Difference between revisions of "Groestl"

From The ECRYPT Hash Function Website
(Undo revision 3660 by JAumasson (Talk))
(added Sasaki et al)
Line 71: Line 71:
 
|-
 
|-
 
| distinguisher || compression function || 512 || 11 rounds || 2<sup>630</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/607.pdf Naya-Plasencia]
 
| distinguisher || compression function || 512 || 11 rounds || 2<sup>630</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/607.pdf Naya-Plasencia]
 +
|-
 +
| distinguisher || permutation || 256 || 8 rounds || 2<sup>48</sup> || 2<sup>8</sup> || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SASAKI_ECHOanalysisFinal.pdf Sasaki,Li,Wang,Sakiyama,Ohta]
 +
|-
 +
| semi-free-start collision || compression function || 512 || 7 rounds || 2<sup>152</sup> || 2<sup>56</sup> || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SASAKI_ECHOanalysisFinal.pdf Sasaki,Li,Wang,Sakiyama,Ohta]
 
|-
 
|-
 
| semi-free-start collision || compression function || 224,256 || 7 rounds || 2<sup>80</sup> || 2<sup>32</sup> || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel]
 
| semi-free-start collision || compression function || 224,256 || 7 rounds || 2<sup>80</sup> || 2<sup>32</sup> || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel]
Line 116: Line 120:
 
|}
 
|}
  
 
== Cryptanalysis ==
 
 
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.
 
 
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].
 
 
Recommended security parameter: '''8''' rounds (n=224,256); '''10''' rounds (n=384,512)
 
 
=== Hash function ===
 
 
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.
 
 
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center"                 
 
|- style="background:#efefef;"                 
 
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements ||  Reference
 
|-                   
 
| collision<sup>(1)</sup> || 256 || 5 rounds || 2<sup>112</sup> || 2<sup>85.3</sup> || [http://eprint.iacr.org/2010/588.pdf Schläffer]
 
|-                   
 
|}                   
 
 
<sup>(1)</sup> In this attack some problems in the [http://eprint.iacr.org/2010/321.pdf previous attacks] (pointed out by [http://eprint.iacr.org/2010/569.pdf Jean,Fouque]) have been corrected.
 
 
 
=== Building blocks ===
 
 
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.
 
 
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks).
 
 
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center"                 
 
|- style="background:#efefef;"                 
 
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements ||  Reference
 
|-
 
| distinguisher || permutation || 256 || 8 rounds || 2<sup>151</sup> || 2<sup>67</sup> || [http://eprint.iacr.org/2010/607.pdf Naya-Plasencia]
 
|-
 
| distinguisher<sup>(1)</sup> (chosen salt) || compression function || 256 || 7 rounds || 2<sup>160</sup> || 2<sup>128</sup> || [http://eprint.iacr.org/2010/588.pdf Schläffer]
 
|-                   
 
| free-start collision<sup>(1)</sup> (chosen salt) || compression function || 256 || 6 rounds || 2<sup>160</sup> || 2<sup>128</sup> || [http://eprint.iacr.org/2010/588.pdf Schläffer]
 
|-
 
| semi-free-start collision || compression function || 256 || 4 rounds || 2<sup>52</sup> || 2<sup>16</sup> || [http://eprint.iacr.org/2010/569.pdf Jean,Fouque]
 
|- 
 
| semi-free-start collision || compression function || 256 || 3 rounds || 2<sup>64</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/223.pdf Peyrin]
 
|-                 
 
| distinguisher || compression function || 256 || 4 rounds || 2<sup>64</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/223.pdf Peyrin]
 
|-     
 
| semi-free-start collision || compression function || 512 || 3 rounds || 2<sup>96</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/223.pdf Peyrin]
 
|-                 
 
| distinguisher || compression function || 512 || 6 rounds || 2<sup>96</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/223.pdf Peyrin]
 
|-               
 
| distinguisher || permutation || all || 8 rounds || 2<sup>768</sup> || 2<sup>512</sup> || [http://eprint.iacr.org/2009/531.pdf Gilbert,Peyrin]
 
|-                   
 
| distinguisher || permutation || all || 7 rounds || 2<sup>384</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=110408 Mendel,Peyrin,Rechberger,Schläffer]
 
|-                   
 
| distinguisher || permutation || all || 7 rounds || 2<sup>896</sup> || - || [http://crypto.rd.francetelecom.com/echo/doc/echo_description_1-5.pdf submission document]
 
|-                   
 
|} 
 
 
<sup>(1)</sup> In this attack some problems in the [http://eprint.iacr.org/2010/321.pdf previous attacks] (pointed out by [http://eprint.iacr.org/2010/569.pdf Jean,Fouque]) have been corrected.
 
