Difference between revisions of "MD2"
From The ECRYPT Hash Function Website
(→Preimage Attacks) |
(→Specification) |
||
| (5 intermediate revisions by 2 users not shown) | |||
| Line 1: | Line 1: | ||
== Specification == | == Specification == | ||
| + | |||
| + | * digest size: 128 bits | ||
<!-- | <!-- | ||
| − | |||
* max. message length: < 2<sup>64</sup> bits | * max. message length: < 2<sup>64</sup> bits | ||
| − | |||
| − | |||
--> | --> | ||
| + | * compression function: 128-bit message block, 7296-bit internal state | ||
| + | * Specification: [http://www.ietf.org/rfc/rfc1319.txt RFC1319] | ||
== Cryptanalysis == | == Cryptanalysis == | ||
| Line 16: | Line 17: | ||
=== Generic Attacks === | === Generic Attacks === | ||
| − | * [[ | + | * MD2 is not a design follwing the Merkle-Damgaard construction principle. [[GenericAttacksHash| Generic Attacks on Hash Functions]] |
---- | ---- | ||
=== Collision Attacks === | === Collision Attacks === | ||
| + | <bibtex> | ||
| + | @inproceedings{fseKnudsenM05, | ||
| + | author = {Lars R. Knudsen and John Erik Mathiassen}, | ||
| + | title = {Preimage and Collision Attacks on MD2}, | ||
| + | pages = {255-267}, | ||
| + | url = {http://dx.doi.org/10.1007/11502760_17}, | ||
| + | editor = {Henri Gilbert and Helena Handschuh}, | ||
| + | booktitle = {FSE}, | ||
| + | publisher = {Springer}, | ||
| + | series = {LNCS}, | ||
| + | volume = {3557}, | ||
| + | year = {2005}, | ||
| + | isbn = {3-540-26541-4}, | ||
| + | abstract = {This paper contains several attacks on the hash function MD2 which has a hash code size of 128 bits. | ||
| + | At Asiacrypt 2004 Muller presents the first known preimage attack on MD2. The time complexity of the attack | ||
| + | is about 2<sup>104</sup> and the preimages consist always of 128 blocks. We present a preimage attack | ||
| + | of complexity about 2<sup>97</sup> with the further advantage that the preimages are of variable lengths. | ||
| + | Moreover we are always able to find many preimages for one given hash value. Also we introduce many new | ||
| + | collisions for the MD2 compression function, which lead to the first known (pseudo) collisions for the | ||
| + | full MD2 (including the checksum), but where the initial values differ. | ||
| + | Finally we present a pseudo preimage attack of complexity 2<sup>95</sup> but where the preimages can have any desired lengths.}, | ||
| + | } | ||
| + | </bibtex> | ||
---- | ---- | ||
Latest revision as of 09:53, 12 March 2008
Contents
1 Specification
- digest size: 128 bits
- compression function: 128-bit message block, 7296-bit internal state
- Specification: RFC1319
2 Cryptanalysis
2.1 Best Known Results
2.2 Generic Attacks
- MD2 is not a design follwing the Merkle-Damgaard construction principle. Generic Attacks on Hash Functions
2.3 Collision Attacks
Lars R. Knudsen, John Erik Mathiassen - Preimage and Collision Attacks on MD2
- FSE 3557:255-267,2005
- http://dx.doi.org/10.1007/11502760_17
BibtexAuthor : Lars R. Knudsen, John Erik Mathiassen
Title : Preimage and Collision Attacks on MD2
In : FSE -
Address :
Date : 2005
2.4 Second Preimage Attacks
2.5 Preimage Attacks
Fr\'ed\'eric Muller - The MD2 Hash Function Is Not One-Way
- ASIACRYPT 3329:214-229,2004
- http://springerlink.metapress.com/openurl.asp?genre=article{\&}issn=0302-9743{\&}volume=3329{\&}spage=214
BibtexAuthor : Fr\'ed\'eric Muller
Title : The MD2 Hash Function Is Not One-Way
In : ASIACRYPT -
Address :
Date : 2004
2.6 Others
N. Rogier, Pascal Chauvaud - MD2 Is not Secure without the Checksum Byte
