Paper 2009/456

An Automata-Theoretic Interpretation of Iterated Hash Functions - Application to Multicollisions

Kimmo Halunen, Juha Kortelainen, and Tuomas Kortelainen

Abstract

In this paper we present a new method of constructing multicollision sets for iterated hash functions. Multicollisions have been studied quite actively since Joux published an attack against iterated hash functions, which works in $O(k2^{\frac{n}{2}} )$ complexity for $2^k$ -multicollisions. Recently Kelsey \& Schneier and Aumasson have published even faster multicollision attacks, which are based on fixed points of the compression function and some assumptions on the attacker's capabilities. Our method has complexity $O(2^{\frac{n}{2}} )$ for arbitrarily large multicollision sets and does not have any additional assumptions on the compression function or attacker's capabilities. The drawback of our method is the extremely long messages generated by the algorithm in the worst case. Our method is based on automata theory and, given a compression function $f$, we construct a finite state transducer, which realizes the iterated hash function based on $f$. The method for generating multicollision sets is based on well known pumping properties of these automata.