiner utilizes two different hash functions and , which produces the XOR sum of the hash values of two hash functions as the hash value of the XOR hash combiner (Figure 1). In this paper, we assume the two underlying hash functions are both MD structure hash functions.

For an input message , we first pad it into with a length that is a multiple of and divide it into -blocks . Then, for the two initial chaining values and two compression functions , the XOR hash combiner is processed as follows:

Step 1. In the first pass, for the initial value and the underlying compression function , perform as described in Section 2.1.

Step 2. In the second pass, for the initial value and the underlying compression function , perform as described in Section 2.1.

Step 3. Compute the sum of the results obtained in Step 1 and Step 2 and then output it as the hash value of XOR hash combiner, that is,

In the remainder of this paper, we assume that the two compression functions in the XOR hash combiner are both weak ideal compression functions.

2.4. Notations

: two different hash functions with strengthened MD structure;

: XOR hash combiner based on hash functions ;

: two weak ideal compression functions used in and , respectively;

: two hash functions with MD structure and compression function and , respectively;

: initial chaining values of hash functions and , respectively;

: input message with arbitrary length;

: padded message with the last block including padding;

: the -th message block of ;

: the -th chaining values produced by and , respectively;

: the -bit hash values of .

2.5. Existing Attack Techniques
2.5.1. Birthday Attack

Birthday attack is one of the best-known combinatorial tools in cryptology, and the birthday problem is described as follows.

Definition 2. (Birthday problem) [13]. Given two lists of elements drawn uniformly and independently at random from , find and such that .

If the sizes of lists are favorably chosen, the complexity of the optimal algorithm is about . Hence, whether the lists are produced by one hash function or by two different ones, we could find and such that with the complexity of . That is, assuming are two different hash functions, then we could find two different inputs (chaining values or messages) such that with the time complexity of . Furthermore, for any fixed values , we could also find two different inputs (chaining values or messages) such that with the time complexity of .

2.5.2. Joux’s Multicollision

A -collision attack is to find messages producing the same hash value. That is, for a -bit hash function and -block messages , if then we call as -collision with length of -block of the hash function .

From [14], we know that the time complexity of finding a -collision is about for a -bit ideal hash function.

In 2004, Joux [2] proposed a multicollision attack on hash functions with the MD construction and an ideal compression function . Assume that the initial value is , and set . Then Joux’s multicollision attack proceeds as follows to find one -collision (Figure 2).

Step 1. Use the birthday attack to find two one-block messages such that

Step 2. From the chaining value , find two one-block messages such that

Step 3. Repeat the above step until two one-block messages are found such that

Step 4. For each with , choose or to form messages with the length of -block producing the same hash value .

From the above description of birthday attack, we know that the time complexity of finding a 2-collision is about , so for any with , the time complexity of finding the -th two one-block messages is about . Therefore, the time complexity of the above multicollision attack is about .

2.5.3. Diamond Structure

A -depth diamond structure proposed by Kelsey and Kohno [15] starts from different random values and ends with one point, which is essentially a -multicollision. The complexity of constructing a -depth diamond multicollision is about where the birthday attack is mainly applied. Since the different starting points in the diamond structure offer a larger space of choices, it is useful not only for single-pass hash functions but also for multi-pass hash functions, as in the preimage attack on concatenation and XOR hash combiners [6], the second preimage attack on zipper hash [16], and so on.

2.5.4. Inverse-Diamond Structure

A -depth inverse-diamond structure (Figure 3) proposed in [16] produces many end points from one starting point, and the messages used to produce different chaining values are from the multicollision constructed in another pass, of which the time complexity is about . Chen and Jin [16] presented the first second preimage attack on zipper hash using the inverse-diamond structure, with the time complexity of , less than . The details of constructing an inverse-diamond structure are described as follows.

Step 1. In the second pass, from the starting point , construct a -collision with the length of -block on the weak ideal compression function according to Joux’s method. For any with , denote the two messages produced in -th step as , respectively.

Step 2. In the first pass, from the starting point , compute and , which are denoted as and , respectively.

Step 3. From the point , compute out

Similarly, from the , compute out

Step 4. Repeatedly compute from the points obtained in the last step until the -th step. That is, for any with , from , compute out

Therefore, we obtain points at the end.

From the construction of the inverse-diamond structure, we see that it guarantees that the messages in the two passes are identical, which is important for analyzing two-pass hash combiners.
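The following is an added example, not code from the paper: it runs Joux's multicollision (Section 2.5.2) in one pass and then evaluates the same message blocks in the other pass to obtain the inverse-diamond end points (Section 2.5.4). The 24-bit toy compression function (truncated SHA-256), the tags `b"H1"`/`b"H2"`, the initial values and all function names are assumptions chosen so the birthday searches finish instantly.

```python
import hashlib

# Toy parameters (assumptions for this example): 24-bit chaining values so the
# birthday searches finish in milliseconds; real narrow-pipe hashes use 128+ bits.
N_BYTES = 3
IV1, IV2 = 0x000001, 0x000002  # constructed initial chaining values


def compress(tag: bytes, h: int, block: bytes) -> int:
    """Toy compression function: SHA-256(tag, chaining value, block), truncated."""
    data = tag + h.to_bytes(N_BYTES, "big") + block
    return int.from_bytes(hashlib.sha256(data).digest()[:N_BYTES], "big")


def md_chain(tag: bytes, h: int, blocks) -> int:
    """Plain Merkle-Damgard iteration (no padding) over a list of blocks."""
    for block in blocks:
        h = compress(tag, h, block)
    return h


def find_block_collision(tag: bytes, h: int):
    """Birthday search for two distinct one-block messages colliding from h."""
    seen = {}
    counter = 0
    while True:
        block = counter.to_bytes(8, "big")
        out = compress(tag, h, block)
        if out in seen:
            return seen[out], block, out
        seen[out] = block
        counter += 1


def joux_multicollision(tag: bytes, h: int, t: int):
    """Chain t one-block collisions; any choice per step gives the same end value."""
    pairs = []
    for _ in range(t):
        b0, b1, h = find_block_collision(tag, h)
        pairs.append((b0, b1))
    return pairs, h


def inverse_diamond_endpoints(tag: bytes, h: int, pairs):
    """Run every multicollision message through the other pass, level by level.

    Returns {end point: message blocks}; at most 2^t entries.
    """
    frontier = {h: []}
    for b0, b1 in pairs:
        frontier = {compress(tag, x, b): msg + [b]
                    for x, msg in frontier.items() for b in (b0, b1)}
    return frontier


if __name__ == "__main__":
    pairs, common = joux_multicollision(b"H2", IV2, 4)
    ends = inverse_diamond_endpoints(b"H1", IV1, pairs)
    print("common second-pass value:", hex(common))
    print("distinct first-pass end points:", len(ends))
```

Every message stored in the returned dictionary reaches the single second-pass value while landing on its own first-pass end point, which is the property the two-pass analysis relies on.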

3. Our Second Preimage Attack on XOR Hash Combiner

The XOR hash combiner is the sum of two different -bit hash functions with the same input message and different initial chaining values, so to find the second preimage of the target hash value, the key problem is how to keep the processing of the second preimage in two passes consistent. To solve this problem, we develop a new technique called multicollision-and-double-diamond structure, and then propose a second preimage attack on the XOR hash combiner with the time complexity of , much less than the ideal time complexity .

3.1. Construction of the Multicollision-and-Double-Diamond Structure

Based on the inverse-diamond structure, we bring in the meet-in-the-middle technique and thereby propose an extended inverse-diamond structure called the multicollision-and-double-diamond structure. The multicollision-and-double-diamond structure keeps the messages in the two passes consistent and mainly consists of one multicollision structure and two inverse-diamond structures. In the -multicollision-and-double-diamond structure, we first construct a multicollision with the length of in one pass using Joux’s method. Then, in the other pass, to reduce the complexity of finding one second preimage consistent with the one in the first pass, we construct two inverse-diamond structures from two different starting points and use the meet-in-the-middle technique to make them collide.

Now, assume that the two hash functions used in the XOR hash combiner are and . The details of constructing a -multicollision-and-double-diamond structure for are described as follows (Figure 4).

Step 1. In the first pass, from the initial chaining value construct a -collision with length using Joux’s method and produce a chaining value .

Step 2. In the second pass, from the initial chaining value construct an inverse-diamond structure of hash function with the depth of producing points, denoted as the set . Then, from another given point , construct an inverse-diamond structure of hash function with the depth of producing points, denoted as the set , in which there is at least one point equal to one of the points in since the size of the chaining value is -bit and the probability is about .

From the above description, we know that the multicollision-and-double-diamond structure can be constructed only if the values of the two starting points in the two passes and one of the ending points are known in advance and the compression functions are invertible.

3.2. Our Second Preimage Attack on XOR Hash Combiner

To guarantee that the values of the two starting points in the two passes and one of the ending points are known in advance, we first construct two multicollisions with length of in the two passes, respectively. Then, using the multicollision-and-double-diamond structure twice with different starting points, we present the first second preimage attack on the XOR hash combiner, of which the time complexity is about and memory complexity is about .

For a given hash value and a padded message where is -bit message block and , we obtain a second preimage of the XOR hash combiner using the following procedure (Figure 5).

Step 1. Use the birthday attack to find two different chaining values and such that where is the target hash value and is the last message block.

Step 2. Construct a -multicollision-and-double-diamond structure for and -multicollision-and-double-diamond structure for simultaneously:

Step 2.1. In the first pass, from initial value construct a -collision with length for hash function using Joux’s multicollision method and produce a chaining value .

Step 2.2. In the second pass, from the chaining value , construct a -collision with length for the hash function using Joux’s multicollision method; the end point is denoted .

Step 2.3. In the first pass, from the chaining value , construct an inverse-diamond construction with depth for the hash function ; the set of points is denoted of which the size is .

Step 2.4. Find a message with length of from the -collision constructed in the first pass such that equals one of the points in set , which leads to a message with length of -block in the inverse-diamond producing the chaining value .

Step 2.5. In the second pass, from the initial chaining value , construct an inverse-diamond with depth of using the -collision in the first pass; the set of end points is denoted . Find a message with length from the -collision constructed in the first pass such that equals one of the values in set ; the corresponding message is denoted as satisfying

Step 3. Output the message as the second preimage of the given hash value .

3.3. Complexity of Our Second Preimage Attack

In this section, we analyze the time complexity and memory of our attack.

In Step 1, we find and using the birthday attack and since the hash size is -bit, the time complexity is about . According to Joux’s multicollision method, the time complexities of Step 2.1 and Step 2.2 are both about . In Step 2.3, the time complexity of constructing an inverse-diamond structure with depth is about , and we need to store the values of set . In Step 2.4, we compute messages with length of to collide with one of the values in set , hence the time complexity is about . Similarly, the time complexity of Step 2.5 is about and the memory is about . In summary, the time complexity of our attack is about and the memory is about .

In particular, if , then the time complexity is about and the memory is about .

4. Conclusion

In this work, we analyze the second preimage resistance of the XOR hash combiner built on two different narrow-pipe hash functions with weak ideal compression functions. To control simultaneously the behavior of the two different hash functions, we develop a new structure called multicollision-and-double-diamond, based on which we present the first second preimage attack on the XOR hash combiner with the time complexity of about  ( is the size of the XOR hash combiner and and are respectively the depths of the two inverse-diamond structures), less than the ideal time complexity , and memory complexity of about . In particular, if the depths of the two inverse-diamond structures are equal, then the time complexity is about and the memory is about . In future work, we would like to analyze the security of the XOR hash combiner against other attacks.

Data Availability

The data used to support the findings of this study are included within the article.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

We are grateful to the anonymous referees for their valuable comments. The work in this paper is supported by the National Natural Science Foundation of China (Grant No: 62372463) and the Natural Science Foundation of Henan Province (Grant No: 222300420100).