Most cryptographic hash functions rely on a simpler primitive called a compression function, and in nearly all cases there is a reduction between some of the security properties of the full hash function and those of the compression function. For instance, a celebrated result of Merkle and Damgård from 1989 states that a collision on the hash function cannot be found without finding a collision on the compression function at the same time. This is however not the case for another basic requirement, namely second preimage resistance. In fact, on many popular hash functions it is possible to find a second preimage on the iteration without breaking the compression function. This paper studies the resistance of two practical modes of operation of hash functions against such attacks. We prove that the known generic second preimage attacks against the Merkle-Damgård construction are optimal, and that there is no generic second preimage attack faster than exhaustive search on HAIFA, a recent proposal by Biham and Dunkelman.

Keywords: hash functions, modes of operation, second preimage attacks, provable security
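The Merkle-Damgård reduction mentioned above is constructive: given two distinct messages with the same iterated hash, walking the chaining values backwards from the common output always reaches a pair of distinct compression-function inputs with equal outputs. The following is an added example, not code from the paper; it uses a toy compression function (SHA-256 truncated to a 16-bit chaining value, so that hash collisions can be found by a small birthday search) and hypothetical names such as `md_hash` and `extract_compression_collision`. Length padding (MD strengthening) is what guarantees the walk terminates even when the two messages have different lengths.

```python
import hashlib
import struct

BLOCK = 8   # message block size in bytes (toy parameter)
STATE = 2   # chaining-value size in bytes: 16 bits, deliberately tiny so collisions are cheap to find
IV = b"\x00" * STATE


def compress(h, block):
    """Toy compression function (assumption for the demo): SHA-256 of (h || block), truncated to STATE bytes."""
    assert len(h) == STATE and len(block) == BLOCK
    return hashlib.sha256(h + block).digest()[:STATE]


def pad(msg):
    """MD strengthening: append 0x80, zero bytes, then the 64-bit message length so the total is a block multiple."""
    padded = msg + b"\x80"
    while (len(padded) + 8) % BLOCK:
        padded += b"\x00"
    return padded + struct.pack(">Q", len(msg) * 8)


def blocks(msg):
    p = pad(msg)
    return [p[i:i + BLOCK] for i in range(0, len(p), BLOCK)]


def chaining_values(msg):
    """All intermediate states IV = h0, h1, ..., hn for the padded message; hn is the hash."""
    cvs = [IV]
    for b in blocks(msg):
        cvs.append(compress(cvs[-1], b))
    return cvs


def md_hash(msg):
    return chaining_values(msg)[-1]


def find_hash_collision():
    """Birthday search on the 16-bit toy hash (constructed inputs); returns two distinct colliding messages."""
    seen = {}
    i = 0
    while True:
        m = b"msg-%d" % i
        d = md_hash(m)
        if d in seen:
            return seen[d], m
        seen[d] = m
        i += 1


def extract_compression_collision(m1, m2):
    """Merkle-Damgard reduction: from a hash collision (m1 != m2, md_hash(m1) == md_hash(m2))
    derive ((h, b), (h', b')) with (h, b) != (h', b') and compress(h, b) == compress(h', b')."""
    assert m1 != m2 and md_hash(m1) == md_hash(m2)
    b1, b2 = blocks(m1), blocks(m2)
    cv1, cv2 = chaining_values(m1), chaining_values(m2)
    i, j = len(b1), len(b2)
    while True:
        in1 = (cv1[i - 1], b1[i - 1])
        in2 = (cv2[j - 1], b2[j - 1])
        if in1 != in2:
            # outputs are equal by construction (the common hash, or an equal pair found one step later)
            return in1, in2
        # identical inputs gave identical outputs; step back one block on both sides.
        # Different lengths -> different last blocks (length field), so we stop at the first step.
        # Equal lengths with m1 != m2 -> some block differs, so we stop before running out of blocks.
        i -= 1
        j -= 1


if __name__ == "__main__":
    m1, m2 = find_hash_collision()
    (h1, x1), (h2, x2) = extract_compression_collision(m1, m2)
    print("hash collision:", m1, m2, md_hash(m1).hex())
    print("compression collision:", (h1.hex(), x1.hex()), (h2.hex(), x2.hex()),
          compress(h1, x1).hex())
```

The example only demonstrates the collision reduction; it says nothing about second preimages, which is precisely the gap the abstract points out: the same backward walk does not help an attacker who must match one fixed target, and generic second preimage attacks on Merkle-Damgård exploit the iteration itself rather than any weakness in `compress`.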