Abstract
This paper contains several attacks on the hash function MD2 which has a hash code size of 128 bits. At Asiacrypt 2004 Muller presents the first known preimage attack on MD2. The time complexity of the attack is about 2104 and the preimages consist always of 128 blocks. We present a preimage attack of complexity about 297 with the further advantage that the preimages are of variable lengths. Moreover we are always able to find many preimages for one given hash value. Also we introduce many new collisions for the MD2 compression function, which lead to the first known (pseudo) collisions for the full MD2 (including the checksum), but where the initial values differ. Finally we present a pseudo preimage attack of complexity 295 but where the preimages can have any desired lengths.
Chapter PDF
Similar content being viewed by others
Keywords
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.
References
Damgård, I.B.: A design principle for hash functions. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 416–427. Springer, Heidelberg (1990)
Kaliski, B.: The MD2 message-digest algorithm. Request for Comments (RFC) 1319, Internet Activities Board, Internet Privacy Task Force (April 1992), Available from http://www.faqs.org/rfcs/rfc1319.html
Menezes, A.J., van Oorschot, P.C., Vanstone, S.A.: Handbook of Applied Cryptography. CRC Press, Boca Raton (1997)
Merkle, R.C.: One way hash functions and DES. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 428–446. Springer, Heidelberg (1990)
Muller, F.: The MD2 hash function is not one-way. In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 214–229. Springer, Heidelberg (2004)
Rogier, N., Chauvaud, P.: MD2 is not secure without the checksum byte. Designs, Codes and Cryptography 12, 245–251 (1997)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2005 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Knudsen, L.R., Mathiassen, J.E. (2005). Preimage and Collision Attacks on MD2. In: Gilbert, H., Handschuh, H. (eds) Fast Software Encryption. FSE 2005. Lecture Notes in Computer Science, vol 3557. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11502760_17
Download citation
DOI: https://doi.org/10.1007/11502760_17
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-26541-2
Online ISBN: 978-3-540-31669-5
eBook Packages: Computer ScienceComputer Science (R0)