Collision Spectrum, Entropy Loss, T-Sponges, and Cryptanalysis of GLUON-64

  • Léo Perrin
  • Dmitry Khovratovich
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8540)


In this paper, we investigate the properties of iterative non-injective functions and the security of primitives where they are used. First, we introduce the Collision Probability Spectrum (CPS) parameter to quantify how far from a permutation a function is. In particular, we show that the output size decreases linearly with the number of iterations whereas the collision trees grow quadratically.

Secondly, we investigate the T-sponge construction and show how certain CPS and rate values lead to an improved preimage attack on long messages. As an example, we find collisions for the GLUON-64 internal function, approximate its CPS, and show an attack that violates the security claims. For instance, if a message ends with a sequence of 1 Mb (respectively 1 Gb) of zeros, then our preimage search takes time \(2^{115.3}\) (respectively \(2^{105.3}\)) instead of \(2^{128}\).
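The behaviour described in the first paragraph can be observed empirically on a small function. The following Python sketch is an added example, not code from the paper: it measures an empirical collision spectrum and the iterated image sizes of a constructed, seeded 16-bit random function. Reading c_k as the fraction of inputs whose output has exactly k preimages, and all function names, are assumptions made here.

```python
import math
import random
from collections import Counter

def random_function(n_bits, seed):
    """Lookup table of a constructed, seeded random function on n_bits-bit values."""
    rng = random.Random(seed)
    size = 1 << n_bits
    return [rng.randrange(size) for _ in range(size)]

def collision_spectrum(table):
    """Empirical c_k: fraction of inputs x whose output f(x) has exactly k
    preimages (x included). This reading of the spectrum is an assumption."""
    preimages = Counter(table)                    # output -> preimage count
    by_k = Counter(preimages[y] for y in table)   # one entry per input
    return {k: by_k[k] / len(table) for k in sorted(by_k)}

def iterated_image_sizes(table, rounds):
    """Sizes of f(D), f(f(D)), ... for the full domain D."""
    current = set(range(len(table)))
    sizes = []
    for _ in range(rounds):
        current = {table[x] for x in current}
        sizes.append(len(current))
    return sizes

def predicted_fractions(rounds):
    """Random-mapping estimate: tau_0 = 1, tau_{i+1} = 1 - exp(-tau_i)."""
    tau, out = 1.0, []
    for _ in range(rounds):
        tau = 1.0 - math.exp(-tau)
        out.append(tau)
    return out

if __name__ == "__main__":
    f = random_function(16, seed=1)
    cps = collision_spectrum(f)
    for k in (1, 2, 3, 4):
        ideal = math.exp(-1) / math.factorial(k - 1)
        print(f"c_{k}: measured {cps.get(k, 0.0):.4f}, random-function value {ideal:.4f}")
    sizes = iterated_image_sizes(f, 32)
    for i, tau in enumerate(predicted_fractions(32), start=1):
        if i in (1, 2, 4, 8, 16, 32):
            frac = sizes[i - 1] / len(f)
            print(f"i={i:2d}: image fraction {frac:.4f} (estimate {tau:.4f}), "
                  f"domain/image = {1 / frac:.2f}")
```

For a uniformly random function the measured c_k approach e^{-1}/(k-1)!, and the ratio of domain size to image size grows roughly linearly with the iteration count.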


Keywords: Random function, Collision probability spectrum, Collision tree, T-sponge, GLUON, Collision search



The authors thank the designers of the GLUON family of hash functions for providing a reference implementation, Alex Biryukov for very helpful discussions and the anonymous reviewers for their comments.


Copyright information

© International Association for Cryptologic Research 2015

Authors and Affiliations

  1. University of Luxembourg, Walferdange, Luxembourg
