Collision attack on NaSHA-512

Authors

  • Ji Li
  • Liangyu Xu
  • Xu Guan
Abstract

The hash function NaSHA [1] is a new algorithm proposed for SHA-3. The compression function adopts quasigroup transformations, which raise obstacles to analysis. However, a high-probability difference that causes an inner collision can be found in the quasigroup transformations. We propose a collision attack on NaSHA-512 with time complexity 2 and negligible memory, which is lower than the complexity of a birthday attack on NaSHA-512. Using a similar method, we find free-start collisions on all versions with negligible complexity.

1 Description of NaSHA

NaSHA [1] is a family of hash functions, defined as NaSHA-(m, k, r). It adopts linear transformations $LinTr_{2^s}$ and quasigroup transformations MT. The parameter m denotes the length of the hash value, k denotes the complexity of MT, and $2^{2^r}$ denotes the order of the quasigroup used. The main transformation MT is defined by three transformations $A_l$, $\rho$ and $RA_l$.

Definition 1 (The operation of quasigroup ∗). The quasigroup operation ∗ is built from the Extended Feistel Network

$$F_{A,B,C}(L, R) = (R \oplus A,\ L \oplus B \oplus f_{a_1,b_1,c_1,a_2,b_2,c_2,a_3,b_3,c_3,\alpha,\beta,\gamma}(R + C)),$$

which is illustrated in Fig. 1. The operation $*_{(a_1,b_1,c_1,a_2,b_2,c_2,a_3,b_3,c_3,\alpha,\beta,\gamma,A,B,C)}$, denoted by

$$x *_{(a_1,b_1,c_1,a_2,b_2,c_2,a_3,b_3,c_3,\alpha,\beta,\gamma,A,B,C)} y = F_{A,B,C}(x \oplus y) \oplus y,$$

is the quasigroup operation in Z 2.

Definition 2 (Quasigroup additive string transformations $A_l : Q \to Q$ with leader l). Let t be a positive integer, let (Q, ∗) be a quasigroup, $Q = Z_{2^n}$, and $l, x_j, z_j \in Q$.

$$A_l(x_1, \dots, x_t) = (z_1, \dots, z_t) \Leftrightarrow z_j = \begin{cases} (l + x_1) * x_1, & j = 1 \\ (z_{j-1} + x_j) * x_j, & 2 \le j \le t \end{cases}$$

where + is addition modulo 2. The element l is said to be a leader of A. The transformation is illustrated in Fig. 2.

Fig. 1. The extended Feistel networks

Fig. 2. The transformations $A_l$

The definitions of $\rho$ and $RA_l$ can be found in the specification of NaSHA [1]. We ignore them because they have no relation to the attack.

We give a short description of NaSHA-(512, 2, 6), which adopts a 2048-bit (32 words) state and outputs a 512-bit hash value. First, the 512-bit message block M and the 512-bit initial value H form the state S alternately:

$$S = M_1 \| H_1 \| M_2 \| H_2 \| M_3 \| H_3 \| \dots \| M_{16} \| H_{16}$$

Second, the state words are updated 32 times by the transformation LinTr512, which is defined by:

$$LinTr_{512}(S_1 \| S_2 \| \dots \| S_{31} \| S_{32}) = (S_7 \oplus S_{15} \oplus S_{25} \oplus S_{32}) \| S_1 \| S_2 \| \dots \| S_{31}$$

Then the parameters for the quasigroup transformations MT are chosen according to the values of $S_1$ to $S_{16}$, and the state is updated once by the quasigroup transformations MT. After all message blocks have been processed, NaSHA-(512, 2, 6) outputs:

$$\text{NaSHA-}(512, 2, 6)(M) = S_4 \| S_8 \| \dots \| S_{28} \| S_{32}$$

2 Observations of NaSHA

We observed some properties that help us find collisions in NaSHA-512.

Observation 1 (Differential of basic calculation). $(a + x) * x$ is the basic calculation in the transformation $A_l$, which is defined by the Extended Feistel Network. When a and x satisfy the conditions $(a)_{64 \dots 32} = \neg (x)_{64 \dots 32}$, $(a)_{32} = 1$ and $(a)_{31 \dots 1} = 0$, the input difference $\Delta x$ = 0x00000000FFFFFFFF always leads to a zero output difference for the calculation of $(a + x) * x$. ($(x)_i$ denotes the i-th bit of x.) For example, given x = 0xAAAAAAAA00000000, x′ = 0xAAAAAAAAFFFFFFFF and a = 0x5555555580000000, $(a + x) * x = (a + x') * x'$ always holds no matter what parameters are set for the quasigroup operation ∗. The differential property is attributable to the structure of the Extended Feistel Network. The details are as follows.

$$\begin{aligned}
(a + x) * x &= F_{A,B,C}((a + x) \oplus x) \oplus x \\
&= F_{A,B,C}(\text{0x5555555580000000}) \oplus \text{0xAAAAAAAA00000000} \\
&= ((\text{0x80000000} \oplus A) \oplus \text{0xAAAAAAAA}) \,\|\, (f(\text{0x80000000} \oplus C) \oplus B \oplus \text{0x55555555}) \\
(a + x') * x' &= F_{A,B,C}((a + x') \oplus x') \oplus x' \\
&= F_{A,B,C}(\text{0xAAAAAAAA80000000}) \oplus \text{0xAAAAAAAAFFFFFFFF} \\
&= ((\text{0x80000000} \oplus A) \oplus \text{0xAAAAAAAA}) \,\|\, (f(\text{0x80000000} \oplus C) \oplus B \oplus \text{0x55555555})
\end{aligned}$$

The calculations of $F_{A,B,C}$ are illustrated in Fig. 3.

Fig. 3. The calculation of $F_{A,B,C}$

Observation 2 (The output of basic calculation). According to the definition of $(a + x) * x$, for the same parameters $(a_1, b_1, c_1, a_2, b_2, c_2, a_3, b_3, c_3, \alpha, \beta, \gamma)$, the output value of $(a + x) * x$ can be changed by modifying the parameters A, B and C. In particular, given a and x, we can choose the parameters A, B and C to make $(a + x) * x = a$. For the same parameters $(a_1, b_1, c_1, a_2, b_2, c_2, a_3, b_3, c_3, \alpha, \beta, \gamma, A, B, C)$, $(a + x') * x' = a$ always holds if the difference $\Delta x = x \oplus x'$ = 0x00000000FFFFFFFF.

Observation 3 (Continuous collisions in $A_l$). According to Observation 1 and Observation 2, a difference sequence that generates continuous collisions in the full transformation $A_l$ can be constructed easily. First, select the triple x, x′, a to make $(a + x) * x = (a + x') * x'$ for any quasigroup operation ∗. Second, select the parameters of the operation ∗ to make $(a + x) * x = a$ hold. For the basic calculation of $(z_{j-1} + x_j) * x_j$, if $z_{j-1} = a$ and $x_j = x_{j+1} = \dots = x_{j+k} = x$ (k denotes the length of the differential sequence), then after the transformation $A_l$ all differences on the difference sequence will be absorbed. We can freely control the state words before the transformation $A_l$ to keep $x_j = x_{j+1} = \dots = x_{j+k} = x$, owing to the message input scheme. It is not easy to directly control the state words after $A_l$, such as $z_{j-1}$. The continuous collision requires a one-word condition (64 bits) on the first leader ($z_{j-1}$).

Fig. 4. Continuous collision in $A_l$

Observation 4 (Difference absorption for parameters). The first 16 words of the state are used as parameters of the quasigroup operations. However, it is easy to select differences on state words so that there is no difference on these parameters. For example: $\alpha_1 \| \beta_1 \| \gamma_1 \| \alpha_2 = S_7 + S_8$. If $\Delta S_7 = \Delta S_8 = \Delta x$ and $S_7 = x$, $S'_7 = x'$, $S_8 = x'$, $S'_8 = x$, then $S_7 + S_8 = x + x' = S'_7 + S'_8$. The parameters $\alpha_1, \beta_1, \gamma_1, \alpha_2$ have no differences.

Observation 5 (Freedom on state words). For NaSHA-512, only 16 of the 32 words are used to calculate the parameters of the quasigroup transformation, so some state words can be changed freely while the parameters of the quasigroup transformation are kept. The first 16 words of the state are chosen to calculate the parameters of the quasigroup transformations $A_l$ and $RA_l$. Eight state words are selected as parameters of the quasigroup transformation $A_l$ as follows:

$$S_3 + S_4 = l_2, \quad S_5 + S_6 = a_1 \| b_1 \| c_1 \| a_2 \| b_2 \| c_2 \| a_3 \| b_3, \quad c_3 = a_1,$$
$$S_7 + S_8 = \alpha_1 \| \beta_1 \| \gamma_1 \| -, \quad S_{11} + S_{12} = A \| B, \quad S_{13} + S_{14} = C \| -.$$

$l_2$ is the 64-bit leader of $A_l$; the 8-bit words $a_1, b_1, c_1, a_2, b_2, c_2, a_3, b_3, c_3$, the 16-bit words $\alpha_1, \beta_1, \gamma_1$ and the 32-bit words A, B, C are parameters of the operation ∗. (The two − denote values that are not used in $A_l$.) These observations can be used to construct a collision in the full transformation $A_l$.

3 Collision attack of NaSHA-512

According to the observations in Section 2, we can choose differences on state words to find a collision. Several differential patterns can be found. The differential pattern illustrated in Fig. 5 generates a collision with the fewest conditions and the most free state words. We set three continuous differentials on state words, which results in a complexity of $2^{3 \cdot 64}$ because three word conditions need to be fulfilled. We have enough free words to satisfy all conditions. The details are explained below.

3.1 Differential Pattern

We give a differential pattern with three continuous differentials.

Fig. 5. The differential pattern

Following the differential pattern, we set differences on the state words after LinTr512: $\Delta S_9 = \Delta S_{10} = \Delta S_{17} = \Delta S_{18} = \Delta S_{19} = \Delta S_{20} = \Delta S_{21} = \Delta S_{29} = \Delta S_{31} = \Delta x$ = 0x00000000FFFFFFFF. No difference exists on the other state words. Set the values of the state words $S_9 = x$, $S_{10} = x'$ and set $S_{17}, S_{18}, S_{19}, S_{20}, S_{21}, S_{29}, S_{30}, S_{31}$ to x or x′. The state words are then processed by the transformation $A_l$: $A_l(S_1, S_2, \dots, S_{31}, S_{32}) = (z_1, z_2, \dots, z_{31}, z_{32})$.

According to Observation 3, if the three leaders satisfy $z_8 = z_{16} = z_{21} = a$, all differences on the state words are absorbed. These are sufficient conditions for the differential pattern to generate a collision. Below we explain how to select free state words to fulfill the three word conditions.

3.2 Free State Words

To use the given differential pattern to generate a collision, we need some free state words to satisfy these three word conditions. Denote H as the initial value and M32×16 LinTr512 as the transformation matrix from the state S to H.

H = [H1 H2 · · · H16] = M 16×32 LinTr512 × [S1 S2 · · ·
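Observation 1 can be checked numerically for arbitrary parameters. The Python below is an added example, not code from the paper or from the NaSHA specification: the round function `make_f` is a hypothetical stand-in for f (the page does not define it), and + is assumed to be addition modulo 2^64, which reproduces the intermediate values of the worked derivation above.

```python
import random

MASK32 = 0xFFFFFFFF
MASK64 = 0xFFFFFFFFFFFFFFFF
DELTA_X = 0x00000000FFFFFFFF  # input difference from Observation 1

def make_f(rng):
    """Hypothetical stand-in for f: any fixed 32-bit function will do."""
    key = rng.getrandbits(64)
    def f(v):
        v = (v * 0x9E3779B1 + key) & MASK64
        v ^= v >> 29
        return (v * 0xBF58476D) & MASK32
    return f

def feistel(word, A, B, C, f, xor_mix=True):
    """F_{A,B,C}(L, R) = (R xor A, L xor B xor f(R mixed with C))."""
    L, R = word >> 32, word & MASK32
    # The definition writes R + C, the worked derivation R xor C; try both.
    mixed = (R ^ C) if xor_mix else (R + C) & MASK32
    return ((R ^ A) << 32) | (L ^ B ^ f(mixed))

def basic_calc(a, x, A, B, C, f, xor_mix=True):
    """(a + x) * x = F((a + x) xor x) xor x, '+' assumed modulo 2^64."""
    return feistel(((a + x) & MASK64) ^ x, A, B, C, f, xor_mix) ^ x

def leader_for(x):
    """a: upper half = NOT upper half of x, bit 32 set, low 31 bits zero."""
    return (((x >> 32) ^ MASK32) << 32) | 0x80000000

def count_collisions(trials, seed=1, xor_mix=True):
    """Count trials where x and x xor DELTA_X give the same output."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        f = make_f(rng)
        A, B, C = (rng.getrandbits(32) for _ in range(3))
        x = rng.getrandbits(64)  # constructed random sample input
        a = leader_for(x)
        y1 = basic_calc(a, x, A, B, C, f, xor_mix)
        y2 = basic_calc(a, x ^ DELTA_X, A, B, C, f, xor_mix)
        hits += (y1 == y2)
    return hits

if __name__ == "__main__":
    print(count_collisions(10000), count_collisions(10000, xor_mix=False))
```

Every trial collides because the right half fed to f is 0x80000000 for both inputs, so f, A, B and C cancel out of the comparison; this is why the property makes the quasigroup parameters irrelevant to the differential.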


Similar resources

On a Conditional Collision Attack on NaSHA-512

A collision attack on NaSHA-512 was proposed by L. Ji et al. The claimed complexity of the attack is 2. The proposed attack is realized by using a suitable differential pattern. In this note we show that the correct result that can be inferred from their differential pattern is in fact a conditional one. It can be stated correctly as follows: A collision attack on NaSHA-512 of complexity k = 1,...


Low-weight Pseudo Collision Attack on Shabal and Preimage Attack on Reduced Shabal-512

This paper studies two types of attacks on the hash function Shabal. The first attack is a low-weight pseudo collision attack on Shabal. Since a pseudo collision attack is trivial for Shabal, we focus on a low-weight pseudo collision attack. It means that only low-weight difference in a chaining value is considered. By analyzing the difference propagation in the underlying permutation, we can c...


On Collisions of Hash Functions Turbo SHA-2

In this paper we don't examine security of Turbo SHA-2 completely; we only show new collision attacks on it, with smaller complexity than it was considered by Turbo SHA-2 authors. In [1] they consider Turbo SHA-224/256r and Turbo SHA-384/512-r with variable number of rounds r from 1 to 8. The authors of [1] show collision attack on Turbo SHA-256-1 with one round which has the complexity of 2. F...


A Collision Attack on AURORA-512

In this note, we present a collision attack on AURORA-512, which is one of the candidates for SHA-3. The attack complexity is approximately 2 AURORA-512 operations, which is less than the birthday bound of AURORA-512, namely, 2. Our attack exploits some weakness in the mode of operation. keywords: AURORA, DMMD, collision, multi-collision 1 Description of AURORA-512 We briefly describe the speci...


Quantum Preimage and Collision Attacks on CubeHash

In this paper we show a quantum preimage attack on CubeHash-512-normal with complexity 2. This kind of attack is expected to cost 2 for a good 512-bit hash function, and we argue that this violates the expected security of CubeHash. The preimage attack can also be used as a collision attack, given that a generic quantum collision attack on a 512-bit hash function require 2 operations, as explai...

Journal title:
  • IACR Cryptology ePrint Archive

Volume 2008  Issue 

Pages  -

Publication date 2008