Difference between revisions of "Groestl"

From The ECRYPT Hash Function Website
m (references updated)
m
 
(2 intermediate revisions by 2 users not shown)
Line 72: Line 72:
 
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements ||  Reference  
 
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements ||  Reference  
 
|-           
 
|-           
| semi-free-start collision || compression function || 256 || 6 rounds || 2<sup>112</sup> || 2<sup>64</sup> || [http://groestl.info/groestl-analysis.pdf Schläffer]
+
| distinguisher || permutation || 256 || 9 rounds || 2<sup>368</sup> || 2<sup>64</sup> || [http://link.springer.com/chapter/10.1007%2F978-3-642-34047-5_7 Jean,Naya-Plasencia,Peyrin]
 +
|-       
 +
| distinguisher || permutation || 512 || 8 rounds || 2<sup>280</sup> || 2<sup>64</sup> || [http://link.springer.com/chapter/10.1007%2F978-3-642-34047-5_7 Jean,Naya-Plasencia,Peyrin]
 +
|-
 +
| distinguisher || permutation || 512 || 9 rounds || 2<sup>328</sup> || 2<sup>64</sup> || [http://link.springer.com/chapter/10.1007%2F978-3-642-34047-5_7 Jean,Naya-Plasencia,Peyrin]
 +
|-
 +
| distinguisher || permutation || 512 || 10 rounds || 2<sup>392</sup> || 2<sup>64</sup> || [http://link.springer.com/chapter/10.1007%2F978-3-642-34047-5_7 Jean,Naya-Plasencia,Peyrin]
 +
|-
 +
| preimage|| output transformation || 256 || 5 rounds || 2<sup>206</sup> || 2<sup>48</sup> || [http://eprint.iacr.org/2012/206.pdf Wu,Feng,Wu,Guo,Dong,Zou]
 +
|-
 +
| pseudo preimage|| hash function || 256 || 5 rounds || 2<sup>244.85</sup> || 2<sup>230.13</sup> || [http://eprint.iacr.org/2012/206.pdf Wu,Feng,Wu,Guo,Dong,Zou]
 +
|-
 +
| preimage|| output transformation || 512 || 8 rounds || 2<sup>495</sup> || 2<sup>16</sup> || [http://eprint.iacr.org/2012/206.pdf Wu,Feng,Wu,Guo,Dong,Zou]
 +
|-
 +
| pseudo preimage|| hash function || 512 || 8 rounds || 2<sup>507.32</sup> || 2<sup>507</sup> || [http://eprint.iacr.org/2012/206.pdf Wu,Feng,Wu,Guo,Dong,Zou]
 +
|-
 +
| preimage || output transformation || 256 || 6 rounds || 2<sup>251</sup> ||  || [http://eprint.iacr.org/2012/141.pdf Khovratovich]
 +
|-
 +
| preimage || compression function || 256 || 6 rounds || 2<sup>128</sup> ||  || [http://web.science.mq.edu.au/~rons/preimageattack-final.pdf Emami,Guaravaram,Pieprzyk,Steinfeld]
 +
|-
 +
| chosen multitarget preimage || compression function || 256 || 6 rounds / 2<sup>64</sup> targets || 2<sup>64</sup> || 2<sup>64</sup> || [http://web.science.mq.edu.au/~rons/preimageattack-final.pdf Emami,Guaravaram,Pieprzyk,Steinfeld]
 +
|-
 +
| chosen multitarget preimage || compression function || 256 || 6 rounds / 2<sup>8</sup> targets || 2<sup>120</sup> || 2<sup>64</sup> || [http://web.science.mq.edu.au/~rons/preimageattack-final.pdf Emami,Guaravaram,Pieprzyk,Steinfeld]
 +
|-
 +
| chosen multitarget preimage || compression function || 256 || 7 rounds / 2<sup>80</sup> targets || 2<sup>64</sup> || 2<sup>64</sup> || [http://web.science.mq.edu.au/~rons/preimageattack-final.pdf Emami,Guaravaram,Pieprzyk,Steinfeld]
 +
|-
 +
| chosen multitarget preimage || compression function || 256 || 7 rounds / 2<sup>24</sup> targets || 2<sup>120</sup> || 2<sup>64</sup> || [http://web.science.mq.edu.au/~rons/preimageattack-final.pdf Emami,Guaravaram,Pieprzyk,Steinfeld]
