**An Automata-Theoretic Interpretation of Iterated Hash Functions - Application to Multicollisions**

*Kimmo Halunen and Juha Kortelainen and Tuomas Kortelainen*

**Abstract: **In this paper we present a new method of constructing multicollision
sets for iterated hash functions. Multicollisions have been studied
quite actively since Joux published an attack against iterated hash
functions, which works in $O(k2^{\frac{n}{2}} )$ complexity for $2^k$
-multicollisions. Recently Kelsey \& Schneier and Aumasson have
published even faster multicollision attacks, which are based on fixed
points of the compression function and some assumptions on the
attacker's capabilities. Our method has complexity $O(2^{\frac{n}{2}}
)$ for arbitrarily large multicollision sets and does not have any
additional assumptions on the compression function or attacker's
capabilities. The drawback of our method is the extremely long
messages generated by the algorithm in the worst case. Our method is based on automata
theory and, given a compression function $f$, we construct a finite
state transducer, which realizes the iterated hash function based on
$f$. The method for generating multicollision sets is based on well
known pumping properties of these automata.

**Category / Keywords: **foundations / hash function, multicollision, automata theory

**Date: **received 16 Sep 2009, withdrawn 19 Oct 2009

**Contact author: **khalunen at ee oulu fi

**Available format(s): **(-- withdrawn --)

**Version: **20091019:061423 (All versions of this report)

**Short URL: **ia.cr/2009/456

**Discussion forum: **Show discussion | Start new discussion

[ Cryptology ePrint archive ]