Attacks on AURORA-512 and the Double-Mix Merkle-Damgaard Transform

We analyse the Double-Mix Merkle-Damgaard construction (DMMD) used in the AURORA family of hash functions. We show that DMMD falls short of providing the expected level of security. Specically, we are able to find 2nd pre-images for AURORA-512 in time 2^{291}, and collisions in time 2^{234.4}. A limited-memory variant finds collisions in time 2^{249}