Cryptanalyses of narrow-pipe mode of operation in AURORA-512 hash function. (English) Zbl 1267.94093
Jacobson, Michael J. jun. (ed.) et al., Selected areas in cryptography. 16th annual international workshop, SAC 2009, Calgary, Alberta, Canada, August 13–14, 2009. Revised selected papers. Berlin: Springer (ISBN 978-3-642-05443-3/pbk). Lecture Notes in Computer Science 5867, 36-52 (2009).
Summary: We present cryptanalyses of the AURORA-512 hash function, which is a SHA-3 candidate. We first describe a collision attack on AURORA-512. We then show a second-preimage attack on AURORA-512/-384 and explain that randomized hashing can also be attacked. We finally show a full key-recovery attack on HMAC-AURORA-512 and a universal forgery on HMAC-AURORA-384. Our attack exploits weaknesses in the narrow-pipe mode of operation of AURORA-512 named “double-mix Merkle-Damgård (DMMD)”, which produces a 512-bit output by updating two 256-bit chaining variables in parallel. We do not look inside the compression function. Hence, our attack can work even if the compression function is regarded as a random oracle. The time complexity of our collision attack is approximately \(2^{236}\) AURORA-512 operations, and \(2^{236}\times 512\) bits of memory are required. Our second-preimage attack works on any given message. The time complexity is approximately \(2^{290}\) AURORA-512 operations, and \(2^{288}\times 512\) bits of memory are required. Our key-recovery attack on HMAC-AURORA-512, which uses 512-bit secret keys, requires \(2^{257}\) queries, \(2^{259}\) off-line AURORA-512 operations, and a negligible amount of memory. The universal forgery on HMAC-AURORA-384 is also possible by combining the second-preimage and key-recovery attacks.
For the entire collection see [Zbl 1177.94012].
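Editorial note (added here; not part of the zbMATH record or of the authors' abstract): the figures in the summary matter because each one falls below the generic bound for a hash of that output length, which is the standard a SHA-3 candidate was required to meet. For an \(n\)-bit hash the generic costs are \(2^{n/2}\) for a collision and \(2^{n}\) for a (second) preimage, and recovering a \(k\)-bit HMAC key should cost \(2^{k}\). Set against the complexities quoted above:
\[
\begin{array}{lll}
\text{attack} & \text{generic bound} & \text{this paper}\\
\text{collision, AURORA-512 } (n=512) & 2^{256} & 2^{236}\\
\text{second preimage, AURORA-512 } (n=512) & 2^{512} & 2^{290}\\
\text{second preimage, AURORA-384 } (n=384) & 2^{384} & 2^{290}\\
\text{key recovery, HMAC-AURORA-512 } (k=512) & 2^{512} & 2^{259}\ \text{off-line} + 2^{257}\ \text{queries}
\end{array}
\]
None of these is computationally practical. The caveat for a practitioner is the one the abstract itself states: the attacks use only the DMMD mode of operation and treat the compression function as a random oracle, so the gap cannot be closed by strengthening the compression function alone; the 512-bit internal state (two 256-bit chains) gives the mode no margin over its 512-bit output, which is what "narrow-pipe" means here.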

94A60 Cryptography