 +
|-
 +
| chosen multitarget preimage || compression function || 256 || 8 rounds / 2<sup>192</sup> targets || 2<sup>64</sup> || 2<sup>64</sup> || [http://web.science.mq.edu.au/~rons/preimageattack-final.pdf Emami,Guaravaram,Pieprzyk,Steinfeld]
 +
|-
 +
| chosen multitarget preimage || compression function || 256 || 8 rounds / 2<sup>136</sup> targets || 2<sup>120</sup> || 2<sup>64</sup> || [http://web.science.mq.edu.au/~rons/preimageattack-final.pdf Emami,Guaravaram,Pieprzyk,Steinfeld]
 +
|-
 +
| chosen multitarget preimage || compression function || 256 || 9 rounds / 2<sup>192</sup> targets || 2<sup>120</sup> || 2<sup>64</sup> || [http://web.science.mq.edu.au/~rons/preimageattack-final.pdf Emami,Guaravaram,Pieprzyk,Steinfeld]
 +
|-
 +
| chosen multitarget preimage || hash function || 256 || 5 rounds / 2<sup>64</sup> targets || 2<sup>80</sup> || 2<sup>64</sup> || [http://web.science.mq.edu.au/~rons/preimageattack-final.pdf Emami,Guaravaram,Pieprzyk,Steinfeld]
 +
|-
 +
| chosen multitarget preimage || hash function || 256 || 6 rounds / 2<sup>16</sup> targets || 2<sup>136</sup> || 2<sup>64</sup> || [http://web.science.mq.edu.au/~rons/preimageattack-final.pdf Emami,Guaravaram,Pieprzyk,Steinfeld]
 +
|-
 +
| chosen multitarget preimage || hash function || 256 || 6 rounds / 2<sup>64</sup> targets || 2<sup>64</sup> || 2<sup>64</sup> || [http://web.science.mq.edu.au/~rons/preimageattack-final.pdf Emami,Guaravaram,Pieprzyk,Steinfeld]
 +
|-
 +
| chosen multitarget preimage || hash function || 256 || 6 rounds / 2<sup>8</sup> targets || 2<sup>120</sup> || 2<sup>64</sup> || [http://web.science.mq.edu.au/~rons/preimageattack-final.pdf Emami,Guaravaram,Pieprzyk,Steinfeld]
 +
|-
 +
| chosen multitarget preimage || hash function || 256 || 7 rounds / 2<sup>80</sup> targets || 2<sup>64</sup> || 2<sup>64</sup> || [http://web.science.mq.edu.au/~rons/preimageattack-final.pdf Emami,Guaravaram,Pieprzyk,Steinfeld]
 +
|-
 +
| chosen multitarget preimage || hash function || 256 || 7 rounds / 2<sup>24</sup> targets || 2<sup>120</sup> || 2<sup>64</sup> || [http://web.science.mq.edu.au/~rons/preimageattack-final.pdf Emami,Guaravaram,Pieprzyk,Steinfeld]
 +
|-
 +
| preimage || hash function || 256 || 5 rounds || 2<sup>144</sup> || 2<sup>64</sup> || [http://web.science.mq.edu.au/~rons/preimageattack-final.pdf Emami,Guaravaram,Pieprzyk,Steinfeld]
 +
|-
 +
| preimage || hash function || 256 || 6 rounds || 2<sup>144</sup> || 2<sup>64</sup> || [http://web.science.mq.edu.au/~rons/preimageattack-final.pdf Emami,Guaravaram,Pieprzyk,Steinfeld]
 +
|-
 +
| pseudo preimage || hash function || 256 || 6 rounds || 2<sup>128</sup> || 2<sup>64</sup> || [http://web.science.mq.edu.au/~rons/preimageattack-final.pdf Emami,Guaravaram,Pieprzyk,Steinfeld]
 +
|- 
 +
| distinguisher  || permutation || 256 || 10 rounds || 2<sup>509</sup> || || [http://fse2011.mat.dtu.dk/slides/Higher-order%20differential%20properties%20of%20Keccak%20and%20Luffa.pdf Boura,Canteaut,DeCannière]
 +
|-         
 +
| semi-free-start collision || compression function || 256 || 6 rounds || 2<sup>120</sup> || 2<sup>64</sup> || [http://groestl.info/groestl-analysis.pdf Schläffer]
 
