Second Preimage Attack on SHAMATA-512

We present a second preimage attack on SHAMATA-512, which is a hash function of 512bit output and one of the first round candidates of the SHA-3 competition. The attack uses differential paths that hold with a probability one and a meet-in-the-middle approach to find second preimages. The time complexity is about 2 computation of the step function and the memory complexity is about 2 blocks of 128 bits. 1 Short Description of SHAMATA-512 The hash function SHAMATA[1] is a register based hash function. The internal state (chaining value) is of 2048-bit length and stored in 16 128-bit registers; four B registers and twelve K registers. A message is padded to a multiple of 128 bits and the message blocks are processed by the step function sequentially. Let pad(x) = M0||M1|| · · · ||Ml−1 be a l-block padded message. The hash value y = H(x) is computed as follows: S0 = Initialization(IV ), Si+1 = StepFunction(Si,Mi, i), i = 0, 1, · · · , l − 1 y = Finalization(Sl, l), where Si is the internal state before the i-th step is applied. We call the update process, described by Si+1 = StepFunction(Si,Mi, i), the i-th step. The StepFunction is called UpdateRegister in the specification of the hash function. [email protected] [email protected]