By Topic

Cryptanalysis of an iterated halving-based hash function: CRUSH

Sign In

Cookies must be enabled to login.After enabling cookies , please use refresh or reload or ctrl+f5 on the browser for the login options.

Formats Non-Member Member
$33 $31
Learn how you can qualify for the best price for this item!
Become an IEEE Member or Subscribe to
IEEE Xplore for exclusive pricing!
close button

puzzle piece

IEEE membership options for an individual and IEEE Xplore subscriptions for an organization offer the most affordable access to essential journal articles, conference papers, standards, eBooks, and eLearning courses.

Learn more about:

IEEE membership

IEEE Xplore subscriptions

5 Author(s)
Bagheri, N. ; Electr. Eng. Dept., Iran Univ. of Sci. & Technol., Tehran, Iran ; Henricksen, M. ; Knudsen, L.R. ; Naderi, M.
more authors

Iterated halving has been suggested as a replacement to the Merkle-Damgard (MD) construction in 2004 anticipating the attacks on the MDx family of hash functions. The CRUSH hash function provides a specific instantiation of the block cipher for iterated halving. The authors identify structural problems with the scheme and show that they can trivially identify collisions and second preimages on many equal-length messages of length ten blocks or more. The cost is ten decryptions of the block cipher, this being less than the generation of a single digest. In addition, these attacks can be used to differentiate CRUSH from a random oracle in O(1). The authors show that the complexity of finding a preimage in the unpadded CRUSH with the length encoding is negligible and extend this attack on CRUSH with the length encoding in cost O(232). This attack is a multi-preimage attack, since the attacker can produce a large number of messages for a given message digest for the cost of O(232). Hence, this attack can be used as a multi-collision and a multi-second-preimage as well. They show that if the attacker knows the last 64-bits of the message digest in advance, he can do the time-consuming part of the attack off-line. The authors show that even if iterated halving is repaired, the construction has practical issues that means it is not suitable for general deployment.

Published in:

Information Security, IET  (Volume:3 ,  Issue: 4 )