|-
 
|-
 
| semi-free-start collision || compression function || 384,512 || 6 rounds || 2<sup>180</sup> || 2<sup>64</sup> || [http://groestl.info/groestl-analysis.pdf Schläffer]
 
| semi-free-start collision || compression function || 384,512 || 6 rounds || 2<sup>180</sup> || 2<sup>64</sup> || [http://groestl.info/groestl-analysis.pdf Schläffer]
Line 140: Line 194:
 
|}
 
|}
  
 +
 +
<bibtex>
 +
@inproceedings{DBLP:dblp_conf/fse/JeanNP12,
 +
  author              = {Jérémy Jean and
 +
                          María Naya-Plasencia and
 +
                          Thomas Peyrin and
 +
                          Thomas Peyrin},
 +
  title              = {Improved Rebound Attack on the Finalist Grøstl.},
 +
  booktitle          = {FSE},
 +
  year                = {2012},
 +
  pages              = {110-126},
 +
  url                = {http://dx.doi.org/10.1007/978-3-642-34047-5_7},
 +
  crossref            = {2012},
 +
  abstract = {Grøstl is one of the five finalist hash functions of the SHA-3 competition. For entering this final phase, the designers have tweaked the submitted versions. This tweak renders inapplicable the best known distinguishers on the compression function presented by Peyrin [18] that exploited the internal permutation properties. Since the beginning of the final round, very few analysis have been published on Grøstl. Currently, the best known rebound-based results on the permutation and the compression function for the 256-bit version work up to 8 rounds, and up to 7 rounds for the 512-bit version. In this paper, we present new rebound distinguishers that work on a higher number of rounds for the permutations of both 256 and 512-bit versions of this finalist, that is 9 and 10 respectively. Our distinguishers make use of an algorithm that we propose for solving three fully active states in the middle of the differential characteristic, while the Super-Sbox technique only handles two.}
 +
}
 +
</bibtex>
 +
 +
<bibtex>
 +
@misc{cryptoeprint:2012:206,
 +
    author = {Shuang Wu and Dengguo Feng and Wenling Wu and Jian Guo and Le Dong and Jian Zou},
 +
    title = {(Pseudo) Preimage Attack on Round-Reduced Gr{\o}stl Hash Function and Others (Extended Version)},
 +
    howpublished = {Cryptology ePrint Archive, Report 2012/206},
 +
    year = {2012},
 +
    url = {http://eprint.iacr.org/2012/206.pdf},
 +
    abstract = {The Gr{\o}stl hash function is one of the 5 final round candidates of the SHA-3 competition hosted by NIST. In this paper, we study the preimage resistance of the Gr{\o}stl hash function. We propose pseudo preimage attacks on Gr{\o}stl hash function for both 256-bit and 512-bit versions, i.e. we need to choose the initial value in order to invert the hash function. Pseudo preimage attack on 5(out of 10)-round Gr{\o}stl-256 has a complexity of $(2^{244.85},2^{230.13})$ (in time and memory) and pseudo preimage attack on 8(out of 14)-round Gr{\o}stl-512 has a complexity of $(2^{507.32},2^{507.00})$. To the best of our knowledge, our attacks are the first (pseudo) preimage attacks on round-reduced Gr{\o}stl hash function, including its compression function and output transformation. These results are obtained by a variant of meet-in-the-middle preimage attack framework by Aoki and Sasaki. We also improve the time complexities of the preimage attacks against 5-round Whirlpool and 7-round AES hashes by Sasaki in FSE~2011.}
 +
}
 +
</bibtex>
 +
 +
<bibtex>
 +
@misc{emami-multitarget,
 +
  author = {Sareh Emami and Praveen Gauravaram and Josef Pieprzyk and Ron Steinfeld},
 +
  title = {(Chosen-multi-target) preimage attacks on reduced Grøstl-0},
 +
