Security Analysis of Zipper Hash Against Multicollisions Attacks

In this paper, the existence of multicollisions in Zipper Hash structure, a new Hash structure which was introduced to strengthen the iterated Hash structures, is presented. This study shows that finding multicollisions, i.e. 2kway collision, in this Hash structure is not much harder than finding such multicollisions in ordinary Merkle Damgard (MD) structure. In fact, the complexity of the attacks is approximately n/2 times harder than what has been found for MD structures. Then, these large multicollisions are used as a tool to find D-way preimage for this structure. The complexity of finding 2K-way multicollisions and 2k-way preimages are ( ) ( ) / 2 / 2 1 2 O k n × + × and ( ) / 2 / 2 2 2 2 n n O k n × × + × respectively. Similar to what has been proved by Joux for MD, it is shown in this paper that this structure could not be used to create a Hash function with 2n-bit length by concatenating this structure with any other Hash structure by Hash’s output length of n-bite. It is also shown that time complexity of finding a collision for this concatenated structure is ( ) ( ) 2 / 2 / 2 2 O n × which is much smaller than what was expected from generic-birthday attack which would be ( ) 2 Ω . In addition, it is shown that increasing the number of rounds of this Hash function can not improve its security against this attack significantly and the attacker can find multicollisions on this Hash function which means that this Hash function has a structural flaw. KeywordsZipper Hash Structure; Hash function; multicollision attack; Joux attack; preimage attack; r-way collision


A. Background
In a recent paper by Joux [1], it was shown that there is a k 2 -way collision attack for the classical iterated Hash function based on a compression function, where the attack has a complexity of ( ) . This complexity is much smaller than the complexity for the generalized birthday attack which is ( ) This is the basic idea of Joux's attack.The main strategy of Joux's attack is to first find k successive collisions by performing k successive birthday attacks using a collision finder oracle machine C. The attack works as follows: -Let 0 h be equal to the initial value IV of H.
-For i from 1 to k do: • Call C and find i M and i M ′ such that ( ) ( ) ) -Pad and output the Clearly, the 2 k different messages built as above all reach the same final value.A schematic representation of these 2 k messages together with their common intermediate Hash values is drawn in figure 1.Since birthday attack is a probabilistic attack, there is some positive reason that Joux's attack fails.In following proposition, it is shown that an attacker needs more effort to achieve k-way collision than what has been claimed by Joux.

Proposition 1. The complexity of finding 2 k -way collision in
Joux's attack is ( ) . Proof: Assume that probability of each chain in Joux's attack, shown in figure 1, equals to ε .Hence, the success probability of those messages to lead to collision would be k ε .On the other hand, in ordinary 2 k -way collision birthday attack on an ideal Hash function, for the success probability of 2 1 , the complexity would be . Hence, if one aims to compare the Joux's attack to the ordinary birthday attack, he should improve the Joux's attack in order for the success probability to reach 2 1 . To improve the success probability of Joux's attack the attack may be repeated several times.The success probability for " " repetition of attack, Pr , could be determined as follows: ( ) where for 1 Pr 2 = the value of N should be 2 k-1 .Recall that the complexity of original Joux's attack is ( ) , the total complexity of finding k-way collision following the Joux's attack would be ( ) . Proof has been completed.After introducing this attack, many structure have been proposed to strength iterated structure against this type of attach such Zipper Hash [3], 3C and 3C+ [4,5], SFRH and MFRH [6], WPH and DPH [7], L-pipe [8], etc.Most of these structure have tried to strengthen against multicollision attack.
Among this new Hash structure, in this paper the strength of Zipper Hash [3] against multicollision attack is investigated.

B. Related Work and Contribution
In [9] Lin et.al have presented a multicollision attack for Zipper Hash.However, their attack work when the underling compression functions are weak while there is such assumption on compression function and the adversary has oracle access to compression functions.Hence, this Hash function is analyzed on random oracle model for compression functions and the results are more general in comparison with the results of [9].In addition, it is shown that even if this structure is repaired, the attacker can find multicollision for this Hash function.It means that this Hash function is not suitable for general deployment and it has structural flaw.

