Abstract
We present cryptanalyses of the original version of AURORA-512 hash function, which is a round-1 SHA-3 candidate. Our attack exploits weaknesses in a narrow-pipe mode of operation of AURORA-512 named “Double-Mix Merkle-Damgård (DMMD).” The current best collision attack proposed by Joux and Lucks only gives rough complexity estimations. We first evaluate its precise complexity and show its optimization. Secondly, we point out that the current best second-preimage attack proposed by Ferguson and Lucks does not work with the claimed complexity of 2291. We then evaluate a complexity so that the attack can work with a high success probability. We also show that the second-preimage attack can be used to attack the randomized hashing scheme. Finally, we present a key-recovery attack on HMAC-AURORA-512, which reveals 512-bit secret keys with 2257 queries, 2259 AURORA-512 operations, and negligible memory. The universal forgery on HMAC-AURORA-384 is also possible by combining the second-preimage and inner-key-recovery attacks.
