
In the Davies–Meyer hash construction scheme, each block is XORed with the previous block cipher text. Why? The only obvious flaw I see in a scheme without this XOR is the possibility of reconstructing a hash for the head of a message if the tail is known. Is it the only flaw, or does it also prevent other attacks?

ZAB
    It enables a meet-in-the-middle attack, reducing pre-image resistance. Keccak suffers from this attack, which is why its preimage resistance is only half the capacity. – CodesInChaos Dec 19 '14 at 09:24
  • It can't be used for a meet-in-the-middle attack if the key length of the block cipher is big enough. – ZAB Dec 21 '14 at 18:05
  • I don't get your point. The cost of the MitM depends on the size of the chaining value (block size of the cipher) and works if the message consists of two blocks (where the block size of the hash function is the key size of the underlying blockcipher). To avoid the attack you need to have a chaining value which is at least twice the size of the desired pre-image resistance. – CodesInChaos Dec 21 '14 at 18:08
  • It works for 2DES for example because the DES key is small. If the key length is N bits long then you will need to have 2^N memory to make an association in the middle between the forward and backward steps. I can't see how you can accomplish a preimage attack if you are using AES as a building block in the Davies–Meyer scheme without the XOR. – ZAB Dec 21 '14 at 18:14
  • The key size does not affect the cost of the MitM attack against a Davies-Meyer without Feed-Forward hash. It's the block size that determines the attack. A naive MitM against AES-256 in DM without FF would cost 2^64 memory and 2^64 AES invocations (parallelizable). But I believe the standard memory reduction techniques (distinguished points, cycle finding,...) apply, so the memory use should be much lower – CodesInChaos Dec 21 '14 at 18:21
  • How so? If you are using DM over AES256 and have a message 256 bits long you will need only one step, and yet without the XOR you will not be able to accomplish an attack because of AES's resistance to plaintext attacks. How is MitM helpful here? – ZAB Dec 21 '14 at 18:25
  • The MitM attack only works if the message consists of at least two blocks. You start with the initial state and call the encrypt function with 2^64 messages, and you start with the desired hash and apply the decrypt function about 2^64 times. Once you get the same value out of both directions, you have met in the middle and completed your preimage attack. 2) Using DM with AES is a bad idea since it allows attacker-controlled keys, something AES does not handle well. – CodesInChaos Dec 21 '14 at 18:29
  • Are you familiar with DM? Are we talking about the same thing? In DM the block cipher is fed with a known constant and the message is used as the key. Basically DM will be like AES256_message(0) ^ 0. How would your MitM attack look? – ZAB Dec 21 '14 at 18:33
  • I'm talking about a DM compression function in an iterated hash like the Merkle-Damgard construction. If the message is limited to a single block, then the MitM does not apply. And DM in MD doesn't xor with a constant, it xors with the chaining state. The chaining state is only a constant for the first block. – CodesInChaos Dec 21 '14 at 18:35
  • I've given you an example. We have a small message and we are using DM over AES256. If your attack fails even on this small message, it will not work for a longer one. – ZAB Dec 21 '14 at 18:38
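The attack CodesInChaos describes in the comments, as an added example that is not part of the original question or thread: a two-block iterated hash built from a toy 16-bit Feistel block cipher, once as `h_i = E_{m_i}(h_{i-1})` (the variant without the XOR that the question asks about) and once as real Davies–Meyer `h_i = E_{m_i}(h_{i-1}) XOR h_{i-1}`. Without the feed-forward, the compression function is invertible in the chaining value (just decrypt), so a preimage for a two-block message costs about 2 * 2^(n/2) cipher calls instead of 2^n, where n is the block size; the key size (32 bits here, larger than the block) plays no role, which is the point made in the thread. With the feed-forward, `h_{i-1}` appears on both sides and the backward step degenerates to a 2^n brute force, so the MitM gains nothing. The cipher, its round function, the block/key sizes and the IV are all made up for this example and are not a real cipher.

```python
"""Toy Davies-Meyer with and without feed-forward, plus the MitM preimage
attack on the variant without it.  Everything here (cipher, sizes, IV) is an
assumption chosen so the attack finishes in well under a second."""

BLOCK_BITS = 16                     # n: chaining value / cipher block size
KEY_BITS = 32                       # message block = cipher key, larger than n
ROUNDS = 6
IV = 0x5A5A                         # arbitrary public constant (assumed)


def _round_fn(half: int, subkey: int) -> int:
    """Cheap non-linear 8-bit round function (toy, not a real cipher)."""
    x = (half ^ subkey) & 0xFF
    x = (x * 0x9D + 0x3B) & 0xFF
    x ^= x >> 3
    x = (x * 0x5B) & 0xFF
    x ^= x >> 4
    return x


def _subkeys(key: int) -> list:
    """Derive ROUNDS 8-bit subkeys from the 32-bit key with some mixing."""
    ks, k = [], key & 0xFFFFFFFF
    for i in range(ROUNDS):
        k = ((k ^ (k >> 13)) * 0x2545F491 + i) & 0xFFFFFFFF
        ks.append(k >> 24)
    return ks


def encrypt(key: int, block: int) -> int:
    """16-bit Feistel encryption E_key(block)."""
    l, r = block >> 8, block & 0xFF
    for sk in _subkeys(key):
        l, r = r, l ^ _round_fn(r, sk)
    return (l << 8) | r


def decrypt(key: int, block: int) -> int:
    """Inverse of encrypt: D_key(block)."""
    l, r = block >> 8, block & 0xFF
    for sk in reversed(_subkeys(key)):
        l, r = r ^ _round_fn(l, sk), l
    return (l << 8) | r


def dm_no_ff(blocks) -> int:
    """h_i = E_{m_i}(h_{i-1}): the XOR-less variant from the question."""
    h = IV
    for m in blocks:
        h = encrypt(m, h)
    return h


def dm_ff(blocks) -> int:
    """Real Davies-Meyer: h_i = E_{m_i}(h_{i-1}) XOR h_{i-1}."""
    h = IV
    for m in blocks:
        h = encrypt(m, h) ^ h
    return h


def mitm_preimage(target: int, side_bits: int = BLOCK_BITS // 2 + 3):
    """Two-block preimage for dm_no_ff: forward table of E_{m1}(IV) over 2^side_bits
    keys, then walk D_{m2}(target) until it hits the table.  Expected matches
    ~ 2^(2*side_bits - n); returns (m1, m2, cipher_calls) or None."""
    n = 1 << side_bits
    forward = {}
    for m1 in range(n):
        forward.setdefault(encrypt(m1, IV), m1)      # first key per value
    for m2 in range(n):
        mid = decrypt(m2, target)                    # backward step: just decrypt
        if mid in forward:
            return forward[mid], m2, n + m2 + 1
    return None


def invert_ff_block(m: int, h_out: int) -> list:
    """With feed-forward there is no decrypt-style backward step: the only way
    to recover h_prev from (m, h_out) is to try all 2^n chaining values."""
    return [h for h in range(1 << BLOCK_BITS) if (encrypt(m, h) ^ h) == h_out]


if __name__ == "__main__":
    target = dm_no_ff([0xDEADBEEF, 0x01234567])
    m1, m2, calls = mitm_preimage(target)
    print(f"preimage m1={m1:#x} m2={m2:#x} after {calls} cipher calls "
          f"(generic bound 2^{BLOCK_BITS} = {1 << BLOCK_BITS})")
    assert dm_no_ff([m1, m2]) == target
    print("feed-forward inversion candidates:",
          len(invert_ff_block(0x1234, dm_ff([0x1234]))),
          f"found only after {1 << BLOCK_BITS} encryptions")
```

The forward table is sized 2^(n/2 + 3) only so that the toy run finds a match on the first try; the textbook balance is 2^(n/2) on each side, and the memory for the table can be traded away with the distinguished-point and cycle-finding techniques mentioned in the thread. Note that `mitm_preimage` never calls `_round_fn` in reverse or touches the key schedule: the attack is purely a consequence of the compression function being a permutation of the chaining value for every message block.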