Cryptanalyses of Narrow-Pipe Mode of Operation in AURORA-512 Hash Function

  • Yu Sasaki
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5867)


We present cryptanalyses of the AURORA-512 hash function, which is a SHA-3 candidate. We first describe a collision attack on AURORA-512. We then show a second-preimage attack on AURORA-512/-384 and explain that the randomized hashing can also be attacked. We finally show a full key-recovery attack on HMAC-AURORA-512 and universal forgery on HMAC-AURORA-384. Our attack exploits weaknesses in a narrow-pipe mode of operation of AURORA-512 named “Double-Mix Merkle-Damgård (DMMD),” which produces 512-bit output by updating two 256-bit chaining variables in parallel. We do not look inside the compression function. Hence, our attack can work even if the compression function is regarded as a random oracle. The time complexity of our collision attack is approximately 2^236 AURORA-512 operations, and 2^236 × 512 bits of memory is required. Our second-preimage attack works on any given message. The time complexity is approximately 2^290 AURORA-512 operations, and 2^288 × 512 bits of memory is required. Our key-recovery attack on HMAC-AURORA-512, which uses 512-bit secret keys, requires 2^257 queries, 2^259 off-line AURORA-512 operations, and a negligible amount of memory. The universal forgery on HMAC-AURORA-384 is also possible by combining the second-preimage and key-recovery attacks.


Keywords: AURORA, DMMD, collision, second preimage, HMAC



Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Yu Sasaki
  1. NTT Information Sharing Platform Laboratories, NTT Corporation, Tokyo, Japan
  2. The University of Electro-Communications, Tokyo, Japan
