Difference between revisions of "MD2"

From The ECRYPT Hash Function Website
(Others)
(Specification)
 
(7 intermediate revisions by 3 users not shown)
Line 1: Line 1:
 
== Specification ==
 
== Specification ==
  
 +
 +
* digest size: 128 bits
 
<!--  
 
<!--  
* digest size: 160 bits
 
 
* max. message length: < 2<sup>64</sup> bits
 
* max. message length: < 2<sup>64</sup> bits
* compression function: 512-bit message block, 160-bit chaining variable
 
* Specification:
 
 
-->
 
-->
 +
* compression function: 128-bit message block, 7296-bit internal state
 +
* Specification: [http://www.ietf.org/rfc/rfc1319.txt RFC1319]
  
 
== Cryptanalysis ==
 
== Cryptanalysis ==
Line 16: Line 17:
  
 
=== Generic Attacks ===
 
=== Generic Attacks ===
* [[GenericAttacksMerkleDamgaard| Generic Attacks on the Merkle-Damgaard Construction ]]
+
* MD2 is not a design follwing the Merkle-Damgaard construction principle. [[GenericAttacksHash| Generic Attacks on Hash Functions]]
  
 
----
 
----
  
 
=== Collision Attacks ===
 
=== Collision Attacks ===
 +
<bibtex>
 +
@inproceedings{fseKnudsenM05,
 +
  author    = {Lars R. Knudsen and John Erik Mathiassen},
 +
  title    = {Preimage and Collision Attacks on MD2},
 +
  pages    = {255-267},
 +
  url        = {http://dx.doi.org/10.1007/11502760_17},
 +
  editor    = {Henri Gilbert and Helena Handschuh},
 +
  booktitle = {FSE},
 +
  publisher = {Springer},
 +
  series    = {LNCS},
 +
  volume    = {3557},
 +
  year      = {2005},
 +
  isbn      = {3-540-26541-4},
 +
  abstract  = {This paper contains several attacks on the hash function MD2 which has a hash code size of 128 bits.
 +
At Asiacrypt 2004 Muller presents the first known preimage attack on MD2. The time complexity of the attack
 +
is about 2<sup>104</sup> and the preimages consist always of 128 blocks. We present a preimage attack
 +
of complexity about 2<sup>97</sup> with the further advantage that the preimages are of variable lengths.
 +
Moreover we are always able to find many preimages for one given hash value. Also we introduce many new
 +
collisions for the MD2 compression function, which lead to the first known (pseudo) collisions for the
 +
full MD2 (including the checksum), but where the initial values differ.
 +
Finally we present a pseudo preimage attack of complexity 2<sup>95</sup> but where the preimages can have any desired lengths.},
 +
}
 +
</bibtex>
  
 
----
 
----
Line 30: Line 54:
 
=== Preimage Attacks ===
 
=== Preimage Attacks ===
  
 +
<bibtex>
 +
@inproceedings{asiacryptMuller04,
 +
  author    = {Fr{\'e}d{\'e}ric Muller},
 +
  title    = {The MD2 Hash Function Is Not One-Way},
 +
  pages    = {214-229},
 +
  url        = {http://springerlink.metapress.com/openurl.asp?genre=article{\&}issn=0302-9743{\&}volume=3329{\&}spage=214},
 +
  editor    = {Pil Joong Lee},
 +
  booktitle = {ASIACRYPT},
 +
  publisher = {Springer},
 +
  series    = {LNCS},
 +
  volume    = {3329},
 +
  year      = {2004},
 +
  isbn      = {3-540-23975-8},
 +
  abstract  = {MD2 is an early hash function developed by Ron Rivest for RSA Security, that produces message digests of 128 bits. In this paper, we show that MD2 does not reach the ideal security level of $2^128$. We describe preimage attacks against the underlying compression function, the best of which has complexity of $2^73$. As a result, the full MD2 hash can be attacked in preimage with complexity of $2^104$.},
 +
}
 +
</bibtex>
  
 
----
 
----
Line 38: Line 78:
 
@article{dccRogierC97,
 
@article{dccRogierC97,
 
   author    = {N. Rogier and Pascal Chauvaud},
 
   author    = {N. Rogier and Pascal Chauvaud},
   title    = {{MD2 Is not Secure without the Checksum Byte}},
+
   title    = {MD2 Is not Secure without the Checksum Byte},
 
   journal  = {Des. Codes Cryptography},
 
   journal  = {Des. Codes Cryptography},
 
   volume    = {12},
 
   volume    = {12},

Latest revision as of 09:53, 12 March 2008

1 Specification

  • digest size: 128 bits
  • compression function: 128-bit message block, 7296-bit internal state
  • Specification: RFC1319

2 Cryptanalysis

2.1 Best Known Results

2.2 Generic Attacks

2.3 Collision Attacks

Lars R. Knudsen, John Erik Mathiassen - Preimage and Collision Attacks on MD2

FSE 3557:255-267,2005
http://dx.doi.org/10.1007/11502760_17
Bibtex
Author : Lars R. Knudsen, John Erik Mathiassen
Title : Preimage and Collision Attacks on MD2
In : FSE -
Address :
Date : 2005

2.4 Second Preimage Attacks

2.5 Preimage Attacks

Fr\'ed\'eric Muller - The MD2 Hash Function Is Not One-Way

ASIACRYPT 3329:214-229,2004
http://springerlink.metapress.com/openurl.asp?genre=article{\&}issn=0302-9743{\&}volume=3329{\&}spage=214
Bibtex
Author : Fr\'ed\'eric Muller
Title : The MD2 Hash Function Is Not One-Way
In : ASIACRYPT -
Address :
Date : 2004

2.6 Others

N. Rogier, Pascal Chauvaud - MD2 Is not Secure without the Checksum Byte

Des. Codes Cryptography 12(3):245-251,1997
http://dx.doi.org/10.1023/A:1008220711840
Bibtex
Author : N. Rogier, Pascal Chauvaud
Title : MD2 Is not Secure without the Checksum Byte
In : Des. Codes Cryptography -
Address :
Date : 1997
Retrieved from "https://ehash.iaik.tugraz.at/index.php?title=MD2&oldid=1935"