Analysis of the Collision Resistance of RadioGatúnUsing Algebraic Techniques

  • Charles Bouillaguet
  • Pierre-Alain Fouque
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5381)


In this paper, we present some preliminary results on the security of the RadioGatúnhash function. RadioGatúnhas an internal state of 58 words, and is parameterized by the word size, from one to 64 bits. We mostly study the one-bit version of RadioGatúnsince according to the authors, attacks on this version also affect the reasonably-sized versions. On this toy version, we revisit the claims of the designers and first improve some results. Secondly, given a differential path, we show how to find a message pair colliding more efficiently than the strategy proposed by the authors using algebraic techniques. We experimented this strategy on the one-bit version since we can efficiently find differential path by brute force. Even though the complexity of this collision attack is higher than the general security claim on RadioGatún〈1 〉, it is still less than the birthday paradox on the size of the internal state.


Internal State Hash Function Computer Algebra System Compression Function Round Function 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Becker, T., Weispfenning, V., Kredel, H.: Gröbner bases: a computational approach to commutative algebra. Springer, London (1993)CrossRefzbMATHGoogle Scholar
  2. 2.
    Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: On the indifferentiability of the sponge construction. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 181–197. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  3. 3.
    Bertoni, G., Daemen, J., Peeters, M., Assche, G.V.: RadioGatún, a Belt-and-Mill Hash Function. In: Presented at Second Cryptographic Hash Function Workshop, Santa Barbara, California, August 24-25 (2006),
  4. 4.
    Bertoni, G., Daemen, J., Peeters, M., Assche, G.V.: Sponge functions. In: Presented at ECrypt Hash Function Workshop, Barcelona, Spain, May 24 (2007)Google Scholar
  5. 5.
    Biryukov, A. (ed.): FSE 2007. LNCS, vol. 4593. Springer, Heidelberg (2007)zbMATHGoogle Scholar
  6. 6.
    Collart, S., Kalkbrener, M., Mall, D.: Converting bases with the gröbner walk. J. Symb. Comput. 24(3/4), 465–469 (1997)CrossRefzbMATHGoogle Scholar
  7. 7.
    Comon, H.: Inductionless induction. In: Robinson, J.A., Voronkov, A. (eds.) Handbook of Automated Reasoning, pp. 913–962. Elsevier and MIT Press (2001)Google Scholar
  8. 8.
    Cox, D., Little, J., O’Shea, D.: Ideals, Varieties, and Algorithms: An Introduction to Computational Algebraic Geometry and Commutative Algebra (Undergraduate Texts in Mathematics), February 2007. Springer, Heidelberg (2007)CrossRefzbMATHGoogle Scholar
  9. 9.
    Cramer, R. (ed.): EUROCRYPT 2005, vol. 3494. Springer, Heidelberg (2005)zbMATHGoogle Scholar
  10. 10.
    Daemen, J.: Cipher and hash function design. Strategies based on linear and differential cryptanalysis. PhD thesis, Katholieke Universiteit Leuven (March 1995)Google Scholar
  11. 11.
    Daemen, J., Assche, G.V.: Producing collisions for panama, instantaneously. In: Biryukov [5], pp. 1–18 (2007)Google Scholar
  12. 12.
    Daemen, J., Clapp, C.S.K.: Fast hashing and stream encryption with PANAMA. In: Vaudenay, S. (ed.) FSE 1998. LNCS, vol. 1372, pp. 60–74. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  13. 13.
    Dobbertin, H.: Cryptanalysis of md4. J. Cryptology 11(4), 253–271 (1998)CrossRefzbMATHGoogle Scholar
  14. 14.
    Faugère, J.-C.: A new efficient algorithm for computing grobner bases (f4). Journal of Pure and Applied Algebra 139(1-3), 61–68 (1999)MathSciNetCrossRefzbMATHGoogle Scholar
  15. 15.
    Faugère, J.-C., Gianni, P.M., Lazard, D., Mora, T.: Efficient computation of zero-dimensional gröbner bases by change of ordering. J. Symb. Comput. 16(4), 329–344 (1993)CrossRefzbMATHGoogle Scholar
  16. 16.
    Goubault-Larrecq, J., Roger, M., Verma, K.N.: Abstraction and resolution modulo ac: How to verify diffie-hellman-like protocols automatically. J. Log. Algebr. Program. 64(2), 219–251 (2005)MathSciNetCrossRefzbMATHGoogle Scholar
  17. 17.
    Lidl, R., Niederreiter, H.: Finite Fields (Encyclopedia of Mathematics and its Applications), October 1996. Cambridge University Press, Cambridge (1996)zbMATHGoogle Scholar
  18. 18.
    Peyrin, T.: Cryptanalysis of grindahl. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 551–567. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  19. 19.
    Rijmen, V., Van Rompay, B., Preneel, B., Vandewalle, J.: Producing collisions for PANAMA. In: Matsui, M. (ed.) FSE 2001. LNCS, vol. 2355, pp. 37–51. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  20. 20.
    Shoup, V. (ed.): CRYPTO 2005. LNCS, vol. 3621. Springer, Heidelberg (2005)zbMATHGoogle Scholar
  21. 21.
    Sugita, M., Kawazoe, M., Perret, L., Imai, H.: Algebraic cryptanalysis of 58-round sha-1. In: Biryukov[5], pp. 349–365 (2007)Google Scholar
  22. 22.
    Wang, X., Lai, X., Feng, D., Chen, H., Yu, X.: Cryptanalysis of the Hash Functions MD4 and RIPEMD. In: Cramer [9], pp. 1–18 (2005)Google Scholar
  23. 23.
    Wang, X., Yin, Y.L., Yu, H.: Finding Collisions in the Full SHA-1. In: Shoup [20], pp. 17–36 (2005)Google Scholar
  24. 24.
    Wang, X., Yu, H.: How to Break MD5 and Other Hash Functions. In: Cramer [9], pp. 19–35 (2005)Google Scholar
  25. 25.
    Wang, X., Yu, H., Yin, Y.L.: Efficient Collision Search Attacks on SHA-0. In: Shoup [20], pp. 1–16 (2005)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Charles Bouillaguet
    • 1
  • Pierre-Alain Fouque
    • 1
  1. 1.Ecole normale supérieure, CNRS, INRIAFrance

Personalised recommendations