Cryptology ePrint Archive: Report 2010/321

Subspace Distinguisher for 5/8 Rounds of the ECHO-256 Hash Function

Martin Schläffer

Abstract: In this work we present first results for the hash function of ECHO. We provide a subspace distinguisher for 5 rounds, near-collisions on 4.5 rounds and collisions for 4 out of 8 rounds of the ECHO-256 hash function. The complexities are $2^{96}$ compression function calls for the distinguisher and near-collision attack, and $2^{64}$ for the collision attack. The memory requirements are $2^{64}$ for all attacks. Furthermore, we provide improved compression function attacks on ECHO-256 to get distinguishers on 7 rounds and near-collisions for 6 and 6.5 rounds. The compression function attacks also apply to ECHO-512. To get these results, we consider new and sparse truncated differential paths through ECHO. We are able to construct these paths by analyzing the combined MixColumns and BigMixColumns transformation. Since in these sparse truncated differential paths at most one fourth of all bytes of each ECHO state are active, missing degrees of freedom are not a problem. Therefore, we are able to mount a rebound attack with multiple inbound phases to efficiently find according message pairs for ECHO.

Category / Keywords: hash functions, SHA-3 competition, ECHO, cryptanalysis, truncated differential paths, rebound attack, subspace distinguisher, near-collisions, collision attack

Publication Info: Extended version of paper published at SAC 2010

Date: received 31 May 2010, last revised 6 Aug 2010

Contact author: martin schlaeffer at iaik tugraz at

Available format(s): PDF | BibTeX Citation

Version: 20100806:225718 (All versions of this report)

Short URL:

[ Cryptology ePrint archive ]