Difference between revisions of "ECHO"

Revision as of 08:54, 29 April 2010

1 The algorithm

Author(s): Ryad Benadjila, Olivier Billet, Henri Gilbert, Gilles Macario-Rat, Thomas Peyrin, Matt Robshaw, Yannick Seurin
Website: http://crypto.rd.francetelecom.com/echo/
NIST submission package:
- round 1/2: ECHO_Round2.zip (old version ECHO.zip)

Ryad Benadjila, Olivier Billet, Henri Gilbert, Gilles Macario-Rat, Thomas Peyrin, Matt Robshaw, Yannick Seurin - SHA-3 Proposal: ECHO

,2009

http://crypto.rd.francetelecom.com/echo/doc/echo_description_1-5.pdf
Bibtex

Author : Ryad Benadjila, Olivier Billet, Henri Gilbert, Gilles Macario-Rat, Thomas Peyrin, Matt Robshaw, Yannick Seurin
Title : SHA-3 Proposal: ECHO
In : -
Address :
Date : 2009

Ryad Benadjila, Olivier Billet, Henri Gilbert, Gilles Macario-Rat, Thomas Peyrin, Matt Robshaw, Yannick Seurin - SHA-3 Proposal: ECHO

,2008

http://crypto.rd.francetelecom.com/echo/doc/echo_description.pdf
Bibtex

Author : Ryad Benadjila, Olivier Billet, Henri Gilbert, Gilles Macario-Rat, Thomas Peyrin, Matt Robshaw, Yannick Seurin
Title : SHA-3 Proposal: ECHO
In : -
Address :
Date : 2008

2 Cryptanalysis

We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.

A description of the tables is given here.

2.1 Hash function

Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.

Recommended security parameters: 8 rounds (n=224,256); 10 rounds (n=384,512)

Type of Analysis	Hash Size (n)	Parameters	Compression Function Calls	Memory Requirements	Reference

2.2 Building blocks

Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.

Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks).

Type of Analysis	Hash Function Part	Hash Size (n)	Parameters/Variants	Compression Function Calls	Memory Requirements	Reference
semi-free-start collision	compression function	256	3 rounds	2⁶⁴	2⁶⁴	Peyrin
distinguisher	compression function	256	4 rounds	2⁶⁴	2⁶⁴	Peyrin
semi-free-start collision	compression function	512	3 rounds	2⁹⁶	2⁶⁴	Peyrin
distinguisher	compression function	512	6 rounds	2⁹⁶	2⁶⁴	Peyrin
distinguisher	permutation	all	8 rounds	2⁷⁶⁸	2⁵¹²	Gilbert,Peyrin
distinguisher	permutation	all	7 rounds	2³⁸⁴	2⁶⁴	Mendel,Peyrin,Rechberger,Schläffer
distinguisher	permutation	all	7 rounds	2⁸⁹⁶	-	submission document

Thomas Peyrin - Improved Differential Attacks for ECHO and Grostl

,2010

Bibtex

Author : Thomas Peyrin
Title : Improved Differential Attacks for ECHO and Grostl
In : -
Address :
Date : 2010

Henri Gilbert, Thomas Peyrin - Super-Sbox Cryptanalysis: Improved Attacks for AES-like permutations

FSE ,2010

http://eprint.iacr.org/2009/531.pdf
Bibtex

Author : Henri Gilbert, Thomas Peyrin
Title : Super-Sbox Cryptanalysis: Improved Attacks for AES-like permutations
In : FSE -
Address :
Date : 2010

Florian Mendel, Thomas Peyrin, Christian Rechberger, Martin Schläffer - Improved Cryptanalysis of the Reduced Grøstl

Compression Function, ECHO Permutation and AES Block Cipher

SAC 5867:16-35,2009

http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124407&pCurrPk=44420
Bibtex

Author : Florian Mendel, Thomas Peyrin, Christian

Rechberger, Martin Schläffer
Title : Improved Cryptanalysis of the Reduced Grøstl

Compression Function, ECHO Permutation and AES Block Cipher
In : SAC -
Address :
Date : 2009

@@ Line 59: / Line 59: @@
 |- style="background:#efefef;"
 | Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements ||   Reference
 |-
+| semi-free-start collision || compression function || 256 || 3 rounds || 2<sup>64</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/223.pdf Peyrin]
+|-
+| distinguisher || compression function || 256 || 4 rounds || 2<sup>64</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/223.pdf Peyrin]
+|-
+| semi-free-start collision || compression function || 512 || 3 rounds || 2<sup>96</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/223.pdf Peyrin]
+|-
+| distinguisher || compression function || 512 || 6 rounds || 2<sup>96</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/223.pdf Peyrin]
+|-
 | distinguisher || permutation || all || 8 rounds || 2<sup>768</sup> || 2<sup>512</sup> || [http://eprint.iacr.org/2009/531.pdf Gilbert,Peyrin]
 |-
@@ Line 68: / Line 76: @@
 |}
+<bibtex>
+@misc{Pey10,
+    author = {Thomas Peyrin},
+    title = {Improved Differential Attacks for ECHO and Grostl},
+    howpublished = {Cryptology ePrint Archive, Report 2010/223},
+    year = {2010},
+    note = {\url{http://eprint.iacr.org/}},
+    abstract = {We present improved cryptanalysis of two second-round SHA-3 candidates: the AES-based hash functions ECHO and Grostl. We explain methods for building better differential trails for ECHO by increasing the granularity of the truncated differential paths previously considered. In the case of Grostl, we describe a new technique, the internal differential attack, which shows that when using parallel computations designers should also consider the differential security between the parallel branches. Then, we exploit the recently introduced start-from-the-middle or Super-Sbox attacks, that proved to be very efficient when attacking AES-like permutations, to achieve a very efficient utilization of the available freedom degrees. Finally, we obtain the best known attacks so far for both ECHO and Grostl. In particular, we are able to mount a distinguishing attack for the full Grostl-256 compression function.},
+}
+</bibtex>
 <bibtex>

Difference between revisions of "ECHO"

Revision as of 08:54, 29 April 2010

Contents

1 The algorithm

2 Cryptanalysis

2.1 Hash function

2.2 Building blocks

Navigation menu

Views

Personal tools

Navigation

Search

Tools