  
  
Line 186: Line 131:
 
     url = {http://eprint.iacr.org/2010/607.pdf},
 
     url = {http://eprint.iacr.org/2010/607.pdf},
 
     abstract = {Rebound attacks are a state-of-the-art analysis method for hash functions. These cryptanalysis methods are based on a well chosen differential path and have been applied to several hash functions from the SHA-3 competition, providing the best known analysis in these cases. In this paper we study rebound attacks in detail and find for a great number of cases, that complexities of existing attacks can be improved. This is done by determining problems that adapt optimally to the cryptanalytic situation, and by using better algorithms to follow the differential path. These improvements are essentially based on merging big lists in a more efficient way, as well as on new ideas on how to reduce the complexities. As a result, we introduce general purpose new algorithms for enabling further rebound analysis to be as performant as possible. We illustrate our new algorithms for real hash functions and demonstrate how to reduce the complexities of the best known analysis on five hash functions: JH, Grøstl, ECHO, Luffa and Lane (the first four are round two SHA-3 candidates).},
 
     abstract = {Rebound attacks are a state-of-the-art analysis method for hash functions. These cryptanalysis methods are based on a well chosen differential path and have been applied to several hash functions from the SHA-3 competition, providing the best known analysis in these cases. In this paper we study rebound attacks in detail and find for a great number of cases, that complexities of existing attacks can be improved. This is done by determining problems that adapt optimally to the cryptanalytic situation, and by using better algorithms to follow the differential path. These improvements are essentially based on merging big lists in a more efficient way, as well as on new ideas on how to reduce the complexities. As a result, we introduce general purpose new algorithms for enabling further rebound analysis to be as performant as possible. We illustrate our new algorithms for real hash functions and demonstrate how to reduce the complexities of the best known analysis on five hash functions: JH, Grøstl, ECHO, Luffa and Lane (the first four are round two SHA-3 candidates).},
 +
}
 +
</bibtex>
 +
 +
<bibtex>
 +
@misc{groestlechoSLWSO10,
 +
  author = {Yu Sasaki and Yang Li and Lei Wang and Kazuo Sakiyama and Kazuo Ohta},
 +
  title = {New Non-Ideal Properties of AES-Based Permutations: Applications to ECHO and Grøstl
 +
},
 +
  howpublished = {Second SHA-3 Candidate Conference},
 +
  year = {2010},
 +
  url = {http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SASAKI_ECHOanalysisFinal.pdf},
 +
  abstract = {In this paper, we present non-full-active Super-Sbox analysis which can detect non-ideal
 +
properties of a class of AES-based permutations with a low complexity. We apply this framework
 +
to SHA-3 round-2 candidates ECHO and Grøstl. The first application is for the full-round (8-round)
 +
ECHO permutation, which is a building block for 256-bit and 224-bit output sizes. By combining several
 +
observations specific to ECHO, our attack detects a non-ideal property with a time complexity of 2^182
 +
and 2^37 amount of memory. The complexity, especially in terms of the product of time and memory,
 +
is drastically reduced from the previous best attack which required 2^512 x 2^512. To the best of our knowledge, this is the first result on the full-round ECHO permutation with both time and memory below 2^256 or 2^224. Note that this result does not impact the security of the ECHO compression function nor the overall hash function. We also show that our method can detect non-ideal properties of the 8-round Grøstl-256 permutation with a practical complexity, and finally show that our approach leads
 +
to an improvement on a semi-free-start collision attack on the 7-round Grøstl-512 compression function.
 +
Our approach is based on a series of attacks on AES-based hash functions such as rebound attack and
 +
Super-Sbox analysis. The core idea is using a new differential path consisting of only non-full-active
 +
states.}
 
}
 
}
 
</bibtex>
 
</bibtex>

Revision as of 14:39, 8 December 2010

1 The algorithm

  • Author(s): Praveen Gauravaram, Lars R. Knudsen, Krystian Matusiewicz, Florian Mendel, Christian Rechberger, Martin Schläffer, Søren S. Thomsen
  • Website: http://www.groestl.info
  • NIST submission package:


Praveen Gauravaram, Lars R. Knudsen, Krystian Matusiewicz, Florian Mendel, Christian Rechberger, Martin Schläffer, Søren S. Thomsen - Grøstl -- a SHA-3 candidate

,2008
http://www.groestl.info/Groestl.pdf
Bibtex
Author : Praveen Gauravaram, Lars R. Knudsen, Krystian Matusiewicz, Florian Mendel, Christian Rechberger, Martin Schläffer, Søren S. Thomsen
Title : Grøstl -- a SHA-3 candidate
In : -
Address :
Date : 2008

Praveen Gauravaram, Lars R. Knudsen, Krystian Matusiewicz, Florian Mendel, Christian Rechberger, Martin Schläffer, Søren S. Thomsen - Grøstl Addendum

,2009
http://groestl.info/Groestl-addendum.pdf
Bibtex
Author : Praveen Gauravaram, Lars R. Knudsen, Krystian Matusiewicz, Florian Mendel, Christian Rechberger, Martin Schläffer, Søren S. Thomsen
Title : Grøstl Addendum
In : -
Address :
Date : 2009

2 Cryptanalysis

We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.

