Even though meet-in-the-middle preimage attack framework has been successfully applied to attack most of narrow-pipe hash functions, it seems difficult to apply this framework to attack double-branch hash functions. Only few results have been published on this research. This paper proposes a refined strategy of applying meet-in-the-middle attack framework to double-branch hash functions. The main novelty is a new local-collision approach named one-message-word local collision. We have applied our strategy to two double-branch hash functions RIPEMD and RIPEMD-128, and obtain the following results.·On RIPEMD. We find a pseudo-preimage attack on 47-step compression function, where the full version has 48 steps, with a complexity of 2119. It can be converted to a second preimage attack on 47-step hash function with a complexity of 2124.5. Moreover, we also improve previous preimage attacks on (intermediate) 35-step RIPEMD, and reduce the complexity from 2113 to 296. ·On RIPEMD-128. We find a pseudo-preimage on (intermediate) 36-step compression function, where the full version has 64 steps, with a complexity of 2123. It canl be converted to a preimage attack on (intermediate) 36-step hash function with a complexity of 2126.5. Both RIPEMD and RIPEMD-128 produce 128-bit digests. Therefore our attacks are faster than the brute-force attack, which means that our attacks break the theoretical security bound of the above step-reduced variants of those two hash functions in the sense of (second) preimage resistance. The maximum number of the attacked steps on both those two hash functions is 35 among previous works based to our best knowledge. Therefore we have successfully increased the number of the attacked steps. We stress that our attacks does not break the security of full-version RIPEMD and RIPEMD-128. But the security mergin of RIPEMD becomes very narrow. On the other hand, RIPEMD-128 still has enough security margin.

We propose preimage attacks against PKC98-Hash and HAS-V. PKC98-Hash is a 160-bit hash function proposed at PKC 1998, and HAS-V, a hash function proposed at SAC 2000, can produce hash values of 128+32k (k=0,1,...,6) bits. These hash functions adopt the Merkle-Damgård and Davies-Meyer constructions. One unique characteristic of these hash functions is that their step functions are not injective with a fixed message. We utilize this property to mount preimage attacks against these hash functions. Note that these attacks can work for an arbitrary number of steps. The best proposed attacks generate preimages of PKC98-Hash and HAS-V-320 in 264 and 2256 compression function computations with negligible memory, respectively. This is the first preimage attack against the full PKC98-Hash function.

We study the security of AES in the open-key setting by showing an analysis on hash function modes instantiating AES including Davies-Meyer, Matyas-Meyer-Oseas, and Miyaguchi-Preneel modes. In particular, we propose preimage attacks on these constructions, while most of previous work focused their attention on collision attacks or distinguishers using non-ideal differential properties. This research is based on the motivation that we should evaluate classical and important security notions for hash functions and avoid complicated attack models that seem to have little relevance in practice. We apply a recently developed meet-in-the-middle preimage approach. As a result, we obtain a preimage attack on 7 rounds of Davies-Meyer AES and a second preimage attack on 7 rounds of Matyas-Meyer-Oseas and Miyaguchi-Preneel AES. Considering that the previous best collision attack only can work up to 6 rounds, the number of attacked rounds reaches the best in terms of the classical security notions. In our attacks, the key is regarded as a known constant, and the attacks thus can work for any key length in common.

We revisit the design of Lesamnta-LW, which is one of the three lightweight hash functions specified in ISO/IEC 29192-5:2016. Firstly, we present some updates on the bounds of the number of active S-boxes for the underlying 64-round block cipher. While the designers showed that the Viterbi algorithm ensured 24 active S-boxes after 24 rounds, our tool based on Mixed Integer Linear Programming (MILP) in the framework of Mouha et al. ensures the same number of active S-boxes only after 18 rounds. The tool completely evaluates the tight bound of the number of active S-boxes, and it shows that the bound is 103 for full (64) rounds. We also analyze security of the Shuffle operation in the round function and resistance against linear cryptanalysis. Secondly, we present a new mode for a pseudorandom function (PRF) based on Lesamnta-LW. It is twice as efficient as the previous PRF modes based on Lesamnta-LW. We prove its security both in the standard model and the ideal cipher model.

At Eurocrypt'05, Wang et al. presented efficient collision attacks on MD5 and MD4 hash functions. They found a collision of MD5 with a complexity of less than 237 MD5 hash operations, and a collision of MD4 with complexity less than 28 MD4 hash operations. In their attack, the procedure to generate a collision is divided into 4 steps. First, they determine the message differential and output differentials of chaining variables in each step, which generates a collision with small complexity. Second, they construct sufficient conditions that guarantee that the desired differential is always calculated. Third, they find a message modification that can satisfy the sufficient conditions with high probability. Finally, they search for a message that satisfies all sufficient conditions. In this paper, we focus on the message modification of MD5 and MD4, and propose a new message modification. Using our message modification, a collision of MD5 can be found with complexity less than 229 MD5 hash operations, and a collision of MD4 can be found with complexity less than 3 MD4 hash operations. To improve the complexity from previous attacks, we mainly use two ideas. The first idea is to use message modification that can satisfy more sufficient conditions in the second round than in previous attacks. The second idea is to use message modification that can enable us to search for a collision starting from an intermediate step.

In this paper, generic attacks are presented against hash functions that are constructed by a hashing mode instantiating a Feistel or generalized Feistel networks with an SP-round function. It is observed that the omission of the network twist in the last round can be a weakness against preimage attacks. The first target is a standard Feistel network with an SP round function. Up to 11 rounds can be attacked in generic if a condition on a key schedule function is satisfied. The second target is a 4-branch type-2 generalized Feistel network with an SP round function. Up to 15 rounds can be attacked in generic. These generic attacks are then applied to hashing modes of ISO standard ciphers Camellia-128 without FL and whitening layers and CLEFIA-128.

The current paper presents an integral cryptanalysis in the single-key setting against light-weight block-cipher LBlock reduced to 22 rounds. Our attack uses the same 15-round integral distinguisher as the previous attacks, but many techniques are taken into consideration in order to achieve comprehensive understanding of the attack; choosing the best balanced-byte position, meet-in-the-middle technique to identify right key candidates, partial-sum technique, relations among subkeys, and combination of the exhaustive search with the integral analysis. Our results indicate that the integral cryptanalysis is particularly useful for LBlock like structures. At the end of this paper, which factor makes the LBlock structure weak against the integral cryptanalysis is discussed. Because designing light-weight cryptographic primitives is an actively discussed topic, we believe that this paper returns some useful feedback to future designs.