Improved Linear Differential Attacks on CubeHash

  • Shahram Khazaei
  • Simon Knellwolf
  • Willi Meier
  • Deian Stefan
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6055)


This paper presents improved collision attacks on round-reduced variants of the hash function CubeHash, one of the SHA-3 second round candidates. We apply two methods for finding linear differential trails that lead to lower estimated attack complexities when used within the framework introduced by Brier, Khazaei, Meier and Peyrin at ASIACRYPT 2009. The first method yields trails that are relatively dense at the beginning and sparse towards the end. In combination with the condition function concept, such trails lead to much faster collision attacks. We demonstrate this by providing a real collision for CubeHash-5/96. The second method randomizes the search for highly probable linear differential trails and leads to significantly better attacks for up to eight rounds.


Keywords: hash function · differential attack · collision · linearization · SHA-3 · CubeHash




  1. Bernstein, D.J.: CubeHash. Submission to NIST (2008)
  2. Bernstein, D.J.: CubeHash. Submission to NIST, Round 2 (2009)
  3. Biham, E., Chen, R.: Near-Collisions of SHA-0. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 290–305. Springer, Heidelberg (2004)
  4. Brier, E., Khazaei, S., Meier, W., Peyrin, T.: Linearization Framework for Collision Attacks: Application to CubeHash and MD6. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 560–577. Springer, Heidelberg (2009)
  5. Brier, E., Khazaei, S., Meier, W., Peyrin, T.: Linearization Framework for Collision Attacks: Application to CubeHash and MD6 (extended version). Cryptology ePrint Archive, Report 2009/382 (2009)
  6. Brier, E., Peyrin, T.: Cryptanalysis of CubeHash. In: Abdalla, M., Pointcheval, D., Fouque, P.-A., Vergnaud, D. (eds.) ACNS 2009. LNCS, vol. 5536, pp. 354–368. Springer, Heidelberg (2009)
  7. Chabaud, F., Joux, A.: Differential Collisions in SHA-0. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 56–71. Springer, Heidelberg (1998)
  8. Indesteege, S., Preneel, B.: Practical Collisions for EnRUPT. In: Dunkelman, O. (ed.) FSE 2009. LNCS, vol. 5665, pp. 246–259. Springer, Heidelberg (2009)
  9. Naito, Y., Sasaki, Y., Shimoyama, T., Yajima, J., Kunihiro, N., Ohta, K.: Improved Collision Search for SHA-0. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 21–36. Springer, Heidelberg (2006)
  10. National Institute of Standards and Technology: Announcing Request for Candidate Algorithm Nominations for a New Cryptographic Hash Algorithm (SHA-3) Family. Federal Register, vol. 72 (2007)
  11. Pramstaller, N., Rechberger, C., Rijmen, V.: Exploiting Coding Theory for Collision Attacks on SHA-1. In: Smart, N.P. (ed.) Cryptography and Coding 2005. LNCS, vol. 3796, pp. 78–95. Springer, Heidelberg (2005)
  12. Rijmen, V., Oswald, E.: Update on SHA-1. In: Menezes, A. (ed.) CT-RSA 2005. LNCS, vol. 3376, pp. 58–71. Springer, Heidelberg (2005)
  13. Shoup, V.: NTL: A Library for Doing Number Theory. Version 5.5.2
  14. Wang, X., Yu, H.: How to Break MD5 and Other Hash Functions. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 19–35. Springer, Heidelberg (2005)

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Shahram Khazaei, EPFL, Switzerland
  • Simon Knellwolf, FHNW, Switzerland
  • Willi Meier, FHNW, Switzerland
  • Deian Stefan, The Cooper Union, USA
