Preimage and pseudo-collision attacks on step-reduced SM3 hash function

SM3 [12] is the Chinese cryptographic hash standard which was announced in 2010 and designed by Wang et al. It is based on the Merkle–Damgård design and its compression function can be seen as a block cipher used in Davies–Meyer mode. It uses message block of length 512 bits and outputs hash value of length 256 bits.This letter studies the security of SM3 hash function against preimage attack and pseudo-collision attack by using the weakness of diffusion process and linear message expansion. We propose preimage attacks on 29-step and 30-step SM3, and pseudo-preimage attacks on 31-step and 32-step SM3 out of 64 steps. The complexities of these attacks are 2245 29-step operations, 2251.1 30-step operations, 2245 31-step operations and 2251.1 32-step operations, respectively. These (pseudo-)preimage attacks are all from the 1-st step of the reduced SM3. Furthermore, these (pseudo-)preimage attacks can be converted into pseudo-collision attacks on SM3 reduced to 29 steps, 30 steps, 31 steps and 32 steps with complexities of 2122, 2125.1, 2122 and 2125.1 respectively. As far as we know, the previously best known preimage attacks on SM3 cover 28 steps (from the 1-st step) and 30 steps (from the 7-th step).

► Construct truncated differentials of SM3 with high probability. ► Construct bicliques covering 2-step SM3. ► Present preimage attacks on 29/30-step SM3 and pseudo-preimage attacks on 31/32-step SM3. ► Present pseudo-collision attacks on 29/30/31/32-step SM3.