Semi-free start collision attack on Blender
Authors
Abstract
Blender is a cryptographic hash function submitted to NIST's SHA3 competition. We have found a semi-free start collision attack on Blender with trivial complexity. One pair of semi-free start collision messages with zero initial values is presented.

1. Description of Blender

The hash function Blender consists of two procedures: preparing the message and computing the hash. Blender has four variants, according to the bit length of the digest (224, 256, 384, 512). The procedures differ only slightly among the four variants, and the attack approach presented in this paper is almost the same for each of them. So here we give only a brief description of Blender-256, with a digest length of 256 bits.

Blender-256 uses eight 32-bit state variables, a0 to a7, eight 32-bit result variables, H0 to H7, and two single-bit carry variables, c1 and c2; these constitute the "state" of the algorithm carried from round to round. The algorithm also uses three 32-bit intermediate values, T, T1 and T2, and one intermediate integer value r used to hold a rotation factor.

The preparing message procedure of Blender-256 has 5 steps.

Step 1: Padding. The message M to be hashed, with a length of l bits, is padded to P with p bytes, where p = (l + 7) >> 3. If the length of the message M is an exact multiple of 8 bits, no padding is added and the padded message P is identical to the original message M. Otherwise, the complement of the last bit of the message is appended repeatedly until the resulting length reaches the next exact multiple of 8 bits. The amount of padding added is at most seven bits.

Step 2: Filling. The fill data F is the padded message P truncated to 13 bytes if necessary, unless the message M has zero length, in which case F is 13 bytes of all zeros. The amount of fill data to be appended to the padded message depends on the block size and the message length. For the details of filling, please refer to the specification of Blender [1].

Step 3: Appending the Message Lengths. After the message has been filled to the appropriate length, the message length as held in the byte array L is appended to the message. The single byte ll, the length of the length, is then appended to the result to complete the assembled message. The latter should be two 32-bit words short of an exact multiple of the block size.

Step 4: Parsing the Assembled Message. After a message has been assembled as described above, it must be parsed into a number of 32-bit words before the hash computation can begin. The first byte of the message becomes the least significant byte of the first 32-bit word, and successive bytes of the message become the progressively higher order bytes within the word. Successive words are defined similarly.

Step 5: Appending the Checksums. The final step in preparing the message is to append two 32-bit checksum words. The first checksum is the complement of the sum modulo 2 of all the 32-bit words in the parsed message. The second checksum is the sum modulo 2 of the complement of all the 32-bit words in the parsed message.

The hash computing procedure includes 2 steps.

Step 1: Initialization. Before hash computation begins, the working variables, a0 to a7, are initialized to the following eight 32-bit words in hex:

    a0 = 6a09e667
    a1 = bb67ae85
    a2 = 3c6ef372
    a3 = a54ff53a
    a4 = 510e527f
    a5 = 9b05688c
    a6 = 1f83d9ab
    a7 = 5be0cd19

Step 2: Round function.

1. Compute the preliminary intermediate values using add-with-carry:

    [c1,T1] = ( a5 ⊕ Wt ) + ( a1 ⊕ ROTL^8(a3) ) + c1
    [c2,T2] = ( a0 ⊕ ROTR (Wt) ) + ( a4 ⊕ ROTR^8(a2) ) + c2

where Wt is the t-th 32-bit word of the result of the preparing message procedure.

2. Compute the rotation factor:

    r = 8 - (c1 + c2)

3. Rotate the intermediate values:

    T1 = ROTL (T1)
    T2 = ROTR (T2)

4. Compute the next state:

    T = ROTR^7(a0)
    a0 = a1 ⊕ T2
    a1 = a2 ⊕ T1
    a2 = a3 ⊕ T2
    a3 = a4 ⊕ T1
    a4 = a5 ⊕ T2
    a5 = a6 ⊕ T1
    a6 = a7 ⊕ T2
    a7 = T ⊕ T1

5. Update the hash result variables:

    H0 = H0 + a0
    H1 = H1 + a1
    H2 = H2 + a2
    H3 = H3 + a3
    H4 = H4 + a4
    H5 = H5 + a5
    H6 = H6 + a6
    H7 = H7 + a7

After repeating step 2 for each word in the prepared message, the resulting 256-bit message digest of the message M is H0 || H1 || H2 || H3 || H4 || H5 || H6 || H7.
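The round function listed above, written out as an added Python sketch (not code from the paper or from the Blender submission) so the state can be traced from a caller-chosen initial value, which is the freedom a semi-free start setting grants. Assumptions, since the page's text does not give them: step 3 rotates by r, the rotation applied to Wt is passed in as wt_rot, the H additions are modulo 2^32, and H and the carries start at zero.

```python
MASK = 0xFFFFFFFF
# Initial working variables for Blender-256 as listed on the page.
IV256 = [0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
         0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19]

def rotl(x, n):
    """Rotate a 32-bit word left by n bits."""
    n %= 32
    return ((x << n) | (x >> (32 - n))) & MASK if n else x

def rotr(x, n):
    """Rotate a 32-bit word right by n bits."""
    return rotl(x, 32 - (n % 32))

def add_with_carry(x, y, c):
    """Return (carry_out, 32-bit sum) of x + y + c."""
    s = x + y + c
    return s >> 32, s & MASK

def round_step(a, h, c1, c2, w, wt_rot):
    """One round over word w; returns the new (a, h, c1, c2).
    wt_rot is the rotation applied to Wt. Its amount is missing from the
    page's text, so the caller supplies it (assumption)."""
    c1, t1 = add_with_carry(a[5] ^ w, a[1] ^ rotl(a[3], 8), c1)
    c2, t2 = add_with_carry(a[0] ^ rotr(w, wt_rot), a[4] ^ rotr(a[2], 8), c2)
    r = 8 - (c1 + c2)                  # rotation factor: 6, 7 or 8
    t1, t2 = rotl(t1, r), rotr(t2, r)  # assumption: step 3 rotates by r
    t = rotr(a[0], 7)
    a = [a[1] ^ t2, a[2] ^ t1, a[3] ^ t2, a[4] ^ t1,
         a[5] ^ t2, a[6] ^ t1, a[7] ^ t2, t ^ t1]
    h = [(hi + ai) & MASK for hi, ai in zip(h, a)]  # assumption: mod 2^32
    return a, h, c1, c2

def absorb(words, iv, wt_rot, h0=None, c1=0, c2=0):
    """Run the round over prepared 32-bit words from a caller-chosen IV.
    Zero starting values for H and the carries are assumptions."""
    a, h = list(iv), list(h0 or [0] * 8)
    for w in words:
        a, h, c1, c2 = round_step(a, h, c1, c2, w, wt_rot)
    return a, h, c1, c2
```

Calling absorb with IV256 follows the specified initialization; passing any other iv models the semi-free start setting, where the chaining value is chosen rather than fixed.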
Similar resources
Collisions and Semi-Free-Start Collisions for Round-Reduced RIPEMD-160
In this paper, we propose an improved cryptanalysis of the double-branch hash function RIPEMD-160 standardized by ISO/IEC. Firstly, we show how to theoretically calculate the step differential probability of RIPEMD-160, which was stated as an open problem by Mendel et al. at ASIACRYPT 2013. Secondly, based on the method proposed by Mendel et al. to automatically find a differential path of RIPE...
Improving Local Collisions: New Attacks on Reduced SHA-256
In this paper, we focus on the construction of semi-free-start collisions for SHA-256, and show how to turn them into collisions. We present a collision attack on 28 steps of the hash function with practical complexity. Using a two-block approach we are able to turn a semi-freestart collision into a collision for 31 steps with a complexity of at most 2. The main improvement of our work is to ex...
Rebound Attack on Reduced-Round Versions of JH
JH, designed by Wu, is one of the 14 second round candidates in the NIST Hash Competition. This paper presents the first analysis results of JH by using rebound attack. We first investigate a variant of the JH hash function family for d = 4 and describe how the attack works. Then, we apply the attack for d = 8, which is the version submitted to the competition. As a result, we obtain a semi-fre...
Improved Collision Attacks on the Reduced-Round Grøstl Hash Function
We analyze the Grøstl hash function, which is a 2nd-round candidate of the SHA-3 competition. Using the start-from-the-middle variant of the rebound technique, we show collision attacks on the Grøstl-256 hash function reduced to 5 and 6 out of 10 rounds with time complexities 2 and 2, respectively. Furthermore, we demonstrate semi-free-start collision attacks on the Grøstl-224 and -256 hash fun...
Cryptanalysis of Reduced-Round Whirlwind (Full Version)
The Whirlwind hash function, which outputs a 512-bit digest, was designed by Barreto et al. and published by Design, Codes and Cryptography in 2010. In this paper, we provide a thorough cryptanalysis on Whirlwind. Firstly, we focus on security properties at the hash function level by presenting (second) preimage, collision and distinguishing attacks on reduced-round Whirlwind. In order to launc...
Journal title:
- IACR Cryptology ePrint Archive
Volume 2008, Issue
Pages -
Publication date 2008