  url = {http://web.science.mq.edu.au/~rons/preimageattack-final.pdf},
 +
  abstract = {The cryptographic hash function Grøstl is a finalist in the NIST’s SHA-3 hash function
 +
competition and it is a tweaked variant of its predecessor called Grøstl-0, a second round SHA-3 candidate.
 +
In this article, we consider 256-bit Grøstl-0 and its 512-bit compression function. We show that
 +
internal differential trails built between the two almost similar looking permutations of the compression
 +
function can be coverted to chosen-multi-target-preimage attacks, a variant of multi-target preimage
 +
attacks. Consequently, we show chosen-multi-target-preimage attacks for up to 9 out of 10 rounds of
 +
the compression function and up to 7 rounds of the hash function. Finally, we use these attacks as a
 +
tool to find preimages and pseudo preimages for 6 rounds of the 256-bit Grøstl-0 hash function.}
 +
}
 +
</bibtex>
 +
 +
<bibtex>
 +
@misc{cryptoeprint:2012:141,
 +
    author = {Dmitry Khovratovich},
 +
    title = {Bicliques for permutations: collision and preimage attacks in stronger settings},
 +
    howpublished = {Cryptology ePrint Archive, Report 2012/141},
 +
    year = {2012},
 +
    url = {http://eprint.iacr.org/2012/141.pdf},
 +
    abstract = {We extend and improve biclique attacks, which were recently introduced for the cryptanalysis of block ciphers and hash functions. While previous attacks required a primitive to have a key or a message schedule, we show how to mount attacks on the primitives with these parameters fixed, i.e. on permutations. We introduce the concept of sliced bicliques, which is a translation of regular bicliques to the framework with permutations.
 +
 +
The new framework allows to convert preimage attacks into collision attacks and derive the first collision attacks on the reduced SHA-3 finalist Skein in the hash function setting up to 11 rounds. We also demonstrate new preimage attacks on the reduced Skein and the output transformation of the reduced Gr{\o}stl. Finally, the sophisticated technique of message compensation gets a simple explanation with bicliques.}
 +
}
 +
</bibtex>
 +
 +
<bibtex>
 +
@inproceedings{fseBCD11,
 +
  author = {Christina Boura and Anne Canteaut and Christophe De Cannière},
 +
  title = {Higher-order differential properties of Keccak and Luffa},
 +
  url = {http://fse2011.mat.dtu.dk/slides/Higher-order%20differential%20properties%20of%20Keccak%20and%20Luffa.pdf},
 +
  booktitle  = {FSE},
 +
  year      = {2011},
 +
  series    = {LNCS},
 +
  pages    = {252-269},
 +
  publisher = {Springer},
 +
  volume    = {6733},
 +
  abstract = {In this paper, we identify higher-order differential and zero-sum properties in the full Keccak-f permutation, in the Luffa v1 hash function, and in components of the Luffa v2 algorithm. These structural properties rely on a new bound on the degree of iterated permutations with a nonlinear layer composed of parallel applications of smaller balanced Sboxes. These techniques yield zero-sum partitions of size $2^{1590}$ for the full Keccak-f permutation and several observations on the Luffa hash family. We first show that Luffa v1 applied to one-block messages is a function of 255 variables with degree at most 251. This observation leads to the construction of a higher-order differential distinguisher for the full Luffa v1 hash function, similar to the one presented by Watanabe et al. on a reduced version. We show that similar techniques can be used to find all-zero higher-order differentials in the Luffa v2 compression function, but the additional blank round destroys this property in the hash function.},
 +
</bibtex>
  
