Linearization Framework for Collision Attacks: Application to CubeHash and MD6

  • Eric Brier
  • Shahram Khazaei
  • Willi Meier
  • Thomas Peyrin
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5912)


In this paper, an improved differential cryptanalysis framework for finding collisions in hash functions is provided. Its principle is based on linearization of compression functions in order to find low weight differential characteristics, as initiated by Chabaud and Joux. This is formalized and refined here in several ways: for the problem of finding a conforming message pair whose differential trail follows a linear trail, a condition function is introduced so that finding a collision is equivalent to finding a preimage of the zero vector under the condition function. Then, the dependency table concept shows how much influence every input bit of the condition function has on each output bit. Careful analysis of the dependency table reveals degrees of freedom that can be exploited in accelerated preimage reconstruction under the condition function. These concepts are applied to an in-depth collision analysis of reduced-round versions of the two SHA-3 candidates CubeHash and MD6, and are demonstrated to give by far the best currently known collision attacks on these SHA-3 candidates.
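The following is an added toy illustration of the three ideas in the abstract (linearization, condition function, dependency table); it is not code from the paper, nor from CubeHash or MD6. The two-word ARX step, the difference DELTA, and the sampled dependency table are constructed assumptions for this example, and the condition function is a simplification of the paper's: it checks, for each modular addition, that the real output difference equals the XOR-linearized one, so Y(M) = 0 exactly when the pair follows the linear trail.

```python
import random
W, N = 8, 16        # toy word size and message bits; a constructed ARX toy, not CubeHash/MD6
MASK = (1 << W) - 1
DELTA = MASK        # message difference (x ^= 0xFF) that collides in the XOR-linearized toy
rotl = lambda x, r: ((x << r) | (x >> (W - r))) & MASK   # W-bit rotate left

def step(m):
    """Toy step: operand pairs of each modular '+' (the only non-linear ops) and the output."""
    x, y = m & MASK, m >> W
    s1 = (x + y) & MASK
    y2 = rotl(y ^ s1, 3)
    return [(x, y), (s1, y2)], (s1 ^ rotl(y2, 5), (s1 + y2) & MASK)

def condition_function(m, delta=DELTA):
    """Y(M): per addition, real output difference XOR the XOR-linearized one;
    Y(M) == 0 iff the pair (M, M ^ delta) follows the linear trail at every '+'."""
    out = 0
    for (a0, b0), (a1, b1) in zip(step(m)[0], step(m ^ delta)[0]):
        out = (out << W) | ((((a0 + b0) ^ (a1 + b1)) & MASK) ^ a0 ^ a1 ^ b0 ^ b1)
    return out

def dependency_table(samples=1000, seed=1):
    """table[i][j] = how often flipping message bit i flipped condition bit j over
    `samples` random messages (sampled, so heuristic); an all-zero row is a free bit."""
    rng = random.Random(seed)
    table = [[0] * N for _ in range(N)]
    for _ in range(samples):
        m = rng.getrandbits(N)
        y0 = condition_function(m)
        for i in range(N):
            d = y0 ^ condition_function(m ^ (1 << i))
            table[i] = [c + (d >> j & 1) for j, c in enumerate(table[i])]
    return table

def find_conforming(table):
    """DFS fixing message bits most influential first; a branch is cut as soon as a
    condition bit whose dependencies are all fixed is 1. Returns (message, nodes)."""
    deps = [{i for i in range(N) if table[i][j]} for j in range(N)]
    order = sorted(range(N), key=lambda i: -sum(table[i]))
    nodes = [0]
    def dfs(k, m):
        nodes[0] += 1
        fixed, y = set(order[:k]), condition_function(m)
        if any(y >> j & 1 for j in range(N) if deps[j] <= fixed):
            return                       # a fully determined condition bit is violated
        if k == N:
            yield m
        for bit in (0, 1 << order[k]) if k < N else ():
            yield from dfs(k + 1, m ^ bit)
    return next(dfs(0, 0), None), nodes[0]
```

`find_conforming(dependency_table())` returns a message m whose pair (m, m ^ DELTA) collides under `step`, visiting only a fraction of the 2**16 messages a brute-force search would try; the all-zero row of the table for the top bit of y shows a free degree of freedom that never touches any condition bit.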


Keywords: hash functions, collisions, differential attack, SHA-3, CubeHash, MD6


  1. Aumasson, J.-P.: Collision for CubeHash-2/120 − 512. NIST mailing list, December 4 (2008).
  2. Aumasson, J.-P., Fischer, S., Khazaei, S., Meier, W., Rechberger, C.: New Features of Latin Dances: Analysis of Salsa, ChaCha, and Rumba. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 470–488. Springer, Heidelberg (2008).
  3. Aumasson, J.-P., Meier, W., Naya-Plasencia, M., Peyrin, T.: Inside the hypercube. In: Boyd, C., González Nieto, J. (eds.) ACISP 2009. LNCS, vol. 5594, pp. 202–213. Springer, Heidelberg (2009).
  4. Bernstein, D.J.: CubeHash specification (2.b.1). Submission to NIST SHA-3 competition.
  5. Bernstein, D.J.: CubeHash parameter tweak: 16 times faster.
  6. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Radiogatun, a belt-and-mill hash function. Presented at Second Cryptographic Hash Workshop, Santa Barbara (August 2006).
  7. Biham, E., Chen, R.: Near-Collisions of SHA-0. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 290–305. Springer, Heidelberg (2004).
  8. Brier, E., Peyrin, T.: Cryptanalysis of CubeHash. In: Abdalla, M., Pointcheval, D., Fouque, P.-A., Vergnaud, D. (eds.) ACNS 2009. LNCS, vol. 5536, pp. 354–368. Springer, Heidelberg (2009).
  9. Brier, E., Khazaei, S., Meier, W., Peyrin, T.: Linearization Framework for Collision Attacks: Application to CubeHash and MD6 (Extended Version). Cryptology ePrint Archive, Report 2009/382.
  10. Canteaut, A., Chabaud, F.: A new algorithm for finding minimum-weight words in a linear code: application to McEliece's cryptosystem and to narrow-sense BCH codes of length 511. IEEE Transactions on Information Theory 44(1), 367–378 (1998).
  11. Chabaud, F., Joux, A.: Differential Collisions in SHA-0. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 56–71. Springer, Heidelberg (1998).
  12. Dai, W.: Collisions for CubeHash-1/45 and CubeHash-2/89 (2008).
  13. eBASH: ECRYPT Benchmarking of All Submitted Hashes.
  14. Fuhr, T., Peyrin, T.: Cryptanalysis of Radiogatun. In: Dunkelman, O. (ed.) FSE 2009. LNCS, vol. 5665, pp. 122–138. Springer, Heidelberg (2009).
  15. Indesteege, S., Preneel, B.: Practical collisions for EnRUPT. In: Dunkelman, O. (ed.) FSE 2009. LNCS, vol. 5665, pp. 246–259. Springer, Heidelberg (2009).
  16. Joux, A., Peyrin, T.: Hash Functions and the (Amplified) Boomerang Attack. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 244–263. Springer, Heidelberg (2007).
  17. Khovratovich, D.: Nonrandomness of the 33-round MD6. Presented at the rump session of FSE 2009 (2009).
  18. Klima, V.: Tunnels in Hash Functions: MD5 Collisions Within a Minute. Cryptology ePrint Archive (2006).
  19. Lipmaa, H., Moriai, S.: Efficient Algorithms for Computing Differential Properties of Addition. In: Matsui, M. (ed.) FSE 2001. LNCS, vol. 2355, pp. 336–350. Springer, Heidelberg (2002).
  20. Manuel, S., Peyrin, T.: Collisions on SHA-0 in One Hour. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 16–35. Springer, Heidelberg (2008).
  21. Naito, Y., Sasaki, Y., Shimoyama, T., Yajima, J., Kunihiro, N., Ohta, K.: Improved Collision Search for SHA-0. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 21–36. Springer, Heidelberg (2006).
  22. National Institute of Standards and Technology: Announcing request for candidate algorithm nominations for a new cryptographic hash algorithm (SHA-3) family. Federal Register 72(112) (November 2007).
  23. Rivest, R.L., Agre, B., Bailey, D.V., Crutchfield, C., Dodis, Y., Fleming, K.E., Khan, A., Krishnamurthy, J., Lin, Y., Reyzin, L., Shen, E., Sukha, J., Sutherland, D., Tromer, E., Yin, Y.L.: The MD6 hash function — a proposal to NIST for SHA-3. Submission to NIST SHA-3 competition (2008).
  24. Peyrin, T.: Cryptanalysis of Grindahl. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 551–567. Springer, Heidelberg (2007).
  25. Pramstaller, N., Rechberger, C., Rijmen, V.: Exploiting Coding Theory for Collision Attacks on SHA-1. In: Smart, N.P. (ed.) Cryptography and Coding 2005. LNCS, vol. 3796, pp. 78–95. Springer, Heidelberg (2005).
  26. Rijmen, V., Oswald, E.: Update on SHA-1. In: Menezes, A. (ed.) CT-RSA 2005. LNCS, vol. 3376, pp. 58–71. Springer, Heidelberg (2005).
  27. Wang, X., Yu, H.: How to Break MD5 and Other Hash Functions. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 19–35. Springer, Heidelberg (2005).

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Eric Brier, Ingenico, France
  • Shahram Khazaei, EPFL, Switzerland
  • Willi Meier, FHNW, Switzerland
  • Thomas Peyrin, Ingenico, France
