291. We then evaluate a complexity so that the attack can work with a high success probability. We also show that the second-preimage attack can be used to attack the randomized hashing scheme. Finally, we present a key-recovery attack on HMAC-AURORA-512, which reveals 512-bit secret keys with 2257 queries, 2259 AURORA-512 operations, and negligible memory. The universal forgery on HMAC-AURORA-384 is also possible by combining the second-preimage and inner-key-recovery attacks." />


Cryptanalyses of Double-Mix Merkle-Damgård Mode in the Original Version of AURORA-512

Yu SASAKI  

Publication
IEICE TRANSACTIONS on Fundamentals of Electronics, Communications and Computer Sciences   Vol.E94-A   No.1   pp.121-128
Publication Date: 2011/01/01
Online ISSN: 1745-1337
Print ISSN: 0916-8508
Type of Manuscript: Special Section PAPER (Special Section on Cryptography and Information Security)
Category: Hash Function
Keyword: 
AURORA,  SHA-3,  DMMD,  collision,  second preimage,  HMAC,  

Full Text: PDF(535.9KB)
>>Buy this Article


Summary: 
We present cryptanalyses of the original version of AURORA-512 hash function, which is a round-1 SHA-3 candidate. Our attack exploits weaknesses in a narrow-pipe mode of operation of AURORA-512 named "Double-Mix Merkle-Damgård (DMMD)." The current best collision attack proposed by Joux and Lucks only gives rough complexity estimations. We first evaluate its precise complexity and show its optimization. Secondly, we point out that the current best second-preimage attack proposed by Ferguson and Lucks does not work with the claimed complexity of 2291. We then evaluate a complexity so that the attack can work with a high success probability. We also show that the second-preimage attack can be used to attack the randomized hashing scheme. Finally, we present a key-recovery attack on HMAC-AURORA-512, which reveals 512-bit secret keys with 2257 queries, 2259 AURORA-512 operations, and negligible memory. The universal forgery on HMAC-AURORA-384 is also possible by combining the second-preimage and inner-key-recovery attacks.