A 2nd-Preimage Attack on AURORA-512

In this note, we present a 2nd-preimage attack on AURORA512, which is one of the candidates for SHA-3. Our attack can generate 2nd-preimages of any given message, in particular, the attack complexity becomes optimal when the message length is 9 blocks or more. In such a case, the attack complexity is approximately 2 AURORA-512 operations, which is less than the brute force attack on AURORA-512, namely, 2512−log2 9 ≈ 2. Our attack exploits some weakness in the mode of operation. keywords: AURORA, DMMD, 2nd-preimage, multi-collision 1 Description of AURORA-512 We briefly describe the specification of AURORA-512. Please refer to Ref. [1] for details. An input message is padded to be a multiple of 512 bits by the standard MD message padding, then, the padded message is divided into 512-bit message blocks (M0,M1, . . . , MN−1). In AURORA-512, compression functions Fk : {0, 1}256×{0, 1}512 → {0, 1}256 and Gk : {0, 1}256 × {0, 1}512 → {0, 1}256, two permutations MF : {0, 1}512 → {0, 1}512 and MFF : {0, 1}512 → {0, 1}512, and two initial 256-bit chaining values H 0 and H D 0 are defined . The algorithm to compute a hash value is as follows. 1. for k=0 to N − 1 { 2. H k+1 ← Fk(H k ,Mk). 3. H k+1 ← Gk(H k ,Mk). 4. If k mod 8 = 7 { 5. temp ← H k+1‖H k+1 6. H k+1‖H k+1 ← MF (temp). 7. } 8. } 9. Output MFF (H N‖H N ). 1 Fk and Fk′ are identical if k ≡ k′mod 8. Gk and Gk′ also follow the same rule. 2 Attack Description Our attack can generate 2nd-preimages of any given message, in particular, the attack complexity becomes optimal when the message length is 9 blocks or more, in which case it is approximately 2 AURORA-512 operations. Strictly speaking, the attack complexity depends on the output distribution of the compression function. We first assume that the output distribution is perfectly balanced, then discuss other cases later. The attack procedure for a 9-block message X0‖X1‖ · · · ‖X8 is as follows. The attack is also illustrated in Fig. 1