A Collision Attack on AURORA-512

In this note, we present a collision attack on AURORA-512, which is one of the candidates for SHA-3. The attack complexity is approximately 2 AURORA-512 operations, which is less than the birthday bound of AURORA-512, namely, 2. Our attack exploits some weakness in the mode of operation. keywords: AURORA, DMMD, collision, multi-collision 1 Description of AURORA-512 We briefly describe the specification of AURORA-512. Please refer Ref [1] for details. An input message is padded to be a multiple of 512 bits by the standard MD message padding, then, the padded message is divided into 512-bit message blocks (M0,M1, . . . , MN−1). In AURORA-512, compression functions Fk : {0, 1}256×{0, 1}512 → {0, 1}256 and Gk : {0, 1}256 × {0, 1}512 → {0, 1}256, two permutations MF : {0, 1}512 → {0, 1}512 and MFF : {0, 1}512 → {0, 1}512, and two initial 256-bit chaining values H 0 and H D 0 are defined . The algorithm to compute a hash value is as follows. 1. for k=0 to N − 1 { 2. H k+1 ← Fk(H k ,Mk). 3. H k+1 ← Gk(H k ,Mk). 4. If k mod 8 = 7 { 5. temp ← H k+1‖H k+1 6. H k+1‖H k+1 ← MF (temp). 7. } 8. } 9. Output MFF (H N‖H N ). For example, we show the computation of AURORA-512 for a 10-block message in Fig. 1. 2 Attack Description Our attack finds collisions of 8-block messages with a complexity of 2. The attack procedure is as follows. The attack is also illustrated in Fig. 2 1 Fk and F ′ k are identical if k ≡ k′mod 8. Gk and Gk also follow the same rule.