Difference between revisions of "CubeHash"
From The ECRYPT Hash Function Website
(tables split + designer's analysis) |
(References sorted) |
||
| Line 116: | Line 116: | ||
| − | + | <bibtex> | |
| + | @misc{cryptoeprint:2009:407, | ||
| + | author = {Benjamin Bloom and Alan Kaminsky}, | ||
| + | title = {Single Block Attacks and Statistical Tests on CubeHash}, | ||
| + | howpublished = {Cryptology ePrint Archive, Report 2009/407}, | ||
| + | year = {2009}, | ||
| + | note = {\url{http://eprint.iacr.org/}}, | ||
| + | abstract = {This paper describes a second preimage attack on the CubeHash cryptographic one-way hash function. The attack finds a second preimage in less time than brute force search for these CubeHash variants: CubeHash $r$/$b$-224 for $b > 100$; CubeHash$r$/$b$-256 for $b > 96$; CubeHash$r$/$b$-384 for $b > 80$; and CubeHash$r$/$b$-512 for $b > 64$. However, the attack does not break the CubeHash variants recommended for SHA-3. The attack requires minimal memory and can be performed in a massively parallel fashion. This paper also describes several statistical randomness tests on CubeHash. The tests were unable to disprove the hypothesis that CubeHash behaves as a random mapping. These results support CubeHash's viability as a secure cryptographic hash function.}, | ||
| + | } | ||
| + | </bibtex> | ||
<bibtex> | <bibtex> | ||
| − | @ | + | @misc{cubehashBKMP09b, |
| − | + | author = {Eric Brier and Shahram Khazaei and Willi Meier and Thomas Peyrin}, | |
| − | + | title = {Linearization Framework for Collision Attacks: Application to CubeHash and MD6}, | |
| − | + | howpublished = {Cryptology ePrint Archive, Report 2009/382}, | |
| − | + | year = {2009}, | |
| − | + | url = {http://eprint.iacr.org/2009/382.pdf}, | |
| − | + | note = {\url{http://eprint.iacr.org/}}, | |
| − | + | abstract = {In this paper, an improved differential cryptanalysis framework for finding collisions in hash functions is provided. Its principle is based on linearization of compression functions in order to find low weight differential characteristics as initiated by Chabaud and Joux. This is formalized and refined however in several ways: for the problem of finding a conforming message pair whose differential trail follows a linear trail, a condition function is introduced so that finding a collision is equivalent to finding a preimage of the zero vector for the condition function. Then, the dependency table concept shows how much influence every input bit of the condition function has on its output bits. Careful analysis of the dependency table reveals degrees of freedom that can be exploited in accelerated preimage reconstruction of the condition function. These concepts are applied to an in-depth collision analysis of reduced-round versions of the two SHA-3 candidates CubeHash and MD6, and are demonstrated to give by far the best currently known collision attacks on these SHA-3 candidates.}, | |
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | - | ||
| − | - | ||
| − | |||
} | } | ||
</bibtex> | </bibtex> | ||
<bibtex> | <bibtex> | ||
| − | @misc{ | + | @misc{cubehashBKMP09a, |
| − | author = { | + | author = {Eric Brier and Shahram Khazaei and Willi Meier and Thomas Peyrin}, |
| − | title = { | + | title = {Real Collisions for CubeHash-4/48}, |
| − | url | + | url = {http://ehash.iaik.tugraz.at/uploads/5/50/Bkmp_ch448.txt}, |
| − | howpublished = { | + | howpublished = {NIST mailing list (local link)}, |
