Difference between revisions of "ECHO"
Mschlaeffer (talk | contribs) m |
Mschlaeffer (talk | contribs) (Super-Sbox Cryptanalysis: Improved Attacks for AES-like permutations) |
Line 37: | Line 37: | ||
=== Hash function === | === Hash function === | ||
− | Here we list results on the | + | Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter. |
Recommended security parameters: '''8''' rounds (n=224,256); '''10''' rounds (n=384,512) | Recommended security parameters: '''8''' rounds (n=224,256); '''10''' rounds (n=384,512) | ||
Line 55: | Line 55: | ||
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks). | Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks). | ||
+ | |||
+ | Recommended security parameters: '''8''' rounds (n=224,256); '''10''' rounds (n=384,512) | ||
{| border="1" cellpadding="4" cellspacing="0" class="wikitable" style="text-align:center" | {| border="1" cellpadding="4" cellspacing="0" class="wikitable" style="text-align:center" | ||
|- style="background:#efefef;" | |- style="background:#efefef;" | ||
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference | | Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference | ||
+ | |- | ||
+ | | distinguisher || permutation || all || 8 rounds || 2<sup>768</sup> || 2<sup>512</sup> || [http://eprint.iacr.org/2009/531.pdf Henri,Peyrin] | ||
|- | |- | ||
| distinguisher || permutation || all || 7 rounds || 2<sup>384</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=110408 Mendel,Peyrin,Rechberger,Schläffer] | | distinguisher || permutation || all || 7 rounds || 2<sup>384</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=110408 Mendel,Peyrin,Rechberger,Schläffer] | ||
|- | |- | ||
|} | |} | ||
+ | |||
+ | <bibtex> | ||
+ | @inproceedings{fseGP10, | ||
+ | author = {Henri Gilbert and Thomas Peyrin}, | ||
+ | title = {Super-Sbox Cryptanalysis: Improved Attacks for AES-like permutations}, | ||
+ | url = {http://eprint.iacr.org/2009/531.pdf}, | ||
+ | booktitle = {FSE}, | ||
+ | year = {2010}, | ||
+ | series = {LNCS}, | ||
+ | note = {To appear} | ||
+ | abstract = {In this paper, we improve the recent rebound and start-from-the-middle attacks on AES-like permutations. Our new cryptanalysis technique uses the fact that one can view two rounds of such permutations as a layer of big Sboxes preceded and followed by simple affine transformations. The big Sboxes encountered in this alternative representation are named Super-Sboxes. We apply this method to two second-round SHA-3 candidates Grostl and ECHO, and obtain improvements over the previous cryptanalysis results for these two schemes. Moreover, we improve the best distinguisher for the AES block cipher in the known-key setting, reaching 8 rounds for the 128-bit version.} | ||
+ | </bibtex> | ||
<bibtex> | <bibtex> | ||
@inproceedings{sacMPRS09, | @inproceedings{sacMPRS09, | ||
− | author = {Florian Mendel and Thomas Peyrin and Christian Rechberger and Martin Schläffer}, | + | author = {Florian Mendel and Thomas Peyrin and Christian |
− | title = {Improved Cryptanalysis of the Reduced Grøstl Compression Function, ECHO Permutation and AES Block Cipher}, | + | Rechberger and Martin Schläffer}, |
− | url = {http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr= | + | title = {Improved Cryptanalysis of the Reduced Grøstl |
+ | Compression Function, ECHO Permutation and AES Block Cipher}, | ||
+ | url = {http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124407&pCurrPk=44420}, | ||
booktitle = {SAC}, | booktitle = {SAC}, | ||
year = {2009}, | year = {2009}, | ||
− | + | volume = {5867}, | |
− | abstract = {In this paper, we propose two new ways to mount attacks on the SHA-3 candidates Gr{o}stl, and ECHO, and apply these attacks also to the AES. Our results improve upon and extend the rebound attack. Using the new techniques, we are able to extend the number of rounds in which available degrees of freedom can be used. As a result, we present the first attack on 7 rounds for the Gr{o}stl-256 output transformation and improve the semi-free-start collision attack on 6 rounds. Further, we present an improved known-key distinguisher for 7 rounds of the AES block cipher and the internal permutation used in ECHO.} | + | pages = {16-35}, |
+ | abstract = {In this paper, we propose two new ways to mount attacks | ||
+ | on the SHA-3 candidates Gr{\o}stl, and ECHO, and apply these attacks | ||
+ | also to the AES. Our results improve upon and extend the rebound | ||
+ | attack. Using the new techniques, we are able to extend the number of | ||
+ | rounds in which available degrees of freedom can be used. As a result, | ||
+ | we present the first attack on 7 rounds for the Gr{\o}stl-256 output | ||
+ | transformation and improve the semi-free-start collision attack on 6 | ||
+ | rounds. Further, we present an improved known-key distinguisher for 7 | ||
+ | rounds of the AES block cipher and the internal permutation used in | ||
+ | ECHO.} | ||
</bibtex> | </bibtex> |
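Review bot: the added fseGP10 entry is missing a comma after `note = {To appear}`, so the `abstract` field on the next line is not separated from it and the entry may not parse; add the comma. In the same hunk, the new 8-round table row labels its reference "Henri,Peyrin", but the entry's authors are Henri Gilbert and Thomas Peyrin and the 7-round row uses surnames, so the label should read "Gilbert,Peyrin".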
Revision as of 17:16, 15 February 2010
1 The algorithm
- Author(s): Ryad Benadjila, Olivier Billet, Henri Gilbert, Gilles Macario-Rat, Thomas Peyrin, Matt Robshaw, Yannick Seurin
- Website: http://crypto.rd.francetelecom.com/echo/
- NIST submission package:
- round 1/2: ECHO_Round2.zip (old version ECHO.zip)
Ryad Benadjila, Olivier Billet, Henri Gilbert, Gilles Macario-Rat, Thomas Peyrin, Matt Robshaw, Yannick Seurin - SHA-3 Proposal: ECHO
- 2009
- http://crypto.rd.francetelecom.com/echo/doc/echo_description_1-5.pdf
Ryad Benadjila, Olivier Billet, Henri Gilbert, Gilles Macario-Rat, Thomas Peyrin, Matt Robshaw, Yannick Seurin - SHA-3 Proposal: ECHO
- 2008
- http://crypto.rd.francetelecom.com/echo/doc/echo_description.pdf
2 Cryptanalysis
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.
A description of the tables is given here.
2.1 Hash function
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.
Recommended security parameters: 8 rounds (n=224,256); 10 rounds (n=384,512)
Type of Analysis | Hash Size (n) | Parameters | Compression Function Calls | Memory Requirements | Reference |
2.2 Building blocks
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks).
Recommended security parameters: 8 rounds (n=224,256); 10 rounds (n=384,512)
Type of Analysis | Hash Function Part | Hash Size (n) | Parameters/Variants | Compression Function Calls | Memory Requirements | Reference |
distinguisher | permutation | all | 8 rounds | 2^768 | 2^512 | Henri,Peyrin |
distinguisher | permutation | all | 7 rounds | 2^384 | 2^64 | Mendel,Peyrin,Rechberger,Schläffer |
Henri Gilbert, Thomas Peyrin - Super-Sbox Cryptanalysis: Improved Attacks for AES-like permutations
- FSE, 2010
- http://eprint.iacr.org/2009/531.pdf
Florian Mendel, Thomas Peyrin, Christian Rechberger, Martin Schläffer - Improved Cryptanalysis of the Reduced Grøstl Compression Function, ECHO Permutation and AES Block Cipher
- SAC 5867:16-35, 2009
- http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124407&pCurrPk=44420