Hard and easy components of collision search in the Źemor-tillich hash function: New attacks and reduced variants with equivalent security

Christophe Petit; Jean Jacques Quisquater; Jean Pierre Tillich; Gilles Źemor

doi:10.1007/978-3-642-00862-7_12

Hard and easy components of collision search in the Źemor-tillich hash function: New attacks and reduced variants with equivalent security

Christophe Petit^*, Jean Jacques Quisquater, Jean Pierre Tillich, Gilles Źemor

^*Corresponding author for this work

Computer Science

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

The Zémor-Tillich hash function has remained unbroken since its introduction at CRYPTO'94.We present the first generic collision and preimage attacks against this function, in the sense that the attacks work for any parameters of the function. Their complexity is the cubic root of the birthday bound; for the parameters initially suggested by Tillich and Zémor they are very close to being practical. Our attacks exploit a separation of the collision problem into an easy and a hard component. We subsequently present two variants of the Zémor-Tillich hash function with essentially the same collision resistance but reduced outputs of 2n and n bits instead of the original 3n bits. Our second variant keeps only the hard component of the collision problem; for well-chosen parameters the best collision attack on it is the birthday attack.

Original language	English
Title of host publication	Topics in Cryptology - CT-RSA 2009 - The Cryptographers' Track at the RSA Conference 2009, Proceedings
Publisher	Springer Verlag
Pages	182-194
Number of pages	13
ISBN (Print)	9783642008610
DOIs	https://doi.org/10.1007/978-3-642-00862-7_12
Publication status	Published - 2009
Event	Cryptographers' Track at the RSA Conference, CT-RSA 2009 - San Francisco, CA, United States Duration: 20 Apr 2009 → 24 Apr 2009

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	5473
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	Cryptographers' Track at the RSA Conference, CT-RSA 2009
Country/Territory	United States
City	San Francisco, CA
Period	20/04/09 → 24/04/09

ASJC Scopus subject areas

Theoretical Computer Science
General Computer Science

Access to Document

10.1007/978-3-642-00862-7_12

Cite this

Petit, C., Quisquater, J. J., Tillich, J. P., & Źemor, G. (2009). Hard and easy components of collision search in the Źemor-tillich hash function: New attacks and reduced variants with equivalent security. In Topics in Cryptology - CT-RSA 2009 - The Cryptographers' Track at the RSA Conference 2009, Proceedings (pp. 182-194). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 5473). Springer Verlag. https://doi.org/10.1007/978-3-642-00862-7_12

Petit, Christophe ; Quisquater, Jean Jacques ; Tillich, Jean Pierre et al. / Hard and easy components of collision search in the Źemor-tillich hash function : New attacks and reduced variants with equivalent security. Topics in Cryptology - CT-RSA 2009 - The Cryptographers' Track at the RSA Conference 2009, Proceedings. Springer Verlag, 2009. pp. 182-194 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{b73e11e6097448de94ebd4eb3c1032d0,

title = "Hard and easy components of collision search in the {\'Z}emor-tillich hash function: New attacks and reduced variants with equivalent security",

abstract = "The Z{\'e}mor-Tillich hash function has remained unbroken since its introduction at CRYPTO'94.We present the first generic collision and preimage attacks against this function, in the sense that the attacks work for any parameters of the function. Their complexity is the cubic root of the birthday bound; for the parameters initially suggested by Tillich and Z{\'e}mor they are very close to being practical. Our attacks exploit a separation of the collision problem into an easy and a hard component. We subsequently present two variants of the Z{\'e}mor-Tillich hash function with essentially the same collision resistance but reduced outputs of 2n and n bits instead of the original 3n bits. Our second variant keeps only the hard component of the collision problem; for well-chosen parameters the best collision attack on it is the birthday attack.",

author = "Christophe Petit and Quisquater, {Jean Jacques} and Tillich, {Jean Pierre} and Gilles {\'Z}emor",

year = "2009",

doi = "10.1007/978-3-642-00862-7_12",

language = "English",

isbn = "9783642008610",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer Verlag",

pages = "182--194",

booktitle = "Topics in Cryptology - CT-RSA 2009 - The Cryptographers' Track at the RSA Conference 2009, Proceedings",

note = "Cryptographers' Track at the RSA Conference, CT-RSA 2009 ; Conference date: 20-04-2009 Through 24-04-2009",

