Difference between revisions of "MD2"

From The ECRYPT Hash Function Website
(Collision Attacks)
(Specification)
 
(3 intermediate revisions by 2 users not shown)
Line 1: Line 1:
 
== Specification ==
 
== Specification ==
  
 +
 +
* digest size: 128 bits
 
<!--  
 
<!--  
* digest size: 160 bits
 
 
* max. message length: < 2<sup>64</sup> bits
 
* max. message length: < 2<sup>64</sup> bits
* compression function: 512-bit message block, 160-bit chaining variable
 
* Specification:
 
 
-->
 
-->
 +
* compression function: 128-bit message block, 7296-bit internal state
 +
* Specification: [http://www.ietf.org/rfc/rfc1319.txt RFC1319]
  
 
== Cryptanalysis ==
 
== Cryptanalysis ==
Line 16: Line 17:
  
 
=== Generic Attacks ===
 
=== Generic Attacks ===
* [[GenericAttacksMerkleDamgaard| Generic Attacks on the Merkle-Damgaard Construction ]]
+
* MD2 is not a design follwing the Merkle-Damgaard construction principle. [[GenericAttacksHash| Generic Attacks on Hash Functions]]
  
 
----
 
----
Line 34: Line 35:
 
   year      = {2005},
 
   year      = {2005},
 
   isbn      = {3-540-26541-4},
 
   isbn      = {3-540-26541-4},
   abstract  = {This paper contains several attacks on the hash function MD2 which has a hash code size of 128 bits. At Asiacrypt 2004 Muller presents the first known preimage attack on MD2. The time complexity of the attack is about 2^104 and the preimages consist always of 128 blocks. We present a preimage attack of complexity about 2^97 with the further advantage that the preimages are of variable lengths. Moreover we are always able to find many preimages for one given hash value. Also we introduce many new collisions for the MD2 compression function, which lead to the first known (pseudo) collisions for the full MD2 (including the checksum), but where the initial values differ. Finally we present a pseudo preimage attack of complexity 2^95 but where the preimages can have any desired lengths.},
+
   abstract  = {This paper contains several attacks on the hash function MD2 which has a hash code size of 128 bits.  
 +
At Asiacrypt 2004 Muller presents the first known preimage attack on MD2. The time complexity of the attack  
 +
is about 2<sup>104</sup> and the preimages consist always of 128 blocks. We present a preimage attack  
 +
of complexity about 2<sup>97</sup> with the further advantage that the preimages are of variable lengths.  
 +
Moreover we are always able to find many preimages for one given hash value. Also we introduce many new  
 +
collisions for the MD2 compression function, which lead to the first known (pseudo) collisions for the  
 +
full MD2 (including the checksum), but where the initial values differ.  
 +
Finally we present a pseudo preimage attack of complexity 2<sup>95</sup> but where the preimages can have any desired lengths.},
 
}
 
}
 
</bibtex>
 
</bibtex>

Latest revision as of 09:53, 12 March 2008

1 Specification

  • digest size: 128 bits
  • compression function: 128-bit message block, 7296-bit internal state
  • Specification: RFC1319

2 Cryptanalysis

2.1 Best Known Results


2.2 Generic Attacks


2.3 Collision Attacks

Lars R. Knudsen, John Erik Mathiassen - Preimage and Collision Attacks on MD2

FSE 3557:255-267,2005
http://dx.doi.org/10.1007/11502760_17
Bibtex
Author : Lars R. Knudsen, John Erik Mathiassen
Title : Preimage and Collision Attacks on MD2
In : FSE -
Address :
Date : 2005

2.4 Second Preimage Attacks


2.5 Preimage Attacks

Fr\'ed\'eric Muller - The MD2 Hash Function Is Not One-Way

ASIACRYPT 3329:214-229,2004
http://springerlink.metapress.com/openurl.asp?genre=article{\&}issn=0302-9743{\&}volume=3329{\&}spage=214
Bibtex
Author : Fr\'ed\'eric Muller
Title : The MD2 Hash Function Is Not One-Way
In : ASIACRYPT -
Address :
Date : 2004

2.6 Others

N. Rogier, Pascal Chauvaud - MD2 Is not Secure without the Checksum Byte

Des. Codes Cryptography 12(3):245-251,1997
http://dx.doi.org/10.1023/A:1008220711840
Bibtex
Author : N. Rogier, Pascal Chauvaud
Title : MD2 Is not Secure without the Checksum Byte
In : Des. Codes Cryptography -
Address :
Date : 1997