| − | year | + | year = {2009}, |
} | } | ||
</bibtex> | </bibtex> | ||
<bibtex> | <bibtex> | ||
| − | @misc{ | + | @misc{cubehashBKMP09a, |
| − | author = { | + | author = {Eric Brier and Shahram Khazaei and Willi Meier and Thomas Peyrin}, |
| − | title = { | + | title = {Real Collisions for CubeHash-4/64}, |
| − | url = {http://ehash.iaik.tugraz.at/uploads/ | + | url = {http://ehash.iaik.tugraz.at/uploads/9/93/Bkmp_ch464.txt}, |
howpublished = {NIST mailing list (local link)}, | howpublished = {NIST mailing list (local link)}, | ||
| − | year = { | + | year = {2009}, |
} | } | ||
</bibtex> | </bibtex> | ||
<bibtex> | <bibtex> | ||
| − | @misc{ | + | @misc{cubehashBKMP09, |
| − | author = { | + | author = {Eric Brier and Shahram Khazaei and Willi Meier and Thomas Peyrin}, |
| − | title = { | + | title = {Attack for CubeHash-2/2 and collision for CubeHash-3/64}, |
| − | url = {http:// | + | url = {http://ehash.iaik.tugraz.at/uploads/3/3a/Peyrin_ch22_ch364.txt}, |
| − | howpublished = { | + | howpublished = {NIST mailing list (local link)}, |
| − | year = { | + | year = {2009}, |
| − | |||
} | } | ||
</bibtex> | </bibtex> | ||
| Line 196: | Line 192: | ||
<bibtex> | <bibtex> | ||
| − | @misc{ | + | @misc{cubehashD08, |
| − | author = { | + | author = {Wei Dai}, |
| − | title = { | + | title = {Collisions for CubeHash1/45 and CubeHash2/89}, |
| − | url = {http:// | + | url = {http://www.cryptopp.com/sha3/cubehash.pdf}, |
| − | howpublished = { | + | howpublished = {Available online}, |
| − | year = { | + | year = {2008}, |
| + | abstract = {Collisions were found for the hash functions CubeHash1/45-512 and CubeHash2/89-512. Attack code is included.}, | ||
} | } | ||
</bibtex> | </bibtex> | ||
<bibtex> | <bibtex> | ||
| − | @misc{ | + | @misc{cubehashA08, |
| − | author = { | + | author = {Jean-Philippe Aumasson}, |
| − | title = { | + | title = {Collision for CubeHash2/120-512}, |
| − | url = {http://ehash.iaik.tugraz.at/uploads/ | + | url = {http://ehash.iaik.tugraz.at/uploads/a/a9/Cubehash.txt}, |
howpublished = {NIST mailing list (local link)}, | howpublished = {NIST mailing list (local link)}, | ||
| − | year = { | + | year = {2008}, |
} | } | ||
</bibtex> | </bibtex> | ||
<bibtex> | <bibtex> | ||
| − | @misc{ | + | @misc{cubehashKNW08, |
| − | author = { | + | author = {Dmitry Khovratovich and Ivica Nikolic' and Ralf-Philipp Weinmann}, |
| − | title = { | + | title = {Preimage attack on CubeHash512-r/4 and CubeHash512-r/8}, |
| − | url = {http://ehash.iaik.tugraz.at/uploads/ | + | url = {http://ehash.iaik.tugraz.at/uploads/6/6c/Cubehash.pdf}, |
| − | howpublished = { | + | howpublished = {Available online}, |
| − | year = { | + | year = {2008}, |
} | } | ||
</bibtex> | </bibtex> | ||
<bibtex> | <bibtex> | ||
| − | @ | + | @inproceedings{cubehashAMPP09, |
| − | + | author = {Jean-Philippe Aumasson and Eric Brier and Willi Meier and María Naya-Plasencia and Thomas Peyrin}, | |
| − | + | title = {Inside the Hypercube}, | |
| − | + | booktitle = {ACISP}, | |
| − | + | publisher = {Springer}, | |
| − | + | editor = {Colin Boyd and Juan Manuel Gonz{\'a}lez Nieto}, | |
| − | + | series = {LNCS}, | |
| − | + | pages = {202-213}, | |
| − | + | volume = {5594}, | |
| − | + | url = {http://www.131002.net/data/papers/ABMNP08.pdf}, | |
| − | + | year = {2009}, | |
