Subspace Distinguisher for 5/8 Rounds of the ECHO-256 Hash Function

In this work we present first results for the hash function of ECHO. We provide a subspace distinguisher for 5 rounds and collisions for 4 out of 8 rounds of the ECHO-256 hash function. The complexities are 296 compression function calls for the distinguisher and 264 for the collision attack. The memory requirements are 264 for all attacks. To get these results, we consider new and sparse truncated differential paths through ECHO. We are able to construct these paths by analyzing the combined MixColumns and BigMixColumns transformation. Since in these sparse truncated differential paths at most one fourth of all bytes of each ECHO state are active, missing degrees of freedom are not a problem. Therefore, we are able to mount a rebound attack with multiple inbound phases to efficiently find according message pairs for ECHO.

[1]  Thomas Peyrin,et al.  Improved Differential Attacks for ECHO and Grostl , 2010, IACR Cryptol. ePrint Arch..

[2]  Vincent Rijmen,et al.  The Design of Rijndael , 2002, Information Security and Cryptography.

[3]  J. Leasure,et al.  Announcing request for candidate algorithm nominations for a new cryptographic hash algorithm (SHA-3 , 2007 .

[4]  Eli Biham,et al.  A Framework for Iterative Hash Functions - HAIFA , 2007, IACR Cryptol. ePrint Arch..

[5]  Florian Mendel,et al.  The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grøstl , 2009, FSE.

[6]  Yu Sasaki,et al.  Rebound Attack on the Full Lane Compression Function , 2009, ASIACRYPT.

[7]  David A. Wagner,et al.  A Generalized Birthday Problem , 2002, CRYPTO.

[8]  Frederic P. Miller,et al.  Advanced Encryption Standard , 2009 .

[9]  María Naya-Plasencia,et al.  Cryptanalysis of Luffa v2 Components , 2010, Selected Areas in Cryptography.

[10]  Vincent Rijmen,et al.  Understanding Two-Round Differentials in AES , 2006, SCN.

[11]  Thomas Peyrin,et al.  Improved Cryptanalysis of the Reduced Grøstl Compression Function, ECHO Permutation and AES Block Cipher , 2009, Selected Areas in Cryptography.

[12]  Florian Mendel,et al.  Rebound Attacks on the Reduced Grøstl Hash Function , 2010, CT-RSA.

[13]  Vincent Rijmen,et al.  The Design of Rijndael: AES - The Advanced Encryption Standard , 2002 .

[14]  Alex Biryukov,et al.  Distinguisher and Related-Key Attack on the Full AES-256 , 2009, CRYPTO.

[15]  Vincent Rijmen,et al.  Rebound Distinguishers: Results on the Full Whirlpool Compression Function , 2009, ASIACRYPT.

[16]  Vincent Rijmen,et al.  The Wide Trail Design Strategy , 2001, IMACC.

[17]  Olivier Billet , .

[18]  Thomas Peyrin,et al.  Super-Sbox Cryptanalysis: Improved Attacks for AES-Like Permutations , 2010, FSE.