Distinguishers for the Compression Function and Output Transformation of Hamsi-256

  • Jean-Philippe Aumasson
  • Emilia Käsper
  • Lars Ramkilde Knudsen
  • Krystian Matusiewicz
  • Rune Ødegård
  • Thomas Peyrin
  • Martin Schläffer
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6168)


Hamsi is one of 14 remaining candidates in NIST’s Hash Competition for the future hash standard SHA-3. Until now, little analysis has been published on its resistance to differential cryptanalysis, the main technique used to attack hash functions. We present a study of Hamsi’s resistance to differential and higher-order differential cryptanalysis, with focus on the 256-bit version of Hamsi. Our main results are efficient distinguishers and near-collisions for its full (3-round) compression function, and distinguishers for its full (6-round) finalization function, indicating that Hamsi’s building blocks do not behave ideally.


Keywords: hash functions, differential cryptanalysis, SHA-3





Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Jean-Philippe Aumasson (1)
  • Emilia Käsper (2)
  • Lars Ramkilde Knudsen (3)
  • Krystian Matusiewicz (4)
  • Rune Ødegård (5)
  • Thomas Peyrin (6)
  • Martin Schläffer (7)

  1. Nagravision SA, Cheseaux, Switzerland
  2. Katholieke Universiteit Leuven, ESAT-COSIC, Belgium
  3. Department of Mathematics, Technical University of Denmark
  4. Institute of Mathematics and Computer Science, Wroclaw University of Technology
  5. Centre for Quantifiable Quality of Service in Communication Systems at the Norwegian University of Science and Technology
  6. Ingenico, France
  7. IAIK, TU Graz, Austria