| − | + | abstract = {Bernstein’s CubeHash is a hash function family that includes four functions submitted to the NIST Hash Competition. A CubeHash function is parametrized by a number of rounds r, a block byte size b, and a digest bit length h. The 1024-bit internal state of CubeHash is represented as a five-dimension hypercube. Submissions to NIST have r = 8, b = 1, and $h \in {224, 256, 384, 512}$. | |
| − | + | This paper gives the first external analysis of CubeHash, with | |
| − | + | - improved standard generic attacks for collisions and preimages | |
| − | + | - a multicollision attack that exploits fixed points | |
| − | + | - a study of the round function symmetries | |
| − | + | - a preimage attack that exploits these symmetries | |
| − | + | - a practical collision attack on a weakened version of CubeHash | |
| − | + | - high-probability truncated differentials over the 8-round transform | |
| + | Our results do not contradict the security claims about CubeHash.}, | ||
} | } | ||
</bibtex> | </bibtex> | ||
Revision as of 11:14, 15 February 2010
1 The algorithm
- Author(s): Dan Bernstein
- Website: http://cubehash.cr.yp.to/
- NIST submission package:
- round 1: CubeHash.zip
- round 2: CubeHash_Round2.zip
Daniel J. Bernstein - CubeHash specification (2.B.1)
- ,2009
- http://cubehash.cr.yp.to/submission2/spec.pdf
BibtexAuthor : Daniel J. Bernstein
Title : CubeHash specification (2.B.1)
In : -
Address :
Date : 2009
Daniel J. Bernstein - CubeHash parameter tweak: 16 times faster
- ,2009
- http://cubehash.cr.yp.to/submission/tweak.pdf
BibtexAuthor : Daniel J. Bernstein
Title : CubeHash parameter tweak: 16 times faster
In : -
Address :
Date : 2009
Daniel J. Bernstein - CubeHash Specification (2.B.1)
- ,2008
- http://cubehash.cr.yp.to/submission/spec.pdf
BibtexAuthor : Daniel J. Bernstein
Title : CubeHash Specification (2.B.1)
In : -
Address :
Date : 2008
2 Cryptanalysis
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.
A description of the tables is given here.
2.1 Hash function
Here we list results on the actual hash function. The only allowed modification is to change the security parameter.
Recommended security parameters: r/b = 16/32 (n=224,256); 16/1 (n=384,512)
| Type of Analysis | Hash Size (n) | Parameters/Variants | Compression Function Calls | Memory Requirements | Reference |
| collision | 512 | 7/64 | 2203 | - | Brier,Khazaei,Meier,Peyrin |
| collision | all | 4/48 | example (237) | - | Brier,Khazaei,Meier,Peyrin |
| collision | all | 4/64 | example (234) | - | Brier,Khazaei,Meier,Peyrin |
| collision | all | 3/64 | example (224) | - | Brier,Khazaei,Meier,Peyrin |
| collision | 512 | 2/2 | 2196 | - | Brier,Khazaei,Meier,Peyrin |
| collision | 512 | 5/64 | 2231 | - | Brier,Peyrin |
| collision | all | 3/64 | 289 | - | Brier,Peyrin |
| collision | 512 | 4/3 | 2207 | - | Brier,Peyrin |
| collision | 384,512 | 4/4 | 2189 | - | Brier,Peyrin |
| collision | all | 2/3 | 246 | - | Brier,Peyrin |
| collision | 512 | 2/4 | example | - | Brier,Peyrin |
| collision | 512 | 1/45, 2/89 | example | - | Dai |
| collision | 512 | 2/120 | example | - | Aumasson |
| preimage | 512 | r/8 | 2480 | - | Khovratovich,Nikolic',Weinmann |
| preimage | 512 | r/4 | 2496 | - | Khovratovich,Nikolic',Weinmann |
| preimage | 512 | 2511 | 2508 | Khovratovich,Nikolic',Weinmann | |
| preimage | all | 2513-4b | - | Aumasson,Meier,Naya-Plasencia,Peyrin | |
| collision | all | 2521-4b-log b | - | submission document | |
| preimage | all | 2522-4b-log b | - | submission document |
2.2 Building blocks
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks).
