Abstract
This paper considers the hash function MD2 which was developed by Ron Rivest in 1989. Despite its age, MD2 has withstood cryptanalytic attacks until recently. This paper contains the state-of-the-art cryptanalytic results on MD2, in particular collision and preimage attacks on the full hash function, the latter having complexity 2^73, which should be compared to a brute-force attack of complexity 2^128.
Communicated by Bart Preneel
Cite this article
Knudsen, L.R., Mathiassen, J.E., Muller, F. et al. Cryptanalysis of MD2. J Cryptol 23, 72–90 (2010). https://doi.org/10.1007/s00145-009-9054-1
DOI: https://doi.org/10.1007/s00145-009-9054-1