Paper 2024/605

Security Analysis of XHASH8/12

Léo Perrin
Abstract

We have investigated both the padding scheme and the applicability of algebraic attacks to both XHash8 and XHash12. The only vulnerability of the padding scheme we can find is plausibly applicable only in the multi-rate setting---for which the authors make no claim---and is safe otherwise. For algebraic attack relying on the computation and exploitation of a Gröbner basis, our survey of the literature suggests to base a security argument on the complexity of the variable elimination step rather than that of the computation of the Gröbner basis itself. Indeed, it turns out that the latter complexity is hard to estimate---and is sometimes litteraly non-existent. Focusing on the elimination step, we propose a generalization of the "FreeLunch" approach which, under a reasonable conjecture about the behaviour of the degree of polynomial ideals of dimension 0, is sufficient for us to argue that both XHash8 and XHash12 are safe against such attacks. We implemented a simplified version of the generation (and resolution) of the corresponding set of equations in SAGE, which allowed us to validate our conjecture at least experimentally, and in fact to show that the lower bound it provides on the ideal degree is not tight---meaning we are a priori understimating the security of these permutations against the algebraic attacks we consider. At this stage, if used as specified, these hash functions seem safe from Gröbner bases-based algebraic attacks.

Metadata
Available format(s)
PDF
Category
Secret-key cryptography
Publication info
Preprint.
Keywords
XHashcrypanalysispaddingalgebraic attack
Contact author(s)
perrin leo @ gmail com
History
2024-04-22: approved
2024-04-19: received
See all versions
Short URL
https://ia.cr/2024/605
License
No rights reserved
CC0

BibTeX

@misc{cryptoeprint:2024/605,
      author = {Léo Perrin},
      title = {Security Analysis of {XHASH8}/12},
      howpublished = {Cryptology {ePrint} Archive, Paper 2024/605},
      year = {2024},
      url = {https://eprint.iacr.org/2024/605}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.