• Author: Marc Stevens
• Website: http://code.google.com/p/hashclash/

This framework contains tools for the constructions of differential paths for MD5 and SHA-1, including chosen-prefix collisions for MD5.

• Author: Gaëtan Leurent
• Website: http://www.di.ens.fr/~leurent/arxtools.html

The ARX toolkit was presented at the SHA-3 conference in March 2012 in Washington, DC.

• Authors: ISD dev team
• Website: https://github.com/isd-dev/isd/downloads

This library, written in C++, is reasonably efficient at finding low weight codewords of a linear code using information set decoding.

• Authors: Nicky Mouha, Vesselin Velichkov, Christophe De Cannière, Bart Preneel
• Download: http://www.ecrypt.eu.org/tools/uploads/s-function_toolkit_v2.zip
• Documentation: http://www.cosic.esat.kuleuven.be/publications/article-1473.pdf

Note: v2 fixes a bug in the probability calculation. This bug does not affect the matrices that are output by the program.
An increasing number of cryptographic primitives use operations such as addition modulo 2ⁿ, multiplication by a constant and bitwise Boolean functions as a source of non-linearity. In NIST’s SHA-3 competition, this applies to 6 out of the 14 second-round candidates. We generalize such constructions by introducing the concept of S-functions. An S-function is a function that calculates the i-th output bit using only the inputs of the i-th bit position and a finite state S[i]. Although S-functions have been analyzed before, our toolkit is the first to present a fully general and efficient framework to determine their differential properties. A precursor of this framework was used in the cryptanalysis of SHA-1. We show how to calculate the probability that given input differences lead to given output differences, as well as how to count the number of output differences with non-zero probability. Our methods are rooted in graph theory, and the calculations can be efficiently performed using matrix multiplications. The toolkit also provides a general algorithm to efficiently list the output differences with the highest probability, for a given type of difference and operation.

• Authors: Guido Bertoni, Joan Daemen, Michaël Peeters, Gilles Van Assche
• Download: http://keccak.noekeon.org/KeccakTools-3.0.zip
• Documentation: http://keccak.noekeon.org/KeccakTools-doc/

KeccakTools is a set of C++ classes aimed at helping analyze the sponge function family Keccak. Version 3.0 has now been released.

• Authors: Paweł Morawiecki, Marian Srebrny, and Mateusz Srebrny
• Website: http://www.pawelmorawiecki.pl/cryptlogver

CryptLogVer is a toolkit that can be used to mount SAT-based attacks on cryptographic primitives (block ciphers, stream ciphers, hash functions). The main advantage of CryptLogVer is that it greatly simplifies the creation of CNF out of a given crypto primitive. CNF formulas coding crypto primitives are usually very challenging for a SAT solver. Therefore CryptLogVer could be also helpful for SAT community in providing hard CNF instances.

• Author: Bingsheng Zhang
• Download: http://www.ecrypt.eu.org/tools/uploads/present-linear-hull.zip
• Documentation: http://dx.doi.org/10.1007/978-3-642-10433-6_5

This tool computes linear hulls for the original PRESENT cipher. It confirms and even improves on the predicted bias (and the corresponding attack complexities) of conventional linear relations based on a single linear trail.

• Author: Paul Stankovski
• Website: http://www.eit.lth.se/index.php?id=260&uhpuid=dhs.pas&hpuid=584&L=1

A simple tool for the automatic algebraic cryptanalysis of a large array of stream- and block ciphers. Three tests have been implemented and the best results have led to continued work on a computational cluster. Our best results show nonrandomness in Trivium up to 1070 rounds (out of 1152), and in the full Grain-128 with 256 rounds.

• Authors: Jian Guo and Søren S. Thomsen
• Website: http://www2.mat.dtu.dk/people/S.Thomsen/bmw/

This tool can be used to demonstrate non-randomness in the Blue Midnight Wish compression function. The implementation of the compression function is taken from the submission to the second round by the design team.