We study collision-finding against Merkle-Damgård hashing in the random-oracle model by adversaries with an arbitrary $S$-bit auxiliary advice input about the random oracle and $T$ queries. Recent work showed that such adversaries can find collisions (with respect to a random IV) with advantage $\Omega(ST^2/2^n)$, where $n$ is the output length, beating the birthday bound by a factor of $S$. These attacks were shown to be optimal. We observe that the collisions produced are very long, on the order of $T$ blocks, which would limit their practical relevance. We prove several results related to improving these attacks to find shorter collisions. We first exhibit a simple attack for finding $B$-block-long collisions achieving advantage $\Omega(STB/2^n)$. We then study whether this attack is optimal. We show that the prior technique based on the bit-fixing model (used for the $ST^2/2^n$ bound) provably cannot reach this bound, and towards a general result we prove there are qualitative jumps in the optimal attacks for finding length-1, length-2, and unbounded-length collisions. Namely, the optimal attacks achieve (up to logarithmic factors) advantage on the order of $(S+T)/2^n$, $ST/2^n$ and $ST^2/2^n$ respectively. We also give an upper bound on the advantage of a restricted class of short-collision-finding attacks via a new analysis of the growth of trees in random functional graphs that may be of independent interest.
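The abstract only states the parameters ($S$-word advice, $T$ online queries, collision length bound $B$) and the resulting advantage, not the attack itself. The following is an added toy simulation, not code from the paper, that models those parameters with the standard chain-based precomputation attack: the offline phase stores $S$ endpoints of $(B-1)$-step walks under a fixed message block, each paired with a one-block collision at that endpoint, and the online phase spends its $T$ queries on fresh walks from the random IV, hoping to run into a stored endpoint within $B-1$ steps. The $n=16$-bit oracle, the seed, and the function names (Oracle, preprocess, online, birthday, experiment) are my own choices; whether this matches the paper's exact construction or constants is an assumption, since neither appears on this page. The birthday baseline at the same query budget is included for comparison.

```python
"""Toy auxiliary-input collision attack on Merkle-Damgard hashing.
Illustrative reconstruction of the generic chain-based preprocessing
attack (assumption: not the paper's own construction or constants).
The compression function is a fixed pseudorandom oracle on n=16 bits."""
import hashlib
import random

N_BITS = 16          # toy chaining-value length n
N = 1 << N_BITS      # number of chaining values, 2**n


class Oracle:
    """h(x, m) -> n-bit value fixed by a seed, so the advice is about one
    specific oracle. Queries are counted so the online phase can be charged T."""

    def __init__(self, seed):
        self.seed = seed
        self.queries = 0

    def h(self, x, m):
        self.queries += 1
        data = self.seed + x.to_bytes(2, "big") + m.to_bytes(4, "big")
        return int.from_bytes(hashlib.sha256(data).digest()[:2], "big")


def md_hash(oracle, iv, blocks):
    """Plain Merkle-Damgard iteration from iv over a list of message blocks."""
    c = iv
    for m in blocks:
        c = oracle.h(c, m)
    return c


def is_collision(oracle, iv, pair):
    m1, m2 = pair
    return m1 != m2 and md_hash(oracle, iv, m1) == md_hash(oracle, iv, m2)


def preprocess(oracle, S, B, rng):
    """Offline phase, unbounded queries. From each of S random starts, walk
    B-1 steps under block 0 to an endpoint z and find a one-block collision
    at z. Advice = {z: (m, m')}, S entries of O(n) bits. Endpoints of random
    walks are biased towards nodes with large in-trees in the functional
    graph of x -> h(x, 0), which is what a fresh online walk runs into."""
    advice = {}
    while len(advice) < S:
        z = rng.randrange(N)
        for _ in range(B - 1):
            z = oracle.h(z, 0)
        seen = {}
        m = 1                       # block 0 is reserved for the walk
        while True:                 # birthday search for h(z, m) == h(z, m')
            y = oracle.h(z, m)
            if y in seen:
                advice[z] = (seen[y], m)
                break
            seen[y] = m
            m += 1
    return advice


def online(oracle, advice, iv, T, B, rng):
    """Online phase, at most T queries. Each trial picks a random first block
    r, then walks under block 0, checking every chaining value against the
    advice. A hit after k <= B-1 blocks yields two colliding messages of
    k+1 <= B blocks. One trial costs at most B-1 queries."""
    start = oracle.queries
    while oracle.queries - start + (B - 1) <= T:
        r = rng.randrange(N)
        prefix = [r]
        c = oracle.h(iv, r)
        while True:
            if c in advice:
                m1, m2 = advice[c]
                return prefix + [m1], prefix + [m2]
            if len(prefix) == B - 1:
                break
            c = oracle.h(c, 0)
            prefix.append(0)
    return None


def birthday(oracle, iv, T):
    """Baseline without advice: T one-block queries, success about T^2/2N."""
    seen = {}
    for m in range(1, T + 1):
        y = oracle.h(iv, m)
        if y in seen:
            return [seen[y]], [m]
        seen[y] = m
    return None


def experiment(S=64, B=16, T=64, ivs=300, seed=b"toy-oracle"):
    """Success rates over random IVs (constructed, deterministic seed).
    Also reports the longest collision found (never above B) and whether
    every returned pair verified and stayed within the query budget."""
    oracle = Oracle(seed)
    rng = random.Random(2020)
    advice = preprocess(oracle, S, B, rng)
    hits = base_hits = max_len = 0
    valid = True
    for _ in range(ivs):
        iv = rng.randrange(N)
        oracle.queries = 0
        res = online(oracle, advice, iv, T, B, rng)
        valid &= oracle.queries <= T
        if res is not None:
            valid &= is_collision(oracle, iv, res)
            hits += 1
            max_len = max(max_len, len(res[0]))
        oracle.queries = 0
        res = birthday(oracle, iv, T)
        valid &= oracle.queries <= T
        if res is not None:
            valid &= is_collision(oracle, iv, res)
            base_hits += 1
    return {"advice_rate": hits / ivs, "birthday_rate": base_hits / ivs,
            "max_len": max_len, "valid": valid}


if __name__ == "__main__":
    print(experiment())
```

With the default parameters ($N = 2^{16}$, $S = 64$, $B = 16$, $T = 64$) the birthday baseline succeeds on roughly $T^2/2N \approx 3\%$ of IVs, while the advice attack succeeds far more often and never outputs more than $B$ blocks. The heuristic behind the extra factor of $B$ is the one the abstract points at with "growth of trees in random functional graphs": each stored endpoint is reached within $B-1$ steps not only from its own chain but from the whole depth-$(B-1)$ in-tree hanging off it, and the in-tree of the endpoint of a random walk is size-biased, so its expected size grows faster than $B$; each trial then hits with probability well above $S(B-1)/2^n$, and $T/B$ trials are affordable. The simulation does not reproduce the paper's bounds, only the shape of the trade-off.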
Akshima, Cash, D., Drucker, A., & Wee, H. (2020). Time-space tradeoffs and short collisions in Merkle-Damgård hash functions. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 12170 LNCS, pp. 157–186). Springer. https://doi.org/10.1007/978-3-030-56784-2_6