 
<bibtex>
 
<bibtex>

Latest revision as of 11:12, 1 August 2013

1 The algorithm


Praveen Gauravaram, Lars R. Knudsen, Krystian Matusiewicz, Florian Mendel, Christian Rechberger, Martin Schläffer, Søren S. Thomsen - Grøstl -- a SHA-3 candidate

,2011
http://www.groestl.info/Groestl.pdf
Bibtex
Author : Praveen Gauravaram, Lars R. Knudsen, Krystian Matusiewicz, Florian Mendel, Christian Rechberger, Martin Schläffer, Søren S. Thomsen
Title : Grøstl -- a SHA-3 candidate
In : -
Address :
Date : 2011

Praveen Gauravaram, Lars R. Knudsen, Krystian Matusiewicz, Florian Mendel, Christian Rechberger, Martin Schläffer, Søren S. Thomsen - Grøstl Addendum

,2009
http://groestl.info/Groestl-addendum.pdf
Bibtex
Author : Praveen Gauravaram, Lars R. Knudsen, Krystian Matusiewicz, Florian Mendel, Christian Rechberger, Martin Schläffer, Søren S. Thomsen
Title : Grøstl Addendum
In : -
Address :
Date : 2009

Praveen Gauravaram, Lars R. Knudsen, Krystian Matusiewicz, Florian Mendel, Christian Rechberger, Martin Schläffer, Søren S. Thomsen - Grøstl -- a SHA-3 candidate

,2008
http://groestl.info/Groestl-0.pdf
Bibtex
Author : Praveen Gauravaram, Lars R. Knudsen, Krystian Matusiewicz, Florian Mendel, Christian Rechberger, Martin Schläffer, Søren S. Thomsen
Title : Grøstl -- a SHA-3 candidate
In : -
Address :
Date : 2008

2 Cryptanalysis

We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.

A description of the tables is given here.

Recommended security parameter: 10 rounds (n=224,256); 14 rounds (n=384,512)


2.1 Hash function

Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.

Type of Analysis Hash Size (n) Parameters Compression Function Calls Memory Requirements Reference
collision 224,256 3 rounds 264 - Schläffer
collision 512 3 rounds 2192 - Schläffer


2.2 Building blocks

Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.

Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks).

