Difference between revisions of "Groestl"
From The ECRYPT Hash Function Website
m (→Cryptanalysis: moved semifreestart to second table) |
(→Building blocks: added Naya-Plasencia results) |
||
| Line 68: | Line 68: | ||
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference | | Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference | ||
|- | |- | ||
| − | + | | distinguisher || compression function || 256 || 10 rounds || 2<sup>175</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/607.pdf Naya-Plasencia] | |
| + | |- | ||
| + | | distinguisher || compression function || 512 || 11 rounds || 2<sup>630</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/607.pdf Naya-Plasencia] | ||
| + | |- | ||
| semi-free-start collision || compression function || 224,256 || 7 rounds || 2<sup>80</sup> || 2<sup>32</sup> || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel] | | semi-free-start collision || compression function || 224,256 || 7 rounds || 2<sup>80</sup> || 2<sup>32</sup> || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel] | ||
|- | |- | ||
| Line 113: | Line 116: | ||
|} | |} | ||
| + | |||
| + | == Cryptanalysis == | ||
| + | |||
| + | We distinguish between two cases: results on the complete hash function, and results on underlying building blocks. | ||
| + | |||
| + | A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here]. | ||
| + | |||
| + | Recommended security parameter: '''8''' rounds (n=224,256); '''10''' rounds (n=384,512) | ||
| + | |||
| + | === Hash function === | ||
| + | |||
| + | Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter. | ||
| + | |||
| + | {| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" | ||
| + | |- style="background:#efefef;" | ||
| + | | Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference | ||
| + | |- | ||
| + | | collision<sup>(1)</sup> || 256 || 5 rounds || 2<sup>112</sup> || 2<sup>85.3</sup> || [http://eprint.iacr.org/2010/588.pdf Schläffer] | ||
| + | |- | ||
| + | |} | ||
| + | |||
| + | <sup>(1)</sup> In this attack some problems in the [http://eprint.iacr.org/2010/321.pdf previous attacks] (pointed out by [http://eprint.iacr.org/2010/569.pdf Jean,Fouque]) have been corrected. | ||
| + | |||
| + | |||
| + | === Building blocks === | ||
| + | |||
| + | Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter. | ||
| + | |||
| + | Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks). | ||
| + | |||
| + | {| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" | ||
| + | |- style="background:#efefef;" | ||
| + | | Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference | ||
| + | |- | ||
| + | | distinguisher || permutation || 256 || 8 rounds || 2<sup>151</sup> || 2<sup>67</sup> || [http://eprint.iacr.org/2010/607.pdf Naya-Plasencia] | ||
| + | |- | ||
| + | | distinguisher<sup>(1)</sup> (chosen salt) || compression function || 256 || 7 rounds || 2<sup>160</sup> || 2<sup>128</sup> || [http://eprint.iacr.org/2010/588.pdf Schläffer] | ||
| + | |- | ||
| + | | free-start collision<sup>(1)</sup> (chosen salt) || compression function || 256 || 6 rounds || 2<sup>160</sup> || 2<sup>128</sup> || [http://eprint.iacr.org/2010/588.pdf Schläffer] | ||
| + | |- | ||
| + | | semi-free-start collision || compression function || 256 || 4 rounds || 2<sup>52</sup> || 2<sup>16</sup> || [http://eprint.iacr.org/2010/569.pdf Jean,Fouque] | ||
| + | |- | ||
| + | | semi-free-start collision || compression function || 256 || 3 rounds || 2<sup>64</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/223.pdf Peyrin] | ||
| + | |- | ||
| + | | distinguisher || compression function || 256 || 4 rounds || 2<sup>64</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/223.pdf Peyrin] | ||
| + | |- | ||
| + | | semi-free-start collision || compression function || 512 || 3 rounds || 2<sup>96</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/223.pdf Peyrin] | ||
