On Free-Start Collisions and Collisions for TIB3

  • Florian Mendel
  • Martin Schläffer
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5735)


In this paper, we present free-start collisions for the TIB3 hash functions with a complexity of about 232 compression function evaluations. By using message modification techniques the complexity can be further reduced to 224. Furthermore, we show how to construct collisions for TIB3 slightly faster than brute force search using the fact that we can construct several (different) free-start collisions for the compression function. The complexity to construct collisions is about 2122.5 for TIB3-256 and 2242 for TIB3-512 with memory requirements of 253 and 2100 respectively. The attack shows that compression function attacks have been underestimated in the design of TIB3. Although the practicality of the proposed attacks might be debatable, they nevertheless exhibit non-random properties that are not present in the SHA-2 family.


Hash function SHA-3 competition TIB3 free-start collision collision attack 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    NIST: Announcing Request for Candidate Algorithm Nominations for a New Cryptographic Hash Algorithm (SHA-3) Family. Federal Register Notice (November 2007),
  2. 2.
    Montes, M., Penazzi, D.: The TIB3 Hash. Submission to NIST (2008)Google Scholar
  3. 3.
    Fleischmann, E., Forler, C., Gorski, M.: Classification of the SHA-3 Candidates. Cryptology ePrint Archive, Report 2008/511 (2008),
  4. 4.
    Damgård, I.: A Design Principle for Hash Functions. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 416–427. Springer, Heidelberg (1990)Google Scholar
  5. 5.
    Merkle, R.C.: One Way Hash Functions and DES. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 428–446. Springer, Heidelberg (1990)Google Scholar
  6. 6.
    Matyas, S.M., Meyer, C.H., Oseas, J.: Generating strong one-way functions with crypographic algorithm. IBM Technical Disclosure Bulletin 27(10A), 5658–5659 (1985)Google Scholar
  7. 7.
    den Boer, B., Bosselaers, A.: Collisions for the Compression Function of MD-5. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 293–304. Springer, Heidelberg (1994)CrossRefGoogle Scholar
  8. 8.
    Wang, X., Yin, Y.L., Yu, H.: Finding Collisions in the Full SHA-1. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 17–36. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  9. 9.
    Wang, X., Yu, H.: How to Break MD5 and Other Hash Functions. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 19–35. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  10. 10.
    van Oorschot, P.C., Wiener, M.J.: Parallel Collision Search with Cryptanalytic Applications. J. Cryptology 12(1), 1–28 (1999)MathSciNetCrossRefzbMATHGoogle Scholar
  11. 11.
    Quisquater, J.J., Delescaille, J.P.: How Easy is Collision Search. New Results and Applications to DES. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 408–413. Springer, Heidelberg (1990)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Florian Mendel
    • 1
  • Martin Schläffer
    • 1
  1. 1.Institute for Applied Information Processing and Communications (IAIK)Graz University of TechnologyGrazAustria

Personalised recommendations