Hard and Easy Components of Collision Search in the Zémor-Tillich Hash Function: New Attacks and Reduced Variants with Equivalent Security

Authors:
Christophe Petit;Jean-Jacques Quisquater;Jean-Pierre Tillich;Gilles Zémor
Affiliations:
UCL Crypto Group, Université catholique de Louvain Place du levant 3, Louvain-la-Neuve, Belgium 1348;UCL Crypto Group, Université catholique de Louvain Place du levant 3, Louvain-la-Neuve, Belgium 1348;Equipe SECRET INRIA Rocquencourt, Le Chesnay, France 78153;Institut de Mathématiques de Bordeaux UMR 5251, Université Bordeaux 1, Talence, France 33405
Venue:
CT-RSA '09 Proceedings of the The Cryptographers' Track at the RSA Conference 2009 on Topics in Cryptology
Year:
2009

Citing 7
Cited 2

How easy is collision search? Application to DES

EUROCRYPT '89 Proceedings of the workshop on the theory and application of cryptographic techniques on Advances in cryptology
Weaknesses in the SL2(IFs2) Hashing Scheme

CRYPTO '00 Proceedings of the 20th Annual International Cryptology Conference on Advances in Cryptology
A Generalized Birthday Problem

CRYPTO '02 Proceedings of the 22nd Annual International Cryptology Conference on Advances in Cryptology
Hashing with SL_2

CRYPTO '94 Proceedings of the 14th Annual International Cryptology Conference on Advances in Cryptology
Attacking the SL2 Hashing Scheme

ASIACRYPT '94 Proceedings of the 4th International Conference on the Theory and Applications of Cryptology: Advances in Cryptology
A Note on the Hash Function of Tillich and Zémor

Proceedings of the Third International Workshop on Fast Software Encryption
On the Security of the Hashing Scheme Based on SL2

FSE '98 Proceedings of the 5th International Workshop on Fast Software Encryption

Interpreting hash function security proofs

ProvSec'10 Proceedings of the 4th international conference on Provable security
Preimages for the Tillich-Zémor hash function

SAC'10 Proceedings of the 17th international conference on Selected areas in cryptography

Quantified Score

Hi-index	0.00

Visualization

Abstract

The Zémor-Tillich hash function has remained unbroken since its introduction at CRYPTO'94. We present the first generic collision and preimage attacks against this function, in the sense that the attacks work for any parameters of the function. Their complexity is the cubic root of the birthday bound; for the parameters initially suggested by Tillich and Zémor they are very close to being practical. Our attacks exploit a separation of the collision problem into an easy and a hard component. We subsequently present two variants of the Zémor-Tillich hash function with essentially the same collision resistance but reduced outputs of 2n and n bits instead of the original 3n bits. Our second variant keeps only the hard component of the collision problem; for well-chosen parameters the best collision attack on it is the birthday attack.