
Finding Collisions for Round-Reduced SM3

Florian Mendel, Tomislav Nad, and Martin Schläffer

Institute for Applied Information Processing and Communications (IAIK)
Graz University of Technology, Inffeldgasse 16a, A-8010 Graz, Austria.
tomislav.nad@iaik.tugraz.at

Abstract. In this work, we provide the first security analysis of reduced SM3 regarding its collision resistance. SM3 is a Chinese hash function standard published by the Chinese Commercial Cryptography Administration Office for the use of electronic authentication service systems and hence might be used in several cryptographic applications in China. So far, only a few results have been published for the SM3 hash function. Since the design of SM3 is very similar to the MD4 family of hash functions and in particular to SHA-2, a re-evaluation of the security of SM3 regarding collision resistance is important, taking into account recent advances in the cryptanalysis of SHA-2. In this paper, we extend the methods used in the recent collision attacks on SHA-2 and show how the techniques can be effectively applied to SM3. Our results are a collision attack on the hash function for 20 out of 64 steps and a free-start collision attack for 24 steps of SM3, both with practical complexity.

Keywords: hash functions, cryptanalysis, collisions, free-start collisions

1 Introduction

A cryptographic hash function H maps a message M of arbitrary length to a fixed-length hash value h. Informally, a cryptographic hash function has to fulfill the following security requirements:

– Collision resistance: it is practically infeasible to find two messages M and M*, with M* ≠ M, such that H(M) = H(M*).
– Second preimage resistance: for a given message M, it is practically infeasible to find a second message M* ≠ M such that H(M) = H(M*).
– Preimage resistance: for a given hash value h, it is practically infeasible to find a message M such that H(M) = h.

The resistance of a hash function to collision and (second) preimage attacks depends in the first place on the length n of the hash value. Regardless of how a hash function is designed, an adversary will always be able to find preimages or second preimages after trying out about 2^n different messages. Finding collisions requires a much smaller number of trials: about 2^(n/2) due to the birthday paradox. If the internal structure of a particular hash function allows collisions or (second) preimages to be found more efficiently than what could be expected based on its hash length, then the function is considered to be broken. For a formal treatment of the security properties of cryptographic hash functions we refer to [10, 11].

E. Dawson (Ed.): RSA 2013, LNCS 7779, pp. 174–188, 2013. The original publication is available at http://dx.doi.org/10.1007/978-3-642-36095-4_12. © Springer-Verlag Berlin Heidelberg 2013.

Most cryptanalytic results on hash functions focus on collision attacks. In recent years, collisions have been shown for many commonly used hash functions. In particular, the collision attacks of Wang et al. [13, 14] on MD5 and SHA-1 have convinced many cryptographers that these widely deployed hash functions can no longer be considered secure. As a consequence, NIST proposed the transition from SHA-1 to the SHA-2 family, and many companies and organizations are migrating to SHA-2. Furthermore, researchers are evaluating alternative hash functions in the SHA-3 initiative organized by NIST [9] to find a new hash function standard.

In this work, we analyze the Chinese hash function standard SM3. SM3 was designed by Wang et al. [1] and is published by the Chinese Commercial Cryptography Administration Office for the use of electronic authentication service systems. The amount of cryptanalytic results on SM3 is low compared to other hash function standards. Kircanski et al. [4] presented a distinguisher for the compression function of SM3 up to 35 steps with complexity 2^117.1. Moreover, Zou et al. [15] presented a preimage attack on 30 steps of SM3 with complexity 2^249.

The design of SM3 is very similar to the MD4 family, in particular to SHA-2. New collision attacks on SHA-2 and similar hash functions have been shown recently [2, 5–8]. These attacks have in common that they are all of practical complexity and are based on automatic search algorithms to find complex differential characteristics.

In this paper, we develop the methods of Mendel et al. for SHA-256 [7] further and apply them to SM3. We show how the technique can be effectively applied to SM3. Furthermore, we present a collision for 20 steps and a free-start collision for 24 steps of SM3. These are the first collision attacks on the step-reduced SM3 hash and compression function.

The remainder of this paper is structured as follows. A description of the hash function is given in Section 2. In Section 3 we describe the basic attack strategy. In Section 4 we show how we can find differential characteristics and conforming message pairs for SM3. Finally, we present a collision and a free-start collision for step-reduced SM3 in Section 5 and conclude in Section 6.

2 Description of SM3

SM3 is an iterated hash function that processes 512-bit input message blocks and produces a 256-bit hash value. In the following, we briefly describe the hash function. It basically consists of two parts: the message expansion and the state update transformation. A detailed description of the hash function is given in [1].

2.1 Message Expansion

The message expansion of SM3 is linear in GF(2). It splits the 512-bit message block into 16 words M_i, i = 0, ..., 15, and expands them into 68 expanded message words W_i and 64 expanded message words W'_i as follows (≪ denotes rotation to the left, i.e. a cyclic shift of the 32-bit word):

    W_i = M_i                                                                 for 0 ≤ i < 16
    W_i = σ0(W_{i−16} ⊕ W_{i−9} ⊕ (W_{i−3} ≪ 15)) ⊕ (W_{i−13} ≪ 7) ⊕ W_{i−6}     for 16 ≤ i < 68

and

    W'_i = W_i ⊕ W_{i+4}    for 0 ≤ i < 64.

The function σ0(X) is given by

    σ0(X) = X ⊕ (X ≪ 15) ⊕ (X ≪ 23).

2.2 State Update Transformation

The state update transformation starts from a (fixed) initial value IV of eight 32-bit words and updates them in 64 steps. In each step the 32-bit words W_i and W'_i are used to update the eight state variables A_{i−1}, B_{i−1}, ..., H_{i−1}:

    T1  = (A_{i−1} ≪ 12 + E_{i−1} + K_i) ≪ 7
    T2  = H_{i−1} + f0(E_{i−1}, F_{i−1}, G_{i−1}) + T1 + W_i
    A_i = D_{i−1} + f1(A_{i−1}, B_{i−1}, C_{i−1}) + (T1 ⊕ A_{i−1} ≪ 12) + W'_i
    E_i = Σ0(T2)
    B_i = A_{i−1}
    C_i = B_{i−1} ≪ 9
    D_i = C_{i−1}
    F_i = E_{i−1}
    G_i = F_{i−1} ≪ 19
    H_i = G_{i−1}                                                             (1)

For the definition of the step constants K_i we refer to [1]. The bitwise Boolean functions f0 and f1 are different for each step. In the first 16 steps f_XOR is used for both f0 and f1. After step 16, f0 is f_IF and f1 is f_MAJ.

    f_XOR(X, Y, Z) = X ⊕ Y ⊕ Z
    f_IF(X, Y, Z)  = XY ⊕ XZ ⊕ Z
    f_MAJ(X, Y, Z) = XY ⊕ YZ ⊕ XZ                                             (2)

The linear function Σ0 is defined as follows:

    Σ0(X) = X ⊕ (X ≪ 9) ⊕ (X ≪ 17)                                            (3)

After the last step of the state update transformation, the initial values are XORed to the output values of the last four steps (Davies-Meyer construction). The result is the final hash value or the initial value for the next message block.

3 Basic Attack Strategy

In the following, we first give a brief overview of the attack strategy used in the recent collision attacks on the MD4 family of hash functions [12, 14]. The high-level strategy can be summarized as follows:

1. Find a characteristic for the hash function that holds with high probability.
2. Use message modification techniques to fulfill conditions imposed by the characteristic. This increases the probability of the characteristic.
3. Use random trials to find values for the remaining free message bits such that the message follows the characteristic.

The most difficult and important part of the attack is to find a good differential characteristic. The second important part of the attack is to find conforming inputs for the differential characteristic. For both parts we used the technique of the recent attack on SHA-2 [7].

4 Automatic Search Tool

The collision attack on SHA-2 [7] can be summarized as follows:

1. Determine a starting point for the search which results in an attack on a large number of steps. The resulting start characteristic should span only a few steps and only some message words should contain differences.
2. Use an automated search tool to find a differential characteristic for the unrestricted intermediate steps, including the message expansion.
3. Continue the search to find a conforming message pair. If no message pair can be found, adjust the differential characteristic accordingly.

Due to the linearity of the message expansion, finding a good starting point is rather simple. The most difficult and important part of the attack is to find a good differential characteristic. Due to the increased complexity of SM3 compared to hash functions like SHA-1 and MD5, finding good differential characteristics by hand is almost impossible. Therefore, we use an automatic tool to find complex nonlinear differential characteristics. The tool is also used for solving nonlinear equations involving conditions on state words and free message bits, i.e. to find conforming message pairs. The tool is based on the approach of Mendel et al. [7] to find nonlinear differential characteristics and conforming message pairs for SHA-2.

4.1 Generalized Conditions

The tool and search algorithm are based on the concept of generalized conditions introduced in [2]. Generalized conditions are inspired by signed-bit differences and take all 16 possible conditions on a pair of bits into account. Table 1 lists all these possible conditions and introduces the notation for the various cases.

Table 1. Notation for possible generalized conditions on a pair of bits [2].

    (X_i, X_i*)  (0,0) (1,0) (0,1) (1,1)      (X_i, X_i*)  (0,0) (1,0) (0,1) (1,1)
         ?         X     X     X     X              3         X     X     -     -
         -         X     -     -     X              5         X     -     X     -
         x         -     X     X     -              7         X     X     X     -
         0         X     -     -     -              A         -     X     -     X
         u         -     X     -     -              B         X     X     -     X
         n         -     -     X     -              C         -     -     X     X
         1         -     -     -     X              D         X     -     X     X
         #         -     -     -     -              E         -     X     X     X

Using these generalized conditions and propagating them in a bitsliced manner, we can construct complex differential characteristics in an efficient way. The basic idea of the search algorithm is to randomly pick a bit from a set of bit positions with predefined conditions, impose a more restricted condition and compute how this new condition propagates. This is repeated until an inconsistency is found or all unrestricted bits from the set are eliminated. Note that this general approach can be used both for finding differential characteristics and for finding conforming message pairs. There are three important aspects of the automated tool: using a good starting point, using an efficient condition propagation and using a sophisticated search strategy. We discuss each aspect in the following sections.

4.2 Defining a Starting Point

Similar to the attack on SHA-256 [7], we construct a local collision with differences in a few steps, which results in an attack on a large number of steps. Since the message expansion of SM3 is linear, finding a starting point is easier than for SHA-256.

To find a good starting point for SM3, a system of linear equations representing the message expansion is constructed. Afterwards, linear constraints are added and the system is solved. In that way several good starting points for up to 24 steps have been found. The starting points for 20 and 24 steps are given in the Appendix in Table 5 and Table 7.

Note that, unlike in most hash function attacks so far, the non-linear part for 24 steps is placed at the end instead of the beginning. This has several reasons. First of all, the differential characteristic for the message expansion is sparser. Furthermore, after step 16 the Boolean functions IF and MAJ are used instead of XOR. This again results in a sparser characteristic. In general, the sparser a characteristic is, the easier it is to find conforming message pairs.

4.3 Efficient Condition Propagation

The efficient propagation of new conditions is crucial for the performance of the algorithm, since it is the most frequently needed operation in the search algorithm. Due to the nature of the search algorithm, where changes to the characteristic (using generalized conditions) are made on bit level, we perform the propagation of conditions also on bit level. At the beginning of the search every bit has at least one of the 16 generalized conditions (see Table 1). During the search we impose conditions on specific bits. These bits are inputs or outputs of functions. If a bit in the output is changed, then all bits which are used to determine this output bit are updated. We call such a set of bits a bit-slice. If the changed bit is an input of a function, then all other bits of the corresponding bit-slice are updated. The following example illustrates this process.

Example 1 (Condition Propagation). Let f: F_32^3 → F_32 be the Boolean IF function operating on 32-bit words and defined as follows:

    f(x, y, z) = (x ∧ y) ⊕ (¬x ∧ z) = o.

Then the output bit o_i depends on the bits {x_i, y_i, z_i}, and {x_i, y_i, z_i, o_i} forms a bit-slice. If the generalized condition ∇x_i changes, then the conditions of the set {∇x_i, ∇y_i, ∇z_i, ∇o_i} are updated.

In our approach the update process is done exhaustively by computing all possible conditions of a bit-slice. This seems at first to be inefficient, but we use two techniques to significantly speed up the process. The first one splits the state update into smaller functions and the second one utilizes a cache. However, the update process for a modular addition is done in a slightly different way. The bit-slices of a modular addition also contain the input carry and the output carry. Hence, the bit-slices are connected through the carry bits. If the condition for a carry bit changes, then the connected bit-slice is updated as well. Furthermore, the whole update process is iterative and updates bits until the conditions do not change any more.

4.4 Increasing the Propagation Performance

In the state update transformation of SM3, only two state variables are updated in each step, namely A_i and E_i. Therefore, we can redefine the state update such that only these two variables are involved. In this case, we get the following mapping between the original and new state variables (up to the rotations of C_i, D_i, G_i and H_i given in (1)):

    A_i   B_i       C_i       D_i       E_i   F_i       G_i       H_i
    A_i   A_{i−1}   A_{i−2}   A_{i−3}   E_i   E_{i−1}   E_{i−2}   E_{i−3}

Hence, only two state variables need to be stored. Furthermore, the complexity of propagating generalized conditions increases exponentially with the number of input bits and additions. As in SHA-2, the number of input bits in the update of A_i, E_i and W_i is high. To reduce the computational complexity of the propagation, we further split the update of W_i, E_i and A_i into sub-steps. The decision where to split needs to be made carefully. If too many sub-steps are introduced, we lose too much information, resulting in worse propagation and late detection of contradictions. If too few sub-steps are introduced, the performance of the propagation is too slow. Therefore, we found the following separation of the SM3 state update, which leads to a good performance/propagation ratio:

    S_i  = W_{i−16} ⊕ W_{i−9} ⊕ W_{i−3} ≪ 15,
    P_i  = S_i ⊕ S_i ≪ 15 ⊕ S_i ≪ 23,
    W_i  = P_i ⊕ W_{i−13} ≪ 7 ⊕ W_{i−6},
    W'_i = W_i ⊕ W_{i+4},
    L_i  = A_{i−1} ≪ 12 + E_{i−1} + K_i,
    F_i  = A_{i−1} ⊕ A_{i−2} ⊕ A_{i−3} ≪ 9,
    A_i  = F_i + W'_i + A_{i−4} ≪ 9 + (L_i ≪ 7 ⊕ A_{i−1} ≪ 12),
    G_i  = E_{i−1} ⊕ E_{i−2} ⊕ E_{i−3} ≪ 19,
    R_i  = E_{i−4} ≪ 19 + L_i ≪ 7 + W_i + G_i,
    E_i  = R_i ⊕ R_i ≪ 9 ⊕ R_i ≪ 17.

By carefully analyzing the state update and message expansion we have split up the computations such that one step does not have more than 5 inputs. Using this representation of SM3 we can use a cache during the propagation efficiently. Furthermore, for those steps with only three inputs we are able to compute all possibilities beforehand, changing the propagation of these steps to a simple table lookup.

4.5 Search Strategy

To reduce the complexity of the system and eventually find a solution, random additional conditions are introduced. In other words, some variables are guessed. Even the most efficient method to propagate information may not result in a solution if we make poor guesses. We need a guessing strategy which can efficiently use the new information generated by the propagation of information introduced by previous guesses. The goal of a good guessing strategy is to discard invalid solutions and to find a valid solution as soon as possible. The guessing strategy depends in the first place on the shape of the equations and the storable information propagated. Furthermore, external knowledge of the structure of the attacked cryptographic system can help to improve the guessing strategy.

Our guessing strategy is similar to the one used by Mendel et al. in the attack on SHA-256 reduced to 32 steps [7]. However, there are some small but important modifications. In our approach for SM3 we further refine the search strategy by considering specific output words for guessing. As in the attack of [7], our search strategy consists of several stages and each stage can basically be divided into three parts: decision, deduction and backtracking. Note that the same separation is made in many other fields, like SAT solvers [3]. In the decision part, we decide which bit is chosen and which constraints are imposed at its position. In the deduction part we compute the propagation of the new information and check for consistency. In the case of an inconsistency we need to backtrack and undo previous decisions, which is the third and last part.

Let U be a set of generalized conditions. Repeat the following until U is empty:

Decision
1. Pick according to some heuristic (or randomly) a bit in U.
2. Impose new constraints on this bit according to Table 2.

Deduction
3. Propagate the information to the other variables and equations as described in Section 4.3.
4. If an inconsistency is detected, start backtracking; else continue with step 1.

Backtracking
5. Try the second choice for the decision bit.
6. If this still results in an inconsistency, mark this bit as critical.
7. Jump back until the critical bit can be resolved.
8. Continue with step 1.

Note that in each stage different bits are chosen (guessed). In total we have two stages, which can be summarized as follows.

Stage 1: In the first stage we search for a consistent differential characteristic in the state words. Therefore, we add all unconstrained bits of A_i and E_i that are '?' or 'x' to the set U. Furthermore, we add bits of L_i to U as well. Experience has shown that guessing the output of modular additions first provides a significant speed-up. Due to the additional freedom added by the carry bits, the propagation of conditions is slow towards the output of modular additions if these bits are not included in U.

Stage 2: In the second stage we search for conforming inputs. Therefore, we pick decision bits with many two-bit conditions, since this ensures that bits which influence a lot of other bits are guessed first. Furthermore, many other bits propagate by defining the value of a single bit. Hence, this way inconsistent characteristics are discarded earlier and valid solutions are found faster. The concept of two-bit conditions was introduced in [7].

Note that we dynamically switch between the two stages. Additionally, we restart the search from scratch after a certain number of inconsistencies to terminate branches which appear to be stuck because they explore a search space far from a solution.

5 Results for Reduced SM3

To find collisions for reduced SM3 we apply the techniques described in Section 4. We first construct a differential characteristic with low Hamming weight in the message expansion, which functions as the starting point for the automatic search algorithm. Next, the search algorithm is applied. Running on a cluster with 72 nodes, the algorithm finds a differential characteristic in less than 1 hour. Afterwards, we continue the search for a conforming message pair, which can be found in several seconds.

Table 2. Decision rules of our guessing strategy with r ∈ {0, 1} a random value.

    Decision bit    r     Choice 1   Choice 2
         ?         1,0       -          x
         x          0        u          n
         x          1        n          u
         -          0        0          1
         -          1        1          0
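The generalized conditions of Table 1, the exhaustive bit-slice propagation of Section 4.3 (Example 1, and the carry bits that connect the slices of a modular addition) and the decision/deduction/backtracking loop of Section 4.5 with the choices of Table 2 can be tried out on a toy scale. The following Python code is an added illustration written for this page, not the authors' tool: the function names (propagate, deduce, search, if_slice, adder_slices, word), the full-adder bit-slice and the 4-bit addition used as a starting point are my own choices, the backtracking is plain recursion rather than the critical-bit scheme, and the order in which the two values of an 'x' or '-' bit are tried does not reproduce Table 2 exactly.

```python
"""Generalized conditions (Table 1), exhaustive bit-slice propagation (Section 4.3)
and a guess-and-determine search (Section 4.5, Table 2): added toy illustration,
not the authors' tool."""
import random
from itertools import product

# Table 1: a generalized condition is the set of allowed (x_i, x_i*) pairs.
COND = {
    '?': {(0, 0), (1, 0), (0, 1), (1, 1)}, '-': {(0, 0), (1, 1)},
    'x': {(1, 0), (0, 1)}, '0': {(0, 0)}, 'u': {(1, 0)}, 'n': {(0, 1)},
    '1': {(1, 1)}, '#': set(), '3': {(0, 0), (1, 0)}, '5': {(0, 0), (0, 1)},
    '7': {(0, 0), (1, 0), (0, 1)}, 'A': {(1, 0), (1, 1)},
    'B': {(0, 0), (1, 0), (1, 1)}, 'C': {(0, 1), (1, 1)},
    'D': {(0, 0), (0, 1), (1, 1)}, 'E': {(1, 0), (0, 1), (1, 1)},
}
NAME = {frozenset(v): k for k, v in COND.items()}   # every subset has a name

def f_if(x, y, z):            # Boolean IF of Example 1 on single bits
    return (x & y) ^ ((1 - x) & z)

def full_adder(x, y, c):      # one bit-slice of a modular addition: (sum, carry out)
    return (x ^ y ^ c, (x & y) | (x & c) | (y & c))

def propagate(func, ins, outs, conds):
    """Exhaustive update of one bit-slice: try every assignment of allowed pairs to
    the inputs on both sides; a pair survives iff some assignment consistent with
    all output conditions contains it."""
    seen = {v: set() for v in ins + outs}
    for choice in product(*(COND[conds[v]] for v in ins)):
        o0, o1 = func(*(p[0] for p in choice)), func(*(p[1] for p in choice))
        if not isinstance(o0, tuple):
            o0, o1 = (o0,), (o1,)
        out_pairs = list(zip(o0, o1))
        if all(p in COND[conds[v]] for v, p in zip(outs, out_pairs)):
            for v, p in zip(ins + outs, list(choice) + out_pairs):
                seen[v].add(p)
    return {v: NAME[frozenset(s)] for v, s in seen.items()}

def deduce(conds, slices):
    """Propagate over all bit-slices until nothing changes (slices of an addition
    share carry names, so a changed carry updates its neighbour); None = contradiction."""
    conds, changed = dict(conds), True
    while changed:
        changed = False
        for func, ins, outs in slices:
            for v, c in propagate(func, ins, outs, conds).items():
                if c == '#':
                    return None
                if c != conds[v]:
                    conds[v], changed = c, True
    return conds

def choices(cond, r):
    """Two choices for a decision bit, in the spirit of Table 2: first whether the
    bit carries a difference ('-' before 'x'), then its value, r picking the order."""
    pairs = COND[cond]
    eq, ne = pairs & COND['-'], pairs & COND['x']
    if eq and ne:
        return [NAME[frozenset(eq)], NAME[frozenset(ne)]]
    first = min(pairs)
    split = [{first}, pairs - {first}]
    if r:
        split.reverse()
    return [NAME[frozenset(s)] for s in split]

def search(conds, slices, rng):
    """Decision, deduction, backtracking: stage 1 guesses bits whose difference is
    undecided, stage 2 the remaining '-'/'x' bits; backtracking is plain recursion
    rather than the paper's critical-bit scheme."""
    conds = deduce(conds, slices)
    if conds is None:
        return None
    stage1 = [v for v, c in conds.items() if COND[c] & COND['-'] and COND[c] & COND['x']]
    stage2 = [v for v, c in conds.items() if len(COND[c]) > 1]
    todo = stage1 or stage2
    if not todo:
        return conds
    v = rng.choice(todo)
    for c in choices(conds[v], rng.randrange(2)):
        found = search({**conds, v: c}, slices, rng)
        if found is not None:
            return found
    return None

def if_slice(x, y, z, o):     # the bit-slice {x_i, y_i, z_i, o_i} of Example 1
    return propagate(f_if, ['x', 'y', 'z'], ['o'], {'x': x, 'y': y, 'z': z, 'o': o})

def adder_slices(n):          # n-bit modular addition x + y = s with carries c0..cn
    return [(full_adder, [f'x{i}', f'y{i}', f'c{i}'], [f's{i}', f'c{i + 1}']) for i in range(n)]

def word(conds, prefix, n):   # both sides (v, v*) of a fully determined n-bit word
    v = v_star = 0
    for i in range(n):
        (b0, b1), = COND[conds[f'{prefix}{i}']]
        v, v_star = v | b0 << i, v_star | b1 << i
    return v, v_star

def solve_adder_example(seed=1):
    """Constructed starting point: 4-bit x + y = s with a difference only in bit 0
    of x and of s; returns fully determined conditions, i.e. a conforming pair."""
    conds = {'c0': '0'}
    for i in range(4):
        conds[f'x{i}'] = conds[f's{i}'] = 'x' if i == 0 else '-'
        conds[f'y{i}'], conds[f'c{i + 1}'] = '-', '?'
    return search(conds, adder_slices(4), random.Random(seed))

if __name__ == '__main__':
    print(if_slice('x', '0', '1', '?'))   # o becomes 'x'
    print(if_slice('?', 'u', 'n', '-'))   # x becomes 'x': propagation also runs backwards
    print(deduce({'x0': 'u', 'y0': 'u', 'c0': '0', 's0': '?', 'c1': '?',
                  'x1': '-', 'y1': '-', 's1': '?', 'c2': '?'}, adder_slices(2)))
    sol = solve_adder_example()
    print({k: word(sol, k, 4) for k in 'xys'})
```

Running the file prints the refined conditions of the IF bit-slice (including a case where the output condition restricts the input x), a two-slice addition in which the carry difference created by two 'u' bits in bit 0 shows up as 'x' in the next sum bit and as 'B' in the carry out, and a fully determined conforming pair for the 4-bit addition, in which the deduction alone forces y_0 = 0 so that no carry difference leaves bit 0. The two-bit-condition heuristic of Stage 2 is not implemented; the stage-2 bits are simply picked at random.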

5.1 Collision Attack

Using the starting point given in Table 5 and our automatic search algorithm described in Section 4, we are able to construct collisions for up to 20 steps of SM3. The differential characteristic is given in Table 6. In Table 3 we present colliding message pairs. Note that we have used an additional first message block to generate several different initial values for the second message block. These degrees of freedom were needed for the attack to work; otherwise we could not find a conforming message pair.

Table 3. Collision for 20 steps of SM3.

    h0    7380166f 4914b2b9 172442d7 da8a0600 a96f30bc 163138aa e38dee4d b0fb0e4e
    m0    03c98f41 a8bda164 709a299c d76610eb 26b351ac 53547024 8efdff59 7e818400
          4188b7f1 954faf0e a32f9984 6e5d8975 dc3b528a 973480e4 f6be9d9b cf07f13e
    h1    5e801aac 4b8c7a46 c8f34646 3b2420c1 97e775ae e3a6c399 83a05d40 6a257995
    m1    559654cd 8d4f9e94 8ca64e4a b85d989c 8c185880 b51caad1 03eca739 be66a265
          ca21ab71 9c341028 2c043967 d4617038 bf6744ca d8772f12 a58e12c0 35f4f9f2
    m1*   559654cd 8d1f9e84 8ca64e5a b85d989c 8c185880 950cbad1 03eca739 be66a265
          ca71ab61 9c341028 2c043967 d4617038 bf6744ca d8772f12 a58e12c0 35f4f9f2
    Δm1   00000000 00500010 00000010 00000000 00000000 20101000 00000000 00000000
          00500010 00000000 00000000 00000000 00000000 00000000 00000000 00000000
    h2    b2033829 677c16d2 a6de9db9 fd898668 a9119d20 476364d6 a0838adc 08d3833d
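To make Section 2 concrete and to re-check Table 3, the following Python code (an added example, not the authors' code) implements the message expansion of Section 2.1 and the step function (1)–(3) with the number of steps as a parameter. The step constants 0x79cc4519 (steps 0–15) and 0x7a879d8a (steps 16–63), rotated left by the step index, are those of the SM3 standard [1], to which the paper refers for K_i; h1, m1, m1* and Δm1 are copied from Table 3 (h1 is the chaining value after the first block m0). The pair collides for 20 steps and no longer for 21: W'_20 = W_20 ⊕ W_24, and by the expansion formula W_24 depends on W_8, which carries a difference.

```python
"""SM3 message expansion (Section 2.1) and state update (1)-(3) with the number
of steps as a parameter, used to re-check the 20-step collision of Table 3.
Added example code, not the authors' tool: K_i and the rotation amounts follow
the SM3 standard [1]; h1, m1, m1* and dm1 are copied from Table 3."""

MASK = 0xFFFFFFFF


def rotl(x, n):
    """Rotate a 32-bit word left by n bits (the <<< / rotation of the paper)."""
    n %= 32
    return ((x << n) | (x >> (32 - n))) & MASK if n else x


def sigma0(x):        # sigma_0 of the message expansion (P1 in the standard)
    return x ^ rotl(x, 15) ^ rotl(x, 23)


def big_sigma0(x):    # Sigma_0 of (3) (P0 in the standard)
    return x ^ rotl(x, 9) ^ rotl(x, 17)


def expand(m):
    """16 message words -> (W_0..W_67, W'_0..W'_63) as in Section 2.1."""
    w = list(m)
    for i in range(16, 68):
        w.append(sigma0(w[i - 16] ^ w[i - 9] ^ rotl(w[i - 3], 15))
                 ^ rotl(w[i - 13], 7) ^ w[i - 6])
    w1 = [w[i] ^ w[i + 4] for i in range(64)]
    return w, w1


def compress(h, m, steps=64):
    """Compression function reduced to `steps` steps of (1), followed by the
    Davies-Meyer feed-forward with the chaining value h (eight words)."""
    w, w1 = expand(m)
    a, b, c, d, e, f, g, hh = h
    for i in range(steps):
        k = rotl(0x79CC4519 if i < 16 else 0x7A879D8A, i)   # K_i of the standard [1]
        t1 = rotl((rotl(a, 12) + e + k) & MASK, 7)
        if i < 16:                                          # f0 = f1 = f_XOR
            f0, f1 = e ^ f ^ g, a ^ b ^ c
        else:                                               # f0 = f_IF, f1 = f_MAJ
            f0, f1 = (e & f) | (~e & g), (a & b) | (a & c) | (b & c)
        t2 = (hh + f0 + t1 + w[i]) & MASK
        a_next = (d + f1 + (t1 ^ rotl(a, 12)) + w1[i]) & MASK
        a, b, c, d, e, f, g, hh = (a_next, a, rotl(b, 9), c,
                                   big_sigma0(t2), e, rotl(f, 19), g)
    return tuple(x ^ y for x, y in zip((a, b, c, d, e, f, g, hh), h))


def collides(h, m, m_star, steps):
    """True iff the distinct blocks m, m_star collide under the step-reduced
    compression function started from the chaining value h."""
    return m != m_star and compress(h, m, steps) == compress(h, m_star, steps)


def expansion_difference(m, m_star):
    """XOR differences of the expanded words W_i and W'_i of the two blocks; for
    the Table 3 pair these are the W_i and W'_i columns of Table 5."""
    (w, w1), (ws, w1s) = expand(m), expand(m_star)
    return [x ^ y for x, y in zip(w, ws)], [x ^ y for x, y in zip(w1, w1s)]


# Values copied from Table 3: h1 is the chaining value after the first block m0.
H1 = (0x5e801aac, 0x4b8c7a46, 0xc8f34646, 0x3b2420c1,
      0x97e775ae, 0xe3a6c399, 0x83a05d40, 0x6a257995)
M1 = (0x559654cd, 0x8d4f9e94, 0x8ca64e4a, 0xb85d989c, 0x8c185880, 0xb51caad1,
      0x03eca739, 0xbe66a265, 0xca21ab71, 0x9c341028, 0x2c043967, 0xd4617038,
      0xbf6744ca, 0xd8772f12, 0xa58e12c0, 0x35f4f9f2)
M1_STAR = (0x559654cd, 0x8d1f9e84, 0x8ca64e5a, 0xb85d989c, 0x8c185880, 0x950cbad1,
           0x03eca739, 0xbe66a265, 0xca71ab61, 0x9c341028, 0x2c043967, 0xd4617038,
           0xbf6744ca, 0xd8772f12, 0xa58e12c0, 0x35f4f9f2)
DELTA_M1 = (0, 0x00500010, 0x00000010, 0, 0, 0x20101000, 0, 0,
            0x00500010, 0, 0, 0, 0, 0, 0, 0)

if __name__ == '__main__':
    for steps in (20, 21):
        print(steps, collides(H1, M1, M1_STAR, steps))   # 20 True, 21 False
    dw, dw1 = expansion_difference(M1, M1_STAR)
    print("dW  :", ' '.join(f'{d:08x}' for d in dw[:24]))
    print("dW' :", ' '.join(f'{d:08x}' for d in dw1[:24]))
```

Steps are counted from 0, so steps=20 runs steps 0 to 19 of (1), matching the rows of Table 5 and Table 6. The expansion differences printed by the script show the cancellations that make the starting point sparse: W_17 and W_18 receive no difference although W_1, W_2, W_5 and W_8 do, which is exactly what the linear system of Section 4.2 was solved for.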

5.2 Free-Start Collision

Using the starting point given in Table 7 and our automatic search algorithm described in Section 4, we are able to construct free-start collisions for up to 24 steps of SM3. The differential characteristic is given in Table 8. In Table 4 we present a colliding message pair and IV pair resulting in a collision after 24 steps. Again, this attack has practical complexity. The main difference between this attack and the previous one is that we had to place the non-linear part at the end to get sparse characteristics.

Table 4. Free-start collision for 24 steps of SM3.

    h0    898991b0 8de47668 6e54847c 9167ff5e 3c7d51fe e2101301 6c53d522 7b3809df
    h0*   898991b0 8da47668 ee54847c 1127ff5e 3c7d51fe e2100301 ec53d522 fb3819df
    Δh0   00000000 00400000 80000000 80400000 00000000 00001000 80000000 80001000
    m     07595c54 e01e0245 facd449a 07ca096d 510445e8 4e1d0dff 97f2a3c0 79f02f14
          2ebfac50 48cdde2d e88f68e1 2b5032d1 3aa9a79f 656d1380 693417c1 ce82a62a
    m*    07595c54 e01e0245 7acd449a 07ca096d 510445e8 4e1d0dff 97f2a3c0 79f02f14
          2ebfac50 48cdde2d e88f68e1 2b5032d1 3aa9a79f 656d1380 693417c1 ce82a62a
    Δm    00000000 00000000 80000000 00000000 00000000 00000000 00000000 00000000
          00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
    h1    a83d45dc 9eda869d 48baa718 78ccd026 25696682 d0be9f4a e70babf3 f4852e70

6 Conclusions

Since the collision attacks of Wang et al. [13, 14] on MD5 and SHA-1, many cryptographers are convinced that these widely deployed hash functions can no longer be considered secure. As a consequence, NIST proposed the transition from SHA-1 to the SHA-2 family, and many companies and organizations are migrating to SHA-2. Furthermore, researchers are evaluating alternative hash functions in the SHA-3 initiative. In this work, we analyze the Chinese hash function standard SM3. SM3 was designed by Wang et al. [1] and is published by the Chinese Commercial Cryptography Administration Office for the use of electronic authentication service systems. The amount of cryptanalytic results on SM3 is low compared to other hash function standards.

The design of SM3 is very similar to the MD4 family, in particular to SHA-256. Since new collision attacks on SHA-256 and similar hash functions have been shown recently, a re-evaluation of the security of similar hash functions such as SM3 seems to be necessary. The attacks are based on the concept of generalized conditions and an automatic search algorithm. Recently, Mendel et al. improved and extended the technique such that it can be applied to more complex ARX-based hash functions. In this paper we develop the methods of Mendel et al. for SHA-256 [7] further and apply them to SM3. We show how the technique can be effectively applied to SM3. Furthermore, we present a collision for 20 steps and a free-start collision for 24 steps of SM3. These are the first collision attacks on step-reduced SM3, and both attacks have practical complexity.

Acknowledgments. Part of this work was done while Florian Mendel was with KU Leuven. The work has been supported in part by the Austrian Science Fund (FWF), project P21936-N23 and by the European Commission under contract ICT-2007-216646 (ECRYPT II).

References

1. Specification of SM3 cryptographic hash function (in Chinese). http://www.oscca.gov.cn/UpFile/20101222141857786.pdf.
2. C. De Cannière and C. Rechberger. Finding SHA-1 Characteristics: General Results and Applications. In X. Lai and K. Chen, editors, ASIACRYPT, volume 4284 of LNCS, pages 1–20. Springer, 2006.
3. J. Gu, P. W. Purdom, J. Franco, and B. W. Wah. Algorithms for the Satisfiability (SAT) Problem: A Survey. In DIMACS Series in Discrete Mathematics and Theoretical Computer Science, pages 19–152. American Mathematical Society, 1996.
4. A. Kircanski, Y. Shen, G. Wang, and A. Youssef. Boomerang and Slide-Rotational Analysis of the SM3 Hash Function. In L. R. Knudsen and H. Wu, editors, Selected Areas in Cryptography, LNCS. Springer, 2012. To appear.
5. F. Mendel, T. Nad, S. Scherz, and M. Schläffer. Differential Attacks on Reduced RIPEMD-160. In D. Gollmann and F. C. Freiling, editors, ISC, volume 7483 of LNCS, pages 23–38. Springer, 2012.
6. F. Mendel, T. Nad, and M. Schläffer. Cryptanalysis of Round-Reduced HAS-160. In H. Kim, editor, ICISC, volume 7259 of LNCS, pages 33–47. Springer, 2011.
7. F. Mendel, T. Nad, and M. Schläffer. Finding SHA-2 Characteristics: Searching through a Minefield of Contradictions. In D. H. Lee and X. Wang, editors, ASIACRYPT, volume 7073 of LNCS, pages 288–307. Springer, 2011.
8. F. Mendel, T. Nad, and M. Schläffer. Collision Attacks on the Reduced Dual-Stream Hash Function RIPEMD-128. In A. Canteaut, editor, FSE, volume 7549 of LNCS, pages 226–243. Springer, 2012.
9. National Institute of Standards and Technology. Announcing Request for Candidate Algorithm Nominations for a New Cryptographic Hash Algorithm (SHA-3) Family. Federal Register, 27(212):62212–62220, November 2007. Available online: http://csrc.nist.gov/groups/ST/hash/documents/FR_Notice_Nov07.pdf.
10. P. Rogaway and T. Shrimpton. Cryptographic Hash-Function Basics: Definitions, Implications, and Separations for Preimage Resistance, Second-Preimage Resistance, and Collision Resistance. In B. K. Roy and W. Meier, editors, FSE, volume 3017 of LNCS, pages 371–388. Springer, 2004.
11. D. R. Stinson. Some Observations on the Theory of Cryptographic Hash Functions. Des. Codes Cryptography, 38(2):259–277, 2006.
12. X. Wang, X. Lai, D. Feng, H. Chen, and X. Yu. Cryptanalysis of the Hash Functions MD4 and RIPEMD. In R. Cramer, editor, EUROCRYPT, volume 3494 of LNCS, pages 1–18. Springer, 2005.
13. X. Wang, Y. L. Yin, and H. Yu. Finding Collisions in the Full SHA-1. In V. Shoup, editor, CRYPTO, volume 3621 of LNCS, pages 17–36. Springer, 2005.
14. X. Wang and H. Yu. How to Break MD5 and Other Hash Functions. In R. Cramer, editor, EUROCRYPT, volume 3494 of LNCS, pages 19–35. Springer, 2005.
15. J. Zou, W. Wu, S. Wu, B. Su, and L. Dong. Preimage Attacks on Step-Reduced SM3 Hash Function. In H. Kim, editor, ICISC, volume 7259 of LNCS, pages 375–390. Springer, 2011.

Finding Collisions for Round-Reduced SM3 185

Table 5. Starting point for a collision for 20 steps of SM3.

i∇Ai∇Ei∇Wi∇W0

i

-4 -------------------------------- --------------------------------

-3 -------------------------------- --------------------------------

-2 -------------------------------- --------------------------------

-1 -------------------------------- --------------------------------

0-------------------------------- -------------------------------- -------------------------------- --------------------------------

1???????????????????????????????? ???????????????????????????????? ---------x-x---------------x---- --x------x---------x-------x----

2???????????????????????????????? ???????????????????????????????? ---------------------------x---- ---------------------------x----

3???????????????????????????????? ???????????????????????????????? -------------------------------- --------------------------------

4???????????????????????????????? ???????????????????????????????? -------------------------------- ---------x-x---------------x----

5-------------------------------- -------------------------------- --x--------x-------x------------ --x--------x-------x------------

6-------------------------------- -------------------------------- -------------------------------- --------------------------------

7-------------------------------- -------------------------------- -------------------------------- --------------------------------

8-------------------------------- -------------------------------- ---------x-x---------------x---- ---------x-x---------------x----

9-------------------------------- -------------------------------- -------------------------------- --------------------------------

10 -------------------------------- -------------------------------- -------------------------------- --------------------------------

11 -------------------------------- -------------------------------- -------------------------------- --------------------------------

12 -------------------------------- -------------------------------- -------------------------------- --------------------------------

13 -------------------------------- -------------------------------- -------------------------------- --------------------------------

14 -------------------------------- -------------------------------- -------------------------------- --------------------------------

15 -------------------------------- -------------------------------- -------------------------------- --------------------------------

16 -------------------------------- -------------------------------- -------------------------------- --------------------------------

17 -------------------------------- -------------------------------- -------------------------------- --------------------------------

18 -------------------------------- -------------------------------- -------------------------------- --------------------------------

19 -------------------------------- -------------------------------- -------------------------------- --------------------------------

186 Florian Mendel, Tomislav Nad, and Martin Schl¨aﬀer

Table 6. Differential characteristic for a collision for 20 steps of SM3.

 i  ∇Ai                               ∇Ei                               ∇Wi                               ∇W'i
-4  --------------------------------  --------------------------------
-3  --------------------------------  --------------------------------
-2  --------------------------------  --------------------------------
-1  --------------------------------  --------------------------------
 0  --------------------------------  --------------------------------  --------------------------------  --------------------------------
 1  xxx-----xx----------xxxxxxxx--1-  x-x----xxxxx------x-10xxx-xx--xx  --0------x-x-------1-------x----  --x------x-1-------x-------x----
 2  -xx-x---xx-xx--xxx--x--------xxx  ---x0xxxx----xx-x-xxx-x--x----xx  ---------------------------x----  ---------------------------x----
 3  x-x-x--------xxxxxxxx-------x-x-  xx-x--x1x-xxx-x-----------xxx---  --------------------------------  --------------------------------
 4  xxxxx--------------xx--------xxx  xxxxxxxxxxxxxxx-------------x-xx  ---------0-1---------------0----  ---------x-x---------------x----
 5  --------------------------------  --------------------------------  --x------0-x-------x-------1----  --x--------x-------x------------
 6  --------------------------------  --------------------------------  ---------------------------0----  --------------------------------
 7  --------------------------------  --------------------------------  --------------------------------  --------------------------------
 8  --------------------------------  --------------------------------  ---------x-x---------------x----  ---------x-x---------------x----
 9  --------------------------------  --------------------------------  --0--------1-------1------------  --------------------------------
10  --------------------------------  --------------------------------  --------------------------------  --------------------------------
11  --------------------------------  --------------------------------  --------------------------------  --------------------------------
12  --------------------------------  --------------------------------  ---------1-0---------------0----  --------------------------------
13  --------------------------------  --------------------------------  --------------------------------  --------------------------------
14  --------------------------------  --------------------------------  --------------------------------  --------------------------------
15  --------------------------------  --------------------------------  --------------------------------  --------------------------------
16  --------------------------------  --------------------------------  --------------------------------  --------------------------------
17  --------------------------------  --------------------------------  --------------------------------  --------------------------------
18  --------------------------------  --------------------------------  --------------------------------  --------------------------------
19  --------------------------------  --------------------------------  --------------------------------  --------------------------------
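As an added example (not code from the paper or its authors), the following Python shows how to read the generalized-condition notation used in these tables and how to sanity-check a characteristic against SM3's message expansion, which defines W'_i = W_i xor W_{i+4}: the XOR difference in the ∇W'_i column must equal the XOR of the differences in ∇W_i and ∇W_{i+4}. The condition strings are copied from the ∇Wi and ∇W'i columns of Table 6 above; all function names and the constructed word pair are this example's own assumptions.

```python
# Added example (not from the paper): reading generalized conditions and
# checking the message-word columns of Table 6 against the SM3 expansion
# rule W'_i = W_i xor W_{i+4}. Helper names are this example's own.
from typing import Dict, List, Tuple

# One character per bit, most significant bit first, for a bit pair (b, b*):
#   '-' : b == b*          '0' : b == b* == 0
#   'x' : b != b*          '1' : b == b* == 1
#   '?' : no condition on the pair
ALLOWED = set("-x01?")


def _check(cond: str) -> None:
    if len(cond) != 32 or not set(cond) <= ALLOWED:
        raise ValueError("expected a 32-character generalized condition")


def xor_mask(cond: str) -> int:
    """XOR difference a condition string enforces: a bit is set where the character is 'x'."""
    _check(cond)
    mask = 0
    for ch in cond:
        mask = (mask << 1) | int(ch == "x")
    return mask


def conforms(cond: str, a: int, b: int) -> bool:
    """True if the 32-bit word pair (a, b) satisfies every bit condition in cond."""
    _check(cond)
    for pos, ch in enumerate(cond):
        shift = 31 - pos
        x, y = (a >> shift) & 1, (b >> shift) & 1
        if ch == "-" and x != y:
            return False
        if ch == "x" and x == y:
            return False
        if ch == "0" and (x, y) != (0, 0):
            return False
        if ch == "1" and (x, y) != (1, 1):
            return False
    return True


# Columns: step i, ∇W_i, ∇W'_i (copied from Table 6, steps 0..19).
TABLE6_MESSAGE_CONDITIONS = """
 0 -------------------------------- --------------------------------
 1 --0------x-x-------1-------x---- --x------x-1-------x-------x----
 2 ---------------------------x---- ---------------------------x----
 3 -------------------------------- --------------------------------
 4 ---------0-1---------------0---- ---------x-x---------------x----
 5 --x------0-x-------x-------1---- --x--------x-------x------------
 6 ---------------------------0---- --------------------------------
 7 -------------------------------- --------------------------------
 8 ---------x-x---------------x---- ---------x-x---------------x----
 9 --0--------1-------1------------ --------------------------------
10 -------------------------------- --------------------------------
11 -------------------------------- --------------------------------
12 ---------1-0---------------0---- --------------------------------
13 -------------------------------- --------------------------------
14 -------------------------------- --------------------------------
15 -------------------------------- --------------------------------
16 -------------------------------- --------------------------------
17 -------------------------------- --------------------------------
18 -------------------------------- --------------------------------
19 -------------------------------- --------------------------------
"""


def parse_message_rows(table: str) -> Dict[int, Tuple[str, str]]:
    """Parse 'i  cond_W  cond_Wprime' lines into {i: (cond_W, cond_Wprime)}."""
    rows: Dict[int, Tuple[str, str]] = {}
    for line in table.strip().splitlines():
        i, w, wp = line.split()
        rows[int(i)] = (w, wp)
    return rows


def expansion_inconsistencies(rows: Dict[int, Tuple[str, str]]) -> List[int]:
    """Steps i whose ∇W'_i XOR difference is not xor_mask(∇W_i) ^ xor_mask(∇W_{i+4}).

    SM3 defines W'_i = W_i xor W_{i+4}, so a sound characteristic yields [].
    Steps whose W_{i+4} lies outside the table are skipped.
    """
    bad = []
    for i, (w, wp) in sorted(rows.items()):
        if i + 4 not in rows:
            continue
        expected = xor_mask(w) ^ xor_mask(rows[i + 4][0])
        if xor_mask(wp) != expected:
            bad.append(i)
    return bad


if __name__ == "__main__":
    rows = parse_message_rows(TABLE6_MESSAGE_CONDITIONS)
    print("inconsistent steps:", expansion_inconsistencies(rows))  # []
    # Constructed pair satisfying ∇W'_1: bit 20 (the '1' at position 11) set in
    # both words, and the words differ exactly in the 'x' positions.
    cond = rows[1][1]
    a = 0x00100000
    b = a ^ xor_mask(cond)
    print(hex(b), conforms(cond, a, b))  # 0x20501010 True
```

The expansion check only uses the 'x' positions; the '0' and '1' entries are conditions on the actual bit values of one step and carry no difference, so they are relevant to `conforms` but not to the XOR consistency between columns.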

Table 7. Starting point for a free-start collision for 24 steps of SM3.

 i  ∇Ai                               ∇Ei                               ∇Wi                               ∇W'i
-4  ---------x--------x-------------  ------x------------x------------
-3  ---------x----------------------  -------------------x------------
-2  ---------x----------------------  -------------------x------------
-1  --------------------------------  --------------------------------
 0  --------------------------------  --------------------------------  --------------------------------  --------------------------------
 1  --------------------------------  --------------------------------  --------------------------------  --------------------------------
 2  --------------------------------  --------------------------------  x-------------------------------  x-------------------------------
 3  --------------------------------  --------------------------------  --------------------------------  --------------------------------
 4  --------------------------------  --------------------------------  --------------------------------  --------------------------------
 5  --------------------------------  --------------------------------  --------------------------------  --------------------------------
 6  --------------------------------  --------------------------------  --------------------------------  --------------------------------
 7  --------------------------------  --------------------------------  --------------------------------  --------------------------------
 8  --------------------------------  --------------------------------  --------------------------------  --------------------------------
 9  --------------------------------  --------------------------------  --------------------------------  --------------------------------
10  --------------------------------  --------------------------------  --------------------------------  --------------------------------
11  --------------------------------  --------------------------------  --------------------------------  --------------------------------
12  --------------------------------  --------------------------------  --------------------------------  --------------------------------
13  --------------------------------  --------------------------------  --------------------------------  --------------------------------
14  x--------x-------x--------------  --------------------------------  --------------------------------  x--------x-------x--------------
15  ????????????????????????????????  ????????????????????????????????  --------------------------------  --------------------------------
16  ????????????????????????????????  ????????????????????????????????  --------------------------------  --------------------------------
17  ????????????????????????????????  ????????????????????????????????  --------------------------------  ---x-------------x-x------------
18  ????????????????????????????????  ????????????????????????????????  x--------x-------x--------------  x--------x-------x--------------
19  ????????????????????????????????  ????????????????????????????????  --------------------------------  --------------------------------
20  ---------x--------x-------------  ------x------------x------------  --------------------------------  x-x-xx---x-x-x---x-xxx-------x--
21  ---------x----------------------  -------------------x------------  ---x-------------x-x------------  ---x-------------x-x------------
22  ---------x----------------------  -------------------x------------  --------------------------------  --------------------------------
23  --------------------------------  --------------------------------  --------------------------------  x-x---------------xx------------

Table 8. Differential characteristic for a free-start collision for 24 steps of SM3.

 i  ∇Ai                               ∇Ei                               ∇Wi                               ∇W'i
-4  ---------x--------x-------------  ------x------------x------------
-3  ---------x----------------------  -------------------x------------
-2  ---------x----------------------  -------------------x------------
-1  --------------------------------  --------------------------------
 0  --------------------------------  --------------------------------  --------------------------------  --------------------------------
 1  --------------------------------  --------------------------------  --------------------------------  --------------------------------
 2  --------------------------------  --------------------------------  x-------------------------------  x-------------------------------
 3  --------------------------------  --------------------------------  --------------------------------  --------------------------------
 4  --------------------------------  --------------------------------  --------------------------------  --------------------------------
 5  --------------------------------  --------------------------------  --------------------------------  --------------------------------
 6  --------------------------------  --------------------------------  1-------------------------------  --------------------------------
 8  --------------------------------  --------------------------------  --------------------------------  --------------------------------
 9  --------------------------------  --------------------------------  --------------------------------  --------------------------------
12  --------------------------------  --------------------------------  --------------------------------  --------------------------------
14  x--------x-------x--------------  --------------------------------  0--------0-------0--------------  x--------x-------x--------------
15  x----x--xx-xx-xxx-xx--x-------x-  ----xx-------x-------xx-----x-x-  --------------------------------  --------------------------------
16  -xx-x--x-x---x---x---x-x--xx----  ----x--x--x-x------x--1x--------  --------------------------------  --------------------------------
17  x--x----------x----xx-----x----x  ---------x-x------x-x-x0------x-  ---0-------------0-1------------  ---x-------------x-x------------
18  xx----------------xx-x----------  ----x------x-------xxx----xx--xx  x--------x-------x--------------  x--------x-------x--------------
19  xxxxxxx--xxx------x--x----x-x-x-  -------xxx---------x-00-------xx  --------------------------------  --------------------------------
20  ---------x--------x-------------  ------x------------x----------11  --------------------------------  x-x-xx---x-x-x---x-xxx-------x--
21  ---------x----------------------  -------------------x--0---------  ---x-------------x-x------------  ---x-------------x-x------------
22  ---------x----------------------  -------------------x------------  1--------1-------0--------------  --------------------------------
23  --------------------------------  --------------------------------  --------------------------------  x-x---------------xx------------