Breaking the Even-Mansour Hash Function: Collision and Preimage Attacks on JH and Grøstl

The Even-Mansour structure and the chopMD mode are two widely-used strategies in hash function designs. They are adopted by many hash functions including two SHA-3 finalists, the JH hash function and the Grøstl hash function. The Even-Mansour structure combining the chopMD mode is supposed to enhance the security of hash functions against collision and preimage attacks, while our results show that it is not possible to achieve this goal with an unbalanced compression function. In this paper, we show generic attacks on the Even-Mansour hash functions including both collision and preimage attacks. Our attacks show the structure flaws of the Even-Mansour hash functions. All these attacks can be applied to specific hash functions based on the Even-Mansour structure. We achieve the first collision and (2nd-)preimage attacks on full JH and Grøstl respectively. For the JH hash function, we achieve collision and (2nd-)preimage attacks on the full JH compression function with a time gain 2. After a simple modification of the padding rules, we obtain full round collision and (2nd-)preimage attacks on the modified JH hash function with a time gain 2. For the Grøstl hash function, we obtain both collision and (2nd-)preimage attacks on the full Grøstl hash function with a limited time gain 2.