}

Petit, C, Quisquater, JJ, Tillich, JP & Źemor, G 2009, Hard and easy components of collision search in the Źemor-tillich hash function: New attacks and reduced variants with equivalent security. in Topics in Cryptology - CT-RSA 2009 - The Cryptographers' Track at the RSA Conference 2009, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 5473, Springer Verlag, pp. 182-194, Cryptographers' Track at the RSA Conference, CT-RSA 2009, San Francisco, CA, United States, 20/04/09. https://doi.org/10.1007/978-3-642-00862-7_12

Hard and easy components of collision search in the Źemor-tillich hash function: New attacks and reduced variants with equivalent security. / Petit, Christophe; Quisquater, Jean Jacques; Tillich, Jean Pierre et al.
Topics in Cryptology - CT-RSA 2009 - The Cryptographers' Track at the RSA Conference 2009, Proceedings. Springer Verlag, 2009. p. 182-194 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 5473).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - Hard and easy components of collision search in the Źemor-tillich hash function

T2 - Cryptographers' Track at the RSA Conference, CT-RSA 2009

AU - Petit, Christophe

AU - Quisquater, Jean Jacques

AU - Tillich, Jean Pierre

AU - Źemor, Gilles

PY - 2009

Y1 - 2009

N2 - The Zémor-Tillich hash function has remained unbroken since its introduction at CRYPTO'94.We present the first generic collision and preimage attacks against this function, in the sense that the attacks work for any parameters of the function. Their complexity is the cubic root of the birthday bound; for the parameters initially suggested by Tillich and Zémor they are very close to being practical. Our attacks exploit a separation of the collision problem into an easy and a hard component. We subsequently present two variants of the Zémor-Tillich hash function with essentially the same collision resistance but reduced outputs of 2n and n bits instead of the original 3n bits. Our second variant keeps only the hard component of the collision problem; for well-chosen parameters the best collision attack on it is the birthday attack.

AB - The Zémor-Tillich hash function has remained unbroken since its introduction at CRYPTO'94.We present the first generic collision and preimage attacks against this function, in the sense that the attacks work for any parameters of the function. Their complexity is the cubic root of the birthday bound; for the parameters initially suggested by Tillich and Zémor they are very close to being practical. Our attacks exploit a separation of the collision problem into an easy and a hard component. We subsequently present two variants of the Zémor-Tillich hash function with essentially the same collision resistance but reduced outputs of 2n and n bits instead of the original 3n bits. Our second variant keeps only the hard component of the collision problem; for well-chosen parameters the best collision attack on it is the birthday attack.

UR - http://www.scopus.com/inward/record.url?scp=67650168932&partnerID=8YFLogxK

U2 - 10.1007/978-3-642-00862-7_12

DO - 10.1007/978-3-642-00862-7_12

M3 - Conference contribution

AN - SCOPUS:67650168932

SN - 9783642008610

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 182

EP - 194

BT - Topics in Cryptology - CT-RSA 2009 - The Cryptographers' Track at the RSA Conference 2009, Proceedings

PB - Springer Verlag

Y2 - 20 April 2009 through 24 April 2009

ER -

Petit C, Quisquater JJ, Tillich JP, Źemor G. Hard and easy components of collision search in the Źemor-tillich hash function: New attacks and reduced variants with equivalent security. In Topics in Cryptology - CT-RSA 2009 - The Cryptographers' Track at the RSA Conference 2009, Proceedings. Springer Verlag. 2009. p. 182-194. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-642-00862-7_12

Hard and easy components of collision search in the Źemor-tillich hash function: New attacks and reduced variants with equivalent security

Abstract

Publication series

Conference

ASJC Scopus subject areas

Access to Document

Fingerprint

Cite this