
IJCSI International Journal of Computer Science Issues, Vol. 9, Issue 2, No 2, March 2012
ISSN (Online): 1694-0814
www.IJCSI.org 461

Cryptographic Hash Functions: A Review

Rajeev Sobti (1), G. Geetha (2)

(1) School of Computer Science, Lovely Professional University, Phagwara, Punjab 144806, India
(2) School of Computer Applications, Lovely Professional University, Phagwara, Punjab 144806, India

Abstract

Cryptographic hash functions are used to achieve a number of security objectives. In this paper, we bring out the importance of hash functions, their various structures, design techniques, attacks and the progressive recent developments in this field.

Keywords: Cryptography, Hash function, compression function

1. Introduction

Cryptographic techniques, mainly encryption and decryption, have been used for centuries to protect military and political secrets, and D. Kahn in [1] has given a comprehensive study of this history. Throughout this history of cryptology, confidentiality has taken the primary seat and it was believed that if secrecy is maintained (using symmetric encryption and a secret key) then authentication will automatically be achieved. The logic was that if decryption of an encrypted text results in a meaningful message, it must have been constructed by someone who knows the secret key. During all this period the field of cryptology was the kingdom of a selected few, i.e. it was studied and practiced by few. The trend changers were Diffie and Hellman, who are credited with the advent of public key cryptography in the mid 70s. Their seminal paper New Directions in Cryptography [2] introduced a number of relevant concepts like digital signatures, differentiated confidentiality from authentication and to quite an extent initiated the development of cryptographic schemes for the protection of authenticity. These schemes use a very important cryptographic primitive named cryptographic hash functions. However, cryptographic hash functions have received much less attention from the cryptologic community than encryption schemes in the past. Bert Rompay in his thesis [3] quoted the example of the NESSIE (New European Scheme for Signature Integrity and Encryption) project to illustrate how cryptographic hash functions have been ignored in the past. In the NESSIE project, seventeen block ciphers and six stream ciphers were submitted as candidates (both are categories of encryption schemes), but only one un-keyed hash function and two keyed hash functions (also known as MAC, Message Authentication Code) were submitted. Rompay [3] also gave the example of the open competition used by the National Institute of Standards and Technology (NIST) in the United States to decide on the block cipher to be used as the Advanced Encryption Standard. This competition had fifteen candidates, out of which the Rijndael [7] block cipher was finally chosen. On the other hand, for its hash function standard [6] NIST simply chose the SHA hash functions, designed by the NSA without disclosure of their design strategy or any supporting cryptanalytic results. However, the trend has changed in recent years because of the wide range of application areas of cryptographic hash functions. Cryptographic hash functions are used to achieve a number of security goals like message authentication and message integrity, and are also used to implement digital signatures (non-repudiation), entity authentication and digital steganography. Considerable research has been going on in the field of cryptographic hash functions. Hash functions are being generated from existing primitives like block ciphers (e.g. Whirlpool [84], Skein [66]) as well as being explicitly and specially constructed from scratch, like the MDx family [9, 10] and the SHA family [4, 5, 6, 8] of hash functions.

Organization of the paper: This paper presents a detailed study of cryptographic hash functions. The organisation of the paper is as follows. In Sections 2 and 3 the basic concepts like definitions, properties and applications of hash functions are detailed. Section 4 discusses the basic as well as currently used iterative structures of hash functions. In Sections 5 and 6 security properties and possible attacks are detailed. In Section 7 various design techniques of underlying compression functions are explained. Section 8 throws light on the current scenario in hash functions.

2. Cryptographic Hash Functions

The term hash function has been used in computer science for quite some time and it refers to a function that compresses a string of arbitrary length to a string of fixed length. However, if it satisfies some additional requirements (as detailed further), then it can be used for cryptographic applications and is then known as a cryptographic hash function.

Copyright (c) 2012 International Journal of Computer Science Issues. All Rights Reserved.

Cryptographic hash functions are one of the most important tools in the field of cryptography and are used to achieve a number of security goals like authenticity, digital signatures, pseudo random number generation, digital steganography, digital time stamping etc. Gauravaram [16] in his thesis has suggested that the usage of cryptographic hash functions in several information processing applications to achieve various security goals is much more widespread than the application of block ciphers and stream ciphers.

Rompay [3] has given the following formal definition of hash functions:

Definition: A hash function is a function h: D → R, where the domain D = {0,1}* and R = {0,1}^n for some n >= 1. (1)

Cryptographic hash functions are broadly of two types, i.e. keyed hash functions, which use a secret key, and un-keyed hash functions, which do not use a secret key. The keyed hash functions are referred to as Message Authentication Codes. Generally the term hash function refers to un-keyed hash functions, and in this paper we will concentrate on un-keyed hash functions only. Un-keyed or simply hash functions (sometimes also known as MDC, Manipulation Detection Code) can further be classified into OWHF (One Way Hash Functions), CRHF (Collision Resistant Hash Functions) and UOWHF (Universal One Way Hash Functions) depending on the additional properties they satisfy.

2.1 One Way Hash Functions (OWHF)

An OWHF as defined by Merkle [11] is a hash function H that satisfies the following requirements:
I. H can be applied to a block of data of any length. (In practice, "any length" may actually be bounded by some huge constant, larger than any message we would ever want to hash.)
II. H produces a fixed-length output.
III. Given H and x (any given input), it is easy to compute the message digest H(x).
IV. Given H and H(x), it is computationally infeasible to find x.
V. Given H and H(x), it is computationally infeasible to find x and x' such that H(x) = H(x').

The first three requirements are a must for practical applications of a hash function to message authentication and digital signatures. The fourth requirement, also known as pre-image resistance or the one way property, states that it is easy to generate a message code given a message but hard (virtually impossible) to generate a message given a code. The fifth requirement, also known as the second pre-image resistance property, guarantees that an alternative message hashing to the same code as a given message cannot be found.

2.2 Collision Resistant Hash Functions (CRHF)

One of the early definitions of collision resistant hash functions was given by Merkle [12]. Based on the same, a CRHF may be defined as a hash function H that satisfies all the requirements of an OWHF (I to V as listed in 2.1) and in addition satisfies the following collision resistance property:

Given H, it is computationally infeasible to find a pair (x, y) such that H(x) = H(y).

2.3 Universal One Way Hash Functions (UOWHF)

Moni Naor and Moti Yung [13] presented the idea of universal one way hash functions and, using the same, presented a digital signature scheme that was not based on trapdoor functions. Rather, Naor and Yung [13] used 1-1 one way functions to construct a UOWHF and in turn implement a digital signature scheme. The security property of UOWHF as described in [13] is reframed as follows:

Let U contain a finite number of hash functions, each having the same probability of being used. Let a probabilistic polynomial time algorithm A (A is the collision adversary) operate in two phases. Initially, A receives input k and outputs a value x known as the initial value; then a hash function H is chosen from the family U. A then receives H and must output y such that H(x) = H(y). In other words, after getting a hash function it tries to find a collision with the initial value. Now U will be called a family of universal one way hash functions if for all polynomial-time A the probability that A succeeds is negligible.

How to construct UOWHFs of higher orders efficiently is still an unsolved problem in cryptography.

3. Security Services of Cryptographic Hash Functions

3.1 Achieving Integrity & Authentication

Verifying the integrity and authenticity of information is a prime necessity in computer systems and networks. In particular, two parties communicating over an insecure channel require a method by which information sent by one party can be validated as authentic (or unmodified) by the other [17].


Message integrity and authentication may be implemented in multiple ways. Symmetric encryption based mechanisms may be used, but they have their own drawbacks. Drawbacks like speed, cost factor, optimization for data sizes etc. have been highlighted by Tsudik [18]. Such methods combine the confidentiality and authentication functions. However, there are scenarios where encrypting the full message (confidentiality) is not required. For such applications keeping the message secret is not the concern, but authenticating it is important. For example in SNMP (Simple Network Management Protocol), it is usually important for a managed system to authenticate incoming SNMP commands (like changing the parameters at the managed system), but concealing the SNMP traffic is not required.

In order to implement message authentication and integrity, the alternative techniques (other than the methods mentioned in the last paragraph) are MACs or hash functions. MACs may be constructed out of block ciphers like DES. More recently, however, there has been a surge of interest in the idea of constructing MACs from cryptographic hash functions [17]. In addition to using hash functions for implementing MACs, hash functions can be used to achieve message authentication and integrity goals without the use of symmetric encryption. Tsudik [18] has detailed a protocol based on the same idea. Rompay [3] has also detailed the ways of ensuring authentication using hash functions alone as well as using hash functions with encryption. The usage of hash functions for message authentication and ensuring message integrity has surged because the majority of hash functions are faster than block ciphers in software implementation and these software implementations are readily and freely available [17].

3.2 Implementing Efficient Digital Signatures

A digital signature is a security goal of a cryptosystem which intends to achieve the goal of authenticity and the security service or property of non-repudiation [16]. MACs and hash functions alone do not implement the security goal of digital signatures. It was Diffie and Hellman [2] who first realised the need for a message dependent electronic signature (fingerprint) to avoid disputes between sender and receiver. RSA [19] was the first public key cryptosystem with digital signature capabilities. However, there is an interesting part to this invention. James Ellis, Clifford Cocks and Malcolm Williamson from GCHQ (Government Communication Head Quarters), Cheltenham, Britain perhaps invented the idea of public key cryptography in 1972. The three Britons had to sit back and watch as their discoveries were rediscovered by Diffie, Hellman, Merkle, Rivest, Shamir and Adleman over the next three years because of the policies of GCHQ that all work is top secret and cannot be shared with anyone [20].

Hash functions are used to optimize digital signature schemes. Without the use of a hash, the signature will be of the same size as the message. The fundamental concept here is that instead of generating the signature for the whole message which is to be authenticated, the sender of the message only signs the digest of the message using a signature generation algorithm. The sender then transmits the message and the signature to the intended receiver. The receiver verifies the signature of the sender by computing the digest of the message using the same hash function as the sender and comparing it with the output of the signature verification algorithm. It is obvious that this approach saves a lot of the computational overhead involved in signing and verifying messages in the absence of hash functions [16].

3.3 Authenticate Users of Computer Systems

Hash functions may be used to authenticate users at the time of login. The passwords are stored in the form of message digests to avoid access to the same even by database administrators (because of the pre-image resistance of the hash digest). Whenever a user tries to login and enters the password, the message digest of the entered password is computed and compared with the digest stored in the database. If it matches, then login is successful, otherwise the user is not authenticated.

3.4 Digital Time Stamping

The majority of text, audio and video documents are available in digital format and a number of simple techniques and tools are available to change digital documents. So some sort of mechanism is required to certify when such a document was created or last modified. Digital timestamps solve the purpose and provide temporal authentication. Rompay [3] in his thesis work has suggested multiple ways, like a simple scheme based on a trusted third party, a scheme that links timestamps into a temporal chain and another one that makes use of Merkle trees. Rompay [3] highlighted that digital time stamps help in protecting intellectual property rights, ensuring strong auditing procedures and implementing true non-repudiation services. Before [3], Haber and Stornetta [21] had also detailed how one way hash functions and digital signatures can be used to implement digital time stamping.

3.5 Hash functions as PRNG

Hash functions, as one way functions, can be used to implement a PRNG (pseudo random number generator). A very simple technique can be to start from an initial value s known as the seed and compute H(s) and then H(s+1), H(s+2) and so on. [22, 23] have given some other ways of constructing pseudo random strings from hash functions.


3.6 Session Key Derivation

Hash functions as one way functions can be used to generate a sequence of session keys that are used for the protection of successive communication sessions. Starting from a master key K0, the first session key can be K1 = H(K0), the second session key can be K2 = H(K1) and so on. Matyas et al. [24] described a key management scheme based on control vectors which makes use of hash functions and encryption functions for generating session keys.

3.7 Constructions of Block Ciphers

Block ciphers can be used to construct a cryptographic hash function; however, the inverse is also true and there have been block ciphers designed using hash functions. In [25] Handschuh and Naccache proposed to use the compression function of the cryptographic hash function SHA-1 [5] in encryption mode. The name of the cipher was SHACAL. SHACAL-1 (originally named SHACAL) and SHACAL-2 are block ciphers based on SHA-1 [5] and SHA-256 [6] respectively. SHACAL-1 is a 160-bit block cipher and SHACAL-2 is a 256-bit block cipher. Both were selected for the second phase of the NESSIE project. In 2003 SHACAL-1 was not recommended for the NESSIE portfolio because of concerns about its key schedule, while SHACAL-2 was finally selected as one of the 17 NESSIE finalists. SHACAL-1 used the compression function of SHA-1 and turned it into a block cipher by using the state input as the data block and using the data input as the key input. In other words SHACAL-1 treated the SHA-1 compression function as an 80-round, 160-bit block cipher with a 512-bit key. Keys shorter than 512 bits are supported by padding them with zeros up to 512 bits. SHACAL-1 was not intended to be used with keys shorter than 128 bits.

3.8 Other Applications

Hash functions can also be used to index data in hash tables, for fingerprinting, to detect duplicate data or uniquely identify files, as checksums to detect accidental data corruption and also for generating random numbers.

Looking at this wide range of applications, it is not correct to say that hash functions belong to one particular cryptographic sub-branch. These cryptographic tools deserve a separate status for themselves. They are used in almost all places in cryptology where efficient information processing is required.

4. Iterative Structure of Hash Functions

4.1 Merkle-Damgård Iterated Hash Design

At Crypto 89, Ivan Damgård [26] and Ralph Merkle [12] independently proposed the iterative structure to construct a collision resistant hash function using a fixed length input collision resistant compression function. Both independently provided proofs in their papers [12 and 26] that if there exists a fixed length collision resistant compression function f: {0,1}^a × {0,1}^b → {0,1}^c, then one can design a variable length input collision resistant hash function H: {0,1}* → {0,1}^n by iterating that compression function. Originally named Merkle's Meta Method, this scheme is now mostly called the Merkle-Damgård construction. Lai and Massey [27] named such a structure an Iterated Hash Structure.

Rompay [3] has given the following formal definitions of compression function, output transformation and iterated hash function.

Definition: A compression function is a function f: D → R where D = {0,1}^a × {0,1}^b and R = {0,1}^c for some a, b, c >= 1 and a + b >= c. (2)

Definition: An output transformation is a function g: D → R where D = {0,1}^a and R = {0,1}^n for some a, n >= 1 and a >= n. (3)

Definition: Suppose that a compression function f: {0,1}^c × {0,1}^b → {0,1}^c and an output transformation g: {0,1}^c → {0,1}^n are given. Then an iterated hash function is the hash function h: ({0,1}^b)* → {0,1}^n defined by h(X_0, X_1, ..., X_{t-1}) = g(H_t), where H_{i+1} = f(H_i, X_i) for 0 <= i < t. The input blocks X_i (0 <= i < t) ∈ {0,1}^b and the initial chaining value H_0 = IV ∈ {0,1}^c. (4)

As per the definition the block length is b bits and the chaining variable is c bits long. In case the input string is not an exact multiple of b bits, then some sort of padding is used. The padding technique has varied from one algorithm to another. However, the general convention is to pad the input string with bit 0 followed by a sequence of bit 1 and at the end append the length of the message, such that after all the padding (bit 0, sequence of 1s and the message length) the total length of the padded message is an exact multiple of b bits (block length). The length of the message is padded to avoid a particular type of attack named the fixed point attack. The output transformation is required when the message digest size required is less than the size of the chaining variable, i.e. n < c. In case n = c, the output transformation can be ignored. Wherever an output transformation is required, it can be implemented by just selecting c bits out of n or using some folding technique.

Merkle [12] and Damgård [26] suggested that if the IV is not fixed then finding a second pre-image or collision is trivial, and also that if the length is not padded then attacks based on fixed points can be used to break the iterated hash structure. Both independently provided proof that


if the IV is fixed and length padding is used, then the hash function will be collision resistant if the compression function is collision resistant. The process of fixing the IV and adding length padding is known as MD-strengthening.

The majority of hash functions launched in recent years and being used these days follow the iterated hash function design. MD4 [9], MD5 [10], SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512 [4, 5, 6, 8] are all influenced by Merkle and Damgård's iterated hash design as explained above.

The Merkle-Damgård construction as explained above has some drawbacks: it suffers from some generic attacks (to be discussed in Sections 5 and 6) like Joux multicollisions [37], herding attacks [38], length extension attacks [39] etc. Because of these structural weaknesses, some other constructions have been suggested in the literature. A few of these are:

4.2 Wide Pipe Iterated Hash Design

Mainly because of length extensions and Joux multicollisions [37], Stefan Lucks [36] proposed an improvement over the Merkle-Damgård (MD) structure named the Wide Pipe Iterated Hash Design. The wide pipe design is quite similar to the MD design, but it has a larger internal state size. Lucks [36] suggested that Joux [37] and length extension are mainly based on internal collisions, and internal collisions can be avoided if we widen the internal pipe from n bits to w >= n bits. If a hash of n bits is desired, then two compression functions f1 and f2 will be required:
-- f1: {0,1}^w × {0,1}^m → {0,1}^w
-- f2: {0,1}^w → {0,1}^n
Then the wide pipe iterated hash is constructed as follows:
-- for i = 1, ..., L: compute H_i = f1(H_{i-1}, M_i)
-- Finally set H(M) = f2(H_L)
The compression function f1 takes w bits (generally w = 2n) of chaining value and m bits of message (M) and compresses this to an output of w bits, and at the end another compression function f2 compresses the last internal hash value (w bits) to the final hash value (n bits). SHA-224 and SHA-384 are based on the same design and are derived from SHA-256 and SHA-512 respectively. In addition to the wide pipe, Lucks [36] has also proposed the double-pipe hash (twined pipe) design.

4.3 Hash Iterated Framework (HAIFA)

Biham and Dunkelman [41] in 2006 proposed the HAIFA structure to overcome many of the pitfalls observed in the Merkle-Damgård construction. The main ideas behind HAIFA are the introduction of the number of bits that were hashed so far and a salt value into the compression function. Formally, instead of using a compression function of the form f_MD: {0,1}^m × {0,1}^n → {0,1}^m, Biham and Dunkelman [41] proposed to use f_MD: {0,1}^m × {0,1}^n × {0,1}^b × {0,1}^s → {0,1}^m, i.e. in HAIFA the chaining value H_i is computed as
H_i = f(H_{i-1}, M_i, #bits, salt)
where #bits is the number of bits hashed so far and salt is a salt value. For a comparison of the HAIFA structure with the wide pipe design or other designs refer to [41].

4.4 Fast Wide Pipe (FWP) Design

A further improvement of the wide pipe design was suggested by Mridul Nandi and Souradyuti Paul [40] in 2010. They proposed that FWP was nearly twice as fast as the wide pipe for a reasonable selection of the input and output size of the compression function. The idea was that the internal state, i.e. the wide pipe chaining value, should be divided into two halves. One half is input to the succeeding compression function, but the other half is combined (XOR) with the output of that succeeding compression function, i.e. we feed forward half of the previous chaining value to XOR it with the output of the compression function.

4.5 Sponge Construction

G. Bertoni et al. [42, 43, 44] proposed the sponge construction to design hash functions that closely map the random oracle. In the context of cryptographic hash functions, sponge functions provide a particular way to generalize hash functions to more general functions whose output length is arbitrary. G. Bertoni et al. in [42] explained that sponge functions are only distinguishable from random oracles by the detection of inner collisions, and the probability of inner collisions can be made arbitrarily small by increasing a security parameter called the capacity.

As per G. Bertoni et al. [44] the sponge construction is a simple iterated construction for building a function F with variable-length input and arbitrary output length based on a fixed-length transformation (or permutation) f operating on a fixed number b of bits. Here b is called the width.

The sponge construction operates on a state of b = r + c bits; r is called the bitrate and c the capacity. Initially all the b bits of the state are set to zero and the input message is padded and divided into blocks of r bits each. Then the sponge construction proceeds in two phases: the absorbing phase and the squeezing phase.
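The iterated structure of Section 4.1 and the wide-pipe variant of Section 4.2, as an added example that is not part of the paper: a toy Merkle-Damgård hash with MD-strengthening (a single 1 bit, zero bits, then the 64-bit message length, the way MD5 and SHA-2 pad), a narrow-pipe instance in which the output transformation g is the identity, and a wide-pipe instance with w = 2n and a final f2. The compression function (built from SHA-256), the all-zero IV and the tag used by f2 are assumptions chosen so that the code runs with Python's standard library only; a real design specifies its own. The last two functions verify the structural property behind the length extension attacks cited in Section 4.1: with g the identity, the digest is the final chaining value, so the iteration can be resumed from it without the original message, whereas the wide pipe's n-bit output is not its w-bit state.

```python
# Added example (not from the paper): toy Merkle-Damgard hash with MD-strengthening
# and Lucks' wide-pipe variant. The compression function is a stand-in built from
# SHA-256 (an assumption so the example runs with the standard library only).
import hashlib
import struct

BLOCK_BYTES = 64  # b = 512-bit message blocks, as in MD5, SHA-1 and SHA-256


def compress(h: bytes, x: bytes, c_bytes: int) -> bytes:
    """Stand-in f: {0,1}^c x {0,1}^b -> {0,1}^c (hypothetical, built on SHA-256)."""
    assert len(h) == c_bytes and len(x) == BLOCK_BYTES
    return hashlib.sha256(h + x).digest()[:c_bytes]


def md_pad(msg: bytes) -> bytes:
    """MD-strengthening in the SHA-2 style: one 1 bit (0x80), zero bits, then the
    64-bit big-endian message length in bits, so the total is a multiple of b."""
    padded = msg + b"\x80"
    padded += b"\x00" * ((BLOCK_BYTES - 8 - len(padded)) % BLOCK_BYTES)
    return padded + struct.pack(">Q", len(msg) * 8)


def iterate(msg: bytes, iv: bytes, c_bytes: int) -> bytes:
    """H_{i+1} = f(H_i, X_i) over the padded blocks X_0..X_{t-1}; returns H_t."""
    padded = md_pad(msg)
    h = iv
    for i in range(0, len(padded), BLOCK_BYTES):
        h = compress(h, padded[i:i + BLOCK_BYTES], c_bytes)
    return h


def md_hash(msg: bytes, n_bytes: int = 32) -> bytes:
    """Narrow-pipe MD: c = n and the output transformation g is the identity."""
    iv = b"\x00" * n_bytes  # constructed fixed IV; a real design specifies its own
    return iterate(msg, iv, n_bytes)


def wide_pipe_hash(msg: bytes, n_bytes: int = 16) -> bytes:
    """Wide pipe: f1 iterates on w = 2n bits, then f2 folds the w bits down to n."""
    w_bytes = 2 * n_bytes
    h_last = iterate(msg, b"\x00" * w_bytes, w_bytes)  # H_L after the f1 iteration
    # f2: {0,1}^w -> {0,1}^n, a second stand-in function (domain-separated by a tag)
    return hashlib.sha256(b"f2|" + h_last).digest()[:n_bytes]


def continue_from_digest(digest: bytes, orig_len: int, extra: bytes) -> bytes:
    """Narrow-pipe MD property: because g is the identity, the digest of M is the
    chaining value after M || pad(M), so iteration can resume from it without M.
    Returns md_hash(M || pad(M) || extra) computed from the digest alone."""
    n_bytes = len(digest)
    glue_len = len(md_pad(b"\x00" * orig_len)) - orig_len  # padding depends only on length
    total = orig_len + glue_len + len(extra)
    tail = extra + md_pad(b"\x00" * total)[total:]
    h = digest
    for i in range(0, len(tail), BLOCK_BYTES):
        h = compress(h, tail[i:i + BLOCK_BYTES], n_bytes)
    return h


def extension_property_holds(msg: bytes, extra: bytes) -> bool:
    """True when resuming from md_hash(msg) equals hashing the extended message
    directly. The wide pipe has no analogue: its n-bit output is not the state."""
    glue = md_pad(msg)[len(msg):]
    resumed = continue_from_digest(md_hash(msg), len(msg), extra)
    return resumed == md_hash(msg + glue + extra)


if __name__ == "__main__":
    m = b"constructed sample message"
    print("narrow pipe:", md_hash(m).hex())
    print("wide pipe:  ", wide_pipe_hash(m).hex())
    print("resumable from digest:", extension_property_holds(m, b";appended"))
```

This resumability is also why hash-based MACs (Section 3.1) are built as HMAC rather than as H(key || message) over a narrow-pipe hash: anyone holding the tag of one message can produce the tag of a padded extension of it without the key, while the wide pipe's f2 and HMAC's outer hash both hide the chaining state.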
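The absorbing and squeezing phases of Section 4.5, as an added example that is neither the paper's nor the Keccak team's code: a sponge over a state of b = r + c bits, initialised to zero, with an output of arbitrary length. The permutation f is a constructed toy bijection over 32-bit words and is not a secure permutation; the padding is the pad10*1 multi-rate padding that Keccak uses, and `sponge_hash` fixes c = 2n as the paper notes Keccak does.

```python
# Added example (not from the paper): the sponge construction with b = r + c bits.
# toy_permutation is a constructed bijection for illustration only; it is NOT a
# secure permutation such as Keccak-f.
from typing import List

MASK32 = 0xFFFFFFFF


def _rotl(x: int, k: int) -> int:
    return ((x << k) | (x >> (32 - k))) & MASK32


def toy_permutation(state: bytes, rounds: int = 8) -> bytes:
    """Toy bijection on b bits: every step is an invertible add or xor-rotate,
    so the whole map permutes the state. Needs at least three 32-bit words."""
    n = len(state) // 4
    assert len(state) % 4 == 0 and n >= 3
    w = [int.from_bytes(state[4 * i:4 * i + 4], "little") for i in range(n)]
    for rnd in range(rounds):
        for i in range(n):
            w[i] = (w[i] + w[(i + 1) % n] + rnd + 1) & MASK32
            w[(i + 2) % n] ^= _rotl(w[i], 7)
    return b"".join(x.to_bytes(4, "little") for x in w)


def pad10star1(msg: bytes, r_bytes: int) -> List[bytes]:
    """Multi-rate padding: append 0x01, zero bytes up to a multiple of r, and set
    the top bit of the last byte; returns the list of r-byte input blocks."""
    padded = bytearray(msg) + b"\x01"
    padded += b"\x00" * (-len(padded) % r_bytes)
    padded[-1] |= 0x80
    return [bytes(padded[i:i + r_bytes]) for i in range(0, len(padded), r_bytes)]


def sponge(msg: bytes, out_len: int, r_bytes: int = 16, c_bytes: int = 16) -> bytes:
    """Sponge F: absorb r-byte blocks into the outer part of the state, then
    squeeze r bytes at a time until out_len bytes have been produced. The c
    capacity bytes are never read or written directly by input or output."""
    state = bytearray(r_bytes + c_bytes)  # all b bits start at zero
    # Absorbing phase: XOR each block into the leading r bytes, then apply f.
    for block in pad10star1(msg, r_bytes):
        for k in range(r_bytes):
            state[k] ^= block[k]
        state = bytearray(toy_permutation(bytes(state)))
    # Squeezing phase: emit the leading r bytes; apply f only if more is wanted.
    out = bytearray()
    while len(out) < out_len:
        out += state[:r_bytes]
        if len(out) < out_len:
            state = bytearray(toy_permutation(bytes(state)))
    return bytes(out[:out_len])


def sponge_hash(msg: bytes, n_bytes: int = 16) -> bytes:
    """Fixed-length hash with the conservative capacity c = 2n."""
    return sponge(msg, n_bytes, r_bytes=n_bytes, c_bytes=2 * n_bytes)


if __name__ == "__main__":
    print(sponge(b"constructed sample message", 40).hex())
    print(sponge_hash(b"constructed sample message").hex())
```

Because squeezing only applies f between output blocks, a shorter output is always a prefix of a longer one for the same input and parameters; this is the "arbitrary output length" property the section describes, and it is the capacity c, not the output length, that bounds the inner-collision probability.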


Fig. 1 The sponge construction for hash functions. p_i are input, z_i are hashed output [44]

In the first phase the input is "absorbed" into the hash state at a given rate, then an output hash is "squeezed" from it at the same rate. To absorb r bits of data, the data is XORed into the leading bits of the state, and the block permutation is applied. To squeeze, the first r bits of the state are produced as output, and the block permutation is applied if additional output is desired. Central to the sponge construction is the capacity c of the hash function, and it can be adjusted based on security requirements. The SHA-3 [45] final round candidate algorithm Keccak [46] is a hash function based on the sponge construction only, and it sets a conservative c = 2n, where n is the size of the output hash.

4.6 Other Constructions

In addition to the above listed iterative hash constructions, a few more like Enveloped Merkle-Damgård, the RMC construction and the ROX construction have been suggested in the literature. To know more about these structures refer to [41, 52, 53, 54]. Cascaded constructions have also been discussed in the literature to build large hash values by concatenating several smaller hashes. For example, given two hash functions H1 and H2, the concatenation H1(M) || H2(M) can be used to generate a large hash value for message M. In this construction, H1 and H2 can either be two completely different hash functions or two slightly different instances of the same hash function. But Joux [37], using multicollisions, proved that if H1 and H2 are good iterated hash functions with no attack better than the generic birthday paradox attack, then the large hash function H1 || H2 obtained by concatenating H1 and H2 is not really more secure than H1 or H2 by itself.

5. Security Properties of Hash Functions

5.1 Basic Security Properties

The basic notion of security of hash functions revolves around preimage resistance, second-preimage resistance and collision resistance as defined in Section 2. In the literature the collision resistance property is referred to as collision freeness or strong collision resistance, second pre-image resistance is called weak collision resistance and preimage resistance is referred to as one-wayness [16]. It is easy to see that collision resistance implies second-preimage resistance, i.e. if a hash function h is collision resistant then h is also second pre-image resistant. However, second-preimage resistance and one-wayness are incomparable (the properties do not follow from or imply one another), although hash functions which are one-way but not second-preimage resistant are quite contrived. In practice, collision resistance is the strongest property of all three, hardest to satisfy and easiest to breach, and breaking it is the goal of most attacks on hash functions [27].

Rogaway and Shrimpton [14] extended the notion of hash function security and defined seven different security notions: three on pre-image resistance, three on second pre-image resistance and one on collision resistance. The work of Rogaway and Shrimpton [14] is based on the generic concept of a hash function family, that is, a finite set of hash functions with common domain and range. The security of a hash function and the probability of success of an adversary depend on the manner in which one chooses a particular hash function from the hash function family; for example, the hash function can be chosen at random or may be a fixed element. Based on these variations, seven different security notions and the relations between them are given in [14].

5.2 Avalanche Criterion and Completeness

From a good hash function it is desired that for two different inputs, the output of the hash function should be completely different, regardless of the difference in the inputs. The same can be formalised with two properties of hash functions, i.e. completeness and the avalanche effect. The strong avalanche effect represents the property that a small change in the input results in a significant change in the message digest. Completeness represents the property that each input bit affects all output bits. The Strict Avalanche Criterion combines both the avalanche effect and completeness and represents the property that a change in one bit of the input results in changing every bit of the output (message digest) with a probability of . If these criteria are not satisfied then the probability of a successful attack on the hash function increases considerably.

5.3 Certificational Properties and Weaknesses

In addition to the basic properties, some certificational properties have been defined in the literature from time to time. For example Ilya Mironov [28] and Gauravaram [16] suggested near collision resistance, partial pre-image resistance, free start collision resistance, pseudo collision resistance and semi free start collision resistance as certificational properties for hash functions and/or underlying compression functions. Lack of resistance with respect to these properties is termed a certificational weakness. Certificational properties for hash functions and compression functions intuitively appear desirable but cannot be shown to be necessary properties of hash functions. A certificational weakness does not result in breaking a hash function directly, but is enough to cast doubt on its design principles and may lead to a full collision under certain circumstances.
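An empirical check of the avalanche effect and completeness described in Section 5.2, as an added example that is not part of the paper: for a set of messages generated from a fixed seed, each input bit is flipped in turn and the fraction of output bits that change is recorded; completeness is approximated by checking that every input bit was observed to change every output bit at least once over the trials. SHA-256 is compared with a constructed 32-bit XOR-fold checksum, which fails both criteria since each of its input bits touches exactly one output bit.

```python
# Added example (not from the paper): measuring avalanche and completeness.
# The messages are generated from a fixed seed so the run is reproducible;
# xor_fold32 is a constructed non-cryptographic checksum used as a contrast.
import hashlib
import random
from typing import Callable, Dict


def sha256_digest(m: bytes) -> bytes:
    return hashlib.sha256(m).digest()


def xor_fold32(m: bytes) -> bytes:
    """Constructed checksum: XOR of the 4-byte words of m. Each input bit
    touches exactly one output bit, so no avalanche can occur."""
    acc = 0
    for k in range(0, len(m), 4):
        acc ^= int.from_bytes(m[k:k + 4].ljust(4, b"\x00"), "big")
    return acc.to_bytes(4, "big")


def flip_bit(data: bytes, i: int) -> bytes:
    b = bytearray(data)
    b[i // 8] ^= 1 << (i % 8)
    return bytes(b)


def avalanche_stats(hash_fn: Callable[[bytes], bytes], msg_len: int = 8,
                    trials: int = 32, seed: int = 1) -> Dict[str, object]:
    """Mean/min/max fraction of output bits flipped per single-bit input change,
    plus whether every (input bit, output bit) pair was seen to interact
    (completeness). The Strict Avalanche Criterion ideal is a mean of 1/2."""
    rng = random.Random(seed)
    in_bits = msg_len * 8
    out_bits = len(hash_fn(bytes(msg_len))) * 8
    affected = [[False] * out_bits for _ in range(in_bits)]
    fractions = []
    for _ in range(trials):
        m = bytes(rng.getrandbits(8) for _ in range(msg_len))
        base = hash_fn(m)
        for i in range(in_bits):
            diff = bytes(x ^ y for x, y in zip(base, hash_fn(flip_bit(m, i))))
            flipped = 0
            for j in range(out_bits):
                if (diff[j // 8] >> (j % 8)) & 1:
                    flipped += 1
                    affected[i][j] = True
            fractions.append(flipped / out_bits)
    return {
        "mean": sum(fractions) / len(fractions),
        "min": min(fractions),
        "max": max(fractions),
        "complete": all(all(row) for row in affected),
    }


if __name__ == "__main__":
    for name, fn in (("sha256", sha256_digest), ("xor_fold32", xor_fold32)):
        s = avalanche_stats(fn)
        print(f"{name}: mean={s['mean']:.4f} min={s['min']:.3f} "
              f"max={s['max']:.3f} complete={s['complete']}")
```

A mean near 1/2 with a narrow spread and a complete dependency matrix is what a well-designed digest shows; a mean far below 1/2, or input bits that never reach some output bits, is the kind of structural signal that makes differential attacks on the function easier, which is the risk Section 5.2 points to.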


Certificational properties or weaknesses may be defined w.r.t. the hash function as a whole or for the underlying compression function only. These certificational properties, weaknesses and possible attacks on these properties are briefly touched upon in this section:

5.3.1 Certificational Properties of Hash functions

Near Collision Resistance: A hash function is said to be near collision resistant if it is hard to find two messages x and x' such that the Hamming distance between h(x) and h(x') is small (typically a few bits). Near collision may also be termed almost collision and can be defined for the underlying compression function also. With respect to the underlying compression function, almost / near collision means that two message blocks are found for which the difference between the outputs has a low Hamming weight. Gauravaram [16] quoted the example of how near collisions in the case of hash functions with truncated outputs can lead to full collisions. If we have a truncated hash function that makes use of the leftmost 224 bits of output after chopping the rightmost 32 bits, then if a near collision is found such that the message digests differ only in the rightmost 32 bits, such near collisions are practically full collisions.

Partial Pre-image resistance: A hash function is said to be partial pre-image resistant if the difficulty of finding a partial pre-image is the same as that of finding a pre-image from a given digest. Also it is hard to find the input if part of the input is known along with the digest.

5.3.2 Certificational Properties on the Compression Function

Certificational properties or weaknesses on the compression functions used in the Merkle-Damgard structure or similar iterative structures are classified based on the IV / H_0 (initial value) used. These classifications and nomenclature have varied from author to author. For example pseudo collision resistance as defined in [47] is termed special pseudo (type-3) collision resistance in [16]. Similarly for an attack, Rompay in [3] has used the nomenclature Random IV collision and for the same attack Gauravaram in [16] has used the nomenclature semi free start collision. Furthermore Mironov in [28] defined pseudo collision resistance and free start collision resistance as two separate properties; on the other side Gauravaram [16] and Knudsen [48] termed pseudo collision resistance and free start collision resistance one and the same thing. In this sub section we use the terminology and classification done by Gauravaram in [16], as it has been found most exhaustive and clear, but at the same time we also list the alternative nomenclature used by different authors.

Type-1 Collision: Type-1 collision resistance is not a certificational property but it is discussed here as it is related to the other certificational properties based on the initial value. A Type-1 collision refers to a collision in a compression function using the IV (initial value) given in the specification of the hash function, for two distinct messages. The corresponding property may be defined as: it is hard to find two messages X and X' for the compression function f: {0,1}^n × {0,1}^m → {0,1}^n such that f(H, X) = f(H, X'), where H represents the initial value (IV) given in the specification of the hash function. A Type-1 collision is also referred to as a strong collision.

Type-2 Collision: Type-2 collision resistance is also termed Random IV collision resistance [3] or semi free start collision resistance [16]. Type-2 collisions are collisions using the same random (or arbitrary) initial value for two distinct message inputs. The corresponding property may be defined as: it is hard to find two messages X and X' for the compression function f: {0,1}^n × {0,1}^m → {0,1}^n such that f(H, X) = f(H, X'), where the computation starts from an arbitrary (random) value H for the input chaining variable.

Type-3 Collision: Type-3 collision resistance is also termed pseudo collision resistance [16] or free start collision resistance [48]. Type-3 collisions are collisions of the compression function using two different initial values for two distinct message inputs. The corresponding property may be defined as: it is hard to find two pairs (H, X) and (H', X') for the compression function f: {0,1}^n × {0,1}^m → {0,1}^n such that f(H, X) = f(H', X') and (H, X) ≠ (H', X'). Here H / H' represent initial / intermediate chaining values and X / X' represent message blocks.

Special Type-3 Collision: Special Type-3 collisions are collisions of the compression function using two different initial values on the same message block. The corresponding property may be defined as: it is hard to find two pairs (H, X) and (H', X) for the compression function f: {0,1}^n × {0,1}^m → {0,1}^n such that f(H, X) = f(H', X) and H ≠ H'. Here H / H' represent initial / intermediate chaining values and X represents the message block. Note that [3] and [47] use pseudo collision resistance to represent the same property. However Gauravaram [16] categorised it as a special category of pseudo collision resistance and named it special pseudo collision resistance.

Inner (almost) Collisions: As defined by Rompay [3], these are collisions or almost-collisions for the temporary values of the chaining variable (for two distinct message blocks) at some stage of the compression function (for example after s1 step operations where s1 < s). This may be helpful for an attacker who tries to generate a collision in the output of the compression function.

The collision attacks on compression functions described above are also applicable to their hash function iterative modes. Type-1 collision attacks are practical ones and can be used to attack applications that in turn make use of Type-1 susceptible hash functions. Paper [49] presents such an example. Type-2 or Type-3 attacks are not practical but create doubts about the hash function. The attacks in papers [47] and [50] are examples of Type-2 or Type-3 attacks. In [47] B. den Boer and A. Bosselaers gave an early, although limited, result of finding a "pseudo-collision" (Type-3) of the MD5 compression function; that is, two different initialization vectors which produce an identical digest. In [50] H. Dobbertin published an attack (Type-2), without details, that found a collision in MD5 with an IV (initial value) chosen by him that was different from the one actually used in MD5. While this was not an attack on the full MD5 hash function, it was close enough for cryptographers to recommend switching to a replacement, such as SHA-1. However the attacks in [31] and [32] are Type-1 attacks.

Fig. 2 Classification of attacks on Hash Functions

6. Methods of attack on Hash Functions

Attacking a hash function means breaking one of the security properties (basic, extended or certificational) of the hash function. For example breaking pre-image resistance means the adversary is able to break the pre-image property, i.e. the adversary is able to create a message that hashes to a specific hash. Breaking certificational properties may not yield a practical attack but is an important warning that reflects weakness in the hash / compression function. Gauravaram [16] recommended switching to a strong hash function when an attack on certificational properties is observed. In an iterated hash function, if a pre-image or collision (Type-1 collision only) can be found for the compression function f, the same can be extended and an attack on the hash function can be derived. So attacks may focus on the structure of the hash function or on the algorithm of the compression function. In this sub section we review different types of attacks on hash functions. Attacks on hash functions can be classified into two broad categories: brute force attacks and cryptanalytical attacks.

6.1 Brute Force Attack

Brute force attacks work on all hash functions independent of their structure and any other working details. They are similar to exhaustive search or brute-force key recovery attacks on encryption schemes, which extract the secret key of the encryption scheme. The security of any hash function against them lies in its output bit size. For a hash code of length n, the level of effort required to resist the different classical brute force attacks on hash functions is as follows:

Pre-image attack: Effort required for the brute force attack = 2^n. In this attack, for a given n-bit digest h of the hash function H(), the attacker evaluates H() with every possible input message M until the attacker obtains the value h.

2nd Pre-image attack: Effort required for the brute force attack = 2^n. In this attack, for a given message M and the hash function H(), the attacker tries H() with every possible input message M' ≠ M until the attacker obtains the value H(M).

Collision attack: Effort required for the brute force attack = 2^(n/2). In this attack, for a given hash function H, the attacker tries to find two messages M and M' such that M ≠ M' and H(M) = H(M'). On average the opponent would have to try 2^n / 2 (= 2^(n-1)) messages to find one that matches the hash code of an intercepted message. However a chosen plaintext attack (based on the Birthday Paradox) is possible and in that case the effort required for a collision in a hash function is 2^(n/2) in place of 2^(n-1) [29]. It is also referred to as the Birthday attack.
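To make the 2^(n/2) birthday bound concrete, and to go one step beyond it to the Joux multicollision construction described in Section 6.2.1 b) below, here is an added example (not code from the paper) on a constructed toy iterated hash whose chaining value is truncated to n = 16 bits; the compression function, IV and block size are assumptions of this example, and no real hash function is involved.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Constructed toy for this example: an iterated hash whose chaining value has
// n = 16 bits, so a birthday collision costs about 2^(n/2) = 256 calls.
const nBits = 16

// iv is the fixed initial value H_0 assumed for the toy hash.
const iv uint16 = 0x1234

// compress is the toy compression function f_H(M): SHA-256 of the chaining
// value and one 8-byte block, truncated to 16 bits (no real hash is attacked).
func compress(h uint16, block [8]byte) uint16 {
	var in [10]byte
	binary.BigEndian.PutUint16(in[:2], h)
	copy(in[2:], block[:])
	sum := sha256.Sum256(in[:])
	return binary.BigEndian.Uint16(sum[:2])
}

// toyHash chains compress over whole blocks from H_0 (padding is omitted
// because every message here is a whole number of blocks).
func toyHash(blocks [][8]byte) uint16 {
	h := iv
	for _, b := range blocks {
		h = compress(h, b)
	}
	return h
}

// findCollision is the brute-force collision finder of Section 6.1: from
// chaining value h it tries distinct candidate blocks (a counter from start)
// until two map to the same output, returning both blocks, that output and
// the number of compression calls spent. By the pigeonhole principle it needs
// at most 2^n + 1 calls, and about 2^(n/2) on average (birthday bound).
func findCollision(h uint16, start uint64) (m, n [8]byte, out uint16, calls int) {
	seen := make(map[uint16][8]byte)
	for ctr := start; ; ctr++ {
		var b [8]byte
		binary.BigEndian.PutUint64(b[:], ctr)
		y := compress(h, b)
		calls++
		if prev, ok := seen[y]; ok {
			return prev, b, y, calls
		}
		seen[y] = b
	}
}

// jouxMulticollision is the construction of Section 6.2.1 b): d successive
// collision searches, each started from the chaining value the previous pair
// produced, give d block pairs; choosing one block per stage in any of the 2^d
// ways yields a message with the same final digest, for d times the cost of
// one ordinary collision instead of a direct search for a 2^d-collision.
func jouxMulticollision(d int) (pairs [][2][8]byte, final uint16, calls int) {
	h := iv
	for i := 0; i < d; i++ {
		m, n, out, c := findCollision(h, uint64(i)<<32)
		pairs = append(pairs, [2][8]byte{m, n})
		calls += c
		h = out
	}
	return pairs, h, calls
}

// expand lists all 2^d messages obtainable from the pairs.
func expand(pairs [][2][8]byte) [][][8]byte {
	d := len(pairs)
	msgs := make([][][8]byte, 0, 1<<d)
	for bits := 0; bits < 1<<d; bits++ {
		msg := make([][8]byte, d)
		for i := range msg {
			msg[i] = pairs[i][(bits>>i)&1]
		}
		msgs = append(msgs, msg)
	}
	return msgs
}

// allCollide reports whether every expanded message hashes to final.
func allCollide(pairs [][2][8]byte, final uint16) bool {
	for _, msg := range expand(pairs) {
		if toyHash(msg) != final {
			return false
		}
	}
	return true
}

func main() {
	pairs, final, calls := jouxMulticollision(10)
	fmt.Printf("2^%d = %d messages share digest %#04x after %d compression calls\n",
		len(pairs), len(expand(pairs)), final, calls)
	fmt.Printf("expected per stage about 2^%d = %d calls; all collide: %v\n",
		nBits/2, 1<<(nBits/2), allCollide(pairs, final))
}
```

The point for a defender is the one the paper makes next: a 2^d-way multicollision on an iterated hash costs only d birthday searches, so the n/2-bit collision security of the construction does not improve for K-way collisions.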

In addition to the classical attacks discussed above, the following natural extensions have also been studied by different authors.
K-Way Collision attack for K ≥ 2: Find K different messages M_i such that H(M_1) = ... = H(M_K). [36]
K-Way (2nd) pre-image attack for K ≥ 1: Given Y (or M with H(M) = Y), find K different messages M_i with H(M_i) = Y and M_i ≠ M. [36]

6.2 Cryptanalytical Attack

Cryptanalysis of hash functions focuses on the underlying structure of the hash function and/or on the algorithm of the compression function. Due to the fixed size of the hash values compared to the much larger size of the messages, collisions must exist in hash functions. However, for the security of the hash function, they must be computationally infeasible to find. Collisions in hash functions are much easier to find than pre-images or 2nd pre-images.

Informally, a hash function is said to be "broken" when a reduced number of evaluations of the hash function, compared to the brute force attack complexities and the strengths estimated by the designer of the hash function, is used to violate at least one of its properties, regardless of the computational feasibility of that effort. For example, assume that it requires 2^90 evaluations of the hash function to find a collision for a 256-bit hash function. Though it is impractical to generate this amount of computational power today, the hash function is said to be broken as this factor is less than the 2^128 evaluations of the hash function required by the Birthday attack. It should be noted that hash functions are easier to attack practically than encryption schemes because the attacker does not need to assume any secrets, and the maximum computational effort required to attack the hash function is upper bounded only by the attacker's resources, not by the user's gullibility. This is not the case with block ciphers, where the maximum practical count of executions of the block algorithm is limited by how much computational effort the attacker can get the user to do [16].

Collision finding algorithms and attacks may be classified as single block attacks or multi block attacks depending on whether the attack uses a single block (i.e. one compression function call) or more than one block (i.e. more than one iteration of the compression function) for finding collisions or pre-images.

Gauravaram [16] in his Ph.D. thesis has further classified cryptanalytical attacks on hash functions into two categories, i.e. generic and specific attacks.

6.2.1 Generic Attacks

The attacks that work on a general hash function construction are called generic attacks. For example, attacks on the Merkle-Damgard construction that work on all hash functions designed using the Merkle-Damgard construction are generic attacks. Generic attacks are applicable even if we replace the underlying compression function by some abstract oracle. Length extension attacks, Joux multicollision attacks [37], generic 2nd preimage attacks like the ones based on fixed points and the correcting block attack, herding attacks and meet in the middle attacks are examples of generic cryptanalysis attacks.

a) Length Extension Attacks: Length extension, also known as message extension or padding attack, is a well known weakness of the Merkle-Damgard construction. Given h = H(M), it is straightforward to compute M' and h' such that h' = H(M||M'), even for unknown M (but for known length |M|). The attack is based on using H(M) as an internal hash for computing H(M||M'). Gauravaram [16] classified it further into two types, i.e. Type-A extension attack and Type-B extension attack. The categorization is based on whether the original message contains the length padding or not. Using the length extension attack it is possible, from only the hash of a message and its length, to compute the hash of longer messages that start with the initial message and include the padding required for the initial message to reach a multiple of the block size [56]. The length extension attack was studied as far back as 1992 by Tsudik [18] and even these days certain vulnerabilities based on this simple attack are being observed. Thai Duong and Juliano Rizzo [55] in 2009 showed a vulnerability in the Flickr (one of the best online photo management and sharing applications in the world) signing process used by the Flickr authentication API; this vulnerability allows an attacker to generate valid signatures without knowing the shared secret. By exploiting this vulnerability, an attacker can send valid arbitrary requests on behalf of any application using Flickr's API. When combined with other vulnerabilities and attacks, an attacker can gain access to accounts of users who have authorized any third party application.

b) Joux Multicollision Attacks: Joux in [37] studied the generic multicollision attack on iterated hash functions. Joux showed that finding multicollisions, i.e. r-tuples of messages that all hash to the same value, is not much harder than finding ordinary collisions, i.e. pairs of messages, even for extremely large values of r. More precisely, the ratio of the complexities of the attacks is approximately equal to the logarithm of r, i.e. constructing 2^d-collisions costs d times as much effort as building ordinary 2-collisions. In this attack, it is assumed that a collision finding algorithm exists and that the algorithm finds a collision for the compression function f with every call to it. To start with, the attacker calls this collision finding algorithm on the compression function with the initial state H_0 and the algorithm returns two messages M_1 and N_1 such that f_{H_0}(M_1) = f_{H_0}(N_1) = H_1. Then the attacker calls this algorithm with state

H_1 and the algorithm returns two message blocks M_2 and N_2 such that f_{H_1}(M_2) = f_{H_1}(N_2) = H_2. H_2 is then used as state and the call to the algorithm returns message blocks M_3 and N_3 such that f_{H_2}(M_3) = f_{H_2}(N_3) = H_3. Similarly successive calls to the algorithm can be made. If only three calls are made, then we have obtained 2^3 = 8 different messages that map to the digest H_3. If we assume the collision finding algorithm was based on brute force and every call takes time 2^(n/2), then it took O(3 × 2^(n/2)) time to find 8-collisions. In general it can be demonstrated that this technique requires O(d × 2^(n/2)) time for finding 2^d-collisions of a compression function f using a brute force collision finding algorithm. The brute force mechanism for finding 2^d-collisions would have required Ω(2^(n·k))¹ where k = (2^d − 1)/2^d and n is the message digest size.

¹ Formally, O denotes an expected running time that is asymptotically at most the stated bound, and Ω one that is asymptotically not less than it.

c) Multi (2nd) preimage Attacks based on the Joux Technique: The notion multi (2nd) preimage represents multiple preimages as well as multiple 2nd preimages. The technique presented by Joux [37] can be extended and multi (2nd) pre-images can be found at a cost less than the brute force complexity of finding multiple (2nd) preimages. Gauravaram [16] exemplified this technique and showed that the total cost of 2^d preimages or 2^d 2nd preimages for an n-bit message digest is O(d × 2^(t/2) + 2^t) instead of (2^d × 2^n).

d) Generic 2nd preimage Attacks: In a generic 2nd preimage attack on a hash function of length n bits, the attacker tries to find a second pre-image X' for a target message X such that X ≠ X' and H(X') = H(X) with an effort less than 2^n. A number of techniques have been suggested to produce generic 2nd pre-image attacks. Correcting block attacks as defined in [3] can be used to generate generic 2nd pre-image attacks. R. D. Dean [51] used fixed point attacks to generate generic 2nd preimages and Kelsey and Schneier [57] made use of Joux multicollisions for generating 2nd pre-image attacks. In this subsection we provide a brief overview of these attacks:

Correcting block attack: In this attack the opponent uses a pre-existing (message, digest) pair and tries to change one or more message blocks such that the resulting digest remains the same. To generate a second preimage X' for a target message X, the adversary chooses one of the input blocks X_i and replaces it with an alternative block X_i' so that f(H_i, X_i) = f(H_i, X_i'). If all other blocks of the alternative message X' are equal to the corresponding blocks of the target message X, then the same hash result will be obtained and a second pre-image has been found. If the size of the internal state, i.e. the chaining variable, is c bits and the block size is b bits, and b > c, then the number of blocks X_i' satisfying the property f(H_i, X_i) = f(H_i, X_i') is approximately 2^b / 2^c, i.e. 2^(b−c). The challenge is that such blocks are a small subset of all possible blocks, and for an ideal hash function about 2^c operations are needed to find one [3]. One round of MD5 has been found susceptible to this attack. In MD5, the attacker takes a message block X (consisting of 16 words), fixes 11 words of X, modifies one word and calculates the remaining 4 words to generate a message block X' which maps to the same digest. The correcting block attack is possible if preimages for the compression function can be obtained with the computation starting from pre-specified chaining values. Fixing the value of the IV helps in thwarting the attack; thus MD strengthening in the case of the Merkle-Damgard construction prevents this attack from working on complete hash functions [16].

Fixed Point Attacks: In this attack the adversary looks for a fixed point in the compression function f. A fixed point is a chaining variable H_i such that f(H_i, X_i) = H_i. A few authors refer to the pair (H_i, X_i) as the fixed point. Whenever a fixed point exists, the presence of the message block X_i does not affect the message digest. To generate preimages of a message X, one may insert an arbitrary number of blocks with value X_i into the message X where the chaining variable takes the value H_i. The fixed point attack can be avoided by inserting the message length at the end of the message. As MD strengthening pads the message length at the end of the original message, MD strengthening thwarts fixed point attacks from affecting complete hash functions. However, if fixed points occur at more than one iteration of the compression function, then the attack may become practical. In such a case the attacker can insert a message block X_i at stage i such that f(H_i, X_i) = H_i and can remove X_j from X at some later stage j such that f(H_j, X_j) = H_j. Even in this case the attack is only possible if the initial value is not fixed (the attacker chooses IV = H_i), or if fixed points can be found for a significant fraction of all chaining values.

R. D. Dean in [51] presents different techniques that make use of fixed points to produce attacks on complete hash functions even in the presence of Merkle-Damgard strengthening. One very simple technique proposed by R. D. Dean in [51] for the MD4 and MD5 hash functions is to repeat the fixed point block 2^55 times, which adds 2^64 bits to the input. Since the message length in MD4 and MD5 is computed modulo 2^64, this effectively adds 0 to the length field, and the proper hash value comes out. Kelsey and Schneier [57] have also improved the generic correcting block attack using the notion of expandable messages such that it bypasses the defense provided by MD strengthening. For details of expandable messages and various techniques to find generic 2nd preimage attacks refer to [51, 57].

e) Herding Attacks: Kelsey and Kohno in [38] presented a new attack on hash functions based on the

Merkle-Damgard structure, called the herding attack. In a herding attack, an attacker who can find many collisions on the hash function by brute force can first provide the hash of a message, and later herd any given starting point of a message to that hash value by the choice of an appropriate suffix. With this attack Kelsey and Kohno identified an essential security property for hash functions called Chosen Target Forced Prefix (CTFP) preimage resistance. CTFP preimage resistance as defined by Kelsey and Kohno in [38] is reproduced here:

In the first phase of the attack, the adversary performs some pre-computation and then outputs an n-bit hash value H: H is his Chosen Target. The challenger then selects some prefix P (picked uniformly at random from a large but finite set of strings) and supplies it to the adversary; P is the Forced Prefix. In the second phase of the attack, the adversary computes and outputs some string S. The adversary is said to compromise the CTFP preimage resistance if it takes less than 2^n evaluations of the hash function to find S such that hash(P||S) = H.

Kelsey and Kohno in [38] showed that for hash functions based on the Merkle-Damgard construction, CTFP preimage resistance can always be violated by repeated application of brute-force collision-finding attacks. An attack that violates this property effectively (in less than 2^n computations) herds a given prefix to the desired hash value, and such an attack is called a herding attack. As per Kelsey and Kohno [38] the following steps are used for applying the herding attack:
i. In the first phase of a herding attack, the attacker repeatedly applies a collision-finding attack against the hash function to build a diamond structure².
ii. In the second phase of the attack, the attacker exhaustively searches for a string S' such that P || S' collides with one of the diamond structure's intermediate states.
iii. Having found such a string S', the attacker can construct a sequence of message blocks Q from the diamond structure, and thus build a suffix S = S' || Q such that hash(P||S) = H.

² A diamond structure is a data structure reminiscent of a binary tree: a structure of messages constructed to produce large multicollisions. For details refer to [38].

Kelsey and Kohno [38] also described the various contexts in which the herding attack can be used. The Nostradamus attack, stealing credit for inventions, tweaking a signed document and random number fixing are examples of such contexts explained in [38]. At a very general level, the methodology of these attacks as explained in [38] is as follows:
i. The attacker presents the victim with a hash H, along with a claim about the kind of information this represents. She promises to produce the message that yields the hash after the events predicted have occurred.
ii. The attacker waits for the events to unfold, just as the victim does.
iii. The attacker herds a description of the events as they did unfold into her hash output, and provides the resulting message to the victim, thus proving her prior knowledge.

f) Meet in the Middle Attack: This attack is a variation of the birthday attack and is applicable to hash functions that make use of a compression function f that is invertible with respect to the chaining variable H_i or the message block X_i. It allows the attacker to construct messages that correspond to a certain digest. To apply this attack the adversary generates r1 samples for the first and r2 samples for the last part of the bogus message. The adversary then moves forward from the initial value and backward from the hash value. The probability that two intermediate values are the same is given by P ≈ 1 − e^(−k), where k = (r1 · r2) / 2^n and n = length of the initial value, chaining value or message digest. If a meeting point is found then the concatenation of the message parts forms a bogus message that results in the given hash value. [58]

6.2.2 Specific Attacks

The attacks that work on a specific hash function or the algorithm of its compression function are called specific attacks. Examples are the collision attacks on the specific hash functions MD4 [30], MD5 [31, 32], SHA-0 [33, 34] and SHA-1 [33, 35]. Attacks using differential cryptanalysis, linear cryptanalysis, rotational cryptanalysis and attacks on the underlying encryption algorithms are types of specific cryptanalysis attacks. The most successful of these are the attacks based on differential cryptanalysis.

Differential Cryptanalysis: Differential cryptanalysis was introduced by Biham and Shamir [59] and the technique was mainly devised to analyse block ciphers. In differential cryptanalysis the correlation between the difference in input and the difference in output is studied. If X and X' are two inputs then the difference between them is defined as ΔX = X op X'. If H and H' are the two corresponding message digests then the difference between them is defined as ΔH = H op H'. The difference operation op can be the XOR operation, integer subtraction or any other operation. For a differential cryptanalysis attack, the attacker searches for a specific difference in the inputs (ΔX) that results in a specific difference in the output (ΔH) with high probability. In the case of a hash function, the difference in output should be zero to result in a collision. Examples of specific attacks using differential cryptanalysis are [30, 31, 32, 33, 34, 35, 60, 61].

Linear Cryptanalysis: Linear cryptanalysis was proposed by Matsui [62]. S. Bakhtiari et al. in [58]

noted that for block ciphers like DES, better results have been obtained with linear cryptanalysis compared to differential cryptanalysis. Hash functions based on an encryption algorithm can be susceptible to linear cryptanalysis, but to date no very successful attack on hash functions using linear cryptanalysis has been reported.

Rotational Cryptanalysis: The term rotational cryptanalysis was coined in February 2010 by Dmitry Khovratovich and Ivica Nikolic in [64]. The attack may also be classified as a generic attack because as per [64] it may be applied to all algorithms that are based on the three operations modular addition, rotation and XOR (ARX for short). However we have placed it under the category of specific attacks, as this attack has been demonstrated by Khovratovich and Nikolic only against the reduced round Threefish cipher, part of the Skein hash function [66], a SHA-3 competition [45] candidate. Secondly, as per our classification, generic attacks are applicable to all the hash functions falling under a particular structure like Merkle-Damgard, so it is better to consider rotational cryptanalysis a specific attack. In October 2010, a follow-up attack that combines rotational cryptanalysis with the rebound attack was presented by the same authors along with Christian Rechberger in [65].

Attacks on the underlying Encryption Algorithm: If the underlying compression function of a hash function is implemented using an encryption algorithm, then weaknesses in the encryption algorithm can be exploited to attack the hash function. The encryption function may have the complementation property or weak keys or may have fixed points, and the same may be used to attack the complete hash function based on the encryption algorithm. Miyaguchi et al. in [63] analyzed hash functions from the standpoint of the complementation property and weak keys of the block ciphers used in them and reported their weaknesses.

7. Type of Hash functions based on design of underlying Compression Function

From the discussion in Section 4, it is evident that for processing input of arbitrary length the iterative structure of a hash function (Merkle-Damgard or any other) is desired, and the crucial part of this iterative structure is the compression function, on which the designer concentrates. A view of all these approaches is given in this section.

7.1 Hash Functions based on Block Cipher as Compression functions

One of the possible approaches that has been studied by authors is to design a compression function from an existing cryptographic primitive like a block cipher. The advantage is that the existing implementations in hardware or software can be reused. Secondly, some existing block ciphers like DES [67] or AES [7] have received a lot of scrutiny, and thus there is a lot of trust in their security properties [3]. At the same time a number of drawbacks of block cipher based hash functions have also been observed. One of the arguments is that block ciphers do not possess the properties of randomizing functions; for example they are invertible. This lack of randomness may lead to weaknesses that may be exploited [85]. Secondly, differential cryptanalysis is easier against block operations in hash functions than against block operations used for encryption, because the key is known and so several techniques can be applied. [68, 69] suggest various techniques for using differential cryptanalysis to attack hash functions based on block ciphers. Thirdly, it has been suggested that hash functions based on block ciphers are significantly slower than hash functions based on compression functions specially designed for hashing. It is also felt that use of a block cipher for a purpose for which it was not designed may reveal other weaknesses which may not be relevant in the case of encryption. However, with the adoption of AES, there has been renewed interest in developing a secure hash function based on a strong block cipher and exhibiting good performance [85]. Hash functions based on block ciphers can be further classified as follows:

7.1.1 Single block length construction

These are the schemes in which the size of the hash code equals the block size of the underlying block cipher. A number of proposals have been made, and the basic concept for constructing a compression function f from a block cipher as described in [15] is as follows:

Fig. 3 Compression function based on block cipher

E is the block cipher that takes two inputs A and B and produces an output that is XORed with variable C. The variables A, B and C can each be M_i, H_{i-1}, (M_i ⊕ H_{i-1}) or a constant K (K may be assumed to be zero also). The message M is divided into blocks and padding is done as illustrated in Section 4, and in each round one block M_i is processed in the compression function f as follows:

H_0 = Initial value

Hi = E_A(B) ⊕ C

Each of the three variables A, B and C can take one of four possible values, so there are 64 schemes of this type in total. Preneel et al. [72] studied them all and showed that 12 of them (listed in Table 1) are secure.

Table 1: Secure block-cipher-based compression functions as per [72]. E_K(X) denotes encryption of the block X under the key K.

Secure scheme (compression function)            Other common name in the literature
Hi = E_{Hi-1}(Mi) ⊕ Mi                           Matyas-Meyer-Oseas scheme [70]
Hi = E_{Hi-1}(Mi ⊕ Hi-1) ⊕ Mi ⊕ Hi-1               --
Hi = E_{Hi-1}(Mi) ⊕ Hi-1 ⊕ Mi                    Miyaguchi-Preneel scheme, proposed independently by Miyaguchi [71] and Preneel [73]
Hi = E_{Hi-1}(Mi ⊕ Hi-1) ⊕ Mi                    --
Hi = E_{Mi}(Hi-1) ⊕ Hi-1                         Davies-Meyer scheme [70, 74]
Hi = E_{Mi}(Mi ⊕ Hi-1) ⊕ Mi ⊕ Hi-1                 --
Hi = E_{Mi}(Hi-1) ⊕ Mi ⊕ Hi-1                    --
Hi = E_{Mi}(Mi ⊕ Hi-1) ⊕ Hi-1                    --
Hi = E_{Mi ⊕ Hi-1}(Mi) ⊕ Mi                      --
Hi = E_{Mi ⊕ Hi-1}(Hi-1) ⊕ Hi-1                  --
Hi = E_{Mi ⊕ Hi-1}(Mi) ⊕ Hi-1                    --
Hi = E_{Mi ⊕ Hi-1}(Hi-1) ⊕ Mi                    --

For a formal proof of the security of these 12 schemes refer to [75]; for the various other schemes proposed in the literature that have been shown to be insecure refer to [15, 72].

6.1.2 Double block length construction

A hash function producing a 64-bit (or 128-bit) digest is insecure, since a brute-force (birthday) collision search requires only about 2^32 (or 2^64) operations. With the single block length schemes of the previous sub-section we get a 64-bit digest with DES as the underlying block cipher, or a 128-bit digest with AES. To increase the digest size, and thereby the security, double block length constructions have been suggested: schemes in which the size of the hash code is twice the block size of the underlying block cipher. This means that DES yields a 128-bit hash function and AES a 256-bit one. The best known schemes in this class, as noted by Rompay [3], are MDC-2 and MDC-4, designed by Brachtl et al. [76, 77]. MDC-2 is sometimes called the Meyer-Schilling scheme. The compression function of MDC-2 makes use of two parallel computations of the Matyas-Meyer-Oseas scheme [70]. The explanation of MDC-2 given in [3] is reproduced here using the terminology of the previous sub-section.

Let C_L and C_R denote the left and right halves of a b-bit block of the underlying block cipher. The compression function of MDC-2 maps two chaining variables to two new ones,

Hi || Hi' = f(Hi-1 || Hi-1', Mi),

by the following computations:

Ci  = E_{Hi-1}(Mi) ⊕ Mi
Ci' = E_{Hi-1'}(Mi) ⊕ Mi
Hi  = C_{L,i} || C'_{R,i}
Hi' = C'_{L,i} || C_{R,i}

The right halves of the two outputs are swapped, so that the two chains do not evolve independently of each other.

The compression function of MDC-4 consists of two sequential executions of the MDC-2 compression function. For the second MDC-2 computation the keys are derived from the outputs (chaining variables) of the first, and the plaintext inputs are the outputs (chaining variables) of the opposite sides of the previous MDC-4 compression.

For details of some of the other double length constructions studied in the literature, such as the Quisquater-Girault, LOKI double block, parallel Davies-Meyer, tandem Davies-Meyer and abreast Davies-Meyer schemes, refer to [15, 78, 79, 80, 81].

A few of the well-known hash functions based on block ciphers are listed below:

GOST Hash Function: This hash function comes from Russia and is specified in GOST R 34.11-94. It uses the GOST block encryption algorithm. For details refer to [82].

AR Hash Function: The AR hash function was developed by Algorithmic Research, Ltd. and has been distributed by ISO for information purposes only. Its basic structure is a variant of the underlying block cipher (DES in the reference) in Cipher Block Chaining mode. For details refer to [83].

Whirlpool Hash Function: Whirlpool is one of only two hash functions endorsed by NESSIE (New European Schemes for Signatures, Integrity and Encryption). Unlike virtually all other proposals for a block-cipher-based hash function, Whirlpool uses a block cipher that is specifically designed for use in the hash function and that is unlikely ever to be used as a standalone encryption function. For details refer to [84].
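The following Go program is an added worked example; it is not code from this paper or from the authors of any of the schemes above. It implements the generic rule Hi = E_A(B) ⊕ C for the Matyas-Meyer-Oseas and Davies-Meyer choices from Table 1, with AES-128 standing in for E (an assumption: the paper leaves E as any block cipher), iterates them with Merkle-Damgard strengthening, and builds the double length MDC-2 iteration of Section 6.1.2 from the same Matyas-Meyer-Oseas compression. It also shows two checks a practitioner would want: the one-decryption fixed point of the Davies-Meyer compression function, and a second preimage found with two cipher calls against the feed-forward-free choice Hi = E_{Hi-1}(Mi) (C = K = 0), which is one of the 52 schemes outside Table 1. The initial values, the sample message and the replacement block are constructed for the demonstration, and the key-bit fixing of the original DES-based MDC-2 is omitted.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"fmt"
)

const n = 16             // block and key length of E in bytes (assumption: E is AES-128)
var iv = make([]byte, n) // H_0 = 0^128, a constructed constant initial value

func xor(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// cipherOp returns E_key(x), or D_key(x) when decr is set.
func cipherOp(key, x []byte, decr bool) []byte {
	c, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out, op := make([]byte, n), c.Encrypt
	if decr {
		op = c.Decrypt
	}
	op(out, x)
	return out
}

type Scheme int // selects (A, B, C) in the generic rule H_i = E_A(B) xor C
const (
	MatyasMeyerOseas Scheme = iota // E_{H_{i-1}}(M_i) xor M_i
	DaviesMeyer                    // E_{M_i}(H_{i-1}) xor H_{i-1}
	NoFeedForward                  // E_{H_{i-1}}(M_i), i.e. C = K = 0: not one of the 12 secure schemes
)

func compress(s Scheme, h, m []byte) []byte {
	switch s {
	case MatyasMeyerOseas:
		return xor(cipherOp(h, m, false), m)
	case DaviesMeyer:
		return xor(cipherOp(m, h, false), h)
	}
	return cipherOp(h, m, false)
}

// pad applies Merkle-Damgard strengthening: 0x80, zero bytes, 64-bit message bit length.
func pad(msg []byte) []byte {
	out := append(append([]byte{}, msg...), 0x80)
	for len(out)%n != n-8 {
		out = append(out, 0)
	}
	var l [8]byte
	binary.BigEndian.PutUint64(l[:], uint64(len(msg))*8)
	return append(out, l[:]...)
}

// Hash iterates a single block length compression function over the padded message.
func Hash(s Scheme, msg []byte) []byte {
	h := iv
	for p := pad(msg); len(p) > 0; p = p[n:] {
		h = compress(s, h, p[:n])
	}
	return h
}

// MDC2: double block length iteration of two parallel Matyas-Meyer-Oseas computations
// whose right halves are swapped (the DES key-bit fixing of the original MDC-2 is omitted).
func MDC2(msg []byte) []byte {
	h, hp := []byte("MDC2-left-IV-abc"), []byte("MDC2-rightIV-xyz") // constructed 16-byte IVs
	for p := pad(msg); len(p) > 0; p = p[n:] {
		c := compress(MatyasMeyerOseas, h, p[:n])   // C_i  = E_{H_{i-1}}(M_i) xor M_i
		cp := compress(MatyasMeyerOseas, hp, p[:n]) // C'_i = E_{H'_{i-1}}(M_i) xor M_i
		h = append(append([]byte{}, c[:n/2]...), cp[n/2:]...)  // H_i  = C_L || C'_R
		hp = append(append([]byte{}, cp[:n/2]...), c[n/2:]...) // H'_i = C'_L || C_R
	}
	return append(h, hp...)
}

// DaviesMeyerFixedPoint returns h = D_m(0): then E_m(h) xor h = 0 xor h = h, a fixed point
// of the Davies-Meyer compression function found with a single decryption.
func DaviesMeyerFixedPoint(m []byte) []byte {
	return cipherOp(m, make([]byte, n), true)
}

// NoFeedForwardSecondPreimage: for a two-block message and any replacement first block,
// one decryption gives a second block that restores the chaining value, because without
// feed-forward E_h(m) is invertible in m once h is known; the padding block then matches.
func NoFeedForwardSecondPreimage(msg, newFirst []byte) []byte {
	h2 := compress(NoFeedForward, compress(NoFeedForward, iv, msg[:n]), msg[n:2*n])
	h1p := compress(NoFeedForward, iv, newFirst[:n])
	return append(append([]byte{}, newFirst[:n]...), cipherOp(h1p, h2, true)...)
}

func main() {
	msg := []byte("0123456789abcdef0123456789abcdef") // constructed two-block message
	alt := NoFeedForwardSecondPreimage(msg, []byte("ANY-OTHER-BLOCK!"))
	fmt.Printf("Davies-Meyer %x\nMDC-2 %x\n", Hash(DaviesMeyer, msg), MDC2(msg))
	fmt.Printf("no feed-forward: %x == %x\n", Hash(NoFeedForward, msg), Hash(NoFeedForward, alt))
}
```

The same crafted message pair does not collide under Matyas-Meyer-Oseas or Davies-Meyer: the feed-forward of Mi or Hi-1 is exactly what makes the compression function non-invertible, which is why every scheme in Table 1 contains one.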


Skein Hash Function: Skein is one of the five finalists in the NIST hash function competition [45] to select the SHA-3 standard, which is intended to augment SHA-1 and SHA-2 [4, 5, 6, 8]. The algorithm is built on the Threefish tweakable block cipher. For details refer to [66].

Grøstl Hash Function: Like Skein, Grøstl is a SHA-3 final round candidate. Its compression function does not use an existing block cipher directly, but it uses the same S-box as AES. The compression function f is built from a pair of permutations P and Q, and these permutations are heavily based on the AES [7] block cipher.

6.2 Hash Functions based on Modular Arithmetic

A compression function can also be designed using modular arithmetic. This allows the reuse of existing implementations of modular arithmetic, such as those in asymmetric cryptosystems. The idea of cryptosystems based on modular arithmetic is to reduce the security of the system to the difficulty of solving a problem in number theory; two important hard problems which can serve as a base for such cryptosystems are factorisation and the discrete logarithm. Rompay [3] refers to the design of two variants of the MASH hash function based on modular arithmetic. The advantage of such hash functions is that the level of security can easily be raised by choosing a modulus M of appropriate length, but hash functions based on modular arithmetic are very slow, even slower than block-cipher-based hash functions, and many such constructions have been broken in the past.

6.3 Dedicated Hash Functions

Dedicated hash functions are those designed for the explicit purpose of hashing. Their compression functions are not based on existing cryptographic primitives such as block ciphers, and they are not constrained to reuse existing components such as block ciphers or modular arithmetic. This means that they can be designed with optimised performance in mind. A number of such hash functions have been designed. Some of the well-known dedicated hash functions, and the status of attacks on them, are as follows:

MDx Family of Hash Functions: MD2, MD4 and MD5 are the three hash functions of the MDx family. Compared to the other two, MD2 is slower and has not obtained much success. The dedicated hash functions which have received the most attention in practice are those based on the MD4 algorithm [3]. MD4 was proposed by R. Rivest in 1990 [9]. It was designed specifically for software implementation on 32-bit platforms. Because of security concerns, Rivest in 1991 came up with a more conservative version named MD5 [10] to replace MD4. MD5 became a milestone in the development of hash functions. It was a widely used and well-known 128-bit iterated hash function, used in various applications including SSL/TLS, IPsec and many other cryptographic protocols. It was also commonly used in implementations of time-stamping mechanisms, commitment schemes, integrity checking for online software, and random number generation. Type-2 (semi-free-start collision) and Type-3 (pseudo-collision) attacks on MD5 were reported in [47, 50]. Real collisions (Type-1 collisions) for MD4 and MD5 were reported by Wang et al. in [30, 31, 32], and these attacks make any further use of these hash functions questionable.

SHA Family of Hash Functions: The Secure Hash Algorithm (SHA), developed by the National Institute of Standards and Technology (NIST), was also designed on the same principles as MD4 and was published as Federal Information Processing Standard FIPS 180 in 1993 [4]. A revised version was issued as FIPS 180-1 in 1995 and is generally referred to as SHA-1 [5]; when it was published, no details of the weaknesses found in SHA-0 (the original SHA) were provided [33]. SHA-1 produces a 160-bit hash value. In 2002 NIST produced a revised version of the standard, FIPS 180-2 [6], which defined three new versions of SHA with digest lengths of 256, 384 and 512 bits, known as SHA-256, SHA-384 and SHA-512 respectively, bringing the number of SHA versions to four including SHA-1. SHA-224, which is the SHA-256 algorithm with a different initial value and the digest truncated to 224 bits, was added by a 2004 change notice to FIPS 180-2, and in October 2008 FIPS 180-2 was replaced by FIPS 180-3 [8], which specifies all five. All these SHA versions are based on the same principles as MD4; the hash length has changed and certain other improvements have been carried from one version to the next. Attacks on SHA-0 and SHA-1 have been reported in [33, 34, 35]. To date no practical attack has been reported on SHA-2.

RIPEMD Family of Hash Functions: The RIPEMD family consists of RIPEMD, RIPEMD-128, RIPEMD-160, RIPEMD-256 and RIPEMD-320. RIPEMD, a 128-bit hash function based on MD4, was developed in the framework of the EU (European Union) project RIPE (RACE Integrity Primitives Evaluation). RIPEMD-160 [87], designed by Hans Dobbertin, Antoon Bosselaers and Bart Preneel, is a strengthened version of RIPEMD. The 128-bit version was intended only as a drop-in replacement for the original RIPEMD, which had been found to have questionable security. The 256- and 320-bit versions diminish the chance of an accidental collision but do not offer a higher level of security than RIPEMD-160. A collision for RIPEMD was reported in [30], but that does not affect RIPEMD-160. To date no practical attack has been observed on RIPEMD-160.


HAVAL Hash Function: Yuliang Zheng et al. proposed the HAVAL hash function in 1992 [86]. To a certain extent it takes its motivation from MD4. However, HAVAL can produce hashes of different lengths, namely 128, 160, 192, 224 or 256 bits. In addition, HAVAL has a parameter that controls the number of passes in which a message block (of 1024 bits) is processed: a message block can be processed in 3, 4 or 5 passes. By combining output length with number of passes, the authors provided fifteen (15) choices for practical applications where different levels of security are required. The algorithm was designed for 32-bit computers. Experiments showed that HAVAL is 60% faster than MD5 when 3 passes are used, 15% faster than MD5 when 4 passes are used, and as fast as MD5 when the full 5 passes are used. Research has uncovered weaknesses which make any further use of HAVAL (at least the variant with 128 bits and 3 passes) questionable. A collision attack on HAVAL-128 was reported by Wang et al. in [31].

All the above dedicated hash functions are designed with motivation from the MD4 algorithm and are therefore sometimes collectively known as MDx-type hash functions.

Fig. 4 MDx-type hash function history [106]. The vertical axis gives the year in which a hash function was invented; functions crossed with red lines have been attacked.

A few other well-known dedicated hash functions reported in the literature are Snefru [88], Tiger [89], JH [90], Keccak [46] and BLAKE [91]. Snefru, designed by Ralph Merkle in 1990, is named, like the Khufu and Khafre block ciphers, after an Egyptian pharaoh. Both Snefru's initial design and its modified design have been shown to be insecure against differential cryptanalysis [93]. The Tiger hash function was designed by Anderson and Biham in 1995, mainly for 64-bit platforms. It is quite efficient in software, but because of its inherent use of large S-boxes, implementation in hardware or on small microcontrollers is difficult. Tiger is frequently used in a Merkle hash tree, where it is referred to as the Tiger Tree Hash (TTH); TTH is used by many clients on the Direct Connect and Gnutella file sharing networks. The last three in the list, i.e. JH, Keccak and BLAKE, are among the five finalists in the NIST hash function competition [45] to select the SHA-3 standard. JH makes use of S-boxes and is well suited to bit-slicing. Keccak, on the other hand, makes use of the sponge construction detailed in Section 4. BLAKE does not fit exactly into the category of dedicated hash functions, because its compression function is based on the ChaCha stream cipher.

6.4 A Few Other Approaches

There have been a few hash functions that are based neither on existing cryptographic primitives like block ciphers nor on modular arithmetic, but rather on hard problems such as the knapsack problem, on cellular automata or on discrete Fourier transforms. A hash function based on the knapsack problem was proposed by Ivan Damgård in [26], but it was shown to be broken in [94, 95]. Cellular automata based hash functions were proposed in [96] by Wolfram and in [97] by Daemen et al. Claus Schnorr [98, 99, 100] proposed hash functions based on the discrete Fourier transform, called FFT-Hash. Three variants of FFT-Hash have been proposed; the first two, FFT-Hash I and FFT-Hash II, were broken a few weeks after their proposal [101, 102], and the third variant is considerably slower. As a whole, these approaches (based on the knapsack problem, cellular automata or the FFT) have not found much success and are not generally used these days.

7. Current Scenario: Progressing to SHA-3

The current Secure Hash Standard developed by NIST (National Institute of Standards and Technology) is FIPS 180-3 [8]. This standard specifies five hash functions: SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512. All of these are dedicated hash functions as explained in Section 6, and to a certain extent they are based on the MDx family. The practical attacks on the MDx family, followed by the attacks on SHA-0 and SHA-1, have been discussed in Section 6.3. The majority of these attacks were carried out in 2004 and 2005 by a team of researchers from Shandong University in Jinan, China, led by Xiaoyun Wang. The same team also broke HAVAL-128 and RIPEMD. Looking at the variety of hash functions attacked by this team, it seemed likely that their approach might prove effective against all cryptographic hashes in the MD family, including all variants of SHA [103].

Burr of the US National Institute of Standards and Technology reviewed the state of cryptographic hash functions in [104]. Burr pointed out that, with SHA-1 and SHA-2 in its cryptographic toolkit, NIST had hoped to be done with hash functions for a long time. Aside from a near break of MD5 by Dobbertin [50] in 1996, researchers made little progress in hash function analysis until mid-2004.


Since then, Wang, Antoine Joux and Eli Biham have attacked nearly all the early hash functions, including SHA-1. Given that the SHA-2 functions are in the same family as the earlier broken functions, these attacks shook cryptographers' long-term confidence in nearly all hash functions designed to date. Cryptographers have learned much about hash functions and how to attack them in the past couple of years, and yet cryptanalysts generally agreed that practical attacks on the SHA-2 hash functions are unlikely in the next decade. However, attacks and research results could reduce their strength well below the theoretical collision work levels (2^112, 2^128, 2^192 and 2^256 operations for SHA-224, SHA-256, SHA-384 and SHA-512 respectively) [104].

Hoch and Shamir [105] in 2006 studied multicollisions in Iterated Concatenated and Expanded (ICE) hash functions, extending the idea presented by Joux [37]. Joux showed in 2004 [37] that in any iterated hash function it is relatively easy to find exponentially sized multicollisions (2^k messages with the same hash for only about k times the cost of a single collision), and thus that the concatenation of several hash functions does not increase their security beyond that of the strongest component. Joux's attack [37] does not directly apply to ICE hash functions, i.e. when, in addition to iteration and concatenation, message expansion is used, so that each iterated function processes every message block more than once. Hoch and Shamir [105] considered this general case and proved that even if each iterated hash function is allowed to scan the input multiple times in an arbitrary expanded order, the concatenation is not stronger than a single function. Finally, the authors extended their result to tree-based hash functions with arbitrary tree structures. Hoch and Shamir showed that a large class of natural hash functions (ICE and its generalisation TCE) is vulnerable to a multicollision attack, and hoped that the techniques developed there would help in creating multicollision attacks against even more complicated types of hash functions. Such a conclusion was perhaps hinting at a probable attack on the SHA-2 family of hash functions.

Looking at the current scenario, in November 2007 NIST (National Institute of Standards and Technology) announced a public competition [45] to develop a new cryptographic hash algorithm alongside the older SHA-1 and SHA-2. The competition was NIST's response to advances in the cryptanalysis of hash algorithms. The winning algorithm will be named "SHA-3", and will augment the hash algorithms currently specified in Federal Information Processing Standard (FIPS) 180-3, Secure Hash Standard [8]. As the NIST website puts it, "NIST is initiating an effort to develop one or more additional hash algorithms through a public competition, similar to the development process for the Advanced Encryption Standard (AES)." [45]

By October 31, 2008, NIST had received sixty-four entries, and selected fifty-one candidate algorithms to advance to the first round on December 10, 2008; fourteen advanced to the second round on July 24, 2009. A year was allocated for the public review of the fourteen second-round candidates, during which NIST received significant feedback from the cryptographic community. Based on the public feedback and internal reviews of the second-round candidates, NIST selected five SHA-3 finalists, BLAKE [91], Grøstl [92], JH [90], Keccak [46] and Skein [66], to advance to the third (and final) round of the competition on December 9, 2010, which ended the second round. A one-year public comment period is planned for the finalists. NIST also plans to host a final SHA-3 Candidate Conference in the spring of 2012 to discuss the public feedback on these candidates, and to select the SHA-3 winner later in 2012 [45].

8. Conclusion

In this paper we have shown how cryptographic hash functions slowly gained importance in the field of cryptology. We have attempted to give a complete picture of cryptographic hashes, their design techniques and their vulnerabilities. This paper should help budding researchers who take up research in this particular field.

References

[1] D. Kahn, The Codebreakers: The Comprehensive History of Secret Communication from Ancient Times to the Internet, Scribner, 1996.
[2] W. Diffie and M. Hellman, "New Directions in Cryptography", IEEE Transactions on Information Theory, Vol. 22, No. 6, 1976, pp. 644-654.
[3] B. Van Rompay, Analysis and Design of Cryptographic Hash Functions, MAC Algorithms and Block Ciphers, Ph.D. thesis, Electrical Engineering Department, Katholieke Universiteit Leuven, Belgium, 2004.
[4] FIPS 180, Secure Hash Standard (SHS), National Institute of Standards and Technology, US Department of Commerce, Washington D.C., 1993.
[5] FIPS 180-1, Secure Hash Standard (SHS), National Institute of Standards and Technology, US Department of Commerce, Washington D.C., 1995.
[6] FIPS 180-2, Secure Hash Standard (SHS), National Institute of Standards and Technology, US Department of Commerce, Washington D.C., 2002.
[7] FIPS 197, Advanced Encryption Standard, National Institute of Standards and Technology, US Department of Commerce, Washington D.C., 2001.
[8] FIPS 180-3, Secure Hash Standard (SHS), National Institute of Standards and Technology, US Department of Commerce, Washington D.C., 2008.
[9] R. Rivest, "The MD4 Message Digest Algorithm", IETF RFC 1320, 1992.
[10] R. Rivest, "The MD5 Message Digest Algorithm", IETF RFC 1321, 1992.
[11] R. C. Merkle, Secrecy, Authentication and Public Key Systems, Ph.D. thesis, Department of Electrical Engineering, Stanford University, Stanford, USA, 1979.
[12] R. C. Merkle, "One Way Hash Functions and DES", in CRYPTO, 1989, pp. 428-446.


[13] M. Naor and M. Yung, "Universal One-Way Hash Functions and their Cryptographic Applications", in STOC, 1989, pp. 33-43.
[14] P. Rogaway and T. Shrimpton, "Cryptographic Hash-Function Basics: Definitions, Implications and Separations for Preimage Resistance, Second Preimage Resistance, and Collision Resistance", in FSE, 2004, pp. 371-388.
[15] B. Schneier, Applied Cryptography, John Wiley & Sons, 1996.
[16] P. Gauravaram, Cryptographic Hash Functions: Cryptanalysis, Design and Applications, Ph.D. thesis, Faculty of Information Technology, Queensland University of Technology, Brisbane, Australia, 2003.
[17] M. Bellare, R. Canetti and H. Krawczyk, "Keying Hash Functions for Message Authentication", in CRYPTO, 1996, pp. 1-15.
[18] G. Tsudik, "Message Authentication with One-Way Hash Functions", in INFOCOM, 1992, pp. 2055-2059.
[19] R. L. Rivest, A. Shamir and L. M. Adleman, "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems", Communications of the ACM, 1978, pp. 120-126.
[20] S. Singh, The Code Book: The Evolution of Secrecy from Mary, Queen of Scots to Quantum Cryptography, Doubleday Books, 1999.
[21] S. Haber and W. Stornetta, "How to Time-stamp a Digital Document", Journal of Cryptology, Vol. 3, No. 2, 1991, pp. 99-111.
[22] M. Bellare, R. Canetti and H. Krawczyk, "Pseudorandom Functions Revisited: The Cascade Construction and Its Concrete Security", in FOCS, 1996, pp. 514-523.
[23] I. Haitner, D. Harnik and O. Reingold, "Efficient Pseudorandom Generators from Exponentially Hard One-Way Functions", in ICALP (2), 2006, pp. 228-239.
[24] S. M. Matyas, A. V. Le and D. G. Abraham, "A Key-Management Scheme Based on Control Vectors", IBM Systems Journal, No. 2, 1991, pp. 175-191.
[25] H. Handschuh and D. Naccache, "SHACAL (Submission to NESSIE)", in First Open NESSIE Workshop, 2000.
[26] I. Damgård, "A Design Principle for Hash Functions", in CRYPTO, 1989, pp. 416-427.
[27] X. Lai and J. L. Massey, "Hash Functions Based on Block Ciphers", in EUROCRYPT, 1992, pp. 55-70.
[28] I. Mironov, Hash Functions: Theory, Attacks, and Applications, Microsoft Research, Silicon Valley Campus, 2005.
[29] M. Bellare and T. Kohno, "Hash Function Balance and Its Impact on Birthday Attacks", in EUROCRYPT, 2004, pp. 401-418.
[30] X. Wang, X. Lai, D. Feng, H. Chen and X. Yu, "Cryptanalysis of the Hash Functions MD4 and RIPEMD", in EUROCRYPT, 2005, pp. 1-18.
[31] X. Wang, D. Feng, X. Lai and H. Yu, "Collisions for Hash Functions MD4, MD5, HAVAL-128 and RIPEMD", IACR Cryptology ePrint Archive, Report 2004/199, 2004.
[32] X. Wang and H. Yu, "How to Break MD5 and Other Hash Functions", in EUROCRYPT, 2005, pp. 19-35.
[33] E. Biham, R. Chen, A. Joux, P. Carribault, C. Lemuet and W. Jalby, "Collisions of SHA-0 and Reduced SHA-1", in EUROCRYPT, 2005, pp. 36-57.
[34] X. Wang, H. Yu and Y. L. Yin, "Efficient Collision Search Attacks on SHA-0", in CRYPTO, 2005, pp. 1-16.
[35] X. Wang, Y. L. Yin and H. Yu, "Finding Collisions in the Full SHA-1", in CRYPTO, 2005, pp. 17-36.
[36] S. Lucks, "Design Principles for Iterated Hash Functions", IACR Cryptology ePrint Archive, Report 2004/253, 2004.
[37] A. Joux, "Multicollisions in Iterated Hash Functions. Application to Cascaded Constructions", in CRYPTO, 2004, pp. 306-316.
[38] J. Kelsey and T. Kohno, "Herding Hash Functions and the Nostradamus Attack", in EUROCRYPT, 2006, pp. 183-200.
[39] Y. Dodis, T. Ristenpart and T. Shrimpton, "Salvaging Merkle-Damgård for Practical Applications", in EUROCRYPT, 2009, pp. 371-388.
[40] M. Nandi and S. Paul, "Speeding Up The Widepipe: Secure and Fast Hashing", IACR Cryptology ePrint Archive, Report 2010/193, 2010.
[41] E. Biham and O. Dunkelman, "A Framework for Iterative Hash Functions - HAIFA", IACR Cryptology ePrint Archive, Report 2007/278, 2007.
[42] G. Bertoni, J. Daemen, M. Peeters and G. Van Assche, "Sponge Functions", in ECRYPT Hash Workshop, 2007.
[43] G. Bertoni, J. Daemen, M. Peeters and G. Van Assche, "On the Indifferentiability of the Sponge Construction", in EUROCRYPT, 2008, pp. 181-197.
[44] G. Bertoni, J. Daemen, M. Peeters and G. Van Assche, Cryptographic Sponges, [online] http://sponge.noekeon.org/.
[45] National Institute of Standards and Technology (NIST), Cryptographic Hash Algorithm Competition, [online] http://csrc.nist.gov/groups/ST/hash/sha-3/
[46] G. Bertoni, J. Daemen, M. Peeters and G. Van Assche, The Keccak Reference, Submission to NIST (Round 3), 2011, [online] http://csrc.nist.gov/groups/ST/hash/sha-3/Round3/submissions_rnd3.html
[47] B. den Boer and A. Bosselaers, "Collisions for the Compression Function of MD5", in EUROCRYPT, 1993, pp. 293-304.
[48] L. Knudsen, Block Ciphers: Analysis, Design and Applications, Ph.D. thesis, Aarhus University, Aarhus, Denmark, 1994.
[49] O. Mikle, "Practical Attacks on Digital Signatures Using MD5 Message Digest", IACR Cryptology ePrint Archive, Report 2004/356, 2004.
[50] H. Dobbertin, "Cryptanalysis of MD5 Compress", presented at the rump session of EUROCRYPT, 1996.
[51] R. D. Dean, Formal Aspects of Mobile Code Security, Ph.D. thesis, Department of Computer Science, Princeton University, Princeton, USA, 1999.
[52] E. Andreeva, G. Neven, B. Preneel and T. Shrimpton, "Seven-Property-Preserving Iterated Hashing: The RMC Construction", ECRYPT document STVL4-KUL15-RMC-1.0, private communication, 2006.
[53] E. Andreeva, G. Neven, B. Preneel and T. Shrimpton, "Seven-Property-Preserving Iterated Hashing: ROX", IACR Cryptology ePrint Archive, Report 2007/176, 2007.
[54] M. Bellare and T. Ristenpart, "Multi-Property-Preserving Hash Domain Extension and the EMD Transform", in ASIACRYPT, 2006, pp. 299-314.
[55] T. Duong and J. Rizzo, Flickr's API Signature Forgery Vulnerability, 2009, [online] http://netifera.com/research/flickr_api_signature_forgery.pdf
[56] B. Kaliski and M. Robshaw, "Message Authentication with MD5", RSA Labs' CryptoBytes, Vol. 1, No. 1, Spring 1995.


[57] J. Kelsey and B. Schneier, "Second Preimages on n-bit Hash Functions for Much Less than 2^n Work", in EUROCRYPT, 2005, pp. 474-490.
[58] S. Bakhtiari, R. Safavi-Naini and J. Pieprzyk, Cryptographic Hash Functions: A Survey, Technical Report 95-09, Department of Computer Science, University of Wollongong, 1995.
[59] E. Biham and A. Shamir, "Differential Cryptanalysis of DES-like Cryptosystems", Journal of Cryptology, Vol. 4, No. 1, 1991, pp. 3-72.
[60] E. Biham and A. Shamir, "Differential Cryptanalysis of FEAL and N-Hash", in EUROCRYPT, 1991, pp. 1-16.
[61] E. Biham and A. Shamir, "Differential Cryptanalysis of Snefru, Khafre, REDOC-II, LOKI and Lucifer", in CRYPTO, 1991, pp. 156-171.
[62] M. Matsui, "Linear Cryptanalysis Method for DES Cipher", in EUROCRYPT, 1993, pp. 386-397.
[63] S. Miyaguchi, K. Ohta and M. Iwata, "Confirmation that Some Hash Functions are not Collision Free", in EUROCRYPT, 1990, pp. 326-343.
[64] D. Khovratovich and I. Nikolić, "Rotational Cryptanalysis of ARX", in FSE, 2010, pp. 333-346.
[65] D. Khovratovich, I. Nikolić and C. Rechberger, "Rotational Rebound Attacks on Reduced Skein", IACR Cryptology ePrint Archive, Report 2010/538, 2010.
[66] B. Schneier, N. Ferguson, S. Lucks, D. Whiting, M. Bellare, T. Kohno, J. Walker and J. Callas, The Skein Hash Function Family, Submission to NIST (Round 3), 2011, [online] http://csrc.nist.gov/groups/ST/hash/sha-3/Round3/submissions_rnd3.html
[67] FIPS 46-3, Data Encryption Standard, National Institute of Standards and Technology, US Department of Commerce, Washington D.C., 1999.
[68] B. Preneel, "Differential Cryptanalysis of Hash Functions Based on Block Ciphers", in ACM Conference on Computer and Communications Security, 1993, pp. 183-188.
[69] V. Rijmen and B. Preneel, "Improved Characteristics for Differential Cryptanalysis of Hash Functions Based on Block Ciphers", in FSE, LNCS Vol. 1008, 1995, pp. 242-248.
[70] S. M. Matyas, C. H. Meyer and J. Oseas, "Generating Strong One-Way Functions with Cryptographic Algorithm", IBM Technical Disclosure Bulletin, Vol. 27, No. 10A, 1985, pp. 5658-5659.
[71] S. Miyaguchi, K. Ohta and M. Iwata, "New 128-bit Hash Functions", in 4th International Joint Workshop on Computer Communications, 1989, pp. 279-288.
[72] B. Preneel, R. Govaerts and J. Vandewalle, "Hash Functions Based on Block Ciphers: A Synthetic Approach", in CRYPTO, 1993, pp. 368-378.
[73] B. Preneel, R. Govaerts and J. Vandewalle, "Cryptographically Secure Hash Functions: An Overview", ESAT Internal Report, K. U. Leuven, 1989.
[74] D. W. Davies and W. L. Price, "Digital Signature: An Update", in International Conference on Computer Communications, 1984, pp. 843-847.
[75] J. Black, P. Rogaway and T. Shrimpton, "Black-box Analysis of the Block-Cipher-Based Hash Function Constructions from PGV", in CRYPTO, 2002, pp. 320-335.
[76] B. O. Brachtl, D. Coppersmith, M. M. Hyden, S. M. Matyas, C. H. Meyer, J. Oseas, S. Pilpel and M. Schilling, "Data Authentication Using Modification Detection Codes Based on a Public One Way Encryption Function", U.S. Patent Number 4,908,861, 1990.
[77] C. H. Meyer and M. Schilling, "Secure Program Load with Manipulation Detection Code", in Securicom, 1988, pp. 111-130.
[78] J. J. Quisquater and M. Girault, "2n-bit Hash Functions Using n-bit Symmetric Block Cipher Algorithms", in EUROCRYPT, 1990, pp. 102-109.
[79] W. Hohl, X. Lai, T. Meier and C. Waldvogel, "Security of Iterated Hash Functions Based on Block Ciphers", in CRYPTO, 1994, pp. 379-390.
[80] X. Lai, On the Design and Security of Block Ciphers, ETH Series in Information Processing, Vol. 1, Konstanz: Hartung-Gorre Verlag, 1992.
[81] X. Lai and J. Massey, "Hash Functions Based on Block Ciphers", in EUROCRYPT, 1992, pp. 55-70.
[82] GOST R 34.11-94, Gosudarstvennyi Standard of the Russian Federation, Information Technology. Cryptographic Data Security. Hashing Function, Government Committee of Russia for Standards, 1994; see also RFC 5831.
[83] ISO, ISO N179 AR Fingerprint Function, working document, ISO/IEC JTC1/SC27 WG2, International Organization for Standardization, 1992.
[84] P. S. L. M. Barreto and V. Rijmen, The Whirlpool Hashing Function, primitive submitted to NESSIE, September 2000, revised May 2003.
[85] W. Stallings, Cryptography and Network Security, Pearson Prentice Hall, USA, 2009.
[86] Y. Zheng, J. Pieprzyk and J. Seberry, "HAVAL: A One-Way Hashing Algorithm with Variable Length of Output", in AUSCRYPT, 1993, pp. 83-104.
[87] H. Dobbertin, A. Bosselaers and B. Preneel, "RIPEMD-160: A Strengthened Version of RIPEMD", in Fast Software Encryption, 1996, pp. 71-82.
[88] R. C. Merkle, "A Fast Software One-Way Hash Function", Journal of Cryptology, Vol. 3, No. 1, 1990, pp. 43-58.
[89] R. Anderson and E. Biham, "Tiger: A Fast New Hash Function", in Fast Software Encryption, 1996, pp. 89-97.
[90] H. Wu, The Hash Function JH, Submission to NIST (Round 3), 2011, [online] http://csrc.nist.gov/groups/ST/hash/sha-3/Round3/submissions_rnd3.html
[91] J. P. Aumasson, L. Henzen and W. Meier, "SHA-3 Proposal BLAKE", Submission to NIST (Round 3), 2011, [online] http://csrc.nist.gov/groups/ST/hash/sha-3/Round3/submissions_rnd3.html
[92] P. Gauravaram, L. R. Knudsen, K. Matusiewicz, F. Mendel, C. Rechberger, M. Schläffer and S. S. Thomsen, "Grøstl: A SHA-3 Candidate", Submission to NIST (Round 3), 2011, [online] http://csrc.nist.gov/groups/ST/hash/sha-3/Round3/submissions_rnd3.html
[93] E. Biham, "New Techniques for Cryptanalysis of Hash Functions and Improved Attacks on Snefru", in FSE, 2008, pp. 444-461.
[94] P. Camion and J. Patarin, "The Knapsack Hash Function Proposed at Crypto'89 Can Be Broken", in EUROCRYPT, 1991, pp. 39-53.
[95] A. Joux and L. Granboulan, "A Practical Attack against Knapsack Based Hash Functions", in EUROCRYPT, 1995, pp. 58-66.
[96] S. Wolfram, "Cryptography with Cellular Automata", in CRYPTO, 1986, pp. 429-432.
[97] J. Daemen, R. Govaerts and J. Vandewalle, "A Framework for the Design of One-Way Hash Functions Including Cryptanalysis of Damgård's One-Way Function Based on Cellular Automata", in ASIACRYPT, 1993, pp. 82-96.
[98] C. P. Schnorr, "An Efficient Cryptographic Hash Function", in CRYPTO, 1991.
[99] C. P. Schnorr, "FFT-Hash II, Efficient Cryptographic Hashing", in EUROCRYPT, 1993, pp. 45-54.

Copyright (c) 2012 International Journal of Computer Science Issues. All Rights Reserved.
IJCSI International Journal of Computer Science Issues, Vol. 9, Issue 2, No 2, March 2012
ISSN (Online): 1694-0814
www.IJCSI.org 479

[100] C. P. Schnorr and S. Vaudenay, Parallel FFT


Hashing, in Fast Software Encryption, 1994, pp. 149 156.
[101] J. Daeman, R. Govaerts and J. Vandewalle,
Collisions for Schnorrs hash function FFT-Hash in
CRYPTO, 1991 pp. 477-480.
[102] S. Vaudenay, FFT-Hash II is not yet Collision Free,
in CRYPTO, 1992, pp. 587 593.
[103] J. Black, M. Cochran and T. Highland, "A Study of the
MD5 Attacks: Insights and Improvements", in FSE,
2006,Vol. 4047, pp. 262-277.
[104] W. E. Burr, Cryptographic Hash Standards: Where Do
We Go from Here, IEEE Security & Privacy, Vol. 4, No. 2,
2006, pp. 88-91.
[105] J. J. Hoch and A. Shamir, Breaking the ICE - Finding
Multicollisions in Iterated Concatenated and Expanded (ICE)
Hash Functions, in FSE, 2006, Vol. 4047, pp.179-194.

Authors

Rajeev Sobti is heading the School of Computer Science, Lovely Professional University, India. He has over 13 years of experience in industry, teaching and research. His research interests include Cryptography and Computer System Architecture. He is also a member of the Consultant Board and a manuscript reviewer for books on Discrete Mathematics and Operating Systems from Pearson Education (Singapore) PTE LTD.

Prof. G. Geetha is heading the School of Computer Science and Applications, Lovely Professional University, India. She has nearly two decades of experience in industry, teaching and research. Her research interests include Cryptography, Information Security and Image Processing. She has published more than 50 research papers in refereed journals and conferences. She serves as an Editorial Board member and reviewer for various journals and conferences. She is presently the President of the Advanced Computing Research Society. She is an active member of various professional organizations such as ISCA, ISTE and CRSI.
