Meet-in-the-Middle Attacks on SHA-3 Candidates

  • Dmitry Khovratovich
  • Ivica Nikolić
  • Ralf-Philipp Weinmann
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5665)


We present preimage attacks on the SHA-3 candidates Boole, EnRUPT, Edon-R, and Sarmal, which are found to be vulnerable against a meet-in-the-middle attack. The idea is to invert (or partially invert) the compression function and to exploit its non-randomness. To launch an attack on a large internal state we manipulate the message blocks to be injected in order to fix some part of the internal state and to reduce the complexity of the attack. To lower the memory complexity of the attack we use the memoryless meet-in-the-middle approach proposed by Morita-Ohta-Miyaguchi.


Hash Function Compression Function State Word Input Word Hash Family 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Sponge functions (2007),
  2. 2.
    De Cannière, C., Rechberger, C.: Finding SHA-1 characteristics: General results and applications. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 1–20. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  3. 3.
    Diffie, W., Hellman, M.E.: Exhaustive cryptanalysis of the NBS data encryption standard. Computer 10, 74–84 (1977)CrossRefGoogle Scholar
  4. 4.
    Gligoroski, D., Ødegård, R.S., Mihova, M., Knapskog, S.J., Kocarev, L., Drápal, A.: Cryptographic hash function Edon-R. Submission to NIST (2008),
  5. 5.
    Mendel, F., Pramstaller, N., Rechberger, C., Kontak, M., Szmidt, J.: Cryptanalysis of the GOST hash function. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 162–178. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  6. 6.
    Morita, H., Ohta, K., Miyaguchi, S.: A switching closure test to analyze cryptosystems. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 183–193. Springer, Heidelberg (1992)Google Scholar
  7. 7.
    National Institute of Standards and Technology. Announcing Request for Candidate Algorithm Nominations for a New Cryptographic Hash Algorithm (SHA–3) Family 72(212) of Federal Register (November 2007)Google Scholar
  8. 8.
    O’Neil, S.: EnRUPT: First all-in-one symmetric cryptographic primitive. In: SASC 2008 (2008),
  9. 9.
    O’Neil, S., Nohl, K., Henzen, L.: EnRUPT hash function specification (2008),
  10. 10.
    Preneel, B.: Analysis and Design of Cryptographic Hash Functions. PhD thesis, Katholieke Universiteit Leuven, Leuven, Belgium (January 1993)Google Scholar
  11. 11.
    Quisquater, J.-J., Delescaille, J.-P.: How easy is collision search? Application to DES (extended summary). In: Quisquater, J.-J., Vandewalle, J. (eds.) EUROCRYPT 1989. LNCS, vol. 434, pp. 429–434. Springer, Heidelberg (1989)CrossRefGoogle Scholar
  12. 12.
    Quisquater, J.-J., Delescaille, J.-P.: How easy is collision search. new results and applications to DES. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 408–413. Springer, Heidelberg (1990)Google Scholar
  13. 13.
    Rose, G.G.: Design and primitive specification for Boole,
  14. 14.
    van Oorschot, P.C., Wiener, M.J.: Parallel collision search with application to hash functions and discrete logarithms. In: ACM Conference on Computer and Communications Security, pp. 210–218 (1994)Google Scholar
  15. 15.
    Varıcı, K., Özen, O., Kocair, Ç.: Sarmal: SHA-3 proposal. Submission to NIST (2008)Google Scholar
  16. 16.
    Wang, X., Yu, H.: How to break MD5 and other hash functions. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 19–35. Springer, Heidelberg (2005)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Dmitry Khovratovich
    • 1
  • Ivica Nikolić
    • 1
  • Ralf-Philipp Weinmann
    • 1
  1. 1.University of LuxembourgLuxembourg

Personalised recommendations