Collisions have been found in ïrRUPT64x2-256/4 with its default parameters.
We have taken the risk of submitting the least researched but the most convenient stream hashing mode of EnRUPT to the SHA-3 competition to encourage its cryptanalysis and to learn if there are any hidden security problems with stream hashing.
It looks like we have overestimated the total cost of linearization with regard to stream hashing. While EnRUPT itself and its ïrRUPT stream hashing mode do not require any structural changes, the recommended default parameters are insufficient to resist linearization-based collision searches.
Most probably, ïrRUPT-256 simply needs to be slowed down by a factor of 2 by setting s=8. It would still remain reasonably competitive at 10 CPB on 64-bit CPUs and at 26 CPB on 32-bit CPUs, much faster than most submissions. We will have to wait for Sebastiaan to publish his paper to see what parameters he can recommend for ïrRUPT as collision resistant.
It is still hard to find ïrRUPT preimages, which is the same as finding the secret key for the EnRUPT stream cipher modes RUPT and aeRUPT. Increasing the number of rounds will also increase ïrRUPT preimage resistance.