Finding Second Preimages of Short Messages for Hamsi-256

Abstract

In this paper we study the second preimage resistance of Hamsi-256, a second-round SHA-3 candidate. We show that it is possible to find affine equations between some input bits and some output bits on the 3-round compression function. This property enables an attacker to find pseudo preimages for the Hamsi-256 compression function. The pseudo preimage algorithm can be used to find second preimages of the digests of messages M with complexity $2^{251.3}$, which is lower than the best generic attacks when M is short.