Cryptanalysis of ESSENCE

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6147)


ESSENCE is a hash function submitted to the NIST Hash Competition that stands out as a hardware-friendly and highly parallelizable design. Previous analysis showed some non-randomness in the compression function which could not be extended to an attack on the hash function and ESSENCE remained unbroken. Preliminary analysis in its documentation argues that it resists standard differential cryptanalysis. This paper disproves this claim, showing that advanced techniques can be used to significantly reduce the cost of such attacks: using a manually found differential characteristic and an advanced search algorithm, we obtain collision attacks on the full ESSENCE-256 and ESSENCE-512, with respective complexities 267.4 and 2134.7. In addition, we show how to use these attacks to forge valid (message, MAC) pairs for HMAC-ESSENCE-256 and HMAC-ESSENCE-512, essentially at the same cost as a collision.


cryptanalysis hash functions SHA-3 


  1. 1.
    Wang, X., Yu, H.: How to break MD5 and other hash functions. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 19–35. Springer, Heidelberg (2005)Google Scholar
  2. 2.
    Wang, X., Yin, Y.L., Yu, H.: Finding collisions in the full SHA-1. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 17–36. Springer, Heidelberg (2005)Google Scholar
  3. 3.
    Cannière, C.D., Rechberger, C.: Finding SHA-1 characteristics: General results and applications. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 1–20. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  4. 4.
    Stevens, M., Lenstra, A.K., de Weger, B.: Chosen-prefix collisions for MD5 and colliding X.509 certificates for different identities. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 1–22. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  5. 5.
    NIST: FIPS 180-2 – secure hash standard (2002)Google Scholar
  6. 6.
    NIST: Announcing request for candidate algorithm nominations for a new cryptographic hash algorithm (sha-3) family. In: Federal Register, November 2007, vol. 72(212) (2007)Google Scholar
  7. 7.
    NIST: Cryptographic hash algorithm competition,
  8. 8.
  9. 9.
    Martin, J.W.: ESSENCE: A candidate hashing algorithm for the NIST competition. Submission to NIST (2008)Google Scholar
  10. 10.
    Martin, J.W.: ESSENCE: A family of cryptographic hashing algorithms. Submission to NIST (2008)Google Scholar
  11. 11.
    Mouha, N., Sekar, G., Aumasson, J.P., Peyrin, T., Thomsen, S.S., Turan, M.S., Preneel, B.: Cryptanalysis of the ESSENCE family of hash functions. In: Inscrypt 2009. LNCS. Springer, Heidelberg (2009)Google Scholar
  12. 12.
    Merkle, R.C.: One way hash functions and DES. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 428–446. Springer, Heidelberg (1990)Google Scholar
  13. 13.
    Damgård, I.: A Design Principle for Hash Functions. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 416–427. Springer, Heidelberg (1990)Google Scholar
  14. 14.
    Mendel, F., Rechberger, C., Schläffer, M., Thomsen, S.S.: The rebound attack: Cryptanalysis of reduced Whirlpool and Grøstl. In: Dunkelman, O. (ed.) FSE 2009. LNCS, vol. 5665, pp. 260–276. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  15. 15.
    Bellare, M., Canetti, R., Krawczyk, H.: Keying hash functions for message authentication. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 1–15. Springer, Heidelberg (1996)Google Scholar
  16. 16.
    NIST: FIPS 198 – the keyed-hash message authentication code, HMAC (2002)Google Scholar
  17. 17.
    Wang, L., Ohta, K., Kunihiro, N.: New key-recovery attacks on HMAC/NMAC-MD4 and NMAC-MD5. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 237–253. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  18. 18.
    Wang, X., Yu, H., Wang, W., Zhang, H., Zhan, T.: Cryptanalysis on HMAC/NMAC-MD5 and MD5-MAC. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 121–133. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  19. 19.
    Rechberger, C., Rijmen, V.: New results on NMAC/HMAC when instantiated with popular hash functions. Journal of Universal Computer Science 14(3), 347–376 (2008)MathSciNetGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  1. 1.INRIA project-team SECRETFrance
  2. 2.Aalto University School of Science and TechnologyFinland
  3. 3.Nagravision SACheseauxSwitzerland
  4. 4.École Normale SupérieureParisFrance
  5. 5.FHNWWindischSwitzerland
  6. 6.IngenicoFrance

Personalised recommendations