
CHAPTER III. Frames of reference.

3.4. Conceptual Framework

3.4.2. Systematization of practices:

Given a hash output $H$ on an input $P$, the problem of finding another input $P'$, different from $P$, such that the hash output on $P'$ is also $H$, is called the problem of finding a second pre-image.

One possibility is to ignore the given input $P$ on which $H$ was computed, and directly try to find a pre-image of $H$. However, the possibility exists that the input $P$, and the evolution of the internal state on the input $P$, can be used as a guide to compute a second pre-image. In fact, if at all this is possible, then it is better for the adversary to start with the same internal state $S$ (i.e. before the final round $G$ starts) for the two inputs $P$ and $P'$, and work backwards towards the same initial state, diverging somewhere in the middle (so as to make $P'$ different from $P$), and then converging back to the same state.

Thus, this can be seen as a differential attack, where one of the inputs and hence the whole state development is already fixed, and we start with a zero difference in the full 30 column state, and evolve the state backwards to a non-zero difference in the state, and then back again to a zero difference in the state. We focus on this latter part of the evolution of the state difference.

So, suppose that the rounds are numbered $0, 1, 2, \ldots$ starting from the initial state. Further, suppose that the adversary has decided to work backwards from a common state at the end of round $j$. Thus, the difference in state $S$ at the end of round $j$ is zero. While working backwards, suppose the adversary introduces a difference in the state for the first time in round $j_1$ ($0 < j_1 < j$), and then manages to get back to a zero difference in state in round $j_2$ ($0 \le j_2 < j_1$).

We now re-number the rounds, calling round $j_2$ itself round 0, renaming round $j_1$ as round $j_1 - j_2$, and round $j$ as round $j - j_2$. Thus, at the end of round 1, there is a non-zero difference in state $S$. This implies that the input difference in round 1 must be non-zero. The situation is depicted in Table 14, where we start with this input difference of $a_1$ in round 1, and calculate what the state difference at the start of round 2 must have been to get back a state difference of zero at the start of round 1. This evolution of the state difference is continued on to rounds 2, 3, etc. The adversary now tries to choose the value in column 0 which is truncated, and not the value that is input into column 0. Thus, from Table 14, the adversary tries to choose a value according to difference $z_{10}$ for round 1.

Now there are two different ways the adversary can try to achieve this zero difference in state at the start of round 1.

1. If the adversary tries to fix the differential in state at the start of round 2 (remember, the adversary is working backwards, i.e. from state 2 to 1 to 0), then, since one of the inputs (and hence its corresponding state) is already fixed, the other input and its state also get fixed. Then, there is no choice for the adversary to choose the (second) value in column 0 which is truncated in this round. In particular, $z_{10}$ is already fixed, as it is required to be the same as the column 10 difference at the start of round 2. Thus, in this case the adversary is forced to already require all the variables $a_2$, $z_{11}$, $z_{12}$ etc. to be such that they satisfy the constraints of the SMIX steps in round 1.

However, the situation is similar in round 2 as well, as there again the choice $z_{20}$ is already forced by the difference of column 10 and column 21 at the start of round 3. In other words, the difference in state at the start of round 3 is $y'_{11}$, which is the same as $y_{11} + z_{20}$, and $y_{11}$ is also required to be the difference in column 21. A similar situation holds in round 3 as well. It is only in round 4 that the difference $z_{40}$ is not pre-determined, and there is a choice for $z_{40}$ even if the difference at the start of round 5 is fixed. However, the choice of $z_{20}$ is constrained by a complicated set of non-linear equations of high polynomial degree over GF(2).

To elaborate, any choice of $z_{40}$ must satisfy the following. Once $z_{40}$ is chosen, it forces $y_{31}$, as $y'_{31} = y_{31} + z_{40}$. Then $y_{31}$, along with all other differential values in columns 1 to 29 at the start of round 5, can be used to calculate $\hat{z}_{11}$, $\hat{z}_{12}$, $\hat{a}_{11}$, and hence to evaluate a value back for $z_{40}$ using the specification of SMIX. This value must equal the value already chosen. Thus, choosing $z_{40}$ strategically so that the above constraints are satisfied seems to be an intractable problem, especially given that the problem gets more difficult in the next round, as there are many more similar constraints on the other variables in that round.

2. The adversary may not require the differentials to be fixed to a specific value, and may instead try to satisfy the constraints in each round by dynamically choosing the value truncated in column 0 in each round. However, we already saw in the previous case that for the first 4 rounds the adversary has no choice in even choosing this value, as it is already determined by the difference in state at the start of the next round. Now, e.g., the probability of

$\mathrm{SMIX}(\langle 0, 0, 0, a_1 \rangle) = \langle y_{10}, y_{11}, y_{12}, y_{13} \rangle$

where the probability is over random $a_1, y_{10}, y_{11}, y_{12}$, is $(2^8)^4 / (2^8)^{5 \times 4} = 2^{-128}$, as SMIX is invertible. If we consider the two SMIXes of round 1, we get a probability of $2^{-256}$. Thus, it seems no easier to obtain a second pre-image of Fugue-256($P$) than just inverting Fugue-256 directly without using $P$.
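The counting behind the $2^{-128}$ figure, carried out explicitly with the symbols above. This is an added worked derivation, not part of the original text; it assumes, as the text does when multiplying the two probabilities, that the two SMIX constraints of round 1 are treated as independent.

$$
\Pr\big[\mathrm{SMIX}(\langle 0,0,0,a_1\rangle) = \langle y_{10}, y_{11}, y_{12}, y_{13}\rangle\big]
= \frac{\#\{(a_1, y_{10}, y_{11}, y_{12}, y_{13}) \text{ satisfying the equation}\}}{\#\{\text{all } (a_1, y_{10}, y_{11}, y_{12}, y_{13})\}}
$$

Each column holds 4 bytes, so there are $(2^8)^4 = 2^{32}$ choices of $a_1$, and the denominator counts all five columns as free 4-byte values, $(2^8)^{5 \times 4} = 2^{160}$ tuples in total. SMIX is a function (indeed a bijection), so each $a_1$ determines exactly one output $\langle y_{10}, y_{11}, y_{12}, y_{13}\rangle$; hence exactly $2^{32}$ tuples satisfy the equation:

$$
\frac{(2^8)^4}{(2^8)^{5 \times 4}} = \frac{2^{32}}{2^{160}} = 2^{-128}.
$$

Round 1 applies SMIX twice, each instance imposing its own constraint of this form; multiplying the two probabilities gives

$$
2^{-128} \cdot 2^{-128} = 2^{-256},
$$

which is the figure quoted above.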
