1. JHReview Group 3

2. Outline Why we choose JH Description of JH Comments of NIST and MIT students Preimage Attack by Mendel and Thomsen Analysis of Author in Round1 and Round2 Compare with CubeHash Reference

3. Why we choose JH ECHO... Preimage Attack Simplicity

4. Description of JH Normal Padding Split to 512-bit-long M_i (1 <= i <= n) Init H_0 H_i = f(M_i, H_{i-1}) (1 <= i <= n)  f = f_8 = F8 in our descripions Truncate H_n to get Hash Value

5. Description of JH (Jump this) 我们的描述 1 JH 算法首先将 Message 用课上的加一个 1 ，若干个 0 ，再加上一 个表示长度的二进制数得到一个 512n 位的初始信息，然后分成 n 个 512 位的段，进行 HASH 。 HASH 过程非常简单，主要就用到 了一个 F8 函数，将 512 位的信息段和一个 1024 位的 HASH 值计算 得到一个 1024 位的新 HASH 值。算法开始时首先通过长度生成 一个初始值 H0 ，然后对 n 个 512 位的信息段 M1, M2 等分别用 F8 函 数获得 H1 ， H2... 最后得到的 Hn 就是结果。如果最终需要得到的 HASH 值应该是 m 位，那么就将 Hn 的最后 m 位提取出来即可。

6. Description of JH (Jump this) Our Description 2 The main hash first pad the message to be a multiple of 512 bits, in which the length of the message is padded to the message. After padding, the message is split into blocks of 512 bits. Then, starting from an initial hash value H (0) (1024-bit), the algorithm itera- tively uses a compression function F8 to compress each block, resulting in a final hash value H (N ). Finally H (N ) is truncated into message digest of designated length.

7. Description of JH (Jump this) 我们的描述 3 JH 算法中所使用的函数都是一些常见的用于 Hash 的处理过程。 JH 通过两个 S-boxes 、若干 Permutation 及线性变换来完成对定 长数据的压缩（ F_d ）。给定一个输入后， JH 先进行 一般的 Padding 和分块处理，然后根据数据摘要的长度计算出一个初始 的 H^(0) ，然后用 F_d 函数进行若干轮计算后得到最终的 Hash 值 。 总的来说， JH 的算法比较简单和常见。我认为， JH 在数据处 理方面并没有什么创新，它的安全性主要是通过合理地设计各个 子过程的执行步骤以及增加块长度和增加加密轮数来实现的。但 是，正因为 JH 所使用的算法非常 “ 大众化 “ ，所以恰好方便了我们 对其安全性和运行效率进行分析。

8. Compression Function E is a permutation of 1024 elements

9. Comments of NIST “JH uses a novel construction, somewhat reminiscent of a sponge construction, to build a hash algorithm out of a single, large, fixed permutation. The fixed permutation is an SP network, combining two 4-bit S-boxes with a set of linear mixing operations and bit permutations. All nonlinearity in this design is derived from the S-boxes. The most innovative part of this design is the compression function construction, which XORs a 512-bit message block into the left half of the input of the fixed permutation, and then XORs the same message block into the right half of the output of the fixed permutation. The design of the fixed permutation is also new.”

10. Comments of NIST JH’s performance is good, and has modest memory requirements. Unlike most second-round candidates, all output sizes of JH use the same function, but with different initial hash values and different amounts of truncation at the end. The most serious cryptanalytic result on JH is a theoretical preimage attack on the 512-bit version, which is barely cheaper than a brute force attack. As this attack does not appear to threaten the design, it does not concern us. However, the compression function construction of JH is not well-understood, and the submitter did not provide a great deal of analysis of this construction.

11. Comments of MIT Students (?) “We found that in terms of quality and depth of proofs, Lesamnta o ff ered the best security analysis. The authors o ff ered extensive analysis of the security features of all parts of the Lesamnta algorithm, including the modes of operation and the underlying compression function. In addition, they showed that Lesamnta was provably secure against both common and emerging attacks against hash functions. Particularly impressive was that Lesamnta was shown to be provably secure against known key distinguisher attacks, something that we did not even see mentioned in other papers.”

12. Comments of MIT Students (?) “Among the other submissions, SHAvite-3 was a close second in terms of security analysis. Though they too o ff ered a good number of proofs against many common attacks, their analysis was not quite as in depth as that of Lesamnta. The other algorithms, FSB and JH, were often very simplistic in their assumptions and limited in the types of attacks that they were able to prove security against.”

13. Keywords Compression Function  New, not well understood Security Analysis  Not enough Simplicity and Performance  Good

14. Preimage Attack by Mendel and Thomsen “we present a generic preimage attack on JH-512. We do not claim that our attack breaks JH-512 (due to the high memory requirements), but it uses some interesting properties in the design principles of JH- 512 which do not exist in other hash functions, e.g., the SHA-2 family.” Compression Function

15. Observations

16. Attack Detail Given H_4 (final hash value), use M_4 to get H_3(Obs.1) where M_4 is arbitrary block satisfying padding scheme. Enumerate M_3 to get enough pairs of (H_2, M_3) where f(H_2, M_3) = H_3 Find multiple collisions H_1^k (0 <= k < r), preparing for Obs.2 Using Obs.2 to enumerate M_2^k satisfying f(H_1^k, M_2^k) = (H_2, M_3)

17. Attack Analysis Suppose that f satisfies POISSON distribution => multiple collission Use Obs.2 to skip some Compression Function calculation. However, very poor: 2^510.3 => (2^510.3) * 51 The reason of 51 and 510.3 : the balance of the complexity of finding multiple collission

18. Attack Result No effect on JH's security (So we ignore Author's defence) Just some interesting things about Compression Function “Nevertheless, we think that the attack shows some interesting properties of JH-512, which do not exist in other hash functions. Maybe these properties can be combined with a dedicated preimage attack on JH-512 in the future. At the moment, our attack does not compromise the security claims of JH-512.”

19. Author's Analysis Paullznand Chimney Liu's Reports (click the hyperlink above to see the report)

20. Compare With CubeHash What is Cube Hash? A very SIMPLE cryptographic hash function. Algorithm introduction in 2 pages. Process  Initialization  Padding & Blocking  Identical rounds to change states.  Finalization Ten steps per round with only xor, add, and rotate “That's it”

21. Compare With CubeHash JHCubeHash PerformanceHardware optimized (Bit-Slice) SSE2 optimized Modest memory requirements SIMD optimized SecurityMost serious result barely cheaper than brute force. Lack of analysis on compression function. Best-understood candidate. Semi-free-start collision and the symmetry properties the mose troubling. Variants (Performance & security trade-off) Relatively fixed (Algorithm limitation) Variable (2 tunable parameters) Easy to choose parameters for different requirements A little bit hard to design proper combination of parameters InnovationCompression function construction

22. Reference JH ： http://icsd.i2r.a-star.edu.sg/staff/hongjun/jh/ NIST 官方评价： http://csrc.nist.gov/groups/ST/hash/sha- 3/Round1/documents/sha3_NISTIR7620.pdf MIT Students Summary ： http://courses.csail.mit.edu/6.857/2009/sha3/group7.pdf http://courses.csail.mit.edu/6.857/2009/sha3/group7.pdf Preimage Attack by Mendel and Thomsen ： http://ehash.iaik.tugraz.at/uploads/d/da/Jh_preimage.pdf Author's defence of Preimage Attack ： http://ehash.iaik.tugraz.at/uploads/6/6f/Jh_mt_complexity. pdf