Difference between revisions of "Grindahl-256"

From The ECRYPT Hash Function Website
(Best Known Results)
 
(10 intermediate revisions by 3 users not shown)
Line 1: Line 1:
 
== Specification ==
 
== Specification ==
  
<!--  
+
* Specification: [http://www2.mat.dtu.dk/people/Lars.R.Knudsen/grindahl/ Web page of the Grindahl hash functions]
* digest size: 160 bits
+
 
 +
 
 +
'''Grindahl-256'''
 +
* digest size: 256 bits
 
* max. message length: < 2<sup>64</sup> bits
 
* max. message length: < 2<sup>64</sup> bits
* compression function: 512-bit message block, 160-bit chaining variable
+
* compression function: 32-bit message block, 52 byte state
* Specification:  
+
 
-->
+
 
 +
<bibtex>
 +
@inproceedings{fseKnudsenRT07,
 +
  author    = {Lars R. Knudsen and Christian Rechberger and S&oslash;ren S. Thomsen},
 +
  title    = {The Grindahl Hash Functions},
 +
  pages    = {39-57},
 +
  url        = {http://dx.doi.org/10.1007/978-3-540-74619-5_3},
 +
  editor    = {Alex Biryukov},
 +
  booktitle = {FSE},
 +
  publisher = {Springer},
 +
  series    = {LNCS},
 +
  volume    = {4593},
 +
  year      = {2007},
 +
  isbn      = {978-3-540-74617-1},
 +
  abstract  = {In this paper we propose the Grindahl hash functions,
 +
which are based on components of the Rijndael algorithm. To make collision
 +
search sufficiently difficult, this design has the important feature that
 +
no low-weight characteristics form collisions, and at the same time it limits
 +
access to the state. We propose two concrete hash functions, Grindahl-256
 +
and Grindahl-512 with claimed security levels with respect to collision,
 +
preimage and second preimage attacks of 2<sup>128</sup> and 2<sup>256</sup>, respectively. Both
 +
proposals have lower memory requirements than other hash functions at comparable speeds and security levels.},
 +
}
 +
</bibtex>
  
 
== Cryptanalysis ==
 
== Cryptanalysis ==
Line 12: Line 38:
  
 
=== Best Known Results ===
 
=== Best Known Results ===
The best collision attack on Grindahl was published by Peyrin. It has complexity of 2<sup>112</sup> hash evaluations.  
+
The best collision attack on Grindahl-256 was published by Peyrin. It has complexity of about 2<sup>112</sup> hash evaluations. There are no known preimage-style attacks.
 
 
 
----
 
----
  
 
=== Generic Attacks ===
 
=== Generic Attacks ===
* [[GenericAttacksMerkleDamgaard| Generic Attacks on the Merkle-Damgaard Construction ]]
+
* Grindahl is not a design follwing the Merkle-Damgaard construction principle. [[GenericAttacksHash| Generic Attacks on Hash Functions]]
 +
 
  
 
----
 
----

Latest revision as of 21:32, 16 March 2008

1 Specification


Grindahl-256

  • digest size: 256 bits
  • max. message length: < 264 bits
  • compression function: 32-bit message block, 52 byte state


Lars R. Knudsen, Christian Rechberger, Søren S. Thomsen - The Grindahl Hash Functions

FSE 4593:39-57,2007
http://dx.doi.org/10.1007/978-3-540-74619-5_3
Bibtex
Author : Lars R. Knudsen, Christian Rechberger, Søren S. Thomsen
Title : The Grindahl Hash Functions
In : FSE -
Address :
Date : 2007

2 Cryptanalysis

2.1 Best Known Results

The best collision attack on Grindahl-256 was published by Peyrin. It has complexity of about 2112 hash evaluations. There are no known preimage-style attacks.


2.2 Generic Attacks



2.3 Collision Attacks

Thomas Peyrin - Cryptanalysis of Grindahl

ASIACRYPT 4833:551-567,2007
http://dx.doi.org/10.1007/978-3-540-76900-2_34
Bibtex
Author : Thomas Peyrin
Title : Cryptanalysis of Grindahl
In : ASIACRYPT -
Address :
Date : 2007

2.4 Second Preimage Attacks


2.5 Preimage Attacks


2.6 Others