Abstract. In this paper, we investigate the properties of iterative non-injective functions and the security of primitives where they are used. First, we introduce the Collision Probability Spectrum (CPS) parameter to quantify how far from a permutation a function is. In particular, we show that the output size decreases linearly with the number of iterations whereas the collision trees grow quadratically. Secondly, we investigate the t-sponge construction and show how certain CPS and rate values lead to an improved preimage attack on long messages. As an example, we find collisions for the GLUON-64 internal function, approximate its CPS, and show an attack that violates the security claims. For instance, if a message ends with a sequence of 1 Mb (respectively 1 Gb) of zeros, then our preimage search takes time $2^{115.3}$ (respectively $2^{105.3}$) instead of $2^{128}$.