Structural Attacks on Two SHA-3 Candidates: Blender-n and DCH-n

The recently started SHA-3 competition in order to find a new secure hash standard and thus a replacement for SHA-1/SHA-2 has attracted a lot of interest in the academic world as well as in industry. There are 51 round one candidates building on sometimes very different principles. In this paper, we show how to attack two of the 51. round one hash functions. The attacks have in common that they exploit structural weaknesses in the design of the hash function and are independent of the underlying compression function. First, we present a preimage attack on the hash function Blender-n. It has a complexity of about n . 2(n/2) and negligible memory requirements. Secondly, we show practical collision and preimage attacks on DCH-n. To be more precise, we call trivially construct a (2(8) + 2)-block collision for DCH-n and a 1297-block preimage with only 521 compression function evaluations. The attacks on both hash functions work for all output sizes and render the hash functions broken.