Cryptology ePrint Archive: Report 2013/381

Breaking the Even-Mansour Hash Function: Collision and Preimage Attacks on JH and Gr{\o}stl

Bingke Ma and Bao Li and Ronglin Hao

Abstract: The Even-Mansour structure and the chopMD mode are two widely-used strategies in hash function designs. They are adopted by many hash functions including two SHA-3 finalists, the JH hash function and the Gr{\o}stl hash function. The Even-Mansour structure combining the chopMD mode is supposed to enhance the security of hash functions against collision and preimage attacks, while our results show that it is not possible to achieve this goal with an unbalanced compression function. In this paper, we show generic attacks on the Even-Mansour hash functions including both collision and preimage attacks. Our attacks show the structure flaws of the Even-Mansour hash functions. All these attacks can be applied to specific hash functions based on the Even-Mansour structure. We achieve the first collision and (2nd-)preimage attacks on full JH and Gr{\o}stl respectively. For the JH hash function, we achieve collision and (2nd-)preimage attacks on the full JH compression function with a time gain $2^{10.22}$. After a simple modification of the padding rules, we obtain full round collision and (2nd-)preimage attacks on the modified JH hash function with a time gain $2^{10.22}$. For the Gr{\o}stl hash function, we obtain both collision and (2nd-)preimage attacks on the full Gr{\o}stl hash function with a limited time gain $2^{0.58}$.

Category / Keywords: Even-Mansour hash function, chopMD mode, preimage, collision, JH, Gr{\o}stl

Date: received 6 Jun 2013, last revised 9 Jun 2013, withdrawn 16 Aug 2013

Contact author: bkma at is ac cn

Available format(s): (-- withdrawn --)

Version: 20130817:054233 (All versions of this report)

Discussion forum: Show discussion | Start new discussion


[ Cryptology ePrint archive ]