Type of Analysis Hash Function Part Hash Size (n) Parameters/Variants Compression Function Calls Memory Requirements Reference
distinguisher permutation 256 9 rounds 2368 264 Jean,Naya-Plasencia,Peyrin
distinguisher permutation 512 8 rounds 2280 264 Jean,Naya-Plasencia,Peyrin
distinguisher permutation 512 9 rounds 2328 264 Jean,Naya-Plasencia,Peyrin
distinguisher permutation 512 10 rounds 2392 264 Jean,Naya-Plasencia,Peyrin
preimage output transformation 256 5 rounds 2206 248 Wu,Feng,Wu,Guo,Dong,Zou
pseudo preimage hash function 256 5 rounds 2244.85 2230.13 Wu,Feng,Wu,Guo,Dong,Zou
preimage output transformation 512 8 rounds 2495 216 Wu,Feng,Wu,Guo,Dong,Zou
pseudo preimage hash function 512 8 rounds 2507.32 2507 Wu,Feng,Wu,Guo,Dong,Zou
preimage output transformation 256 6 rounds 2251 Khovratovich
preimage compression function 256 6 rounds 2128 Emami,Guaravaram,Pieprzyk,Steinfeld
chosen multitarget preimage compression function 256 6 rounds / 264 targets 264 264 Emami,Guaravaram,Pieprzyk,Steinfeld
chosen multitarget preimage compression function 256 6 rounds / 28 targets 2120 264 Emami,Guaravaram,Pieprzyk,Steinfeld
chosen multitarget preimage compression function 256 7 rounds / 280 targets 264 264 Emami,Guaravaram,Pieprzyk,Steinfeld
chosen multitarget preimage compression function 256 7 rounds / 224 targets 2120 264 Emami,Guaravaram,Pieprzyk,Steinfeld
chosen multitarget preimage compression function 256 8 rounds / 2192 targets 264 264 Emami,Guaravaram,Pieprzyk,Steinfeld
chosen multitarget preimage compression function 256 8 rounds / 2136 targets 2120 264 Emami,Guaravaram,Pieprzyk,Steinfeld
chosen multitarget preimage compression function 256 9 rounds / 2192 targets 2120 264 Emami,Guaravaram,Pieprzyk,Steinfeld
chosen multitarget preimage hash function 256 5 rounds / 264 targets 280 264 Emami,Guaravaram,Pieprzyk,Steinfeld
chosen multitarget preimage hash function 256 6 rounds / 216 targets 2136 264 Emami,Guaravaram,Pieprzyk,Steinfeld
chosen multitarget preimage hash function 256 6 rounds / 264 targets 264 264 Emami,Guaravaram,Pieprzyk,Steinfeld
chosen multitarget preimage hash function 256 6 rounds / 28 targets 2120 264 Emami,Guaravaram,Pieprzyk,Steinfeld
chosen multitarget preimage hash function 256 7 rounds / 280 targets 264 264 Emami,Guaravaram,Pieprzyk,Steinfeld
chosen multitarget preimage hash function 256 7 rounds / 224 targets 2120 264 Emami,Guaravaram,Pieprzyk,Steinfeld
preimage hash function 256 5 rounds 2144 264 Emami,Guaravaram,Pieprzyk,Steinfeld
preimage hash function 256 6 rounds 2144 264 Emami,Guaravaram,Pieprzyk,Steinfeld
pseudo preimage hash function 256 6 rounds 2128 264 Emami,Guaravaram,Pieprzyk,Steinfeld
distinguisher permutation 256 10 rounds 2509 Boura,Canteaut,DeCannière
semi-free-start collision compression function 256 6 rounds 2120 264 Schläffer
semi-free-start collision compression function 384,512 6 rounds 2180 264 Schläffer
collision hash function 224,256 5 rounds (Round 1/2) 248 232 Ideguchi,Tischhauser,Preneel
collision hash function 256 6 rounds (Round 1/2) 2112 232 Ideguchi,Tischhauser,Preneel
collision hash function 224,256 4 rounds (Round 1/2) 264 264 Mendel,Rechberger,Schläffer,Thomsen
collision hash function 224,256 3 rounds (Round 1/2) 264 - Mendel,Rechberger,Schläffer,Thomsen
collision hash function 384,512 5 rounds (Round 1/2) 2176 264 Mendel,Rechberger,Schläffer,Thomsen
collision hash function 384,512 4 rounds (Round 1/2) 264 264 Mendel,Rechberger,Schläffer,Thomsen
distinguisher compression function 256 10 rounds (Round 1/2) 2175 264 Naya-Plasencia
distinguisher compression function 512 11 rounds (Round 1/2) 2630 264 Naya-Plasencia
distinguisher permutation 256 8 rounds 248 28 Sasaki,Li,Wang,Sakiyama,Ohta
semi-free-start collision compression function 512 7 rounds 2152 256 Sasaki,Li,Wang,Sakiyama,Ohta
semi-free-start collision compression function 224,256 7 rounds (Round 1/2) 280 232 Ideguchi,Tischhauser,Preneel
semi-free-start collision compression function 224,256 8 rounds (Round 1/2) 2192 264 Ideguchi,Tischhauser,Preneel
distinguisher permutation 224,256 7 rounds 219 - Ideguchi,Tischhauser,Preneel
distinguisher permutation 224,256 8 rounds 264 264 Ideguchi,Tischhauser,Preneel
distinguisher compression function 256 10 rounds (Round 1/2) 2192 264 Peyrin
distinguisher compression function 256 9 rounds (Round 1/2) 280 264 Peyrin
distinguisher compression function 512 11 rounds (Round 1/2) 2640 264 Peyrin
semi-free-start collision compression function 256 7 rounds (Round 1/2) 2120 264 Gilbert,Peyrin
distinguisher compression function 256 8 rounds (Round 1/2) 2112 264 Gilbert,Peyrin
distinguisher permutation 256 8 rounds 2112 264 Gilbert,Peyrin
semi-free-start collision compression function 256 7 rounds (Round 1/2) 2120 264 Mendel,Rechberger,Schläffer,Thomsen
semi-free-start collision compression function 384,512 7 rounds (Round 1/2) 2152 264 Mendel,Rechberger,Schläffer,Thomsen
semi-free-start collision compression function 224,256 6 rounds (Round 1/2) 264 264 Mendel,Peyrin,Rechberger,Schläffer
distinguisher output transformation 224,256 7 rounds 256 - Mendel,Peyrin,Rechberger,Schläffer
distinguisher permutation 224,256 7 rounds 255 - Mendel,Peyrin,Rechberger,Schläffer
semi-free-start collision compression function 256 6 rounds (Round 1/2) 2120 264 Mendel,Rechberger,Schläffer,Thomsen
semi-free-start collision compression function 224,256 5 rounds (Round 1/2) 264 - Mendel,Rechberger,Schläffer,Thomsen
observation hash all Kelsey
observation block cipher all Barreto
free-start collision compression function all any 22n/3 22n/3 submission document
pseudo-preimage compression function all any 2n - submission document


