Jean-Philippe Aumasson, NIST mailing list 2008-12-04
----------------------------------------------------

[ This is NOT a break of CubeHash as submitted to NIST ]

The following 2880-bit messages collide through CubeHash2/120-512:

First message:

43CACBA20E63FF78D505D9F9850EE62C9B45B188AE22E9FEC4FEE220E5C3A9AE6F06868CD0A1122AE38B386F1358C0FBC3746E574BEB5D6E09399B4084D4D787E6C820BFE6615F68C8EA490686609E2A65833582C4806EB0C21B78F45F76346A689B52D3D1F6CF5311DE4ED0B365DDB1576907DC0326A2EB2737D5297D036CF400AE27132751CFBF88DDFECF810CEB4AAD133BDBD21D7334CE9C9FC977CA46B5AE61BFF61618B1ED193268667B0ADDD220AFDE2A416090293996BAB0E62CEAC10B60B87AAC0E088B9199D029288D878180034668C6BB9DE64CA89DCE4C284AD41BF38414D3E4D27A5DF41A428842CCDEF0F1F2F3F4F5F6F7F8F9FAFBFCFDFEFF000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132B33435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F6061626364656667

Second message:

43CACBA20E63FF78D505D9F9850EE62C9B45B188AE22E9FEC4FEE220E5C3A9AE6F06868CD0A1122AE38B386F1358C0FBC3746E574BEB5D6E09399B4084D4D787E6C820BFE6615F68C8EA490686609E2A65833582C4806EB0C21B78F45F76346A689B52D3D1F6CF5311DE4ED0B365DDB1576907DC0326A2EB2737D7597D036CF400AE27132751CFBF88DDFECFC10CEB4A2D133BDB921D7334CA9C9FC877CA46B5AA61BFF61618B1ED193268667B0ADDD2208FDE2A416090293990B8E0E62CEAC10B60B87AAC0E088B9199D029E88D87810003466806BB9DE64CA89DCE30284AD41BF38414D7E4D27A5DF41A428862CCDEF0F1F2F3F4F5F6F7F8F9FAFBFCFDFEFF000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F6061626364656667

The common digest is:

C48C99A0D37E1EB2AC7C42EDF4EDEC7AB73B7689506856CA458770096FC4A38B19016DCA3834F1F5805B3E47F3C38C705B4A25F5C2801D41A15CDF9E3603C61A

This collision was found using simple differential techniques, similar to those presented in http://www.131002.net/data/papers/AMNP08.pdf

No particular computation effort was necessary. In comparison the standard collision attack costs about 2^32 transforms.

Recall that CubeHash2/120-512 has r=2 (2 rounds per transform, 20 rounds to initialize and 20 rounds to finalize), b=120 (message blocks are xored with 120 of the 128 state bytes), h=512 (digest bitlength).
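
To check the claim independently (an added example, not part of the original post): a Python implementation of CubeHash r/b-h built from the parameters recalled above, hashing both messages and comparing against the posted digest. The round function follows the CubeHash specification, which the post does not reproduce, so it is an assumption here, as are the names `cubehash`, `rounds` and `page_messages`. The messages are split at the 120-byte block boundaries, and their third block, which is a plain byte counter in the post, is regenerated rather than pasted.

```python
import struct
MASK = 0xFFFFFFFF
# Hex copied from the post: block 1 (shared), then each message's block 2.
B1 = ("43CACBA20E63FF78D505D9F9850EE62C9B45B188AE22E9FEC4FEE220E5C3A9AE6F06868CD0A1122A"
      "E38B386F1358C0FBC3746E574BEB5D6E09399B4084D4D787E6C820BFE6615F68C8EA490686609E2A"
      "65833582C4806EB0C21B78F45F76346A689B52D3D1F6CF5311DE4ED0B365DDB1576907DC0326A2EB")
B2_A = ("2737D5297D036CF400AE27132751CFBF88DDFECF810CEB4AAD133BDBD21D7334CE9C9FC977CA46B5"
        "AE61BFF61618B1ED193268667B0ADDD220AFDE2A416090293996BAB0E62CEAC10B60B87AAC0E088B"
        "9199D029288D878180034668C6BB9DE64CA89DCE4C284AD41BF38414D3E4D27A5DF41A428842CCDE")
B2_B = ("2737D7597D036CF400AE27132751CFBF88DDFECFC10CEB4A2D133BDB921D7334CA9C9FC877CA46B5"
        "AA61BFF61618B1ED193268667B0ADDD2208FDE2A416090293990B8E0E62CEAC10B60B87AAC0E088B"
        "9199D029E88D87810003466806BB9DE64CA89DCE30284AD41BF38414D7E4D27A5DF41A428862CCDE")
DIGEST = ("C48C99A0D37E1EB2AC7C42EDF4EDEC7AB73B7689506856CA458770096FC4A38B"
          "19016DCA3834F1F5805B3E47F3C38C705B4A25F5C2801D41A15CDF9E3603C61A")

def rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK

def rounds(x, n):
    for _ in range(n):  # x: 32 words; lo = x[0..15], hi = x[16..31]
        lo, hi = x[:16], x[16:]
        hi = [(hi[i] + lo[i]) & MASK for i in range(16)]        # add lo into hi
        lo = [rotl(lo[i ^ 8], 7) ^ hi[i] for i in range(16)]    # rotate 7, swap, xor hi
        hi = [hi[i ^ 2] for i in range(16)]                     # swap within hi
        hi = [(hi[i] + lo[i]) & MASK for i in range(16)]        # add lo into hi
        lo = [rotl(lo[i ^ 4], 11) ^ hi[i] for i in range(16)]   # rotate 11, swap, xor hi
        hi = [hi[i ^ 1] for i in range(16)]                     # swap within hi
        x[:] = lo + hi

def cubehash(msg, r=2, b=120, h=512):
    x = [h // 8, b, r] + [0] * 29          # parameters fill the first 3 state words
    rounds(x, 10 * r)                      # initialization: 10r rounds
    padded = msg + b"\x80" + b"\x00" * (-(len(msg) + 1) % b)  # 1 bit, then zeros
    for off in range(0, len(padded), b):
        block = padded[off:off + b].ljust(128, b"\x00")  # xor touches b bytes only
        x[:] = [w ^ m for w, m in zip(x, struct.unpack("<32I", block))]
        rounds(x, r)
    x[31] ^= 1                             # finalization: flip one bit, 10r rounds
    rounds(x, 10 * r)
    return struct.pack("<32I", *x)[:h // 8]

def page_messages():
    # Block 3 in the post is the counter F0..FF,00..67; the first message has B3 for 33.
    tail = bytes(i & 0xFF for i in range(240, 360))
    first = bytes.fromhex(B1 + B2_A) + tail[:67] + b"\xb3" + tail[68:]
    return first, bytes.fromhex(B1 + B2_B) + tail

if __name__ == "__main__":
    print([cubehash(m).hex().upper() == DIGEST for m in page_messages()])
```

The two messages share their first block and differ only in blocks 2 and 3, so the difference is cancelled within the 128-byte state before the padding block is absorbed.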