
We present cryptanalyses of the original version of the AURORA-512 hash function, a round-1 SHA-3 candidate. Our attacks exploit weaknesses in the narrow-pipe mode of operation of AURORA-512 named "Double-Mix Merkle-Damgård (DMMD)." The current best collision attack, proposed by Joux and Lucks, only gives rough complexity estimates; we first evaluate its precise complexity and show how to optimize it. Secondly, we point out that the current best second-preimage attack, proposed by Ferguson and Lucks, does not work with the claimed complexity of 2^{291}, and we evaluate the complexity at which the attack succeeds with high probability. We also show that the second-preimage attack can be applied to the randomized hashing scheme. Finally, we present a key-recovery attack on HMAC-AURORA-512 that reveals the 512-bit secret key with 2^{257} queries, 2^{259} AURORA-512 operations, and negligible memory. Universal forgery on HMAC-AURORA-384 is also possible by combining the second-preimage and inner-key-recovery attacks.

- Publication
- IEICE TRANSACTIONS on Fundamentals Vol.E94-A No.1 pp.121-128

- Publication Date
- 2011/01/01

- Publicized

- Online ISSN
- 1745-1337

- DOI
- 10.1587/transfun.E94.A.121

- Type of Manuscript
- Special Section PAPER (Special Section on Cryptography and Information Security)

- Category
- Hash Function

The copyright of the original papers published on this site belongs to IEICE. Unauthorized use of the original or translated papers is prohibited. See IEICE Provisions on Copyright for details.


Yu SASAKI, "Cryptanalyses of Double-Mix Merkle-Damgård Mode in the Original Version of AURORA-512" in IEICE TRANSACTIONS on Fundamentals,
vol. E94-A, no. 1, pp. 121-128, January 2011, doi: 10.1587/transfun.E94.A.121.


URL: https://global.ieice.org/en_transactions/fundamentals/10.1587/transfun.E94.A.121/_p


@ARTICLE{e94-a_1_121,
  author={Yu SASAKI},
  journal={IEICE TRANSACTIONS on Fundamentals},
  title={Cryptanalyses of Double-Mix Merkle-Damgård Mode in the Original Version of AURORA-512},
  year={2011},
  volume={E94-A},
  number={1},
  pages={121-128},
  abstract={We present cryptanalyses of the original version of AURORA-512 hash function, which is a round-1 SHA-3 candidate. Our attack exploits weaknesses in a narrow-pipe mode of operation of AURORA-512 named "Double-Mix Merkle-Damgård (DMMD)." The current best collision attack proposed by Joux and Lucks only gives rough complexity estimations. We first evaluate its precise complexity and show its optimization. Secondly, we point out that the current best second-preimage attack proposed by Ferguson and Lucks does not work with the claimed complexity of 2^{291}. We then evaluate a complexity so that the attack can work with a high success probability. We also show that the second-preimage attack can be used to attack the randomized hashing scheme. Finally, we present a key-recovery attack on HMAC-AURORA-512, which reveals 512-bit secret keys with 2^{257} queries, 2^{259} AURORA-512 operations, and negligible memory. The universal forgery on HMAC-AURORA-384 is also possible by combining the second-preimage and inner-key-recovery attacks.},
  keywords={},
  doi={10.1587/transfun.E94.A.121},
  ISSN={1745-1337},
  month={January},
}


TY - JOUR

TI - Cryptanalyses of Double-Mix Merkle-Damgård Mode in the Original Version of AURORA-512

T2 - IEICE TRANSACTIONS on Fundamentals

SP - 121

EP - 128

AU - Yu SASAKI

PY - 2011

DO - 10.1587/transfun.E94.A.121

JO - IEICE TRANSACTIONS on Fundamentals

SN - 1745-1337

VL - E94-A

IS - 1

JA - IEICE TRANSACTIONS on Fundamentals

Y1 - January 2011

AB - We present cryptanalyses of the original version of AURORA-512 hash function, which is a round-1 SHA-3 candidate. Our attack exploits weaknesses in a narrow-pipe mode of operation of AURORA-512 named "Double-Mix Merkle-Damgård (DMMD)." The current best collision attack proposed by Joux and Lucks only gives rough complexity estimations. We first evaluate its precise complexity and show its optimization. Secondly, we point out that the current best second-preimage attack proposed by Ferguson and Lucks does not work with the claimed complexity of 2^{291}. We then evaluate a complexity so that the attack can work with a high success probability. We also show that the second-preimage attack can be used to attack the randomized hashing scheme. Finally, we present a key-recovery attack on HMAC-AURORA-512, which reveals 512-bit secret keys with 2^{257} queries, 2^{259} AURORA-512 operations, and negligible memory. The universal forgery on HMAC-AURORA-384 is also possible by combining the second-preimage and inner-key-recovery attacks.

ER -