
A framework for iterative hash functions - HAIFA. Cryptology ePrint Archive, Report 2007/278 (2007)

by Eli Biham, Orr Dunkelman
Results 1 - 5 of 5

Cryptanalysis of GRINDAHL

by Thomas Peyrin
Cited by 4 (2 self)
Abstract. Due to recent breakthroughs in hash function cryptanalysis, some new hash schemes have been proposed. GRINDAHL is a novel hash function, designed by Knudsen, Rechberger and Thomsen and published at FSE 2007. It has the particularity that it follows the RIJNDAEL design strategy, with an efficiency comparable to SHA-256. This paper provides the first cryptanalytic work on this new scheme. We show that the 256-bit version of GRINDAHL is not collision resistant. With a work effort of approximately 2^112 hash computations, one can generate a collision. Key words: GRINDAHL, hash functions, RIJNDAEL.

DYNAMIC CRYPTOGRAPHIC HASH FUNCTIONS

by William Robert Speirs, II , 2007

New Second Preimage Attacks on Hash Functions

by Elena Andreeva, Charles Bouillaguet, Orr Dunkelman, Pierre-Alain Fouque, Jonathan J. Hoch, John Kelsey, Adi Shamir, Sébastien Zimmer
Abstract. In this work we present new generic second preimage attacks on hash functions. Our first attack is based on the herding attack, and applies to various Merkle-Damgård-based iterative hash functions. Compared to the previously known long-message second preimage attacks, our attack adds only a small computational overhead. In exchange, our attack gives the adversary a much greater control over the contents of the second message and in particular allows all the difference to be concentrated in a few message blocks. As a result, the new second preimage attack is applicable to hash function constructions such as the dithered hash proposal of Rivest, Shoup's UOWHF, and the ROX hash construction, which were thought to be immune to the earlier known second preimage attacks. We also suggest a few time-memory-data tradeoff variants for this type of attack, allowing for faster online computations, and attacking significantly shorter messages. Furthermore, we analyze the properties of the dithering sequence used in Rivest's hash function proposal, and develop a time-memory tradeoff which allows us to apply our second preimage attack to a much stronger than those in Rivest's proposals. Parts of our results rely on the kite generator, a new time-memory tradeoff tool. We also exhibit a time-memory-data tradeoff attack on tree hashes for second preimages. Finally, we show how both the existing second preimage attacks and our new attacks can be applied even more efficiently when given multiple short target messages rather than a single long target message.

Contributors

by D. Sym, Christian Rechberger (kul), Tor E. Bjørstad (uib), Joan Daemen (stm), Christophe De Cannière (kul), Praveen Gauravaram (dtu), Dmitry Khovratovich (lux), Willi Meier (fhnw), Tomislav Nad (tugraz), Ivica Nikolić (lux), Matt Robshaw (orange), Martin Schläffer (tugraz), Søren S. Thomsen (dtu), Elmar Tischhauser (kul), Deniz Toz (kul), Gilles Van Assche (stm), Kerem Varici (kul), 2010
SHA-3 Design and Cryptanalysis Report. Dissemination level: PU Public [X]; PP Restricted to other programme participants (including the Commission services); RE Restricted to a group specified by the consortium (including the Commission services); CO Confidential, only for members of the consortium (including the Commission services).

University of Versailles-Saint Quentin en Yvelines

by Anne Canteaut, Thomas Fuhr
Abstract. In recent years, several hash constructions have been introduced that aim at achieving enhanced security margins by strengthening the Merkle-Damgård mode. However, their security analyses have been conducted independently and using a variety of proof methodologies. This paper unifies these results by proposing a unique indifferentiability proof that considers a broadened form of the general compression function introduced by Stam at FSE09. This general definition enables us to capture in a realistic model most of the features of the mode of operation (e.g., message encoding, blank rounds, message insertion, ...) within the pre-processing and post-processing functions. Furthermore, it relies on an inner primitive which can be instantiated either by an ideal block cipher, or by an ideal permutation. Then, most existing hash functions can be seen as the Chop-MD construction applied to some compression function which fits the broadened Stam model. Our result then gives the tightest known indifferentiability bounds for several general modes of operation, including Chop-MD, Haifa or sponges. Moreover, we show that it applies in a quite automatic way, by providing the security bounds for 7 out of the 14 second round SHA-3 candidates, which are in some cases improved over previously known ones. Keywords: hash function, indifferentiability, SHA-3.

© 2007-2010 The Pennsylvania State University