## Practical near-collisions on the compression function of BMW

Publication: Research - peer-review › Article in proceedings – Annual report year: 2011

### Standard

**Practical near-collisions on the compression function of BMW.** / Leurent, Gaëtan; Thomsen, Søren Steffen.

Publication: Research - peer-review › Article in proceedings – Annual report year: 2011

### Harvard

*Lecture Notes in Computer Science.*vol. 6733, Springer, pp. 238-251.

### APA

*Lecture Notes in Computer Science.*(Vol. 6733, pp. 238-251). Springer.

### CBE

### MLA

*Lecture Notes in Computer Science.*Springer. 2011. 238-251.

### Vancouver

### Author

### Bibtex

}

### RIS

TY - GEN

T1 - Practical near-collisions on the compression function of BMW

AU - Leurent,Gaëtan

AU - Thomsen,Søren Steffen

PY - 2011

Y1 - 2011

N2 - Blue Midnight Wish (BMW) is one of the fastest SHA-3 candidates in the second round of the competition. In this paper we study the compression function of BMW and we obtain practical partial collisions in the case of BMW-256: we show a pair of inputs so that 300 pre-specified bits of the outputs collide (out of 512 bits). Our attack requires about 232 evaluations of the compression function. The attack can also be considered as a near-collision attack: we give an input pair with only 122 active bits in the output, while generic algorithm would require 255 operations for the same result. A similar attack can be developed for BMW-512, which will gives message pairs with around 600 colliding bits for a cost of 264. This analysis does not affect the security of the iterated hash function, but it shows that the compression function is far from ideal. We also describe some tools for the analysis of systems of additions and rotations, which are used in our attack, and which can be useful for the analysis of other systems.

AB - Blue Midnight Wish (BMW) is one of the fastest SHA-3 candidates in the second round of the competition. In this paper we study the compression function of BMW and we obtain practical partial collisions in the case of BMW-256: we show a pair of inputs so that 300 pre-specified bits of the outputs collide (out of 512 bits). Our attack requires about 232 evaluations of the compression function. The attack can also be considered as a near-collision attack: we give an input pair with only 122 active bits in the output, while generic algorithm would require 255 operations for the same result. A similar attack can be developed for BMW-512, which will gives message pairs with around 600 colliding bits for a cost of 264. This analysis does not affect the security of the iterated hash function, but it shows that the compression function is far from ideal. We also describe some tools for the analysis of systems of additions and rotations, which are used in our attack, and which can be useful for the analysis of other systems.

M3 - Article in proceedings

VL - 6733

SP - 238

EP - 251

BT - Lecture Notes in Computer Science

PB - Springer

ER -