Using carry-truncated addition to analyze add-rotate-xor hash algorithms

摘要

We introduce a truncated addition operation on pairs of N-bit binary numbers that interpolates between ordinary addition mod 2~N and bitwise addition in (Z/2Z)~N. We use truncated addition to analyze hash functions that are built from the bit operations add, rotate, and xor, such as Blake, Skein, and Cubehash. Any ARX algorithm can be approximated by replacing ordinary addition with truncated addition, and we define a metric on such algorithms which we call the sensitivity. This metric measures the smallest approximation agreeing with the full algorithm a statistically useful portion of the time (we use 0.1%). Because truncated addition greatly reduces the complexity of the nonlinear operation in ARX algorithms, the approximated algorithms are more susceptible to both collision and pre-image attacks, and we outline a potential collision attack explicitly. We particularize some of these observations to the Skein hash function.