| + | |- | ||
| + | | distinguisher || compression function || 512 || 6 rounds || 2<sup>96</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/223.pdf Peyrin] | ||
| + | |- | ||
| + | | distinguisher || permutation || all || 8 rounds || 2<sup>768</sup> || 2<sup>512</sup> || [http://eprint.iacr.org/2009/531.pdf Gilbert,Peyrin] | ||
| + | |- | ||
| + | | distinguisher || permutation || all || 7 rounds || 2<sup>384</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=110408 Mendel,Peyrin,Rechberger,Schläffer] | ||
| + | |- | ||
| + | | distinguisher || permutation || all || 7 rounds || 2<sup>896</sup> || - || [http://crypto.rd.francetelecom.com/echo/doc/echo_description_1-5.pdf submission document] | ||
| + | |- | ||
| + | |} | ||
| + | |||
| + | <sup>(1)</sup> In this attack some problems in the [http://eprint.iacr.org/2010/321.pdf previous attacks] (pointed out by [http://eprint.iacr.org/2010/569.pdf Jean,Fouque]) have been corrected. | ||
| + | |||
| + | |||
| + | <bibtex> | ||
| + | @misc{cryptoeprint:2010:607, | ||
| + | author = {María Naya-Plasencia}, | ||
| + | title = {Scrutinizing rebound attacks: new algorithms for improving the complexities}, | ||
| + | howpublished = {Cryptology ePrint Archive, Report 2010/607}, | ||
| + | year = {2010}, | ||
| + | note = {\url{http://eprint.iacr.org/}}, | ||
| + | url = {http://eprint.iacr.org/2010/607.pdf}, | ||
| + | abstract = {Rebound attacks are a state-of-the-art analysis method for hash functions. These cryptanalysis methods are based on a well chosen differential path and have been applied to several hash functions from the SHA-3 competition, providing the best known analysis in these cases. In this paper we study rebound attacks in detail and find for a great number of cases, that complexities of existing attacks can be improved. This is done by determining problems that adapt optimally to the cryptanalytic situation, and by using better algorithms to follow the differential path. These improvements are essentially based on merging big lists in a more efficient way, as well as on new ideas on how to reduce the complexities. As a result, we introduce general purpose new algorithms for enabling further rebound analysis to be as performant as possible. We illustrate our new algorithms for real hash functions and demonstrate how to reduce the complexities of the best known analysis on five hash functions: JH, Grøstl, ECHO, Luffa and Lane (the first four are round two SHA-3 candidates).}, | ||
| + | } | ||
| + | </bibtex> | ||
<bibtex> | <bibtex> | ||
Revision as of 16:10, 7 December 2010
Contents
1 The algorithm
- Author(s): Praveen Gauravaram, Lars R. Knudsen, Krystian Matusiewicz, Florian Mendel, Christian Rechberger, Martin Schläffer, Søren S. Thomsen
- Website: http://www.groestl.info
- NIST submission package:
- round 1/2: Grostl_Round2.zip (old version: Grostl.zip)
Praveen Gauravaram, Lars R. Knudsen, Krystian Matusiewicz, Florian Mendel, Christian Rechberger, Martin Schläffer, Søren S. Thomsen - Grøstl -- a SHA-3 candidate
- ,2008
- http://www.groestl.info/Groestl.pdf
BibtexAuthor : Praveen Gauravaram, Lars R. Knudsen, Krystian Matusiewicz, Florian Mendel, Christian Rechberger, Martin Schläffer, Søren S. Thomsen
Title : Grøstl -- a SHA-3 candidate
In : -
Address :
Date : 2008
Praveen Gauravaram, Lars R. Knudsen, Krystian Matusiewicz, Florian Mendel, Christian Rechberger, Martin Schläffer, Søren S. Thomsen - Grøstl Addendum
- ,2009
- http://groestl.info/Groestl-addendum.pdf
BibtexAuthor : Praveen Gauravaram, Lars R. Knudsen, Krystian Matusiewicz, Florian Mendel, Christian Rechberger, Martin Schläffer, Søren S. Thomsen
Title : Grøstl Addendum
In : -
Address :
Date : 2009
2 Cryptanalysis
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.
A description of the tables is given here.
