Distinguishers for the Compression Function and Output Transformation of Hamsi-256

Abstract: Hamsi is one of 14 remaining candidates in NIST's Hash Competition for the future hash standard SHA-3. Until now, little analysis has been published on its resistance to differential cryptanalysis, the main technique used to attack hash functions. We present a study of Hamsi's resistance to differential and higher-order differential cryptanalysis, with focus on the 256-bit version of Hamsi. Our main results are efficient distinguishers and near-collisions for its full (3-round) compression function, and distin… Show more

“…In Hamsi-256, P f consists of 6 rounds of a round transformation R = L • S, where S corresponds to 128 parallel applications of a 4 × 4 Sbox of degree 3. Using that three iterations of the round transformation have degree at most 3 3 = 27, Proposition 2 leads to zero-sum partitions of size 2 28 , as reported in [1]. However, our techniques can be used for exhibiting zero-sum partitions of smaller size.…”

“…Then, combining both types of properties enables us to find zero-sum partitions for the inner permutations of two SHA-3 Round-2 candidates, Keccak [4] and Hamsi-256 [16]. More precisely, we exhibit several zero-sum partitions up to 20 (out of 24) rounds of the inner permutation in Keccak and we improve the zero-sum partitions found in [1] for the finalization permutation of Hamsi-256. Even if our results do not seem to affect the security of Keccak and Hamsi-256, they point out that the involved inner permutation of Hamsi-256 and 20 rounds of the inner permutation of Keccak do not have an ideal behavior.…”

“…Since two iterations of R −1 have degree at most 9, all elements in X a sum to zero because dim( 16 i=14 B i ) > 9. Moreover, e 0 , e 4 , e 8 , e 12 ⊂ L(V ) and it has been observed in [1] that 3 rounds of R have degree 3 with respect to the first four lsbs of the first word of the internal state. Therefore, since L(V ) can be seen as a union of cosets of B f = e 0 , e 4 , e 8 , e 12 , and D B f R 3 (x) = 0 for all x, we deduce that the images of all elements in X a under six rounds of R sum to zero.…”

“…For instance, the generalized birthday algorithm [19] κ+1 . When the size of the zero-sum, K, is larger than 2n, the previous generic algorithm can be improved by the XHASH attack [3], as pointed out in [5,1]: the complexity of this improved algorithm essentially corresponds to K evaluations of F , while the generalized birthday algorithm behaves similarly only for K ≥ 2 √ 2n . It is worth noticing that the information set decoding algorithm (and its variants [7]) can also be used for solving this problem and improve the previous algorithm when the size of the zero-sum is very small [12], but all these methods take as input a generator matrix for the code and then require a complete evaluation of F .…”

Zero-Sum Distinguishers for Iterated Permutations and Application to Keccak-f and Hamsi-256

“…In Hamsi-256, P f consists of 6 rounds of a round transformation R = L • S, where S corresponds to 128 parallel applications of a 4 × 4 Sbox of degree 3. Using that three iterations of the round transformation have degree at most 3 3 = 27, Proposition 2 leads to zero-sum partitions of size 2 28 , as reported in [1]. However, our techniques can be used for exhibiting zero-sum partitions of smaller size.…”

“…Then, combining both types of properties enables us to find zero-sum partitions for the inner permutations of two SHA-3 Round-2 candidates, Keccak [4] and Hamsi-256 [16]. More precisely, we exhibit several zero-sum partitions up to 20 (out of 24) rounds of the inner permutation in Keccak and we improve the zero-sum partitions found in [1] for the finalization permutation of Hamsi-256. Even if our results do not seem to affect the security of Keccak and Hamsi-256, they point out that the involved inner permutation of Hamsi-256 and 20 rounds of the inner permutation of Keccak do not have an ideal behavior.…”

“…Since two iterations of R −1 have degree at most 9, all elements in X a sum to zero because dim( 16 i=14 B i ) > 9. Moreover, e 0 , e 4 , e 8 , e 12 ⊂ L(V ) and it has been observed in [1] that 3 rounds of R have degree 3 with respect to the first four lsbs of the first word of the internal state. Therefore, since L(V ) can be seen as a union of cosets of B f = e 0 , e 4 , e 8 , e 12 , and D B f R 3 (x) = 0 for all x, we deduce that the images of all elements in X a under six rounds of R sum to zero.…”

“…For instance, the generalized birthday algorithm [19] κ+1 . When the size of the zero-sum, K, is larger than 2n, the previous generic algorithm can be improved by the XHASH attack [3], as pointed out in [5,1]: the complexity of this improved algorithm essentially corresponds to K evaluations of F , while the generalized birthday algorithm behaves similarly only for K ≥ 2 √ 2n . It is worth noticing that the information set decoding algorithm (and its variants [7]) can also be used for solving this problem and improve the previous algorithm when the size of the zero-sum is very small [12], but all these methods take as input a generator matrix for the code and then require a complete evaluation of F .…”

Zero-Sum Distinguishers for Iterated Permutations and Application to Keccak-f and Hamsi-256

“…Some of them rely on the fact that the algebraic degree of the internal permutation is small. In [1], Aumasson noticed that the algebraic degree of 5 rounds of the compression function as a function of the incoming chaining variable is at most 243. Aumasson and Meier then enhanced this observation to find zero-sum distinguishers on a 6-round version of the compression function [2].…”

Finding Second Preimages of Short Messages for Hamsi-256

Out of Oddity – New Cryptanalytic Techniques Against Symmetric Primitives Optimized for Integrity Proof Systems