Cryptanalysis of FORK-256

In this paper we present a cryptanalysis of a new 256-bit hash function, FORK-256, proposed by Hong et al. at FSE 2006. This cryptanalysis is based on some unexpected differentials existing for the step transformation. We show their possible uses in different attack scenarios by giving a 1-bit (resp. 2-bit) near collision attack against the full compression function of FORK-256 running with complexity of 2125 (resp. 2120) and with negligible memory, and by exhibiting a 22-bit near pseudo-collision. We also show that we can find collisions for the full compression function with a small amount of memory with complexity not exceeding 2126.6 hash evaluations. We further show how to reduce this complexity to 2109.6 hash computations by using 273 memory words. Finally, we show that this attack can be extended with no additional cost to find collisions for the full hash function, i.e. with the predefined IV.

[1]  Vincent Rijmen,et al.  Breaking a New Hash Function Design Strategy Called SMASH , 2005, Selected Areas in Cryptography.

[2]  Philippe Dumas,et al.  On the Additive Differential Probability of Exclusive-Or , 2004, FSE.

[3]  Xiaoyun Wang,et al.  How to Break MD5 and Other Hash Functions , 2005, EUROCRYPT.

[4]  Ronald L. Rivest,et al.  The MD4 Message-Digest Algorithm , 1990, RFC.

[5]  Henri Gilbert,et al.  The RIPEMD and RIPEMD Improved Variants of MD4 Are Not Collision Free , 2001, FSE.

[6]  Vincent Rijmen,et al.  On the Collision Resistance of RIPEMD-160 , 2006, ISC.

[7]  Jennifer Seberry,et al.  HAVAL - A One-Way Hashing Algorithm with Variable Length of Output , 1992, AUSCRYPT.

[8]  Lars R. Knudsen SMASH - A Cryptographic Hash Function , 2005, FSE.

[9]  Xiaoyun Wang,et al.  Finding Collisions in the Full SHA-1 , 2005, CRYPTO.

[10]  Antoine Joux,et al.  Collisions of SHA-0 and Reduced SHA-1 , 2005, EUROCRYPT.

[11]  Bruce Schneier,et al.  Unbalanced Feistel Networks and Block Cipher Design , 1996, FSE.

[12]  Bart Preneel,et al.  RIPEMD-160: A Strengthened Version of RIPEMD , 1996, FSE.

[13]  Bart Preneel,et al.  Cryptanalysis of Reduced Variants of the FORK-256 Hash Function , 2007, CT-RSA.

[14]  Josef Pieprzyk,et al.  Collisions for two branches of FORK-256 , 2006 .

[15]  Ralph C. Merkle,et al.  One Way Hash Functions and DES , 1989, CRYPTO.

[16]  Markku-Juhani O. Saarinen Security of VSH in the Real World , 2006, INDOCRYPT.

[17]  Eli Biham,et al.  TIGER: A Fast New Hash Function , 1996, FSE.

[18]  Ivan Damgård,et al.  A Design Principle for Hash Functions , 1989, CRYPTO.

[19]  Seokhie Hong,et al.  A New Dedicated 256-Bit Hash Function: FORK-256 , 2006, FSE.

[20]  Ronald L. Rivest,et al.  The MD5 Message-Digest Algorithm , 1992, RFC.

[21]  Antoine Joux,et al.  Multicollisions in Iterated Hash Functions. Application to Cascaded Constructions , 2004, CRYPTO.

[22]  Bruce Schneier,et al.  Second Preimages on n-bit Hash Functions for Much Less than 2n Work , 2005, IACR Cryptol. ePrint Arch..

[23]  Ron Steinfeld,et al.  VSH, an Efficient and Provable Collision Resistant Hash Function , 2006, IACR Cryptol. ePrint Arch..

[24]  Hui Chen,et al.  Cryptanalysis of the Hash Functions MD4 and RIPEMD , 2005, EUROCRYPT.

[25]  尚弘 島影 National Institute of Standards and Technologyにおける超伝導研究及び生活 , 2001 .

[26]  Xiaoyun Wang,et al.  Efficient Collision Search Attacks on SHA-0 , 2005, CRYPTO.

[27]  Bai En A One-Way Hashing Algorithm with Variable Length of Output , 2004 .

[28]  Alfred Menezes,et al.  Handbook of Applied Cryptography , 2018 .

[29]  Eli Biham,et al.  Near-Collisions of SHA-0 , 2004, CRYPTO.