Tiger is a cryptographic hash function proposed by Anderson and Biham in 1996 and produces a 192-bit hash value. Recently, weaknesses have been shown in round-reduced variants of the Tiger hash function. Collision attacks have been presented for Tiger reduced to 16 and 19 (out of 24) rounds at FSE 2006 and Indocrypt 2006. Furthermore, Mendel and Rijmen presented a 1-bit pseudo-near-collision fo...

In this article, we analyze the security of the GOST hash function with respect to (second) preimage resistance. The GOST hash function, defined in the Russian standard GOST-R 34.11-94, is an iterated hash function producing a 256-bit hash value. As opposed to most commonly used hash functions such as MD5 and SHA-1, the GOST hash function defines, in addition to the common iterated structure, a...

In this note, we describe attacks on the recently proposed Haraka hash functions. First, for the two hash functions Haraka-256/256 and Haraka-512/256 in the family, we show how two colliding messages can be constructed in about 216 function evaluations. Second, we invalidate the preimage security claim for Haraka-512/256 with an attack finding one preimage in about 2192 function evaluations. Th...

In this note, we present a 2nd-preimage attack on AURORA512, which is one of the candidates for SHA-3. Our attack can generate 2nd-preimages of any given message, in particular, the attack complexity becomes optimal when the message length is 9 blocks or more. In such a case, the attack complexity is approximately 2 AURORA-512 operations, which is less than the brute force attack on AURORA-512,...

In this paper, we give the first pre-image attack against 1round KECCAK-512 hash function, which works for all variants of 1round KECCAK. The attack gives a preimage of length less than 1024 bits by solving a system of 384 linear equations. We also give a collision attack against 1-round KECCAK using similar analysis.

In this paper, we suggest a preimage attack on Hashing with Polynomials [2]. The algorithm has n-bit hash output and n-bit intermediate state. (for example, n = 163). The algorithm is very simple and light so that it can be implement in low memory environment. Our attack is based on the meet-in-the-middle attack. We show that we can find a preimage with the time complexity 2 + 2 ∗ (n+1/33) and ...

‘Provably Secure FFT Hashing’ (We call FFT-Hash in this paper) was suggested by Lyubashevsky et al.. in Second Hash Workshop in Aug. 2006. This paper shows preimage attacks on hash functions based on three modes of FFT-Hash. In case of ‘Nano’ whose output size is 513 bits, we can find a preimage with complexity 2. In case of ‘Mini’ whose output size is 1025 bits, we can find a preimage with com...

In August 2012, the Stribog hash function was selected as the new Russian cryptographic hash standard (GOST R 34.11-2012). Stribog employs twelve rounds of an AES-based compression function operating in Miyaguchi-Preneel mode. In this paper, we investigate the preimage resistance of the Stribog hash function. Specifically, we apply a meet in the middle preimage attack on the compression functio...

We present a second preimage attack on SHAMATA-512, which is a hash function of 512bit output and one of the first round candidates of the SHA-3 competition. The attack uses differential paths that hold with a probability one and a meet-in-the-middle approach to find second preimages. The time complexity is about 2 computation of the step function and the memory complexity is about 2 blocks of ...

The Whirlwind hash function, which outputs a 512-bit digest, was designed by Barreto et al. and published by Design, Codes and Cryptography in 2010. In this paper, we provide a thorough cryptanalysis on Whirlwind. Firstly, we focus on security properties at the hash function level by presenting (second) preimage, collision and distinguishing attacks on reduced-round Whirlwind. In order to launc...