Difference between revisions of "Groestl"

From The ECRYPT Hash Function Website
m (Cryptanalysis: moved semifreestart to second table)
(Building blocks: added Naya-Plasencia results)
Line 68: Line 68:
 
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements ||  Reference  
 
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements ||  Reference  
 
|-           
 
|-           
 
+
| distinguisher || compression function || 256 || 10 rounds || 2<sup>175</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/607.pdf Naya-Plasencia]
 +
|-
 +
| distinguisher || compression function || 512 || 11 rounds || 2<sup>630</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/607.pdf Naya-Plasencia]
 +
|-
 
| semi-free-start collision || compression function || 224,256 || 7 rounds || 2<sup>80</sup> || 2<sup>32</sup> || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel]
 
| semi-free-start collision || compression function || 224,256 || 7 rounds || 2<sup>80</sup> || 2<sup>32</sup> || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel]
 
|-
 
|-
Line 113: Line 116:
 
|}
 
|}
  
 +
 +
== Cryptanalysis ==
 +
 +
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.
 +
 +
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].
 +
 +
Recommended security parameter: '''8''' rounds (n=224,256); '''10''' rounds (n=384,512)
 +
 +
=== Hash function ===
 +
 +
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.
 +
 +
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center"                 
 +
|- style="background:#efefef;"                 
 +
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements ||  Reference
 +
|-                   
 +
| collision<sup>(1)</sup> || 256 || 5 rounds || 2<sup>112</sup> || 2<sup>85.3</sup> || [http://eprint.iacr.org/2010/588.pdf Schläffer]
 +
|-                   
 +
|}                   
 +
 +
<sup>(1)</sup> In this attack some problems in the [http://eprint.iacr.org/2010/321.pdf previous attacks] (pointed out by [http://eprint.iacr.org/2010/569.pdf Jean,Fouque]) have been corrected.
 +
 +
 +
=== Building blocks ===
 +
 +
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.
 +
 +
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks).
 +
 +
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center"                 
 +
|- style="background:#efefef;"                 
 +
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements ||  Reference
 +
|-
 +
| distinguisher || permutation || 256 || 8 rounds || 2<sup>151</sup> || 2<sup>67</sup> || [http://eprint.iacr.org/2010/607.pdf Naya-Plasencia]
 +
|-
 +
| distinguisher<sup>(1)</sup> (chosen salt) || compression function || 256 || 7 rounds || 2<sup>160</sup> || 2<sup>128</sup> || [http://eprint.iacr.org/2010/588.pdf Schläffer]
 +
|-                   
 +
| free-start collision<sup>(1)</sup> (chosen salt) || compression function || 256 || 6 rounds || 2<sup>160</sup> || 2<sup>128</sup> || [http://eprint.iacr.org/2010/588.pdf Schläffer]
 +
|-
 +
| semi-free-start collision || compression function || 256 || 4 rounds || 2<sup>52</sup> || 2<sup>16</sup> || [http://eprint.iacr.org/2010/569.pdf Jean,Fouque]
 +
|- 
 +
| semi-free-start collision || compression function || 256 || 3 rounds || 2<sup>64</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/223.pdf Peyrin]
 +
|-                 
 +
| distinguisher || compression function || 256 || 4 rounds || 2<sup>64</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/223.pdf Peyrin]
 +
|-     
 +
| semi-free-start collision || compression function || 512 || 3 rounds || 2<sup>96</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/223.pdf Peyrin]
 +
|-                 
 +
| distinguisher || compression function || 512 || 6 rounds || 2<sup>96</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/223.pdf Peyrin]
 +
|-               
 +
| distinguisher || permutation || all || 8 rounds || 2<sup>768</sup> || 2<sup>512</sup> || [http://eprint.iacr.org/2009/531.pdf Gilbert,Peyrin]
 +
|-                   
 +
| distinguisher || permutation || all || 7 rounds || 2<sup>384</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=110408 Mendel,Peyrin,Rechberger,Schläffer]
 +
|-                   
 +
| distinguisher || permutation || all || 7 rounds || 2<sup>896</sup> || - || [http://crypto.rd.francetelecom.com/echo/doc/echo_description_1-5.pdf submission document]
 +
|-                   
 +
|} 
 +
 +
<sup>(1)</sup> In this attack some problems in the [http://eprint.iacr.org/2010/321.pdf previous attacks] (pointed out by [http://eprint.iacr.org/2010/569.pdf Jean,Fouque]) have been corrected.
 +
 +
 +
<bibtex>
 +
@misc{cryptoeprint:2010:607,
 +
    author = {María Naya-Plasencia},
 +
    title = {Scrutinizing rebound attacks: new algorithms for improving the complexities},
 +
    howpublished = {Cryptology ePrint Archive, Report 2010/607},
 +
    year = {2010},
 +
    note = {\url{http://eprint.iacr.org/}},
 +
    url = {http://eprint.iacr.org/2010/607.pdf},
 +
    abstract = {Rebound attacks are a state-of-the-art analysis method for hash functions. These cryptanalysis methods are based on a well chosen differential path and have been applied to several hash functions from the SHA-3 competition, providing the best known analysis in these cases. In this paper we study rebound attacks in detail and find for a great number of cases, that complexities of existing attacks can be improved. This is done by determining problems that adapt optimally to the cryptanalytic situation, and by using better algorithms to follow the differential path. These improvements are essentially based on merging big lists in a more efficient way, as well as on new ideas on how to reduce the complexities. As a result, we introduce general purpose new algorithms for enabling further rebound analysis to be as performant as possible. We illustrate our new algorithms for real hash functions and demonstrate how to reduce the complexities of the best known analysis on five hash functions: JH, Grøstl, ECHO, Luffa and Lane (the first four are round two SHA-3 candidates).},
 +
}
 +
</bibtex>
  