Jérémy Jean, María Naya-Plasencia, Thomas Peyrin, Thomas Peyrin - Improved Rebound Attack on the Finalist Grøstl.

FSE pp. 110-126,2012
http://dx.doi.org/10.1007/978-3-642-34047-5_7
Bibtex
Author : Jérémy Jean, María Naya-Plasencia, Thomas Peyrin, Thomas Peyrin
Title : Improved Rebound Attack on the Finalist Grøstl.
In : FSE -
Address :
Date : 2012

Shuang Wu, Dengguo Feng, Wenling Wu, Jian Guo, Le Dong, Jian Zou - (Pseudo) Preimage Attack on Round-Reduced Gr{\o}stl Hash Function and Others (Extended Version)

,2012
http://eprint.iacr.org/2012/206.pdf
Bibtex
Author : Shuang Wu, Dengguo Feng, Wenling Wu, Jian Guo, Le Dong, Jian Zou
Title : (Pseudo) Preimage Attack on Round-Reduced Gr{\o}stl Hash Function and Others (Extended Version)
In : -
Address :
Date : 2012

Sareh Emami, Praveen Gauravaram, Josef Pieprzyk, Ron Steinfeld - (Chosen-multi-target) preimage attacks on reduced Grøstl-0

http://web.science.mq.edu.au/~rons/preimageattack-final.pdf
Bibtex
Author : Sareh Emami, Praveen Gauravaram, Josef Pieprzyk, Ron Steinfeld
Title : (Chosen-multi-target) preimage attacks on reduced Grøstl-0
In : -
Address :
Date :

Dmitry Khovratovich - Bicliques for permutations: collision and preimage attacks in stronger settings

,2012
http://eprint.iacr.org/2012/141.pdf
Bibtex
Author : Dmitry Khovratovich
Title : Bicliques for permutations: collision and preimage attacks in stronger settings
In : -
Address :
Date : 2012

Christina Boura, Anne Canteaut, Christophe De Cannière - Higher-order differential properties of Keccak and Luffa

FSE 6733:252-269,2011
http://fse2011.mat.dtu.dk/slides/Higher-order%20differential%20properties%20of%20Keccak%20and%20Luffa.pdf
Bibtex
Author : Christina Boura, Anne Canteaut, Christophe De Cannière
Title : Higher-order differential properties of Keccak and Luffa
In : FSE -
Address :
Date : 2011

Martin Schläffer - Updated Differential Analysis of Grøstl

, January 2011
http://groestl.info/groestl-analysis.pdf
Bibtex
Author : Martin Schläffer
Title : Updated Differential Analysis of Grøstl
In : -
Address :
Date : January 2011

María Naya-Plasencia - Scrutinizing rebound attacks: new algorithms for improving the complexities

