Thomas Peyrin, NIST mailing list 2009-02-03 ---------------------------------------------------- Hi all, We updated again our results on CubeHash (see: http://thomas.peyrin.googlepages.com/BrierPeyrinCubehash.pdf ) and we found a differential path for CubeHash2/2 with probability 2^{-196} using five iterations: dM1 = 80 00 dM2 = 00 22 dM3 = 8a 22 dM4 = 80 02 dM5 = 00 20 The rest of the differential path can be found very simply by linearizing the scheme. This first cryptanalysis work on CubeHash described in the paper only used linear differential paths, without any search speed-ups or freedom degrees considerations. Together with Shahram Khazaei and Willi Meier, we are now switching to this approach which seems promising: we computed a collision with only 2^24 computations for Cubehash-3/64 whereas the bulk complexity was originally 2^74 computations. M1 = 91FE735BCFB6DBD6DBA1E4159AB3E9484DECADA4AC445AC798886E6361CC48F2CABC4D997228704DC9546363074CAB543858F9E49D53AB35DB1A983CE6E12EB09D7B490FA3B95D6D0EC0D0150C7C6A44D4632871B6D4A792EE3FCED420FD84BD78CDCD1C872A8995EA59AAF6D5143AAA77621B2E36C2C024028EF8228B7CE0044AAD20D1D7A966C10210B7D825F1829C539DCA8A608AAE6219A784A42364A86D11C83EE871A4A974B5604CDA51CE76A56B412FCBCBDD2DE484B289A87605E90DBEC772C56B781B778A2032DBD2F8D52AFEECCA9C29209530984D7F24618A16205188E5BC0100348B206666F35E3B1D5C28E7F951088E81A0DB01C43D8BDA5DDC00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 M2 = 91FE735BCFB6DBD6DBA1E4159AB3E9484DECADA4AC445AC798886E6361CC48F2CABC4D997228704DC9546363074CAB543858F9E49D53AB35DB1A983CE6E12EB09D7B490FA3B95D6D0EC0D0150C7C6A44D4632871B6D4A792EE3FCED420FD84BD78CDCD1C872A8995EA59AAF6D5143AAA77621B2E36C2C024028EF8228B7CE0044AAD30D1D7A966C10210A7D825F1829C539DCA8A608AAE6219A784A42364A86D11C83EE871A4A974B5604CDA51CE76A56B412FCBCBDD2DE484B289A87605E90DBEC772C56B781B768A2032DBD2F8D52BF6CCEA9C29009530906D5F2461AA1620518AE73C0100368B206464735E3B1F5C28E3E941088E81A0DB05D42D8BDA5DDC00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000400000000000000040000 HASH = 87A5C34BDC1CE83830E70EEB4122D0B70991C8F42AC092F3D7FD7BC44B86F0BE760DFD26B65A28C3B985FA9B455093033734AF91FAA3E2228A6151D6A5839F19 Cheers, Eric, Shahram, Thomas and Willi