 
<bibtex>
 
<bibtex>

Revision as of 16:10, 7 December 2010

1 The algorithm

  • Author(s): Praveen Gauravaram, Lars R. Knudsen, Krystian Matusiewicz, Florian Mendel, Christian Rechberger, Martin Schläffer, Søren S. Thomsen
  • Website: http://www.groestl.info
  • NIST submission package:


Praveen Gauravaram, Lars R. Knudsen, Krystian Matusiewicz, Florian Mendel, Christian Rechberger, Martin Schläffer, Søren S. Thomsen - Grøstl -- a SHA-3 candidate

,2008
http://www.groestl.info/Groestl.pdf
Bibtex
Author : Praveen Gauravaram, Lars R. Knudsen, Krystian Matusiewicz, Florian Mendel, Christian Rechberger, Martin Schläffer, Søren S. Thomsen
Title : Grøstl -- a SHA-3 candidate
In : -
Address :
Date : 2008

Praveen Gauravaram, Lars R. Knudsen, Krystian Matusiewicz, Florian Mendel, Christian Rechberger, Martin Schläffer, Søren S. Thomsen - Grøstl Addendum

,2009
http://groestl.info/Groestl-addendum.pdf
Bibtex
Author : Praveen Gauravaram, Lars R. Knudsen, Krystian Matusiewicz, Florian Mendel, Christian Rechberger, Martin Schläffer, Søren S. Thomsen
Title : Grøstl Addendum
In : -
Address :
Date : 2009

2 Cryptanalysis

We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.

A description of the tables is given here.

Recommended security parameter: 10 rounds (n=224,256); 14 rounds (n=384,512)

2.1 Hash function

Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.

Type of Analysis Hash Size (n) Parameters Compression Function Calls Memory Requirements Reference
collision 224,256 5 rounds 248 232 Ideguchi,Tischhauser,Preneel
collision 256 6 rounds 2112 232 Ideguchi,Tischhauser,Preneel
collision 224,256 4 rounds 264 264 Mendel,Rechberger,Schläffer,Thomsen
collision 224,256 3 rounds 264 - Mendel,Rechberger,Schläffer,Thomsen
collision 384,512 5 rounds 2176 264 Mendel,Rechberger,Schläffer,Thomsen
collision 384,512 4 rounds 264 264 Mendel,Rechberger,Schläffer,Thomsen


2.2 Building blocks

Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.

Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks).

Type of Analysis Hash Function Part Hash Size (n) Parameters/Variants Compression Function Calls Memory Requirements Reference
distinguisher compression function 256 10 rounds 2175 264 Naya-Plasencia
distinguisher compression function 512 11 rounds 2630 264 Naya-Plasencia
semi-free-start collision compression function 224,256 7 rounds 280 232 Ideguchi,Tischhauser,Preneel
semi-free-start collision compression function 224,256 8 rounds 2192 264 Ideguchi,Tischhauser,Preneel
distinguisher permutation 224,256 7 rounds 219 - Ideguchi,Tischhauser,Preneel
distinguisher permutation 224,256 8 rounds 264 264 Ideguchi,Tischhauser,Preneel
distinguisher compression function 256 10 rounds 2192 264 Peyrin
distinguisher compression function 256 9 rounds 280 264 Peyrin
distinguisher compression function 512 11 rounds 2640 264 Peyrin
semi-free-start collision compression function 256 7 rounds 2120 264 Gilbert,Peyrin
distinguisher compression function 256 8 rounds 2112 264 Gilbert,Peyrin
distinguisher permutation 256 8 rounds 2112 264 Gilbert,Peyrin
semi-free-start collision compression function 256 7 rounds 2120 264 Mendel,Rechberger,Schläffer,Thomsen
semi-free-start collision compression function 384,512 7 rounds 2152 264 Mendel,Rechberger,Schläffer,Thomsen
semi-free-start collision compression function 224,256 6 rounds 264 264 Mendel,Peyrin,Rechberger,Schläffer
distinguisher output transformation 224,256 7 rounds 256 - Mendel,Peyrin,Rechberger,Schläffer
distinguisher permutation 224,256 7 rounds 255 - Mendel,Peyrin,Rechberger,Schläffer
semi-free-start collision compression function 256 6 rounds 2120 264 Mendel,Rechberger,Schläffer,Thomsen
semi-free-start collision compression function 224,256 5 rounds 264 - Mendel,Rechberger,Schläffer,Thomsen
observation hash all Kelsey
observation block cipher all Barreto
free-start collision compression function all any 22n/3 22n/3 submission document
pseudo-preimage compression function all any 2n - submission document


3 Cryptanalysis

We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.

