Cryptology ePrint Archive: Report 2010/535
Linear Analysis of Reduced-Round CubeHash
Tomer Ashur and Orr Dunkelman
Abstract: Recent developments in the field of cryptanalysis of hash functions have inspired NIST to announce a competition for selecting a new cryptographic hash function to join the SHA family of standards. One of the 14 second-round candidates is CubeHash, designed by Daniel J. Bernstein. CubeHash is a unique hash function in the sense that it does not iterate a common compression function, and offers a structure which resembles a sponge function, even though it is not exactly a sponge function. In this paper we analyze reduced-round variants of CubeHash where the adversary controls the full 1024-bit input to reduced-round CubeHash and can observe its full output. We show that linear approximations with high biases exist in reduced-round variants. For example, we present an 11-round linear approximation with bias of 2^{-235}, which allows distinguishing 11-round CubeHash using about 2^{470} queries. We also discuss the extension of this distinguisher to 12 rounds using message modification techniques. Finally, we present a linear distinguisher for 14-round CubeHash which uses about 2^{812} queries.
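The abstract relies on the standard linear-cryptanalysis fact that an approximation with bias ε can be distinguished from a random permutation with on the order of 1/ε² queries (bias 2^{-235} giving about 2^{470} queries). The following added example, which is not from the paper and does not model CubeHash, illustrates that relationship on a constructed 16-bit ARX-style toy permutation: it computes the exact bias of an input/output mask pair exhaustively, then runs a query-counting distinguisher against both the toy permutation and a random permutation. The toy round, mask values and the constant c in the query bound are all assumptions chosen for the illustration.

```python
"""Toy illustration of linear-approximation bias and the ~1/eps^2 query bound.
The permutation below is a constructed 8-bit ARX toy, NOT CubeHash."""
import random

MASK8 = 0xFF


def rotl8(v, r):
    return ((v << r) | (v >> (8 - r))) & MASK8


def toy_round(x, y):
    # Constructed ARX-style round (assumption): modular add, rotate, xor.
    x = (x + y) & MASK8
    y = rotl8(y, 3) ^ x
    return x, y


def toy_perm(x, y, rounds=1):
    for _ in range(rounds):
        x, y = toy_round(x, y)
    return x, y


def parity(v):
    return bin(v).count("1") & 1


def approx_holds(x, y, ox, oy, in_mask, out_mask):
    # Linear approximation <a, input> = <b, output>; masks are (mask_x, mask_y).
    lhs = parity(x & in_mask[0]) ^ parity(y & in_mask[1])
    rhs = parity(ox & out_mask[0]) ^ parity(oy & out_mask[1])
    return lhs == rhs


def linear_bias(in_mask, out_mask, rounds=1):
    """Exact bias eps = Pr[approximation holds] - 1/2 over all 2^16 inputs."""
    agree = 0
    for x in range(256):
        for y in range(256):
            ox, oy = toy_perm(x, y, rounds)
            if approx_holds(x, y, ox, oy, in_mask, out_mask):
                agree += 1
    return agree / 65536 - 0.5


def queries_for_bias(eps):
    """The usual data-complexity rule of thumb: about 1/eps^2 queries."""
    return 1 / eps ** 2


def observed_bias(oracle, in_mask, out_mask, n_queries, rng):
    """Estimate the bias from n_queries random chosen-input queries to oracle."""
    agree = 0
    for _ in range(n_queries):
        x, y = rng.randrange(256), rng.randrange(256)
        ox, oy = oracle(x, y)
        if approx_holds(x, y, ox, oy, in_mask, out_mask):
            agree += 1
    return agree / n_queries - 0.5


def looks_like_toy_perm(oracle, in_mask, out_mask, eps, rng, c=32):
    """Distinguisher: spend c/eps^2 queries and accept if the observed bias is
    closer to eps than to zero (the expectation for a random permutation)."""
    n = int(c / eps ** 2)
    return abs(observed_bias(oracle, in_mask, out_mask, n, rng)) > abs(eps) / 2


def random_permutation_oracle(seed):
    """A uniformly random permutation of the 16-bit state, for comparison."""
    table = list(range(65536))
    random.Random(seed).shuffle(table)

    def oracle(x, y):
        v = table[(x << 8) | y]
        return v >> 8, v & MASK8

    return oracle


if __name__ == "__main__":
    # Bit 1 of x+y equals x1^y1 unless the carry out of bit 0 is set (prob 1/4).
    masks = ((0x02, 0x02), (0x02, 0x00))
    eps = linear_bias(*masks)
    print("exact bias:", eps, "-> about", queries_for_bias(eps), "queries")
    rng = random.Random(1)
    print("toy permutation detected:", looks_like_toy_perm(toy_perm, *masks, eps, rng))
    print("random permutation detected:",
          looks_like_toy_perm(random_permutation_oracle(2), *masks, eps, rng))
```

The first mask pair exercises the carry-free least significant bit, which holds with probability 1 (bias 1/2); the second exercises bit 1, where the carry out of bit 0 breaks the approximation a quarter of the time (bias 1/4). Plugging the paper's 11-round bias into `queries_for_bias` reproduces its 2^{470} figure.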
Category / Keywords: secret-key cryptography / CubeHash, SHA-3 competition, linear cryptanalysis
Date: received 19 Oct 2010
Contact author: orr dunkelman at weizmann ac il
Available formats: PDF | BibTeX Citation
Version: 20101019:213125