Paper 2013/233

Attacks on JH, Grøstl and SMASH Hash Functions

Yiyuan Luo and Xuejia Lai

Abstract

JH and Grøstl hash functions are two of the five finalists in NIST SHA-3 competition. JH-$s$ and Grøstl-$s$ are based on a $2n$ bit compression function and the final output is truncated to $s$ bits, where $n$ is $512$ and $s$ can be $224$,$256$,$384$ and $512$. Previous security proofs show that JH-$s$ and Grøstl-$s$ are optimal collision resistance without length padding to the last block. ~~~~In this paper we present collision and preimage attacks on JH-$s$ and Grøstl-$s$ without length padding to the last block. For collision attack on JH-$s$, after a $\frac{1}{e}2^{s/4+n}$ precomputing, the adversary needs $2^{s/4}$ queries to the underlying compression function to find a new collision. For preimage attack on JH-$s$, after a $\frac{1}{e}2^{s/2+n}$ precomputing, the adversary needs $2^{s/2}$ queries to the underlying compression function to find a new preimage. If $s=224$, the attacker only needs $2^{57}$ and $2^{113}$ compression function queries to mount a new collision attack and preimage attack respectively. For Grøstl, the query complexity of our collision and preimage attack are one half of birthday collision attack and exhaustive preimage attack respectively. ~~~~We also discuss how our attack works when the length is padded to the last message block. Our attacks exploit structure flaws in the design of JH and Grøstl. It is easily applied to MJH and SMASH and other generalizations since they have similar structure (we call it Evan-Mansour structure). At the same time the provable security of chopMD in the literature is challenged. Through our attack, it is easy to see that the chopMD mode used in JH or Grøstl does not improve its security.

Note: Some bugs in our attack are fixed in this version.

Metadata
Available format(s)
PDF
Publication info
Published elsewhere. Unknown status
Keywords
Hash FunctionsSHA-3JHGrøstl
Contact author(s)
luoyiyuan @ gmail com
History
2013-10-12: last of 6 revisions
2013-04-29: received
See all versions
Short URL
https://ia.cr/2013/233
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2013/233,
      author = {Yiyuan Luo and Xuejia Lai},
      title = {Attacks on {JH}, Grøstl and {SMASH} Hash Functions},
      howpublished = {Cryptology {ePrint} Archive, Paper 2013/233},
      year = {2013},
      url = {https://eprint.iacr.org/2013/233}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.