Cryptanalysis of the ESSENCE Family of Hash Functions

  • Nicky Mouha
  • Gautham Sekar
  • Jean-Philippe Aumasson
  • Thomas Peyrin
  • Søren S. Thomsen
  • Meltem Sönmez Turan
  • Bart Preneel
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6151)


ESSENCE is a family of cryptographic hash functions, accepted to the first round of NIST’s SHA-3 competition. This paper presents the first known attacks on ESSENCE. We present a semi-free-start collision attack on 31 out of 32 rounds of ESSENCE-512, invalidating the design claim that at least 24 rounds of ESSENCE are secure against differential cryptanalysis. We develop a novel technique to satisfy the first nine rounds of the differential characteristic. Non-randomness in the outputs of the feedback function F is used to construct several distinguishers on a 14-round ESSENCE block cipher and the corresponding compression function, each requiring only 2^17 output bits. This observation is extended to key-recovery attacks on the block cipher. Next, we show that the omission of round constants allows slid pairs and fixed points to be found. These attacks are independent of the number of rounds. Finally, we suggest several countermeasures against these attacks, while still keeping the design simple and easy to analyze.


Keywords: Cryptanalysis, hash function, ESSENCE, semi-free-start collision, distinguisher, key-recovery, slide attack





Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Nicky Mouha (1, 2)
  • Gautham Sekar (1, 2)
  • Jean-Philippe Aumasson (3)
  • Thomas Peyrin (4)
  • Søren S. Thomsen (5)
  • Meltem Sönmez Turan (6)
  • Bart Preneel (1, 2)

  1. Department of Electrical Engineering ESAT/SCD-COSIC, Katholieke Universiteit Leuven, Heverlee, Belgium
  2. Interdisciplinary Institute for BroadBand Technology (IBBT), Belgium
  3. FHNW, Windisch, Switzerland
  4. Ingenico, France
  5. Department of Mathematics, Technical University of Denmark, Kgs. Lyngby, Denmark
  6. Computer Security Division, National Institute of Standards and Technology, USA
