Has there ever been a hash function that was actually used in the field, no matter how long ago, for which there is now a feasible preimage attack?

All hashes that are nowadays considered 'broken' (such as MD5 and MD4 and older, and to some extent also SHA-1) are only susceptible to collision attacks, i.e. generating two arbitrary chunks of data with the same hash.

I'm wondering if a successful preimage attack has ever been found for any hash algorithm? And I mean either kind of preimage attack:

  • Regular, i.e. given a hash output H, being able to generate some data X so hash(X) = H
  • Secondary, i.e. given data X, being able to generate some other data Y so hash(X) = hash(Y)

And with 'feasible' I mean it can be done on a reasonably powerful cluster of fast computers (with fast GPUs) within reasonable time (e.g. 6 months).

RocketNuts

2 Answers

Any hash function? Yes, certainly. In fact, most hash functions are not even designed to be resistant to preimage attacks. This includes CRCs and standard checksums like Fletcher. Creating preimages with them is trivial. The oldest popular hash algorithm is MD2 which has a preimage attack with a complexity of 2^73 and a memory requirement of 2^73 memory blocks. The complexity is low enough that modern technology could achieve the preimage, but memory requirements make it impractical.

There have certainly been older hashes that have not gained traction which were intended to be cryptographically secure but which ended up exhibiting preimage attacks. For example, there is a 2^33 operation second preimage attack on the very old 3-pass Snefru hash function.

If you want a more specific answer, you'll need to narrow down what kinds of hash functions you are talking about. I could give you a dozen old or experimental hashes that were either dropped or underwent tweaks which were vulnerable to practical preimage attacks. I could also list every non-cryptographic hash I know of, but I have a feeling you aren't asking for a list of standard checksums.

forest
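The answer above says that creating preimages for CRCs is trivial. The following is an added example (not part of the original answer) that shows why for CRC-32: the checksum is linear over GF(2), so the register can be run backwards and four chosen trailing bytes steer it to any 32-bit value. It reimplements the standard reflected CRC-32 (polynomial 0xEDB88320, the variant zlib uses) rather than calling into a library, because the reverse step needs the internal table. Both kinds of preimage from the question are covered: a first preimage for an arbitrary target and a second preimage for given data. The sample message is constructed.

```python
"""CRC-32 is not preimage resistant: forcing any target value with 4 bytes."""
import zlib

POLY = 0xEDB88320  # reflected CRC-32 polynomial (zlib / PKZIP / Ethernet)

# Forward table: TABLE[n] is the register contribution of input byte n.
TABLE = []
for n in range(256):
    c = n
    for _ in range(8):
        c = (c >> 1) ^ POLY if c & 1 else c >> 1
    TABLE.append(c)

# The top byte of every TABLE entry is distinct, so the top byte of the
# register after one step identifies which table entry produced it.
REVERSE = {entry >> 24: n for n, entry in enumerate(TABLE)}
assert len(REVERSE) == 256


def _register(reg: int, data: bytes) -> int:
    """Clock the CRC register over data (no final inversion)."""
    for b in data:
        reg = TABLE[(reg ^ b) & 0xFF] ^ (reg >> 8)
    return reg


def crc32(data: bytes) -> int:
    """Standard CRC-32, same values as zlib.crc32."""
    return _register(0xFFFFFFFF, data) ^ 0xFFFFFFFF


def force_crc32(prefix: bytes, target: int) -> bytes:
    """Return prefix + 4 bytes such that crc32(result) == target."""
    want = target ^ 0xFFFFFFFF  # register value that yields target after inversion

    # Step 1: walk the last four updates backwards. Each step recovers the
    # table index that was used and the top 24 bits of the previous register.
    indices = []
    r = want
    for _ in range(4):
        n = REVERSE[r >> 24]
        indices.append(n)
        r = ((r ^ TABLE[n]) << 8) & 0xFFFFFFFF  # previous register, low byte unknown
    indices.reverse()

    # Step 2: walk forwards from the real register state after the prefix.
    # The low byte of each intermediate register is now known, which fixes
    # the patch byte: index = (register ^ byte) & 0xFF.
    reg = _register(0xFFFFFFFF, prefix)
    patch = bytearray()
    for n in indices:
        patch.append((reg ^ n) & 0xFF)
        reg = TABLE[n] ^ (reg >> 8)
    assert reg == want
    return prefix + bytes(patch)


def preimage(target: int) -> bytes:
    """First preimage: some X with crc32(X) == target (4 bytes suffice)."""
    return force_crc32(b"", target)


def second_preimage(x: bytes) -> bytes:
    """Second preimage: Y != X with crc32(Y) == crc32(X)."""
    # The extra byte guarantees Y differs from X; the patch fixes the checksum.
    return force_crc32(x + b"\x00", crc32(x))


if __name__ == "__main__":
    msg = b"constructed sample message"  # constructed input, not real data
    assert crc32(msg) == zlib.crc32(msg)
    x = preimage(0xDEADBEEF)
    print("preimage:", x.hex(), "->", hex(zlib.crc32(x)))
    y = second_preimage(msg)
    print("second preimage differs:", y != msg,
          "same CRC:", zlib.crc32(y) == zlib.crc32(msg))
```

Because 32 bits of freedom are enough to hit any 32-bit target, the work is constant regardless of message length; this is the sense in which such checksums offer no preimage resistance at all, as opposed to merely a weakened one.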
TEA was used in the Xbox and was so weak that it allowed the Xbox hackers to alter the code and still get the same hash:

https://web.archive.org/web/20090416175601/http://www.xbox-linux.org/wiki/17_Mistakes_Microsoft_Made_in_the_Xbox_Security_System

If you flip both bit 16 and 31 of a 32-bit word, the hash will be the same. We could easily patch a jump in the second bootloader so that it would not be recognized. This modified jump led us directly into flash memory.

Bernhard M.
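The weakness behind this answer is that TEA has equivalent keys: flipping the most significant bit of both k0 and k1 (or of both k2 and k3) leaves every round unchanged, because the two flipped bits meet in an XOR and cancel. A block cipher with equivalent keys cannot be used as a hash in Davies-Meyer mode, where the message block is the key, since any equivalent-key variant of a block is a second preimage. The following is an added example, not the Xbox hash or code from the linked article: it implements TEA and a toy Davies-Meyer hash over 128-bit blocks (the IV, padding and little-endian word layout are assumptions of this example), and shows that the general MSB-pair flip produces a different message with an identical digest. The exact bit positions quoted above depend on the Xbox's own construction and are not reproduced here. The sample message is constructed.

```python
"""Why TEA in Davies-Meyer mode gives trivial second preimages."""
import struct

MASK32 = 0xFFFFFFFF
DELTA = 0x9E3779B9
IV = (0x01234567, 0x89ABCDEF)  # assumed IV for the toy hash


def tea_encrypt(v0: int, v1: int, key: tuple, rounds: int = 32) -> tuple:
    """Standard TEA block encryption (64-bit block, 128-bit key as 4 words)."""
    k0, k1, k2, k3 = key
    s = 0
    for _ in range(rounds):
        s = (s + DELTA) & MASK32
        # Each +k term sits inside an XOR; adding 2^31 to k0 and k1 flips
        # only bit 31 of the two outer terms, and the two flips cancel.
        v0 = (v0 + ((((v1 << 4) & MASK32) + k0) ^ (v1 + s) ^ ((v1 >> 5) + k1))) & MASK32
        v1 = (v1 + ((((v0 << 4) & MASK32) + k2) ^ (v0 + s) ^ ((v0 >> 5) + k3))) & MASK32
    return v0, v1


def _pad(data: bytes) -> bytes:
    """Merkle-Damgard style padding: 0x80, zeros, 8-byte length (assumed scheme)."""
    padded = data + b"\x80"
    padded += b"\x00" * ((-len(padded) - 8) % 16)
    return padded + struct.pack("<Q", len(data))


def tea_dm_hash(data: bytes) -> bytes:
    """Toy Davies-Meyer hash: H_i = E_{M_i}(H_{i-1}) XOR H_{i-1}."""
    h0, h1 = IV
    padded = _pad(data)
    for off in range(0, len(padded), 16):
        key = struct.unpack("<4I", padded[off:off + 16])  # message block is the key
        e0, e1 = tea_encrypt(h0, h1, key)
        h0, h1 = h0 ^ e0, h1 ^ e1
    return struct.pack("<2I", h0, h1)


def equivalent_message(data: bytes) -> bytes:
    """Return a different message with the same tea_dm_hash.

    Flips the MSB of key words k0 and k1 of the first block, i.e. bit 7 of
    bytes 3 and 7 in little-endian layout. Requires at least 8 bytes so the
    flipped bytes lie inside the message rather than the padding.
    """
    if len(data) < 8:
        raise ValueError("need at least 8 bytes of message")
    out = bytearray(data)
    out[3] ^= 0x80
    out[7] ^= 0x80
    return bytes(out)


def flipping_only_one_word_changes_hash(data: bytes) -> bool:
    """Control: flipping the MSB of k0 alone does change the digest."""
    out = bytearray(data)
    out[3] ^= 0x80
    return tea_dm_hash(bytes(out)) != tea_dm_hash(data)


if __name__ == "__main__":
    msg = b"constructed firmware image bytes"  # constructed input
    alt = equivalent_message(msg)
    print("messages differ:", alt != msg)
    print("digests equal:  ", tea_dm_hash(alt) == tea_dm_hash(msg))
    print("single flip differs:", flipping_only_one_word_changes_hash(msg))
```

Each 128-bit block therefore has four keys that behave identically, so a 128-byte image has many second preimages that cost nothing to find. Secure hash constructions avoid this either by using a block cipher without equivalent keys or by feeding the message through a proper compression function instead of the key schedule.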