MD2 is not one way (!?)
Mads Rasmussen
mads at opencs.com.br
Wed Sep 8 16:29:27 EDT 2004
Jason Holt wrote:
> Includes one titled "The MD2 Hash Function is Not One-Way". That's the first
> I've heard about MD2; the other breaks were for md4 and md5. Anyone know
> details?
Actually there was a paper analysing the MD2 algorithms back in 1997: N.
Rogier and P Chauvaud, "MD2 is not secure without the Checksum Byte",
Design, codes and Cryptography, 12(3):245-251 - an early version was
presented at SAC 1995
The abstract of the new paper by Frédéric Muller describing a pre-image
attack, more theoretical than practical although very interesting,
"MD2 is an early hash function developed by Ron Rivest for RSA Security,
that produces message digests of 128 bits. In this paper, we show that
MD2 does not reach the ideal security level of 2^128 . We
describe preimage attacks against the underlying compression function,
the best of which has complexity of 2^73 . As a result, the full MD2
hash can be attacked in preimage with complexity of 2^104"
--
Mads Rasmussen
Open Communications Security
+55 11 3345 2525
http://www.opencs.com.br
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list