On the (in)security of IDEA in various hashing modes

Authors:
Lei Wei;Thomas Peyrin;Przemysław Sokołowski;San Ling;Josef Pieprzyk;Huaxiong Wang
Affiliations:
Division of Mathematical Sciences, School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore;Division of Mathematical Sciences, School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore;Macquarie University, Australia;Division of Mathematical Sciences, School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore;Macquarie University, Australia;Division of Mathematical Sciences, School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore
Venue:
FSE'12 Proceedings of the 19th international conference on Fast Software Encryption
Year:
2012

Citing 26
Cited 1

How to construct pseudorandom permutations from pseudorandom functions

SIAM Journal on Computing - Special issue on cryptography
A proposal for a new block encryption standard

EUROCRYPT '90 Proceedings of the workshop on the theory and application of cryptographic techniques on Advances in cryptology
Weak keys for IDEA

CRYPTO '93 Proceedings of the 13th annual international cryptology conference on Advances in cryptology
Hash functions based on block ciphers: a synthetic approach

CRYPTO '93 Proceedings of the 13th annual international cryptology conference on Advances in cryptology
Collisions for the compression function of MD5

EUROCRYPT '93 Workshop on the theory and application of cryptographic techniques on Advances in cryptology
Handbook of Applied Cryptography

Handbook of Applied Cryptography
The Design of Rijndael

The Design of Rijndael
New Weak-Key Classes of IDEA

ICICS '02 Proceedings of the 4th International Conference on Information and Communications Security
Black-Box Analysis of the Block-Cipher-Based Hash-Function Constructions from PGV

CRYPTO '02 Proceedings of the 22nd Annual International Cryptology Conference on Advances in Cryptology
A Design Principle for Hash Functions

CRYPTO '89 Proceedings of the 9th Annual International Cryptology Conference on Advances in Cryptology
One Way Hash Functions and DES

CRYPTO '89 Proceedings of the 9th Annual International Cryptology Conference on Advances in Cryptology
Key-Schedule Cryptoanalysis of IDEA, G-DES, GOST, SAFER, and Triple-DES

CRYPTO '96 Proceedings of the 16th Annual International Cryptology Conference on Advances in Cryptology
On the Security of Tandem-DM

Fast Software Encryption
Hash functions based on block ciphers

EUROCRYPT'92 Proceedings of the 11th annual international conference on Theory and application of cryptographic techniques
Improved DST Cryptanalysis of IDEA

SAC'06 Proceedings of the 13th international conference on Selected areas in cryptography
Known-key distinguishers for some block ciphers

ASIACRYPT'07 Proceedings of the Advances in Crypotology 13th international conference on Theory and application of cryptology and information security
MJH: a faster alternative to MDC-2

CT-RSA'11 Proceedings of the 11th international conference on Topics in cryptology: CT-RSA 2011
The collision security of tandem-DM in the ideal cipher model

CRYPTO'11 Proceedings of the 31st annual conference on Advances in cryptology
Combining compression functions and block cipher-based hash functions

ASIACRYPT'06 Proceedings of the 12th international conference on Theory and Application of Cryptology and Information Security
New cryptanalytic results on IDEA

ASIACRYPT'06 Proceedings of the 12th international conference on Theory and Application of Cryptology and Information Security
Some plausible constructions of double-block-length hash functions

FSE'06 Proceedings of the 13th international conference on Fast Software Encryption
How to break MD5 and other hash functions

EUROCRYPT'05 Proceedings of the 24th annual international conference on Theory and Applications of Cryptographic Techniques
Provably secure double-block-length hash functions in a black-box model

ICISC'04 Proceedings of the 7th international conference on Information Security and Cryptology
Cryptanalysis of t-function-based hash functions

ICISC'06 Proceedings of the 9th international conference on Information Security and Cryptology
Narrow-Bicliques: cryptanalysis of full IDEA

EUROCRYPT'12 Proceedings of the 31st Annual international conference on Theory and Applications of Cryptographic Techniques
A new attack on 6-round IDEA

FSE'07 Proceedings of the 14th international conference on Fast Software Encryption

Collisions for the WIDEA-8 compression function

CT-RSA'13 Proceedings of the 13th international conference on Topics in Cryptology

Quantified Score

Hi-index	0.00

Visualization

Abstract

In this article, we study the security of the IDEA block cipher when it is used in various simple-length or double-length hashing modes. Even though this cipher is still considered as secure, we show that one should avoid its use as internal primitive for block cipher based hashing. In particular, we are able to generate instantaneously free-start collisions for most modes, and even semi-free-start collisions, pseudo-preimages or hash collisions in practical complexity. This work shows a practical example of the gap that exists between secret-key and known or chosen-key security for block ciphers. Moreover, we also settle the 20-year-old standing open question concerning the security of the Abreast-DM and Tandem-DM double-length compression functions, originally invented to be instantiated with IDEA. Our attacks have been verified experimentally and work even for strengthened versions of IDEA with any number of rounds.