Structural Attacks on Two SHA-3 Candidates: Blender-n and DCH-n

Authors:
Mario Lamberger;Florian Mendel
Affiliations:
Institute for Applied Information Processing and Communications (IAIK), Graz University of Technology, Graz, Austria A-8010;Institute for Applied Information Processing and Communications (IAIK), Graz University of Technology, Graz, Austria A-8010
Venue:
ISC '09 Proceedings of the 12th International Conference on Information Security
Year:
2009

Citing 12
Cited 1

Hash functions based on block ciphers: a synthetic approach

CRYPTO '93 Proceedings of the 13th annual international cryptology conference on Advances in cryptology
Finite fields

Finite fields
A Design Principle for Hash Functions

CRYPTO '89 Proceedings of the 9th Annual International Cryptology Conference on Advances in Cryptology
How Easy is Collision Search. New Results and Applications to DES

CRYPTO '89 Proceedings of the 9th Annual International Cryptology Conference on Advances in Cryptology
One Way Hash Functions and DES

CRYPTO '89 Proceedings of the 9th Annual International Cryptology Conference on Advances in Cryptology
Cryptanalysis of the GOST Hash Function

CRYPTO 2008 Proceedings of the 28th Annual conference on Cryptology: Advances in Cryptology
Second preimage attacks on dithered hash functions

EUROCRYPT'08 Proceedings of the theory and applications of cryptographic techniques 27th annual international conference on Advances in cryptology
Linear-XOR and additive checksums don't protect Damgård-Merkle hashes from generic attacks

CT-RSA'08 Proceedings of the 2008 The Cryptopgraphers' Track at the RSA conference on Topics in cryptology
A failure-friendly design principle for hash functions

ASIACRYPT'05 Proceedings of the 11th international conference on Theory and Application of Cryptology and Information Security
Finding collisions in the full SHA-1

CRYPTO'05 Proceedings of the 25th annual international conference on Advances in Cryptology
How to break MD5 and other hash functions

EUROCRYPT'05 Proceedings of the 24th annual international conference on Theory and Applications of Cryptographic Techniques
Analysis of the Hash Function Design Strategy Called SMASH

IEEE Transactions on Information Theory

Preimage attacks against PKC98-Hash and HAS-V

ICISC'10 Proceedings of the 13th international conference on Information security and cryptology

Quantified Score

Hi-index	0.00

Visualization

Abstract

The recently started SHA-3 competition in order to find a new secure hash standard and thus a replacement for SHA-1/SHA-2 has attracted a lot of interest in the academic world as well as in industry. There are 51 round one candidates building on sometimes very different principles. In this paper, we show how to attack two of the 51 round one hash functions. The attacks have in common that they exploit structural weaknesses in the design of the hash function and are independent of the underlying compression function. First, we present a preimage attack on the hash function Blender-n . It has a complexity of about n ·2 n /2 and negligible memory requirements. Secondly, we show practical collision and preimage attacks on DCH-n . To be more precise, we can trivially construct a (28 + 2)-block collision for DCH-n and a 1297-block preimage with only 521 compression function evaluations. The attacks on both hash functions work for all output sizes and render the hash functions broken.