On Free-Start Collisions and Collisions for TIB3

Authors:
Florian Mendel;Martin Schläffer
Affiliations:
Institute for Applied Information Processing and Communications (IAIK), Graz University of Technology, Graz, Austria A-8010;Institute for Applied Information Processing and Communications (IAIK), Graz University of Technology, Graz, Austria A-8010
Venue:
ISC '09 Proceedings of the 12th International Conference on Information Security
Year:
2009

Citing 6
Cited 3

Collisions for the compression function of MD5

EUROCRYPT '93 Workshop on the theory and application of cryptographic techniques on Advances in cryptology
A Design Principle for Hash Functions

CRYPTO '89 Proceedings of the 9th Annual International Cryptology Conference on Advances in Cryptology
How Easy is Collision Search. New Results and Applications to DES

CRYPTO '89 Proceedings of the 9th Annual International Cryptology Conference on Advances in Cryptology
One Way Hash Functions and DES

CRYPTO '89 Proceedings of the 9th Annual International Cryptology Conference on Advances in Cryptology
Finding collisions in the full SHA-1

CRYPTO'05 Proceedings of the 25th annual international conference on Advances in Cryptology
How to break MD5 and other hash functions

EUROCRYPT'05 Proceedings of the 24th annual international conference on Theory and Applications of Cryptographic Techniques

MD5 Is Weaker Than Weak: Attacks on Concatenated Combiners

ASIACRYPT '09 Proceedings of the 15th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology
Optimal covering codes for finding near-collisions

SAC'10 Proceedings of the 17th international conference on Selected areas in cryptography
Memoryless near-collisions via coding theory

Designs, Codes and Cryptography

Quantified Score

Hi-index	0.00

Visualization

Abstract

In this paper, we present free-start collisions for the TIB3 hash functions with a complexity of about 232 compression function evaluations. By using message modification techniques the complexity can be further reduced to 224. Furthermore, we show how to construct collisions for TIB3 slightly faster than brute force search using the fact that we can construct several (different) free-start collisions for the compression function. The complexity to construct collisions is about 2122.5 for TIB3-256 and 2242 for TIB3-512 with memory requirements of 253 and 2100 respectively. The attack shows that compression function attacks have been underestimated in the design of TIB3. Although the practicality of the proposed attacks might be debatable, they nevertheless exhibit non-random properties that are not present in the SHA-2 family.