Collisions for the compression function of MD5
EUROCRYPT '93 Workshop on the theory and application of cryptographic techniques on Advances in cryptology
A Design Principle for Hash Functions
CRYPTO '89 Proceedings of the 9th Annual International Cryptology Conference on Advances in Cryptology
How Easy is Collision Search. New Results and Applications to DES
CRYPTO '89 Proceedings of the 9th Annual International Cryptology Conference on Advances in Cryptology
One Way Hash Functions and DES
CRYPTO '89 Proceedings of the 9th Annual International Cryptology Conference on Advances in Cryptology
Finding collisions in the full SHA-1
CRYPTO'05 Proceedings of the 25th annual international conference on Advances in Cryptology
How to break MD5 and other hash functions
EUROCRYPT'05 Proceedings of the 24th annual international conference on Theory and Applications of Cryptographic Techniques
MD5 Is Weaker Than Weak: Attacks on Concatenated Combiners
ASIACRYPT '09 Proceedings of the 15th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology
Optimal covering codes for finding near-collisions
SAC'10 Proceedings of the 17th international conference on Selected areas in cryptography
Memoryless near-collisions via coding theory
Designs, Codes and Cryptography
Hi-index | 0.00 |
In this paper, we present free-start collisions for the TIB3 hash functions with a complexity of about 232 compression function evaluations. By using message modification techniques the complexity can be further reduced to 224. Furthermore, we show how to construct collisions for TIB3 slightly faster than brute force search using the fact that we can construct several (different) free-start collisions for the compression function. The complexity to construct collisions is about 2122.5 for TIB3-256 and 2242 for TIB3-512 with memory requirements of 253 and 2100 respectively. The attack shows that compression function attacks have been underestimated in the design of TIB3. Although the practicality of the proposed attacks might be debatable, they nevertheless exhibit non-random properties that are not present in the SHA-2 family.