Preimage Attacks Against Spectral Hash and PTX Functions

This paper presents a novel pre-image attack on SHA-3 candidate Spectral Hash (shash), which was until now thought to be resistant to pre-image attacks. PTX (Permute Transform XOR) functions are an idealisation of shash [1] in which its pseudorandom functions have been replaced with random oracles. We extend our previous practical collision attacks on PTX functions to practical pre-image attacks against all PTX functions [3]. As shown in our previous work, the security of shash depends on the security of PTX functions, thus our result also applies to the pre-image security of shash.

Our technique is to use the chaining variable collision introduced in our previous attack, which reduces PTX functions, under a special set of inputs, to a series of random oracles XORed together.

$$\mathrm{PTX}(x) = \mathrm{RO}(x_0) \oplus \mathrm{RO}(x_1) \oplus \cdots \oplus \mathrm{RO}(x_m)$$

Note that while this property does not hold for every input x, it does hold for an infinite number of them. Finding a set of inputs to those random oracles such that the outputs, y = RO(x), are an orthogonal basis of the output space is trivial [2]. Using this basis we span the entire output space of the hash function, therefore we can generate arbitrary outputs of our choosing. That is, for any output, we can compute a pre-image in constant time.

We break the pre-image security of PTX and shash by reducing it to the trivially solvable problem [2] of finding independent random vectors.
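
The linear-algebra step described above, shown on a toy model as an added example that is not code from the paper. It assumes the reduced form PTX(x) = RO(x0) ⊕ ... ⊕ RO(xm) holds for any chosen list of blocks and stands in for the random oracle with SHA-256 truncated to 32 bits. The names `ro`, `toy_ptx`, `eliminate`, `build_basis` and `preimage`, the block encoding and the 32-bit width are all assumptions made for illustration.

```python
import hashlib

N_BITS = 32  # toy output width (assumption; not the shash digest size)

def ro(block):
    """Stand-in for a random oracle: SHA-256 truncated to N_BITS (assumption)."""
    digest = hashlib.sha256(block).digest()
    return int.from_bytes(digest, "big") >> (256 - N_BITS)

def toy_ptx(blocks):
    """Toy model of the reduced form: RO(x0) ^ RO(x1) ^ ... ^ RO(xm)."""
    out = 0
    for b in blocks:
        out ^= ro(b)
    return out

def eliminate(vec, used, basis):
    """Cancel leading bits of vec with basis rows, tracking which blocks get XORed in."""
    while vec:
        lead = vec.bit_length() - 1
        if lead not in basis:
            break
        bvec, bused = basis[lead]
        vec, used = vec ^ bvec, used ^ bused
    return vec, used

def build_basis():
    """Collect blocks whose oracle outputs are linearly independent over GF(2)."""
    basis, blocks, counter = {}, [], 0
    while len(basis) < N_BITS:
        block = counter.to_bytes(8, "big")  # constructed sample blocks
        counter += 1
        vec, used = eliminate(ro(block), frozenset([len(blocks)]), basis)
        if vec:  # independent of everything collected so far
            basis[vec.bit_length() - 1] = (vec, used)
            blocks.append(block)
    return basis, blocks

def preimage(target, basis, blocks):
    """Express target as an XOR of basis outputs and return the matching blocks."""
    vec, used = eliminate(target, frozenset(), basis)
    assert vec == 0  # a full-rank basis spans the whole output space
    return [blocks[i] for i in sorted(used)]

if __name__ == "__main__":
    basis, blocks = build_basis()
    msg = preimage(0xDEADBEEF, basis, blocks)
    print(len(msg), hex(toy_ptx(msg)))
```

Once the basis is built, every target digest is solved by the same elimination pass, which is why an XOR of independent oracle outputs offers no pre-image resistance on inputs where the reduction holds.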