,2010
http://eprint.iacr.org/2010/607.pdf
Bibtex
Author : María Naya-Plasencia
Title : Scrutinizing rebound attacks: new algorithms for improving the complexities
In : -
Address :
Date : 2010

Yu Sasaki, Yang Li, Lei Wang, Kazuo Sakiyama, Kazuo Ohta - New Non-Ideal Properties of AES-Based Permutations: Applications to ECHO and Grøstl

ASIACRYPT 6477:38-55,2010
http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SASAKI_ECHOanalysisFinal.pdf
Bibtex
Author : Yu Sasaki, Yang Li, Lei Wang, Kazuo Sakiyama, Kazuo Ohta
Title : New Non-Ideal Properties of AES-Based Permutations: Applications to ECHO and Grøstl
In : ASIACRYPT -
Address :
Date : 2010

Kota Ideguchi, Elmar Tischhauser, Bart Preneel - Improved Collision Attacks on the Reduced-Round Grøstl Hash Function

ISC 6531:1-16,2010
http://eprint.iacr.org/2010/375.pdf
Bibtex
Author : Kota Ideguchi, Elmar Tischhauser, Bart Preneel
Title : Improved Collision Attacks on the Reduced-Round Grøstl Hash Function
In : ISC -
Address :
Date : 2010

Thomas Peyrin - Improved Differential Attacks for ECHO and Grostl

CRYPTO 6223:370-392,2010
http://eprint.iacr.org/2010/223.pdf
Bibtex
Author : Thomas Peyrin
Title : Improved Differential Attacks for ECHO and Grostl
In : CRYPTO -
Address :
Date : 2010

Henri Gilbert, Thomas Peyrin - Super-Sbox Cryptanalysis: Improved Attacks for AES-like permutations

FSE 6147:365-383,2010
http://eprint.iacr.org/2009/531.pdf
Bibtex
Author : Henri Gilbert, Thomas Peyrin
Title : Super-Sbox Cryptanalysis: Improved Attacks for AES-like permutations
In : FSE -
Address :
Date : 2010

Florian Mendel, Christian Rechberger, Martin Schläffer, Søren S. Thomsen - Rebound Attacks on the Reduced Grøstl Hash Function

CT-RSA 5985:350-365,2010
http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053
Bibtex
Author : Florian Mendel, Christian Rechberger, Martin Schläffer, Søren S. Thomsen
Title : Rebound Attacks on the Reduced Grøstl Hash Function
In : CT-RSA -
Address :
Date : 2010

Florian Mendel, Thomas Peyrin, Christian Rechberger, Martin Schläffer - Improved Cryptanalysis of the Reduced Grøstl

Compression Function, ECHO Permutation and AES Block Cipher

SAC 5867:16-35,2009
http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124407&pCurrPk=44420
Bibtex
Author : Florian Mendel, Thomas Peyrin, Christian

Rechberger, Martin Schläffer
Title : Improved Cryptanalysis of the Reduced Grøstl

Compression Function, ECHO Permutation and AES Block Cipher
In : SAC -
Address :
Date : 2009

Florian Mendel, Christian Rechberger, Martin Schläffer, Søren S. Thomsen - The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grøstl

FSE 5665:260-276,2009
http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124409&pCurrPk=40943
Bibtex
Author : Florian Mendel, Christian Rechberger, Martin Schläffer, Søren S. Thomsen
Title : The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grøstl
In : FSE -
Address :
Date : 2009

John Kelsey - Some notes on Grøstl

, April 2009
http://ehash.iaik.tugraz.at/uploads/d/d0/Grostl-comment-april28.pdf
Bibtex
Author : John Kelsey
Title : Some notes on Grøstl
In : -
Address :
Date : April 2009

Paulo S. L. M. Barreto - An observation on Grøstl

, November 2008
http://www.larc.usp.br/~pbarreto/Grizzly.pdf
Bibtex
Author : Paulo S. L. M. Barreto
Title : An observation on Grøstl
In : -
Address :
Date : November 2008
Retrieved from "https://ehash.iaik.tugraz.at/index.php?title=Groestl&oldid=3770"