| Type of Analysis | Hash Function Part | Hash Size (n) | Parameters/Variants | Compression Function Calls | Memory Requirements | Reference |
| observations | hash | all | Bloom,Kaminsky | |||
| multi-collision | hash | all | 2513-4b | - | Aumasson,Meier,Naya-Plasencia,Peyrin | |
| observations | permutation | all | Aumasson,Meier,Naya-Plasencia,Peyrin |
Benjamin Bloom, Alan Kaminsky - Single Block Attacks and Statistical Tests on CubeHash
Eric Brier, Shahram Khazaei, Willi Meier, Thomas Peyrin - Linearization Framework for Collision Attacks: Application to CubeHash and MD6
- ,2009
- http://eprint.iacr.org/2009/382.pdf
BibtexAuthor : Eric Brier, Shahram Khazaei, Willi Meier, Thomas Peyrin
Title : Linearization Framework for Collision Attacks: Application to CubeHash and MD6
In : -
Address :
Date : 2009
Eric Brier, Shahram Khazaei, Willi Meier, Thomas Peyrin - Real Collisions for CubeHash-4/48
- ,2009
- http://ehash.iaik.tugraz.at/uploads/5/50/Bkmp_ch448.txt
BibtexAuthor : Eric Brier, Shahram Khazaei, Willi Meier, Thomas Peyrin
Title : Real Collisions for CubeHash-4/48
In : -
Address :
Date : 2009
Eric Brier, Shahram Khazaei, Willi Meier, Thomas Peyrin - Real Collisions for CubeHash-4/64
- ,2009
- http://ehash.iaik.tugraz.at/uploads/9/93/Bkmp_ch464.txt
BibtexAuthor : Eric Brier, Shahram Khazaei, Willi Meier, Thomas Peyrin
Title : Real Collisions for CubeHash-4/64
In : -
Address :
Date : 2009
Eric Brier, Shahram Khazaei, Willi Meier, Thomas Peyrin - Attack for CubeHash-2/2 and collision for CubeHash-3/64
- ,2009
- http://ehash.iaik.tugraz.at/uploads/3/3a/Peyrin_ch22_ch364.txt
BibtexAuthor : Eric Brier, Shahram Khazaei, Willi Meier, Thomas Peyrin
Title : Attack for CubeHash-2/2 and collision for CubeHash-3/64
In : -
Address :
Date : 2009
Eric Brier, Thomas Peyrin - Cryptanalysis of CubeHash
- ,2009
- http://thomas.peyrin.googlepages.com/BrierPeyrinCubehash.pdf
BibtexAuthor : Eric Brier, Thomas Peyrin
Title : Cryptanalysis of CubeHash
In : -
Address :
Date : 2009
Wei Dai - Collisions for CubeHash1/45 and CubeHash2/89
- ,2008
- http://www.cryptopp.com/sha3/cubehash.pdf
BibtexAuthor : Wei Dai
Title : Collisions for CubeHash1/45 and CubeHash2/89
In : -
Address :
Date : 2008
Jean-Philippe Aumasson - Collision for CubeHash2/120-512
- ,2008
- http://ehash.iaik.tugraz.at/uploads/a/a9/Cubehash.txt
BibtexAuthor : Jean-Philippe Aumasson
Title : Collision for CubeHash2/120-512
In : -
Address :
Date : 2008
Dmitry Khovratovich, Ivica Nikolic', Ralf-Philipp Weinmann - Preimage attack on CubeHash512-r/4 and CubeHash512-r/8
- ,2008
- http://ehash.iaik.tugraz.at/uploads/6/6c/Cubehash.pdf
BibtexAuthor : Dmitry Khovratovich, Ivica Nikolic', Ralf-Philipp Weinmann
Title : Preimage attack on CubeHash512-r/4 and CubeHash512-r/8
In : -
Address :
Date : 2008
Jean-Philippe Aumasson, Eric Brier, Willi Meier, María Naya-Plasencia, Thomas Peyrin - Inside the Hypercube
