Difference between revisions of "MD2"

From The ECRYPT Hash Function Website
(Preimage Attacks)
(Specification)
 
(5 intermediate revisions by 2 users not shown)
Line 1: Line 1:
 
== Specification ==
 
== Specification ==
  
 +
 +
* digest size: 128 bits
 
<!--  
 
<!--  
* digest size: 160 bits
 
 
* max. message length: < 2<sup>64</sup> bits
 
* max. message length: < 2<sup>64</sup> bits
* compression function: 512-bit message block, 160-bit chaining variable
 
* Specification:
 
 
-->
 
-->
 +
* compression function: 128-bit message block, 7296-bit internal state
 +
* Specification: [http://www.ietf.org/rfc/rfc1319.txt RFC1319]
  
 
== Cryptanalysis ==
 
== Cryptanalysis ==
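
Review bot: the commented-out block (`<!--` to `-->`) left in the Specification section still lists template values, "digest size: 160 bits" and "compression function: 512-bit message block, 160-bit chaining variable", that do not match the 128-bit digest and 128-bit message block / 7296-bit internal state lines added around it. Delete the comment instead of keeping it in the page source, so a later editor cannot uncomment the wrong parameters. The commented "max. message length: < 2<sup>64</sup> bits" line should either become a visible bullet, if it applies to MD2, or be removed with the rest.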
Line 16: Line 17:
  
 
=== Generic Attacks ===
 
=== Generic Attacks ===
* [[GenericAttacksMerkleDamgaard| Generic Attacks on the Merkle-Damgaard Construction ]]
+
* MD2 is not a design follwing the Merkle-Damgaard construction principle. [[GenericAttacksHash| Generic Attacks on Hash Functions]]
  
 
----
 
----
  
 
=== Collision Attacks ===
 
=== Collision Attacks ===
 +
<bibtex>
 +
@inproceedings{fseKnudsenM05,
 +
  author    = {Lars R. Knudsen and John Erik Mathiassen},
 +
  title    = {Preimage and Collision Attacks on MD2},
 +
  pages    = {255-267},
 +
  url        = {http://dx.doi.org/10.1007/11502760_17},
 +
  editor    = {Henri Gilbert and Helena Handschuh},
 +
  booktitle = {FSE},
 +
  publisher = {Springer},
 +
  series    = {LNCS},
 +
  volume    = {3557},
 +
  year      = {2005},
 +
  isbn      = {3-540-26541-4},
 +
  abstract  = {This paper contains several attacks on the hash function MD2 which has a hash code size of 128 bits.
 +
At Asiacrypt 2004 Muller presents the first known preimage attack on MD2. The time complexity of the attack
 +
is about 2<sup>104</sup> and the preimages consist always of 128 blocks. We present a preimage attack
 +
of complexity about 2<sup>97</sup> with the further advantage that the preimages are of variable lengths.
 +
Moreover we are always able to find many preimages for one given hash value. Also we introduce many new
 +
collisions for the MD2 compression function, which lead to the first known (pseudo) collisions for the
 +
full MD2 (including the checksum), but where the initial values differ.
 +
Finally we present a pseudo preimage attack of complexity 2<sup>95</sup> but where the preimages can have any desired lengths.},
 +
}
 +
</bibtex>
  
 
----
 
----
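
Review bot: the added Generic Attacks bullet misspells "following" as "follwing", and it runs the statement about the construction and the [[GenericAttacksHash]] link together in one bullet; split them so the link is its own item. The Knudsen and Mathiassen entry is added under Collision Attacks only, but its abstract describes a preimage attack of complexity about 2<sup>97</sup> and a pseudo preimage attack of complexity 2<sup>95</sup>, and the collisions it reports are (pseudo) collisions where the initial values differ. List the paper under Preimage Attacks as well, and say "pseudo collision" in the Collision Attacks entry so the result is not read as a full collision.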

Latest revision as of 09:53, 12 March 2008

1 Specification

  • digest size: 128 bits
  • compression function: 128-bit message block, 7296-bit internal state
  • Specification: RFC1319

2 Cryptanalysis

2.1 Best Known Results


2.2 Generic Attacks


2.3 Collision Attacks

Lars R. Knudsen, John Erik Mathiassen - Preimage and Collision Attacks on MD2

FSE 3557:255-267,2005
http://dx.doi.org/10.1007/11502760_17

2.4 Second Preimage Attacks


2.5 Preimage Attacks

Frédéric Muller - The MD2 Hash Function Is Not One-Way

ASIACRYPT 3329:214-229,2004
http://springerlink.metapress.com/openurl.asp?genre=article&issn=0302-9743&volume=3329&spage=214

2.6 Others

N. Rogier, Pascal Chauvaud - MD2 Is not Secure without the Checksum Byte

Des. Codes Cryptography 12(3):245-251,1997
http://dx.doi.org/10.1023/A:1008220711840