Practical Near-Collisions on the Compression Function of BMW

Blue Midnight Wish (BMW) is one of the fastest SHA-3 candidates in the second round of the competition. In this paper we study the compression function of BMW and we obtain practical partial collisions in the case of BMW-256: we show a pair of inputs so that 300 pre-specified bits of the outputs collide (out of 512 bits). Our attack requires about $2^{32}$ evaluations of the compression function. The attack can also be considered as a near-collision attack: we give an input pair with only 122 active bits in the output, while a generic algorithm would require $2^{55}$ operations for the same result. A similar attack can be developed for BMW-512, which will give message pairs with around 600 colliding bits for a cost of $2^{64}$. This analysis does not affect the security of the iterated hash function, but it shows that the compression function is far from ideal. We also describe some tools for the analysis of systems of additions and rotations, which are used in our attack, and which can be useful for the analysis of other systems.