A description of the tables is given here.

Recommended security parameter: 8 rounds (n=224,256); 10 rounds (n=384,512)

3.1 Hash function

Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.

Type of Analysis Hash Size (n) Parameters Compression Function Calls Memory Requirements Reference
collision(1) 256 5 rounds 2112 285.3 Schläffer

(1) In this attack some problems in the previous attacks (pointed out by Jean,Fouque) have been corrected.


3.2 Building blocks

Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.

Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks).

Type of Analysis Hash Function Part Hash Size (n) Parameters/Variants Compression Function Calls Memory Requirements Reference
distinguisher permutation 256 8 rounds 2151 267 Naya-Plasencia
distinguisher(1) (chosen salt) compression function 256 7 rounds 2160 2128 Schläffer
free-start collision(1) (chosen salt) compression function 256 6 rounds 2160 2128 Schläffer
semi-free-start collision compression function 256 4 rounds 252 216 Jean,Fouque
semi-free-start collision compression function 256 3 rounds 264 264 Peyrin
distinguisher compression function 256 4 rounds 264 264 Peyrin
semi-free-start collision compression function 512 3 rounds 296 264 Peyrin
distinguisher compression function 512 6 rounds 296 264 Peyrin
distinguisher permutation all 8 rounds 2768 2512 Gilbert,Peyrin
distinguisher permutation all 7 rounds 2384 264 Mendel,Peyrin,Rechberger,Schläffer
distinguisher permutation all 7 rounds 2896 - submission document

(1) In this attack some problems in the previous attacks (pointed out by Jean,Fouque) have been corrected.


María Naya-Plasencia - Scrutinizing rebound attacks: new algorithms for improving the complexities

,2010
http://eprint.iacr.org/2010/607.pdf
Bibtex
Author : María Naya-Plasencia
Title : Scrutinizing rebound attacks: new algorithms for improving the complexities
In : -
Address :
Date : 2010

Kota Ideguchi, Elmar Tischhauser, Bart Preneel - Improved Collision Attacks on the Reduced-Round Grøstl Hash Function

,2010
http://eprint.iacr.org/2010/375.pdf
Bibtex
Author : Kota Ideguchi, Elmar Tischhauser, Bart Preneel
Title : Improved Collision Attacks on the Reduced-Round Grøstl Hash Function
In : -
Address :
Date : 2010

Thomas Peyrin - Improved Differential Attacks for ECHO and Grostl

,2010
http://eprint.iacr.org/2010/223.pdf
Bibtex
Author : Thomas Peyrin
Title : Improved Differential Attacks for ECHO and Grostl
In : -
Address :
Date : 2010

Henri Gilbert, Thomas Peyrin - Super-Sbox Cryptanalysis: Improved Attacks for AES-like permutations

FSE ,2010
http://eprint.iacr.org/2009/531.pdf
Bibtex
Author : Henri Gilbert, Thomas Peyrin
Title : Super-Sbox Cryptanalysis: Improved Attacks for AES-like permutations
In : FSE -
Address :
Date : 2010

Florian Mendel, Christian Rechberger, Martin Schläffer, Søren S. Thomsen - Rebound Attacks on the Reduced Grøstl Hash Function

CT-RSA 5985:350-365,2010
http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053
Bibtex
Author : Florian Mendel, Christian Rechberger, Martin Schläffer, Søren S. Thomsen
Title : Rebound Attacks on the Reduced Grøstl Hash Function
In : CT-RSA -
Address :
Date : 2010

Florian Mendel, Thomas Peyrin, Christian Rechberger, Martin Schläffer - Improved Cryptanalysis of the Reduced Grøstl

Compression Function, ECHO Permutation and AES Block Cipher

SAC 5867:16-35,2009
http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124407&pCurrPk=44420
Bibtex
Author : Florian Mendel, Thomas Peyrin, Christian

Rechberger, Martin Schläffer
Title : Improved Cryptanalysis of the Reduced Grøstl

Compression Function, ECHO Permutation and AES Block Cipher
In : SAC -
Address :
Date : 2009

Florian Mendel, Christian Rechberger, Martin Schläffer, Søren S. Thomsen - The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grøstl

FSE 5665:260-276,2009
http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124409&pCurrPk=40943
Bibtex
Author : Florian Mendel, Christian Rechberger, Martin Schläffer, Søren S. Thomsen
Title : The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grøstl
In : FSE -
Address :
Date : 2009

John Kelsey - Some notes on Grøstl

,2009
http://ehash.iaik.tugraz.at/uploads/d/d0/Grostl-comment-april28.pdf
Bibtex
Author : John Kelsey
Title : Some notes on Grøstl
In : -
Address :
Date : 2009

Paulo S. L. M. Barreto - An observation on Grøstl

,2008
http://www.larc.usp.br/~pbarreto/Grizzly.pdf
Bibtex
Author : Paulo S. L. M. Barreto
Title : An observation on Grøstl
In : -
Address :
Date : 2008