Paper 2010/535

Linear Analysis of Reduced-Round CubeHash

Tomer Ashur and Orr Dunkelman


Recent developments in the field of cryptanalysis of hash functions has inspired NIST to announce a competition for selecting a new cryptographic hash function to join the SHA family of standards. One of the 14 second-round candidates is CubeHash designed by Daniel J. Bernstein. CubeHash is a unique hash function in the sense that it does not iterate a common compression function, and offers a structure which resembles a sponge function, even though it is not exactly a sponge function. In this paper we analyze reduced-round variants of CubeHash where the adversary controls the full 1024-bit input to reduced-round CubeHash and can observe its full output. We show that linear approximations with high biases exist in reduced-round variants. For example, we present an 11-round linear approximation with bias of 2^{−235}, which allows distinguishing 11-round CubeHash using about 2^{470} queries. We also discuss the extension of this distinguisher to 12 rounds using message modification techniques. Finally, we present a linear distinguisher for 14-round CubeHash which uses about 2^{812} queries.

Available format(s)
Secret-key cryptography
Publication info
Published elsewhere. Unknown where it was published
CubeHash SHA-3 competitionLinear cryptanalysis
Contact author(s)
orr dunkelman @ weizmann ac il
2010-10-19: received
Short URL
Creative Commons Attribution


      author = {Tomer Ashur and Orr Dunkelman},
      title = {Linear Analysis of Reduced-Round CubeHash},
      howpublished = {Cryptology ePrint Archive, Paper 2010/535},
      year = {2010},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.