Improved (Pseudo) Preimage Attacks on Reduced-Round GOST and Grøstl-256 and Studies on Several Truncation Patterns for AES-like Compression Functions (Full Version)

In this paper, we present improved preimage attacks on the reduced-round \texttt{GOST} hash function family, which serves as the new Russian hash standard, with the aid of techniques such as the rebound attack, the Meet-in-the-Middle preimage attack and the multicollisions. Firstly, the preimage attack on 5-round \texttt{GOST-256} is proposed which is the first preimage attack for \texttt{GOST-256} at the hash function level. Then we extend the (previous) attacks on 5-round \texttt{GOST-256} and 6-round \texttt{GOST-512} to 6.5 and 7.5 rounds respectively by exploiting the involution property of the \texttt{GOST} transposition operation. Secondly, inspired by the preimage attack on \texttt{GOST-256}, we also study the impacts of four representative truncation patterns on the resistance of the Meet-in-the-Middle preimage attack against \texttt{AES}-like compression functions, and propose two stronger truncation patterns which make it more difficult to launch this type of attack. Based on our investigations, we are able to slightly improve the previous pseudo preimage attacks on reduced-round \texttt{Grøstl-256}

Security of the SHA-3 candidates Keccak and Blue Midnight Wish: Zero-sum property

The SHA-3 competition for the new cryptographic standard was initiated by National Institute of Standards and Technology (NIST) in 2007. In the following years, the event grew to one of the top areas currently being researched by the CS and cryptographic communities. The first objective of this thesis is to overview, analyse, and critique the SHA-3 competition. The second one is to perform an in-depth study of the security of two candidate hash functions, the finalist Keccak and the second round candidate Blue Midnight Wish. The study shall primarily focus on zero-sum distinguishers. First we attempt to attack reduced versions of these hash functions and see if any vulnerabilities can be detected. This is followed by attacks on their full versions. In the process, a novel approach is utilized in the search of zero-sum distinguishers by employing SAT solvers. We conclude that while such complex attacks can theoretically uncover undesired properties of the two hash functions presented, such attacks are still far from being fully realized due to current limitations in computing power

Cryptanalysis of Reduced-Round Whirlwind (Full Version)

The \texttt{Whirlwind} hash function, which outputs a 512-bit digest, was designed by Barreto $et\ al.$ and published by \textit{Design, Codes and Cryptography} in 2010. In this paper, we provide a thorough cryptanalysis on \texttt{Whirlwind}. Firstly, we focus on security properties at the hash function level by presenting (second) preimage, collision and distinguishing attacks on reduced-round \texttt{Whirlwind}. In order to launch the preimage attack, we have to slightly tweak the original Meet-in-the-Middle preimage attack framework on \texttt{AES}-like compression functions by partially fixing the values of the state. Based on this slightly tweaked framework, we are able to construct several new and interesting preimage attacks on reduced-round \texttt{Whirlpool} and \texttt{AES} hashing modes as well. Secondly, we investigate security properties of the reduced-round components of \texttt{Whirlwind}, including semi-free-start and free-start (near) collision attacks on the compression function, and a limited-birthday distinguisher on the inner permutation. As far as we know, our results are currently the best cryptanalysis on \texttt{Whirlwind}

Streebog compression function as PRF in secret-key settings

Security of the many keyed hash-based cryptographic constructions (such as HMAC) depends on the fact that the underlying compression function $g(H,M)$ is a pseudorandom function (PRF). This paper presents key-recovery algorithms for 7 rounds (of 12) of Streebog compression function. Two cases were considered, as a secret key can be used: the previous state $H$ or the message block $M$. The proposed methods implicitly show that Streebog compression function has a large security margin as PRF in the above-mentioned secret-key settings