Difference between revisions of "AURORA"
From The ECRYPT Hash Function Website
m (Unorangized key-recovery)
(12 intermediate revisions by 3 users not shown)
Line 2: | Line 2: | ||
* Author(s): Tetsu Iwata, Kyoji Shibutani, Taizo Shirai, Shiho Moriai, Toru Akishita | * Author(s): Tetsu Iwata, Kyoji Shibutani, Taizo Shirai, Shiho Moriai, Toru Akishita | ||
− | + | * Website: [http://www.sony.net/aurora/ http://www.sony.net/aurora/] | |
− | * Website: | ||
− | |||
* NIST submission package: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/AURORA.zip AURORA.zip] | * NIST submission package: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/AURORA.zip AURORA.zip] | ||
<bibtex> | <bibtex> | ||
− | @misc{ | + | @misc{sha3IwataSSM+08, |
− | author = {Tetsu Iwata | + | author = {Tetsu Iwata and Kyoji Shibutani and Taizo Shirai and Shiho Moriai and Toru Akishita}, |
title = {AURORA: A Cryptographic Hash Algorithm Family}, | title = {AURORA: A Cryptographic Hash Algorithm Family}, | ||
− | url = {}, | + | url = {http://ehash.iaik.tugraz.at/uploads/b/ba/AURORA.pdf}, |
howpublished = {Submission to NIST}, | howpublished = {Submission to NIST}, | ||
year = {2008}, | year = {2008}, | ||
} | } | ||
</bibtex> | </bibtex> | ||
+ | |||
== Cryptanalysis == | == Cryptanalysis == | ||
− | + | {| border="1" cellpadding="4" cellspacing="0" class="wikitable" style="text-align:center" | |
+ | |- style="background:#efefef;" | ||
+ | | Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference | ||
+ | |- | ||
+ | | style="background:orange" | 2nd preimage || hash || 512 || || 2<sup>291</sup> || 2<sup>31.5</sup> || [http://eprint.iacr.org/2009/113.pdf Ferguson, Lucks] | ||
+ | |- | ||
+ | | style="background:greenyellow" | collision || hash || 512 || || 2<sup>249</sup> || - || [http://eprint.iacr.org/2009/113.pdf Ferguson, Lucks] | ||
+ | |- | ||
+ | | style="background:yellow" | collision || hash || 512 || || 2<sup>234.5</sup> || 2<sup>229.6</sup> || [http://eprint.iacr.org/2009/113.pdf Ferguson, Lucks] | ||
+ | |- | ||
+ | | style="background:yellow" | 2nd preimage || hash || 512 || || 2<sup>291</sup> || 2<sup>288</sup> || [http://eprint.iacr.org/2009/112.pdf Sasaki] | ||
+ | |- | ||
+ | | style="background:yellow" | collision || hash || 512 || || 2<sup>236</sup> || 2<sup>236</sup> || [http://eprint.iacr.org/2009/106.pdf Sasaki] | ||
+ | |- | ||
+ | | | key-recovery || HMAC || 512 || || 2<sup>259</sup> || - || [http://eprint.iacr.org/2009/125.pdf Sasaki] | ||
+ | |- | ||
+ | |} | ||
+ | |||
+ | A description of this table is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here]. | ||
+ | |||
+ | |||
+ | <bibtex> | ||
+ | @misc{cryptoeprint:2009:113, | ||
+ | author = {Niels Ferguson and Stefan Lucks}, | ||
+ | title = {Attacks on AURORA-512 and the Double-Mix Merkle-Damgaard Transform}, | ||
+ | howpublished = {Cryptology ePrint Archive, Report 2009/113}, | ||
+ | year = {2009}, | ||
+ | note = {\url{http://eprint.iacr.org/}}, | ||
+ | url = {http://eprint.iacr.org/2009/113.pdf}, | ||
+ | abstract = {We analyse the Double-Mix Merkle-Damgaard construction (DMMD) used in the AURORA family of hash functions. We show that DMMD falls short of providing the expected level of security. Specifically, we are able to find 2nd pre-images for AURORA-512 in time 2^{291}, and collisions in time 2^{234.4}. A limited-memory variant finds collisions in time 2^{249}.}, | ||
+ | } | ||
+ | </bibtex> | ||
+ | |||
+ | <bibtex> | ||
+ | @misc{cryptoeprint:2009:112, | ||
+ | author = {Yu Sasaki}, | ||
+ | title = {A 2nd-Preimage Attack on AURORA-512}, | ||
+ | howpublished = {Cryptology ePrint Archive, Report 2009/112}, | ||
+ | year = {2009}, | ||
+ | note = {\url{http://eprint.iacr.org/}}, | ||
+ | url = {http://eprint.iacr.org/2009/112.pdf}, | ||
