Preimage and collision attacks on MD2

Authors:
Lars R. Knudsen;John E. Mathiassen
Affiliations:
Department of Mathematics, Technical University of Denmark;Department of Informatics, University of Bergen, Norway
Venue:
FSE'05 Proceedings of the 12th international conference on Fast Software Encryption
Year:
2005

Citing 4
Cited 8

Md2 is not Secure Without the Checksum Byte

Designs, Codes and Cryptography - Special issue: selected areas in cryptography I
Handbook of Applied Cryptography

Handbook of Applied Cryptography
A Design Principle for Hash Functions

CRYPTO '89 Proceedings of the 9th Annual International Cryptology Conference on Advances in Cryptology
One Way Hash Functions and DES

CRYPTO '89 Proceedings of the 9th Annual International Cryptology Conference on Advances in Cryptology

A (Second) Preimage Attack on the GOST Hash Function

Fast Software Encryption
MD4 is Not One-Way

Fast Software Encryption
Preimage Attacks on Step-Reduced MD5

ACISP '08 Proceedings of the 13th Australasian conference on Information Security and Privacy
Faster Multicollisions

INDOCRYPT '08 Proceedings of the 9th International Conference on Cryptology in India: Progress in Cryptology
Preimage Attack on Hash Function RIPEMD

ISPEC '09 Proceedings of the 5th International Conference on Information Security Practice and Experience
Linear-XOR and additive checksums don't protect Damgård-Merkle hashes from generic attacks

CT-RSA'08 Proceedings of the 2008 The Cryptopgraphers' Track at the RSA conference on Topics in cryptology
Second preimages for SMASH

CT-RSA'07 Proceedings of the 7th Cryptographers' track at the RSA conference on Topics in Cryptology
Analysis of a SHA-256 variant

SAC'05 Proceedings of the 12th international conference on Selected Areas in Cryptography

Quantified Score

Hi-index	0.00

Visualization

Abstract

This paper contains several attacks on the hash function MD2 which has a hash code size of 128 bits. At Asiacrypt 2004 Muller presents the first known preimage attack on MD2. The time complexity of the attack is about 2104 and the preimages consist always of 128 blocks. We present a preimage attack of complexity about 297 with the further advantage that the preimages are of variable lengths. Moreover we are always able to find many preimages for one given hash value. Also we introduce many new collisions for the MD2 compression function, which lead to the first known (pseudo) collisions for the full MD2 (including the checksum), but where the initial values differ. Finally we present a pseudo preimage attack of complexity 295 but where the preimages can have any desired lengths.