CubeHash is a family of hash functions submitted by Bernstein as a SHA-3 candidate. In this paper, we provide two different cryptanalysis approaches concerning its collision resistance. With the first approach, based on truncated differentials, we computed a collision for the CubeHash-1/36 hash function, i.e. the variant in which each iteration incorporates 36 bytes of message and applies one call to the permutation. The second approach, already used by Dai, is much more efficient: based on a linearization of the scheme, it allowed us to compute a collision for the CubeHash-2/4 hash function. Finally, a theoretical collision attack against CubeHash-2/3, CubeHash-4/4 and CubeHash-4/3 is described. This is currently by far the best known cryptanalysis result on this SHA-3 candidate.
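To make the r/b notation of the abstract concrete, the following is an added example, not code from the paper or from Bernstein's submission: a plain Python model of CubeHash-r/b. It follows the ten-step round structure of the cited specification and assumes, as in that submission, 10r rounds for initialisation and finalisation, a 0x80-then-zeros padding to a multiple of b bytes, and the final flip of the low bit of x[11111]; no official test vectors are asserted, so treat it as a model of what the parameters mean rather than as a verified reference implementation. Running it shows how thin the attacked variants are: CubeHash-1/36 pushes 36 message bytes through a single round between absorptions, and CubeHash-2/4 applies only two rounds per 4-byte block, against 10r rounds at either end.

```python
"""Model of CubeHash-r/b (added example; assumptions: 2.b.1-style 10r init/final rounds)."""

MASK = 0xFFFFFFFF


def rotl(x, n):
    """Rotate a 32-bit word left by n bits."""
    return ((x << n) | (x >> (32 - n))) & MASK


def cubehash_round(x):
    """One CubeHash round on a list of 32 32-bit words, in place.

    Index bits of x[ijklm]: i = bit 4 (high/low half), j = bit 3, k = bit 2,
    l = bit 1, m = bit 0, so x[1jklm] is x[16 + t] for t = jklm.
    """
    # 1. add x[0jklm] into x[1jklm]
    for t in range(16):
        x[t + 16] = (x[t + 16] + x[t]) & MASK
    # 2./3. rotate x[0jklm] left by 7, then swap x[00klm] with x[01klm]
    y = [rotl(x[t], 7) for t in range(16)]
    for t in range(16):
        x[t ^ 8] = y[t]
    # 4. xor x[1jklm] into x[0jklm]
    for t in range(16):
        x[t] ^= x[t + 16]
    # 5. swap x[1jk0m] with x[1jk1m]
    y = x[16:32]
    for t in range(16):
        x[16 + (t ^ 2)] = y[t]
    # 6. add x[0jklm] into x[1jklm]
    for t in range(16):
        x[t + 16] = (x[t + 16] + x[t]) & MASK
    # 7./8. rotate x[0jklm] left by 11, then swap x[0j0lm] with x[0j1lm]
    y = [rotl(x[t], 11) for t in range(16)]
    for t in range(16):
        x[t ^ 4] = y[t]
    # 9. xor x[1jklm] into x[0jklm]
    for t in range(16):
        x[t] ^= x[t + 16]
    # 10. swap x[1jkl0] with x[1jkl1]
    y = x[16:32]
    for t in range(16):
        x[16 + (t ^ 1)] = y[t]


def schedule(r, b, msg_len):
    """Return (blocks, total_rounds) for a msg_len-byte message under CubeHash-r/b.

    blocks counts the b-byte blocks after padding; total_rounds adds the
    assumed 10r initialisation and 10r finalisation rounds to r per block.
    """
    blocks = (msg_len + 1 + b - 1) // b  # +1 for the mandatory 0x80 byte
    return blocks, 10 * r + r * blocks + 10 * r


def cubehash(r, b, h, msg):
    """CubeHash-r/b with an h-bit digest (h a multiple of 8, 8 <= h <= 512)."""
    if not (1 <= b <= 128) or h % 8 or not (8 <= h <= 512):
        raise ValueError("unsupported CubeHash parameters")
    # initial state: x[0] = h/8, x[1] = b, x[2] = r, rest zero, then 10r rounds
    x = [h // 8, b, r] + [0] * 29
    for _ in range(10 * r):
        cubehash_round(x)
    # padding: one 0x80 byte, then zeros up to a multiple of b bytes
    data = bytes(msg) + b"\x80"
    data += b"\x00" * (-len(data) % b)
    # absorb each b-byte block into the first b state bytes (little-endian words),
    # then apply r rounds: this is the "r/b" of the notation
    for off in range(0, len(data), b):
        for p in range(b):
            x[p // 4] ^= data[off + p] << (8 * (p % 4))
        for _ in range(r):
            cubehash_round(x)
    # finalisation: flip the low bit of x[11111], then 10r rounds
    x[31] ^= 1
    for _ in range(10 * r):
        cubehash_round(x)
    out = b"".join(w.to_bytes(4, "little") for w in x)
    return out[: h // 8]


if __name__ == "__main__":
    for r, b in ((1, 36), (2, 4), (2, 3), (4, 4), (4, 3)):
        blocks, rounds = schedule(r, b, len(b"abc"))
        print(f"CubeHash-{r}/{b}: {blocks} block(s), {rounds} rounds total,",
              cubehash(r, b, 512, b"abc").hex()[:32], "...")
```

The state is 32 words of 32 bits, so b = 36 means a message block overwrites more than a quarter of the state each iteration while only one round mixes it; b = 4 touches a single word, but with r = 2 there are still only two rounds between message injections. That gap between the per-block work and the per-end 10r rounds is what the two cryptanalysis approaches in the paper exploit.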


Keywords: hash functions, CubeHash, collision


References

  1. Aumasson, J.-P.: Collision for CubeHash2/120-512. NIST mailing list (2008)
  2. Aumasson, J.-P., Meier, W., Naya-Plasencia, M., Peyrin, T.: Inside the hypercube. Cryptology ePrint Archive, Report 2008/486 (2008)
  3. Bernstein, D.J.: CubeHash specification (2.b.1). Submission to NIST (2008)
  4. Chabaud, F., Joux, A.: Differential collisions in SHA-0. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 56–71. Springer, Heidelberg (1998)
  5. Cramer, R. (ed.): EUROCRYPT 2005. LNCS, vol. 3494. Springer, Heidelberg (2005)
  6. Dai, W.: Collisions for CubeHash1/45 and CubeHash2/89 (2008)
  7. Dai, W.: Collision for CubeHash2/12 (2009)
  8. Knudsen, L.R.: Truncated and higher order differentials. In: Preneel, B. (ed.) FSE 1994. LNCS, vol. 1008, pp. 196–211. Springer, Heidelberg (1995)
  9. National Institute of Standards and Technology: FIPS 180-2: Secure Hash Standard (August 2002)
  10. National Institute of Standards and Technology: Cryptographic Hash Algorithm Competition
  11. Peyrin, T.: Cryptanalysis of Grindahl. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 551–567. Springer, Heidelberg (2007)
  12. Rivest, R.L.: RFC 1321: The MD5 Message-Digest Algorithm (April 1992)
  13. Shoup, V. (ed.): CRYPTO 2005. LNCS, vol. 3621. Springer, Heidelberg (2005)
  14. Wang, X., Lai, X., Feng, D., Chen, H., Yu, X.: Cryptanalysis of the hash functions MD4 and RIPEMD. In: Cramer [5], pp. 1–18 (2005)
  15. Wang, X., Yin, Y.L., Yu, H.: Finding collisions in the full SHA-1. In: Shoup [13], pp. 17–36 (2005)
  16. Wang, X., Yu, H.: How to break MD5 and other hash functions. In: Cramer [5], pp. 19–35 (2005)
  17. Wang, X., Yu, H., Yin, Y.L.: Efficient collision search attacks on SHA-0. In: Shoup [13], pp. 1–16 (2005)

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Eric Brier, Ingenico, France
  • Thomas Peyrin, Ingenico, France
