This paper contains several attacks on the hash function MD2, which has a hash code size of 128 bits. At Asiacrypt 2004, Muller presented the first known preimage attack on MD2. The time complexity of that attack is about 2^104, and the preimages always consist of 128 blocks. We present a preimage attack of complexity about 2^97, with the further advantage that the preimages are of variable lengths. Moreover, we are always able to find many preimages for one given hash value. We also introduce many new collisions for the MD2 compression function, which lead to the first known (pseudo) collisions for the full MD2 (including the checksum), but where the initial values differ. Finally, we present a pseudo preimage attack of complexity 2^95, where the preimages can have any desired length.