Recommended security parameter: 10 rounds (n=224,256); 14 rounds (n=384,512)
2.1 Hash function
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.
| Type of Analysis | Hash Size (n) | Parameters | Compression Function Calls | Memory Requirements | Reference |
| collision | 224,256 | 5 rounds | 248 | 232 | Ideguchi,Tischhauser,Preneel |
| collision | 256 | 6 rounds | 2112 | 232 | Ideguchi,Tischhauser,Preneel |
| collision | 224,256 | 4 rounds | 264 | 264 | Mendel,Rechberger,Schläffer,Thomsen |
| collision | 224,256 | 3 rounds | 264 | - | Mendel,Rechberger,Schläffer,Thomsen |
| collision | 384,512 | 5 rounds | 2176 | 264 | Mendel,Rechberger,Schläffer,Thomsen |
| collision | 384,512 | 4 rounds | 264 | 264 | Mendel,Rechberger,Schläffer,Thomsen |
2.2 Building blocks
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks).
| Type of Analysis | Hash Function Part | Hash Size (n) | Parameters/Variants | Compression Function Calls | Memory Requirements | Reference |
| distinguisher | compression function | 256 | 10 rounds | 2175 | 264 | Naya-Plasencia |
| distinguisher | compression function | 512 | 11 rounds | 2630 | 264 | Naya-Plasencia |
| semi-free-start collision | compression function | 224,256 | 7 rounds | 280 | 232 | Ideguchi,Tischhauser,Preneel |
| semi-free-start collision | compression function | 224,256 | 8 rounds | 2192 | 264 | Ideguchi,Tischhauser,Preneel |
| distinguisher | permutation | 224,256 | 7 rounds | 219 | - | Ideguchi,Tischhauser,Preneel |
| distinguisher | permutation | 224,256 | 8 rounds | 264 | 264 | Ideguchi,Tischhauser,Preneel |
| distinguisher | compression function | 256 | 10 rounds | 2192 | 264 | Peyrin |
| distinguisher | compression function | 256 | 9 rounds | 280 | 264 | Peyrin |
| distinguisher | compression function | 512 | 11 rounds | 2640 | 264 | Peyrin |
| semi-free-start collision | compression function | 256 | 7 rounds | 2120 | 264 | Gilbert,Peyrin |
| distinguisher | compression function | 256 | 8 rounds | 2112 | 264 | Gilbert,Peyrin |
| distinguisher | permutation | 256 | 8 rounds | 2112 | 264 | Gilbert,Peyrin |
| semi-free-start collision | compression function | 256 | 7 rounds | 2120 | 264 | Mendel,Rechberger,Schläffer,Thomsen |
| semi-free-start collision | compression function | 384,512 | 7 rounds | 2152 | 264 | Mendel,Rechberger,Schläffer,Thomsen |
| semi-free-start collision | compression function | 224,256 | 6 rounds | 264 | 264 | Mendel,Peyrin,Rechberger,Schläffer |
| distinguisher | output transformation | 224,256 | 7 rounds | 256 | - | Mendel,Peyrin,Rechberger,Schläffer |
| distinguisher | permutation | 224,256 | 7 rounds | 255 | - | Mendel,Peyrin,Rechberger,Schläffer |
| semi-free-start collision | compression function | 256 | 6 rounds | 2120 | 264 | Mendel,Rechberger,Schläffer,Thomsen |
| semi-free-start collision | compression function | 224,256 | 5 rounds | 264 | - | Mendel,Rechberger,Schläffer,Thomsen |
| observation | hash | all | Kelsey | |||
| observation | block cipher | all | Barreto | |||
| free-start collision | compression function | all | any | 22n/3 | 22n/3 | submission document |
| pseudo-preimage | compression function | all | any | 2n | - | submission document |
3 Cryptanalysis
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.
A description of the tables is given here.
Recommended security parameter: 8 rounds (n=224,256); 10 rounds (n=384,512)
3.1 Hash function
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.
| Type of Analysis | Hash Size (n) | Parameters | Compression Function Calls | Memory Requirements | Reference |
| collision(1) | 256 | 5 rounds | 2112 | 285.3 | Schläffer |
(1) In this attack some problems in the previous attacks (pointed out by Jean,Fouque) have been corrected.
