Cryptanalysis of the ESSENCE Family of Hash Functions

Nicky Mouha, Gautham Sekar, Jean-Philippe Aumasson, Thomas Peyrin, Søren Steffen Thomsen, Meltem Sönmez Turan, Bart Preneel

    Research output: Chapter in Book/Report/Conference proceedingArticle in proceedingsResearchpeer-review


    ESSENCE is a family of cryptographic hash functions, accepted to the first round of NIST's SHA-3 competition. This paper presents the first known attacks on ESSENCE. We present a semi-free-start collision attack on 31 out of 32 rounds of ESSENCE-512, invalidating the design claim that at least 24 rounds of ESSENCE are secure against differential cryptanalysis. We develop a novel technique to satisfy the first nine rounds of the differential characteristic. Non-randomness in the outputs of the feedback function F is used to construct several distinguishers on a 14-round ESSENCE block cipher and the corresponding compression function, each requiring only 2^17 output bits. This observation is extended to key-recovery attacks on the block cipher. Next, we show that the omission of round constants allows slid pairs and fixed points to be found. These attacks are independent of the number of rounds. Finally, we suggest several countermeasures against these attacks, while still keeping the design simple and easy to analyze.
    Original languageEnglish
    Title of host publicationInformation Security and Cryptology : 5th International Conference, Inscrypt 2009, Beijing, China, December 12-15, 2009. Revised Selected Papers
    Publication date2010
    Publication statusPublished - 2010
    EventInternational Conference of Information Security and Cryptology - Beijing, China
    Duration: 1 Jan 2009 → …
    Conference number: 5th


    ConferenceInternational Conference of Information Security and Cryptology
    CityBeijing, China
    Period01/01/2009 → …
    SeriesLecture Notes in Computer Science

    Fingerprint Dive into the research topics of 'Cryptanalysis of the ESSENCE Family of Hash Functions'. Together they form a unique fingerprint.

    Cite this