The ECRYPT Hash Function Website - User contributions [en] (user: Tnad), feed generated 2022-05-26T10:32:21Z by MediaWiki 1.31.3 (https://ehash.iaik.tugraz.at/api.php?action=feedcontributions&user=Tnad&feedformat=atom)
<p>JH (https://ehash.iaik.tugraz.at/index.php?title=JH&diff=3701), revised 2011-04-22T07:44:36Z by Tnad</p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Hongjun Wu<br />
* Website: [http://www3.ntu.edu.sg/home/wuhj/research/jh/ http://www3.ntu.edu.sg/home/wuhj/research/jh/]<br />
* NIST submission package: <br />
** Round 3: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round3/documents/JH_FinalRnd.zip JH_FinalRnd.zip]<br />
** Round 1/2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/JH_Round2.zip JH_Round2.zip] (old versions: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/JH.zip JH.zip], [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/JHUpdate.zip JHUpdate.zip])<br />
<br />
<br />
<bibtex><br />
@misc{sha3W09,<br />
author = {Hongjun Wu},<br />
title = {The Hash Function JH},<br />
url = {http://www3.ntu.edu.sg/home/wuhj/research/jh/jh_round3.pdf},<br />
howpublished = {Submission to NIST (round 3)},<br />
year = {2011},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3W09a,<br />
author = {Hongjun Wu},<br />
title = {The Hash Function JH},<br />
url = {http://ehash.iaik.tugraz.at/uploads/1/1d/Jh20090915.pdf},<br />
howpublished = {Submission to NIST (Round 1/2)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
Recommended security parameter: '''42''' rounds<br />
<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|-<br />
| style="background:greenyellow" | preimage || 512 || || 2<sup>507</sup> || 2<sup>507</sup> || [http://www.isical.ac.in/~rishi_r/FSE2010-146.pdf Bhattacharyya et al.]<br />
|- <br />
| style="background:greenyellow" | preimage<sup>(1)</sup> || 512 || || 2<sup>510.3</sup> (+ 2<sup>524</sup> MA + 2<sup>524</sup> CMP) || 2<sup>510.3</sup> (Wu: 2<sup>510.6</sup>) || [http://ehash.iaik.tugraz.at/uploads/d/da/Jh_preimage.pdf Mendel,Thomsen], [http://ehash.iaik.tugraz.at/uploads/6/6f/Jh_mt_complexity.pdf Wu]<br />
|- <br />
|} <br />
<br />
<sup>(1)</sup> Wu has analyzed the exact memory requirements, additional memory accesses (MA) and comparisons (CMP) of the attack by Mendel and Thomsen.<br />
<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks). <br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| semi-free-start collision || compression function || 256 || 16 rounds || 2<sup>96.12</sup> || 2<sup>96.12</sup> || [http://eprint.iacr.org/2010/607.pdf Naya-Plasencia]<br />
|-<br />
| semi-free-start near collision || compression function || 256 || 22 rounds || 2<sup>95.63</sup> || 2<sup>95.63</sup> || [http://eprint.iacr.org/2010/607.pdf Naya-Plasencia]<br />
|-<br />
| semi-free-start near collision || compression function || all || 10 rounds || 2<sup>23.24</sup> || - || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/TURAN_Paper_Erdener.pdf Turan,Uyan]<br />
|- <br />
| semi-free-start collision || hash || 256 || 16 rounds || 2<sup>178.24</sup> || 2<sup>101.12</sup> || [http://www.cosic.esat.kuleuven.be/publications/article-1431.pdf Rijmen,Toz,Varıcı]<br />
|- <br />
| semi-free-start near collision || compression function || 256 || 22 rounds || 2<sup>156.77</sup> || 2<sup>143.70</sup> || [http://www.cosic.esat.kuleuven.be/publications/article-1431.pdf Rijmen,Toz,Varıcı]<br />
|- <br />
| semi-free-start near collision || compression function || 256 || 22 rounds || 2<sup>156.56</sup> || 2<sup>143.70</sup> || [http://www.cosic.esat.kuleuven.be/publications/article-1431.pdf Rijmen,Toz,Varıcı]<br />
|- <br />
| pseudo-collision || compression function || all || || - || - || [http://ehash.iaik.tugraz.at/uploads/a/a8/Jh1.txt Bagheri]<br />
|- <br />
| pseudo-2nd preimage || compression function || all || || - || - || [http://ehash.iaik.tugraz.at/uploads/a/a8/Jh1.txt Bagheri]<br />
|- <br />
|} <br />
<br />
<br />
<bibtex><br />
@misc{cryptoeprint:2010:607,<br />
author = {María Naya-Plasencia},<br />
title = {Scrutinizing rebound attacks: new algorithms for improving the complexities},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/607},<br />
year = {2010},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/2010/607.pdf},<br />
abstract = {Rebound attacks are a state-of-the-art analysis method for hash functions. These cryptanalysis methods are based on a well chosen differential path and have been applied to several hash functions from the SHA-3 competition, providing the best known analysis in these cases. In this paper we study rebound attacks in detail and find for a great number of cases, that complexities of existing attacks can be improved. This is done by determining problems that adapt optimally to the cryptanalytic situation, and by using better algorithms to follow the differential path. These improvements are essentially based on merging big lists in a more efficient way, as well as on new ideas on how to reduce the complexities. As a result, we introduce general purpose new algorithms for enabling further rebound analysis to be as performant as possible. We illustrate our new algorithms for real hash functions and demonstrate how to reduce the complexities of the best known analysis on five hash functions: JH, Grøstl, ECHO, Luffa and Lane (the first four are round two SHA-3 candidates).},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{blakeTU10,<br />
author = {Meltem Sönmez Turan, Erdener Uyan},<br />
title = {Practical Near-Collisions for Reduced Round Blake, Fugue, Hamsi and JH},<br />
howpublished = {Second SHA-3 Candidate Conference},<br />
year = {2010},<br />
url = {http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/TURAN_Paper_Erdener.pdf},<br />
abstract = {A hash function is near-collision resistant, if it is hard to find two messages with hash values that differ in only a small number of bits. In this study, we use hill climbing methods to evaluate the near-collision resistance of some of the round SHA-3 candidates. We practically obtained (i) 184/256-bit near-collision for the 2-round compression function of Blake-32; (ii) 192/256-bit near-collision for the 2-round compression function of Hamsi-256; (iii) 820/1024-bit near-collisions for 10-round compression function of JH. We also observed practical collisions and near-collisions for reduced versions of F-256 function used in Fugue.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{BMN10,<br />
author = {Rishiraj Bhattacharyya and Avradip Mandal and Mridul Nandi},<br />
title = {Security Analysis of the Mode of JH Hash Function},<br />
url = {http://www.isical.ac.in/~rishi_r/FSE2010-146.pdf},<br />
booktitle = {FSE},<br />
year = {2010},<br />
series = {LNCS},<br />
note = {To appear}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{RTV10,<br />
author = {Vincent Rijmen and Denis Toz and Kerem Varıcı},<br />
title = {Rebound Attack on Reduced-Round Versions of JH},<br />
url = {http://www.cosic.esat.kuleuven.be/publications/article-1431.pdf},<br />
booktitle = {FSE},<br />
year = {2010},<br />
series = {LNCS},<br />
note = {To appear}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{B08,<br />
author = {Nasour Bagheri},<br />
title = {Pseudo-collision and pseudo-second preimage on JH},<br />
url = {http://ehash.iaik.tugraz.at/uploads/a/a8/Jh1.txt}, <br />
howpublished = {NIST mailing list (local link)},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{MT08,<br />
author = {Florian Mendel, Søren S. Thomsen},<br />
title = {An Observation on JH-512},<br />
url = {http://ehash.iaik.tugraz.at/uploads/d/da/Jh_preimage.pdf}, <br />
howpublished = {Available online},<br />
year = {2008},<br />
abstract = {In this paper, we present a generic preimage attack on JH-512. We do not claim that our attack breaks JH-512 (due to the high memory requirements), but it uses some interesting properties in the design principles of JH-512 which do not exist in other hash functions, e.g., the SHA-2 family.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{W09,<br />
author = {Hongjun Wu},<br />
title = {The Complexity of Mendel and Thomsen's Preimage Attack on JH-512},<br />
url = {http://ehash.iaik.tugraz.at/uploads/6/6f/Jh_mt_complexity.pdf}, <br />
howpublished = {Available online},<br />
year = {2009},<br />
abstract = {Mendel and Thomsen gave a preimage attack on JH-512 by finding a preimage through the collision search over the space of $2^{1024}$ elements. However, they did not estimate the cost of the collision search which is the most expensive part in their attack. Our analysis shows that their attack requires at least $2^{510.3}$ compression function computations, $2^{510.6}$ memory ($2^{516.6}$ bytes), $2^{524}$ memory accesses and $2^{524}$ comparisons. Such complexity is far more expensive than brute force attack which requires $2^{512}$ compression function computations and almost no memory.},<br />
}<br />
</bibtex></div>
<p>Blue Midnight Wish (https://ehash.iaik.tugraz.at/index.php?title=Blue_Midnight_Wish&diff=3637), revised 2010-12-06T12:59:53Z by Tnad, edit summary: /* Building blocks */</p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Danilo Gligoroski, Vlastimil Klima, Svein Johan Knapskog, Mohamed El-Hadedy, Jørn Amundsen, Stig Frode Mjølsnes<br />
* Website: [http://www.q2s.ntnu.no/sha3_nist_competition/start http://www.q2s.ntnu.no/sha3_nist_competition/start]<br />
* NIST submission package: <br />
** round 1: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/Blue_Midnight_Wish.zip Blue_Midnight_Wish.zip]<br />
** round 2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/Blue_Midnight_Wish_Round2.zip Blue_Midnight_Wish_Round2.zip]<br />
<br />
<br />
<bibtex><br />
@misc{sha3GligoroskiKKH+09,<br />
author = {Danilo Gligoroski and Vlastimil Klima and Svein Johan Knapskog and Mohamed El-Hadedy and J\o{}rn Amundsen and Stig Frode Mj\o{}lsnes},<br />
title = {Cryptographic Hash Function BLUE MIDNIGHT WISH},<br />
url = {http://people.item.ntnu.no/~danilog/Hash/BMW-SecondRound/Supporting_Documentation/BlueMidnightWishDocumentation.pdf},<br />
howpublished = {Submission to NIST (Round 2)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3GligoroskiK09,<br />
author = {Danilo Gligoroski and Vlastimil Klima},<br />
title = {A Document describing all modifications made on the Blue Midnight Wish cryptographic hash function before entering the Second Round of SHA-3 hash competition},<br />
url = {http://people.item.ntnu.no/~danilog/Hash/BMW-SecondRound/Supporting_Documentation/Round2Mods.pdf},<br />
howpublished = {Available online},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3GligoroskiKKH+08,<br />
author = {Danilo Gligoroski and Vlastimil Klima and Svein Johan Knapskog and Mohamed El-Hadedy and J\o{}rn Amundsen and Stig Frode Mj\o{}lsnes},<br />
title = {Cryptographic Hash Function BLUE MIDNIGHT WISH},<br />
url = {http://people.item.ntnu.no/~danilog/Hash/BMW/Supporting_Documentation/BlueMidnightWishDocumentation.pdf},<br />
howpublished = {Submission to NIST (Round 1)},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
Recommended security parameter: Expandrounds<sub>1</sub> = '''2'''<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| || || || || ||<br />
|- <br />
|}<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks). <br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| partial-collision<sup>(1)</sup> || compression function || 256,512 || || 2<sup>32</sup>,2<sup>64</sup> || - || [http://www.di.ens.fr/~leurent/files/BMW_Distinguisher.pdf Leurent,Thomsen]<br />
|-<br />
| observation || compression function || all || || || - || [http://cryptography.hyperlink.cz/2009/BMWDecomposition04.pdf Gligoroski,Klima]<br />
|-<br />
| observation || compression function || all || || || - || [http://cryptography.hyperlink.cz/BMW/BijectionsInBMW03-plain.pdf Gligoroski,Klima]<br />
|-<br />
| distinguisher || compression function || 256,512 || || 1 || - || [http://www2.mat.dtu.dk/people/S.Thomsen/bmw/bmw-distinguishers.pdf Guo,Thomsen]<br />
|-<br />
| distinguisher || compression function || 512 || changed constant || 2<sup>278.2</sup> || - || [https://cryptolux.org/mediawiki/uploads/0/07/Rotational_distinguishers_%28Nikolic%2C_Pieprzyk%2C_Sokolowski%2C_Steinfeld%29.pdf Nikolić,Pieprzyk,Sokołowski,Steinfeld]<br />
|- <br />
| distinguisher || compression function || 512 || (Round 1) || 2<sup>223.5</sup> || - || [https://cryptolux.org/mediawiki/uploads/0/07/Rotational_distinguishers_%28Nikolic%2C_Pieprzyk%2C_Sokolowski%2C_Steinfeld%29.pdf Nikolić,Pieprzyk,Sokołowski,Steinfeld]<br />
|- <br />
| distinguisher || compression function || 256,512 || || 2<sup>19</sup> || - || [http://131002.net/data/papers/Aum10.pdf Aumasson]<br />
|- <br />
| observation || hash || 256,512 || || - || - || [http://eprint.iacr.org/2009/453.pdf Klima,Susil]<br />
|- <br />
| pseudo-collision || hash || all || (Round 1) || 2<sup>3n/8+1</sup>|| - || [http://eprint.iacr.org/2009/478.pdf Thomsen]<br />
|- <br />
| pseudo-preimage || hash || all || (Round 1) || 2<sup>3n/4+1</sup> || - || [http://eprint.iacr.org/2009/478.pdf Thomsen]<br />
|- <br />
| near-collision || compression function || all || (Round 1) || example || - || [http://eprint.iacr.org/2009/478.pdf Thomsen]<br />
|- <br />
|} <br />
<br />
<sup>(1)</sup> The BMW team commented on this partial-collision in [http://ehash.iaik.tugraz.at/uploads/7/7a/CommentNov2010.pdf this note].<br />
<br />
<br />
<bibtex><br />
@misc{bmwLT10,<br />
author = {Gaëtan Leurent and Søren S. Thomsen},<br />
title = {Practical Partial-Collisions on the Compression Function of BMW},<br />
url = {http://www.di.ens.fr/~leurent/files/BMW_Distinguisher.pdf},<br />
howpublished = {Available online},<br />
year = {2010},<br />
abstract = {Blue Midnight Wish (BMW) is one of the fastest SHA-3 candidates in the second round of the competition. In this paper we study the compression function of BMW and we obtain practical partial collisions in the case of BMW-256: we show a pair of inputs so that 300 pre-specified bits of the outputs collide (out of 512 bits). Our attack requires about 2^32 evaluations of the compression function. A similar attack can be developed for BMW-512, which gives message pairs with around 600 colliding bits for a cost of 2^64. This analysis does not affect the security of the iterated hash function, but it shows that the compression function is far from ideal. We also describe some tools for the analysis of systems of additions and rotations, which are used in our attack, and which can be useful for the analysis of other systems.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{bmwGligoroskiK10,<br />
author = {Danilo Gligoroski and Vlastimil Klima},<br />
title = {On Blue Midnight Wish Decomposition},<br />
booktitle = {SantaCrypt 2009},<br />
pages = {41-51},<br />
year = {2010},<br />
url = {http://cryptography.hyperlink.cz/2009/BMWDecomposition04.pdf},<br />
abstract = {Blue Midnight Wish is one of the 14 candidates in the second round of the NIST SHA-3 competition. In this paper we present a decomposition of the Blue Midnight Wish core functions, which gives a deeper look at the Blue Midnight Wish family of hash functions and a tool for their cryptanalysis. We used this decomposition for a better understanding of the insights of Blue Midnight Wish functions and to propose the tweak for the second round. We would like to encourage further cryptanalysis of Blue Midnight Wish, as the quickest candidate in the second round.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{bmwGligoroskiK102,<br />
author = {Danilo Gligoroski and Vlastimil Klima},<br />
title = {On the Computational Asymmetry of the S-Boxes Present in Blue Midnight Wish Cryptographic Hash},<br />
booktitle = {ICT Innovations 2009},<br />
editor = {Danco Davcev and Jorge Marx Gómez},<br />
publisher = {Springer},<br />
pages = {391-400},<br />
year = {2010},<br />
url = {http://cryptography.hyperlink.cz/BMW/BijectionsInBMW03-plain.pdf},<br />
abstract = {Blue Midnight Wish hash function is one of 14 candidate functions that are continuing in the Second Round of the SHA-3 competition. In its design it has several S-boxes (bijective components) that transform 32-bit or 64-bit values. Although they look similar to the S-boxes in SHA-2, they are also different. It is a well-known fact that the design principles of the SHA-2 family of hash functions are still kept as classified NSA information. However, in the open literature there have been several attempts to analyze those design principles. In this paper we first give an observation on the properties of SHA-2 S-boxes and then we investigate the same properties in Blue Midnight Wish.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{bmwGT10,<br />
author = {Jian Guo and Søren S. Thomsen},<br />
title = {Distinguishers for the Compression Function of Blue Midnight Wish with Probability 1},<br />
url = {http://www2.mat.dtu.dk/people/S.Thomsen/bmw/bmw-distinguishers.pdf},<br />
howpublished = {Available online},<br />
year = {2010},<br />
abstract ={In this paper, we give distinguishers for the compression function of SHA-3 candidate Blue Midnight Wish (tweaked version for round 2) with probability 1. The computational complexity is about 20 compression function calls. This applies to security parameters 0/16, 1/15, and 2/14. However, it does not threaten the security of the BMW hash functions.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{bmwNikolicPST,<br />
author = {Ivica Nikolić and Josef Pieprzyk and Przemysław Sokołowski and Ron Steinfeld},<br />
title = {Rotational Cryptanalysis of (Modified) Versions of BMW and SIMD},<br />
url = {https://cryptolux.org/mediawiki/uploads/0/07/Rotational_distinguishers_%28Nikolic%2C_Pieprzyk%2C_Sokolowski%2C_Steinfeld%29.pdf},<br />
howpublished = {Available online},<br />
year = {2010},<br />
abstract ={We extend the application of rotational distinguishers to<br />
classes of primitives that besides ARX, may have subtractions, shifts,<br />
and boolean functions. This allows us to launch rotational attacks on<br />
the compression functions of two SHA-3 candidates: BMW and SIMD.<br />
Specifically, we find rotational distinguishers for the compression functions<br />
of:<br />
1. round 1 BMW-512,<br />
2. round 2 BMW-512, with the constant modified in one byte<br />
3. round 1,2 modified SIMD-512 reduced to 24 rounds, with linearized<br />
key schedule<br />
4. round 1,2, SIMD-512 reduced to 12 rounds<br />
Our attacks do not contradict any security claims of the candidates.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{bmwAum10,<br />
author = {Jean-Philippe Aumasson},<br />
title = {Practical distinguisher for the compression function of Blue Midnight Wish},<br />
url = {http://131002.net/data/papers/Aum10.pdf},<br />
howpublished = {Available online},<br />
year = {2010},<br />
abstract ={This note presents distinguishers for the compression functions of Blue Midnight Wish-256 and -512, with data complexity of 2^19 pairs of images of uniformly random unknown inputs with a given difference.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cryptoeprint:2009:453,<br />
author = {Vlastimil Klima and Petr Susil},<br />
title = {A Note on Linear Approximations of BLUE MIDNIGHT WISH Cryptographic Hash Function},<br />
howpublished = {Cryptology ePrint Archive, Report 2009/453},<br />
year = {2009},<br />
url = {http://eprint.iacr.org/2009/453.pdf},<br />
abstract = {BLUE MIDNIGHT WISH hash function is the fastest among 14 algorithms in the second round of SHA-3 competition [1]. At the beginning of this round authors were invited to add some tweaks before September 15th 2009. In this paper we discuss the tweaked version (BMW). The BMW algorithm [3] is of the type AXR, since it uses only operations ADD (sub), XOR and ROT (shift). If we substitute the operation ADD with operation XOR, we get a BMWlin, which is an affine transformation. In this paper we consider only a BMWlin function and its building blocks. These affine transformations can be represented as a linear matrix and a constant vector. We found that all matrices of main blocks of BMWlin have a full rank, or they have a rank very close to full rank. The structure of matrices was examined. Matrices of elementary blocks have an expected non-random structure, while main blocks have a random structure. We will also show matrices for different values of security parameter ExpandRounds1 (values between 0 and 16). We observed that increasing the number of rounds ExpandRounds1 tends to increase randomness as was intended by designers. These observations hold for both BMW256lin and BMW512lin. In this analysis we did not find any useful property, which would help in cryptanalysis, nor did we find any weaknesses of BMW. The study of all building blocks will follow.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{fseThomsen10,<br />
author = {Søren S. Thomsen},<br />
title = {Pseudo-cryptanalysis of the Original Blue Midnight Wish},<br />
url = {http://eprint.iacr.org/2009/478.pdf},<br />
booktitle = {FSE},<br />
year = {2010},<br />
series = {LNCS},<br />
note = {To appear},<br />
abstract = {The hash function Blue Midnight Wish (BMW) is a candidate in the SHA-3 competition organised by the U.S. National Institute of Standards and Technology (NIST). BMW was selected for the second round of the competition, but the algorithm was tweaked in a number of ways. In this paper we describe cryptanalysis on the original version of BMW, as submitted to the SHA-3 competition in October 2008. When we refer to BMW, we therefore mean the original version of the algorithm. The attacks described are (near-)collision, preimage and second preimage attacks on the BMW compression function. These attacks can also be described as pseudo-attacks on the full hash function, i.e., as attacks in which the adversary is allowed to choose the initial value of the hash function. The complexities of the attacks are about 2^{14} for the near-collision attack, about 2^{3n/8+1} for the pseudo-collision attack, and about 2^{3n/4+1} for the pseudo-(second) preimage attack, where n is the output length of the hash function. Memory requirements are negligible. Moreover, the attacks are not (or only moderately) affected by the choice of security parameter for BMW.}<br />
}<br />
</bibtex><br />
<br />
=== Archive ===<br />
<br />
<bibtex><br />
@misc{Thomsen-bmw-compress,<br />
author = {Søren S. Thomsen},<br />
title = {Pseudo-cryptanalysis of Blue Midnight Wish},<br />
url = {http://www.mat.dtu.dk/people/S.Thomsen/bmw/bmw-pseudo.pdf},<br />
howpublished = {Available online},<br />
year = {2009},<br />
abstract ={We describe pseudo-collision and pseudo-(second) preimage attacks on the SHA-3 candidate Blue Midnight Wish. The complexity of the pseudo-collision attack is around 2^{3n/8+1}, and the complexity of the pseudo-(second) preimage attack is around 2^{3n/4+1}.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{Thomsen-bmw-nc-compress,<br />
author = {Søren S. Thomsen},<br />
title = {A near-collision attack on the Blue Midnight Wish compression function},<br />
url = {http://www2.mat.dtu.dk/people/S.Thomsen/bmw/nc-compress.pdf},<br />
howpublished = {Version 2.0, available online},<br />
year = {2008},<br />
}<br />
</bibtex></div>
<p>Blue Midnight Wish (https://ehash.iaik.tugraz.at/index.php?title=Blue_Midnight_Wish&diff=3636), revised 2010-12-06T12:59:19Z by Tnad, edit summary: /* Building blocks */</p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Danilo Gligoroski, Vlastimil Klima, Svein Johan Knapskog, Mohamed El-Hadedy, Jørn Amundsen, Stig Frode Mjølsnes<br />
* Website: [http://www.q2s.ntnu.no/sha3_nist_competition/start http://www.q2s.ntnu.no/sha3_nist_competition/start]<br />
* NIST submission package: <br />
** round 1: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/Blue_Midnight_Wish.zip Blue_Midnight_Wish.zip]<br />
** round 2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/Blue_Midnight_Wish_Round2.zip Blue_Midnight_Wish_Round2.zip]<br />
<br />
<br />
<bibtex><br />
@misc{sha3GligoroskiKKH+09,<br />
author = {Danilo Gligoroski and Vlastimil Klima and Svein Johan Knapskog and Mohamed El-Hadedy and J\o{}rn Amundsen and Stig Frode Mj\o{}lsnes},<br />
title = {Cryptographic Hash Function BLUE MIDNIGHT WISH},<br />
url = {http://people.item.ntnu.no/~danilog/Hash/BMW-SecondRound/Supporting_Documentation/BlueMidnightWishDocumentation.pdf},<br />
howpublished = {Submission to NIST (Round 2)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3GligoroskiK09,<br />
author = {Danilo Gligoroski and Vlastimil Klima },<br />
title = {A Document describing all modifications made on the Blue Midnight Wish cryptographic hash function before entering the Second Round of SHA-3 hash competition},<br />
url = {http://people.item.ntnu.no/~danilog/Hash/BMW-SecondRound/Supporting_Documentation/Round2Mods.pdf},<br />
howpublished = {Available online},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3GligoroskiKKH+08,<br />
author = {Danilo Gligoroski and Vlastimil Klima and Svein Johan Knapskog and Mohamed El-Hadedy and J\o{}rn Amundsen and Stig Frode Mj\o{}lsnes},<br />
title = {Cryptographic Hash Function BLUE MIDNIGHT WISH},<br />
url = {http://people.item.ntnu.no/~danilog/Hash/BMW/Supporting_Documentation/BlueMidnightWishDocumentation.pdf},<br />
howpublished = {Submission to NIST (Round 1)},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
Recommended security parameter: Expandrounds<sub>1</sub> = '''2'''<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| || || || || ||<br />
|- <br />
|}<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks). <br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| partial-collision<sup>(1)</sup>|| compression function || 256,512 || || 2<sup>32</sup>,2<sup>64</sup> || - || [http://www.di.ens.fr/~leurent/files/BMW_Distinguisher.pdf Leurent ,Thomsen]<br />
|-<br />
| observation|| compression function || all || || || - || [http://cryptography.hyperlink.cz/2009/BMWDecomposition04.pdf Gligoroski,Klima]<br />
|-<br />
| observation|| compression function || all || || || - || [http://cryptography.hyperlink.cz/BMW/BijectionsInBMW03-plain.pdf Gligoroski,Klima]<br />
|-<br />
| distinguisher || compression function || 256,512 || || 1 || - || [http://www2.mat.dtu.dk/people/S.Thomsen/bmw/bmw-distinguishers.pdf Guo,Thomsen]<br />
|-<br />
| distinguisher || compression function|| 512 || changed constant || 2<sup>278.2</sup> || - || [https://cryptolux.org/mediawiki/uploads/0/07/Rotational_distinguishers_%28Nikolic%2C_Pieprzyk%2C_Sokolowski%2C_Steinfeld%29.pdf Nikolić,Pieprzyk,Sokołowski,Steinfeld]<br />
|- <br />
| distinguisher || compression function|| 512 || (Round 1) || 2<sup>223.5</sup> || - || [https://cryptolux.org/mediawiki/uploads/0/07/Rotational_distinguishers_%28Nikolic%2C_Pieprzyk%2C_Sokolowski%2C_Steinfeld%29.pdf Nikolić,Pieprzyk,Sokołowski,Steinfeld]<br />
|- <br />
| distinguisher || compression function || 256,512 || || 2<sup>19</sup> || - || [http://131002.net/data/papers/Aum10.pdf Aumasson]<br />
|- <br />
| observation || hash || 256,512 || || - || - || [http://eprint.iacr.org/2009/453.pdf Klima,Susil]<br />
|- <br />
| pseudo-collision || hash || all || (Round 1) || 2<sup>3n/8+1</sup>|| - || [http://eprint.iacr.org/2009/478.pdf Thomsen]<br />
|- <br />
| pseudo-preimage || hash || all || (Round 1) || 2<sup>3n/4+1</sup> || - || [http://eprint.iacr.org/2009/478.pdf Thomsen]<br />
|- <br />
| near-collision || compression || all || (Round 1) || example || - || [http://eprint.iacr.org/2009/478.pdf Thomsen]<br />
|- <br />
|} <br />
<br />
<sup>(1)</sup>The BMW team commented on these partial-collisions in [http://ehash.iaik.tugraz.at/uploads/7/7a/CommentNov2010.pdf this note]<br />
<br />
<br />
<bibtex><br />
@misc{bmwAum10,<br />
author = {Gaëtan Leurent and Søren S. Thomsen},<br />
title = {Practical Partial-Collisions on the Compression Function of BMW},<br />
url = {http://www.di.ens.fr/~leurent/files/BMW_Distinguisher.pdf},<br />
howpublished = {Available online},<br />
year = {2010},<br />
abstract ={ Blue Midnight Wish (BMW) is one of the fastest SHA-3 candidates in the<br />
second round of the competition. In this paper we study the compression function of BMW<br />
and we obtain practical partial collisions in the case of BMW-256: we show a pair of inputs<br />
so that 300 pre-specified bits of the outputs collide (out of 512 bits). Our attack requires<br />
about 2^32 evaluations of the compression function. A similar attack can be developed for<br />
BMW-512, which will give message pairs with around 600 colliding bits for a cost of 2^64.<br />
This analysis does not affect the security of the iterated hash function, but it shows that<br />
the compression function is far from ideal.<br />
We also describe some tools for the analysis of systems of additions and rotations, which<br />
are used in our attack, and which can be useful for the analysis of other systems}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{bmwGligoroskiK10,<br />
author = {Danilo Gligoroski and Vlastimil Klima},<br />
title = {On Blue Midnight Wish Decomposition},<br />
booktitle = {SantaCrypt 2009},<br />
pages = {41-51},<br />
year = {2010},<br />
url = {http://cryptography.hyperlink.cz/2009/BMWDecomposition04.pdf},<br />
abstract ={Blue Midnight Wish is one of the 14 candidates in the second round of the NIST SHA-3 competition. In this paper we present a decomposition of the Blue Midnight Wish core functions, which gives<br />
a deeper look at the Blue Midnight Wish family of hash functions and a tool for their cryptanalysis. We<br />
used this decomposition for better understanding the insights of Blue Midnight Wish functions and<br />
to propose the tweak for the second round. We would like to encourage further cryptanalysis of Blue<br />
Midnight Wish, as the quickest candidate in the second round.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{bmwGligoroskiK102,<br />
author = {Danilo Gligoroski and Vlastimil Klima},<br />
title = {On the Computational Asymmetry of the S-Boxes Present in Blue Midnight Wish Cryptographic Hash},<br />
booktitle = {ICT Innovations 2009},<br />
editor = {Danco Davcev and Jorge Marx Gómez},<br />
publisher = {Springer},<br />
pages = {391-400},<br />
year = {2010},<br />
url = {http://cryptography.hyperlink.cz/BMW/BijectionsInBMW03-plain.pdf},<br />
abstract ={Blue Midnight Wish hash function is one of 14 candidate functions that are continuing in the Second Round of the SHA-3 competition. In its design it has several S-boxes (bijective components) that transform 32-bit or 64-bit values. Although they look similar to the S-boxes in SHA-2, they are also different.<br />
It is a well known fact that the design principles of the SHA-2 family of hash functions are still kept as classified NSA information. However, in the open literature there have been several attempts to analyze those design principles. In this paper first we give an observation on the properties of SHA-2 S-boxes and then we investigate the same properties in Blue Midnight Wish.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{bmwGT10,<br />
author = {Jian Guo and Søren S. Thomsen},<br />
title = {Distinguishers for the Compression Function of Blue Midnight Wish with Probability 1},<br />
url = {http://www2.mat.dtu.dk/people/S.Thomsen/bmw/bmw-distinguishers.pdf},<br />
howpublished = {Available online},<br />
year = {2010},<br />
abstract ={In this paper, we give distinguishers for the compression function of SHA-3 candidate Blue Midnight Wish (tweaked version for round 2) with probability 1. The computational complexity is about 20 compression function calls. This applies to security parameters 0/16, 1/15, and 2/14. However, it does not threaten the security of the BMW hash functions.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{bmwNikolicPST,<br />
author = {Ivica Nikolić and Josef Pieprzyk and Przemysław Sokołowski and Ron Steinfeld},<br />
title = {Rotational Cryptanalysis of (Modified) Versions of BMW and SIMD},<br />
url = {https://cryptolux.org/mediawiki/uploads/0/07/Rotational_distinguishers_%28Nikolic%2C_Pieprzyk%2C_Sokolowski%2C_Steinfeld%29.pdf},<br />
howpublished = {Available online},<br />
year = {2010},<br />
abstract ={We extend the application of rotational distinguishers to<br />
classes of primitives that besides ARX, may have subtractions, shifts,<br />
and boolean functions. This allows us to launch rotational attacks on<br />
the compression functions of two SHA-3 candidates: BMW and SIMD.<br />
Specifically, we find rotational distinguishers for the compression functions<br />
of:<br />
1. round 1 BMW-512,<br />
2. round 2 BMW-512, with the constant modified in one byte<br />
3. round 1,2 modified SIMD-512 reduced to 24 rounds, with linearized<br />
key schedule<br />
4. round 1,2, SIMD-512 reduced to 12 rounds<br />
Our attacks do not contradict any security claims of the candidates.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{bmwAum10,<br />
author = {Jean-Philippe Aumasson},<br />
title = {Practical distinguisher for the compression function of Blue Midnight Wish},<br />
url = {http://131002.net/data/papers/Aum10.pdf},<br />
howpublished = {Available online},<br />
year = {2010},<br />
abstract ={This note presents distinguishers for the compression functions of Blue Midnight Wish-256 and -512, with data complexity of 2^19 pairs of images of uniformly random unknown inputs with a given difference.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cryptoeprint:2009:453,<br />
author = {Vlastimil Klima and Petr Susil},<br />
title = {A Note on Linear Approximations of BLUE MIDNIGHT WISH Cryptographic Hash Function},<br />
howpublished = {Cryptology ePrint Archive, Report 2009/453},<br />
year = {2009},<br />
url = {http://eprint.iacr.org/2009/453.pdf},<br />
abstract = {BLUE MIDNIGHT WISH hash function is the fastest among 14 algorithms in the second round of SHA-3 competition [1]. At the beginning of this round authors were invited to add some tweaks before September 15th 2009. In this paper we discuss the tweaked version (BMW). The BMW algorithm [3] is of the type AXR, since it uses only operations ADD (sub), XOR and ROT (shift). If we substitute the operation ADD with operation XOR, we get a BMWlin, which is an affine transformation. In this paper we consider only a BMWlin function and its building blocks. These affine transformations can be represented as a linear matrix and a constant vector. We found that all matrices of main blocks of BMWlin have a full rank, or they have a rank very close to full rank. The structure of matrices was examined. Matrices of elementary blocks have an expected non-random structure, while main blocks have a random structure. We will also show matrices for different values of security parameter ExpandRounds1 (values between 0 and 16). We observed that increasing the number of rounds ExpandRounds1 tends to increase randomness as was intended by designers. These observations hold for both BMW256lin and BMW512lin. In this analysis we did not find any useful property, which would help in cryptanalysis, nor did we find any weaknesses of BMW. The study of all building blocks will follow.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{fseThomsen10,<br />
author = {Søren S. Thomsen},<br />
title = {Pseudo-cryptanalysis of the Original Blue Midnight Wish},<br />
url = {http://eprint.iacr.org/2009/478.pdf},<br />
booktitle = {FSE},<br />
year = {2010},<br />
series = {LNCS},<br />
note = {To appear},<br />
abstract = {The hash function Blue Midnight Wish (BMW) is a candidate in the SHA-3 competition organised by the U.S. National Institute of Standards and Technology (NIST). BMW was selected for the second round of the competition, but the algorithm was tweaked in a number of ways. In this paper we describe cryptanalysis on the original version of BMW, as submitted to the SHA-3 competition in October 2008. When we refer to BMW, we therefore mean the original version of the algorithm.<br />
<br />
The attacks described are (near-)collision, preimage and second preimage attacks on the BMW compression function. These attacks can also be described as pseudo-attacks on the full hash function, i.e., as attacks in which the adversary is allowed to choose the initial value of the hash function. The complexities of the attacks are about 2^{14} for the near-collision attack, about 2^{3n/8+1} for the pseudo-collision attack, and about 2^{3n/4+1} for the pseudo-(second) preimage attack, where n is the output length of the hash function. Memory requirements are negligible. Moreover, the attacks are not (or only moderately) affected by the choice of security parameter for BMW.}<br />
}<br />
</bibtex><br />
<br />
=== Archive ===<br />
<br />
<bibtex><br />
@misc{Thomsen-bmw-compress,<br />
author = {Søren S. Thomsen},<br />
title = {Pseudo-cryptanalysis of Blue Midnight Wish},<br />
url = {http://www.mat.dtu.dk/people/S.Thomsen/bmw/bmw-pseudo.pdf},<br />
howpublished = {Available online},<br />
year = {2009},<br />
abstract ={We describe pseudo-collision and pseudo-(second) preimage attacks on the SHA-3 candidate Blue Midnight Wish. The complexity of the pseudo-collision attack is around 2^{3n/8+1}, and the complexity of the pseudo-(second) preimage attack is around 2^{3n/4+1}.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{Thomsen-bmw-nc-compress,<br />
author = {Søren S. Thomsen},<br />
title = {A near-collision attack on the Blue Midnight Wish compression function},<br />
url = {http://www2.mat.dtu.dk/people/S.Thomsen/bmw/nc-compress.pdf},<br />
howpublished = {Version 2.0, available online},<br />
year = {2008},<br />
}<br />
</bibtex></div>Tnadhttps://ehash.iaik.tugraz.at/index.php?title=File:CommentNov2010.pdf&diff=3635File:CommentNov2010.pdf2010-12-06T12:57:31Z<p>Tnad: </p>
<hr />
<div></div>Tnadhttps://ehash.iaik.tugraz.at/index.php?title=Blue_Midnight_Wish&diff=3634Blue Midnight Wish2010-12-06T12:47:12Z<p>Tnad: added "Practical Partial-Collisions on the Compression Function of BMW"</p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Danilo Gligoroski, Vlastimil Klima, Svein Johan Knapskog, Mohamed El-Hadedy, Jørn Amundsen, Stig Frode Mjølsnes<br />
* Website: [http://www.q2s.ntnu.no/sha3_nist_competition/start http://www.q2s.ntnu.no/sha3_nist_competition/start]<br />
* NIST submission package: <br />
** round 1: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/Blue_Midnight_Wish.zip Blue_Midnight_Wish.zip]<br />
** round 2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/Blue_Midnight_Wish_Round2.zip Blue_Midnight_Wish_Round2.zip]<br />
<br />
<br />
<bibtex><br />
@misc{sha3GligoroskiKKH+09,<br />
author = {Danilo Gligoroski and Vlastimil Klima and Svein Johan Knapskog and Mohamed El-Hadedy and J\o{}rn Amundsen and Stig Frode Mj\o{}lsnes},<br />
title = {Cryptographic Hash Function BLUE MIDNIGHT WISH},<br />
url = {http://people.item.ntnu.no/~danilog/Hash/BMW-SecondRound/Supporting_Documentation/BlueMidnightWishDocumentation.pdf},<br />
howpublished = {Submission to NIST (Round 2)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3GligoroskiK09,<br />
author = {Danilo Gligoroski and Vlastimil Klima},<br />
title = {A Document describing all modifications made on the Blue Midnight Wish cryptographic hash function before entering the Second Round of SHA-3 hash competition},<br />
url = {http://people.item.ntnu.no/~danilog/Hash/BMW-SecondRound/Supporting_Documentation/Round2Mods.pdf},<br />
howpublished = {Available online},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3GligoroskiKKH+08,<br />
author = {Danilo Gligoroski and Vlastimil Klima and Svein Johan Knapskog and Mohamed El-Hadedy and J\o{}rn Amundsen and Stig Frode Mj\o{}lsnes},<br />
title = {Cryptographic Hash Function BLUE MIDNIGHT WISH},<br />
url = {http://people.item.ntnu.no/~danilog/Hash/BMW/Supporting_Documentation/BlueMidnightWishDocumentation.pdf},<br />
howpublished = {Submission to NIST (Round 1)},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
Recommended security parameter: Expandrounds<sub>1</sub> = '''2'''<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| || || || || ||<br />
|- <br />
|}<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks). <br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| partial-collision|| compression function || 256,512 || || 2<sup>32</sup>,2<sup>64</sup> || - || [http://www.di.ens.fr/~leurent/files/BMW_Distinguisher.pdf Leurent, Thomsen]<br />
|-<br />
| observation|| compression function || all || || || - || [http://cryptography.hyperlink.cz/2009/BMWDecomposition04.pdf Gligoroski,Klima]<br />
|-<br />
| observation|| compression function || all || || || - || [http://cryptography.hyperlink.cz/BMW/BijectionsInBMW03-plain.pdf Gligoroski,Klima]<br />
|-<br />
| distinguisher || compression function || 256,512 || || 1 || - || [http://www2.mat.dtu.dk/people/S.Thomsen/bmw/bmw-distinguishers.pdf Guo,Thomsen]<br />
|-<br />
| distinguisher || compression function|| 512 || changed constant || 2<sup>278.2</sup> || - || [https://cryptolux.org/mediawiki/uploads/0/07/Rotational_distinguishers_%28Nikolic%2C_Pieprzyk%2C_Sokolowski%2C_Steinfeld%29.pdf Nikolić,Pieprzyk,Sokołowski,Steinfeld]<br />
|- <br />
| distinguisher || compression function|| 512 || (Round 1) || 2<sup>223.5</sup> || - || [https://cryptolux.org/mediawiki/uploads/0/07/Rotational_distinguishers_%28Nikolic%2C_Pieprzyk%2C_Sokolowski%2C_Steinfeld%29.pdf Nikolić,Pieprzyk,Sokołowski,Steinfeld]<br />
|- <br />
| distinguisher || compression function || 256,512 || || 2<sup>19</sup> || - || [http://131002.net/data/papers/Aum10.pdf Aumasson]<br />
|- <br />
| observation || hash || 256,512 || || - || - || [http://eprint.iacr.org/2009/453.pdf Klima,Susil]<br />
|- <br />
| pseudo-collision || hash || all || (Round 1) || 2<sup>3n/8+1</sup>|| - || [http://eprint.iacr.org/2009/478.pdf Thomsen]<br />
|- <br />
| pseudo-preimage || hash || all || (Round 1) || 2<sup>3n/4+1</sup> || - || [http://eprint.iacr.org/2009/478.pdf Thomsen]<br />
|- <br />
| near-collision || compression || all || (Round 1) || example || - || [http://eprint.iacr.org/2009/478.pdf Thomsen]<br />
|- <br />
|} <br />
<br />
<bibtex><br />
@misc{bmwAum10,<br />
author = {Gaëtan Leurent and Søren S. Thomsen},<br />
title = {Practical Partial-Collisions on the Compression Function of BMW},<br />
url = {http://www.di.ens.fr/~leurent/files/BMW_Distinguisher.pdf},<br />
howpublished = {Available online},<br />
year = {2010},<br />
abstract ={ Blue Midnight Wish (BMW) is one of the fastest SHA-3 candidates in the<br />
second round of the competition. In this paper we study the compression function of BMW<br />
and we obtain practical partial collisions in the case of BMW-256: we show a pair of inputs<br />
so that 300 pre-specified bits of the outputs collide (out of 512 bits). Our attack requires<br />
about 2^32 evaluations of the compression function. A similar attack can be developed for<br />
BMW-512, which will give message pairs with around 600 colliding bits for a cost of 2^64.<br />
This analysis does not affect the security of the iterated hash function, but it shows that<br />
the compression function is far from ideal.<br />
We also describe some tools for the analysis of systems of additions and rotations, which<br />
are used in our attack, and which can be useful for the analysis of other systems}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{bmwGligoroskiK10,<br />
author = {Danilo Gligoroski and Vlastimil Klima},<br />
title = {On Blue Midnight Wish Decomposition},<br />
booktitle = {SantaCrypt 2009},<br />
pages = {41-51},<br />
year = {2010},<br />
url = {http://cryptography.hyperlink.cz/2009/BMWDecomposition04.pdf},<br />
abstract ={Blue Midnight Wish is one of the 14 candidates in the second round of the NIST SHA-3 competition. In this paper we present a decomposition of the Blue Midnight Wish core functions, which gives<br />
a deeper look at the Blue Midnight Wish family of hash functions and a tool for their cryptanalysis. We<br />
used this decomposition for better understanding the insights of Blue Midnight Wish functions and<br />
to propose the tweak for the second round. We would like to encourage further cryptanalysis of Blue<br />
Midnight Wish, as the quickest candidate in the second round.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{bmwGligoroskiK102,<br />
author = {Danilo Gligoroski and Vlastimil Klima},<br />
title = {On the Computational Asymmetry of the S-Boxes Present in Blue Midnight Wish Cryptographic Hash},<br />
booktitle = {ICT Innovations 2009},<br />
editor = {Danco Davcev and Jorge Marx Gómez},<br />
publisher = {Springer},<br />
pages = {391-400},<br />
year = {2010},<br />
url = {http://cryptography.hyperlink.cz/BMW/BijectionsInBMW03-plain.pdf},<br />
abstract ={Blue Midnight Wish hash function is one of 14 candidate functions that are continuing in the Second Round of the SHA-3 competition. In its design it has several S-boxes (bijective components) that transform 32-bit or 64-bit values. Although they look similar to the S-boxes in SHA-2, they are also different.<br />
It is a well known fact that the design principles of the SHA-2 family of hash functions are still kept as classified NSA information. However, in the open literature there have been several attempts to analyze those design principles. In this paper first we give an observation on the properties of SHA-2 S-boxes and then we investigate the same properties in Blue Midnight Wish.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{bmwGT10,<br />
author = {Jian Guo and Søren S. Thomsen},<br />
title = {Distinguishers for the Compression Function of Blue Midnight Wish with Probability 1},<br />
url = {http://www2.mat.dtu.dk/people/S.Thomsen/bmw/bmw-distinguishers.pdf},<br />
howpublished = {Available online},<br />
year = {2010},<br />
abstract ={In this paper, we give distinguishers for the compression function of SHA-3 candidate Blue Midnight Wish (tweaked version for round 2) with probability 1. The computational complexity is about 20 compression function calls. This applies to security parameters 0/16, 1/15, and 2/14. However, it does not threaten the security of the BMW hash functions.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{bmwNikolicPST,<br />
author = {Ivica Nikolić and Josef Pieprzyk and Przemysław Sokołowski and Ron Steinfeld},<br />
title = {Rotational Cryptanalysis of (Modified) Versions of BMW and SIMD},<br />
url = {https://cryptolux.org/mediawiki/uploads/0/07/Rotational_distinguishers_%28Nikolic%2C_Pieprzyk%2C_Sokolowski%2C_Steinfeld%29.pdf},<br />
howpublished = {Available online},<br />
year = {2010},<br />
abstract ={We extend the application of rotational distinguishers to<br />
classes of primitives that besides ARX, may have subtractions, shifts,<br />
and boolean functions. This allows us to launch rotational attacks on<br />
the compression functions of two SHA-3 candidates: BMW and SIMD.<br />
Specifically, we find rotational distinguishers for the compression functions<br />
of:<br />
1. round 1 BMW-512,<br />
2. round 2 BMW-512, with the constant modified in one byte<br />
3. round 1,2 modified SIMD-512 reduced to 24 rounds, with linearized<br />
key schedule<br />
4. round 1,2, SIMD-512 reduced to 12 rounds<br />
Our attacks do not contradict any security claims of the candidates.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{bmwAum10,<br />
author = {Jean-Philippe Aumasson},<br />
title = {Practical distinguisher for the compression function of Blue Midnight Wish},<br />
url = {http://131002.net/data/papers/Aum10.pdf},<br />
howpublished = {Available online},<br />
year = {2010},<br />
abstract ={This note presents distinguishers for the compression functions of Blue Midnight Wish-256 and -512, with data complexity of 2^19 pairs of images of uniformly random unknown inputs with a given difference.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cryptoeprint:2009:453,<br />
author = {Vlastimil Klima and Petr Susil},<br />
title = {A Note on Linear Approximations of BLUE MIDNIGHT WISH Cryptographic Hash Function},<br />
howpublished = {Cryptology ePrint Archive, Report 2009/453},<br />
year = {2009},<br />
url = {http://eprint.iacr.org/2009/453.pdf},<br />
abstract = {BLUE MIDNIGHT WISH hash function is the fastest among 14 algorithms in the second round of SHA-3 competition [1]. At the beginning of this round authors were invited to add some tweaks before September 15th 2009. In this paper we discuss the tweaked version (BMW). The BMW algorithm [3] is of the type AXR, since it uses only operations ADD (sub), XOR and ROT (shift). If we substitute the operation ADD with operation XOR, we get a BMWlin, which is an affine transformation. In this paper we consider only a BMWlin function and its building blocks. These affine transformations can be represented as a linear matrix and a constant vector. We found that all matrices of main blocks of BMWlin have a full rank, or they have a rank very close to full rank. The structure of matrices was examined. Matrices of elementary blocks have an expected non-random structure, while main blocks have a random structure. We will also show matrices for different values of security parameter ExpandRounds1 (values between 0 and 16). We observed that increasing the number of rounds ExpandRounds1 tends to increase randomness as was intended by designers. These observations hold for both BMW256lin and BMW512lin. In this analysis we did not find any useful property, which would help in cryptanalysis, nor did we find any weaknesses of BMW. The study of all building blocks will follow.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{fseThomsen10,<br />
author = {Søren S. Thomsen},<br />
title = {Pseudo-cryptanalysis of the Original Blue Midnight Wish},<br />
url = {http://eprint.iacr.org/2009/478.pdf},<br />
booktitle = {FSE},<br />
year = {2010},<br />
series = {LNCS},<br />
note = {To appear},<br />
abstract = {The hash function Blue Midnight Wish (BMW) is a candidate in the SHA-3 competition organised by the U.S. National Institute of Standards and Technology (NIST). BMW was selected for the second round of the competition, but the algorithm was tweaked in a number of ways. In this paper we describe cryptanalysis on the original version of BMW, as submitted to the SHA-3 competition in October 2008. When we refer to BMW, we therefore mean the original version of the algorithm.<br />
<br />
The attacks described are (near-)collision, preimage and second preimage attacks on the BMW compression function. These attacks can also be described as pseudo-attacks on the full hash function, i.e., as attacks in which the adversary is allowed to choose the initial value of the hash function. The complexities of the attacks are about 2^{14} for the near-collision attack, about 2^{3n/8+1} for the pseudo-collision attack, and about 2^{3n/4+1} for the pseudo-(second) preimage attack, where n is the output length of the hash function. Memory requirements are negligible. Moreover, the attacks are not (or only moderately) affected by the choice of security parameter for BMW.}<br />
}<br />
</bibtex><br />
<br />
=== Archive ===<br />
<br />
<bibtex><br />
@misc{Thomsen-bmw-compress,<br />
author = {Søren S. Thomsen},<br />
title = {Pseudo-cryptanalysis of Blue Midnight Wish},<br />
url = {http://www.mat.dtu.dk/people/S.Thomsen/bmw/bmw-pseudo.pdf},<br />
howpublished = {Available online},<br />
year = {2009},<br />
abstract ={We describe pseudo-collision and pseudo-(second) preimage attacks on the SHA-3 candidate Blue Midnight Wish. The complexity of the pseudo-collision attack is around 2^{3n/8+1}, and the complexity of the pseudo-(second) preimage attack is around 2^{3n/4+1}.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{Thomsen-bmw-nc-compress,<br />
author = {Søren S. Thomsen},<br />
title = {A near-collision attack on the Blue Midnight Wish compression function},<br />
url = {http://www2.mat.dtu.dk/people/S.Thomsen/bmw/nc-compress.pdf},<br />
howpublished = {Version 2.0, available online},<br />
year = {2008},<br />
}<br />
</bibtex></div>Tnadhttps://ehash.iaik.tugraz.at/index.php?title=SIMD&diff=3631SIMD2010-12-06T11:08:59Z<p>Tnad: added "Security Analysis of SIMD"</p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Gaëtan Leurent, Charles Bouillaguet, Pierre-Alain Fouque <br />
* Website: [http://www.di.ens.fr/~leurent/simd.html http://www.di.ens.fr/~leurent/simd.html]<br />
* NIST submission package: <br />
** round 1: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/SIMDUpdate.zip SIMDUpdate.zip] (old version: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/SIMD.zip SIMD.zip])<br />
** round 2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/SIMD_Round2.zip SIMD_Round2.zip]<br />
<br />
<br />
<bibtex><br />
@misc{sha3LBF09,<br />
author = {Gaëtan Leurent and Charles Bouillaguet and Pierre-Alain Fouque},<br />
title = {SIMD Is a Message Digest},<br />
url = {http://www.di.ens.fr/~leurent/files/SIMD.pdf},<br />
howpublished = {Submission to NIST (Round 2)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3LBF08,<br />
author = {Gaëtan Leurent and Charles Bouillaguet and Pierre-Alain Fouque},<br />
title = {SIMD Is a Message Digest},<br />
url = {http://ehash.iaik.tugraz.at/uploads/4/4e/Simd.pdf},<br />
howpublished = {Submission to NIST (Round 1)},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
Recommended security parameter: total number of steps = '''32'''<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| || || || || ||<br />
|- <br />
|} <br />
<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks).<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| distinguisher<sup>(1)</sup> || compression || All || Full || 1 || - || [http://eprint.iacr.org/2010/323.pdf Bouillaguet, Fouque, Leurent]<br />
|-<br />
| free-start near-collision || compression || 256 || 20 steps || 2<sup>107</sup> || - || [http://eprint.iacr.org/2010/304.pdf Yu, Wang]<br />
|-<br />
| free-start near-collision || compression || 512 || 24 steps || 2<sup>208</sup> || - || [http://eprint.iacr.org/2010/304.pdf Yu, Wang]<br />
|-<br />
| distinguisher<sup>(1)</sup> || compression || 512 || full || 2<sup>398</sup> || - || [http://eprint.iacr.org/2010/304.pdf Yu, Wang]<br />
|-<br />
| distinguisher<sup>(1)</sup> || compression || 512 || 12 steps || 2<sup>236</sup> || - || [https://cryptolux.org/mediawiki/uploads/0/07/Rotational_distinguishers_%28Nikolic%2C_Pieprzyk%2C_Sokolowski%2C_Steinfeld%29.pdf Nikolić,Pieprzyk,Sokołowski,Steinfeld]<br />
|- <br />
| distinguisher<sup>(1)</sup> || compression || 512 || linear message exp., 24 steps || 2<sup>497</sup> || - || [https://cryptolux.org/mediawiki/uploads/0/07/Rotational_distinguishers_%28Nikolic%2C_Pieprzyk%2C_Sokolowski%2C_Steinfeld%29.pdf Nikolić,Pieprzyk,Sokołowski,Steinfeld]<br />
|- <br />
| distinguisher<sup>(1)</sup> || compression || 512 || full (Round 1) || 5*2<sup>425.28</sup> || - || [http://online.tu-graz.ac.at/tug_online/voe_main2.getvolltext?pDocumentNr=125658 Mendel, Nad]<br />
|- <br />
|}<br />
<br />
<sup>(1)</sup>The SIMD team commented on distinguishers in [http://eprint.iacr.org/2010/323.pdf this paper].<br />
<br />
<bibtex><br />
@misc{cryptoeprint:2010:323,<br />
author = {Charles Bouillaguet and Pierre-Alain Fouque and Gaëtan Leurent},<br />
title = {Security Analysis of SIMD},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/323},<br />
url = {http://eprint.iacr.org/2010/323.pdf},<br />
year = {2010},<br />
note = {\url{http://eprint.iacr.org/}},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cryptoeprint:2010:304,<br />
author = {Hongbo Yu and Xiaoyun Wang},<br />
title = {Cryptanalysis of the Compression Function of SIMD},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/304},<br />
url={http://eprint.iacr.org/2010/304.pdf},<br />
year = {2010},<br />
note = {\url{http://eprint.iacr.org/}},<br />
abstract={SIMD is one of the second round candidates of the SHA-3 competition hosted by NIST. In this paper, we present some results on the compression function of SIMD 1.1 (the tweaked version) using the modular difference method. For SIMD-256, we give a free-start near collision attack on the compression function reduced to 20 steps with complexity $2^{-107}$. And for SIMD-512, we give a free-start near collision attack on the 24-step compression function with complexity $2^{208}$. Furthermore, we give a distinguisher attack on the full compression function of SIMD-512 with complexity $2^{398}$. Our attacks are also applicable for the final compression function of SIMD.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{bmwNikolicPST,<br />
author = {Ivica Nikolić and Josef Pieprzyk and Przemysław Sokołowski and Ron Steinfeld},<br />
title = {Rotational Cryptanalysis of (Modified) Versions of BMW and SIMD},<br />
url = {https://cryptolux.org/mediawiki/uploads/0/07/Rotational_distinguishers_%28Nikolic%2C_Pieprzyk%2C_Sokolowski%2C_Steinfeld%29.pdf},<br />
howpublished = {Available online},<br />
year = {2010},<br />
abstract ={We extend the application of rotational distinguishers to<br />
classes of primitives that besides ARX, may have subtractions, shifts,<br />
and boolean functions. This allows us to launch rotational attacks on<br />
the compression functions of two SHA-3 candidates: BMW and SIMD.<br />
Specifically, we find rotational distinguishers for the compression functions<br />
of:<br />
1. round 1 BMW-512,<br />
2. round 2 BMW-512, with the constant modified in one byte<br />
3. round 1,2 modified SIMD-512 reduced to 24 rounds, with linearized<br />
key schedule<br />
4. round 1,2, SIMD-512 reduced to 12 rounds<br />
Our attacks do not contradict any security claims of the candidates.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{indocryptMendelN09,<br />
author = {Florian Mendel and<br />
Tomislav Nad},<br />
title = {A Distinguisher for the Compression Function of SIMD-512},<br />
booktitle = {INDOCRYPT},<br />
editor = {Bimal K. Roy and<br />
Nicolas Sendrier},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
year = {2009},<br />
pages = {219-232},<br />
volume = {5922},<br />
url = {http://online.tu-graz.ac.at/tug_online/voe_main2.getvolltext?pDocumentNr=125658},<br />
abstract = {SIMD is one of the round 2 candidates of the public SHA-3<br />
competition hosted by NIST. It was designed by Leurent et al. In this<br />
paper, we present a distinguisher attack on the compression function of<br />
SIMD-512. By linearizing the compression function we construct a linear<br />
code. Using techniques from coding theory to search for low Hamming<br />
weight codewords, we can find differential characteristics with low Hamming<br />
weight (and hence high probability). In the attack the differences<br />
are introduced only in the IV. Such a characteristic is the base for our distinguisher,<br />
which can distinguish the compression function of SIMD-512<br />
from random with a complexity of 5*2^425.28 compression function calls.<br />
Furthermore, we can distinguish the output transformation of SIMD-512<br />
from random with a complexity of about 22*2^425.28 compression function<br />
calls. So far this is the first cryptanalytic result for the SIMD hash<br />
function.}<br />
}<br />
</bibtex></div>Tnadhttps://ehash.iaik.tugraz.at/index.php?title=Shabal&diff=3614Shabal2010-10-15T14:46:30Z<p>Tnad: </p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Emmanuel Bresson, Anne Canteaut, Benoît Chevallier-Mames, Christophe Clavier, Thomas Fuhr, Aline Gouget, Thomas Icart, Jean-François Misarsky, María Naya-Plasencia, Pascal Paillier, Thomas Pornin, Jean-René Reinhard, Céline Thuillet, Marion Videau<br />
* Website: http://www.shabal.com/<br />
* NIST submission package: <br />
** round 1/2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/Shabal_Round2.zip Shabal_Round2.zip] (old version: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/Shabal.zip Shabal.zip])<br />
<br />
<br />
<bibtex><br />
@misc{sha3CanteautCGPP08,<br />
author = {Emmanuel Bresson and Anne Canteaut and Benoît Chevallier-Mames and Christophe Clavier and Thomas Fuhr and Aline Gouget and Thomas Icart and Jean-François Misarsky and María Naya-Plasencia and Pascal Paillier and Thomas Pornin and Jean-René Reinhard and Céline Thuillet and Marion Videau},<br />
title = {Shabal, a Submission to NIST’s Cryptographic Hash Algorithm Competition},<br />
url = {http://ehash.iaik.tugraz.at/uploads/6/6c/Shabal.pdf},<br />
howpublished = {Submission to NIST},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cryptoeprint:2009:199,<br />
author = {Emmanuel Bresson and Anne Canteaut and Benoît Chevallier-Mames and Christophe Clavier and Thomas Fuhr and Aline Gouget and Thomas Icart and Jean-François Misarsky and María Naya-Plasencia and Pascal Paillier and Thomas Pornin and Jean-René Reinhard and Céline Thuillet and Marion Videau},<br />
title = {Indifferentiability with Distinguishers: Why Shabal Does Not Require Ideal Ciphers},<br />
howpublished = {Cryptology ePrint Archive, Report 2009/199},<br />
year = {2009},<br />
url = {http://eprint.iacr.org/2009/199.pdf},<br />
abstract = {Shabal is based on a new provably secure mode of operation. Some related-key distinguishers for the underlying keyed permutation have been exhibited recently by Aumasson et al. and Knudsen et al., but with no visible impact on the security of Shabal. This paper then aims at extensively studying such distinguishers for the keyed permutation used in Shabal, and at clarifying the impact that they exert on the security of the full hash function. Most interestingly, a new security proof for Shabal's mode of operation is provided where the keyed permutation is not assumed to be an ideal cipher anymore, but observes a distinguishing property i.e., an explicit relation verified by all its inputs and outputs. As a consequence of this extended proof, all known distinguishers for the keyed permutation are proven not to weaken the security of Shabal. In our study, we provide the foundation of a generalization of the indifferentiability framework to biased random primitives, this part being of independent interest.},<br />
}<br />
</bibtex><br />
<br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
Recommended security parameters: (p,r)='''(3,12)'''<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| || || || || ||<br />
|- <br />
|}<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks). <br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| non-randomness<sup>(1)</sup> || permutation || all || || 2<sup>12</sup> || - || [http://131002.net/data/papers/Aum09.pdf Aumasson]<br />
|- <br />
| non-randomness<sup>(1)</sup> || permutation || all || || 1 || - || [http://www.mat.dtu.dk/people/S.Thomsen/shabal/shabal.pdf Knudsen,Matusiewicz,Thomsen]<br />
|- <br />
| non-randomness<sup>(1)</sup> || permutation || all || || 2 || - || [http://131002.net/data/papers/AMM09.pdf Aumasson,Mashatan,Meier]<br />
|- <br />
| non-randomness || permutation || all || || 2<sup>159</sup> || - || [http://gva.noekeon.org/papers/ShabalRotation.pdf Van Assche]<br />
|- <br />
| non-randomness || permutation || all || || 2<sup>21</sup> || - || [http://eprint.iacr.org/2010/398.pdf Novotney]<br />
|- <br />
| non-randomness || compression function || all || || 1 || - || [http://ehash.iaik.tugraz.at/uploads/4/4b/Aumasson_shabal.txt Aumasson]<br />
|- <br />
|} <br />
<sup>(1)</sup>The Shabal team commented on these analyses and provided an update of their security proofs in [http://eprint.iacr.org/2009/199.pdf this note].<br />
<br />
<br />
<br />
<bibtex><br />
@misc{shabalAum09,<br />
author = {Jean-Philippe Aumasson},<br />
title = {On the pseudorandomness of Shabal's keyed permutation},<br />
url = {http://131002.net/data/papers/Aum09.pdf},<br />
howpublished = {Available online},<br />
year = {2009},<br />
abstract = {<br />
We report observations suggesting that the permutation used in<br />
Shabal does not behave pseudorandomly. This does not affect the<br />
security of Shabal as submitted to the NIST Hash Competition.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{shabalKMT09,<br />
author = {Lars R. Knudsen and Krystian Matusiewicz and Søren S. Thomsen},<br />
title = {Observations on the Shabal keyed permutation},<br />
url = {http://www.mat.dtu.dk/people/S.Thomsen/shabal/shabal.pdf},<br />
howpublished = {OFFICIAL COMMENT},<br />
year = {2009},<br />
abstract = {<br />
In this note we show that the permutation P used in the Shabal hash function, which is<br />
a candidate in the SHA-3 competition, has some non-random properties. As an example,<br />
it is easy to find a number of fixed points in the permutation. Moreover, large key-multicollisions<br />
can be easily found; these are multi-collisions where only the key input contains<br />
a difference. All observations are easily verified, and most of them are independent of the<br />
choice of security parameters. Our observations, on the other hand, do not seem extensible<br />
to the full hash function.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{shabalAum09a,<br />
author = {Jean-Philippe Aumasson and Atefeh Mashatan and Willi Meier},<br />
title = {More on Shabal's permutation},<br />
url = {http://131002.net/data/papers/AMM09.pdf},<br />
howpublished = {OFFICIAL COMMENT},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{shabalVA10,<br />
author = {Gilles Van Assche},<br />
title = {A rotational distinguisher on Shabal's keyed permutation and its impact on the security proofs},<br />
url = {http://gva.noekeon.org/papers/ShabalRotation.pdf},<br />
howpublished = {Available online},<br />
year = {2010},<br />
abstract = {In this short note, we apply a rotational distinguisher to the keyed permutation of the SHA-3 candidate Shabal. We then discuss its applicability in the scope of Shabal's mode of operation and its impact on the security proofs.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{shabalNov10,<br />
author = {Peter Novotney},<br />
title = {Distinguisher for Shabal's Permutation Function},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/398},<br />
url = {http://eprint.iacr.org/2010/398.pdf},<br />
year = {2010},<br />
note = {\url{http://eprint.iacr.org/}},<br />
abstract = {In this note we consider the Shabal permutation function $\mathcal{P}$ as a block cipher with input $A_p$,$B_p$ and key $C$,$M$ and describe a distinguisher with a data complexity of $2^{23}$ random inputs with a given difference. If the attacker can control one chosen bit of $B_p$, only $2^{21}$ inputs with a given difference are required on average. This distinguisher does not appear to lead directly to an attack on the full Shabal construction. },<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{shabalAum10,<br />
author = {Jean-Philippe Aumasson},<br />
title = {Observation on Shabal},<br />
url = {http://ehash.iaik.tugraz.at/uploads/4/4b/Aumasson_shabal.txt}, <br />
howpublished = {NIST mailing list (local link)},<br />
year = {2010},<br />
}<br />
</bibtex></div>Tnadhttps://ehash.iaik.tugraz.at/index.php?title=Blue_Midnight_Wish&diff=3466Blue Midnight Wish2010-04-23T10:29:31Z<p>Tnad: 2 papers added</p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Danilo Gligoroski, Vlastimil Klima, Svein Johan Knapskog, Mohamed El-Hadedy, Jørn Amundsen, Stig Frode Mjølsnes<br />
* Website: [http://www.q2s.ntnu.no/sha3_nist_competition/start http://www.q2s.ntnu.no/sha3_nist_competition/start]<br />
* NIST submission package: <br />
** round 1: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/Blue_Midnight_Wish.zip Blue_Midnight_Wish.zip]<br />
** round 2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/Blue_Midnight_Wish_Round2.zip Blue_Midnight_Wish_Round2.zip]<br />
<br />
<br />
<bibtex><br />
@misc{sha3GligoroskiKKH+09,<br />
author = {Danilo Gligoroski and Vlastimil Klima and Svein Johan Knapskog and Mohamed El-Hadedy and Jørn Amundsen and Stig Frode Mjølsnes},<br />
title = {Cryptographic Hash Function BLUE MIDNIGHT WISH},<br />
url = {http://people.item.ntnu.no/~danilog/Hash/BMW-SecondRound/Supporting_Documentation/BlueMidnightWishDocumentation.pdf},<br />
howpublished = {Submission to NIST (Round 2)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3GligoroskiK09,<br />
author = {Danilo Gligoroski and Vlastimil Klima },<br />
title = {A Document describing all modifications made on the Blue Midnight Wish cryptographic hash function before entering the Second Round of SHA-3 hash competition},<br />
url = {http://people.item.ntnu.no/~danilog/Hash/BMW-SecondRound/Supporting_Documentation/Round2Mods.pdf},<br />
howpublished = {Available online},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3GligoroskiKKH+08,<br />
author = {Danilo Gligoroski and Vlastimil Klima and Svein Johan Knapskog and Mohamed El-Hadedy and Jørn Amundsen and Stig Frode Mjølsnes},<br />
title = {Cryptographic Hash Function BLUE MIDNIGHT WISH},<br />
url = {http://people.item.ntnu.no/~danilog/Hash/BMW/Supporting_Documentation/BlueMidnightWishDocumentation.pdf},<br />
howpublished = {Submission to NIST (Round 1)},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
Recommended security parameter: Expandrounds<sub>1</sub> = '''2'''<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| || || || || ||<br />
|- <br />
|}<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks). <br />
<br />
Recommended security parameter: Expandrounds<sub>1</sub> = '''2'''<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| observation || compression function || all || || - || - || [http://cryptography.hyperlink.cz/2009/BMWDecomposition04.pdf Gligoroski,Klima]<br />
|-<br />
| observation || compression function || all || || - || - || [http://cryptography.hyperlink.cz/BMW/BijectionsInBMW03-plain.pdf Gligoroski,Klima]<br />
|-<br />
| distinguisher || compression function || 256,512 || || 1 || - || [http://www2.mat.dtu.dk/people/S.Thomsen/bmw/bmw-distinguishers.pdf Guo,Thomsen]<br />
|-<br />
| distinguisher || compression function|| 512 || changed constant || 2<sup>278.2</sup> || - || [https://cryptolux.org/mediawiki/uploads/0/07/Rotational_distinguishers_%28Nikolic%2C_Pieprzyk%2C_Sokolowski%2C_Steinfeld%29.pdf Nikolić,Pieprzyk,Sokołowski,Steinfeld]<br />
|- <br />
| distinguisher || compression function|| 512 || (Round 1) || 2<sup>223.5</sup> || - || [https://cryptolux.org/mediawiki/uploads/0/07/Rotational_distinguishers_%28Nikolic%2C_Pieprzyk%2C_Sokolowski%2C_Steinfeld%29.pdf Nikolić,Pieprzyk,Sokołowski,Steinfeld]<br />
|- <br />
| distinguisher || compression function || 256,512 || || 2<sup>19</sup> || - || [http://131002.net/data/papers/Aum10.pdf Aumasson]<br />
|- <br />
| observation || hash || 256,512 || || - || - || [http://eprint.iacr.org/2009/453.pdf Klima,Susil]<br />
|- <br />
| pseudo-collision || hash || all || (Round 1) || 2<sup>3n/8+1</sup>|| - || [http://eprint.iacr.org/2009/478.pdf Thomsen]<br />
|- <br />
| pseudo-preimage || hash || all || (Round 1) || 2<sup>3n/4+1</sup> || - || [http://eprint.iacr.org/2009/478.pdf Thomsen]<br />
|- <br />
| near-collision || compression || all || (Round 1) || example || - || [http://eprint.iacr.org/2009/478.pdf Thomsen]<br />
|- <br />
|} <br />
<br />
<br />
<bibtex><br />
@inproceedings{bmwGligoroskiK10,<br />
author = {Danilo Gligoroski and Vlastimil Klima},<br />
title = {On Blue Midnight Wish Decomposition},<br />
booktitle = {SantaCrypt 2009},<br />
pages = {41-51},<br />
year = {2010},<br />
url = {http://cryptography.hyperlink.cz/2009/BMWDecomposition04.pdf},<br />
abstract ={Blue Midnight Wish is one of the 14 candidates in the second round of the NIST SHA-3 competition. In this paper we present a decomposition of the Blue Midnight Wish core functions, which gives a<br />
deeper look at the Blue Midnight Wish family of hash functions and a tool for their cryptanalysis. We<br />
used this decomposition for better understanding the insights of Blue Midnight Wish functions and<br />
to propose the tweak for the second round. We would like to encourage further cryptanalysis of Blue<br />
Midnight Wish, as the quickest candidate in the second round.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{bmwGligoroskiK102,<br />
author = {Danilo Gligoroski and Vlastimil Klima},<br />
title = {On the Computational Asymmetry of the S-Boxes Present in Blue Midnight Wish Cryptographic Hash},<br />
booktitle = {ICT Innovations 2009},<br />
editor = {Danco Davcev and Jorge Marx Gómez},<br />
publisher = {Springer},<br />
pages = {391-400},<br />
year = {2010},<br />
url = {http://cryptography.hyperlink.cz/BMW/BijectionsInBMW03-plain.pdf},<br />
abstract ={Blue Midnight Wish hash function is one of 14 candidate functions that are continuing in the Second Round of the SHA-3 competition. In its design it has several S-boxes (bijective components) that transform 32-bit or 64-bit values. Although they look similar to the S-boxes in SHA-2, they are also different.<br />
It is a well-known fact that the design principles of the SHA-2 family of hash functions are still kept as classified NSA information. However, in the open literature there have been several attempts to analyze those design principles. In this paper first we give an observation on the properties of SHA-2 S-boxes and then we investigate the same properties in Blue Midnight Wish.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{bmwGT10,<br />
author = {Jian Guo and Søren S. Thomsen},<br />
title = {Distinguishers for the Compression Function of Blue Midnight Wish with Probability 1},<br />
url = {http://www2.mat.dtu.dk/people/S.Thomsen/bmw/bmw-distinguishers.pdf},<br />
howpublished = {Available online},<br />
year = {2010},<br />
abstract ={In this paper, we give distinguishers for the compression function of SHA-3 candidate Blue Midnight Wish (tweaked version for round 2) with probability 1. The computational complexity is about 20 compression function calls. This applies to security parameters 0/16, 1/15, and 2/14. However, it does not threaten the security of the BMW hash functions.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{bmwNikolicPST,<br />
author = {Ivica Nikolić and Josef Pieprzyk and Przemysław Sokołowski and Ron Steinfeld},<br />
title = {Rotational Cryptanalysis of (Modified) Versions of BMW and SIMD},<br />
url = {https://cryptolux.org/mediawiki/uploads/0/07/Rotational_distinguishers_%28Nikolic%2C_Pieprzyk%2C_Sokolowski%2C_Steinfeld%29.pdf},<br />
howpublished = {Available online},<br />
year = {2010},<br />
abstract ={We extend the application of rotational distinguishers to<br />
classes of primitives that besides ARX, may have subtractions, shifts,<br />
and boolean functions. This allows us to launch rotational attacks on<br />
the compression functions of two SHA-3 candidates: BMW and SIMD.<br />
Specifically, we find rotational distinguishers for the compression functions<br />
of:<br />
1. round 1 BMW-512,<br />
2. round 2 BMW-512, with the constant modified in one byte<br />
3. round 1,2 modified SIMD-512 reduced to 24 rounds, with linearized<br />
key schedule<br />
4. round 1,2, SIMD-512 reduced to 12 rounds<br />
Our attacks do not contradict any security claims of the candidates.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{bmwAum10,<br />
author = {Jean-Philippe Aumasson},<br />
title = {Practical distinguisher for the compression function of Blue Midnight Wish},<br />
url = {http://131002.net/data/papers/Aum10.pdf},<br />
howpublished = {Available online},<br />
year = {2010},<br />
abstract ={This note presents distinguishers for the compression functions of Blue Midnight Wish-256 and -512, with data complexity of 2^19 pairs of images of uniformly random unknown inputs with a given difference.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{fseThomsen10,<br />
author = {Søren S. Thomsen},<br />
title = {Pseudo-cryptanalysis of the Original Blue Midnight Wish},<br />
url = {http://eprint.iacr.org/2009/478.pdf},<br />
booktitle = {FSE},<br />
year = {2010},<br />
series = {LNCS},<br />
note = {To appear},<br />
abstract = {The hash function Blue Midnight Wish (BMW) is a candidate in the SHA-3 competition organised by the U.S. National Institute of Standards and Technology (NIST). BMW was selected for the second round of the competition, but the algorithm was tweaked in a number of ways. In this paper we describe cryptanalysis on the original version of BMW, as submitted to the SHA-3 competition in October 2008. When we refer to BMW, we therefore mean the original version of the algorithm.<br />
<br />
The attacks described are (near-)collision, preimage and second preimage attacks on the BMW compression function. These attacks can also be described as pseudo-attacks on the full hash function, i.e., as attacks in which the adversary is allowed to choose the initial value of the hash function. The complexities of the attacks are about 2^{14} for the near-collision attack, about 2^{3n/8+1} for the pseudo-collision attack, and about 2^{3n/4+1} for the pseudo-(second) preimage attack, where n is the output length of the hash function. Memory requirements are negligible. Moreover, the attacks are not (or only moderately) affected by the choice of security parameter for BMW.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cryptoeprint:2009:453,<br />
author = {Vlastimil Klima and Petr Susil},<br />
title = {A Note on Linear Approximations of BLUE MIDNIGHT WISH Cryptographic Hash Function},<br />
howpublished = {Cryptology ePrint Archive, Report 2009/453},<br />
year = {2009},<br />
url = {http://eprint.iacr.org/2009/453.pdf},<br />
abstract = {BLUE MIDNIGHT WISH hash function is the fastest among 14 algorithms in the second round of SHA-3 competition [1]. At the beginning of this round authors were invited to add some tweaks before September 15th 2009. In this paper we discuss the tweaked version (BMW). The BMW algorithm [3] is of the type AXR, since it uses only operations ADD (sub), XOR and ROT (shift). If we substitute the operation ADD with operation XOR, we get a BMWlin, which is an affine transformation. In this paper we consider only a BMWlin function and its building blocks. These affine transformations can be represented as a linear matrix and a constant vector. We found that all matrices of main blocks of BMWlin have a full rank, or they have a rank very close to full rank. The structure of matrices was examined. Matrices of elementary blocks have an expected non-random structure, while main blocks have a random structure. We will also show matrices for different values of security parameter ExpandRounds1 (values between 0 and 16). We observed that increasing the number of rounds ExpandRounds1 tends to increase randomness as was intended by designers. These observations hold for both BMW256lin and BMW512lin. In this analysis we did not find any useful property, which would help in cryptanalysis, nor did we find any weaknesses of BMW. The study of all building blocks will follow.}<br />
}<br />
</bibtex><br />
<br />
=== Archive ===<br />
<br />
<bibtex><br />
@misc{Thomsen-bmw-compress,<br />
author = {Søren S. Thomsen},<br />
title = {Pseudo-cryptanalysis of Blue Midnight Wish},<br />
url = {http://www.mat.dtu.dk/people/S.Thomsen/bmw/bmw-pseudo.pdf},<br />
howpublished = {Available online},<br />
year = {2009},<br />
abstract ={We describe pseudo-collision and pseudo-(second) preimage attacks on the SHA-3 candidate Blue Midnight Wish. The complexity of the pseudo-collision attack is around 2^{3n/8+1}, and the complexity of the pseudo-(second) preimage attack is around 2^{3n/4+1}.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{Thomsen-bmw-nc-compress,<br />
author = {Søren S. Thomsen},<br />
title = {A near-collision attack on the Blue Midnight Wish compression function},<br />
url = {http://www2.mat.dtu.dk/people/S.Thomsen/bmw/nc-compress.pdf},<br />
howpublished = {Version 2.0, available online},<br />
year = {2008},<br />
}<br />
</bibtex></div>Tnadhttps://ehash.iaik.tugraz.at/index.php?title=SIMD&diff=3423SIMD2010-03-24T12:05:33Z<p>Tnad: </p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Gaëtan Leurent, Charles Bouillaguet, Pierre-Alain Fouque <br />
* Website: [http://www.di.ens.fr/~leurent/simd.html http://www.di.ens.fr/~leurent/simd.html]<br />
* NIST submission package: <br />
** round 1: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/SIMDUpdate.zip SIMDUpdate.zip] (old version: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/SIMD.zip SIMD.zip])<br />
** round 2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/SIMD_Round2.zip SIMD_Round2.zip]<br />
<br />
<br />
<bibtex><br />
@misc{sha3LBF09,<br />
author = {Gaëtan Leurent and Charles Bouillaguet and Pierre-Alain Fouque},<br />
title = {SIMD Is a Message Digest},<br />
url = {http://www.di.ens.fr/~leurent/files/SIMD.pdf},<br />
howpublished = {Submission to NIST (Round 2)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3LBF08,<br />
author = {Gaëtan Leurent and Charles Bouillaguet and Pierre-Alain Fouque},<br />
title = {SIMD Is a Message Digest},<br />
url = {http://ehash.iaik.tugraz.at/uploads/4/4e/Simd.pdf},<br />
howpublished = {Submission to NIST (Round 1)},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
Recommended security parameter: total number of steps = 32<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| || || || || ||<br />
|- <br />
|} <br />
<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks).<br />
<br />
Recommended security parameter: total number of steps = 32<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| distinguisher || compression || 512 || 12 steps || 2<sup>236</sup> || - || [https://cryptolux.org/mediawiki/uploads/0/07/Rotational_distinguishers_%28Nikolic%2C_Pieprzyk%2C_Sokolowski%2C_Steinfeld%29.pdf Nikolić,Pieprzyk,Sokołowski,Steinfeld]<br />
|- <br />
| distinguisher || compression || 512 || linear message exp., 24 steps || 2<sup>497</sup> || - || [https://cryptolux.org/mediawiki/uploads/0/07/Rotational_distinguishers_%28Nikolic%2C_Pieprzyk%2C_Sokolowski%2C_Steinfeld%29.pdf Nikolić,Pieprzyk,Sokołowski,Steinfeld]<br />
|- <br />
| distinguisher || compression || 512 || full (Round 1) || 5*2<sup>425.28</sup> || - || [http://online.tu-graz.ac.at/tug_online/voe_main2.getvolltext?pDocumentNr=125658 Mendel, Nad]<br />
|- <br />
|}<br />
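<br />
The Mendel, Nad row above (its abstract is in the references below) rests on linearisation: replace every modular addition by XOR, so that an input difference propagates to an output difference through a GF(2)-linear map L; the pairs (Δ, L(Δ)) then form a linear code, and low-weight codewords found with coding-theory tools correspond to characteristics with few bit conditions, i.e. high probability, with all differences placed in the chaining input (IV) and none in the message. The following is an added example, not code from this wiki, from the paper or from the SIMD submission; the two-round 16-bit toy function it linearises is an assumption for illustration and is not SIMD. It carries the procedure through end to end and then measures the characteristic it finds on the real, non-linear function.<br />
<br />
```python
"""Linearise a toy compression function, build the linear code of its
difference propagation, search that code for low-weight words, and check
the resulting differential characteristic against the real function.

Added example (assumed toy, not SIMD, not the cited paper's code).
Differences are placed only in the chaining input h; the message m has
zero difference, as in the Mendel/Nad setting.
"""
import random
from itertools import combinations

N = 8                 # word size of the toy; state and message are two words
MASK = (1 << N) - 1
LOW = MASK >> 1       # every bit but the MSB: an MSB difference into an adder is free


def rotl(x, r):
    return ((x << r) | (x >> (N - r))) & MASK


def add_mod(x, y):    # the real operation
    return (x + y) & MASK


def add_lin(x, y):    # its linearisation
    return x ^ y


def compress(h, m, add):
    """Assumed two-round toy compression of 16-bit h with 16-bit message m."""
    a, b = h >> N, h & MASK
    for mi in (m >> N, m & MASK):
        a = add(a, mi)
        b = add(b, a)
        a = rotl(a, 3) ^ b
        b = rotl(b, 5)
    return (a << N) | b


def trail(delta):
    """Propagate a chaining-input difference through the linearised function and
    record the XOR differences (alpha, beta) entering each modular adder."""
    da, db = delta >> N, delta & MASK
    adders = []
    for _ in range(2):
        adders.append((da, 0))     # a + m_i: the message carries no difference
        adders.append((db, da))    # b + a
        db ^= da
        da = rotl(da, 3) ^ db
        db = rotl(db, 5)
    return (da << N) | db, adders


def linear_map(delta):
    return trail(delta)[0]


def weight(delta):
    """Bit conditions of the characteristic: the XOR approximation alpha + beta
    -> alpha ^ beta holds with probability 2^-hw((alpha | beta) & LOW)
    (Lipmaa/Moriai), so this is -log2 of the estimated probability."""
    return sum(bin((alpha | beta) & LOW).count("1") for alpha, beta in trail(delta)[1])


def generator_matrix():
    """Systematic generator matrix [I | L] of the [32,16] code {(d, L(d))},
    one 32-bit row per unit vector, low half = d, high half = L(d)."""
    return [(1 << i) | (linear_map(1 << i) << 2 * N) for i in range(2 * N)]


def codeword(delta):
    """XOR of the generator rows selected by delta equals (delta, L(delta))."""
    word = 0
    for i, row in enumerate(generator_matrix()):
        if delta >> i & 1:
            word ^= row
    return word


def search_low_weight(max_hw=3):
    """Enumerate information vectors of Hamming weight <= max_hw (enough for a
    16-bit toy; a real code needs probabilistic low-weight-codeword search) and
    return the characteristic with the fewest bit conditions."""
    best = None
    for hw in range(1, max_hw + 1):
        for bits in combinations(range(2 * N), hw):
            delta = sum(1 << i for i in bits)
            w = weight(delta)
            if best is None or w < best["weight"]:
                best = {"weight": w, "delta": delta, "dout": linear_map(delta)}
    return best


def empirical_probability(delta, dout, trials=4096, seed=7):
    """Fraction of random (h, m) for which the real function maps delta to dout."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        h, m = rng.getrandbits(2 * N), rng.getrandbits(2 * N)
        hits += compress(h ^ delta, m, add_mod) ^ compress(h, m, add_mod) == dout
    return hits / trials


def is_linear(trials=200, seed=1):
    """Difference propagation through the linearised function is exactly L."""
    rng = random.Random(seed)
    for _ in range(trials):
        h, m, d = (rng.getrandbits(2 * N) for _ in range(3))
        if compress(h ^ d, m, add_lin) ^ compress(h, m, add_lin) != linear_map(d):
            return False
    return True


if __name__ == "__main__":
    best = search_low_weight()
    print("best: 0x%04x -> 0x%04x, %d bit conditions, predicted 2^-%d"
          % (best["delta"], best["dout"], best["weight"], best["weight"]))
    print("measured on the real function:", empirical_probability(best["delta"], best["dout"]))
    print("a random 16-bit function hits a fixed output difference with probability 2^-16")
```
<br />
Running it prints the characteristic 0x0080 -> 0x9412 with one bit condition, and the measured rate on the non-linear toy agrees with the 2<sup>-1</sup> estimate, against 2<sup>-16</sup> for a random function; the weight-3 characteristic 0x8000 -> 0xB092 likewise measures close to 2<sup>-3</sup>. The object being searched is the same systematic code [I | L] that the full-size attack works on; only the search algorithm changes once the dimension is far beyond enumeration.<br />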
<br />
<bibtex><br />
@misc{bmwNikolicPST,<br />
author = {Ivica Nikolić and Josef Pieprzyk and Przemysław Sokołowski and Ron Steinfeld},<br />
title = {Rotational Cryptanalysis of (Modified) Versions of BMW and SIMD},<br />
url = {https://cryptolux.org/mediawiki/uploads/0/07/Rotational_distinguishers_%28Nikolic%2C_Pieprzyk%2C_Sokolowski%2C_Steinfeld%29.pdf},<br />
howpublished = {Available online},<br />
year = {2010},<br />
abstract ={We extend the application of rotational distinguishers to<br />
classes of primitives that besides ARX, may have subtractions, shifts,<br />
and boolean functions. This allows us to launch rotational attacks on<br />
the compression functions of two SHA-3 candidates: BMW and SIMD.<br />
Specifically, we find rotational distinguishers for the compression functions<br />
of:<br />
1. round 1 BMW-512,<br />
2. round 2 BMW-512, with the constant modified in one byte<br />
3. round 1,2 modified SIMD-512 reduced to 24 rounds, with linearized<br />
key schedule<br />
4. round 1,2, SIMD-512 reduced to 12 rounds<br />
Our attacks do not contradict any security claims of the candidates.},<br />
}<br />
</bibtex><br />
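<br />
The entry above extends rotational distinguishers from pure ARX to designs with subtractions, shifts and boolean functions. A rotational distinguisher tracks a pair (x, x<<<r) through the primitive and multiplies, over every operation on the trail, the probability that a rotational input pair yields a rotational output pair. The following added example, not code from this wiki, from the paper or from the BMW or SIMD submissions, computes those per-operation probabilities exactly: XOR, AND and rotation preserve rotational pairs with probability 1, modular addition and subtraction only with probability (1 + 2<sup>r-n</sup> + 2<sup>-r</sup> + 2<sup>-n</sup>)/4, a logical shift far less often, and XOR with a constant either always or never, depending on whether the constant is itself rotation-invariant. Constants are the usual obstacle to such trails, which is consistent with the table's round-2 BMW-512 entry being for a constant-modified variant. The toy round is an assumption for illustration and is not BMW or SIMD; the word size is 8 bits so that every value is obtained by full enumeration rather than sampling.<br />
<br />
```python
"""Rotational probabilities of ARX-style operations (added example; the toy
round is an assumption, not BMW or SIMD).

A rotational pair is (x, x<<<r).  Each function below reports how often an
operation maps a rotational input pair to a rotational output pair; a
rotational distinguisher for a whole primitive chains these probabilities.
"""


def rotl(x, r, n):
    """Rotate the n-bit word x left by r positions."""
    r %= n
    return ((x << r) | (x >> (n - r))) & ((1 << n) - 1)


def add_rotational_probability(n, r):
    """Closed form for Pr[(x<<<r) + (y<<<r) == (x + y)<<<r] over uniform n-bit x, y:
    no carry out of the low n-r bits and no carry out of the high r bits."""
    return (1 + 2.0 ** (r - n) + 2.0 ** (-r) + 2.0 ** (-n)) / 4


# Binary word operations (x, y, n) -> n-bit result.
def op_add(x, y, n):
    return (x + y) & ((1 << n) - 1)


def op_sub(x, y, n):
    return (x - y) & ((1 << n) - 1)


def op_xor(x, y, n):
    return x ^ y


def op_and(x, y, n):
    return x & y


def exact_rotational_probability(op, n, r):
    """Fraction of all n-bit pairs (x, y) with op(x<<<r, y<<<r) == op(x, y)<<<r."""
    total = 1 << n
    hits = sum(1 for x in range(total) for y in range(total)
               if op(rotl(x, r, n), rotl(y, r, n), n) == rotl(op(x, y, n), r, n))
    return hits / (total * total)


def shift_rotational_probability(n, r, s):
    """Pr[(x<<<r) >> s == (x >> s)<<<r]: a logical shift, unlike a rotation,
    does not commute with rotation, so it costs probability on the trail."""
    total = 1 << n
    return sum(1 for x in range(total)
               if rotl(x, r, n) >> s == rotl(x >> s, r, n)) / total


def constant_is_rotational(c, n, r):
    """x ^ c keeps every rotational pair rotational iff c == c<<<r; otherwise it
    never does.  This is why constants decide whether a rotational trail exists."""
    return rotl(c, r, n) == c


def toy_arx_round(a, b, n):
    """Assumed toy round (not BMW/SIMD): one addition, one rotation, one XOR."""
    a = op_add(a, b, n)
    b = rotl(b, 5, n) ^ a
    return a, b


def toy_rotational_probability(rounds, n, r):
    """Fraction of all (a, b) whose rotational partner is still a rotational
    partner after `rounds` toy rounds.  The addition is the only probabilistic
    step per round, so one round gives exactly add_rotational_probability."""
    total = 1 << n
    hits = 0
    for a in range(total):
        for b in range(total):
            u, v, u2, v2 = a, b, rotl(a, r, n), rotl(b, r, n)
            for _ in range(rounds):
                u, v = toy_arx_round(u, v, n)
                u2, v2 = toy_arx_round(u2, v2, n)
            hits += (u2, v2) == (rotl(u, r, n), rotl(v, r, n))
    return hits / (total * total)


if __name__ == "__main__":
    n, r = 8, 1
    print("ADD closed form   ", add_rotational_probability(n, r))
    for name, op in (("ADD", op_add), ("SUB", op_sub), ("XOR", op_xor), ("AND", op_and)):
        print(name, "enumerated      ", exact_rotational_probability(op, n, r))
    print("SHR by 1          ", shift_rotational_probability(n, r, 1))
    print("XOR 0x55: r=2 ok?", constant_is_rotational(0x55, n, 2),
          " r=1 ok?", constant_is_rotational(0x55, n, 1))
    for rounds in (1, 2, 3):
        print("toy ARX, %d round(s)" % rounds, toy_rotational_probability(rounds, n, r))
```
<br />
Run as a script it prints the closed form beside the enumerated value for each operation. The practitioner's reading: the cost of a rotational distinguisher is set by the number of additions (and shifts) on the trail, not by the number of rounds, and a single constant that is not invariant under the chosen rotation, placed where the trail has to pass through it, removes the property outright rather than merely lowering its probability.<br />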
<br />
<bibtex><br />
@inproceedings{indocryptMendelN09,<br />
author = {Florian Mendel and<br />
Tomislav Nad},<br />
title = {A Distinguisher for the Compression Function of SIMD-512},<br />
booktitle = {INDOCRYPT},<br />
editor = {Bimal K. Roy and<br />
Nicolas Sendrier},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
year = {2009},<br />
pages = {219-232},<br />
volume = {5922},<br />
url = {http://online.tu-graz.ac.at/tug_online/voe_main2.getvolltext?pDocumentNr=125658},<br />
abstract = {SIMD is one of the round 2 candidates of the public SHA-3<br />
competition hosted by NIST. It was designed by Leurent et al. In this<br />
paper, we present a distinguisher attack on the compression function of<br />
SIMD-512. By linearizing the compression function we construct a linear<br />
code. Using techniques from coding theory to search for low Hamming<br />
weight codewords, we can find differential characteristics with low Hamming<br />
weight (and hence high probability). In the attack the differences<br />
are introduced only in the IV. Such a characteristic is the base for our distinguisher,<br />
which can distinguish the compression function of SIMD-512<br />
from random with a complexity of 5*2^425.28 compression function calls.<br />
Furthermore, we can distinguish the output transformation of SIMD-512<br />
from random with a complexity of about 22*2^425.28 compression function<br />
calls. So far this is the first cryptanalytic result for the SIMD hash<br />
function.}<br />
}<br />
</bibtex></div>
Tnad https://ehash.iaik.tugraz.at/index.php?title=SIMD&diff=3422 SIMD 2010-03-24T12:04:31Z <p>Tnad: </p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Gaëtan Leurent, Charles Bouillaguet, Pierre-Alain Fouque <br />
* Website: [http://www.di.ens.fr/~leurent/simd.html http://www.di.ens.fr/~leurent/simd.html]<br />
* NIST submission package: <br />
** round 1: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/SIMDUpdate.zip SIMDUpdate.zip] (old version: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/SIMD.zip SIMD.zip])<br />
** round 2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/SIMD_Round2.zip SIMD_Round2.zip]<br />
<br />
<br />
<bibtex><br />
@misc{sha3LBF09,<br />
author = {Gaëtan Leurent and Charles Bouillaguet and Pierre-Alain Fouque},<br />
title = {SIMD Is a Message Digest},<br />
url = {http://www.di.ens.fr/~leurent/files/SIMD.pdf},<br />
howpublished = {Submission to NIST (Round 2)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3LBF08,<br />
author = {Gaëtan Leurent and Charles Bouillaguet and Pierre-Alain Fouque},<br />
title = {SIMD Is a Message Digest},<br />
url = {http://ehash.iaik.tugraz.at/uploads/4/4e/Simd.pdf},<br />
howpublished = {Submission to NIST (Round 1)},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
Recommended security parameter: total number of steps = 32<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| || || || || ||<br />
|- <br />
|} <br />
<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks).<br />
<br />
Recommended security parameter: total number of steps = 32<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| distinguisher || compression || 512 || 12 steps || 2<sup>236</sup> || - || [https://cryptolux.org/mediawiki/uploads/0/07/Rotational_distinguishers_%28Nikolic%2C_Pieprzyk%2C_Sokolowski%2C_Steinfeld%29.pdf Nikolić,Pieprzyk,Sokołowski,Steinfeld]<br />
|- <br />
| distinguisher || compression || 512 || linearized message expansion, 24 steps || 2<sup>497</sup> || - || [https://cryptolux.org/mediawiki/uploads/0/07/Rotational_distinguishers_%28Nikolic%2C_Pieprzyk%2C_Sokolowski%2C_Steinfeld%29.pdf Nikolić,Pieprzyk,Sokołowski,Steinfeld]<br />
|- <br />
| distinguisher || compression || 512 || full (Round 1) || 5*2<sup>425.28</sup> || - || [http://online.tu-graz.ac.at/tug_online/voe_main2.getvolltext?pDocumentNr=125658 Mendel, Nad]<br />
|- <br />
|}<br />
<br />
<bibtex><br />
@misc{bmwNikolicPST,<br />
author = {Ivica Nikolić, Josef Pieprzyk, Przemysław Sokołowski and Ron Steinfeld},<br />
title = {Rotational Cryptanalysis of (Modified) Versions of BMW and SIMD},<br />
url = {https://cryptolux.org/mediawiki/uploads/0/07/Rotational_distinguishers_%28Nikolic%2C_Pieprzyk%2C_Sokolowski%2C_Steinfeld%29.pdf},<br />
howpublished = {Available online},<br />
year = {2010},<br />
abstract ={We extend the application of rotational distinguishers to<br />
classes of primitives that besides ARX, may have subtractions, shifts,<br />
and boolean functions. This allows us to launch rotational attacks on<br />
the compression functions of two SHA-3 candidates: BMW and SIMD.<br />
Specifically, we find rotational distinguishers for the compression functions<br />
of:<br />
1. round 1 BMW-512,<br />
2. round 2 BMW-512, with the constant modified in one byte<br />
3. round 1,2 modified SIMD-512 reduced to 24 rounds, with linearized<br />
key schedule<br />
4. round 1,2, SIMD-512 reduced to 12 rounds<br />
Our attacks do not contradict any security claims of the candidates.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{indocryptMendelN09,<br />
author = {Florian Mendel and<br />
Tomislav Nad},<br />
title = {A Distinguisher for the Compression Function of SIMD-512},<br />
booktitle = {INDOCRYPT},<br />
editor = {Bimal K. Roy and<br />
Nicolas Sendrier},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
year = {2009},<br />
pages = {219-232},<br />
volume = {5922},<br />
url = {http://online.tu-graz.ac.at/tug_online/voe_main2.getvolltext?pDocumentNr=125658},<br />
abstract = {SIMD is one of the round 2 candidates of the public SHA-3<br />
competition hosted by NIST. It was designed by Leurent et al. In this<br />
paper, we present a distinguisher attack on the compression function of<br />
SIMD-512. By linearizing the compression function we construct a linear<br />
code. Using techniques from coding theory to search for low Hamming<br />
weight codewords, we can find differential characteristics with low Hamming<br />
weight (and hence high probability). In the attack the differences<br />
are introduced only in the IV. Such a characteristic is the base for our distinguisher,<br />
which can distinguish the compression function of SIMD-512<br />
from random with a complexity of 5*2^425.28 compression function calls.<br />
Furthermore, we can distinguish the output transformation of SIMD-512<br />
from random with a complexity of about 22*2^425.28 compression function<br />
calls. So far this is the first cryptanalytic result for the SIMD hash<br />
function.}<br />
}<br />
</bibtex></div>
Tnad https://ehash.iaik.tugraz.at/index.php?title=Blue_Midnight_Wish&diff=3420 Blue Midnight Wish 2010-03-24T11:53:37Z <p>Tnad: /* Building blocks */</p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Danilo Gligoroski, Vlastimil Klima, Svein Johan Knapskog, Mohamed El-Hadedy, Jørn Amundsen, Stig Frode Mjølsnes<br />
* Website: [http://www.q2s.ntnu.no/sha3_nist_competition/start http://www.q2s.ntnu.no/sha3_nist_competition/start]<br />
* NIST submission package: <br />
** round 1: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/Blue_Midnight_Wish.zip Blue_Midnight_Wish.zip]<br />
** round 2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/Blue_Midnight_Wish_Round2.zip Blue_Midnight_Wish_Round2.zip]<br />
<br />
<br />
<bibtex><br />
@misc{sha3GligoroskiKKH+09,<br />
author = {Danilo Gligoroski and Vlastimil Klima and Svein Johan Knapskog and Mohamed El-Hadedy and J\o{}rn Amundsen and Stig Frode Mj\o{}lsnes},<br />
title = {Cryptographic Hash Function BLUE MIDNIGHT WISH},<br />
url = {http://people.item.ntnu.no/~danilog/Hash/BMW-SecondRound/Supporting_Documentation/BlueMidnightWishDocumentation.pdf},<br />
howpublished = {Submission to NIST (Round 2)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3GligoroskiK09,<br />
author = {Danilo Gligoroski and Vlastimil Klima },<br />
title = {A Document describing all modifications made on the Blue Midnight Wish cryptographic hash function before entering the Second Round of SHA-3 hash competition},<br />
url = {http://people.item.ntnu.no/~danilog/Hash/BMW-SecondRound/Supporting_Documentation/Round2Mods.pdf},<br />
howpublished = {Available online},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3GligoroskiKKH+08,<br />
author = {Danilo Gligoroski and Vlastimil Klima and Svein Johan Knapskog and Mohamed El-Hadedy and J\o{}rn Amundsen and Stig Frode Mj\o{}lsnes},<br />
title = {Cryptographic Hash Function BLUE MIDNIGHT WISH},<br />
url = {http://people.item.ntnu.no/~danilog/Hash/BMW/Supporting_Documentation/BlueMidnightWishDocumentation.pdf},<br />
howpublished = {Submission to NIST (Round 1)},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
Recommended security parameter: Expandrounds<sub>1</sub> = '''2'''<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| || || || || ||<br />
|- <br />
|}<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks). <br />
<br />
Recommended security parameter: Expandrounds<sub>1</sub> = '''2'''<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| distinguisher || compression function || 512 || changed constant || 2<sup>278.2</sup> || - || [https://cryptolux.org/mediawiki/uploads/0/07/Rotational_distinguishers_%28Nikolic%2C_Pieprzyk%2C_Sokolowski%2C_Steinfeld%29.pdf Nikolić,Pieprzyk,Sokołowski,Steinfeld]<br />
|- <br />
| distinguisher || compression function || 512 || (Round 1) || 2<sup>223.5</sup> || - || [https://cryptolux.org/mediawiki/uploads/0/07/Rotational_distinguishers_%28Nikolic%2C_Pieprzyk%2C_Sokolowski%2C_Steinfeld%29.pdf Nikolić,Pieprzyk,Sokołowski,Steinfeld]<br />
|- <br />
| distinguisher || compression function || 256,512 || || 2<sup>19</sup> || - || [http://131002.net/data/papers/Aum10.pdf Aumasson]<br />
|- <br />
| observation || hash || 256,512 || || - || - || [http://eprint.iacr.org/2009/453.pdf Klima,Susil]<br />
|- <br />
| pseudo-collision || hash || all || (Round 1) || 2<sup>3n/8+1</sup> || - || [http://eprint.iacr.org/2009/478.pdf Thomsen]<br />
|- <br />
| pseudo-preimage || hash || all || (Round 1) || 2<sup>3n/4+1</sup> || - || [http://eprint.iacr.org/2009/478.pdf Thomsen]<br />
|- <br />
| near-collision || compression || all || (Round 1) || example || - || [http://eprint.iacr.org/2009/478.pdf Thomsen]<br />
|- <br />
|} <br />
<br />
<bibtex><br />
@misc{bmwNikolicPST,<br />
author = {Ivica Nikolić, Josef Pieprzyk, Przemysław Sokołowski and Ron Steinfeld},<br />
title = {Rotational Cryptanalysis of (Modified) Versions of BMW and SIMD},<br />
url = {https://cryptolux.org/mediawiki/uploads/0/07/Rotational_distinguishers_%28Nikolic%2C_Pieprzyk%2C_Sokolowski%2C_Steinfeld%29.pdf},<br />
howpublished = {Available online},<br />
year = {2010},<br />
abstract ={We extend the application of rotational distinguishers to<br />
classes of primitives that besides ARX, may have subtractions, shifts,<br />
and boolean functions. This allows us to launch rotational attacks on<br />
the compression functions of two SHA-3 candidates: BMW and SIMD.<br />
Specifically, we find rotational distinguishers for the compression functions<br />
of:<br />
1. round 1 BMW-512,<br />
2. round 2 BMW-512, with the constant modified in one byte<br />
3. round 1,2 modified SIMD-512 reduced to 24 rounds, with linearized<br />
key schedule<br />
4. round 1,2, SIMD-512 reduced to 12 rounds<br />
Our attacks do not contradict any security claims of the candidates.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{bmwAum10,<br />
author = {Jean-Philippe Aumasson},<br />
title = {Practical distinguisher for the compression function of Blue Midnight Wish},<br />
url = {http://131002.net/data/papers/Aum10.pdf},<br />
howpublished = {Available online},<br />
year = {2010},<br />
abstract ={This note presents distinguishers for the compression functions of Blue Midnight Wish-256 and -512, with data complexity of 2^19 pairs of images of uniformly random unknown inputs with a given difference.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{fseThomsen10,<br />
author = {Søren S. Thomsen},<br />
title = {Pseudo-cryptanalysis of the Original Blue Midnight Wish},<br />
url = {http://eprint.iacr.org/2009/478.pdf},<br />
booktitle = {FSE},<br />
year = {2010},<br />
series = {LNCS},<br />
note = {To appear},<br />
abstract = {The hash function Blue Midnight Wish (BMW) is a candidate in the SHA-3 competition organised by the U.S. National Institute of Standards and Technology (NIST). BMW was selected for the second round of the competition, but the algorithm was tweaked in a number of ways. In this paper we describe cryptanalysis on the original version of BMW, as submitted to the SHA-3 competition in October 2008. When we refer to BMW, we therefore mean the original version of the algorithm.<br />
<br />
The attacks described are (near-)collision, preimage and second preimage attacks on the BMW compression function. These attacks can also be described as pseudo-attacks on the full hash function, i.e., as attacks in which the adversary is allowed to choose the initial value of the hash function. The complexities of the attacks are about 2^{14} for the near-collision attack, about 2^{3n/8+1} for the pseudo-collision attack, and about 2^{3n/4+1} for the pseudo-(second) preimage attack, where n is the output length of the hash function. Memory requirements are negligible. Moreover, the attacks are not (or only moderately) affected by the choice of security parameter for BMW. }<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cryptoeprint:2009:453,<br />
author = {Vlastimil Klima and Petr Susil},<br />
title = {A Note on Linear Approximations of BLUE MIDNIGHT WISH Cryptographic Hash Function},<br />
howpublished = {Cryptology ePrint Archive, Report 2009/453},<br />
year = {2009},<br />
url = {http://eprint.iacr.org/2009/453.pdf},<br />
abstract = {BLUE MIDNIGHT WISH hash function is the fastest among 14 algorithms in the second round of SHA-3 competition [1]. At the beginning of this round authors were invited to add some tweaks before September 15th 2009. In this paper we discuss the tweaked version (BMW). The BMW algorithm [3] is of the type AXR, since it uses only operations ADD (sub), XOR and ROT (shift). If we substitute the operation ADD with operation XOR, we get a BMWlin, which is an affine transformation. In this paper we consider only a BMWlin function and its building blocks. These affine transformations can be represented as a linear matrix and a constant vector. We found that all matrices of main blocks of BMWlin have a full rank, or they have a rank very close to full rank. The structure of matrices was examined. Matrices of elementary blocks have an expected non-random structure, while main blocks have a random structure. We will also show matrices for different values of security parameter ExpandRounds1 (values between 0 and 16). We observed that increasing the number of rounds ExpandRounds1 tends to increase randomness as was intended by designers. These observations hold for both BMW256lin and BMW512lin. In this analysis we did not find any useful property, which would help in cryptanalysis, nor did we find any weaknesses of BMW. The study of all building blocks will follow.}<br />
}<br />
</bibtex><br />
<br />
=== Archive ===<br />
<br />
<bibtex><br />
@misc{Thomsen-bmw-compress,<br />
author = {Søren S. Thomsen},<br />
title = {Pseudo-cryptanalysis of Blue Midnight Wish},<br />
url = {http://www.mat.dtu.dk/people/S.Thomsen/bmw/bmw-pseudo.pdf},<br />
howpublished = {Available online},<br />
year = {2009},<br />
abstract ={We describe pseudo-collision and pseudo-(second) preimage attacks on the SHA-3 candidate Blue Midnight Wish. The complexity of the pseudo-collision attack is around 2^{3n/8+1}, and the complexity of the pseudo-(second) preimage attack is around 2^{3n/4+1}.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{Thomsen-bmw-nc-compress,<br />
author = {Søren S. Thomsen},<br />
title = {A near-collision attack on the Blue Midnight Wish compression function},<br />
url = {http://www2.mat.dtu.dk/people/S.Thomsen/bmw/nc-compress.pdf},<br />
howpublished = {Version 2.0, available online},<br />
year = {2008},<br />
}<br />
</bibtex></div>
Tnad https://ehash.iaik.tugraz.at/index.php?title=Blue_Midnight_Wish&diff=3419 Blue Midnight Wish 2010-03-24T11:49:47Z <p>Tnad: /* Building blocks */</p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Danilo Gligoroski, Vlastimil Klima, Svein Johan Knapskog, Mohamed El-Hadedy, Jørn Amundsen, Stig Frode Mjølsnes<br />
* Website: [http://www.q2s.ntnu.no/sha3_nist_competition/start http://www.q2s.ntnu.no/sha3_nist_competition/start]<br />
* NIST submission package: <br />
** round 1: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/Blue_Midnight_Wish.zip Blue_Midnight_Wish.zip]<br />
** round 2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/Blue_Midnight_Wish_Round2.zip Blue_Midnight_Wish_Round2.zip]<br />
<br />
<br />
<bibtex><br />
@misc{sha3GligoroskiKKH+09,<br />
author = {Danilo Gligoroski and Vlastimil Klima and Svein Johan Knapskog and Mohamed El-Hadedy and J\o{}rn Amundsen and Stig Frode Mj\o{}lsnes},<br />
title = {Cryptographic Hash Function BLUE MIDNIGHT WISH},<br />
url = {http://people.item.ntnu.no/~danilog/Hash/BMW-SecondRound/Supporting_Documentation/BlueMidnightWishDocumentation.pdf},<br />
howpublished = {Submission to NIST (Round 2)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3GligoroskiK09,<br />
author = {Danilo Gligoroski and Vlastimil Klima },<br />
title = {A Document describing all modifications made on the Blue Midnight Wish cryptographic hash function before entering the Second Round of SHA-3 hash competition},<br />
url = {http://people.item.ntnu.no/~danilog/Hash/BMW-SecondRound/Supporting_Documentation/Round2Mods.pdf},<br />
howpublished = {Available online},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3GligoroskiKKH+08,<br />
author = {Danilo Gligoroski and Vlastimil Klima and Svein Johan Knapskog and Mohamed El-Hadedy and J\o{}rn Amundsen and Stig Frode Mj\o{}lsnes},<br />
title = {Cryptographic Hash Function BLUE MIDNIGHT WISH},<br />
url = {http://people.item.ntnu.no/~danilog/Hash/BMW/Supporting_Documentation/BlueMidnightWishDocumentation.pdf},<br />
howpublished = {Submission to NIST (Round 1)},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
Recommended security parameter: Expandrounds<sub>1</sub> = '''2'''<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| || || || || ||<br />
|- <br />
|}<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks). <br />
<br />
Recommended security parameter: Expandrounds<sub>1</sub> = '''2'''<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| distinguisher || hash || 512 || changed constant || 2<sup>278.2</sup> || - || [https://cryptolux.org/mediawiki/uploads/0/07/Rotational_distinguishers_%28Nikolic%2C_Pieprzyk%2C_Sokolowski%2C_Steinfeld%29.pdf Nikolić,Pieprzyk,Sokołowski,Steinfeld]<br />
|- <br />
| distinguisher || hash || 512 || (Round 1) || 2<sup>223.5</sup> || - || [https://cryptolux.org/mediawiki/uploads/0/07/Rotational_distinguishers_%28Nikolic%2C_Pieprzyk%2C_Sokolowski%2C_Steinfeld%29.pdf Nikolić,Pieprzyk,Sokołowski,Steinfeld]<br />
|- <br />
| distinguisher || compression function || 256,512 || || 2<sup>19</sup> || - || [http://131002.net/data/papers/Aum10.pdf Aumasson]<br />
|- <br />
| observation || hash || 256,512 || || - || - || [http://eprint.iacr.org/2009/453.pdf Klima,Susil]<br />
|- <br />
| pseudo-collision || hash || all || (Round 1) || 2<sup>3n/8+1</sup> || - || [http://eprint.iacr.org/2009/478.pdf Thomsen]<br />
|- <br />
| pseudo-preimage || hash || all || (Round 1) || 2<sup>3n/4+1</sup> || - || [http://eprint.iacr.org/2009/478.pdf Thomsen]<br />
|- <br />
| near-collision || compression || all || (Round 1) || example || - || [http://eprint.iacr.org/2009/478.pdf Thomsen]<br />
|- <br />
|} <br />
<br />
<bibtex><br />
@misc{bmwNikolicPST,<br />
author = {Ivica Nikolić, Josef Pieprzyk, Przemysław Sokołowski and Ron Steinfeld},<br />
title = {Rotational Cryptanalysis of (Modified) Versions of BMW and SIMD},<br />
url = {https://cryptolux.org/mediawiki/uploads/0/07/Rotational_distinguishers_%28Nikolic%2C_Pieprzyk%2C_Sokolowski%2C_Steinfeld%29.pdf},<br />
howpublished = {Available online},<br />
year = {2010},<br />
abstract ={We extend the application of rotational distinguishers to<br />
classes of primitives that besides ARX, may have subtractions, shifts,<br />
and boolean functions. This allows us to launch rotational attacks on<br />
the compression functions of two SHA-3 candidates: BMW and SIMD.<br />
Specifically, we find rotational distinguishers for the compression functions<br />
of:<br />
1. round 1 BMW-512,<br />
2. round 2 BMW-512, with the constant modified in one byte<br />
3. round 1,2 modified SIMD-512 reduced to 24 rounds, with linearized<br />
key schedule<br />
4. round 1,2, SIMD-512 reduced to 12 rounds<br />
Our attacks do not contradict any security claims of the candidates.},<br />
}<br />
</bibtex><br />
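The rotational distinguishers cited above for BMW-512 and for reduced SIMD-512 rest on one arithmetic fact: a pair of inputs that differ by a word rotation stays a rotational pair through XOR and through rotation with probability 1, through each modular addition with probability about 2<sup>-1.415</sup> for a 1-bit rotation, and through XOR with a constant only when the constant is itself rotation-invariant, which is why the abstract has to modify a BMW constant before the attack goes through. The script below is an added illustration written for this page; it is not code from the cited paper, from the BMW submission or from the SIMD submission. It uses a constructed toy ARX step (one addition, one rotation, one round constant), measures the empirical rotational probability of the step with a seeded PRNG, and compares it with the closed form of Khovratovich and Nikolić for a single addition. The word size, the constants and the step function are assumptions chosen for the example.<br />

```python
import random

WORD = 32                   # toy word size (assumption; BMW-512 uses 64-bit words, SIMD-512 32-bit)
MASK = (1 << WORD) - 1


def rotl(x, r):
    """Rotate a WORD-bit value left by r bits."""
    return ((x << r) | (x >> (WORD - r))) & MASK


def arx_step(a, b, const):
    """Toy ARX step constructed for this example (not BMW or SIMD):
    one modular addition, one rotation, one XOR with a round constant."""
    a = (a + b) & MASK
    b = rotl(b, 7) ^ a ^ const
    return a, b


def add_rotational_probability(n, r):
    """Closed form (Khovratovich and Nikolić) for
    Pr[(x + y) <<< r == (x <<< r) + (y <<< r)] over n-bit words.
    For n = 32, r = 1 this is about 0.375 = 2^-1.415."""
    return (1 + 2.0 ** (r - n) + 2.0 ** (-r) + 2.0 ** (-n)) / 4


def constant_is_rotation_invariant(const, r=1):
    """XOR with a constant c keeps a rotational pair rotational only if c == c <<< r;
    for r = 1 that means c is 0 or all-ones."""
    return rotl(const, r) == const


def rotational_rate(step, const, r=1, samples=20000, seed=7):
    """Empirical probability that the rotational input pair
    ((a, b), (a <<< r, b <<< r)) is still a rotational pair after one step.
    The inputs are constructed with a seeded PRNG so the run is reproducible."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(samples):
        a, b = rng.getrandbits(WORD), rng.getrandbits(WORD)
        a1, b1 = step(a, b, const)
        a2, b2 = step(rotl(a, r), rotl(b, r), const)
        if a2 == rotl(a1, r) and b2 == rotl(b1, r):
            hits += 1
    return hits / samples


if __name__ == "__main__":
    print("theory, one addition, r=1:", add_rotational_probability(WORD, 1))
    for c in (0x00000000, 0xFFFFFFFF, 0x9E3779B9):
        print(f"const {c:#010x}: invariant={constant_is_rotation_invariant(c)} "
              f"rate={rotational_rate(arx_step, c):.4f}")
```

Run as a script it prints the rates for the constants 0, all-ones and 0x9E3779B9: only the first two leave rotational pairs intact, and the surviving fraction equals the single-addition probability because the rest of the toy step is rotation-invariant. Replacing the invariant constant by an arbitrary one drives the rate to zero, which is the effect the modified-constant variants in the table above work around.<br />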
<br />
<bibtex><br />
@misc{bmwAum10,<br />
author = {Jean-Philippe Aumasson},<br />
title = {Practical distinguisher for the compression function of Blue Midnight Wish},<br />
url = {http://131002.net/data/papers/Aum10.pdf},<br />
howpublished = {Available online},<br />
year = {2010},<br />
abstract ={This note presents distinguishers for the compression functions of Blue Midnight Wish-256 and -512, with data complexity of 2^19 pairs of images of uniformly random unknown inputs with a given difference.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{fseThomsen10,<br />
author = {Søren S. Thomsen},<br />
title = {Pseudo-cryptanalysis of the Original Blue Midnight Wish},<br />
url = {http://eprint.iacr.org/2009/478.pdf},<br />
booktitle = {FSE},<br />
year = {2010},<br />
series = {LNCS},<br />
note = {To appear},<br />
abstract = {The hash function Blue Midnight Wish (BMW) is a candidate in the SHA-3 competition organised by the U.S. National Institute of Standards and Technology (NIST). BMW was selected for the second round of the competition, but the algorithm was tweaked in a number of ways. In this paper we describe cryptanalysis on the original version of BMW, as submitted to the SHA-3 competition in October 2008. When we refer to BMW, we therefore mean the original version of the algorithm.<br />
<br />
The attacks described are (near-)collision, preimage and second preimage attacks on the BMW compression function. These attacks can also be described as pseudo-attacks on the full hash function, i.e., as attacks in which the adversary is allowed to choose the initial value of the hash function. The complexities of the attacks are about 2^{14} for the near-collision attack, about 2^{3n/8+1} for the pseudo-collision attack, and about 2^{3n/4+1} for the pseudo-(second) preimage attack, where n is the output length of the hash function. Memory requirements are negligible. Moreover, the attacks are not (or only moderately) affected by the choice of security parameter for BMW. }<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cryptoeprint:2009:453,<br />
author = {Vlastimil Klima and Petr Susil},<br />
title = {A Note on Linear Approximations of BLUE MIDNIGHT WISH Cryptographic Hash Function},<br />
howpublished = {Cryptology ePrint Archive, Report 2009/453},<br />
year = {2009},<br />
url = {http://eprint.iacr.org/2009/453.pdf},<br />
abstract = {BLUE MIDNIGHT WISH hash function is the fastest among 14 algorithms in the second round of SHA-3 competition [1]. At the beginning of this round authors were invited to add some tweaks before September 15th 2009. In this paper we discuss the tweaked version (BMW). The BMW algorithm [3] is of the type AXR, since it uses only operations ADD (sub), XOR and ROT (shift). If we substitute the operation ADD with operation XOR, we get a BMWlin, which is an affine transformation. In this paper we consider only a BMWlin function and its building blocks. These affine transformations can be represented as a linear matrix and a constant vector. We found that all matrices of main blocks of BMWlin have a full rank, or they have a rank very close to full rank. The structure of matrices was examined. Matrices of elementary blocks have an expected non-random structure, while main blocks have a random structure. We will also show matrices for different values of security parameter ExpandRounds1 (values between 0 and 16). We observed that increasing the number of rounds ExpandRounds1 tends to increase randomness as was intended by designers. These observations hold for both BMW256lin and BMW512lin. In this analysis we did not find any useful property, which would help in cryptanalysis, nor did we find any weaknesses of BMW. The study of all building blocks will follow.}<br />
}<br />
</bibtex><br />
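The procedure in the Klima and Susil note above (replace every ADD by XOR so the function becomes an affine map over GF(2), write it as a matrix plus a constant vector, and inspect the rank) is also the first step of the Mendel and Nad distinguisher cited on the SIMD page, where the linearized compression function is the generator of the code that is searched for low-weight codewords. The following is an added example written for this page, not code from either paper or from the BMW submission: it linearizes a constructed two-word toy ARX step, recovers the GF(2) matrix and constant vector by probing unit vectors, verifies that the linearized step is affine while the original step is not, and computes the rank, comparing the full-rank toy step with a deliberately degenerate one. The toy step, the word size and the round constant are assumptions made for the example.<br />

```python
import random

WORD = 32                   # toy word size (assumption)
MASK = (1 << WORD) - 1
STATE_BITS = 2 * WORD       # the toy state is two words


def rotl(x, r):
    """Rotate a WORD-bit value left by r bits."""
    return ((x << r) | (x >> (WORD - r))) & MASK


def arx_step(a, b, const):
    """Toy ARX step constructed for this example (not BMW): add, rotate, XOR constant."""
    a = (a + b) & MASK
    b = rotl(b, 7) ^ a ^ const
    return a, b


def arx_step_lin(a, b, const):
    """The same step with ADD replaced by XOR: an affine map over GF(2)."""
    a = a ^ b
    b = rotl(b, 7) ^ a ^ const
    return a, b


def weak_step_lin(a, b, const):
    """Deliberately poor linearized step: the second word is a copy of the first
    (plus the constant), so the map is far from full rank."""
    a = a ^ b
    b = a ^ const
    return a, b


def pack(a, b):
    return (a << WORD) | b


def unpack(v):
    return v >> WORD, v & MASK


def apply_step(step, v, const):
    """Run a step on a packed STATE_BITS-bit state and pack the result."""
    return pack(*step(*unpack(v), const))


def affine_matrix(step, const):
    """Probe the map on unit vectors: column i is f(e_i) ^ f(0).
    For an affine f this is its linear part; f(0) is the constant vector."""
    f0 = apply_step(step, 0, const)
    cols = [apply_step(step, 1 << i, const) ^ f0 for i in range(STATE_BITS)]
    return cols, f0


def matvec(cols, v):
    """Multiply the column matrix by the bit-vector v over GF(2)."""
    out = 0
    for i in range(STATE_BITS):
        if (v >> i) & 1:
            out ^= cols[i]
    return out


def is_affine(step, const, trials=200, seed=1):
    """Check f(x) == M*x ^ f(0) on seeded random inputs. Fails for the real ARX step,
    because the carries of modular addition are not linear over GF(2)."""
    rng = random.Random(seed)
    cols, f0 = affine_matrix(step, const)
    return all(apply_step(step, x, const) == matvec(cols, x) ^ f0
               for x in (rng.getrandbits(STATE_BITS) for _ in range(trials)))


def gf2_rank(vectors):
    """Rank over GF(2) by Gaussian elimination on integer bit-vectors."""
    rows = list(vectors)
    rank = 0
    for bit in reversed(range(STATE_BITS)):
        pivot = next((i for i in range(rank, len(rows)) if (rows[i] >> bit) & 1), None)
        if pivot is None:
            continue
        rows[rank], rows[pivot] = rows[pivot], rows[rank]
        for i in range(len(rows)):
            if i != rank and (rows[i] >> bit) & 1:
                rows[i] ^= rows[rank]
        rank += 1
    return rank


def linearized_rank(step, const):
    """Rank of the linear part of an affine step (column rank == row rank)."""
    cols, _ = affine_matrix(step, const)
    return gf2_rank(cols)


if __name__ == "__main__":
    c = 0x9E3779B9           # round constant (assumption)
    print("original step affine?   ", is_affine(arx_step, c))
    print("linearized step affine? ", is_affine(arx_step_lin, c))
    print("rank of linearized step:", linearized_rank(arx_step_lin, c), "of", STATE_BITS)
    print("rank of weak step:      ", linearized_rank(weak_step_lin, c), "of", STATE_BITS)
```

Probing with unit vectors recovers the matrix only because the linearized step really is affine; the is_affine check is there so that the same code, run on the unmodified step, reports the discrepancy instead of silently returning a meaningless rank. The full-rank result for the toy step is the analogue of the observation in the note that the main blocks of BMWlin have full or nearly full rank, and the degenerate step shows what a rank deficiency looks like in the same output.<br />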
<br />
=== Archive ===<br />
<br />
<bibtex><br />
@misc{Thomsen-bmw-compress,<br />
author = {Søren S. Thomsen},<br />
title = {Pseudo-cryptanalysis of Blue Midnight Wish},<br />
url = {http://www.mat.dtu.dk/people/S.Thomsen/bmw/bmw-pseudo.pdf},<br />
howpublished = {Available online},<br />
year = {2009},<br />
abstract ={We describe pseudo-collision and pseudo-(second) preimage attacks on the SHA-3 candidate Blue Midnight Wish. The complexity of the pseudo-collision attack is around 2^{3n/8+1}, and the complexity of the pseudo-(second) preimage attack is around 2^{3n/4+1}.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{Thomsen-bmw-nc-compress,<br />
author = {Søren S. Thomsen},<br />
title = {A near-collision attack on the Blue Midnight Wish compression function},<br />
url = {http://www2.mat.dtu.dk/people/S.Thomsen/bmw/nc-compress.pdf},<br />
howpublished = {Version 2.0, available online},<br />
year = {2008},<br />
}<br />
</bibtex></div>
Tnad https://ehash.iaik.tugraz.at/index.php?title=Blue_Midnight_Wish&diff=3418 Blue Midnight Wish 2010-03-24T11:42:11Z <p>Tnad: /* Cryptanalysis */</p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Danilo Gligoroski, Vlastimil Klima, Svein Johan Knapskog, Mohamed El-Hadedy, Jørn Amundsen, Stig Frode Mjølsnes<br />
* Website: [http://www.q2s.ntnu.no/sha3_nist_competition/start http://www.q2s.ntnu.no/sha3_nist_competition/start]<br />
* NIST submission package: <br />
** round 1: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/Blue_Midnight_Wish.zip Blue_Midnight_Wish.zip]<br />
** round 2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/Blue_Midnight_Wish_Round2.zip Blue_Midnight_Wish_Round2.zip]<br />
<br />
<br />
<bibtex><br />
@misc{sha3GligoroskiKKH+09,<br />
author = {Danilo Gligoroski and Vlastimil Klima and Svein Johan Knapskog and Mohamed El-Hadedy and J\o{}rn Amundsen and Stig Frode Mj\o{}lsnes},<br />
title = {Cryptographic Hash Function BLUE MIDNIGHT WISH},<br />
url = {http://people.item.ntnu.no/~danilog/Hash/BMW-SecondRound/Supporting_Documentation/BlueMidnightWishDocumentation.pdf},<br />
howpublished = {Submission to NIST (Round 2)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3GligoroskiK09,<br />
author = {Danilo Gligoroski and Vlastimil Klima },<br />
title = {A Document describing all modifications made on the Blue Midnight Wish cryptographic hash function before entering the Second Round of SHA-3 hash competition},<br />
url = {http://people.item.ntnu.no/~danilog/Hash/BMW-SecondRound/Supporting_Documentation/Round2Mods.pdf},<br />
howpublished = {Available online},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3GligoroskiKKH+08,<br />
author = {Danilo Gligoroski and Vlastimil Klima and Svein Johan Knapskog and Mohamed El-Hadedy and J\o{}rn Amundsen and Stig Frode Mj\o{}lsnes},<br />
title = {Cryptographic Hash Function BLUE MIDNIGHT WISH},<br />
url = {http://people.item.ntnu.no/~danilog/Hash/BMW/Supporting_Documentation/BlueMidnightWishDocumentation.pdf},<br />
howpublished = {Submission to NIST (Round 1)},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
Recommended security parameter: Expandrounds<sub>1</sub> = '''2'''<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| || || || || ||<br />
|- <br />
|}<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks). <br />
<br />
Recommended security parameter: Expandrounds<sub>1</sub> = '''2'''<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| distinguisher || compression function || 512 || (Round 1) || 2<sup>223.5</sup> || - || [https://cryptolux.org/mediawiki/uploads/0/07/Rotational_distinguishers_%28Nikolic%2C_Pieprzyk%2C_Sokolowski%2C_Steinfeld%29.pdf Nikolić,Pieprzyk,Sokołowski,Steinfeld]<br />
|- <br />
| distinguisher || compression function || 256,512 || (Round 2) || 2<sup>19</sup> || - || [http://131002.net/data/papers/Aum10.pdf Aumasson]<br />
|- <br />
| observation || hash || 256,512 || (Round 2) || - || - || [http://eprint.iacr.org/2009/453.pdf Klima,Susil]<br />
|- <br />
| pseudo-collision || hash || all || (Round 1) || 2<sup>3n/8+1</sup>|| - || [http://eprint.iacr.org/2009/478.pdf Thomsen]<br />
|- <br />
| pseudo-preimage || hash || all || (Round 1) || 2<sup>3n/4+1</sup> || - || [http://eprint.iacr.org/2009/478.pdf Thomsen]<br />
|- <br />
| near-collision || compression || all || (Round 1) || example || - || [http://eprint.iacr.org/2009/478.pdf Thomsen]<br />
|- <br />
|} <br />
<br />
<bibtex><br />
@misc{bmwNikolicPST,<br />
author = {Ivica Nikolić and Josef Pieprzyk and Przemysław Sokołowski and Ron Steinfeld},<br />
title = {Rotational Cryptanalysis of (Modified) Versions of BMW and SIMD},<br />
url = {https://cryptolux.org/mediawiki/uploads/0/07/Rotational_distinguishers_%28Nikolic%2C_Pieprzyk%2C_Sokolowski%2C_Steinfeld%29.pdf},<br />
howpublished = {Available online},<br />
year = {2010},<br />
abstract ={We extend the application of rotational distinguishers to<br />
classes of primitives that besides ARX, may have subtractions, shifts,<br />
and boolean functions. This allows us to launch rotational attacks on<br />
the compression functions of two SHA-3 candidates: BMW and SIMD.<br />
Specifically, we find rotational distinguishers for the compression functions<br />
of:<br />
1. round 1 BMW-512,<br />
2. round 2 BMW-512, with the constant modified in one byte<br />
3. round 1,2 modified SIMD-512 reduced to 24 rounds, with linearized<br />
key schedule<br />
4. round 1,2, SIMD-512 reduced to 12 rounds<br />
Our attacks do not contradict any security claims of the candidates.},<br />
}<br />
</bibtex><br />
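The quantity a rotational distinguisher of the kind Nikolić et al. describe is built from is the probability that a word operation commutes with rotation; for modular addition it is far below 1, for XOR and rotation it is exactly 1. The Python below is an added illustration, not code from the paper and not BMW or SIMD itself. It counts by exhaustive enumeration on 8-bit words (the word size and rotation amount are assumptions chosen so that enumeration is instant) how often addition, subtraction, XOR and a logical shift commute with a rotation, checks the addition count against the closed form, and samples the same probability on 64-bit words, where it comes out near 2^-1.415.

```python
import random
from itertools import product


def rotr(x, r, n):
    """Rotate the n-bit word x right by r positions (0 < r < n)."""
    mask = (1 << n) - 1
    return ((x >> r) | (x << (n - r))) & mask


# Word operations of the kinds the abstract lists (ARX plus subtraction,
# shift, boolean functions).  Each receives the word mask so its result
# stays inside n bits; `shl` ignores y and is a plain logical shift by 1.
def add(x, y, mask):
    return (x + y) & mask


def sub(x, y, mask):
    return (x - y) & mask


def xor(x, y, mask):
    return x ^ y


def shl(x, y, mask):
    return (x << 1) & mask


def rotational_count(op, n, r):
    """Number of pairs (x, y) of n-bit words for which op commutes with
    rotation: rotr(op(x, y)) == op(rotr(x), rotr(y)).  Exhaustive, so keep
    n small (n = 8 means 65536 pairs)."""
    mask = (1 << n) - 1
    hits = 0
    for x, y in product(range(1 << n), repeat=2):
        if rotr(op(x, y, mask), r, n) == op(rotr(x, r, n), rotr(y, r, n), mask):
            hits += 1
    return hits


def rotational_probability(op, n, r):
    return rotational_count(op, n, r) / (1 << (2 * n))


def add_rotational_probability(n, r):
    """Closed form for modular addition.  Split x = (x_h, x_l) with x_l the
    low r bits.  rotr(x + y) == rotr(x) + rotr(y) holds exactly when the
    carry out of x_l + y_l and the carry out of x_h + y_h are both zero;
    the two events are independent with probabilities (1 + 2^-r)/2 and
    (1 + 2^(r-n))/2.  Subtraction behaves identically with borrows."""
    return (1 + 2.0 ** (r - n)) * (1 + 2.0 ** (-r)) / 4


def estimate_probability(op, n, r, samples=20000, seed=1):
    """Monte-Carlo estimate for word sizes where enumeration is infeasible
    (e.g. the 64-bit words of BMW-512).  The fixed seed keeps it reproducible."""
    rng = random.Random(seed)
    mask = (1 << n) - 1
    hits = 0
    for _ in range(samples):
        x, y = rng.getrandbits(n), rng.getrandbits(n)
        if rotr(op(x, y, mask), r, n) == op(rotr(x, r, n), rotr(y, r, n), mask):
            hits += 1
    return hits / samples


if __name__ == "__main__":
    for name, op in (("add", add), ("sub", sub), ("xor", xor), ("shl", shl)):
        print(f"{name}: Pr[rotr(op(x,y)) == op(rotr(x),rotr(y))], 8-bit words, r=1: "
              f"{rotational_probability(op, 8, 1):.4f}")
    print("closed form for add, n=8, r=1:", add_rotational_probability(8, 1))
    print("add on 64-bit words, r=1 (sampled):", estimate_probability(add, 64, 1),
          "vs 2^-1.415 =", round(2 ** -1.415, 4))
```

For 8-bit words and a rotation by one, addition and subtraction each commute with the rotation on 24768 of the 65536 pairs (probability 0.378), XOR on all of them, and the shift on a quarter. Per operation the rotational probability is close to 2^-1.415, which is why a distinguisher for a full compression function multiplies many such factors and why the paper has to handle the shifts and boolean functions separately.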
<br />
<bibtex><br />
@misc{bmwAum10,<br />
author = {Jean-Philippe Aumasson},<br />
title = {Practical distinguisher for the compression function of Blue Midnight Wish},<br />
url = {http://131002.net/data/papers/Aum10.pdf},<br />
howpublished = {Available online},<br />
year = {2010},<br />
abstract ={This note presents distinguishers for the compression functions of Blue Midnight Wish-256 and -512, with data complexity of 2^19 pairs of images of uniformly random unknown inputs with a given difference.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{fseThomsen10,<br />
author = {Søren S. Thomsen},<br />
title = {Pseudo-cryptanalysis of the Original Blue Midnight Wish},<br />
url = {http://eprint.iacr.org/2009/478.pdf},<br />
booktitle = {FSE},<br />
year = {2010},<br />
series = {LNCS},<br />
note = {To appear},<br />
abstract = {The hash function Blue Midnight Wish (BMW) is a candidate in the SHA-3 competition organised by the U.S. National Institute of Standards and Technology (NIST). BMW was selected for the second round of the competition, but the algorithm was tweaked in a number of ways. In this paper we describe cryptanalysis on the original version of BMW, as submitted to the SHA-3 competition in October 2008. When we refer to BMW, we therefore mean the original version of the algorithm.<br />
<br />
The attacks described are (near-)collision, preimage and second preimage attacks on the BMW compression function. These attacks can also be described as pseudo-attacks on the full hash function, i.e., as attacks in which the adversary is allowed to choose the initial value of the hash function. The complexities of the attacks are about 2^{14} for the near-collision attack, about 2^{3n/8+1} for the pseudo-collision attack, and about 2^{3n/4+1} for the pseudo-(second) preimage attack, where n is the output length of the hash function. Memory requirements are negligible. Moreover, the attacks are not (or only moderately) affected by the choice of security parameter for BMW. }<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cryptoeprint:2009:453,<br />
author = {Vlastimil Klima and Petr Susil},<br />
title = {A Note on Linear Approximations of BLUE MIDNIGHT WISH Cryptographic Hash Function},<br />
howpublished = {Cryptology ePrint Archive, Report 2009/453},<br />
year = {2009},<br />
url = {http://eprint.iacr.org/2009/453.pdf},<br />
abstract = {BLUE MIDNIGHT WISH hash function is the fastest among 14 algorithms in the second round of SHA-3 competition [1]. At the beginning of this round authors were invited to add some tweaks before September 15th 2009. In this paper we discuss the tweaked version (BMW). The BMW algorithm [3] is of the type AXR, since it uses only operations ADD (sub), XOR and ROT (shift). If we substitute the operation ADD with operation XOR, we get a BMWlin, which is an affine transformation. In this paper we consider only a BMWlin function and its building blocks. These affine transformations can be represented as a linear matrix and a constant vector. We found that all matrices of main blocks of BMWlin have a full rank, or they have a rank very close to full rank. The structure of matrices was examined. Matrices of elementary blocks have an expected non-random structure, while main blocks have a random structure. We will also show matrices for different values of security parameter ExpandRounds1 (values between 0 and 16). We observed that increasing the number of rounds ExpandRounds1 tends to increase randomness as was intended by designers. These observations hold for both BMW256lin and BMW512lin. In this analysis we did not find any useful property, which would help in cryptanalysis, nor did we find any weaknesses of BMW. The study of all building blocks will follow.}<br />
}<br />
</bibtex><br />
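The linearisation the Klima and Susil note describes (replace every ADD by XOR so the function becomes affine over GF(2), write it as a matrix plus a constant vector, and inspect the rank) can be reproduced on a toy function. The Python below is an added example, not BMW and not the authors' code: the four-word ARX round is an assumption constructed for illustration, but the procedure (check affinity, probe the linearised map with unit vectors to recover its matrix, then Gaussian-eliminate over GF(2)) is the one the note applies to BMWlin. A second variant swaps one rotation for a shift to show what a rank deficit looks like. The same linearised matrix is also the starting point for the coding-theoretic search Mendel and Nad use against SIMD-512 further down this page.

```python
import random

W = 16                       # toy word size in bits (assumption)
NWORDS = 4                   # toy state of four words (assumption)
N = W * NWORDS               # 64-bit toy state
MASK = (1 << W) - 1


def rotl(x, r):
    return ((x << r) | (x >> (W - r))) & MASK


def ADD(x, y):
    return (x + y) & MASK


def XOR(x, y):
    return x ^ y


def step(state, add, lossy=False):
    """One toy ARX round on four W-bit words (an assumption, not BMW).
    `add` is the word-combining operation: ADD for the real round, XOR for
    its linearised shadow.  `lossy=True` replaces one rotation of d by a
    shift, so the top bit of d is dropped: a deliberately rank-deficient
    variant."""
    a, b, c, d = state
    a = add(a, b) ^ rotl(d, 3)
    b = add(b, rotl(c, 7)) ^ (a >> 2)
    c = add(c, d) ^ rotl(a, 11)
    if lossy:
        d = add((d << 1) & MASK, a ^ 0x5A5A) ^ ((b << 1) & MASK)
    else:
        d = add(d, a ^ 0x5A5A) ^ ((b << 1) & MASK)
    return [a, b, c, d]


def pack(words):
    v = 0
    for w in words:
        v = (v << W) | w
    return v


def unpack(v):
    return [(v >> (W * (NWORDS - 1 - i))) & MASK for i in range(NWORDS)]


def f(v, add=ADD, lossy=False):
    """The round as a map on N-bit integers."""
    return pack(step(unpack(v), add, lossy))


def is_affine(fn, samples):
    """fn is affine over GF(2) iff fn(x ^ y) == fn(x) ^ fn(y) ^ fn(0)."""
    c = fn(0)
    return all(fn(x ^ y) == fn(x) ^ fn(y) ^ c for x, y in samples)


def affine_matrix(fn):
    """Write an affine fn as fn(x) = M*x ^ c: c = fn(0) and column i of M is
    fn(e_i) ^ c.  Columns are returned as N-bit integers."""
    c = fn(0)
    return [fn(1 << i) ^ c for i in range(N)], c


def gf2_rank(vectors):
    """Rank of a set of GF(2) vectors (bitmask integers), by elimination."""
    rows = list(vectors)
    rank = 0
    for bit in range(N):
        pivot = next((i for i in range(rank, len(rows)) if (rows[i] >> bit) & 1), None)
        if pivot is None:
            continue
        rows[rank], rows[pivot] = rows[pivot], rows[rank]
        for i in range(len(rows)):
            if i != rank and (rows[i] >> bit) & 1:
                rows[i] ^= rows[rank]
        rank += 1
    return rank


def linearised_rank(lossy=False, rounds=1):
    """Rank of the matrix of the linearised round (ADD -> XOR), iterated
    `rounds` times, mirroring the note's sweep over ExpandRounds1."""
    def lin(v):
        for _ in range(rounds):
            v = f(v, XOR, lossy)
        return v
    cols, _ = affine_matrix(lin)
    return gf2_rank(cols)


def sample_pairs(count=64, seed=1):
    """Constructed test inputs: deterministic pseudo-random state pairs."""
    rng = random.Random(seed)
    return [(rng.getrandbits(N), rng.getrandbits(N)) for _ in range(count)]


if __name__ == "__main__":
    pairs = sample_pairs()
    print("real round affine over GF(2)?      ", is_affine(f, pairs))
    print("linearised round affine over GF(2)?", is_affine(lambda v: f(v, XOR), pairs))
    print("rank of linearised round:          ", linearised_rank(), "of", N)
    print("rank with one shift instead of rot:", linearised_rank(lossy=True), "of", N)
    print("rank after 4 linearised rounds:    ", linearised_rank(rounds=4), "of", N)
```

The real round fails the affinity test as soon as an addition produces a carry, while the XOR version passes it on every sample, which is what makes the matrix representation possible. The toy round is invertible, so its linearised matrix has full rank 64 no matter how many rounds are chained; the variant that discards a bit through a shift has rank 63. A full-rank linearisation is no guarantee of strength, as the note itself says, but a rank deficit points straight at state bits the function never looks at.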
<br />
=== Archive ===<br />
<br />
<bibtex><br />
@misc{Thomsen-bmw-compress,<br />
author = {Søren S. Thomsen},<br />
title = {Pseudo-cryptanalysis of Blue Midnight Wish},<br />
url = {http://www.mat.dtu.dk/people/S.Thomsen/bmw/bmw-pseudo.pdf},<br />
howpublished = {Available online},<br />
year = {2009},<br />
abstract ={We describe pseudo-collision and pseudo-(second) preimage attacks on the SHA-3 candidate Blue Midnight Wish. The complexity of the pseudo-collision attack is around 2^{3n/8+1}, and the complexity of the pseudo-(second) preimage attack is around 2^{3n/4+1}.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{Thomsen-bmw-nc-compress,<br />
author = {Søren S. Thomsen},<br />
title = {A near-collision attack on the Blue Midnight Wish compression function},<br />
url = {http://www2.mat.dtu.dk/people/S.Thomsen/bmw/nc-compress.pdf},<br />
howpublished = {Version 2.0, available online},<br />
year = {2008},<br />
}<br />
</bibtex></div>Tnadhttps://ehash.iaik.tugraz.at/index.php?title=SIMD&diff=3373SIMD2010-02-15T11:32:44Z<p>Tnad: </p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Gaëtan Leurent, Charles Bouillaguet, Pierre-Alain Fouque <br />
* Website: [http://www.di.ens.fr/~leurent/simd.html http://www.di.ens.fr/~leurent/simd.html]<br />
* NIST submission package: <br />
** round 1: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/SIMDUpdate.zip SIMDUpdate.zip] (old version: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/SIMD.zip SIMD.zip])<br />
** round 2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/SIMD_Round2.zip SIMD_Round2.zip]<br />
<br />
<br />
<bibtex><br />
@misc{sha3LBF09,<br />
author = {Gaëtan Leurent and Charles Bouillaguet and Pierre-Alain Fouque},<br />
title = {SIMD Is a Message Digest},<br />
url = {http://www.di.ens.fr/~leurent/files/SIMD.pdf},<br />
howpublished = {Submission to NIST (Round 2)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3LBF08,<br />
author = {Gaëtan Leurent and Charles Bouillaguet and Pierre-Alain Fouque},<br />
title = {SIMD Is a Message Digest},<br />
url = {http://ehash.iaik.tugraz.at/uploads/4/4e/Simd.pdf},<br />
howpublished = {Submission to NIST (Round 1)},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
Recommended security parameter: total number of steps = 32<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| || || || || ||<br />
|- <br />
|} <br />
<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks).<br />
<br />
Recommended security parameter: total number of steps = 32<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| distinguisher || compression || 512 || full (Round 1) || 5*2<sup>425.28</sup> || - || [http://online.tu-graz.ac.at/tug_online/voe_main2.getvolltext?pDocumentNr=125658 Mendel, Nad]<br />
|- <br />
|}<br />
<br />
<br />
<bibtex><br />
@inproceedings{indocryptMendelN09,<br />
author = {Florian Mendel and<br />
Tomislav Nad},<br />
title = {A Distinguisher for the Compression Function of SIMD-512},<br />
booktitle = {INDOCRYPT},<br />
editor = {Bimal K. Roy and<br />
Nicolas Sendrier},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
year = {2009},<br />
pages = {219-232},<br />
volume = {5922},<br />
url = {http://online.tu-graz.ac.at/tug_online/voe_main2.getvolltext?pDocumentNr=125658},<br />
abstract = {SIMD is one of the round 2 candidates of the public SHA-3 competition hosted by NIST. It was designed by Leurent et al. In this paper, we present a distinguisher attack on the compression function of SIMD-512. By linearizing the compression function we construct a linear code. Using techniques from coding theory to search for low Hamming weight codewords, we can find differential characteristics with low Hamming weight (and hence high probability). In the attack the differences are introduced only in the IV. Such a characteristic is the base for our distinguisher, which can distinguish the compression function of SIMD-512 from random with a complexity of 5*2^425.28 compression function calls. Furthermore, we can distinguish the output transformation of SIMD-512 from random with a complexity of about 22*2^425.28 compression function calls. So far this is the first cryptanalytic result for the SIMD hash function.}<br />
}<br />
</bibtex></div>Tnadhttps://ehash.iaik.tugraz.at/index.php?title=Blue_Midnight_Wish&diff=3372Blue Midnight Wish2010-02-15T11:24:15Z<p>Tnad: </p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Danilo Gligoroski, Vlastimil Klima, Svein Johan Knapskog, Mohamed El-Hadedy, Jørn Amundsen, Stig Frode Mjølsnes<br />
* Website: [http://www.q2s.ntnu.no/sha3_nist_competition/start http://www.q2s.ntnu.no/sha3_nist_competition/start]<br />
* NIST submission package: <br />
** round 1: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/Blue_Midnight_Wish.zip Blue_Midnight_Wish.zip]<br />
** round 2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/Blue_Midnight_Wish_Round2.zip Blue_Midnight_Wish_Round2.zip]<br />
<br />
<br />
<bibtex><br />
@misc{sha3GligoroskiKKH+09,<br />
author = {Danilo Gligoroski and Vlastimil Klima and Svein Johan Knapskog and Mohamed El-Hadedy and J\o{}rn Amundsen and Stig Frode Mj\o{}lsnes},<br />
title = {Cryptographic Hash Function BLUE MIDNIGHT WISH},<br />
url = {http://people.item.ntnu.no/~danilog/Hash/BMW-SecondRound/Supporting_Documentation/BlueMidnightWishDocumentation.pdf},<br />
howpublished = {Submission to NIST (Round 2)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3GligoroskiK09,<br />
author = {Danilo Gligoroski and Vlastimil Klima },<br />
title = {A Document describing all modifications made on the Blue Midnight Wish cryptographic hash function before entering the Second Round of SHA-3 hash competition},<br />
url = {http://people.item.ntnu.no/~danilog/Hash/BMW-SecondRound/Supporting_Documentation/Round2Mods.pdf},<br />
howpublished = {Available online},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3GligoroskiKKH+08,<br />
author = {Danilo Gligoroski and Vlastimil Klima and Svein Johan Knapskog and Mohamed El-Hadedy and J\o{}rn Amundsen and Stig Frode Mj\o{}lsnes},<br />
title = {Cryptographic Hash Function BLUE MIDNIGHT WISH},<br />
url = {http://people.item.ntnu.no/~danilog/Hash/BMW/Supporting_Documentation/BlueMidnightWishDocumentation.pdf},<br />
howpublished = {Submission to NIST (Round 1)},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
Recommended security parameter: ExpandRounds<sub>1</sub> = '''2'''<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| || || || || ||<br />
|- <br />
|}<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume that the attacker has more direct control over, or access to, some internal variables (so-called free-start, pseudo-, compression-function, block-cipher, or permutation attacks). <br />
<br />
Recommended security parameter: ExpandRounds<sub>1</sub> = '''2'''<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| observation || hash || 256,512 || (Round 2) || - || - || [http://eprint.iacr.org/2009/453.pdf Klima,Susil]<br />
|- <br />
| pseudo-collision || hash || all || (Round 1) || 2<sup>3n/8+1</sup> || - || [http://www.mat.dtu.dk/people/S.Thomsen/bmw/bmw-pseudo.pdf Thomsen]<br />
|- <br />
| pseudo-(second) preimage || hash || all || (Round 1) || 2<sup>3n/4+1</sup> || - || [http://www.mat.dtu.dk/people/S.Thomsen/bmw/bmw-pseudo.pdf Thomsen]<br />
|- <br />
| near-collision || compression || all || (Round 1) || example || - || [http://www2.mat.dtu.dk/people/S.Thomsen/bmw/nc-compress.pdf Thomsen]<br />
|- <br />
|} <br />
<br />
<br />
<bibtex><br />
@misc{cryptoeprint:2009:453,<br />
author = {Vlastimil Klima and Petr Susil},<br />
title = {A Note on Linear Approximations of BLUE MIDNIGHT WISH Cryptographic Hash Function},<br />
howpublished = {Cryptology ePrint Archive, Report 2009/453},<br />
year = {2009},<br />
url = {http://eprint.iacr.org/2009/453.pdf},<br />
abstract = {BLUE MIDNIGHT WISH hash function is the fastest among 14 algorithms in the second round of SHA-3 competition [1]. At the beginning of this round authors were invited to add some tweaks before September 15th 2009. In this paper we discuss the tweaked version (BMW). The BMW algorithm [3] is of the type AXR, since it uses only operations ADD (sub), XOR and ROT (shift). If we substitute the operation ADD with operation XOR, we get a BMWlin, which is an affine transformation. In this paper we consider only a BMWlin function and its building blocks. These affine transformations can be represented as a linear matrix and a constant vector. We found that all matrices of main blocks of BMWlin have a full rank, or they have a rank very close to full rank. The structure of matrices was examined. Matrices of elementary blocks have an expected non-random structure, while main blocks have a random structure. We will also show matrices for different values of security parameter ExpandRounds1 (values between 0 and 16). We observed that increasing the number of rounds ExpandRounds1 tends to increase randomness as was intended by designers. These observations hold for both BMW256lin and BMW512lin. In this analysis we did not find any useful property, which would help in cryptanalysis, nor did we find any weaknesses of BMW. The study of all building blocks will follow.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{Thomsen-bmw-compress,<br />
author = {Søren S. Thomsen},<br />
title = {Pseudo-cryptanalysis of Blue Midnight Wish},<br />
url = {http://www.mat.dtu.dk/people/S.Thomsen/bmw/bmw-pseudo.pdf},<br />
howpublished = {Available online},<br />
year = {2009},<br />
abstract = {We describe pseudo-collision and pseudo-(second) preimage attacks on the SHA-3 candidate Blue Midnight Wish. The complexity of the pseudo-collision attack is around 2^{3n/8+1}, and the complexity of the pseudo-(second) preimage attack is around 2^{3n/4+1}.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{Thomsen-bmw-nc-compress,<br />
author = {Søren S. Thomsen},<br />
title = {A near-collision attack on the Blue Midnight Wish compression function},<br />
url = {http://www2.mat.dtu.dk/people/S.Thomsen/bmw/nc-compress.pdf},<br />
howpublished = {Version 2.0, available online},<br />
year = {2008},<br />
}<br />
</bibtex></div>Tnadhttps://ehash.iaik.tugraz.at/index.php?title=Blue_Midnight_Wish&diff=3371Blue Midnight Wish2010-02-15T11:24:06Z<p>Tnad: </p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Danilo Gligoroski, Vlastimil Klima, Svein Johan Knapskog, Mohamed El-Hadedy, Jørn Amundsen, Stig Frode Mjølsnes<br />
* Website: [http://www.q2s.ntnu.no/sha3_nist_competition/start http://www.q2s.ntnu.no/sha3_nist_competition/start]<br />
* NIST submission package: <br />
** round 1: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/Blue_Midnight_Wish.zip Blue_Midnight_Wish.zip]<br />
** round 2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/Blue_Midnight_Wish_Round2.zip Blue_Midnight_Wish_Round2.zip]<br />
<br />
<br />
<bibtex><br />
@misc{sha3GligoroskiKKH+09,<br />
author = {Danilo Gligoroski and Vlastimil Klima and Svein Johan Knapskog and Mohamed El-Hadedy and J\o{}rn Amundsen and Stig Frode Mj\o{}lsnes},<br />
title = {Cryptographic Hash Function BLUE MIDNIGHT WISH},<br />
url = {http://people.item.ntnu.no/~danilog/Hash/BMW-SecondRound/Supporting_Documentation/BlueMidnightWishDocumentation.pdf},<br />
howpublished = {Submission to NIST (Round 2)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3GligoroskiK09,<br />
author = {Danilo Gligoroski and Vlastimil Klima},<br />
title = {A Document describing all modifications made on the Blue Midnight Wish cryptographic hash function before entering the Second Round of SHA-3 hash competition},<br />
url = {http://people.item.ntnu.no/~danilog/Hash/BMW-SecondRound/Supporting_Documentation/Round2Mods.pdf},<br />
howpublished = {Available online},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3GligoroskiKKH+08,<br />
author = {Danilo Gligoroski and Vlastimil Klima and Svein Johan Knapskog and Mohamed El-Hadedy and J\o{}rn Amundsen and Stig Frode Mj\o{}lsnes},<br />
title = {Cryptographic Hash Function BLUE MIDNIGHT WISH},<br />
url = {http://people.item.ntnu.no/~danilog/Hash/BMW/Supporting_Documentation/BlueMidnightWishDocumentation.pdf},<br />
howpublished = {Submission to NIST (Round 1)},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
Recommended security parameter: ExpandRounds<sub>1</sub> = '''2'''<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| || || || || ||<br />
|- <br />
|}<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume that the attacker has more direct control over, or access to, some internal variables (so-called free-start, pseudo-, compression-function, block-cipher, or permutation attacks). <br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| observation || hash || 256,512 || (Round 2) || - || - || [http://eprint.iacr.org/2009/453.pdf Klima,Susil]<br />
|- <br />
| pseudo-collision || hash || all || (Round 1) || 2<sup>3n/8+1</sup> || - || [http://www.mat.dtu.dk/people/S.Thomsen/bmw/bmw-pseudo.pdf Thomsen]<br />
|- <br />
| pseudo-(second) preimage || hash || all || (Round 1) || 2<sup>3n/4+1</sup> || - || [http://www.mat.dtu.dk/people/S.Thomsen/bmw/bmw-pseudo.pdf Thomsen]<br />
|- <br />
| near-collision || compression || all || (Round 1) || example || - || [http://www2.mat.dtu.dk/people/S.Thomsen/bmw/nc-compress.pdf Thomsen]<br />
|- <br />
|} <br />
<br />
<br />
<bibtex><br />
@misc{cryptoeprint:2009:453,<br />
author = {Vlastimil Klima and Petr Susil},<br />
title = {A Note on Linear Approximations of BLUE MIDNIGHT WISH Cryptographic Hash Function},<br />
howpublished = {Cryptology ePrint Archive, Report 2009/453},<br />
year = {2009},<br />
url = {http://eprint.iacr.org/2009/453.pdf},<br />
abstract = {BLUE MIDNIGHT WISH hash function is the fastest among 14 algorithms in the second round of SHA-3 competition [1]. At the beginning of this round authors were invited to add some tweaks before September 15th 2009. In this paper we discuss the tweaked version (BMW). The BMW algorithm [3] is of the type AXR, since it uses only operations ADD (sub), XOR and ROT (shift). If we substitute the operation ADD with operation XOR, we get a BMWlin, which is an affine transformation. In this paper we consider only a BMWlin function and its building blocks. These affine transformations can be represented as a linear matrix and a constant vector. We found that all matrices of main blocks of BMWlin have a full rank, or they have a rank very close to full rank. The structure of matrices was examined. Matrices of elementary blocks have an expected non-random structure, while main blocks have a random structure. We will also show matrices for different values of security parameter ExpandRounds1 (values between 0 and 16). We observed that increasing the number of rounds ExpandRounds1 tends to increase randomness as was intended by designers. These observations hold for both BMW256lin and BMW512lin. In this analysis we did not find any useful property, which would help in cryptanalysis, nor did we find any weaknesses of BMW. The study of all building blocks will follow.}<br />
}<br />
</bibtex><br />
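A worked illustration of the linearisation technique described in the Klima-Susil abstract (the same entry is listed in the earlier revision of this page above), added here as an editorial example; it is not code from the BMW submission or from the note. Every modular ADD is replaced by XOR, which turns an ADD/XOR/ROT ("AXR") function into an affine map x -> Mx + c over GF(2); M and c are then recovered by probing the map on 0 and the unit vectors, and M is checked for rank and density. The round function `toy_round`, its four 16-bit words and its round constant are assumptions chosen for the example, not Blue Midnight Wish's real building blocks.<br />
<br />
```python
"""Linearising an ARX ("AXR") round function over GF(2).

Added editorial example, not code from Blue Midnight Wish or from the
Klima-Susil note. It shows the technique their abstract describes:
replace every modular ADD by XOR, obtain an affine map x -> M*x xor c
over GF(2), recover M and c by probing, then examine rank and density.
The toy round, its 16-bit words and its constant are assumptions.
"""
import random
from typing import Callable, List, Tuple

W = 16                    # word size in bits (assumption for the toy)
MASK = (1 << W) - 1
NW = 4                    # number of state words (assumption)
N = W * NW                # state size in bits
ROUND_CONST = 0x5A3C      # arbitrary constant: makes the map affine, not linear


def rotl(x: int, r: int) -> int:
    """Rotate a W-bit word left by r bits (GF(2)-linear)."""
    r %= W
    return ((x << r) | (x >> (W - r))) & MASK


def toy_round(state: List[int], linear: bool) -> List[int]:
    """One constructed AXR round. linear=True swaps ADD for XOR (the "lin" variant)."""
    add = (lambda u, v: u ^ v) if linear else (lambda u, v: (u + v) & MASK)
    a, b, c, d = state
    a = add(a, b ^ ROUND_CONST)
    d = rotl(d ^ a, 7)
    c = add(c, d)
    b = rotl(b ^ c, 3) ^ (c >> 4)          # shift and rotate are both GF(2)-linear
    a = add(a, (b << 5) & MASK)
    return [a, b, c, d]


def make_map(rounds: int, linear: bool) -> Callable[[int], int]:
    """Wrap `rounds` toy rounds as a function on N-bit integers (word i at bits W*i..)."""
    def f(x: int) -> int:
        state = [(x >> (W * i)) & MASK for i in range(NW)]
        for _ in range(rounds):
            state = toy_round(state, linear)
        return sum(w << (W * i) for i, w in enumerate(state))
    return f


def affine_form(f: Callable[[int], int]) -> Tuple[List[int], int]:
    """Recover (M, c) with f(x) = M x xor c by probing f on 0 and on each unit vector.
    M is returned as N column vectors, each packed into an int."""
    c = f(0)
    columns = [f(1 << i) ^ c for i in range(N)]
    return columns, c


def apply_affine(columns: List[int], c: int, x: int) -> int:
    """Evaluate M x xor c from the column representation."""
    y = c
    for i, col in enumerate(columns):
        if (x >> i) & 1:
            y ^= col
    return y


def gf2_rank(vectors: List[int], nbits: int = N) -> int:
    """Rank of a set of GF(2) vectors (ints) by elimination on the leading bit."""
    pivot = {}                                  # leading bit -> basis vector
    for v in vectors:
        for i in range(nbits - 1, -1, -1):
            if not (v >> i) & 1:
                continue
            if i in pivot:
                v ^= pivot[i]                   # clears bit i, continue downward
            else:
                pivot[i] = v
                break
    return len(pivot)


def is_affine(f: Callable[[int], int], samples: int = 64, seed: int = 1) -> bool:
    """Randomised affinity check: f(x^y) == f(x)^f(y)^f(0) must hold for all x, y."""
    rng = random.Random(seed)
    c = f(0)
    for _ in range(samples):
        x, y = rng.getrandbits(N), rng.getrandbits(N)
        if f(x ^ y) != f(x) ^ f(y) ^ c:
            return False
    return True


def matrix_density(columns: List[int]) -> float:
    """Fraction of 1 entries in M, a crude measure of how far diffusion has spread."""
    ones = sum(bin(col).count("1") for col in columns)
    return ones / (N * len(columns))


if __name__ == "__main__":
    for rounds in (1, 2, 4):
        lin = make_map(rounds, linear=True)
        cols, c = affine_form(lin)
        print("rounds=%d affine(lin)=%s affine(mod)=%s rank=%d/%d density=%.3f"
              % (rounds, is_affine(lin), is_affine(make_map(rounds, linear=False)),
                 gf2_rank(cols), N, matrix_density(cols)))
```
<br />
The modular variant fails the affinity check while the XOR variant passes it, which is exactly why the linearised BMWlin can be written as a matrix plus a constant vector at all; the rank and density of M are the quantities the note examines for BMW's own blocks and for different values of ExpandRounds1.<br />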
<br />
<bibtex><br />
@misc{Thomsen-bmw-compress,<br />
author = {Søren S. Thomsen},<br />
title = {Pseudo-cryptanalysis of Blue Midnight Wish},<br />
url = {http://www.mat.dtu.dk/people/S.Thomsen/bmw/bmw-pseudo.pdf},<br />
howpublished = {Available online},<br />
year = {2009},<br />
abstract = {We describe pseudo-collision and pseudo-(second) preimage attacks on the SHA-3 candidate Blue Midnight Wish. The complexity of the pseudo-collision attack is around 2^{3n/8+1}, and the complexity of the pseudo-(second) preimage attack is around 2^{3n/4+1}.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{Thomsen-bmw-nc-compress,<br />
author = {Søren S. Thomsen},<br />
title = {A near-collision attack on the Blue Midnight Wish compression function},<br />
url = {http://www2.mat.dtu.dk/people/S.Thomsen/bmw/nc-compress.pdf},<br />
howpublished = {Version 2.0, available online},<br />
year = {2008},<br />
}<br />
</bibtex></div>Tnadhttps://ehash.iaik.tugraz.at/index.php?title=Shabal&diff=3370Shabal2010-02-15T11:23:32Z<p>Tnad: /* Building blocks */</p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Emmanuel Bresson, Anne Canteaut, Benoît Chevallier-Mames, Christophe Clavier, Thomas Fuhr, Aline Gouget, Thomas Icart, Jean-François Misarsky, María Naya-Plasencia, Pascal Paillier, Thomas Pornin, Jean-René Reinhard, Céline Thuillet, Marion Videau<br />
* Website: http://www.shabal.com/<br />
* NIST submission package: <br />
** round 1/2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/Shabal_Round2.zip Shabal_Round2.zip] (old version: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/Shabal.zip Shabal.zip])<br />
<br />
<br />
<bibtex><br />
@misc{sha3CanteautCGPP08,<br />
author = {Emmanuel Bresson and Anne Canteaut and Benoît Chevallier-Mames and Christophe Clavier and Thomas Fuhr and Aline Gouget and Thomas Icart and Jean-François Misarsky and María Naya-Plasencia and Pascal Paillier and Thomas Pornin and Jean-René Reinhard and Céline Thuillet and Marion Videau},<br />
title = {Shabal, a Submission to NIST’s Cryptographic Hash Algorithm Competition},<br />
url = {http://ehash.iaik.tugraz.at/uploads/6/6c/Shabal.pdf},<br />
howpublished = {Submission to NIST},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cryptoeprint:2009:199,<br />
author = {Emmanuel Bresson and Anne Canteaut and Benoît Chevallier-Mames and Christophe Clavier and Thomas Fuhr and Aline Gouget and Thomas Icart and Jean-François Misarsky and María Naya-Plasencia and Pascal Paillier and Thomas Pornin and Jean-René Reinhard and Céline Thuillet and Marion Videau},<br />
title = {Indifferentiability with Distinguishers: Why Shabal Does Not Require Ideal Ciphers},<br />
howpublished = {Cryptology ePrint Archive, Report 2009/199},<br />
year = {2009},<br />
url = {http://eprint.iacr.org/2009/199.pdf},<br />
abstract = {Shabal is based on a new provably secure mode of operation. Some related-key distinguishers for the underlying keyed permutation have been exhibited recently by Aumasson et al. and Knudsen et al., but with no visible impact on the security of Shabal. This paper then aims at extensively studying such distinguishers for the keyed permutation used in Shabal, and at clarifying the impact that they exert on the security of the full hash function. Most interestingly, a new security proof for Shabal's mode of operation is provided where the keyed permutation is not assumed to be an ideal cipher anymore, but observes a distinguishing property i.e., an explicit relation verified by all its inputs and outputs. As a consequence of this extended proof, all known distinguishers for the keyed permutation are proven not to weaken the security of Shabal. In our study, we provide the foundation of a generalization of the indifferentiability framework to biased random primitives, this part being of independent interest.},<br />
}<br />
</bibtex><br />
<br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
Recommended security parameters: (p,r)='''(3,12)'''<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| || || || || ||<br />
|- <br />
|}<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume that the attacker has more direct control over, or access to, some internal variables (so-called free-start, pseudo-, compression-function, block-cipher, or permutation attacks). <br />
<br />
Recommended security parameters: (p,r)='''(3,12)'''<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| non-randomness<sup>(1)</sup> || permutation || all || - || 2<sup>12</sup> || - || [http://131002.net/data/papers/Aum09.pdf Aumasson]<br />
|- <br />
| non-randomness<sup>(1)</sup> || permutation || all || - || 1 || - || [http://www.mat.dtu.dk/people/S.Thomsen/shabal/shabal.pdf Knudsen,Matusiewicz,Thomsen]<br />
|- <br />
| non-randomness<sup>(1)</sup> || permutation || all || - || 2 || - || [http://131002.net/data/papers/AMM09.pdf Aumasson,Mashatan,Meier]<br />
|- <br />
|} <br />
<sup>(1)</sup>The Shabal team commented on these analyses and provided an updated security proof, which covers the known distinguishers for the keyed permutation, in [http://eprint.iacr.org/2009/199.pdf this note].<br />
<br />
<br />
<br />
<bibtex><br />
@misc{shabalAum09,<br />
author = {Jean-Philippe Aumasson},<br />
title = {On the pseudorandomness of Shabal's keyed permutation},<br />
url = {http://131002.net/data/papers/Aum09.pdf},<br />
howpublished = {Available online},<br />
year = {2009},<br />
abstract = {<br />
We report observations suggesting that the permutation used in<br />
Shabal does not behave pseudorandomly. This does not affect the<br />
security of Shabal as submitted to the NIST Hash Competition.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{shabalKMT09,<br />
author = {Lars R. Knudsen and Krystian Matusiewicz and Søren S. Thomsen},<br />
title = {Observations on the Shabal keyed permutation},<br />
url = {http://www.mat.dtu.dk/people/S.Thomsen/shabal/shabal.pdf},<br />
howpublished = {OFFICIAL COMMENT},<br />
year = {2009},<br />
abstract = {<br />
In this note we show that the permutation P used in the Shabal hash function, which is<br />
a candidate in the SHA-3 competition, has some non-random properties. As an example,<br />
it is easy to find a number of fixed points in the permutation. Moreover, large key-multicollisions<br />
can be easily found; these are multi-collisions where only the key input contains<br />
a difference. All observations are easily verified, and most of them are independent of the<br />
choice of security parameters. Our observations, on the other hand, do not seem extensible<br />
to the full hash function.<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{shabalAum09a,<br />
author = {Jean-Philippe Aumasson and Atefeh Mashatan and Willi Meier},<br />
title = {More on Shabal's permutation},<br />
url = {http://131002.net/data/papers/AMM09.pdf},<br />
howpublished = {OFFICIAL COMMENT},<br />
year = {2009},<br />
}<br />
</bibtex></div>Tnadhttps://ehash.iaik.tugraz.at/index.php?title=Shabal&diff=3369Shabal2010-02-15T11:23:21Z<p>Tnad: </p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Emmanuel Bresson, Anne Canteaut, Benoît Chevallier-Mames, Christophe Clavier, Thomas Fuhr, Aline Gouget, Thomas Icart, Jean-François Misarsky, María Naya-Plasencia, Pascal Paillier, Thomas Pornin, Jean-René Reinhard, Céline Thuillet, Marion Videau<br />
* Website: http://www.shabal.com/<br />
* NIST submission package: <br />
** round 1/2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/Shabal_Round2.zip Shabal_Round2.zip] (old version: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/Shabal.zip Shabal.zip])<br />
<br />
<br />
<bibtex><br />
@misc{sha3CanteautCGPP08,<br />
author = {Emmanuel Bresson and Anne Canteaut and Benoît Chevallier-Mames and Christophe Clavier and Thomas Fuhr and Aline Gouget and Thomas Icart and Jean-François Misarsky and María Naya-Plasencia and Pascal Paillier and Thomas Pornin and Jean-René Reinhard and Céline Thuillet and Marion Videau},<br />
title = {Shabal, a Submission to NIST’s Cryptographic Hash Algorithm Competition},<br />
url = {http://ehash.iaik.tugraz.at/uploads/6/6c/Shabal.pdf},<br />
howpublished = {Submission to NIST},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cryptoeprint:2009:199,<br />
author = {Emmanuel Bresson and Anne Canteaut and Benoît Chevallier-Mames and Christophe Clavier and Thomas Fuhr and Aline Gouget and Thomas Icart and Jean-François Misarsky and María Naya-Plasencia and Pascal Paillier and Thomas Pornin and Jean-René Reinhard and Céline Thuillet and Marion Videau},<br />
title = {Indifferentiability with Distinguishers: Why Shabal Does Not Require Ideal Ciphers},<br />
howpublished = {Cryptology ePrint Archive, Report 2009/199},<br />
year = {2009},<br />
url = {http://eprint.iacr.org/2009/199.pdf},<br />
abstract = {Shabal is based on a new provably secure mode of operation. Some related-key distinguishers for the underlying keyed permutation have been exhibited recently by Aumasson et al. and Knudsen et al., but with no visible impact on the security of Shabal. This paper then aims at extensively studying such distinguishers for the keyed permutation used in Shabal, and at clarifying the impact that they exert on the security of the full hash function. Most interestingly, a new security proof for Shabal's mode of operation is provided where the keyed permutation is not assumed to be an ideal cipher anymore, but observes a distinguishing property i.e., an explicit relation verified by all its inputs and outputs. As a consequence of this extended proof, all known distinguishers for the keyed permutation are proven not to weaken the security of Shabal. In our study, we provide the foundation of a generalization of the indifferentiability framework to biased random primitives, this part being of independent interest.},<br />
}<br />
</bibtex><br />
<br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
Recommended security parameters: (p,r)='''(3,12)'''<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| || || || || ||<br />
|- <br />
|}<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume that the attacker has more direct control over, or access to, some internal variables (so-called free-start, pseudo-, compression-function, block-cipher, or permutation attacks). <br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| non-randomness<sup>(1)</sup> || permutation || all || - || 2<sup>12</sup> || - || [http://131002.net/data/papers/Aum09.pdf Aumasson]<br />
|- <br />
| non-randomness<sup>(1)</sup> || permutation || all || - || 1 || - || [http://www.mat.dtu.dk/people/S.Thomsen/shabal/shabal.pdf Knudsen,Matusiewicz,Thomsen]<br />
|- <br />
| non-randomness<sup>(1)</sup> || permutation || all || - || 2 || - || [http://131002.net/data/papers/AMM09.pdf Aumasson,Mashatan,Meier]<br />
|- <br />
|} <br />
<sup>(1)</sup>The Shabal team commented on these analyses and provided an updated security proof, which covers the known distinguishers for the keyed permutation, in [http://eprint.iacr.org/2009/199.pdf this note].<br />
<br />
<br />
<br />
<bibtex><br />
@misc{shabalAum09,<br />
author = {Jean-Philippe Aumasson},<br />
title = {On the pseudorandomness of Shabal's keyed permutation},<br />
url = {http://131002.net/data/papers/Aum09.pdf},<br />
howpublished = {Available online},<br />
year = {2009},<br />
abstract = {<br />
We report observations suggesting that the permutation used in<br />
Shabal does not behave pseudorandomly. This does not affect the<br />
security of Shabal as submitted to the NIST Hash Competition.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{shabalKMT09,<br />
author = {Lars R. Knudsen and Krystian Matusiewicz and Søren S. Thomsen},<br />
title = {Observations on the Shabal keyed permutation},<br />
url = {http://www.mat.dtu.dk/people/S.Thomsen/shabal/shabal.pdf},<br />
howpublished = {OFFICIAL COMMENT},<br />
year = {2009},<br />
abstract = {<br />
In this note we show that the permutation P used in the Shabal hash function, which is<br />
a candidate in the SHA-3 competition, has some non-random properties. As an example,<br />
it is easy to find a number of fixed points in the permutation. Moreover, large key-multicollisions<br />
can be easily found; these are multi-collisions where only the key input contains<br />
a difference. All observations are easily verified, and most of them are independent of the<br />
choice of security parameters. Our observations, on the other hand, do not seem extensible<br />
to the full hash function.<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{shabalAum09a,<br />
author = {Jean-Philippe Aumasson and Atefeh Mashatan and Willi Meier},<br />
title = {More on Shabal's permutation},<br />
url = {http://131002.net/data/papers/AMM09.pdf},<br />
howpublished = {OFFICIAL COMMENT},<br />
year = {2009},<br />
}<br />
</bibtex></div>Tnadhttps://ehash.iaik.tugraz.at/index.php?title=Shabal&diff=3368Shabal2010-02-15T10:59:06Z<p>Tnad: added footnote</p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Emmanuel Bresson, Anne Canteaut, Benoît Chevallier-Mames, Christophe Clavier, Thomas Fuhr, Aline Gouget, Thomas Icart, Jean-François Misarsky, María Naya-Plasencia, Pascal Paillier, Thomas Pornin, Jean-René Reinhard, Céline Thuillet, Marion Videau<br />
* Website: http://www.shabal.com/<br />
* NIST submission package: <br />
** round 1/2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/Shabal_Round2.zip Shabal_Round2.zip] (old version: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/Shabal.zip Shabal.zip])<br />
<br />
<br />
<bibtex><br />
@misc{sha3CanteautCGPP08,<br />
author = {Emmanuel Bresson and Anne Canteaut and Benoît Chevallier-Mames and Christophe Clavier and Thomas Fuhr and Aline Gouget and Thomas Icart and Jean-François Misarsky and María Naya-Plasencia and Pascal Paillier and Thomas Pornin and Jean-René Reinhard and Céline Thuillet and Marion Videau},<br />
title = {Shabal, a Submission to NIST’s Cryptographic Hash Algorithm Competition},<br />
url = {http://ehash.iaik.tugraz.at/uploads/6/6c/Shabal.pdf},<br />
howpublished = {Submission to NIST},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cryptoeprint:2009:199,<br />
author = {Emmanuel Bresson and Anne Canteaut and Benoît Chevallier-Mames and Christophe Clavier and Thomas Fuhr and Aline Gouget and Thomas Icart and Jean-François Misarsky and María Naya-Plasencia and Pascal Paillier and Thomas Pornin and Jean-René Reinhard and Céline Thuillet and Marion Videau},<br />
title = {Indifferentiability with Distinguishers: Why Shabal Does Not Require Ideal Ciphers},<br />
howpublished = {Cryptology ePrint Archive, Report 2009/199},<br />
year = {2009},<br />
url = {http://eprint.iacr.org/2009/199.pdf},<br />
abstract = {Shabal is based on a new provably secure mode of operation. Some related-key distinguishers for the underlying keyed permutation have been exhibited recently by Aumasson et al. and Knudsen et al., but with no visible impact on the security of Shabal. This paper then aims at extensively studying such distinguishers for the keyed permutation used in Shabal, and at clarifying the impact that they exert on the security of the full hash function. Most interestingly, a new security proof for Shabal's mode of operation is provided where the keyed permutation is not assumed to be an ideal cipher anymore, but observes a distinguishing property i.e., an explicit relation verified by all its inputs and outputs. As a consequence of this extended proof, all known distinguishers for the keyed permutation are proven not to weaken the security of Shabal. In our study, we provide the foundation of a generalization of the indifferentiability framework to biased random primitives, this part being of independent interest.},<br />
}<br />
</bibtex><br />
<br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the actual hash function. The only allowed modification is to change the security parameter.<br />
<br />
Recommended security parameters: (p,r)='''(3,12)'''<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| || || || || ||<br />
|- <br />
|} <br />
<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume that the attacker has more direct control over, or access to, some internal variables (so-called free-start, pseudo-, compression-function, block-cipher, or permutation attacks). <br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| non-randomness<sup>(1)</sup> || permutation || all || - || 2<sup>12</sup> || - || [http://131002.net/data/papers/Aum09.pdf Aumasson]<br />
|- <br />
| non-randomness<sup>(1)</sup> || permutation || all || - || 1 || - || [http://www.mat.dtu.dk/people/S.Thomsen/shabal/shabal.pdf Knudsen,Matusiewicz,Thomsen]<br />
|- <br />
| non-randomness<sup>(1)</sup> || permutation || all || - || 2 || - || [http://131002.net/data/papers/AMM09.pdf Aumasson,Mashatan,Meier]<br />
|- <br />
|} <br />
<sup>(1)</sup>The Shabal team commented on these analyses and provided an updated security proof, which covers the known distinguishers for the keyed permutation, in [http://eprint.iacr.org/2009/199.pdf this note].<br />
<br />
<br />
<br />
<bibtex><br />
@misc{shabalAum09,<br />
author = {Jean-Philippe Aumasson},<br />
title = {On the pseudorandomness of Shabal's keyed permutation},<br />
url = {http://131002.net/data/papers/Aum09.pdf},<br />
howpublished = {Available online},<br />
year = {2009},<br />
abstract = {<br />
We report observations suggesting that the permutation used in<br />
Shabal does not behave pseudorandomly. This does not affect the<br />
security of Shabal as submitted to the NIST Hash Competition.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{shabalKMT09,<br />
author = {Lars R. Knudsen and Krystian Matusiewicz and Søren S. Thomsen},<br />
title = {Observations on the Shabal keyed permutation},<br />
url = {http://www.mat.dtu.dk/people/S.Thomsen/shabal/shabal.pdf},<br />
howpublished = {OFFICIAL COMMENT},<br />
year = {2009},<br />
abstract = {<br />
In this note we show that the permutation P used in the Shabal hash function, which is<br />
a candidate in the SHA-3 competition, has some non-random properties. As an example,<br />
it is easy to find a number of fixed points in the permutation. Moreover, large key-multicollisions<br />
can be easily found; these are multi-collisions where only the key input contains<br />
a difference. All observations are easily verified, and most of them are independent of the<br />
choice of security parameters. Our observations, on the other hand, do not seem extensible<br />
to the full hash function.<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{shabalAum09a,<br />
author = {Jean-Philippe Aumasson and Atefeh Mashatan and Willi Meier},<br />
title = {More on Shabal's permutation},<br />
url = {http://131002.net/data/papers/AMM09.pdf},<br />
howpublished = {OFFICIAL COMMENT},<br />
year = {2009},<br />
}<br />
</bibtex></div>Tnadhttps://ehash.iaik.tugraz.at/index.php?title=SIMD&diff=3366SIMD2010-02-15T10:26:48Z<p>Tnad: /* Building blocks */</p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Gaëtan Leurent, Charles Bouillaguet, Pierre-Alain Fouque <br />
* Website: [http://www.di.ens.fr/~leurent/simd.html http://www.di.ens.fr/~leurent/simd.html]<br />
* NIST submission package: <br />
** round 1: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/SIMDUpdate.zip SIMDUpdate.zip] (old version: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/SIMD.zip SIMD.zip])<br />
** round 2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/SIMD_Round2.zip SIMD_Round2.zip]<br />
<br />
<br />
<bibtex><br />
@misc{sha3LBF09,<br />
author = {Gaëtan Leurent and Charles Bouillaguet and Pierre-Alain Fouque},<br />
title = {SIMD Is a Message Digest},<br />
url = {http://www.di.ens.fr/~leurent/files/SIMD.pdf},<br />
howpublished = {Submission to NIST (Round 2)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3LBF08,<br />
author = {Gaëtan Leurent and Charles Bouillaguet and Pierre-Alain Fouque},<br />
title = {SIMD Is a Message Digest},<br />
url = {http://ehash.iaik.tugraz.at/uploads/4/4e/Simd.pdf},<br />
howpublished = {Submission to NIST (Round 1)},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the actual hash function. The only allowed modification is to change the security parameter.<br />
<br />
Recommended security parameter: 2.k='''2.16''' steps<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| || || || || ||<br />
|- <br />
|} <br />
<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on the underlying building blocks, and on the hash function modified by means other than the security parameter.<br />
<br />
Note that these results assume more direct control over, or access to, some internal variables (so-called free-start, pseudo, compression-function, block-cipher or permutation attacks).<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| distinguisher || compression || 512 || full (Round 1) || 5*2<sup>425.28</sup> || - || [http://online.tu-graz.ac.at/tug_online/voe_main2.getvolltext?pDocumentNr=125658 Mendel, Nad]<br />
|- <br />
|}<br />
<br />
<br />
<bibtex><br />
@inproceedings{indocryptMendelN09,<br />
author = {Florian Mendel and<br />
Tomislav Nad},<br />
title = {A Distinguisher for the Compression Function of SIMD-512},<br />
booktitle = {INDOCRYPT},<br />
editor = {Bimal K. Roy and<br />
Nicolas Sendrier},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
year = {2009},<br />
pages = {219-232},<br />
volume = {5922},<br />
url = {http://online.tu-graz.ac.at/tug_online/voe_main2.getvolltext?pDocumentNr=125658},<br />
abstract = {SIMD is one of the round 2 candidates of the public SHA-3<br />
competition hosted by NIST. It was designed by Leurent et al. In this<br />
paper, we present a distinguisher attack on the compression function of<br />
SIMD-512. By linearizing the compression function we construct a linear<br />
code. Using techniques from coding theory to search for low Hamming<br />
weight codewords, we can find differential characteristics with low Hamming<br />
weight (and hence high probability). In the attack the differences<br />
are introduced only in the IV. Such a characteristic is the base for our distinguisher,<br />
which can distinguish the compression function of SIMD-512<br />
from random with a complexity of 5*2^425.28 compression function calls.<br />
Furthermore, we can distinguish the output transformation of SIMD-512<br />
from random with a complexity of about 22*2^425.28 compression function<br />
calls. So far this is the first cryptanalytic result for the SIMD hash<br />
function.}<br />
}<br />
</bibtex></div>Tnadhttps://ehash.iaik.tugraz.at/index.php?title=Blue_Midnight_Wish&diff=3365Blue Midnight Wish2010-02-15T10:26:33Z<p>Tnad: A Note on Linear Approximations of BLUE MIDNIGHT WISH Cryptographic Hash Function</p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Danilo Gligoroski, Vlastimil Klima, Svein Johan Knapskog, Mohamed El-Hadedy, Jørn Amundsen, Stig Frode Mjølsnes<br />
* Website: [http://www.q2s.ntnu.no/sha3_nist_competition/start http://www.q2s.ntnu.no/sha3_nist_competition/start]<br />
* NIST submission package: <br />
** round 1: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/Blue_Midnight_Wish.zip Blue_Midnight_Wish.zip]<br />
** round 2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/Blue_Midnight_Wish_Round2.zip Blue_Midnight_Wish_Round2.zip]<br />
<br />
<br />
<bibtex><br />
@misc{sha3GligoroskiKKH+09,<br />
author = {Danilo Gligoroski and Vlastimil Klima and Svein Johan Knapskog and Mohamed El-Hadedy and J\o{}rn Amundsen and Stig Frode Mj\o{}lsnes},<br />
title = {Cryptographic Hash Function BLUE MIDNIGHT WISH},<br />
url = {http://people.item.ntnu.no/~danilog/Hash/BMW-SecondRound/Supporting_Documentation/BlueMidnightWishDocumentation.pdf},<br />
howpublished = {Submission to NIST (Round 2)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3GligoroskiK09,<br />
author = {Danilo Gligoroski and Vlastimil Klima },<br />
title = {A Document describing all modifications made on the Blue Midnight Wish cryptographic hash function before entering the Second Round of SHA-3 hash competition},<br />
url = {http://people.item.ntnu.no/~danilog/Hash/BMW-SecondRound/Supporting_Documentation/Round2Mods.pdf},<br />
howpublished = {Available online},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3GligoroskiKKH+08,<br />
author = {Danilo Gligoroski and Vlastimil Klima and Svein Johan Knapskog and Mohamed El-Hadedy and J\o{}rn Amundsen and Stig Frode Mj\o{}lsnes},<br />
title = {Cryptographic Hash Function BLUE MIDNIGHT WISH},<br />
url = {http://people.item.ntnu.no/~danilog/Hash/BMW/Supporting_Documentation/BlueMidnightWishDocumentation.pdf},<br />
howpublished = {Submission to NIST (Round 1)},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the actual hash function. The only allowed modification is to change the security parameter.<br />
<br />
Recommended security parameter: Expandrounds<sub>1</sub> = '''2'''<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| || || || || ||<br />
|- <br />
|} <br />
<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on the underlying building blocks, and on the hash function modified by means other than the security parameter.<br />
<br />
Note that these results assume more direct control over, or access to, some internal variables (so-called free-start, pseudo, compression-function, block-cipher or permutation attacks).<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| observation || hash || 256,512 || (Round 2) || - || - || [http://eprint.iacr.org/2009/453.pdf Klima,Susil]<br />
|- <br />
| pseudo-collision || hash || all || (Round 1) || 2<sup>3n/8+1</sup>|| - || [http://www.mat.dtu.dk/people/S.Thomsen/bmw/bmw-pseudo.pdf Thomsen]<br />
|- <br />
| pseudo-preimage || hash || all || (Round 1) || 2<sup>3n/4+1</sup> || - || [http://www.mat.dtu.dk/people/S.Thomsen/bmw/bmw-pseudo.pdf Thomsen]<br />
|- <br />
| near-collision || compression || all || (Round 1) || example || - || [http://www2.mat.dtu.dk/people/S.Thomsen/bmw/nc-compress.pdf Thomsen]<br />
|- <br />
|} <br />
<br />
<bibtex><br />
@misc{cryptoeprint:2009:453,<br />
author = {Vlastimil Klima and Petr Susil},<br />
title = {A Note on Linear Approximations of BLUE MIDNIGHT WISH Cryptographic Hash Function},<br />
howpublished = {Cryptology ePrint Archive, Report 2009/453},<br />
year = {2009},<br />
url = {http://eprint.iacr.org/2009/453.pdf},<br />
abstract = {The BLUE MIDNIGHT WISH hash function is the fastest among 14 algorithms in the second round of SHA-3 competition [1]. At the beginning of this round authors were invited to add some tweaks before September 15th 2009. In this paper we discuss the tweaked version (BMW). The BMW algorithm [3] is of the type AXR, since it uses only operations ADD (sub), XOR and ROT (shift). If we substitute the operation ADD with operation XOR, we get a BMWlin, which is an affine transformation. In this paper we consider only a BMWlin function and its building blocks. These affine transformations can be represented as a linear matrix and a constant vector. We found that all matrices of main blocks of BMWlin have a full rank, or they have a rank very close to full rank. The structure of matrices was examined. Matrices of elementary blocks have an expected non-random structure, while main blocks have a random structure. We will also show matrices for different values of security parameter ExpandRounds1 (values between 0 and 16). We observed that increasing the number of rounds ExpandRounds1 tends to increase randomness as was intended by designers. These observations hold for both BMW256lin and BMW512lin. In this analysis we did not find any useful property, which would help in cryptanalysis, nor did we find any weaknesses of BMW. The study of all building blocks will follow.}<br />
}<br />
</bibtex><br />
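<br />
The following Python code is an added illustration of the linearization technique the note above describes (replace ADD by XOR, view the result as a GF(2) matrix plus a constant vector, examine its rank); the same linearization is also the first step of the SIMD-512 compression-function distinguisher listed on this page. It is not code from the BMW or SIMD submissions or from either paper. The step function it linearizes, toy_step, is a hypothetical three-word AXR step assumed here for illustration only, not the BMW f<sub>0</sub>/f<sub>1</sub> functions or a SIMD step; its rotation amounts and round constant are likewise arbitrary assumptions.<br />
<br />
```python
"""Linearizing an AXR/ARX step over GF(2).

Added example, not code from the BMW or SIMD submissions or papers: toy_step is
a hypothetical three-word step built only from ADD, XOR and ROT, standing in
for a real AXR round (it is NOT the BMW f0/f1 functions or the SIMD step).
"""
import random

WORD = 32
MASK = (1 << WORD) - 1
NBITS = 3 * WORD            # state: three 32-bit words packed into one int
ROUND_CONST = 0x9E3779B9    # assumed constant; makes the linearized map affine

def rotl(x, r):
    return ((x << r) | (x >> (WORD - r))) & MASK

def toy_step(state, add):
    """One toy AXR step; `add` is modular addition for the real step and XOR
    for the linearized variant (the ADD -> XOR substitution of the BMW note)."""
    a, b, c = state
    a = add(a, rotl(b, 7)) ^ c
    b = add(b ^ ROUND_CONST, rotl(a, 13))
    c = add(c, rotl(b, 29)) ^ a
    return a, b, c

def pack(state):
    return state[0] | (state[1] << WORD) | (state[2] << 2 * WORD)

def unpack(x):
    return x & MASK, (x >> WORD) & MASK, (x >> 2 * WORD) & MASK

def step_arx(x):
    """The real step (modular addition) on a packed 96-bit state."""
    return pack(toy_step(unpack(x), lambda p, q: (p + q) & MASK))

def step_lin(x):
    """The linearized step: every ADD replaced by XOR."""
    return pack(toy_step(unpack(x), lambda p, q: p ^ q))

def is_affine(f, trials=32, seed=1):
    """f(x ^ y) == f(x) ^ f(y) ^ f(0) on random pairs: holds for the XOR
    variant, fails (with overwhelming probability) once carries are involved."""
    rng = random.Random(seed)
    f0 = f(0)
    for _ in range(trials):
        x, y = rng.getrandbits(NBITS), rng.getrandbits(NBITS)
        if f(x ^ y) != f(x) ^ f(y) ^ f0:
            return False
    return True

def linearize(f):
    """Recover f(x) = M x + c over GF(2): c = f(0), column i of M = f(e_i) ^ c.
    Only meaningful when f is affine (check with is_affine first)."""
    c = f(0)
    return [f(1 << i) ^ c for i in range(NBITS)], c

def apply_matrix(cols, x):
    """M x over GF(2): XOR of the columns selected by the set bits of x."""
    y = 0
    for i in range(NBITS):
        if (x >> i) & 1:
            y ^= cols[i]
    return y

def rank_gf2(cols):
    """Rank of the matrix with the given columns (greedy XOR-basis elimination)."""
    basis = []
    for v in cols:
        for b in basis:
            v = min(v, v ^ b)   # clears b's leading bit from v if it is set
        if v:
            basis.append(v)
    return len(basis)

def linearization_matches(f, cols, c, trials=64, seed=3):
    """Sanity check: M x + c reproduces f on random inputs."""
    rng = random.Random(seed)
    return all(f(x) == apply_matrix(cols, x) ^ c
               for x in (rng.getrandbits(NBITS) for _ in range(trials)))

def characteristic_probability(d, f=step_arx, trials=256, seed=2):
    """Fraction of random inputs on which f sends input difference d to the
    output difference M d predicted by the linear model: exactly 1.0 for
    step_lin, and for step_arx the probability of the one-step differential
    characteristic (carries break the prediction)."""
    cols, _ = linearize(step_lin)
    predicted = apply_matrix(cols, d)
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        x = rng.getrandbits(NBITS)
        if f(x ^ d) ^ f(x) == predicted:
            hits += 1
    return hits / trials

if __name__ == "__main__":
    cols, c = linearize(step_lin)
    print("affine (lin, arx):", is_affine(step_lin), is_affine(step_arx))
    print("rank of M:", rank_gf2(cols), "of", NBITS, "| c != 0:", c != 0)
    d = 1 << (2 * WORD)     # single-bit difference in the third word
    print("ARX follows the linear prediction with p =", characteristic_probability(d))
```
<br />
Run as a script it reports that the XOR variant passes the affinity test while the ADD variant does not, that the recovered matrix has full rank 96 (the linearized step is a bijection built from invertible XOR updates) with a non-zero constant vector coming from the round constant, and that for a single-bit input difference in the third word the real ADD step follows the linear prediction only on a fraction of the inputs. That fraction is the probability of the one-step differential characteristic: the carries the linear model ignores are exactly what a low-weight (high-probability) characteristic search, as in the SIMD result, tries to keep under control.<br />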
<br />
<bibtex><br />
@misc{Thomsen-bmw-compress,<br />
author = {Søren S. Thomsen},<br />
title = {Pseudo-cryptanalysis of Blue Midnight Wish},<br />
url = {http://www.mat.dtu.dk/people/S.Thomsen/bmw/bmw-pseudo.pdf},<br />
howpublished = {Available online},<br />
year = {2009},<br />
abstract ={We describe pseudo-collision and pseudo-(second) preimage attacks on the SHA-3 candidate Blue Midnight Wish. The complexity of the pseudo-collision attack is around 2^{3n/8+1}, and the complexity of the pseudo-(second) preimage attack is around 2^{3n/4+1}.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{Thomsen-bmw-nc-compress,<br />
author = {Søren S. Thomsen},<br />
title = {A near-collision attack on the Blue Midnight Wish compression function},<br />
url = {http://www2.mat.dtu.dk/people/S.Thomsen/bmw/nc-compress.pdf},<br />
howpublished = {Version 2.0, available online},<br />
year = {2008},<br />
}<br />
</bibtex></div>Tnadhttps://ehash.iaik.tugraz.at/index.php?title=SIMD&diff=3362SIMD2010-02-15T09:48:59Z<p>Tnad: A Distinguisher for the Compression Function of SIMD-512</p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Gaëtan Leurent, Charles Bouillaguet, Pierre-Alain Fouque <br />
* Website: [http://www.di.ens.fr/~leurent/simd.html http://www.di.ens.fr/~leurent/simd.html]<br />
* NIST submission package: <br />
** round 1: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/SIMDUpdate.zip SIMDUpdate.zip] (old version: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/SIMD.zip SIMD.zip])<br />
** round 2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/SIMD_Round2.zip SIMD_Round2.zip]<br />
<br />
<br />
<bibtex><br />
@misc{sha3LBF09,<br />
author = {Gaëtan Leurent and Charles Bouillaguet and Pierre-Alain Fouque},<br />
title = {SIMD Is a Message Digest},<br />
url = {http://www.di.ens.fr/~leurent/files/SIMD.pdf},<br />
howpublished = {Submission to NIST (Round 2)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3LBF08,<br />
author = {Gaëtan Leurent and Charles Bouillaguet and Pierre-Alain Fouque},<br />
title = {SIMD Is a Message Digest},<br />
url = {http://ehash.iaik.tugraz.at/uploads/4/4e/Simd.pdf},<br />
howpublished = {Submission to NIST (Round 1)},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the actual hash function. The only allowed modification is to change the security parameter.<br />
<br />
Recommended security parameter: 2.k='''2.16''' steps<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| || || || || ||<br />
|- <br />
|} <br />
<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on the underlying building blocks, and on the hash function modified by means other than the security parameter.<br />
<br />
Note that these results assume more direct control over, or access to, some internal variables (so-called free-start, pseudo, compression-function, block-cipher or permutation attacks).<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| distinguisher || compression function || 512 || full (Round 1) || 5*2<sup>425.28</sup> || - || [http://online.tu-graz.ac.at/tug_online/voe_main2.getvolltext?pDocumentNr=125658 Mendel, Nad]<br />
|- <br />
|}<br />
<br />
<br />
<bibtex><br />
@inproceedings{indocryptMendelN09,<br />
author = {Florian Mendel and<br />
Tomislav Nad},<br />
title = {A Distinguisher for the Compression Function of SIMD-512},<br />
booktitle = {INDOCRYPT},<br />
editor = {Bimal K. Roy and<br />
Nicolas Sendrier},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
year = {2009},<br />
pages = {219-232},<br />
volume = {5922},<br />
url = {http://online.tu-graz.ac.at/tug_online/voe_main2.getvolltext?pDocumentNr=125658},<br />
abstract = {SIMD is one of the round 2 candidates of the public SHA-3<br />
competition hosted by NIST. It was designed by Leurent et al. In this<br />
paper, we present a distinguisher attack on the compression function of<br />
SIMD-512. By linearizing the compression function we construct a linear<br />
code. Using techniques from coding theory to search for low Hamming<br />
weight codewords, we can find differential characteristics with low Hamming<br />
weight (and hence high probability). In the attack the differences<br />
are introduced only in the IV. Such a characteristic is the base for our distinguisher,<br />
which can distinguish the compression function of SIMD-512<br />
from random with a complexity of 5*2^425.28 compression function calls.<br />
Furthermore, we can distinguish the output transformation of SIMD-512<br />
from random with a complexity of about 22*2^425.28 compression function<br />
calls. So far this is the first cryptanalytic result for the SIMD hash<br />
function.}<br />
}<br />
</bibtex></div>Tnadhttps://ehash.iaik.tugraz.at/index.php?title=SIMD&diff=3361SIMD2010-02-15T09:45:29Z<p>Tnad: /* Building blocks */</p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Gaëtan Leurent, Charles Bouillaguet, Pierre-Alain Fouque <br />
* Website: [http://www.di.ens.fr/~leurent/simd.html http://www.di.ens.fr/~leurent/simd.html]<br />
* NIST submission package: <br />
** round 1: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/SIMDUpdate.zip SIMDUpdate.zip] (old version: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/SIMD.zip SIMD.zip])<br />
** round 2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/SIMD_Round2.zip SIMD_Round2.zip]<br />
<br />
<br />
<bibtex><br />
@misc{sha3LBF09,<br />
author = {Gaëtan Leurent and Charles Bouillaguet and Pierre-Alain Fouque},<br />
title = {SIMD Is a Message Digest},<br />
url = {http://www.di.ens.fr/~leurent/files/SIMD.pdf},<br />
howpublished = {Submission to NIST (Round 2)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3LBF08,<br />
author = {Gaëtan Leurent and Charles Bouillaguet and Pierre-Alain Fouque},<br />
title = {SIMD Is a Message Digest},<br />
url = {http://ehash.iaik.tugraz.at/uploads/4/4e/Simd.pdf},<br />
howpublished = {Submission to NIST (Round 1)},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the actual hash function. The only allowed modification is to change the security parameter.<br />
<br />
Recommended security parameter: 2.k='''2.16''' steps<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| || || || || ||<br />
|- <br />
|} <br />
<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on the underlying building blocks, and on the hash function modified by means other than the security parameter.<br />
<br />
Note that these results assume more direct control over, or access to, some internal variables (so-called free-start, pseudo, compression-function, block-cipher or permutation attacks).<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| distinguisher || compression function || 512 || full (Round 1) || 5*2<sup>425.28</sup> || - || [http://online.tu-graz.ac.at/tug_online/voe_main2.getvolltext?pDocumentNr=125658 Mendel, Nad]<br />
|- <br />
|}<br />
<br />
<br />
<bibtex><br />
@inproceedings{indocryptMendelN09,<br />
author = {Florian Mendel and<br />
Tomislav Nad},<br />
title = {A Distinguisher for the Compression Function of SIMD-512},<br />
booktitle = {INDOCRYPT},<br />
editor = {Bimal K. Roy and<br />
Nicolas Sendrier},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
year = {2009},<br />
pages = {219-232},<br />
volume = {5922},<br />
url = {http://online.tu-graz.ac.at/tug_online/voe_main2.getvolltext?pDocumentNr=125658},<br />
}<br />
</bibtex></div>Tnadhttps://ehash.iaik.tugraz.at/index.php?title=Tangle&diff=2655Tangle2008-12-11T13:14:03Z<p>Tnad: /* The algorithm */</p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Rafael Alvarez, Gary McGuire and Antonio Zamora<br />
<!--<br />
* Website:<br />
--><br />
* NIST submission package: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/Tangle.zip Tangle.zip]<br />
<br />
<br />
<bibtex><br />
@misc{sha3AlvarezMZ08,<br />
author = {Rafael Alvarez and Gary McGuire and Antonio Zamora},<br />
title = {The Tangle Hash Function},<br />
url = {http://ehash.iaik.tugraz.at/uploads/4/40/Tangle.pdf},<br />
howpublished = {Submission to NIST},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
== Cryptanalysis ==<br />
<br />
* None yet</div>Tnadhttps://ehash.iaik.tugraz.at/index.php?title=StreamHash&diff=2654StreamHash2008-12-11T13:13:45Z<p>Tnad: /* The algorithm */</p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Michal Trojnara<br />
<!--<br />
* Website:<br />
--><br />
* NIST submission package: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/StreamHash.zip StreamHash.zip]<br />
<br />
<br />
<bibtex><br />
@misc{sha3Trojnara08,<br />
author = {Michal Trojnara},<br />
title = {StreamHash Algorithm Specifications and Supporting Documentation},<br />
url = {http://ehash.iaik.tugraz.at/uploads/0/09/Streamhash.pdf},<br />
howpublished = {Submission to NIST},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
== Cryptanalysis ==<br />
<br />
* None yet</div>Tnadhttps://ehash.iaik.tugraz.at/index.php?title=SHAvite-3&diff=2653SHAvite-32008-12-11T13:13:29Z<p>Tnad: /* The algorithm */</p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Eli Biham and Orr Dunkelman<br />
<!--<br />
* Website:<br />
--><br />
* NIST submission package: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/SHAvite-3.zip SHAvite-3.zip]<br />
<br />
<br />
<bibtex><br />
@misc{sha3BihamD08,<br />
author = {Eli Biham and Orr Dunkelman},<br />
title = {The SHAvite-3 Hash Function},<br />
url = {http://ehash.iaik.tugraz.at/uploads/f/f5/Shavite.pdf},<br />
howpublished = {Submission to NIST},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
== Cryptanalysis ==<br />
<br />
* None yet</div>Tnadhttps://ehash.iaik.tugraz.at/index.php?title=Shabal&diff=2652Shabal2008-12-11T13:13:09Z<p>Tnad: /* The algorithm */</p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Emmanuel Bresson, Anne Canteaut, Benoît Chevallier-Mames, Christophe Clavier, Thomas Fuhr, Aline Gouget, Thomas Icart, Jean-François Misarsky, María Naya-Plasencia, Pascal Paillier, Thomas Pornin, Jean-René Reinhard, Céline Thuillet, Marion Videau<br />
* Website: http://www.shabal.com/<br />
* NIST submission package: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/Shabal.zip Shabal.zip]<br />
<br />
<br />
<bibtex><br />
@misc{sha3CanteautCGPP08,<br />
author = {Emmanuel Bresson and Anne Canteaut and Benoît Chevallier-Mames and Christophe Clavier and Thomas Fuhr and Aline Gouget and Thomas Icart and Jean-François Misarsky and María Naya-Plasencia and Pascal Paillier and Thomas Pornin and Jean-René Reinhard and Céline Thuillet and Marion Videau},<br />
title = {Shabal, a Submission to NIST’s Cryptographic Hash Algorithm Competition},<br />
url = {http://ehash.iaik.tugraz.at/uploads/6/6c/Shabal.pdf},<br />
howpublished = {Submission to NIST},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
== Cryptanalysis ==<br />
<br />
* None yet</div>Tnadhttps://ehash.iaik.tugraz.at/index.php?title=Twister&diff=2651Twister2008-12-11T13:12:46Z<p>Tnad: /* The algorithm */</p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Ewan Fleischmann, Christian Forler and Michael Gorski<br />
* Website: http://www.twister-hash.com<br />
* NIST submission package: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/Twister.zip Twister.zip]<br />
<br />
<br />
<bibtex><br />
@misc{sha3FleischmannFG08,<br />
author = {Ewan Fleischmann and Christian Forler and Michael Gorski},<br />
title = {The Twister Hash Function Family},<br />
url = {http://ehash.iaik.tugraz.at/uploads/3/39/Twister.pdf},<br />
howpublished = {Submission to NIST},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
== Cryptanalysis ==<br />
<br />
* None yet</div>Tnadhttps://ehash.iaik.tugraz.at/index.php?title=LUX&diff=2648LUX2008-12-11T13:11:42Z<p>Tnad: /* The algorithm */</p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Ivica Nikolić, Alex Biryukov, and Dmitry Khovratovich<br />
<!--<br />
* Website:<br />
--><br />
* NIST submission package: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/LUX.zip LUX.zip]<br />
<br />
<br />
<bibtex><br />
@misc{sha3BiryukovKN,<br />
author = {Ivica Nikolić and Alex Biryukov and Dmitry Khovratovich},<br />
title = {Hash family LUX - Algorithm Specifications and<br />
Supporting Documentation},<br />
url = {http://ehash.iaik.tugraz.at/uploads/f/f3/LUX.pdf},<br />
howpublished = {Submission to NIST},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
== Cryptanalysis ==<br />
<br />
* None yet</div>Tnadhttps://ehash.iaik.tugraz.at/index.php?title=StreamHash&diff=2615StreamHash2008-12-11T12:17:15Z<p>Tnad: </p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Michal Trojnara<br />
<!--<br />
* Website:<br />
--><br />
* NIST submission package: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/StreamHash.zip StreamHash.zip]<br />
<br />
<bibtex><br />
@misc{sha3Trojnara,<br />
author = {Michal Trojnara},<br />
title = {StreamHash Algorithm Specifications and Supporting Documentation},<br />
url = {},<br />
howpublished = {Submission to NIST},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
== Cryptanalysis ==<br />
<br />
* None yet</div>Tnadhttps://ehash.iaik.tugraz.at/index.php?title=Twister&diff=2601Twister2008-12-11T12:04:00Z<p>Tnad: </p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Ewan Fleischmann, Christian Forler and Michael Gorski<br />
* Website: http://www.twister-hash.com<br />
* NIST submission package: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/Twister.zip Twister.zip]<br />
<br />
<bibtex><br />
@misc{sha3FleischmannFG,<br />
author = {Ewan Fleischmann and Christian Forler and Michael Gorski},<br />
title = {The Twister Hash Function Family},<br />
url = {},<br />
howpublished = {Submission to NIST},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
== Cryptanalysis ==<br />
<br />
* None yet</div>Tnadhttps://ehash.iaik.tugraz.at/index.php?title=Shabal&diff=2598Shabal2008-12-11T12:01:16Z<p>Tnad: /* The algorithm = */</p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Anne Canteaut, Benoît Chevallier-Mames, Aline Gouget, Pascal Paillier, Thomas Pornin<br />
* Website: http://www.shabal.com/<br />
* NIST submission package: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/Shabal.zip Shabal.zip]<br />
<br />
<bibtex><br />
@misc{sha3CanteautCGPP,<br />
author = {Anne Canteaut and Benoît Chevallier-Mames and Aline Gouget and Pascal Paillier and Thomas Pornin},<br />
title = {Shabal, a Submission to NIST’s Cryptographic Hash Algorithm Competition},<br />
url = {},<br />
howpublished = {Submission to NIST},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
== Cryptanalysis ==<br />
<br />
* None yet</div>Tnadhttps://ehash.iaik.tugraz.at/index.php?title=Tangle&diff=2596Tangle2008-12-11T12:00:47Z<p>Tnad: </p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Rafael Alvarez, Gary McGuire and Antonio Zamora<br />
<!--<br />
* Website:<br />
--><br />
* NIST submission package: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/Tangle.zip Tangle.zip]<br />
<br />
<bibtex><br />
@misc{sha3AlvarezMZ,<br />
author = {Rafael Alvarez and Gary McGuire and Antonio Zamora},<br />
title = {The Tangle Hash Function},<br />
url = {},<br />
howpublished = {Submission to NIST},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
== Cryptanalysis ==<br />
<br />
* None yet</div>Tnadhttps://ehash.iaik.tugraz.at/index.php?title=SHAvite-3&diff=2594SHAvite-32008-12-11T11:57:45Z<p>Tnad: </p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Eli Biham and Orr Dunkelman<br />
<!--<br />
* Website:<br />
--><br />
* NIST submission package: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/SHAvite-3.zip SHAvite-3.zip]<br />
<br />
<bibtex><br />
@misc{sha3BihamD,<br />
author = {Eli Biham and Orr Dunkelman},<br />
title = {The SHAvite-3 Hash Function},<br />
url = {},<br />
howpublished = {Submission to NIST},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
== Cryptanalysis ==<br />
<br />
* None yet</div>Tnadhttps://ehash.iaik.tugraz.at/index.php?title=Shabal&diff=2591Shabal2008-12-11T11:50:31Z<p>Tnad: </p>
<hr />
<div>= The algorithm ==<br />
<br />
* Author(s): Anne Canteaut, Benoît Chevallier-Mames, Aline Gouget, Pascal Paillier, Thomas Pornin<br />
* Website: http://www.shabal.com/<br />
* NIST submission package: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/Shabal.zip Shabal.zip]<br />
<br />
<bibtex><br />
@misc{sha3CanteautCGPP,<br />
author = {Anne Canteaut and Benoît Chevallier-Mames and Aline Gouget and Pascal Paillier and Thomas Pornin},<br />
title = {Shabal, a Submission to NIST’s Cryptographic Hash Algorithm Competition},<br />
url = {},<br />
howpublished = {Submission to NIST},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
== Cryptanalysis ==<br />
<br />
* None yet</div>Tnadhttps://ehash.iaik.tugraz.at/index.php?title=LUX&diff=2572LUX2008-12-11T11:37:38Z<p>Tnad: </p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Ivica Nikolic, Alex Biryukov, and Dmitry Khovratovich<br />
<!--<br />
* Website:<br />
--><br />
* NIST submission package: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/LUX.zip LUX.zip]<br />
<br />
<bibtex><br />
@misc{sha3BiryukovKN,<br />
author = {Ivica Nikolić and Alex Biryukov and Dmitry Khovratovich},<br />
title = {Hash family LUX},<br />
url = {},<br />
howpublished = {Submission to NIST},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
== Cryptanalysis ==<br />
<br />
* None yet</div>Tnadhttps://ehash.iaik.tugraz.at/index.php?title=Boole&diff=2492Boole2008-12-02T14:17:15Z<p>Tnad: /* Cryptanalysis */</p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Greg Rose<br />
* Website: [http://seer-grog.net/Boole.html http://seer-grog.net/Boole.html]<br />
* Specification: <br />
<!--<br />
[http://ehash.iaik.tugraz.at/uploads/3/37/BoolePaper.pdf local link]<br />
--><br />
<br />
<bibtex><br />
@misc{sha3Rose08,<br />
author = {Gregory G. Rose},<br />
title = {Design and Primitive Specification for Boole},<br />
url = {http://seer-grog.net/BoolePaper.pdf},<br />
howpublished = {Submission to NIST},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
== Cryptanalysis ==<br />
<br />
<bibtex><br />
@misc{booleMNS08,<br />
author = {Florian Mendel and Tomislav Nad and Martin Schläffer},<br />
title = {Collision for Boole},<br />
url = {http://ehash.iaik.tugraz.at/uploads/0/0b/BooleCollision.txt},<br />
howpublished = {NIST mailing list (local link)},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{booleN08,<br />
author = {Ivica Nikolić},<br />
title = {Preimage attack on Boole-n},<br />
url = {http://ehash.iaik.tugraz.at/uploads/2/2f/Boole.pdf},<br />
howpublished = {Available online},<br />
year = {2008},<br />
abstract = {Boole is a family of hash functions proposed for SHA-3. In this paper we present a preimage attack on Boole-n that requires $2^{9n/16}$ computations and negligible memory.},<br />
}<br />
</bibtex></div>Tnadhttps://ehash.iaik.tugraz.at/index.php?title=File:BooleCollision.txt&diff=2491File:BooleCollision.txt2008-12-02T14:16:47Z<p>Tnad: </p>
<hr />
<div></div>Tnadhttps://ehash.iaik.tugraz.at/index.php?title=Boole&diff=2490Boole2008-12-02T14:14:36Z<p>Tnad: /* Cryptanalysis */</p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Greg Rose<br />
* Website: [http://seer-grog.net/Boole.html http://seer-grog.net/Boole.html]<br />
* Specification: <br />
<!--<br />
[http://ehash.iaik.tugraz.at/uploads/3/37/BoolePaper.pdf local link]<br />
--><br />
<br />
<bibtex><br />
@misc{sha3Rose08,<br />
author = {Gregory G. Rose},<br />
title = {Design and Primitive Specification for Boole},<br />
url = {http://seer-grog.net/BoolePaper.pdf},<br />
howpublished = {Submission to NIST},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
== Cryptanalysis ==<br />
<br />
<bibtex><br />
@misc{booleMNS08,<br />
author = {Florian Mendel and Tomislav Nad and Martin Schläffer},<br />
title = {Collision for Boole},<br />
url = {http://ehash.iaik.tugraz.at/uploads/3/3f/BooleCollision.txt},<br />
howpublished = {NIST mailing list (local link)},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{booleN08,<br />
author = {Ivica Nikolić},<br />
title = {Preimage attack on Boole-n},<br />
url = {http://ehash.iaik.tugraz.at/uploads/2/2f/Boole.pdf},<br />
howpublished = {Available online},<br />
year = {2008},<br />
abstract = {Boole is a family of hash functions proposed for SHA-3. In this paper we present a preimage attack on Boole-n that requires $2^{9n/16}$ computations and negligible memory.},<br />
}<br />
</bibtex></div>Tnadhttps://ehash.iaik.tugraz.at/index.php?title=GenericAttacksHash&diff=1909GenericAttacksHash2008-03-11T12:17:49Z<p>Tnad: /* Collision attacks */</p>
<hr />
<div>= Preimage attacks =<br />
<br />
The resistance of a hash function to collision and (second) preimage<br />
attacks depends in the first place on the length $n$ of the hash<br />
value. Regardless of how a hash function is designed, an adversary<br />
will always be able to find preimages or second preimages after<br />
trying out about $2^n$ different messages. If an adversary is<br />
given $2^k$ distinct target hashes, a preimage of at least one of them<br />
is found after trying about $2^{n-k}$ different messages<br />
(Merkle, ''Secrecy, Authentication, and Public Key Systems'', 1979, Chapter 2, pp. 12-13).<br />
<br />
= Collision attacks = <br />
As independently observed by Merkle and Yuval in 1979, finding collisions<br />
requires a much smaller number of trials: about $2^{n/2}$, as<br />
described in the section on the birthday attack below. As a result, hash<br />
functions producing less than 160 bits of output are currently<br />
considered inherently insecure. Moreover, if the internal structure<br />
of a particular hash function allows collisions or preimages to be<br />
found more efficiently than what could be expected based on its hash<br />
length, then the function is considered to be broken.<br />
<bibtex><br />
@inproceedings{cryptoMerkle89,<br />
author = {Ralph C. Merkle},<br />
title = {A Certified Digital Signature},<br />
booktitle = {CRYPTO},<br />
year = {1989},<br />
pages = {218-238},<br />
url = {http://link.springer.de/link/service/series/0558/bibs/0435/04350218.htm},<br />
editor = {Gilles Brassard},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {435},<br />
isbn = {3-540-97317-6},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{fseHochS06,<br />
author = {Jonathan J. Hoch and<br />
Adi Shamir},<br />
title = {Breaking the ICE - Finding Multicollisions in Iterated Concatenated<br />
and Expanded (ICE) Hash Functions},<br />
booktitle = {FSE},<br />
year = {2006},<br />
pages = {179-194},<br />
volume = {4047},<br />
series = {LNCS},<br />
publisher = {Springer},<br />
isbn = {3-540-36597-4},<br />
url = {http://dx.doi.org/10.1007/11799313_12},<br />
crossref = {DBLP:conf/fse/2006},<br />
bibsource = {DBLP, http://dblp.uni-trier.de},<br />
abstract = {The security of hash functions has recently become one of <br />
the hottest topics in the design and analysis of cryptographic primitives. <br />
Since almost all the hash functions used today (including the MD and SHA families) <br />
have an iterated design, it is important to study the general security properties <br />
of such functions. At Crypto 2004 Joux showed that in any iterated hash function <br />
it is relatively easy to find exponential sized multicollisions, and thus the <br />
concatenation of several hash functions does not increase their security. However, <br />
in his proof it was essential that each message block is used at most once. In 2005 <br />
Nandi and Stinson extended the technique to handle iterated hash functions in which <br />
each message block is used at most twice. In this paper we consider the general case <br />
and prove that even if we allow each iterated hash function to scan the input multiple <br />
times in an arbitrary expanded order, their concatenation is not stronger than a <br />
single function. Finally, we extend the result to tree-based hash functions with arbitrary tree structures.}<br />
}<br />
</bibtex><br />
=== The birthday attack ===<br />
The birthday attack (also called ''square-root'' attack) is a generic attack that<br />
treats the hash function as a black box; it therefore applies to every<br />
hash function. For any message $m$ we can compute the $n$-bit hash<br />
value $y = h(m)$. Since at least a fraction $2^{-n}$ of all pairs<br />
$(m,m^*)$ satisfies $h(m) = h(m^*)$, one expects to find a colliding<br />
message pair after trying about $2^n$ arbitrary message pairs. However,<br />
it follows from the birthday paradox that $2^n$ pairs can be checked<br />
with only about $2^{n/2}$ evaluations of $h$, because every new hash value<br />
is compared against all values computed so far. A birthday attack works as<br />
follows:<br />
# Pick a fresh message $m$ and compute $h(m)$.<br />
# Look up $h(m)$ in a list $L$:<br />
#* if $L$ already contains an entry $(h(m), m')$ with $m' \neq m$, a colliding message pair $(m, m')$ has been found;<br />
#* otherwise save the pair $(h(m), m)$ in $L$ and go back to step 1.<br />
From the birthday paradox we know that a matching entry is expected<br />
after about $2^{n/2}$ hash evaluations, at which point $L$ holds about<br />
$2^{n/2}$ entries. Note that in a birthday attack the attacker has full<br />
control over the messages. Hence, as pointed out by Yuval, this method<br />
enables an attacker to construct meaningful collisions: generate about<br />
$2^{n/2}$ innocuous-looking variants of one document and $2^{n/2}$ variants<br />
of a second, fraudulent document, and look for a hash value that occurs<br />
in both sets.<br />
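The list-based search above and Yuval's meaningful-collision variant, as an added example that is not part of the original page. It runs on a truncated hash so that $2^{n/2}$ stays tractable: ''truncated_hash'' (the leading $n$ bits of SHA-256) stands in for an arbitrary $n$-bit hash, and the two letter templates are constructed for illustration; both are assumptions of the example, not of the text.<br />
<br />
```python
import hashlib
import itertools


def truncated_hash(msg: bytes, n_bits: int) -> int:
    """Toy n-bit hash: the leading n bits of SHA-256 (assumption for the example;
    the attack treats the hash as a black box, so any n-bit hash would do)."""
    digest = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return digest >> (256 - n_bits)


def birthday_collision(n_bits: int):
    """Plain birthday attack: hash messages m_0, m_1, ... and keep the list L
    (a dict here) of (h(m), m); stop at the first repeated hash value.
    Expected cost: about 2^(n/2) evaluations and about 2^(n/2) entries in L."""
    table = {}                            # L: hash value -> message
    for i in itertools.count():
        m = b"message-%d" % i             # the attacker chooses the messages freely
        h = truncated_hash(m, n_bits)
        if h in table:                    # step 2: already in L -> collision
            return table[h], m
        table[h] = m                      # otherwise store it and go back to step 1


def make_template(text: str) -> list:
    """Yuval's trick: every inter-word gap becomes a variation point with two
    innocuous spellings (one space or two), so a text with k gaps has 2^k
    variants that all read the same to a human."""
    words = text.split()
    template = [words[0]]
    for w in words[1:]:
        template.append((" ", "  "))
        template.append(w)
    return template


def render_variant(template: list, index: int) -> bytes:
    """Select one alternative per variation point according to the bits of index."""
    out, bit = [], 0
    for piece in template:
        if isinstance(piece, tuple):
            out.append(piece[(index >> bit) & 1])
            bit += 1
        else:
            out.append(piece)
    if index >> bit:
        raise ValueError("template has too few variation points for this index")
    return "".join(out).encode()


def yuval_collision(benign: list, fraudulent: list, n_bits: int):
    """Meaningful collision: grow two lists in lockstep, variants of the benign
    text and variants of the fraudulent text, until a hash value from one list
    shows up in the other. Returns (benign_variant, fraudulent_variant)."""
    seen_benign, seen_fraud = {}, {}
    for i in itertools.count():
        m1 = render_variant(benign, i)
        h1 = truncated_hash(m1, n_bits)
        if h1 in seen_fraud:
            return m1, seen_fraud[h1]
        seen_benign.setdefault(h1, m1)
        m2 = render_variant(fraudulent, i)
        h2 = truncated_hash(m2, n_bits)
        if h2 in seen_benign:
            return seen_benign[h2], m2
        seen_fraud.setdefault(h2, m2)


# Constructed sample documents: identical wording except for the amount.
BENIGN = make_template(
    "Dear Bob, I hereby confirm that I will transfer the agreed amount of ten "
    "euro to your account before the end of this month, as discussed in our "
    "meeting last week. Kind regards, Alice")
FRAUDULENT = make_template(
    "Dear Bob, I hereby confirm that I will transfer the agreed amount of ten "
    "thousand euro to your account before the end of this month, as discussed "
    "in our meeting last week. Kind regards, Alice")

if __name__ == "__main__":
    n = 32                                # about 2^16 evaluations per list expected
    a, b = yuval_collision(BENIGN, FRAUDULENT, n)
    print(a.decode())
    print(b.decode())
    print(hex(truncated_hash(a, n)), hex(truncated_hash(b, n)))
```
<br />
The two letters differ only in the amount, yet the variant pair returned hashes to the same $n$-bit value; whoever signs the hash of the first letter has also signed the second. Doubling the output length $n$ doubles the exponent $n/2$, which is why the page's 160-bit threshold is a statement about the square root of the output space.<br />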
<br />
=== Parallel collision search ===<br />
<br />
<bibtex><br />
@article{jocOorschotW99,<br />
author = {Paul C. van Oorschot and Michael J. Wiener},<br />
title = {{Parallel Collision Search with Cryptanalytic Applications}},<br />
journal = {J. Cryptology},<br />
volume = {12},<br />
number = {1},<br />
year = {1999},<br />
pages = {1-28},<br />
url = {http://link.springer.de/link/service/journals/00145/bibs/12n1p1.html},<br />
abstract = {A simple new technique of parallelizing methods for solving search problems which seek collisions in pseudorandom walks is presented. This technique can be adapted to a wide range of cryptanalytic problems which can be reduced to finding collisions. General constructions are given showing how to adapt the technique to finding discrete logarithms in cyclic groups, finding meaningful collisions in hash functions, and performing meet-in-the-middle attacks such as a known-plaintext attack on double encryption. The new technique greatly extends the reach of practical attacks, providing the most cost-effective means known to date for defeating: the small subgroup used in certain schemes based on discrete logarithms such as Schnorr, DSA, and elliptic curve cryptosystems; hash functions such as MD5, RIPEMD, SHA-1, MDC-2, and MDC-4; and double encryption and three-key triple encryption. The practical significance of the technique is illustrated by giving the design for three $10 million custom machines which could be built with current technology: one finds elliptic curve logarithms in $GF(2^{155})$ thereby defeating a proposed elliptic curve cryptosystem in expected time 32 days, the second finds MD5 collisions in expected time 21 days, and the last recovers a double-DES key from two known plaintexts in expected time 4 years, which is four orders of magnitude faster than the conventional meet-in-the-middle attack on double-DES. Based on this attack, double-DES offers only 17 more bits of security than single-DES.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@article{jocWiener04,<br />
author = {Michael J. Wiener},<br />
title = {The Full Cost of Cryptanalytic Attacks},<br />
journal = {J. Cryptology},<br />
volume = {17},<br />
number = {2},<br />
year = {2004},<br />
pages = {105-124},<br />
url = {http://dx.doi.org/10.1007/s00145-003-0213-5},<br />
abstract = {An open question about the asymptotic cost of connecting many processors to a large memory using three dimensions for wiring is answered, and this result is used to find the full cost of several cryptanalytic attacks. In many cases this full cost is higher than the accepted complexity of a given algorithm based on the number of processor steps. The full costs of several cryptanalytic attacks are determined, including Shanksrsquo method for computing discrete logarithms in cyclic groups of prime order n, which requires $n^{1/2}+o(1)$ processor steps, but, when all factors are taken into account, has full cost n2/3+o(1). Other attacks analyzed are factoring with the number field sieve, generic attacks on block ciphers, attacks on double and triple encryption, and finding hash collisions. In many cases parallel collision search gives a significant asymptotic advantage over well-known generic attacks.},<br />
}<br />
</bibtex><br />
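The distinguished-point method of van Oorschot and Wiener, as an added example that is not part of the original page or of the cited paper. Each trail is an independent pseudorandom walk $x_{i+1} = h(x_i)$ that stops at a distinguished point (here: the $d$ low bits are zero); only the triples (start, distinguished point, length) go into a shared table, so memory drops from about $2^{n/2}$ entries to about $2^{n/2-d}$, and because trails never communicate until they report a distinguished point, they can run on independent processors. The trails are simulated sequentially here, and ''truncated_hash'' (the leading $n$ bits of SHA-256) again stands in for an $n$-bit hash.<br />
<br />
```python
import hashlib
import random


def truncated_hash(msg: bytes, n_bits: int) -> int:
    """Toy n-bit hash: the leading n bits of SHA-256 (assumption for the example)."""
    digest = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return digest >> (256 - n_bits)


def step(x: int, n_bits: int) -> int:
    """One step of the pseudorandom walk: feed the n-bit value back into the hash.
    A collision of the walk, step(a) == step(b) with a != b, is a hash collision
    between the 8-byte encodings of a and b (so n_bits <= 64 is assumed)."""
    return truncated_hash(x.to_bytes(8, "big"), n_bits)


def is_distinguished(x: int, dp_bits: int) -> bool:
    return x & ((1 << dp_bits) - 1) == 0      # the dp_bits low bits are all zero


def walk_to_dp(start: int, n_bits: int, dp_bits: int, max_len: int):
    """Run one trail from start until a distinguished point. Returns (dp, length),
    or None if the trail is abandoned (it probably fell into a cycle with no DP)."""
    x, length = start, 0
    while not is_distinguished(x, dp_bits):
        x = step(x, n_bits)
        length += 1
        if length > max_len:
            return None
    return x, length


def locate_collision(s1: int, l1: int, s2: int, l2: int, n_bits: int):
    """Two trails ended at the same DP: re-walk them in lockstep, aligned so that
    both are the same distance from the DP, until their next points coincide.
    Returns the colliding pair, or None if the trails were the same trail."""
    if l1 > l2:
        s1, l1, s2, l2 = s2, l2, s1, l1
    for _ in range(l2 - l1):                # advance the longer trail first
        s2 = step(s2, n_bits)
    if s1 == s2:
        return None                         # merged already at the (aligned) start
    while True:
        n1, n2 = step(s1, n_bits), step(s2, n_bits)
        if n1 == n2:
            return s1, s2                   # distinct inputs, same output
        s1, s2 = n1, n2


def parallel_collision_search(n_bits: int, dp_bits: int, rng: random.Random):
    """Shared table of distinguished points; each loop iteration is one trail that
    an independent worker could have computed. About 2^(n/2) steps in total are
    expected, but only about 2^(n/2 - dp_bits) table entries. Returns
    ((a, b), table_size) with a != b and step(a) == step(b)."""
    table = {}                              # dp -> (start, length)
    max_len = 20 << dp_bits                 # trails far longer than 2^d are abandoned
    while True:
        start = rng.getrandbits(n_bits)
        trail = walk_to_dp(start, n_bits, dp_bits, max_len)
        if trail is None:
            continue
        dp, length = trail
        if dp in table:
            s0, l0 = table[dp]
            found = locate_collision(s0, l0, start, length, n_bits)
            if found is not None:
                return found, len(table)
        else:
            table[dp] = (start, length)


if __name__ == "__main__":
    (a, b), stored = parallel_collision_search(32, 6, random.Random(2008))
    print(f"{a:#010x} {b:#010x} -> {step(a, 32):#010x}  ({stored} table entries)")
```
<br />
With $n = 32$ and $d = 6$ the search still performs about $2^{16}$ hash evaluations, but the table holds on the order of $2^{10}$ entries instead of $2^{16}$. This trade of a little extra work (the re-walk in ''locate_collision'' and the occasional abandoned trail) for almost no memory is what makes the full-cost figures of the two papers above so much lower than the naive list-based estimate.<br />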
<br />
= Attacks in the quantum setting =<br />
Results from quantum complexity theory as well as newly invented<br />
algorithms suggest that even with the power of hypothetical quantum<br />
computers applied against commonly used hash functions, no<br />
exponential improvement over classical computers is possible. Here<br />
we briefly discuss the hash-function-related aspects of this work.<br />
<br />
One of the celebrated results in quantum algorithms is<br />
Grover's search algorithm from 1996.<br />
Searching for a particular element in an unordered database of size<br />
$r$ takes $O(r^{1/2})$ queries, and Grover gives an explicit algorithm<br />
that achieves this bound. Matching lower bounds exist for this problem as<br />
well (Boyer et al. 1998, Zalka 1999). The<br />
algorithm is of wide interest because it does not rely on any particular<br />
structure of the elements in the search space.<br />
<br />
This result has direct implications for hash functions:<br />
finding a preimage or a second preimage is at most as<br />
hard as a search in an unordered database of size $2^n$, hence the security<br />
against these types of generic attacks drops from $2^{n}$ to $2^{n/2}$<br />
in the quantum setting.<br />
<br />
What about collision attacks in the quantum setting? Here the fact<br />
that many collisions exist and only a single one has to be found<br />
indeed leads to faster algorithms, both asymptotically and for the<br />
output sizes used in practice. A quantum algorithm for the collision<br />
problem is due to Brassard, H{\o}yer, and Tapp (1997). Write $N = 2^n$ for<br />
the number of possible hash values of an $n$-bit hash function. Their<br />
combination of Grover's algorithm with the birthday effect finds a<br />
collision with $O(N^{1/3}) = O(2^{n/3})$ evaluations of the hash function<br />
and requires $\Theta(N^{1/3} \log N)$ classical bits of memory for a table<br />
of $N^{1/3}$ hash values. To the best of the authors' knowledge, no<br />
time/memory trade-offs are known. Is this the best one can do? Nontrivial<br />
lower bounds for the collision problem were an open problem for some time.<br />
Only in 2001 did Aaronson prove a query complexity of $\Omega(N^{1/5})$<br />
(published at STOC 2002). Subsequent work of Shi improved this bound to<br />
$\Omega(N^{1/4})$ and finally to $\Omega(N^{1/3})$ (Shi, FOCS 2002;<br />
Aaronson and Shi, J. ACM 2004). As this matches the upper bound, one<br />
cannot do better than Brassard et al., given our current axiomatic<br />
assumptions about the nature of quantum mechanics.<br />
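The $N^{1/3}$ cost of the Brassard-H{\o}yer-Tapp algorithm comes from balancing a classical table against a Grover search. The following worked derivation is added here and is not part of the original page; it uses $N = 2^n$ for the number of hash values and a table size $K$ that is fixed at the end:<br />
<br />
* Step 1 (classical): pick $K$ distinct inputs $x_1, \dots, x_K$, compute their hashes and store the pairs $(h(x_i), x_i)$ in a table sorted by hash value; if two of them already collide, stop. Cost: $K$ hash evaluations, memory $K \cdot \Theta(\log N)$ bits.<br />
* Step 2 (quantum): define the predicate $P(y) = 1$ iff $h(y) = h(x_i)$ for some $i$ and $y \neq x_i$. Since $h$ has about $N$ equally likely outputs, roughly a fraction $K/N$ of all inputs $y$ satisfies $P$, and Grover search finds one of them with $O(\sqrt{N/K})$ evaluations of $P$, i.e. of $h$.<br />
* Total cost: $T(K) = K + \sqrt{N/K}$. The two terms are balanced when $K = \sqrt{N/K}$, i.e. $K^3 = N$, so the optimum is $K = N^{1/3}$ with $T(N^{1/3}) = 2 N^{1/3} = O(2^{n/3})$ hash evaluations and a table of $N^{1/3}$ entries, which is the $\Theta(N^{1/3} \log N)$ bits quoted above.<br />
* Sanity check against the classical bound: a classical search in step 2 costs $N/K$ instead of $\sqrt{N/K}$, so $T(K) = K + N/K$, minimal at $K = N^{1/2}$ with $T = 2 N^{1/2} = O(2^{n/2})$, which is exactly the birthday bound.<br />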
<br />
The bottom line is as follows. Ignoring the practical problems of<br />
building large, stable quantum computers, and still requiring a (by now<br />
standard) 128-bit security level, gives rise to the following minimal<br />
output sizes for hash functions. If only one-wayness but not collision<br />
resistance is required, 256 bits are enough ($2^{256/2} = 2^{128}$); for<br />
collision resistance at least 384 bits are needed ($2^{384/3} = 2^{128}$).<br />
Of course, these black-box results need not be the end of the story:<br />
dedicated quantum cryptanalytic techniques have not been considered yet.<br />
Fast quantum algorithms to compute median and mean values (Grover 1998),<br />
and other basic building blocks, seem to be an interesting starting point.</div>Tnadhttps://ehash.iaik.tugraz.at/index.php?title=Parallel_FFT-Hash&diff=1907Parallel FFT-Hash2008-03-11T11:06:21Z<p>Tnad: /* Specification */</p>
<hr />
<div>== Specification ==<br />
<br />
* Variable size<br />
* Example<br />
** digest size: 128 bits<br />
<!--** max. message length: < 2<sup>128</sup> bits--><br />
** compression function: 128-bit message block, 256-bit chaining variable<br />
* Specification: <br />
<br />
<bibtex><br />
@inproceedings{fseSchnorrV93,<br />
author = {Claus-Peter Schnorr and Serge Vaudenay},<br />
title = {Parallel FFT-Hashing},<br />
pages = {149-156},<br />
editor = {Ross J. Anderson},<br />
booktitle = {FSE},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {809},<br />
year = {1994},<br />
isbn = {3-540-58108-1},<br />
url = {http://dx.doi.org/10.1007/3-540-58108-1_18},<br />
abstract = {We propose two families of scalable hash functions <br />
for collision-resistant hashing that are highly parallel and based <br />
on the generalized fast Fourier transform (FFT). FFT-hashing is based <br />
on multipermutations. This is a basic cryptographic primitive for <br />
perfect generation of diffusion and confusion which generalizes the <br />
boxes of the classic FFT. The slower FFT-hash functions iterate a <br />
compression function. For the faster FFT-hash functions all rounds are <br />
alike with the same number of message words entering each round.},<br />
}<br />
</bibtex><br />
<br />
== Cryptanalysis ==<br />
<br />
<br />
=== Best Known Results ===<br />
<br />
----<br />
<br />
=== Generic Attacks ===<br />
* [[GenericAttacksMerkleDamgaard| Generic Attacks on the Merkle-Damgaard Construction ]]<br />
<br />
----<br />
<br />
=== Collision Attacks ===<br />
<br />
----<br />
<br />
=== Second Preimage Attacks ===<br />
<br />
----<br />
<br />
=== Preimage Attacks ===<br />
<br />
<br />
----<br />
<br />
=== Others ===</div>Tnadhttps://ehash.iaik.tugraz.at/index.php?title=Parallel_FFT-Hash&diff=1905Parallel FFT-Hash2008-03-11T10:56:32Z<p>Tnad: /* Specification */</p>
<hr />
<div>== Specification ==<br />
<br />
<br />
* digest size: 128 bits<br />
* max. message length: < 2<sup>64</sup> bits<br />
* compression function: 128-bit message block, 256-bit chaining variable<br />
* Specification: <br />
<br />
<bibtex><br />
@inproceedings{fseSchnorrV93,<br />
author = {Claus-Peter Schnorr and Serge Vaudenay},<br />
title = {Parallel FFT-Hashing},<br />
pages = {149-156},<br />
editor = {Ross J. Anderson},<br />
booktitle = {FSE},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {809},<br />
year = {1994},<br />
isbn = {3-540-58108-1},<br />
url = {http://dx.doi.org/10.1007/3-540-58108-1_18},<br />
abstract = {We propose two families of scalable hash functions <br />
for collision-resistant hashing that are highly parallel and based <br />
on the generalized fast Fourier transform (FFT). FFT-hashing is based <br />
on multipermutations. This is a basic cryptographic primitive for <br />
perfect generation of diffusion and confusion which generalizes the <br />
boxes of the classic FFT. The slower FFT-hash functions iterate a <br />
compression function. For the faster FFT-hash functions all rounds are <br />
alike with the same number of message words entering each round.},<br />
}<br />
</bibtex><br />
<br />
== Cryptanalysis ==<br />
<br />
<br />
=== Best Known Results ===<br />
<br />
----<br />
<br />
=== Generic Attacks ===<br />
* [[GenericAttacksMerkleDamgaard| Generic Attacks on the Merkle-Damgaard Construction ]]<br />
<br />
----<br />
<br />
=== Collision Attacks ===<br />
<br />
----<br />
<br />
=== Second Preimage Attacks ===<br />
<br />
----<br />
<br />
=== Preimage Attacks ===<br />
<br />
<br />
----<br />
<br />
=== Others ===</div>Tnadhttps://ehash.iaik.tugraz.at/index.php?title=Parallel_FFT-Hash&diff=1889Parallel FFT-Hash2008-03-11T10:30:26Z<p>Tnad: /* Specification */</p>
<hr />
<div>== Specification ==<br />
<br />
<!-- <br />
* digest size: 160 bits<br />
* max. message length: < 2<sup>64</sup> bits<br />
* compression function: 512-bit message block, 160-bit chaining variable<br />
* Specification: <br />
--><br />
<br />
<bibtex><br />
@inproceedings{fseSchnorrV93,<br />
author = {Claus-Peter Schnorr and Serge Vaudenay},<br />
title = {Parallel FFT-Hashing},<br />
pages = {149-156},<br />
editor = {Ross J. Anderson},<br />
booktitle = {FSE},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {809},<br />
year = {1994},<br />
isbn = {3-540-58108-1},<br />
url = {http://dx.doi.org/10.1007/3-540-58108-1_18},<br />
abstract = {We propose two families of scalable hash functions <br />
for collision-resistant hashing that are highly parallel and based <br />
on the generalized fast Fourier transform (FFT). FFT-hashing is based <br />
on multipermutations. This is a basic cryptographic primitive for <br />
perfect generation of diffusion and confusion which generalizes the <br />
boxes of the classic FFT. The slower FFT-hash functions iterate a <br />
compression function. For the faster FFT-hash functions all rounds are <br />
alike with the same number of message words entering each round.},<br />
}<br />
</bibtex><br />
<br />
== Cryptanalysis ==<br />
<br />
<br />
=== Best Known Results ===<br />
<br />
----<br />
<br />
=== Generic Attacks ===<br />
* [[GenericAttacksMerkleDamgaard| Generic Attacks on the Merkle-Damgaard Construction ]]<br />
<br />
----<br />
<br />
=== Collision Attacks ===<br />
<br />
----<br />
<br />
=== Second Preimage Attacks ===<br />
<br />
----<br />
<br />
=== Preimage Attacks ===<br />
<br />
<br />
----<br />
<br />
=== Others ===</div>Tnadhttps://ehash.iaik.tugraz.at/index.php?title=Parallel_FFT-Hash&diff=1887Parallel FFT-Hash2008-03-11T10:28:01Z<p>Tnad: </p>
<hr />
<div>== Specification ==<br />
<br />
<!-- <br />
* digest size: 160 bits<br />
* max. message length: < 2<sup>64</sup> bits<br />
* compression function: 512-bit message block, 160-bit chaining variable<br />
* Specification: <br />
--><br />
<br />
== Cryptanalysis ==<br />
<br />
<br />
=== Best Known Results ===<br />
<br />
----<br />
<br />
=== Generic Attacks ===<br />
* [[GenericAttacksMerkleDamgaard| Generic Attacks on the Merkle-Damgaard Construction ]]<br />
<br />
----<br />
<br />
=== Collision Attacks ===<br />
<br />
----<br />
<br />
=== Second Preimage Attacks ===<br />
<br />
----<br />
<br />
=== Preimage Attacks ===<br />
<br />
<br />
----<br />
<br />
=== Others ===</div>Tnadhttps://ehash.iaik.tugraz.at/index.php?title=SHA-1&diff=1881SHA-12008-03-11T10:20:01Z<p>Tnad: /* Collision Attacks */</p>
<hr />
<div>== Specification ==<br />
<br />
* digest size: 160 bits<br />
* max. message length: < 2<sup>64</sup> bits<br />
* compression function: 512-bit message block, 160-bit chaining variable<br />
* Specification: [http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf FIPS 180-2 Secure Hash Standard]<br />
<br />
== Cryptanalysis ==<br />
<br />
=== Best Known Results ===<br />
<br />
The best collision attack on full SHA-1 was published by Wang et al. It has a complexity of 2<sup>69</sup> hash evaluations. The best collision example, a 70-step collision for SHA-1, was published by De Cannière, Mendel and Rechberger.<br />
----<br />
<br />
=== Collision Attacks ===<br />
<br />
<bibtex><br />
@inproceedings{sacryptCanniereMR07,<br />
author = {Christophe De Canni{\`e}re and Florian Mendel and Christian Rechberger},<br />
title = {Collisions for 70-Step SHA-1: On the Full Cost of Collision Search},<br />
booktitle = {Selected Areas in Cryptography},<br />
year = {2007},<br />
pages = {56-73},<br />
url = {http://dx.doi.org/10.1007/978-3-540-77360-3_4},<br />
editor = {Carlisle M. Adams and Ali Miri and Michael J. Wiener},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {4876},<br />
isbn = {978-3-540-77359-7},<br />
abstract = {The diversity of methods for fast collision search in SHA-1 and similar hash functions makes a comparison of them difficult. The literature is at times very vague on this issue, which makes comparison even harder. In situations where differences in estimates of attack complexity of a small factor might influence short-term recommendations of standardization bodies, uncertainties and ambiguities in the literature amounting to a similar order of magnitude are unhelpful. We survey different techniques and propose a simple but effective method to facilitate comparison. In a case study, we consider a newly developed attack on 70-step SHA-1, and give complexity estimates and performance measurements of this new and improved collision search method.},<br />
}<br />
</bibtex><br />
<bibtex><br />
@inproceedings{fseSugitaKPI07, <br />
author = {Makoto Sugita and Mitsuru Kawazoe and Ludovic Perret and Hideki Imai},<br />
title = {Algebraic Cryptanalysis of 58-Round SHA-1},<br />
pages = {349-365},<br />
url = {http://dx.doi.org/10.1007/978-3-540-74619-5_22},<br />
editor = {Alex Biryukov},<br />
booktitle = {FSE},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {4593},<br />
year = {2007},<br />
isbn = {978-3-540-74617-1},<br />
abstract = {In 2004, a new attack against SHA-1 has been proposed <br />
by a team leaded by Wang [15]. The aim of this article is to sophisticate <br />
and improve Wang’s attack by using algebraic techniques. We introduce <br />
new notions, namely semi-neutral bit and adjuster and propose then an <br />
improved message modification technique based on algebraic techniques. <br />
In the case of the 58-round SHA-1, the experimental complexity of our <br />
improved attack is 2<sup>31</sup> SHA-1 computations, whereas Wang’s method needs <br />
2<sup>34</sup> SHA-1 computations. We have found many new collisions for the 58-round SHA-1. <br />
We also study the complexity of our attack for the full SHA-1.}<br />
}<br />
</bibtex><br />
<bibtex><br />
@inproceedings{asiacryptCanniereR06,<br />
author = {Christophe De Canni{\`e}re and Christian Rechberger},<br />
title = {Finding SHA-1 Characteristics: General Results and Applications},<br />
pages = {1-20},<br />
url = {http://dx.doi.org/10.1007/11935230_1},<br />
editor = {Xuejia Lai and Kefei Chen},<br />
booktitle = {ASIACRYPT},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {4284},<br />
year = {2006},<br />
isbn = {3-540-49475-8},<br />
abstract = {The most efficient collision attacks on members of the SHA family presented so far all use complex characteristics which were manually constructed by Wang et al. In this report, we describe a method to search for characteristics in an automatic way. This is particularly useful for multi-block attacks, and as a proof of concept, we give a two-block collision for 64-step SHA-1 based on a new characteristic. The highest number of steps for which a SHA-1 collision was published so far was 58. We also give a unified view on the expected work factor of a collision search and the needed degrees of freedom for the search, which facilitates optimization.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{sacryptJutlaP06,<br />
author = {Charanjit S. Jutla and Anindya C. Patthak},<br />
title = {Provably Good Codes for Hash Function Design},<br />
booktitle = {Selected Areas in Cryptography},<br />
year = {2006},<br />
pages = {376-393},<br />
url = {http://dx.doi.org/10.1007/978-3-540-74462-7_26},<br />
editor = {Eli Biham and Amr M. Youssef},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {4356},<br />
isbn = {978-3-540-74461-0},<br />
abstract = {We develop a new technique to lower bound the minimum distance of quasi-cyclic codes with large dimension by reducing the problem to lower bounding the minimum distance of a few significantly smaller dimensional codes. Using this technique, we prove that a code which is similar to the SHA-1 message expansion code has minimum distance at least 82, and that too in just the last 64 of the 80 expanded words. Further the minimum weight in the last 60 words (last 48 words) is at least 75 (52 respectively). We expect our technique to be helpful in designing future practical collision-resistant hash functions. We also use the technique to find the minimum weight of the SHA-1 code (25 in the last 60 words), which was an open problem.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{sacryptPramstallerRR05a,<br />
author = {Norbert Pramstaller and Christian Rechberger and Vincent Rijmen},<br />
title = {Impact of Rotations in SHA-1 and Related Hash Functions},<br />
booktitle = {Selected Areas in Cryptography},<br />
year = {2005},<br />
pages = {261-275},<br />
url = {http://dx.doi.org/10.1007/11693383_18},<br />
editor = {Bart Preneel and Stafford E. Tavares},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {3897},<br />
isbn = {3-540-33108-5},<br />
abstract = {SHA-1 uses a single set of rotation constants within the compression function. However, most other members of the MD4 family of hash functions use multiple sets of rotation constants, i.e. the rotation amounts change with the step being processed. To our knowledge, no design rationales on the choice of rotation constants are given on any of these hash functions. This is the first paper that analyzes rotations in iterated hash functions. We focus on SHA-1-like hash functions and use recent developments in the analysis of these hash functions to evaluate the security implications of using multiple sets of rotation constants in the compression function instead of a single set. Additionally, we give some observations on the set of constants used in SHA-0 and SHA-1.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{ctrsaRijmenO05,<br />
author = {Vincent Rijmen and Elisabeth Oswald},<br />
title = {Update on SHA-1},<br />
booktitle = {CT-RSA},<br />
year = {2005},<br />
pages = {58-71},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
abstract = {We report on the experiments we performed in order to assess the security of SHA-1 against the attack by Chabaud and Joux [5]. We present some ideas for optimizations of the attack and some properties of the message expansion routine. Finally, we show that for a reduced version of SHA-1, with 53 rounds instead of 80, it is possible to find collisions in less than 2^80 operations.},<br />
url = {http://dx.doi.org/10.1007/b105222}}<br />
</bibtex><br />
----<br />
<br />
=== Preimage Attacks ===<br />
* We are not aware of any articles w.r.t. preimage attacks on SHA-1.<br />
----<br />
<br />
=== Others ===<br />
<bibtex><br />
@inproceedings{fseMendelPRR06a, <br />
author = {Florian Mendel and Norbert Pramstaller and Christian Rechberger and Vincent Rijmen},<br />
title = {The Impact of Carries on the Complexity of Collision Attacks on SHA-1},<br />
pages = {278-292},<br />
url = {http://dx.doi.org/10.1007/11799313_18},<br />
booktitle = {FSE},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {4047},<br />
year = {2006},<br />
isbn = {3-540-36597-4},<br />
abstract = {In this article we present a detailed analysis of <br />
the impact of carries on the estimation of the attack complexity <br />
for SHA-1. We build up on existing estimates and refine them. We <br />
show that the attack complexity is slightly lower than estimated <br />
in all published work to date. We point out that it is more accurate <br />
to consider probabilities instead of conditions.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{iswSatoh05,<br />
author = {Akashi Satoh},<br />
title = {Hardware Architecture and Cost Estimates for Breaking SHA-1},<br />
booktitle = {ISC},<br />
year = {2005},<br />
pages = {259-273},<br />
url = {http://dx.doi.org/10.1007/11556992_19},<br />
editor = {Jianying Zhou and Javier Lopez and Robert H. Deng and Feng Bao},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {3650},<br />
isbn = {3-540-29001-X},<br />
abstract = {The cryptanalysis of hash functions has advanced rapidly, and many hash functions have been broken one after another. The most popular hash function SHA-1 has not been broken yet, but the new collision search techniques proposed by Wang et al. reduced the computational complexity down to $2^{69}$, which is only 1/2,000 of the $2^{80}$ operations needed for a birthday attack. The complexity is still too large even for today's supercomputers, but no feasibility study of breaking SHA-1 using specialized hardware has been reported. The well known brute force attack on DES simply repeats the DES operation $2^{56}$ times at a maximum, but the complexity of $2^{69}$ hash operations to break SHA-1 does not mean $2^{69}$ SHA-1 operations. Complex procedures using SHA-1 functions are required, and the total number of operations based on the probability of a collision occurrence is almost equivalent to the $2^{69}$ SHA-1 operations. Therefore, we describe a procedure and propose an LSI architecture to find real collisions for SHA-1 in this paper. The hardware core was synthesized by using a 0.13-$\micro m$ CMOS standard cell library, and its performances in speed, size, and power consumption were evaluated. A \$10 million budget can build a custom hardware system that would consist of 303 personal computers with 16 circuit boards each, in which 32 SHA-1-breaking LSIs are mounted. Each LSI has 64 SHA-1 cores that can run in parallel. This system would find a real collision in 127 days.},<br />
}<br />
</bibtex><br />
<br />
----</div>
Tnad
https://ehash.iaik.tugraz.at/index.php?title=SHA-1&diff=1880
SHA-1
2008-03-11T10:19:44Z
<p>Tnad: /* Collision Attacks */</p>
<hr />
<div>== Specification ==<br />
<br />
* digest size: 160 bits<br />
* max. message length: < 2<sup>64</sup> bits<br />
* compression function: 512-bit message block, 160-bit chaining variable<br />
* Specification: [http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf FIPS 180-2 Secure Hash Standard]<br />
<br />
== Cryptanalysis ==<br />
<br />
=== Best Known Results ===<br />
<br />
The best collision attack on full SHA-1 was published by Wang et al. It has a complexity of 2<sup>69</sup> hash evaluations. The best collision example, a 70-step collision for SHA-1, was published by De Cannière, Mendel and Rechberger.<br />
----<br />
<br />
=== Collision Attacks ===<br />
<bibtex><br />
@inproceedings{fseSugitaKPI07, <br />
author = {Makoto Sugita and Mitsuru Kawazoe and Ludovic Perret and Hideki Imai},<br />
title = {Algebraic Cryptanalysis of 58-Round SHA-1},<br />
pages = {349-365},<br />
url = {http://dx.doi.org/10.1007/978-3-540-74619-5_22},<br />
editor = {Alex Biryukov},<br />
booktitle = {FSE},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {4593},<br />
year = {2007},<br />
isbn = {978-3-540-74617-1},<br />
abstract = {In 2004, a new attack against SHA-1 has been proposed <br />
by a team led by Wang [15]. The aim of this article is to sophisticate <br />
and improve Wang’s attack by using algebraic techniques. We introduce <br />
new notions, namely semi-neutral bit and adjuster and propose then an <br />
improved message modification technique based on algebraic techniques. <br />
In the case of the 58-round SHA-1, the experimental complexity of our <br />
improved attack is 2<sup>31</sup> SHA-1 computations, whereas Wang’s method needs <br />
2<sup>34</sup> SHA-1 computations. We have found many new collisions for the 58-round SHA-1. <br />
We also study the complexity of our attack for the full SHA-1.}<br />
}<br />
</bibtex><br />
<bibtex><br />
@inproceedings{sacryptCanniereMR07,<br />
author = {Christophe De Canni{\`e}re and Florian Mendel and Christian Rechberger},<br />
title = {Collisions for 70-Step SHA-1: On the Full Cost of Collision Search},<br />
booktitle = {Selected Areas in Cryptography},<br />
year = {2007},<br />
pages = {56-73},<br />
url = {http://dx.doi.org/10.1007/978-3-540-77360-3_4},<br />
editor = {Carlisle M. Adams and Ali Miri and Michael J. Wiener},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {4876},<br />
isbn = {978-3-540-77359-7},<br />
abstract = {The diversity of methods for fast collision search in SHA-1 and similar hash functions makes a comparison of them difficult. The literature is at times very vague on this issue, which makes comparison even harder. In situations where differences in estimates of attack complexity of a small factor might influence short-term recommendations of standardization bodies, uncertainties and ambiguities in the literature amounting to a similar order of magnitude are unhelpful. We survey different techniques and propose a simple but effective method to facilitate comparison. In a case study, we consider a newly developed attack on 70-step SHA-1, and give complexity estimates and performance measurements of this new and improved collision search method.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{asiacryptCanniereR06,<br />
author = {Christophe De Canni{\`e}re and Christian Rechberger},<br />
title = {Finding SHA-1 Characteristics: General Results and Applications},<br />
pages = {1-20},<br />
url = {http://dx.doi.org/10.1007/11935230_1},<br />
editor = {Xuejia Lai and Kefei Chen},<br />
booktitle = {ASIACRYPT},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {4284},<br />
year = {2006},<br />
isbn = {3-540-49475-8},<br />
abstract = {The most efficient collision attacks on members of the SHA family presented so far all use complex characteristics which were manually constructed by Wang et al. In this report, we describe a method to search for characteristics in an automatic way. This is particularly useful for multi-block attacks, and as a proof of concept, we give a two-block collision for 64-step SHA-1 based on a new characteristic. The highest number of steps for which a SHA-1 collision was published so far was 58. We also give a unified view on the expected work factor of a collision search and the needed degrees of freedom for the search, which facilitates optimization.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{sacryptJutlaP06,<br />
author = {Charanjit S. Jutla and Anindya C. Patthak},<br />
title = {Provably Good Codes for Hash Function Design},<br />
booktitle = {Selected Areas in Cryptography},<br />
year = {2006},<br />
pages = {376-393},<br />
url = {http://dx.doi.org/10.1007/978-3-540-74462-7_26},<br />
editor = {Eli Biham and Amr M. Youssef},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {4356},<br />
isbn = {978-3-540-74461-0},<br />
abstract = {We develop a new technique to lower bound the minimum distance of quasi-cyclic codes with large dimension by reducing the problem to lower bounding the minimum distance of a few significantly smaller dimensional codes. Using this technique, we prove that a code which is similar to the SHA-1 message expansion code has minimum distance at least 82, and that too in just the last 64 of the 80 expanded words. Further the minimum weight in the last 60 words (last 48 words) is at least 75 (52 respectively). We expect our technique to be helpful in designing future practical collision-resistant hash functions. We also use the technique to find the minimum weight of the SHA-1 code (25 in the last 60 words), which was an open problem.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{sacryptPramstallerRR05a,<br />
author = {Norbert Pramstaller and Christian Rechberger and Vincent Rijmen},<br />
title = {Impact of Rotations in SHA-1 and Related Hash Functions},<br />
booktitle = {Selected Areas in Cryptography},<br />
year = {2005},<br />
pages = {261-275},<br />
url = {http://dx.doi.org/10.1007/11693383_18},<br />
editor = {Bart Preneel and Stafford E. Tavares},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {3897},<br />
isbn = {3-540-33108-5},<br />
abstract = {SHA-1 uses a single set of rotation constants within the compression function. However, most other members of the MD4 family of hash functions use multiple sets of rotation constants, i.e. the rotation amounts change with the step being processed. To our knowledge, no design rationales on the choice of rotation constants are given on any of these hash functions. This is the first paper that analyzes rotations in iterated hash functions. We focus on SHA-1-like hash functions and use recent developments in the analysis of these hash functions to evaluate the security implications of using multiple sets of rotation constants in the compression function instead of a single set. Additionally, we give some observations on the set of constants used in SHA-0 and SHA-1.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{ctrsaRijmenO05,<br />
author = {Vincent Rijmen and Elisabeth Oswald},<br />
title = {Update on SHA-1},<br />
booktitle = {CT-RSA},<br />
year = {2005},<br />
pages = {58-71},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
abstract = {We report on the experiments we performed in order to assess the security of SHA-1 against the attack by Chabaud and Joux [5]. We present some ideas for optimizations of the attack and some properties of the message expansion routine. Finally, we show that for a reduced version of SHA-1, with 53 rounds instead of 80, it is possible to find collisions in less than 2^80 operations.},<br />
url = {http://dx.doi.org/10.1007/b105222},<br />
}<br />
</bibtex><br />
----<br />
<br />
=== Preimage Attacks ===<br />
* We are not aware of any articles w.r.t. preimage attacks on SHA-1.<br />
----<br />
<br />
=== Others ===<br />
<bibtex><br />
@inproceedings{fseMendelPRR06a, <br />
author = {Florian Mendel and Norbert Pramstaller and Christian Rechberger and Vincent Rijmen},<br />
title = {The Impact of Carries on the Complexity of Collision Attacks on SHA-1},<br />
pages = {278-292},<br />
url = {http://dx.doi.org/10.1007/11799313_18},<br />
booktitle = {FSE},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {4047},<br />
year = {2006},<br />
isbn = {3-540-36597-4},<br />
abstract = {In this article we present a detailed analysis of <br />
the impact of carries on the estimation of the attack complexity <br />
for SHA-1. We build up on existing estimates and refine them. We <br />
show that the attack complexity is slightly lower than estimated <br />
in all published work to date. We point out that it is more accurate <br />
to consider probabilities instead of conditions.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{iswSatoh05,<br />
author = {Akashi Satoh},<br />
title = {Hardware Architecture and Cost Estimates for Breaking SHA-1},<br />
booktitle = {ISC},<br />
year = {2005},<br />
pages = {259-273},<br />
url = {http://dx.doi.org/10.1007/11556992_19},<br />
editor = {Jianying Zhou and Javier Lopez and Robert H. Deng and Feng Bao},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {3650},<br />
isbn = {3-540-29001-X},<br />
abstract = {The cryptanalysis of hash functions has advanced rapidly, and many hash functions have been broken one after another. The most popular hash function SHA-1 has not been broken yet, but the new collision search techniques proposed by Wang et al. reduced the computational complexity down to $2^{69}$, which is only 1/2,000 of the $2^{80}$ operations needed for a birthday attack. The complexity is still too large even for today's supercomputers, but no feasibility study of breaking SHA-1 using specialized hardware has been reported. The well known brute force attack on DES simply repeats the DES operation $2^{56}$ times at a maximum, but the complexity of $2^{69}$ hash operations to break SHA-1 does not mean $2^{69}$ SHA-1 operations. Complex procedures using SHA-1 functions are required, and the total number of operations based on the probability of a collision occurrence is almost equivalent to the $2^{69}$ SHA-1 operations. Therefore, we describe a procedure and propose an LSI architecture to find real collisions for SHA-1 in this paper. The hardware core was synthesized by using a 0.13-$\micro m$ CMOS standard cell library, and its performances in speed, size, and power consumption were evaluated. A \$10 million budget can build a custom hardware system that would consist of 303 personal computers with 16 circuit boards each, in which 32 SHA-1-breaking LSIs are mounted. Each LSI has 64 SHA-1 cores that can run in parallel. This system would find a real collision in 127 days.},<br />
}<br />
</bibtex><br />
<br />
----</div>
Tnad
https://ehash.iaik.tugraz.at/index.php?title=MD4&diff=1874
MD4
2008-03-11T10:16:31Z
<p>Tnad: /* Collision Attacks */</p>
<hr />
<div>== Specification ==<br />
<br />
* digest size: 128 bits<br />
* max. message length: < 2<sup>64</sup> bits<br />
* compression function: 512-bit message block, 128-bit chaining variable<br />
* Specification:<br />
<bibtex><br />
@inproceedings{cryptoRivest90,<br />
author = {Ronald L. Rivest},<br />
title = {The MD4 Message Digest Algorithm},<br />
booktitle = {CRYPTO},<br />
year = {1990},<br />
pages = {303-311},<br />
url = {http://link.springer.de/link/service/series/0558/bibs/0537/05370303.htm},<br />
editor = {Alfred Menezes and Scott A. Vanstone},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {537},<br />
isbn = {3-540-54508-5},<br />
}<br />
</bibtex><br />
<br />
== Cryptanalysis ==<br />
<br />
<br />
=== Best Known Results ===<br />
<br />
----<br />
<br />
=== Generic Attacks ===<br />
* [[GenericAttacksMerkleDamgaard| Generic Attacks on the Merkle-Damgaard Construction ]]<br />
<br />
----<br />
<br />
=== Collision Attacks ===<br />
<bibtex><br />
@inproceedings{fseSasakiWOK07,<br />
author = {Yu Sasaki and Lei Wang and Kazuo Ohta and Noboru Kunihiro},<br />
title = {New Message Difference for MD4},<br />
pages = {329-348},<br />
url = {http://dx.doi.org/10.1007/978-3-540-74619-5_21},<br />
editor = {Alex Biryukov},<br />
booktitle = {FSE},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {4593},<br />
year = {2007},<br />
isbn = {978-3-540-74617-1},<br />
abstract = {This paper proposes several approaches to improve <br />
the collision attack on MD4 proposed by Wang et al. First, we <br />
propose a new local collision that is the best for the MD4 collision <br />
attack. Selection of a good message difference is the most important <br />
step in achieving effective collision attacks. This is the first paper <br />
to introduce an improvement to the message difference approach of <br />
Wang et al., where we propose a new local collision. Second, we propose <br />
a new algorithm for constructing differential paths. While similar <br />
algorithms have been proposed, they do not support the new local collision <br />
technique. Finally, we complete a collision attack, and show that the <br />
complexity is smaller than the previous best work.}<br />
} <br />
</bibtex><br />
<bibtex><br />
@inproceedings{fseLeurent07,<br />
author = {Gaëtan Leurent},<br />
title = {Message Freedom in MD4 and MD5 Collisions: Application to APOP},<br />
pages = {309-328},<br />
url = {http://dx.doi.org/10.1007/978-3-540-74619-5_20},<br />
editor = {Alex Biryukov},<br />
booktitle = {FSE},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {4593},<br />
year = {2007},<br />
isbn = {978-3-540-74617-1},<br />
abstract = {In Wang’s attack, message modifications allow to <br />
deterministically satisfy certain sufficient conditions to find <br />
collisions efficiently. Unfortunately, message modifications <br />
significantly change the messages and one has little control <br />
over the colliding blocks. In this paper, we show how to choose <br />
small parts of the colliding messages. Consequently, we break a <br />
security countermeasure proposed by Szydlo and Yin at CT-RSA ’06, <br />
where a fixed padding is added at the end of each block. Furthermore, <br />
we also apply this technique to recover part of the passwords in the <br />
Authentication Protocol of the Post Office Protocol (POP). This shows <br />
that collision attacks can be used to attack real protocols, which means that finding collisions is a real threat.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{eurocryptWangLFCY05,<br />
author = {Xiaoyun Wang and Xuejia Lai and Dengguo Feng and Hui Chen and Xiuyuan Yu},<br />
title = {Cryptanalysis of the Hash Functions MD4 and RIPEMD},<br />
booktitle = {EUROCRYPT},<br />
year = {2005},<br />
pages = {1-18},<br />
abstract = {MD4 is a hash function developed by Rivest in 1990. It serves as the basis for most of the dedicated hash functions such as MD5, SHAx, RIPEMD, and HAVAL. In 1996, Dobbertin showed how to find collisions of MD4 with complexity equivalent to 2<sup>20</sup> MD4 hash computations. In this paper, we present a new attack on MD4 which can find a collision with probability 2<sup>-2</sup> to 2<sup>-6</sup>, and the complexity of finding a collision doesn't exceed 2<sup>8</sup> MD4 hash operations. Built upon the collision search attack, we present a chosen-message pre-image attack on MD4 with complexity below 2<sup>8</sup>. Furthermore, we show that for a weak message, we can find another message that produces the same hash value. The complexity is only a single MD4 computation, and a random message is a weak message with probability 2<sup>-122</sup>. The attack on MD4 can be directly applied to RIPEMD which has two parallel copies of MD4, and the complexity of finding a collision is about 2<sup>18</sup> RIPEMD hash operations.},<br />
editor = {Ronald Cramer},<br />
volume = {3494},<br />
series = {LNCS},<br />
publisher = {Springer},<br />
isbn = {3-540-25910-4},<br />
url = {http://dx.doi.org/10.1007/11426639_1},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@article{jocDobbertin98,<br />
author = {Hans Dobbertin},<br />
title = {Cryptanalysis of MD4},<br />
journal = {J. Cryptology},<br />
volume = {11},<br />
number = {4},<br />
year = {1998},<br />
pages = {253-271},<br />
url = {http://link.springer.de/link/service/journals/00145/bibs/11n4p253.html},<br />
abstract = {In 1990 Rivest introduced the hash function MD4. Two years later RIPEMD, a European proposal, was designed as a stronger mode of MD4. In 1995 the author found an attack against two of three rounds of RIPEMD. As we show in the present note, the methods developed to attack RIPEMD can be modified and supplemented such that it is possible to break the full MD4, while previously only partial attacks were known. An implementation of our attack allows us to find collisions for MD4 in a few seconds on a PC. An example of a collision is given demonstrating that our attack is of practical relevance.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{fseDobbertin96,<br />
author = {Hans Dobbertin},<br />
title = {Cryptanalysis of MD4},<br />
pages = {53-69},<br />
editor = {Dieter Gollmann},<br />
booktitle = {FSE},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {1039},<br />
year = {1996},<br />
isbn = {3-540-60865-6},<br />
abstract = {In 1990 Rivest introduced the hash function MD4. Two years later RIPEMD,<br />
a European proposal, was designed as a stronger mode of MD4. In 1995 the<br />
author found an attack against two of three rounds of RIPEMD. As we show<br />
in the present note, the methods developed to attack RIPEMD can be modified<br />
and supplemented such that it is possible to break the full MD4, while <br />
previously only partial attacks were known. An implementation of our attack<br />
allows us to find collisions for MD4 in a few seconds on a PC. <br />
An example of a collision is given demonstrating that our attack is of practical relevance.},<br />
url = {http://dx.doi.org/10.1007/s001459900047}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{fseVaudenay94,<br />
author = {Serge Vaudenay},<br />
title = {On the Need for Multipermutations: Cryptanalysis of MD4 and SAFER},<br />
pages = {286-297},<br />
editor = {Bart Preneel},<br />
booktitle = {FSE},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {1008},<br />
year = {1995},<br />
abstract = {Cryptographic primitives are usually based on a network with boxes. <br />
At EUROCRYPT'94, Schnorr and the author of this paper claimed that<br />
all boxes should be multipermutations. Here, we investigate a few <br />
combinatorial properties of multipermutations. We argue that boxes which <br />
fail to be multipermutations can open the way to unsuspected attacks. <br />
We illustrate this statement with two examples. Firstly, <br />
we show how to construct collisions to MD4 restricted to<br />
its first two rounds. This allows one to forge digests close <br />
to each other using the full compression function of MD4. Secondly, <br />
we show that variants of SAFER are subject to attack faster than <br />
exhaustive search in 6.1% cases. This attack can be implemented if<br />
we decrease the number of rounds from 6 to 4.},<br />
url = {http://dx.doi.org/10.1007/3-540-60590-8_22}<br />
} <br />
</bibtex><br />
<br />
----<br />
<br />
=== Second Preimage Attacks ===<br />
<br />
----<br />
<br />
=== Preimage Attacks ===<br />
<br />
<bibtex><br />
@inproceedings{fseDobbertin98,<br />
owner = {tnad},<br />
author = {Hans Dobbertin},<br />
title = {The First Two Rounds of MD4 are Not One-Way},<br />
pages = {284-292},<br />
editor = {Serge Vaudenay},<br />
booktitle = {FSE},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {1372},<br />
year = {1998},<br />
isbn = {3-540-64265-X},<br />
abstract = {In [1] it was shown that there are very effective attacks leading<br />
to collisions for the hash function MD4 designed by R. Rivest [3].<br />
A summary of the status of hash functions of the MD4-family with respect to<br />
collision-resistance can be found in [2] and [4]. However, attacking the one-wayness<br />
of a hash function is a much more demanding challenge, and in case of success it has much more devastating<br />
consequences. No result along this line is known for MD4 and its <br />
successors. Therefore it is worth exploring how the recently developed <br />
new analytic methods for finding collisions can be applied to construct<br />
preimages or second preimages. As a first step, we state here the following partial result.},<br />
url = {http://dx.doi.org/10.1007/3-540-69710-1_19}<br />
}<br />
</bibtex><br />
<br />
----<br />
<br />
=== Others ===<br />
<bibtex><br />
@inproceedings{fseSchlafferO06,<br />
author = {Martin Schläffer and Elisabeth Oswald},<br />
title = {Searching for Differential Paths in MD4},<br />
pages = {242-261},<br />
url = {http://dx.doi.org/10.1007/11799313_16},<br />
booktitle = {FSE},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {4047},<br />
year = {2006},<br />
isbn = {3-540-36597-4},<br />
abstract = {The ground-breaking results of Wang et al. <br />
have attracted a lot of attention to the collision resistance<br />
of hash functions. In their articles, Wang et al. give input<br />
differences, differential paths and the corresponding conditions<br />
that allow to find collisions with a high probability. However, <br />
Wang et al. do not explain how these paths were found. The common <br />
assumption is that they were found by hand with a great deal of intuition. <br />
In this article, we present an algorithm that allows to find paths <br />
in an automated way. Our algorithm is successful for MD4. We have found <br />
over 1000 differential paths so far. Amongst them, there are paths that <br />
have fewer conditions in the second round than the path of Wang et al. <br />
for MD4. This makes them better suited for the message modification techniques <br />
that were also introduced by Wang et al.}<br />
}</div>
Tnad
https://ehash.iaik.tugraz.at/index.php?title=MD4&diff=1873
MD4
2008-03-11T10:16:19Z
<p>Tnad: /* Collision Attacks */</p>
<hr />
<div>== Specification ==<br />
<br />
* digest size: 128 bits<br />
* max. message length: < 2<sup>64</sup> bits<br />
* compression function: 512-bit message block, 128-bit chaining variable<br />
* Specification:<br />
<bibtex><br />
@inproceedings{cryptoRivest90,<br />
author = {Ronald L. Rivest},<br />
title = {The MD4 Message Digest Algorithm},<br />
booktitle = {CRYPTO},<br />
year = {1990},<br />
pages = {303-311},<br />
url = {http://link.springer.de/link/service/series/0558/bibs/0537/05370303.htm},<br />
editor = {Alfred Menezes and Scott A. Vanstone},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {537},<br />
isbn = {3-540-54508-5},<br />
}<br />
</bibtex><br />
<br />
== Cryptanalysis ==<br />
<br />
<br />
=== Best Known Results ===<br />
<br />
----<br />
<br />
=== Generic Attacks ===<br />
* [[GenericAttacksMerkleDamgaard| Generic Attacks on the Merkle-Damgaard Construction ]]<br />
<br />
----<br />
<br />
=== Collision Attacks ===<br />
<bibtex><br />
@inproceedings{fseSasakiWOK07,<br />
author = {Yu Sasaki and Lei Wang and Kazuo Ohta and Noboru Kunihiro},<br />
title = {New Message Difference for MD4},<br />
pages = {329-348},<br />
url = {http://dx.doi.org/10.1007/978-3-540-74619-5_21},<br />
editor = {Alex Biryukov},<br />
booktitle = {FSE},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {4593},<br />
year = {2007},<br />
isbn = {978-3-540-74617-1},<br />
abstract = {This paper proposes several approaches to improve <br />
the collision attack on MD4 proposed by Wang et al. First, we <br />
propose a new local collision that is the best for the MD4 collision <br />
attack. Selection of a good message difference is the most important <br />
step in achieving effective collision attacks. This is the first paper <br />
to introduce an improvement to the message difference approach of <br />
Wang et al., where we propose a new local collision. Second, we propose <br />
a new algorithm for constructing differential paths. While similar <br />
algorithms have been proposed, they do not support the new local collision <br />
technique. Finally, we complete a collision attack, and show that the <br />
complexity is smaller than the previous best work.}<br />
} <br />
</bibtex><br />
<bibtex><br />
@inproceedings{fseLeurent07,<br />
author = {Gaëtan Leurent},<br />
title = {Message Freedom in MD4 and MD5 Collisions: Application to APOP},<br />
pages = {309-328},<br />
url = {http://dx.doi.org/10.1007/978-3-540-74619-5_20},<br />
editor = {Alex Biryukov},<br />
booktitle = {FSE},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {4593},<br />
year = {2007},<br />
isbn = {978-3-540-74617-1},<br />
abstract = {In Wang’s attack, message modifications allow to <br />
deterministically satisfy certain sufficient conditions to find <br />
collisions efficiently. Unfortunately, message modifications <br />
significantly change the messages and one has little control <br />
over the colliding blocks. In this paper, we show how to choose <br />
small parts of the colliding messages. Consequently, we break a <br />
security countermeasure proposed by Szydlo and Yin at CT-RSA ’06, <br />
where a fixed padding is added at the end of each block. Furthermore, <br />
we also apply this technique to recover part of the passwords in the <br />
Authentication Protocol of the Post Office Protocol (POP). This shows <br />
that collision attacks can be used to attack real protocols, which means that finding collisions is a real threat.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{eurocryptWangLFCY05,<br />
author = {Xiaoyun Wang and Xuejia Lai and Dengguo Feng and Hui Chen and Xiuyuan Yu},<br />
title = {Cryptanalysis of the Hash Functions MD4 and RIPEMD},<br />
booktitle = {EUROCRYPT},<br />
year = {2005},<br />
pages = {1-18},<br />
abstract = {MD4 is a hash function developed by Rivest in 1990. It serves as the basis for most of the dedicated hash functions such as MD5, SHAx, RIPEMD, and HAVAL. In 1996, Dobbertin showed how to find collisions of MD4 with complexity equivalent to 2<sup>20</sup> MD4 hash computations. In this paper, we present a new attack on MD4 which can find a collision with probability 2<sup>-2</sup> to 2<sup>-6</sup>, and the complexity of finding a collision doesn't exceed 2<sup>8</sup> MD4 hash operations. Built upon the collision search attack, we present a chosen-message pre-image attack on MD4 with complexity below 2<sup>8</sup>. Furthermore, we show that for a weak message, we can find another message that produces the same hash value. The complexity is only a single MD4 computation, and a random message is a weak message with probability 2<sup>-122</sup>. The attack on MD4 can be directly applied to RIPEMD which has two parallel copies of MD4, and the complexity of finding a collision is about 2<sup>18</sup> RIPEMD hash operations.},<br />
editor = {Ronald Cramer},<br />
volume = {3494},<br />
series = {LNCS},<br />
publisher = {Springer},<br />
isbn = {3-540-25910-4},<br />
url = {http://dx.doi.org/10.1007/11426639_1},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@article{jocDobbertin98,<br />
author = {Hans Dobbertin},<br />
title = {Cryptanalysis of MD4},<br />
journal = {J. Cryptology},<br />
volume = {11},<br />
number = {4},<br />
year = {1998},<br />
pages = {253-271},<br />
url = {http://link.springer.de/link/service/journals/00145/bibs/11n4p253.html},<br />
abstract = {In 1990 Rivest introduced the hash function MD4. Two years later RIPEMD, a European proposal, was designed as a stronger mode of MD4. In 1995 the author found an attack against two of three rounds of RIPEMD. As we show in the present note, the methods developed to attack RIPEMD can be modified and supplemented such that it is possible to break the full MD4, while previously only partial attacks were known. An implementation of our attack allows us to find collisions for MD4 in a few seconds on a PC. An example of a collision is given demonstrating that our attack is of practical relevance.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{fseDobbertin96,<br />
author = {Hans Dobbertin},<br />
title = {Cryptanalysis of MD4},<br />
pages = {53-69},<br />
editor = {Dieter Gollmann},<br />
booktitle = {FSE},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {1039},<br />
year = {1996},<br />
isbn = {3-540-60865-6},<br />
abstract = {In 1990 Rivest introduced the hash function MD4. Two years later RIPEMD,<br />
a European proposal, was designed as a stronger mode of MD4. In 1995 the<br />
author found an attack against two of three rounds of RIPEMD. As we show<br />
in the present note, the methods developed to attack RIPEMD can be modified<br />
and supplemented such that it is possible to break the full MD4, while <br />
previously only partial attacks were known. An implementation of our attack<br />
allows us to find collisions for MD4 in a few seconds on a PC. <br />
An example of a collision is given demonstrating that our attack is of practical relevance.},<br />
url = {http://dx.doi.org/10.1007/s001459900047}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{fseVaudenay94,
author = {Serge Vaudenay},
title = {On the Need for Multipermutations: Cryptanalysis of MD4 and SAFER},
pages = {286--297},
editor = {Bart Preneel},
booktitle = {FSE},
publisher = {Springer},
series = {LNCS},
volume = {1008},
year = {1995},
abstract = {Cryptographic primitives are usually based on a network with boxes.
At EUROCRYPT'94, Schnorr and the author of this paper claimed that
all boxes should be multipermutations. Here, we investigate a few
combinatorial properties of multipermutations. We argue that boxes which
fail to be multipermutations can open the way to unsuspected attacks.
We illustrate this statement with two examples. Firstly,
we show how to construct collisions to MD4 restricted to
its first two rounds. This allows one to forge digests close
to each other using the full compression function of MD4. Secondly,
we show that variants of SAFER are subject to attack faster than
exhaustive search in 6.1% of cases. This attack can be implemented if
we decrease the number of rounds from 6 to 4.},
url = {http://dx.doi.org/10.1007/3-540-60590-8_22}
}
</bibtex>

----

=== Second Preimage Attacks ===

----

=== Preimage Attacks ===

<bibtex>
@inproceedings{fseDobbertin98,
owner = {tnad},
author = {Hans Dobbertin},
title = {The First Two Rounds of MD4 are Not One-Way},
pages = {284--292},
editor = {Serge Vaudenay},
booktitle = {FSE},
publisher = {Springer},
series = {LNCS},
volume = {1372},
year = {1998},
isbn = {3-540-64265-X},
abstract = {In [1] it was shown that there are very effective attacks leading
to collisions for the hash function MD4 designed by R. Rivest [3].
A summary of the status of hash functions of the MD4-family with respect to
collision-resistance can be found in [2] and [4]. However, attacking the one-wayness
of a hash function is a much more demanding challenge, and in case of success it has much more devastating
consequences. No result along this line is known for MD4 and its
successors. Therefore it is worth exploring how the recently developed
new analytic methods for finding collisions can be applied to construct
preimages or second preimages. As a first step, we state here the following partial result.},
url = {http://dx.doi.org/10.1007/3-540-69710-1_19}
}
</bibtex>

----

=== Others ===

<bibtex>
@inproceedings{fseSchlafferO06,
author = {Martin Schläffer and Elisabeth Oswald},
title = {Searching for Differential Paths in MD4},
pages = {242--261},
url = {http://dx.doi.org/10.1007/11799313_16},
booktitle = {FSE},
publisher = {Springer},
series = {LNCS},
volume = {4047},
year = {2006},
isbn = {3-540-36597-4},
abstract = {The ground-breaking results of Wang et al.
have attracted a lot of attention to the collision resistance
of hash functions. In their articles, Wang et al. give input
differences, differential paths and the corresponding conditions
that allow one to find collisions with a high probability. However,
Wang et al. do not explain how these paths were found. The common
assumption is that they were found by hand with a great deal of intuition.
In this article, we present an algorithm that allows one to find paths
in an automated way. Our algorithm is successful for MD4. We have found
over 1000 differential paths so far. Amongst them, there are paths that
have fewer conditions in the second round than the path of Wang et al.
for MD4. This makes them better suited for the message modification techniques
that were also introduced by Wang et al.}
}</div>Tnad
