Cryptanalysis of the ESSENCE Family of Hash Functions

ESSENCE is a family of cryptographic hash functions, accepted to the first round of NIST's SHA-3 competition. This paper presents the first known attacks on ESSENCE. We present a semi-free-start collision attack on 31 out of 32 rounds of ESSENCE-512, invalidating the design claim that at least 24 rounds of ESSENCE are secure against differential cryptanalysis. We develop a novel technique to satisfy the first nine rounds of the differential characteristic. Nonrandomness in the outputs of the feedback function F is used to construct several distinguishers on a 14-round ESSENCE block cipher and the corresponding compression function, each requiring only 2^17 output bits. This observation is extended to key-recovery attacks on the block cipher. Next, we show that the omission of round constants allows slid pairs and fixed points to be found. These attacks are independent of the number of rounds. Finally, we suggest several countermeasures against these attacks, while still keeping the design simple and easy to analyze.
