Difference between revisions of "BLAKE"
(Added eprint 2010/043 results) |
m (fixed bibtex entry) |
||
| Line 99: | Line 99: | ||
howpublished = {Cryptology ePrint Archive, Report 2010/043}, | howpublished = {Cryptology ePrint Archive, Report 2010/043}, | ||
year = {2010}, | year = {2010}, | ||
| − | url = {http://eprint.iacr.org/}, | + | url = {http://eprint.iacr.org/2010/043.pdf}, |
| − | abstract = {BLAKE is a hash function selected by NIST as one of the 14 second round candidates for the SHA-3 Competition. In this paper, we follow a bottom-up approach to exhibit properties of BLAKE and of its building blocks: based on differential properties of the internal function G, we show that a round of BLAKE is a permutation on the message space, and present an efficient inversion algorithm. For 1.5 rounds we present an algorithm that finds preimages faster than in previous attacks. Discovered properties lead us to describe large classes of impossible differentials for two rounds of BLAKE’s internal permutation, and particular impossible differentials for five and six rounds, respectively for BLAKE- 32 and BLAKE-64. Then, using a linear and rotation-free model, we describe near-collisions for four rounds of the compression function. Finally, we discuss the problem of establishing upper bounds on the probability of differential characteristics for BLAKE. }, | + | abstract = {BLAKE is a hash function selected by NIST as one of the 14 second round candidates for the SHA-3 Competition. In this paper, we follow a bottom-up approach to exhibit properties of BLAKE and of its building blocks: based on differential properties of the internal function G, we show that a round of BLAKE is a permutation on the message space, and present an efficient inversion algorithm. For 1.5 rounds we present an algorithm that finds preimages faster than in previous attacks. Discovered properties lead us to describe large classes of impossible differentials for two rounds of BLAKE’s internal permutation, and particular impossible differentials for five and six rounds, respectively for BLAKE- 32 and BLAKE-64. Then, using a linear and rotation-free model, we describe near-collisions for four rounds of the compression function. Finally, we discuss the problem of establishing upper bounds on the probability of differential characteristics for BLAKE.}, |
} | } | ||
</bibtex> | </bibtex> | ||
Revision as of 16:56, 4 February 2010
1 The algorithm
- Author(s): Jean-Philippe Aumasson, Luca Henzen, Willi Meier, Raphael C.-W. Phan
- Website: http://131002.net/blake/
- NIST submission package:
- round 1/2: BLAKE_Round2.zip (old versions: BLAKE.zip, BLAKEUpdate.zip)
Jean-Philippe Aumasson, Luca Henzen, Willi Meier, Raphael C.-W. Phan - SHA-3 proposal BLAKE
- ,2008
- http://131002.net/blake/blake.pdf
BibtexAuthor : Jean-Philippe Aumasson, Luca Henzen, Willi Meier, Raphael C.-W. Phan
Title : SHA-3 proposal BLAKE
In : -
Address :
Date : 2008
2 Cryptanalysis
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.
A description of the tables is given here.
2.1 Hash function
Here we list results on the actual hash function. The only allowed modification is to change the security parameter.
Recommended security parameters: 10 rounds (n=224,256); 14 rounds (n=384,512)
| Type of Analysis | Hash Size (n) | Parameters | Compression Function Calls | Memory Requirements | Reference |
| preimage | 224,256 | 2.5 rounds | 2n-15 | - | Ji,Liangyu |
| preimage | 384 | 2.5 rounds | 2355 | - | Ji,Liangyu |
| preimage | 512 | 2.5 rounds | 2481 | - | Ji,Liangyu |
2.2 Building blocks
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks).
| Type of Analysis | Hash Function Part | Hash Size (n) | Parameters/Variants | Compression Function Calls | Memory Requirements | Reference |
| free-start collision | hash | 224,256 | 2.5 rounds | 2n/2-16 | - | Ji,Liangyu |
| free-start collision | hash | 384,512 | 2.5 rounds | 2n/2-32 | - | Ji,Liangyu |
| near-collision | compression function | 256 | 4 rounds (nb. 6-9) | 242 | - | Guo,Matusiewicz |
| impossible differential | permutation | 224,256 | 5 rounds | - | - | Aumasson,Guo,Knellwolf,Matusiewicz,Meier |
| impossible differential | permutation | 384,512 | 6 rounds | - | - | Aumasson,Guo,Knellwolf,Matusiewicz,Meier |
Li Ji, Xu Liangyu - Attacks on Round-Reduced BLAKE
- ,2009
- http://eprint.iacr.org/2009/238.pdf
BibtexAuthor : Li Ji, Xu Liangyu
Title : Attacks on Round-Reduced BLAKE
In : -
Address :
Date : 2009
Jian Guo, Krystian Matusiewicz - Round-Reduced Near-Collisions of BLAKE-32
- ,2009
- http://www.jguo.org/docs/blake-col.pdf
BibtexAuthor : Jian Guo, Krystian Matusiewicz
Title : Round-Reduced Near-Collisions of BLAKE-32
In : -
Address :
Date : 2009
Jean-Philippe Aumasson, Jian Guo, Simon Knellwolf, Krystian Matusiewicz, Willi Meier - Differential and invertibility properties of BLAKE (full version)