C. Paper organization
In this paper an attack for this previously believed secure Hash structure is presented.For this purpose a brief description of Zipper Hash function is given in section 2. Section 3 contains an explanation of the attack for finding multicollision on this structure, whereas section 4 presents a preimage attack for it.In section 5 it is clarified why Zipper Hash could not be used as a primitive for 2n-bit concatenated Hash function.In section 6 it is shown that even if structure is repaired by employing more functions, the attacker can find multicollision on it, which means that it is not suitable for general deployment.Conclusion will be presented in section 7.

II. ZIPPER HASH STRUCTURE
The Zipper Hash structure can be considered as a general Hash function construction.To build an n-bit Hash function, two independent ( ) bit k m − , compression functions 0 f and 1 f are needed.These functions can be seen as Same as all Hash structures, this one needs a padding function P and an initialization vector IV.For function P(x) for input x, it is guaranteed to return a padded value such that P(x) is a string that can be broken down into m-bit length blocks, and for all ( ) ( ) . Moreover it uses a finalization function → . Given all these pieces, the Zipper Hash function works as follows [3] , and l h h ,..., 2 are computed iteratively as ( ) ( ) Since existence of g function is not affecting the attack, in the rest of the paper, without losing generality, it is assumed that output length of functions 0  The Zipper Hash structure.

III. MULTICOLLISION ATTACK ON ZIPPER HASH
Zipper Hash structure was developed as a strengthen structure against multicolission attack.In this section, we show that constructing multicollisions in Zipper Hash function can be done in a efficient way.In particular, constructing

www.etasr.com Bagheri: Security Analysis of Zipper Hash Against Multicollisions Attacks
blocks of padding are identical, the padding process can be ignored and this is the case study in this paper.Moreover, if the intermediate Hash chaining values collide at some point in the Hash computation of two messages, the following values remain equal as soon as the ends of the messages are identical.Thus, on messages of the same length, collisions without the padding clearly lead to collisions with the padding.
Although this attack could be applied for any length of message block and chaining value, for simplicity of proof, it is assumed that the size of the message blocks is bigger than the size of the chaining values.However, the attack can be easily generalized.It is also assumed that one can access two collision finding machines C and ' C .C is a machine that, given as input a chaining value h , outputs two different blocks M and ' 2 n different messages of length 2 n blocks and h as chining value, finds the multiblocks Ψ and ' Ψ among them such that f as compress function and h' as initial value where illustrated in figure 3.
These collision finding machines may use the generic birthday attack or any specific attack based on a weakness of 0 f and 1 f multicollision attack on ordinary MD.The most relevant property is that C and ' C should work properly for all chaining values.It's clear that most of these assumed conditions for the scenario investigated in this paper is similar to what considered in [1].
Fig. 3.The ( ) We now claim that we can generate Assuming that, l is the number of message blocks and is equal to , the attack works as follows: 1 Let 0 h be equal to the initial value IV of Zipper Hash.( )

HASH
In reference [1] Joux puts forward the attack method called k-way which is applicable for finding the second preimage of an output of a Hash function based on the MD structure.For a given Hash target value , at first the attackers find 2 r collisions on r-block messages . Then, to find the block 1 r M + such that ( ) In this way, the attackers succeed in finding 2 r second preimages with the message M.
Obviously, the time complexity of this attack is ( ) .

www.etasr.com Bagheri: Security Analysis of Zipper Hash Against Multicollisions Attacks
For the Hash function based on the Zipper Hash structure, we show that theadversary can find 2 r -way preimage and second preimage with cost of ( ) ( ) ( ) . For this purpose, as mentioned in [3], it is assumed that g function is a identical function.The attack works as follows: 1. Fixed 1 h with some random value.
2. For i from 2 to a.Call C and find i M and i M ′ in such a way that ( ) ( ) ) Find IV in such a way that ( ) Obviously, all k 2 different messages generated in this way lead to value Y as a Hash result.This procedure can be divided in two parts.Fist part of the attack is finding the Hence, the total complexity of the attack equals to the claimed value.
By applying a similar procedure, the adversary can find a r 2 -way second preimage with identical cost of time complexity which is far from ideal value n r Clearly this kind of attack can not be used for the original version of Zipper Hash structure which use prefixed IV value, but it shows that this structure is far from ideal structure.

