Using carry-truncated addition to analyze add-rotate-xor hash algorithms
Rebecca E. Field, Brant C. Jones

TL;DR
This paper introduces a truncated addition operation to analyze ARX-based hash functions, demonstrating that approximations using this method reveal vulnerabilities and susceptibility to collision and pre-image attacks.
Contribution
The paper presents a novel truncated addition operation and a sensitivity metric for analyzing ARX hash functions, enabling simplified approximations that expose security weaknesses.
Findings
Truncated addition simplifies analysis of ARX hash functions.
Approximate algorithms are more vulnerable to collision attacks.
Sensitivity metric quantifies approximation accuracy.
Abstract
We introduce a truncated addition operation on pairs of N-bit binary numbers that interpolates between ordinary addition mod 2^N and bitwise addition in (Z/2Z)^N. We use truncated addition to analyze hash functions that are built from the bit operations add, rotate, and xor, such as Blake, Skein, and Cubehash. Any ARX algorithm can be approximated by replacing ordinary addition with truncated addition, and we define a metric on such algorithms which we call the sensitivity. This metric measures the smallest approximation agreeing with the full algorithm a statistically useful portion of the time (we use 0.1%). Because truncated addition greatly reduces the complexity of the non-linear operation in ARX algorithms, the approximated algorithms are more susceptible to both collision and pre-image attacks, and we outline a potential collision attack explicitly. We particularize some of…
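The following Python sketch is an added illustration, not code from the paper: it models truncated addition as addition in which a carry may propagate at most k bit positions, and measures how often a k-truncated ARX mixer agrees with the full one. The carry limit k, the toy mixer `toy_arx`, and the `agreement` and `sensitivity` functions are assumptions chosen to fit the abstract's description; the paper's exact definitions are not given on this page.

```python
import random

N = 32                      # word size in bits
MASK = (1 << N) - 1

def add_trunc(x, y, k, n=N):
    """Add x and y but let each carry propagate at most k positions.
    k = 0 is XOR; k >= n - 1 is ordinary addition mod 2^n."""
    mask = (1 << n) - 1
    g, p = x & y, x ^ y     # carry-generate and carry-propagate bits
    carry = 0
    for _ in range(k):      # each pass extends carry chains by one bit
        carry = ((g | (p & carry)) << 1) & mask
    return p ^ carry

def rotl(x, r, n=N):
    return ((x << r) | (x >> (n - r))) & ((1 << n) - 1)

def toy_arx(a, b, k, rounds=4):
    """Constructed ARX mixer for illustration (not Blake, Skein or Cubehash)."""
    for r in (7, 9, 13, 18)[:rounds]:
        a = add_trunc(a, b, k)
        b = rotl(b, r) ^ a
    return a, b

def agreement(k, trials=20000, seed=1):
    """Fraction of random inputs where the k-truncated mixer equals the full one."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        a, b = rng.getrandbits(N), rng.getrandbits(N)
        hits += toy_arx(a, b, k) == toy_arx(a, b, N - 1)
    return hits / trials

def sensitivity(threshold=0.001, **kw):
    """Smallest k whose agreement rate reaches the threshold (0.1% by default)."""
    return next(k for k in range(N) if agreement(k, **kw) >= threshold)

if __name__ == "__main__":
    for k in (0, 1, 2, 4, 8, 16, N - 1):
        print(f"k={k:2d}  agreement={agreement(k):.4f}")
    print("sensitivity:", sensitivity())
```

For a designer, a small value from `sensitivity` means the mixer's additions rarely rely on long carry chains, so the function behaves close to its linear (XOR-only) approximation; adding rounds or additions to `toy_arx` shows how the agreement rate falls.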
