Difference between revisions of "MD2"
From The ECRYPT Hash Function Website
(→Specification) |
|||
(8 intermediate revisions by 3 users not shown) | |||
Line 1: | Line 1: | ||
== Specification == | == Specification == | ||
+ | |||
+ | * digest size: 128 bits | ||
<!-- | <!-- | ||
− | |||
* max. message length: < 2<sup>64</sup> bits | * max. message length: < 2<sup>64</sup> bits | ||
− | |||
− | |||
--> | --> | ||
+ | * compression function: 128-bit message block, 7296-bit internal state | ||
+ | * Specification: [http://www.ietf.org/rfc/rfc1319.txt RFC1319] | ||
== Cryptanalysis == | == Cryptanalysis == | ||
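Review bot: The added compression-function bullet gives a "7296-bit internal state" without saying how that figure is counted, and it sits beside a 128-bit message block and a 128-bit digest, so a reader cannot check it from this line alone. Suggest a short parenthetical on what the state comprises, or a pointer to the relevant section of the RFC1319 link added in the next bullet. Also note that the "max. message length" bullet remains inside the <!-- --> comment and will not render; if that is not intended, move it out of the comment.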
Line 16: | Line 17: | ||
=== Generic Attacks === | === Generic Attacks === | ||
− | * [[ | + | * MD2 is not a design follwing the Merkle-Damgaard construction principle. [[GenericAttacksHash| Generic Attacks on Hash Functions]] |
---- | ---- | ||
=== Collision Attacks === | === Collision Attacks === | ||
+ | <bibtex> | ||
+ | @inproceedings{fseKnudsenM05, | ||
+ | author = {Lars R. Knudsen and John Erik Mathiassen}, | ||
+ | title = {Preimage and Collision Attacks on MD2}, | ||
+ | pages = {255-267}, | ||
+ | url = {http://dx.doi.org/10.1007/11502760_17}, | ||
+ | editor = {Henri Gilbert and Helena Handschuh}, | ||
+ | booktitle = {FSE}, | ||
+ | publisher = {Springer}, | ||
+ | series = {LNCS}, | ||
+ | volume = {3557}, | ||
+ | year = {2005}, | ||
+ | isbn = {3-540-26541-4}, | ||
+ | abstract = {This paper contains several attacks on the hash function MD2 which has a hash code size of 128 bits. | ||
+ | At Asiacrypt 2004 Muller presents the first known preimage attack on MD2. The time complexity of the attack | ||
+ | is about 2<sup>104</sup> and the preimages consist always of 128 blocks. We present a preimage attack | ||
+ | of complexity about 2<sup>97</sup> with the further advantage that the preimages are of variable lengths. | ||
+ | Moreover we are always able to find many preimages for one given hash value. Also we introduce many new | ||
+ | collisions for the MD2 compression function, which lead to the first known (pseudo) collisions for the | ||
+ | full MD2 (including the checksum), but where the initial values differ. | ||
+ | Finally we present a pseudo preimage attack of complexity 2<sup>95</sup> but where the preimages can have any desired lengths.}, | ||
+ | } | ||
+ | </bibtex> | ||
---- | ---- | ||
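Review bot: Typo in the added Generic Attacks bullet: "follwing" should be "following". The same line runs the claim straight into the wiki link ("... construction principle. [[GenericAttacksHash| Generic Attacks on Hash Functions]]") with nothing connecting the two; a linking word such as "See" before the link would make clear how it relates to the statement. In the BibTeX abstract added under Collision Attacks, the exponents are written with <sup> tags inside the abstract field, so it is worth confirming that the bibtex extension renders them rather than printing the tags.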
Line 30: | Line 54: | ||
=== Preimage Attacks === | === Preimage Attacks === | ||
+ | <bibtex> | ||
+ | @inproceedings{asiacryptMuller04, | ||
+ | author = {Fr{\'e}d{\'e}ric Muller}, | ||
+ | title = {The MD2 Hash Function Is Not One-Way}, | ||
+ | pages = {214-229}, | ||
+ | url = {http://springerlink.metapress.com/openurl.asp?genre=article{\&}issn=0302-9743{\&}volume=3329{\&}spage=214}, | ||
+ | editor = {Pil Joong Lee}, | ||
+ | booktitle = {ASIACRYPT}, | ||
+ | publisher = {Springer}, | ||
+ | series = {LNCS}, | ||
+ | volume = {3329}, | ||
+ | year = {2004}, | ||
+ | isbn = {3-540-23975-8}, | ||
+ | abstract = {MD2 is an early hash function developed by Ron Rivest for RSA Security, that produces message digests of 128 bits. In this paper, we show that MD2 does not reach the ideal security level of $2^128$. We describe preimage attacks against the underlying compression function, the best of which has complexity of $2^73$. As a result, the full MD2 hash can be attacked in preimage with complexity of $2^104$.}, | ||
+ | } | ||
+ | </bibtex> | ||
---- | ---- | ||
=== Others === | === Others === | ||
+ | |||
+ | <bibtex> | ||
+ | @article{dccRogierC97, | ||
+ | author = {N. Rogier and Pascal Chauvaud}, | ||
+ | title = {MD2 Is not Secure without the Checksum Byte}, | ||
+ | journal = {Des. Codes Cryptography}, | ||
+ | volume = {12}, | ||
+ | number = {3}, | ||
+ | year = {1997}, | ||
+ | pages = {245-251}, | ||
+ | url = {http://dx.doi.org/10.1023/A:1008220711840}, | ||
+ | abstract = {In 1989, Ron Rivest introduced the MD2 Message Digest Algorithm which takes as input a message of arbitrary length and produces as output a 128-bit message digest, by appending some redundancy to the message and then iteratively applying a 32 bytes to 16 bytes compression function. MD2 Message Digest Algorithm is one of the most frequently used hashing function with MD4, MD5, SHA, SHA-1. Some attacks against MD4 and MD5 have been presented by Dobbertin. Up to now, no attack against MD2 has been presented. This function has been updated in 1993 in the RFC 1423 document. It was conjectured that the number of operations needed to get two messages having the same message digest is on the order of 2^64 (using the birthday paradox), and that the complexity of inverting the hash function is on the order of 2^128 operations. No attack against this function has been published so far. In this paper, we propose a low complexity method to find collisions for the compression function of MD2. The easiness to find these collisions could imply that the first conjecture is false if these collisions can be used to make global collisions for MD2.}, | ||
+ | } | ||
+ | </bibtex> |
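Review bot: In the Muller abstract the exponents are written $2^128$, $2^73$ and $2^104$ without braces, so wherever the field is rendered as TeX only the first digit is raised; write $2^{128}$, $2^{73}$ and $2^{104}$. The url field of the same entry carries {\&} escapes, which should be checked against how the link is emitted on the rendered page. The Rogier-Chauvaud abstract writes 2^64 and 2^128 as plain text, so the three entries on this page now use three different exponent notations; pick one.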
Latest revision as of 09:53, 12 March 2008
Contents
1 Specification
- digest size: 128 bits
- compression function: 128-bit message block, 7296-bit internal state
- Specification: RFC1319
2 Cryptanalysis
2.1 Best Known Results
2.2 Generic Attacks
- MD2 is not a design following the Merkle-Damgaard construction principle. Generic Attacks on Hash Functions
2.3 Collision Attacks
Lars R. Knudsen, John Erik Mathiassen - Preimage and Collision Attacks on MD2
- FSE 3557:255-267,2005
- http://dx.doi.org/10.1007/11502760_17
2.4 Second Preimage Attacks
2.5 Preimage Attacks
Frédéric Muller - The MD2 Hash Function Is Not One-Way
- ASIACRYPT 3329:214-229,2004
- http://springerlink.metapress.com/openurl.asp?genre=article&issn=0302-9743&volume=3329&spage=214
2.6 Others
N. Rogier, Pascal Chauvaud - MD2 Is not Secure without the Checksum Byte