Abstract: As one of SHA-3 candidate algorithms for the second round competition, BLAKE adopts local wide-pipe technology and improved MD iteration structure. Its core is the core of Chacha cipher algorithm and its security has not been proved. By analyzing the structure and the characteristics of message permutation, three rounds free-starting preimage attack could be applied to BLAKE by using splice-and-subsection technology. The result shows that the designing deficiency of message permutation affects the security of BLAKE algorithm.

Key words: message digest, security, splice-and-subsection, free-starting preimage attack

摘要： SHA-3第二轮候选算法BLAKE采用局部宽管道技术和改进的MD迭代结构，其内核为Chacha密码算法的内核，该算法的安全性还未得到证明。通过分析BLAKE算法的结构及其消息置换特征，首次采用分段—连接技术对其进行了3轮的自由起始原象攻击。结果表明，消息置换的设计存在缺陷，而且这一设计缺陷影响了BLAKE算法的安全性。

关键词: 消息摘要, 安全性, 分段—连接, 自由起始原象攻击