Structural Attacks on Two SHA-3 Candidates: Blender-n and DCH-n

  • Mario Lamberger
  • Florian Mendel
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5735)


The recently started SHA-3 competition, whose goal is to find a new secure hash standard and thus a replacement for SHA-1/SHA-2, has attracted a lot of interest in the academic world as well as in industry. There are 51 round one candidates, building on sometimes very different design principles.

In this paper, we show how to attack two of the 51 round one hash functions. The attacks have in common that they exploit structural weaknesses in the design of the hash function and are independent of the underlying compression function. First, we present a preimage attack on the hash function Blender-n. It has a complexity of about n·2^(n/2) and negligible memory requirements. Second, we show practical collision and preimage attacks on DCH-n. More precisely, we can trivially construct a (2^8 + 2)-block collision for DCH-n and a 1297-block preimage with only 521 compression function evaluations. The attacks on both hash functions work for all output sizes and render the hash functions broken.


Keywords: hash functions, collision attacks, preimage attacks, SHA-3, Blender, DCH





Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Mario Lamberger (1)
  • Florian Mendel (1)
  1. Institute for Applied Information Processing and Communications (IAIK), Graz University of Technology, Graz, Austria
