Cryptanalysis of Twister

  • Florian Mendel
  • Christian Rechberger
  • Martin Schläffer
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5536)


In this paper, we present a semi-free-start collision attack on the compression function for all Twister variants with negligible complexity. We show how this compression function attack can be extended to construct collisions for Twister-512 slightly faster than brute force search. Furthermore, we present a second-preimage and preimage attack for Twister-512 with complexity of about 2384 and 2456 compression function evaluations, respectively.


SHA-3 Twister hash function collision- second-preimage- preimage attack 


  1. 1.
    Barreto, P.S.L.M., Rijmen, V.: The Whirlpool Hashing Function. Submitted to NESSIE (September 2000) (Revised May 2003), (2008/07/08)
  2. 2.
    Brassard, G. (ed.): CRYPTO 1989. LNCS, vol. 435. Springer, Heidelberg (1990)zbMATHGoogle Scholar
  3. 3.
    Damgård, I.: A Design Principle for Hash Functions. In: Brassard [2], pp. 416–427Google Scholar
  4. 4.
    Fleischmann, E., Forler, C., Gorski, M.: The Twister Hash Function Family. Submission to NIST (2008)Google Scholar
  5. 5.
    Fleischmann, E., Forler, C., Gorski, M., Lucks, S.: Twister - A Framework for Secure and Fast Hash Functions. In: Li, H., Bao, F. (eds.) ISPEC. Springer, Heidelberg (to appear, 2009)Google Scholar
  6. 6.
    Gauravaram, P., Kelsey, J.: Linear-XOR and Additive Checksums Don’t Protect Damgård-Merkle Hashes from Generic Attacks. In: Malkin, T. (ed.) CT-RSA 2008. LNCS, vol. 4964, pp. 36–51. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  7. 7.
    Joux, A.: Multicollisions in Iterated Hash Functions. Application to Cascaded Constructions. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 306–316. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  8. 8.
    Mendel, F., Pramstaller, N., Rechberger, C.: A (Second) Preimage Attack on the GOST Hash Function. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 224–234. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  9. 9.
    Mendel, F., Pramstaller, N., Rechberger, C., Kontak, M., Szmidt, J.: Cryptanalysis of the GOST Hash Function. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 162–178. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  10. 10.
    Mendel, F., Rechberger, C., Schläffer, M., Thomsen, S.S.: The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grøstl. In: Dunkelman, O. (ed.) Fast Software Encryption. Springer, Heidelberg (to appear, 2009)Google Scholar
  11. 11.
    Ralph, C.M.: One Way Hash Functions and DES. In: Brassard [2], pp. 428–446Google Scholar
  12. 12.
    Morita, H., Ohta, K., Miyaguchi, S.: A Switching Closure Test to Analyze Cryptosystems. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 183–193. Springer, Heidelberg (1992)Google Scholar
  13. 13.
    National Institute of Standards and Technology. FIPS PUB 197, Advanced Encryption Standard (AES). Federal Information Processing Standards Publication 197, U.S. Department of Commerce (November 2001)Google Scholar
  14. 14.
    Government Committee of Russia for Standards. GOST 34.11-94, Gosudarstvennyi Standard of Russian Federation, Information Technology Cryptographic Data Security Hashing Function (in Russian) (1994)Google Scholar
  15. 15.
    Gauravaram, P., Knudsen, L.R., Matusiewicz, K., Mendel, F., Rechberger, C., Schläffer, M., Thomsen, S.S.: Grøstl - a SHA-3 candidate (2008),
  16. 16.
    Quisquater, J.-J., Delescaille, J.-P.: How Easy is Collision Search. New Results and Applications to DES. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 408–413. Springer, Heidelberg (1990)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Florian Mendel
    • 1
  • Christian Rechberger
    • 1
  • Martin Schläffer
    • 1
  1. 1.Institute for Applied Information Processing and Communications (IAIK)Graz University of TechnologyGrazAustria

Personalised recommendations