V. ZIPPER HASH IN 2N-BIT CONCATENATED STRUCTURE
A natural construction to build large Hash values is to concatenate several smaller Hashes.For example, given two Hash functions F and G, it seems reasonable given a message M to form the large Hash value ( ) ( )

( )
F M G M .In this construction, F and G can either be two completely different Hash functions or two slightly different instances of the same Hash function.In [1] Joux has shown that if at least one of these Hash function is a MD iterated Hash function, the complexity of finding a collision for this structure is slightly more than finding collision for one branch and it is equal to ( ) The basic idea in this attack is to find a / 2 2 n -way collision for MD structure and find a collision among this / 2  2 n different messages for the second Hash function.Clearly this collision is applicable to booth branches.A similar attack can be applied to find a collision on the "2n-bit" Hash construction F M G M when one replaces either F or G, namely F, by the Zipper Hash structure.The attack complexity includes the complexity of finding / 2 2 n -way collision on Zipper Hash which is plus the complexity of finding a collision on G which is ( ) . Hence, the total complexity would be ."

VI. INCREASING THE ROUNDS OF THE ZIPPER HASH
Assume that someone tries to protect the Zipper Hash by adding another layer to this structure.Figure 5 has illustrated this modified version of Zipper Hash.In general it is assumed that 2 0 The following theorem shows that this structure is vulnerable to multicollision attack.
To finding multicollision in this new structure we introduce an new oracle machine C′′ which is such a one that given 2 / 2 n different messages of length ( ) 2 n messages of form ( ) ,..., n ψ ψ where j ψ will be one of the two multi blocks j Ψ or j ′ Ψ , and h′ as the chining value, to find the multiblock ϒ and ′ ϒ among them such that ( ) ( ) F h′ ϒ is ordinary compressed value of ϒ by applying 2 f as compress function and h′ as initial value.These collision finding machines may use the generic birthday attack or any specific attack based on a weakness of 2 f .The most relevant property is that C′′ should work properly for nay chaining values.

www.etasr.com Bagheri: Security Analysis of Zipper Hash Against Multicollisions Attacks
We now claim that we can generate 2 k equal collision by only 1 Let 0 h be equal to the initial value IV of Zipper Hash.

VII. CONCLUSION
In this paper, it is shown that multicollisions in Zipper Hash structure are not much harder to find than finding multicollisions in the MD one.It is also shown that finding 2 rway preimages and second preimages on this structure are not really harder to find than ordinary preimages and second preimages.Another important result is the fact that Zipper Hash structure can not be used as a building block for creating 2n-bit concatenated Hash structure because of its strength against collision which is much less than the ideal one.The study shows that although this structure is slightly more secure than iterated Hash function, it is really far from an ideal Hash function.It is shown that modifying the Zipper Hash by an extra round can not make it resistant to this attack.Finally, it is shown that in oracle model of compression function, the extended Zipper Hash to "i" rounds, for
the Zipper Hash construction.
as much as building multicollisions in ordinary MD structure.If collisions between messages of the same length are considered, the × calls to the C oracle machine and ( ) k O calls to C′ oracle machine which is much less than what we expected from birthday paradox
part, described in steps 5 and 6, is related to finding two preimages to guarantee the successes of the attack with cost n 2 2 × .
calls to C′ oracle machine and ( ) O k calls to C′ oracle machine which is much less than what we expected from birthday paradox

(
This approach can be easily extended to Zipper Hash with extra rounds.In similar way, it can be shown that the complexity of finding 2 k -way collision in Zipper Hash with I This means that, in oracle model of compression function, the extended Zipper Hash to "i" rounds, for