Inside the Hypercube

  • Jean-Philippe Aumasson
  • Eric Brier
  • Willi Meier
  • María Naya-Plasencia
  • Thomas Peyrin
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5594)


Bernstein’s CubeHash is a hash function family that includes four functions submitted to the NIST Hash Competition. A CubeHash function is parametrized by a number of rounds r, a block byte size b, and a digest bit length h (the compression function makes r rounds, while the finalization function makes 10r rounds). The 1024-bit internal state of CubeHash is represented as a five-dimensional hypercube. The submission to NIST recommends r = 8, b = 1, and h ∈ {224, 256, 384, 512}.

This paper presents the first external analysis of CubeHash, with
  • improved standard generic attacks for collisions and preimages
  • a multicollision attack that exploits fixed points
  • a study of the round function symmetries
  • a preimage attack that exploits these symmetries
  • a practical collision attack on a weakened version of CubeHash
  • a study of fixed points and an example of nontrivial fixed point
  • high-probability truncated differentials over 10 rounds

Since the first publication of these results, several collision attacks for reduced versions of CubeHash were published by Dai, Peyrin, et al. Our results are more general, since they apply to any choice of the parameters, and show intrinsic properties of the CubeHash design, rather than attacks on specific versions.


Keywords: Symmetric State, Symmetry Class, Compression Function, Message Block, Collision Attack
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.




  1. Aumasson, J.-P.: Collision for CubeHash2/120-512. NIST mailing list (December 4, 2008)
  2. Aumasson, J.-P., Meier, W., Naya-Plasencia, M., Peyrin, T.: Inside the hypercube. Cryptology ePrint Archive, Report 2008/486, version 20081124:132635 (2008)
  3. Bernstein, D.J.: CubeHash appendix: complexity of generic attacks. Submission to NIST (2008)
  4. Bernstein, D.J.: CubeHash attack analysis (2.B.5). Submission to NIST (2008)
  5. Daniel, J.B.: CubeHash specification (2.B.1). Submission to NIST (2008)
  6. Brier, E., Khazaei, S., Meier, W., Peyrin, T.: Attack for CubeHash-2/2 and collision for CubeHash-3/64. NIST mailing list (local link) (2009)
  7. Brier, E., Peyrin, T.: Cryptanalysis of CubeHash (2009)
  8. Dai, W.: Collisions for CubeHash1/45 and CubeHash2/89 (2008)
  9. Diaconis, P., Mosteller, F.: Methods for studying coincidences. Journal of the American Statistical Association 84(408), 853–861 (1989)
  10. Joux, A.: Multicollisions in iterated hash functions. Application to cascaded constructions. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 306–316. Springer, Heidelberg (2004)
  11. NIST. SP 800-22, a statistical test suite for random and pseudorandom number generators for cryptographic applications (2001)
  12. Suzuki, K., Tonien, D., Kurosawa, K., Toyota, K.: Birthday paradox for multi-collisions. In: Rhee, M.S., Lee, B. (eds.) ICISC 2006. LNCS, vol. 4296, pp. 29–40. Springer, Heidelberg (2006)

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Jean-Philippe Aumasson (1)
  • Eric Brier (3)
  • Willi Meier (1)
  • María Naya-Plasencia (2)
  • Thomas Peyrin (3)

  1. FHNW, Windisch, Switzerland
  2. INRIA project-team SECRET, France
  3. Ingenico, France
