MD6 [17] is one of the earliest announced SHA-3 candidates, presented by Rivest at CRYPTO’08 [16]. Since then, MD6 has received a fair share of attention and has resisted several initial cryptanalytic

We describe pseudo-collision and pseudo-(second) preimage attacks on the SHA-3 candidate Blue Midnight Wish. The complexity of the pseudo-collision attack is around 2, and the complexity of the pseudo-(second) preimage attack is around 2.

In this paper, we explain the design choices of Panama [8] and RadioGatún [1], which lead to Keccak [3]. After a brief recall of Panama, RadioGatún and the trail backtracking cost, we focus on three important aspects. First, we explain the role of the belt in the light of differential trails. Second, we discuss the relative advantages of a block mode hash function compared to a stream mode one....

On October 2-nd 2012 NIST announced its selection of the Keccak scheme as the new SHA-3 hash standard. In this paper we present the first published collision finding attacks on reduced-round versions of Keccak-384 and Keccak-512, providing actual collisions for 3-round versions, and describing attacks which are much faster than birthday attacks for 4-round Keccak-384. For Keccak-256, we increas...

Keccak is one of the five hash functions selected for the final round of the SHA-3 competition and its inner primitive is a permutation called Keccakf . In this paper, we find that for the inverse of the only one nonlinear transformation of Keccak-f , the algebraic degrees of any output coordinate and of the product of any two output coordinates are both 3 and also 2 less than its size 5. Combi...

We introduce internal differential boomerang distinguisher as a combination of internal differentials and classical boomerang distinguishers. The new boomerangs can be successful against cryptographic primitives having high-probability round-reduced internal differential characteristics. The internal differential technique, which follow the evolution of differences between parts of the state, i...

In this paper, an improved differential cryptanalysis framework for finding collisions in hash functions is provided. Its principle is based on linearization of compression functions in order to find low weight differential characteristics as initiated by Chabaud and Joux. This is formalized and refined however in several ways: for the problem of finding a conforming message pair whose differen...

In this work, we introduce a new non-random property for hash/compression functions using the theory of higher order differentials. Based on this, we show a second-order differential collision for the compression function of SHA-256 reduced to 47 out of 64 steps with practical complexity. We have implemented the attack and provide an example. Our results suggest that the security margin of SHA-...

The SHA-3 competition organized by NIST [1] aims to find a new hash standard as a replacement of SHA-2. Till now, 14 submissions have been selected as the second round candidates, including Skein and BLAKE, both of which have components based on modular addition, rotation and bitwise XOR (ARX). In this paper, we propose improved near-collision attacks on the reduced-round compression functions ...

The Secure Hash Standard (SHS) [3] includes hashing algorithms denoted SHA-n, n ∈ 224, 256, 384, 512 for producing message digests of length n. These algorithms are based on a common design, sometimes known as SHA-2, that consists of a message schedule and a register. The most successful attacks on the SHA algorithms are Chabaud-Joux differential collisions [1, 2, 4, 5, 7], which are based on f...