Cryptanalysis of tweaked versions of SMASH and reparation


Abstract

In this paper, we study the security of permutation-based hash functions, i.e. block-cipher-based hash functions with fixed keys. SMASH is such a hash function, proposed by Knudsen in 2005 and broken the same year by Pramstaller et al. Here we show that the two tweaked versions, proposed soon after by Knudsen to thwart the attack, can also be attacked in collision in time O(n · 2^{n/3}). This time complexity can be reduced to O(2^{2√n}) for the first tweaked version, which means an attack against SMASH-256 in c · 2^{32} for a small constant c. Then, we show that an efficient generalization of SMASH, using two permutations instead of one, can be proved secure against collision in the ideal-cipher model in Ω(2^{n/4}) queries to the permutations. In order to analyze the tightness of our proof, we devise a non-trivial attack in O(2^{3n/8}) queries. Finally, we also prove that our construction is preimage resistant in Ω(2^{n/2}) queries, which is the best security level that can be reached for 2-permutation-based hash functions, as proved in [12]. © 2009 Springer.

Citation

Fouque, P. A., Stern, J., & Zimmer, S. (2008). Cryptanalysis of tweaked versions of SMASH and reparation. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 5381 LNCS, pp. 136–150). https://doi.org/10.1007/978-3-642-04159-4_9
