Attacks on Round-Reduced BLAKE

Abstract. BLAKE is a new hash family proposed for the SHA-3 competition. The core of its compression function reuses the core function of the stream cipher ChaCha, and a round-dependent permutation is used as the message schedule. BLAKE is claimed to achieve full diffusion after 2 rounds. However, the message words can still be controlled during the first several rounds. By exploiting properties of the message permutation, we can attack 2.5 reduced rounds. The results do not threaten the security claimed in the specification.

1 Description of BLAKE

The hash family BLAKE [1] includes four instances: BLAKE-28, BLAKE-32, BLAKE-48 and BLAKE-64. BLAKE-28 and BLAKE-32 operate on 32-bit words and output 224-bit and 256-bit digests; BLAKE-48 and BLAKE-64 operate on 64-bit words and output 384-bit and 512-bit digests. We give a short description of BLAKE-32 using the same notation as [1].

The compression function of BLAKE-32 takes four values as input:

– a previous chain value (8 words) $h^{t-1} = h^{t-1}_0, \dots, h^{t-1}_7$
– a message block (16 words) $m = m_0, \dots, m_{15}$
– a salt (4 words) $s = s_0, \dots, s_3$
– a counter (2 words) $t = t_0, t_1$

The compression function is written as

$$h = \mathrm{compress}(h^{t-1}, m, s, t)$$

A 16-word state $v_0, \dots, v_{15}$ is initialized such that different inputs produce different initial states. The state is represented as a $4 \times 4$ matrix and initialized as follows:

$$
\begin{pmatrix}
v_0 & v_1 & v_2 & v_3 \\
v_4 & v_5 & v_6 & v_7 \\
v_8 & v_9 & v_{10} & v_{11} \\
v_{12} & v_{13} & v_{14} & v_{15}
\end{pmatrix}
\leftarrow
\begin{pmatrix}
h_0 & h_1 & h_2 & h_3 \\
h_4 & h_5 & h_6 & h_7 \\
s_0 \oplus c_0 & s_1 \oplus c_1 & s_2 \oplus c_2 & s_3 \oplus c_3 \\
t_0 \oplus c_4 & t_1 \oplus c_5 & t_0 \oplus c_6 & t_1 \oplus c_7
\end{pmatrix}
$$

After initialization, the state $v$ is transformed by a round function, which first applies $G$ to the four columns and then to the four diagonals of the matrix:

$G_0(v_0, v_4, v_8, v_{12})$  $G_1(v_1, v_5, v_9, v_{13})$  $G_2(v_2, v_6, v_{10}, v_{14})$  $G_3(v_3, v_7, v_{11}, v_{15})$
$G_4(v_0, v_5, v_{10}, v_{15})$  $G_5(v_1, v_6, v_{11}, v_{12})$  $G_6(v_2, v_7, v_8, v_{13})$  $G_7(v_3, v_4, v_9, v_{14})$