+ | abstract = {In this note, we present a 2nd-preimage attack on AURORA-512, which is one of the candidates for SHA-3. Our attack can generate 2nd-preimages of any given message, in particular, the attack complexity becomes optimal when the message length is 9 blocks or more. In such a case, the attack complexity is approximately $2^{290}$ AURORA-512 operations, which is less than the brute force attack on AURORA-512, namely, $2^{512-\log_2{9}}\approx2^{508}$. Our attack exploits some weakness in the mode of operation.}, | ||
+ | } | ||
+ | </bibtex> | ||
+ | |||
+ | <bibtex> | ||
+ | @misc{cryptoeprint:2009:106, | ||
+ | author = {Yu Sasaki}, | ||
+ | title = {A Collision Attack on AURORA-512}, | ||
+ | howpublished = {Cryptology ePrint Archive, Report 2009/106}, | ||
+ | year = {2009}, | ||
+ | note = {\url{http://eprint.iacr.org/}}, | ||
+ | url ={http://eprint.iacr.org/2009/106.pdf}, | ||
+ | abstract = { In this note, we present a collision attack on AURORA-512, which is one of the candidates for SHA-3. The attack complexity is approximately $2^{236}$ AURORA-512 operations, which is less than the birthday bound of AURORA-512, namely, $2^{256}$. Our attack exploits some weakness in the mode of operation.}, | ||
+ | } | ||
+ | </bibtex> | ||
+ | |||
+ | <bibtex> | ||
+ | @misc{cryptoeprint:2009:125, | ||
+ | author = {Yu Sasaki}, | ||
+ | title = {A Full Key Recovery Attack on HMAC-AURORA-512}, | ||
+ | howpublished = {Cryptology ePrint Archive, Report 2009/125}, | ||
+ | year = {2009}, | ||
+ | note = {\url{http://eprint.iacr.org/}}, | ||
+ | abstract = {In this note, we present a full key recovery attack on HMAC-AURORA-512 when 512-bit secret keys are used and the MAC length is 512-bit long. Our attack requires $2^{257}$ queries and the off-line complexity is $2^{259}$ AURORA-512 operations, which is significantly less than the complexity of the exhaustive search for a 512-bit key. The attack can be carried out with a negligible amount of memory. Our attack can also recover the inner-key of HMAC-AURORA-384 with almost the same complexity as in HMAC-AURORA-512. This attack does not recover the outer-key of HMAC-AURORA-384, but universal forgery is possible by combining the inner-key recovery and 2nd-preimage attacks. Our attack exploits some weaknesses in the mode of operation. } | ||
+ | } | ||
+ | </bibtex> |
Latest revision as of 11:26, 27 March 2009
1 The algorithm
- Author(s): Tetsu Iwata, Kyoji Shibutani, Taizo Shirai, Shiho Moriai, Toru Akishita
- Website: http://www.sony.net/aurora/
- NIST submission package: AURORA.zip
Tetsu Iwata, Kyoji Shibutani, Taizo Shirai, Shiho Moriai, Toru Akishita. AURORA: A Cryptographic Hash Algorithm Family. Submission to NIST, 2008. http://ehash.iaik.tugraz.at/uploads/b/ba/AURORA.pdf
2 Cryptanalysis
Type of Analysis | Hash Function Part | Hash Size (n) | Parameters/Variants | Compression Function Calls | Memory Requirements | Reference
2nd preimage | hash | 512 | | 2^291 | 2^31.5 | Ferguson, Lucks
collision | hash | 512 | | 2^249 | - | Ferguson, Lucks
collision | hash | 512 | | 2^234.5 | 2^229.6 | Ferguson, Lucks
2nd preimage | hash | 512 | | 2^291 | 2^288 | Sasaki
collision | hash | 512 | | 2^236 | 2^236 | Sasaki
key-recovery | HMAC | 512 | | 2^259 | - | Sasaki
A description of this table is given at http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables.
Niels Ferguson, Stefan Lucks. Attacks on AURORA-512 and the Double-Mix Merkle-Damgaard Transform. Cryptology ePrint Archive, Report 2009/113, 2009. http://eprint.iacr.org/2009/113.pdf
Yu Sasaki. A 2nd-Preimage Attack on AURORA-512. Cryptology ePrint Archive, Report 2009/112, 2009. http://eprint.iacr.org/2009/112.pdf
Yu Sasaki. A Collision Attack on AURORA-512. Cryptology ePrint Archive, Report 2009/106, 2009. http://eprint.iacr.org/2009/106.pdf
Yu Sasaki - A Full Key Recovery Attack on HMAC-AURORA-512