Dithered hash functions were proposed by Rivest as a method to mitigate second preimage attacks on Merkle-Damgard hash functions. Despite that, second preimage attacks against dithered hash functions were proposed by Andreeva et al. One issue with these second preimage attacks is their huge memory requirement in the precomputation and the online phases. In this paper, we present new second preimage attacks on the dithered Merkle-Damgard construction. These attacks consume significantly less memory in the online phase (with a negligible increase in the online time complexity) than previous attacks. For example, in the case of MD5 with the Keranen sequence, we reduce the memory complexity from about 2^51 blocks to about 2^26.7 blocks (about 545 MB). We also present an essentially memoryless variant of Andreeva et al. attack. In case of MD5-Keranen or SHA1-Keranen, the offline and online memory complexity is 2^15.2 message blocks (about 188–235 KB), at the expense of increasing the offline time complexity.

Annual ACM Symposium on Applied Computing

Barham, M., Dunkelman, O., Lucks, S., & Stevens, M. (2016). New Second Preimage Attacks on Dithered Hash Functions with Low Memory Complexity. In Lecture Notes in Computer Science (pp. 247–263). doi:10.1007/978-3-319-69453-5_14