
For FullText PDF, please login, if you are a member of IEICE,
or go to Pay Per View on menu list, if you are a nonmember of IEICE.

Cryptanalyses of DoubleMix MerkleDamgård Mode in the Original Version of AURORA512
Yu SASAKI
Publication
IEICE TRANSACTIONS on Fundamentals of Electronics, Communications and Computer Sciences
Vol.E94A
No.1
pp.121128 Publication Date: 2011/01/01 Online ISSN: 17451337
DOI: 10.1587/transfun.E94.A.121 Print ISSN: 09168508 Type of Manuscript: Special Section PAPER (Special Section on Cryptography and Information Security) Category: Hash Function Keyword: AURORA, SHA3, DMMD, collision, second preimage, HMAC,
Full Text: PDF>>
Summary:
We present cryptanalyses of the original version of AURORA512 hash function, which is a round1 SHA3 candidate. Our attack exploits weaknesses in a narrowpipe mode of operation of AURORA512 named "DoubleMix MerkleDamgård (DMMD)." The current best collision attack proposed by Joux and Lucks only gives rough complexity estimations. We first evaluate its precise complexity and show its optimization. Secondly, we point out that the current best secondpreimage attack proposed by Ferguson and Lucks does not work with the claimed complexity of 2^{291}. We then evaluate a complexity so that the attack can work with a high success probability. We also show that the secondpreimage attack can be used to attack the randomized hashing scheme. Finally, we present a keyrecovery attack on HMACAURORA512, which reveals 512bit secret keys with 2^{257} queries, 2^{259} AURORA512 operations, and negligible memory. The universal forgery on HMACAURORA384 is also possible by combining the secondpreimage and innerkeyrecovery attacks.

