Generalized iterated hash fuctions revisited: New complexity bounds for multicollision attacks

Abstract

We study the complexity of multicollision attacks on generalized iterated hash functions. In 2004 A. Joux showed that the size of a multicollision on any iterated hash function can be increased exponentially while the amount of work (or, equivalently, the length of the collision messages) grows only linearly. In Joux's considerations it was essential that each message block was used only once when computing the hash value. In 2005 M. Nandi and D. Stinson generalized Joux's method to iterated hash functions where each message block could be employed at most twice and in an arbitrary order. In the following year J. Hoch and A. Shamir further extended Joux's ideas, this time to so called ICE hash functions that scan the input message any fixed number of times in an arbitrary order. It was proved that by increasing the work polynomially, exponentially large multicollision sets could be created. The informal attack algorithm of Hoch and Shamir was more rigorously described in [8] where also the amount of work of the attack algorithm (and, as well, the length of the multicollision messages) was more precisely evaluated. In [10] new combinatorial results were proved which allowed a considerably more efficient collision set construction. In this paper we introduce a new set of tools for the combinatorial analysis of long words in which the number of occurrences of any symbol is restricted by a fixed constant. By applying these tools we are able to further shorten the length of the collison messages in an any fixed size collision set leading to a good deal smaller attack complexity. Finally, we study the structure of efficient rules for compression in bounded generalized iterated hash functions (called ICE hash functions in [4]). © Springer-Verlag 2012.