Paper 2010/321

Subspace Distinguisher for 5/8 Rounds of the ECHO-256 Hash Function

Martin Schläffer


In this work we present first results for the hash function of ECHO. We provide a subspace distinguisher for 5 rounds, near-collisions on 4.5 rounds and collisions for 4 out of 8 rounds of the ECHO-256 hash function. The complexities are $2^{96}$ compression function calls for the distinguisher and near-collision attack, and $2^{64}$ for the collision attack. The memory requirements are $2^{64}$ for all attacks. Furthermore, we provide improved compression function attacks on ECHO-256 to get distinguishers on 7 rounds and near-collisions for 6 and 6.5 rounds. The compression function attacks also apply to ECHO-512. To get these results, we consider new and sparse truncated differential paths through ECHO. We are able to construct these paths by analyzing the combined MixColumns and BigMixColumns transformation. Since in these sparse truncated differential paths at most one fourth of all bytes of each ECHO state are active, missing degrees of freedom are not a problem. Therefore, we are able to mount a rebound attack with multiple inbound phases to efficiently find according message pairs for ECHO.

Available format(s)
Publication info
Published elsewhere. Extended version of paper published at SAC 2010
hash functionsSHA-3 competitionECHOcryptanalysistruncated differential pathsrebound attacksubspace distinguishernear-collisionscollision attack
Contact author(s)
martin schlaeffer @ iaik tugraz at
2010-08-06: last of 2 revisions
2010-05-31: received
See all versions
Short URL
Creative Commons Attribution


      author = {Martin Schläffer},
      title = {Subspace Distinguisher for 5/8 Rounds of the ECHO-256 Hash Function},
      howpublished = {Cryptology ePrint Archive, Paper 2010/321},
      year = {2010},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.