On Free-Start Collisions and Collisions for TIB3
In this paper, we present free-start collisions for the TIB3 hash functions with a complexity of about $2^{32}$ compression function evaluations. By using message modification techniques the complexity can be further reduced to $2^{24}$. Furthermore, we show how to construct collisions for TIB3 slightly faster than brute force search using the fact that we can construct several (different) free-start collisions for the compression function. The complexity to construct collisions is about $2^{122.5}$ for TIB3-256 and $2^{242}$ for TIB3-512 with memory requirements of $2^{53}$ and $2^{100}$ respectively. The attack shows that compression function attacks have been underestimated in the design of TIB3. Although the practicality of the proposed attacks might be debatable, they nevertheless exhibit non-random properties that are not present in the SHA-2 family.
Keywords: hash function, SHA-3 competition, TIB3, free-start collision, collision attack