Distinguisher for Full Final Round of Fugue-256

Jean-Philippe Aumasson (1) and Raphael C.-W. Phan (2)

(1) Nagravision SA, Cheseaux, Switzerland
(2) Loughborough Uni, UK

Abstract. Fugue-256 is the 256-bit version of the hash function Fugue submitted to NIST’s SHA-3 competition, and selected as one of the 14 second-round candidates. Fugue-256 updates a state S = (S0, ..., S29) of 30 × 32 = 960 bits with a transform R that depends on a 32-bit message block and that calls a double-AES-like round function once. R admits trivial distinguishers, and to obtain unpredictable and pseudorandom digests, Fugue-256 relies only on a final round G, which maps a 960-bit state to a 256-bit digest through 18 double-AES-like rounds. The main result of this paper is an efficient distinguisher for the full 18-round G, building on a probability-1 differential characteristic covering 15 of those rounds. Our distinguisher finds, with negligible computation, pairs of inputs (S, S') that differ on 66 bits on average, and such that G(S) and G(S') remain constant for all pairs found. We also show that even if the number of rounds is increased from 18 to 30, nonrandomness remains in the final internal state of G. In a complete black-box setting, we furthermore show an efficient integral distinguisher for a slightly modified version of the full G.

Keywords: hash functions, cryptanalysis, SHA-3

1 Introduction

Among the 14 second-round candidates in NIST’s SHA-3 competition [1], Fugue is the algorithm with the least third-party analysis published (3). Submitted by Halevi, Hall and Jutla, Fugue allows formal security arguments against collision attacks and distinguishing attacks on a dedicated PRF mode. However, no formal argument is given in favor of its “random” behavior when the function is unkeyed, as in many hash function applications.

(3) See the SHA-3 Zoo wiki: http://ehash.iaik.tugraz.at/wiki/The SHA-3 Zoo.

Fugue-256 (the version of Fugue with 256-bit digests) updates a state S = (S0, ..., S29) of 30 × 32 = 960 bits with a transform R parametrized by a 32-bit message block. R essentially consists of two AES-like transforms (called SMIX) applied to 128-bit windows of S, and thus can easily be distinguished from a random transform (for example, any difference in S5 always propagates through R to S11). This, plus the fact that internal collisions have been found on multiple rounds of R [2], indicates that R is weak. To achieve notions such as unpredictability and indistinguishability, Fugue-256 relies instead on a much stronger transform, called the final round G, computed
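The observation that any difference in S5 always propagates through R to S11, worked as an added example that is not from the paper: a Python word-level model of R. The TIX, ROR3, CMIX and SMIX-window structure follows the Fugue specification as the editor recalls it, not this page, and the SMIX body is a placeholder mixer rather than Fugue's real super-mix, which suffices because the property depends only on which state words each step reads and writes.

```python
# Added example (not from the paper): word-level model of Fugue-256's round
# transform R, showing why a difference in S5 always lands unchanged in S11.
# Steps and indices (TIX, ROR3, CMIX, SMIX on S0..S3) follow the Fugue spec
# as recalled by the editor; smix_placeholder is NOT Fugue's real SMIX.
import os
MASK = 0xFFFFFFFF

def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def smix_placeholder(w):
    # Stand-in mixer: any function of S0..S3 gives the same S5 -> S11 result.
    a, b, c, d = w
    a = ((a ^ rotl(b, 7)) + c) & MASK
    b = ((b ^ rotl(c, 11)) + d) & MASK
    c = ((c ^ rotl(d, 13)) + a) & MASK
    d = ((d ^ rotl(a, 17)) + b) & MASK
    return [a, b, c, d]

def tix(s, m):  # absorb the 32-bit message word m
    s[10] ^= s[0]
    s[0] = m
    s[8] ^= s[0]
    s[1] ^= s[24]

def ror3(s):  # S_i <- S_{i-3}: every word moves three slots to the right
    return s[-3:] + s[:-3]

def cmix(s):
    s[0] ^= s[4]; s[1] ^= s[5]; s[2] ^= s[6]
    s[15] ^= s[4]; s[16] ^= s[5]; s[17] ^= s[6]

def R(state, m):
    s = list(state)
    tix(s, m)
    for _ in range(2):  # two ROR3 / CMIX / SMIX sub-rounds per R
        s = ror3(s)
        cmix(s)
        s[0:4] = smix_placeholder(s[0:4])
    return s

def passes_through(src, dst, trials=200):
    # True if a difference in S[src] always reappears unchanged in S[dst] only.
    rand = lambda: int.from_bytes(os.urandom(4), "big")
    for _ in range(trials):
        s = [rand() for _ in range(30)]
        m, delta = rand(), rand() | 1
        t = list(s); t[src] ^= delta
        d = [x ^ y for x, y in zip(R(s, m), R(t, m))]
        if d[dst] != delta or any(d[i] for i in range(30) if i != dst):
            return False
    return True
```

`passes_through(5, 11)` holds on every trial, which is the probability-1 behaviour a random transform would not exhibit; in this model a difference injected into a word that the CMIX or SMIX steps read (S1, for instance) spreads over several output words instead.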