3 research outputs found
A 2nd-Preimage Attack on AURORA-512
In this note, we present a 2nd-preimage attack on AURORA-512, which is one of the candidates for SHA-3. Our attack can generate 2nd-preimages of any given message, in particular, the attack complexity becomes optimal when the message length is 9 blocks or more. In such a case, the attack complexity is approximately AURORA-512 operations, which is less than the brute force attack on AURORA-512, namely, . Our attack exploits some weakness in the mode of operation
A Full Key Recovery Attack on HMAC-AURORA-512
In this note, we present a full key recovery attack on HMAC-AURORA-512 when
512-bit secret keys are used and the MAC length is 512-bit long.
Our attack requires queries and the off-line complexity is AURORA-512 operations,
which is significantly less than the complexity of the exhaustive search for a 512-bit key.
The attack can be carried out with a negligible amount of memory.
Our attack can also recover the inner-key of HMAC-AURORA-384 with almost the same complexity as in HMAC-AURORA-512.
This attack does not recover the outer-key of HMAC-AURORA-384, but
universal forgery is possible by combining the inner-key recovery and 2nd-preimage attacks.
Our attack exploits some weaknesses in the mode of operation