Cryptanalysis of the 10-Round Hash and Full Compression Function of SHAvite-3-512

  • Praveen Gauravaram
  • Gaëtan Leurent
  • Florian Mendel
  • María Naya-Plasencia
  • Thomas Peyrin
  • Christian Rechberger
  • Martin Schläffer
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6055)


In this paper, we analyze the SHAvite-3-512 hash function, as proposed and tweaked for round 2 of the SHA-3 competition. We present cryptanalytic results on 10 out of 14 rounds of the hash function SHAvite-3-512, and on the full 14-round compression function of SHAvite-3-512. We show a second preimage attack on the hash function reduced to 10 rounds with a complexity of 2^497 compression function evaluations and 2^16 memory. For the full 14-round compression function, we give a chosen-counter, chosen-salt preimage attack with 2^384 compression function evaluations and 2^128 memory (or complexity 2^448 without memory), and a collision attack with 2^192 compression function evaluations and 2^128 memory.


Keywords: hash function, cryptanalysis, collision, (second) preimage





Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Praveen Gauravaram (1)
  • Gaëtan Leurent (2)
  • Florian Mendel (3)
  • María Naya-Plasencia (4)
  • Thomas Peyrin (5)
  • Christian Rechberger (6)
  • Martin Schläffer (3)
  1. Department of Mathematics, DTU, Denmark
  2. ENS, France
  3. IAIK, TU Graz, Austria
  4. FHNW Windisch, Switzerland
  5. Ingenico, France
  6. ESAT/COSIC, K.U.Leuven and IBBT, Belgium