3.2 Building blocks
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks).
| Type of Analysis | Hash Function Part | Hash Size (n) | Parameters/Variants | Compression Function Calls | Memory Requirements | Reference |
| distinguisher | permutation | 256 | 8 rounds | 2151 | 267 | Naya-Plasencia |
| distinguisher(1) (chosen salt) | compression function | 256 | 7 rounds | 2160 | 2128 | Schläffer |
| free-start collision(1) (chosen salt) | compression function | 256 | 6 rounds | 2160 | 2128 | Schläffer |
| semi-free-start collision | compression function | 256 | 4 rounds | 252 | 216 | Jean,Fouque |
| semi-free-start collision | compression function | 256 | 3 rounds | 264 | 264 | Peyrin |
| distinguisher | compression function | 256 | 4 rounds | 264 | 264 | Peyrin |
| semi-free-start collision | compression function | 512 | 3 rounds | 296 | 264 | Peyrin |
| distinguisher | compression function | 512 | 6 rounds | 296 | 264 | Peyrin |
| distinguisher | permutation | all | 8 rounds | 2768 | 2512 | Gilbert,Peyrin |
| distinguisher | permutation | all | 7 rounds | 2384 | 264 | Mendel,Peyrin,Rechberger,Schläffer |
| distinguisher | permutation | all | 7 rounds | 2896 | - | submission document |
(1) In this attack some problems in the previous attacks (pointed out by Jean,Fouque) have been corrected.
María Naya-Plasencia - Scrutinizing rebound attacks: new algorithms for improving the complexities
- ,2010
- http://eprint.iacr.org/2010/607.pdf
BibtexAuthor : María Naya-Plasencia
Title : Scrutinizing rebound attacks: new algorithms for improving the complexities
In : -
Address :
Date : 2010
Kota Ideguchi, Elmar Tischhauser, Bart Preneel - Improved Collision Attacks on the Reduced-Round Grøstl Hash Function
- ,2010
- http://eprint.iacr.org/2010/375.pdf
BibtexAuthor : Kota Ideguchi, Elmar Tischhauser, Bart Preneel
Title : Improved Collision Attacks on the Reduced-Round Grøstl Hash Function
In : -
Address :
Date : 2010
Thomas Peyrin - Improved Differential Attacks for ECHO and Grostl
- ,2010
- http://eprint.iacr.org/2010/223.pdf
BibtexAuthor : Thomas Peyrin
Title : Improved Differential Attacks for ECHO and Grostl
In : -
Address :
Date : 2010
Henri Gilbert, Thomas Peyrin - Super-Sbox Cryptanalysis: Improved Attacks for AES-like permutations
- FSE ,2010
- http://eprint.iacr.org/2009/531.pdf
BibtexAuthor : Henri Gilbert, Thomas Peyrin
Title : Super-Sbox Cryptanalysis: Improved Attacks for AES-like permutations
In : FSE -
Address :
Date : 2010
Florian Mendel, Christian Rechberger, Martin Schläffer, Søren S. Thomsen - Rebound Attacks on the Reduced Grøstl Hash Function
- CT-RSA 5985:350-365,2010
- http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053
BibtexAuthor : Florian Mendel, Christian Rechberger, Martin Schläffer, Søren S. Thomsen
Title : Rebound Attacks on the Reduced Grøstl Hash Function
In : CT-RSA -
Address :
Date : 2010
Florian Mendel, Thomas Peyrin, Christian Rechberger, Martin Schläffer - Improved Cryptanalysis of the Reduced Grøstl
Compression Function, ECHO Permutation and AES Block Cipher
- SAC 5867:16-35,2009
- http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124407&pCurrPk=44420
BibtexAuthor : Florian Mendel, Thomas Peyrin, ChristianRechberger, Martin Schläffer
Compression Function, ECHO Permutation and AES Block Cipher
Title : Improved Cryptanalysis of the Reduced Grøstl
In : SAC -
Address :
Date : 2009
Florian Mendel, Christian Rechberger, Martin Schläffer, Søren S. Thomsen - The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grøstl
- FSE 5665:260-276,2009
- http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124409&pCurrPk=40943
BibtexAuthor : Florian Mendel, Christian Rechberger, Martin Schläffer, Søren S. Thomsen
Title : The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grøstl
In : FSE -
Address :
Date : 2009
John Kelsey - Some notes on Grøstl
- ,2009
- http://ehash.iaik.tugraz.at/uploads/d/d0/Grostl-comment-april28.pdf
BibtexAuthor : John Kelsey
Title : Some notes on Grøstl
In : -
Address :
Date : 2009
Paulo S. L. M. Barreto - An observation on Grøstl
