Paper 2006/116

Second Preimages for Iterated Hash Functions Based on a b-Block Bypass

Mario Lamberger, Norbert Pramstaller, and Vincent Rijmen


In this article, we present a second preimage attack on a double block-length hash proposal presented at FSE 2006. If the hash function is instantiated with DESX as underlying block cipher, we are able to construct second preimages deterministically. Nevertheless, this second preimage attack does not render the hash scheme insecure. For the hash scheme, we only show that it should not be instantiated with DESX but AES should rather be used. However, we use the instantiation of this hash scheme with DESX to introduce a new property of iterated hash functions, namely a so-called b-block bypass. We will show that if an iterated hash function possesses a b-block bypass, then this implies that second preimages can be constructed. Additionally, the attacker has more degrees of freedom for constructing the second preimage.

Available format(s)
Publication info
Published elsewhere. Unknown where it was published
iterated hash functionssecond preimagedifferential cryptanalysis
Contact author(s)
Norbert Pramstaller @ iaik tugraz at
2006-09-26: last of 3 revisions
2006-03-26: received
See all versions
Short URL
Creative Commons Attribution


      author = {Mario Lamberger and Norbert Pramstaller and Vincent Rijmen},
      title = {Second Preimages for Iterated Hash Functions Based on a b-Block Bypass},
      howpublished = {Cryptology ePrint Archive, Paper 2006/116},
      year = {2006},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.