Difference between revisions of "AURORA"

From The ECRYPT Hash Function Website
m
m (Unorganized key-recovery)
 
(11 intermediate revisions by 3 users not shown)
Line 2: Line 2:
  
 
* Author(s): Tetsu Iwata, Kyoji Shibutani, Taizo Shirai, Shiho Moriai, Toru Akishita
 
* Author(s): Tetsu Iwata, Kyoji Shibutani, Taizo Shirai, Shiho Moriai, Toru Akishita
<!--
+
* Website: [http://www.sony.net/aurora/ http://www.sony.net/aurora/]
* Website:
 
-->
 
 
* NIST submission package: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/AURORA.zip AURORA.zip]
 
* NIST submission package: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/AURORA.zip AURORA.zip]
  
  
 
<bibtex>
 
<bibtex>
@misc{sha3ISSMA,
+
@misc{sha3IwataSSM+08,
   author    = {Tetsu Iwata, Kyoji Shibutani, Taizo Shirai, Shiho Moriai, Toru Akishita},
+
   author    = {Tetsu Iwata and Kyoji Shibutani and Taizo Shirai and Shiho Moriai and Toru Akishita},
 
   title    = {AURORA: A Cryptographic Hash Algorithm Family},
 
   title    = {AURORA: A Cryptographic Hash Algorithm Family},
 
   url        = {http://ehash.iaik.tugraz.at/uploads/b/ba/AURORA.pdf},
 
   url        = {http://ehash.iaik.tugraz.at/uploads/b/ba/AURORA.pdf},
Line 17: Line 15:
 
}
 
}
 
</bibtex>
 
</bibtex>
 +
  
 
== Cryptanalysis ==
 
== Cryptanalysis ==
  
* None yet
+
{| border="1" cellpadding="4" cellspacing="0" class="wikitable" style="text-align:center"                 
 +
|- style="background:#efefef;"                 
 +
|    Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements ||  Reference
 +
|-                                       
 +
|  style="background:orange" | 2nd preimage || hash || 512 ||  || 2<sup>291</sup> || 2<sup>31.5</sup> || [http://eprint.iacr.org/2009/113.pdf Ferguson, Lucks]
 +
|-                                                   
 +
|  style="background:greenyellow" | collision || hash || 512 ||  || 2<sup>249</sup> || - || [http://eprint.iacr.org/2009/113.pdf Ferguson, Lucks]
 +
|-                                                   
 +
|  style="background:yellow" | collision || hash || 512 ||  || 2<sup>234.5</sup> || 2<sup>229.6</sup> || [http://eprint.iacr.org/2009/113.pdf Ferguson, Lucks]
 +
|-                                                   
 +
|  style="background:yellow" | 2nd preimage || hash || 512 ||  || 2<sup>291</sup> || 2<sup>288</sup> || [http://eprint.iacr.org/2009/112.pdf Sasaki]
 +
|-                                                   
 +
|  style="background:yellow" | collision || hash || 512 ||  || 2<sup>236</sup> || 2<sup>236</sup> || [http://eprint.iacr.org/2009/106.pdf Sasaki]
 +
|- 
 +
|  | key-recovery || HMAC || 512 ||  || 2<sup>259</sup> || - || [http://eprint.iacr.org/2009/125.pdf Sasaki]
 +
|-
 +
|}                   
 +
 
 +
A description of this table is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].
 +
 
 +
 
 +
<bibtex>
 +
@misc{cryptoeprint:2009:113,
 +
    author = {Niels Ferguson and Stefan Lucks},
 +
    title = {Attacks on AURORA-512 and the Double-Mix Merkle-Damgaard Transform},
 +
    howpublished = {Cryptology ePrint Archive, Report 2009/113},
 +
    year = {2009},
 +
    note = {\url{http://eprint.iacr.org/}},
 +
    url = {http://eprint.iacr.org/2009/113.pdf},
 +
    abstract = {We analyse the Double-Mix Merkle-Damgaard construction (DMMD) used in the AURORA family of hash functions. We show that DMMD falls short of providing the expected level of security. Specifically, we are able to find 2nd pre-images for AURORA-512 in time 2^{291}, and collisions in time 2^{234.4}. A limited-memory variant finds collisions in time 2^{249}.},
 +
}
 +
</bibtex>
 +
 
 +
<bibtex>
 +
@misc{cryptoeprint:2009:112,
 +
    author = {Yu Sasaki},
 +
    title = {A 2nd-Preimage Attack on AURORA-512},
 +
    howpublished = {Cryptology ePrint Archive, Report 2009/112},
 +
    year = {2009},
 +
    note = {\url{http://eprint.iacr.org/}},
 +
    url = {http://eprint.iacr.org/2009/112.pdf},
 +
    abstract = {In this note, we present a 2nd-preimage attack on AURORA-512, which is one of the candidates for SHA-3. Our attack can generate 2nd-preimages of any given message, in particular, the attack complexity becomes optimal when the message length is 9 blocks or more. In such a case, the attack complexity is approximately $2^{290}$ AURORA-512 operations, which is less than the brute force attack on AURORA-512, namely, $2^{512-\log_2{9}}\approx2^{508}$. Our attack exploits some weakness in the mode of operation.},
 +
}
 +
</bibtex>
 +
 
 +
<bibtex>
 +
@misc{cryptoeprint:2009:106,
 +
    author = {Yu Sasaki},
 +
    title = {A Collision Attack on AURORA-512},
 +
    howpublished = {Cryptology ePrint Archive, Report 2009/106},
 +
    year = {2009},
 +
    note = {\url{http://eprint.iacr.org/}},
 +
    url ={http://eprint.iacr.org/2009/106.pdf},
 +
    abstract = { In this note, we present a collision attack on AURORA-512, which is one of the candidates for SHA-3. The attack complexity is approximately $2^{236}$ AURORA-512 operations, which is less than the birthday bound of AURORA-512, namely, $2^{256}$. Our attack exploits some weakness in the mode of operation.},
 +
}
 +
</bibtex>
 +
 
 +
<bibtex>
 +
@misc{cryptoeprint:2009:125,
 +
    author = {Yu Sasaki},
 +
    title = {A Full Key Recovery Attack on HMAC-AURORA-512},
 +
    howpublished = {Cryptology ePrint Archive, Report 2009/125},
 +
    year = {2009},
 +
    note = {\url{http://eprint.iacr.org/}},
 +
    abstract = {In this note, we present a full key recovery attack on HMAC-AURORA-512 when 512-bit secret keys are used and the MAC length is 512-bit long. Our attack requires $2^{257}$ queries and the off-line complexity is $2^{259}$ AURORA-512 operations, which is significantly less than the complexity of the exhaustive search for a 512-bit key. The attack can be carried out with a negligible amount of memory. Our attack can also recover the inner-key of HMAC-AURORA-384 with almost the same complexity as in HMAC-AURORA-512. This attack does not recover the outer-key of HMAC-AURORA-384, but universal forgery is possible by combining the inner-key recovery and 2nd-preimage attacks. Our attack exploits some weaknesses in the mode of operation. }
 +
}
 +
</bibtex>
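Review bot: the complexities entered in the new table rows do not all agree with the abstracts pasted into the same revision. The Ferguson-Lucks collision row lists 2<sup>234.5</sup> compression function calls while their abstract states collisions in time 2^{234.4}, and the Sasaki 2nd-preimage row lists 2<sup>291</sup> while the 2009/112 abstract states approximately $2^{290}$; check each figure against the cited paper and use one value consistently in the table and the entry. The cryptoeprint:2009:125 entry is also the only one of the four without a url field, although the key-recovery table row already links http://eprint.iacr.org/2009/125.pdf; adding `url = {http://eprint.iacr.org/2009/125.pdf},` keeps the entries uniform.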

Latest revision as of 11:26, 27 March 2009

1 The algorithm


Tetsu Iwata, Kyoji Shibutani, Taizo Shirai, Shiho Moriai, Toru Akishita - AURORA: A Cryptographic Hash Algorithm Family, 2008. http://ehash.iaik.tugraz.at/uploads/b/ba/AURORA.pdf


2 Cryptanalysis

Type of Analysis | Hash Function Part | Hash Size (n) | Parameters/Variants | Compression Function Calls | Memory Requirements | Reference
2nd preimage | hash | 512 | | 2^291 | 2^31.5 | Ferguson, Lucks
collision | hash | 512 | | 2^249 | - | Ferguson, Lucks
collision | hash | 512 | | 2^234.5 | 2^229.6 | Ferguson, Lucks
2nd preimage | hash | 512 | | 2^291 | 2^288 | Sasaki
collision | hash | 512 | | 2^236 | 2^236 | Sasaki
key-recovery | HMAC | 512 | | 2^259 | - | Sasaki

A description of this table is given at http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables.


Niels Ferguson, Stefan Lucks - Attacks on AURORA-512 and the Double-Mix Merkle-Damgaard Transform. Cryptology ePrint Archive, Report 2009/113, 2009. http://eprint.iacr.org/2009/113.pdf

Yu Sasaki - A 2nd-Preimage Attack on AURORA-512. Cryptology ePrint Archive, Report 2009/112, 2009. http://eprint.iacr.org/2009/112.pdf

Yu Sasaki - A Collision Attack on AURORA-512. Cryptology ePrint Archive, Report 2009/106, 2009. http://eprint.iacr.org/2009/106.pdf

Yu Sasaki - A Full Key Recovery Attack on HMAC-AURORA-512. Cryptology ePrint Archive, Report 2009/125, 2009. http://eprint.iacr.org/2009/125.pdf