2009 Reports : Cryptology ePrint Archive Forum

**Re: 2009/033**

Discussion forum for Cryptology ePrint Archive reports posted in 2009.
Please put the report number in the subject.

2009/033

Posted by: **Orr** (IP Logged)

Date: 23 January 2009 16:52

The MSBs are treated in a linear manner.

Thus, a collision attack and a second preimage attack on the hash function are easily done.

Posted by: **yesmaeili** (IP Logged)

Date: 30 April 2009 09:10

I gathered from the point made by Orr that a collision attack and/or a second preimage attack can be easily done. I would appreciate it if Orr would explain more.

Are your points related to the weakness properties of T-Functions?

Posted by: **Orr** (IP Logged)

Date: 13 May 2009 20:36

A difference in the MSB affects only other MSBs.

(In other words, the MSBs do not affect any other bit but the MSBs.)

And for a given message (just fix the 31 LSBs of each message word and the entire chaining value), the MSBs of the eight output chaining values are a linear combination of the 16 message MSBs.

Because this is the case, it is easy to find collisions (just solve the required linear equations) and second preimages (given a specific input to the compression function, flip the correct MSBs to obtain the same output).

Also, using the De Canniere and Rechberger attack from Crypto 2006, it is possible to find preimages of the compression function in time complexity of about 32*2^8.

(some of these observations were verified by Tor).
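An added illustration, not part of the thread and not the code of the hash function in report 2009/033, of why the linearity described in the post above breaks collision resistance. The 8x16 GF(2) matrix `ROWS` and the constant `CONST` are constructed random stand-ins for the real MSB map (all names are hypothetical); any nonzero kernel vector marks a set of message MSBs that can be flipped without changing the output MSBs.

```python
import random

N_IN, N_OUT = 16, 8  # 16 message-word MSBs in, 8 chaining-word MSBs out (as in the post)

def parity(x):
    return bin(x).count("1") & 1

def msb_map(rows, const, m):
    """Affine map over GF(2): output bit i = <rows[i], m> XOR bit i of const."""
    out = 0
    for i, r in enumerate(rows):
        out |= parity(r & m) << i
    return out ^ const

def kernel_basis(rows, ncols):
    """Basis of {d : rows . d = 0 over GF(2)} via Gauss-Jordan elimination."""
    pivots = {}  # pivot column -> fully reduced row
    for r in rows:
        for col, pr in pivots.items():
            if (r >> col) & 1:
                r ^= pr              # clear every existing pivot column in r
        if r == 0:
            continue                 # row was linearly dependent
        col = r.bit_length() - 1     # new pivot column
        for c in pivots:
            if (pivots[c] >> col) & 1:
                pivots[c] ^= r       # keep earlier rows reduced
        pivots[col] = r
    basis = []
    for f in range(ncols):           # one kernel vector per free column
        if f in pivots:
            continue
        d = 1 << f
        for p, pr in pivots.items():
            if (pr >> f) & 1:
                d |= 1 << p
        basis.append(d)
    return basis

# Constructed stand-in: the real matrix would depend on the fixed 31 LSBs of each
# message word and on the chaining value; here it is simply seeded random data.
rng = random.Random(2009)
ROWS = [rng.getrandbits(N_IN) for _ in range(N_OUT)]
CONST = rng.getrandbits(N_OUT)

def find_collision(m):
    """Return (m, m') with m != m' and identical output MSBs."""
    return m, m ^ kernel_basis(ROWS, N_IN)[0]
```

Because the map has 16 input bits and only 8 output bits, the kernel has dimension at least 8, so such a flip pattern always exists whatever the matrix is.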