A description of the tables is given here.

Recommended security parameter: 10 rounds (n=224,256); 14 rounds (n=384,512)

2.1 Hash function

Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.

Type of Analysis Hash Size (n) Parameters Compression Function Calls Memory Requirements Reference
collision 224,256 5 rounds 248 232 Ideguchi,Tischhauser,Preneel
collision 256 6 rounds 2112 232 Ideguchi,Tischhauser,Preneel
collision 224,256 4 rounds 264 264 Mendel,Rechberger,Schläffer,Thomsen
collision 224,256 3 rounds 264 - Mendel,Rechberger,Schläffer,Thomsen
collision 384,512 5 rounds 2176 264 Mendel,Rechberger,Schläffer,Thomsen
collision 384,512 4 rounds 264 264 Mendel,Rechberger,Schläffer,Thomsen


2.2 Building blocks

Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.

Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks).

Type of Analysis Hash Function Part Hash Size (n) Parameters/Variants Compression Function Calls Memory Requirements Reference
distinguisher compression function 256 10 rounds 2175 264 Naya-Plasencia
distinguisher compression function 512 11 rounds 2630 264 Naya-Plasencia
distinguisher permutation 256 8 rounds 248 28 Sasaki,Li,Wang,Sakiyama,Ohta
semi-free-start collision compression function 512 7 rounds 2152 256 Sasaki,Li,Wang,Sakiyama,Ohta
semi-free-start collision compression function 224,256 7 rounds 280 232 Ideguchi,Tischhauser,Preneel
semi-free-start collision compression function 224,256 8 rounds 2192 264 Ideguchi,Tischhauser,Preneel
distinguisher permutation 224,256 7 rounds 219 - Ideguchi,Tischhauser,Preneel
distinguisher permutation 224,256 8 rounds 264 264 Ideguchi,Tischhauser,Preneel
distinguisher compression function 256 10 rounds 2192 264 Peyrin
distinguisher compression function 256 9 rounds 280 264 Peyrin
distinguisher compression function 512 11 rounds 2640 264 Peyrin
semi-free-start collision compression function 256 7 rounds 2120 264 Gilbert,Peyrin
distinguisher compression function 256 8 rounds 2112 264 Gilbert,Peyrin
distinguisher permutation 256 8 rounds 2112 264 Gilbert,Peyrin
semi-free-start collision compression function 256 7 rounds 2120 264 Mendel,Rechberger,Schläffer,Thomsen
semi-free-start collision compression function 384,512 7 rounds 2152 264 Mendel,Rechberger,Schläffer,Thomsen
semi-free-start collision compression function 224,256 6 rounds 264 264 Mendel,Peyrin,Rechberger,Schläffer
distinguisher output transformation 224,256 7 rounds 256 - Mendel,Peyrin,Rechberger,Schläffer
distinguisher permutation 224,256 7 rounds 255 - Mendel,Peyrin,Rechberger,Schläffer
semi-free-start collision compression function 256 6 rounds 2120 264 Mendel,Rechberger,Schläffer,Thomsen
semi-free-start collision compression function 224,256 5 rounds 264 - Mendel,Rechberger,Schläffer,Thomsen
observation hash all Kelsey
observation block cipher all Barreto
free-start collision compression function all any 22n/3 22n/3 submission document
pseudo-preimage compression function all any 2n - submission document


María Naya-Plasencia - Scrutinizing rebound attacks: new algorithms for improving the complexities

,2010
http://eprint.iacr.org/2010/607.pdf
Bibtex
Author : María Naya-Plasencia
Title : Scrutinizing rebound attacks: new algorithms for improving the complexities
In : -
Address :
Date : 2010

Yu Sasaki, Yang Li, Lei Wang, Kazuo Sakiyama, Kazuo Ohta - New Non-Ideal Properties of AES-Based Permutations: Applications to ECHO and Grøstl

,2010
http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SASAKI_ECHOanalysisFinal.pdf
Bibtex
Author : Yu Sasaki, Yang Li, Lei Wang, Kazuo Sakiyama, Kazuo Ohta
Title : New Non-Ideal Properties of AES-Based Permutations: Applications to ECHO and Grøstl
In : -
Address :
Date : 2010

Kota Ideguchi, Elmar Tischhauser, Bart Preneel - Improved Collision Attacks on the Reduced-Round Grøstl Hash Function

,2010
http://eprint.iacr.org/2010/375.pdf
Bibtex
Author : Kota Ideguchi, Elmar Tischhauser, Bart Preneel
Title : Improved Collision Attacks on the Reduced-Round Grøstl Hash Function
In : -
Address :
Date : 2010

Thomas Peyrin - Improved Differential Attacks for ECHO and Grostl

,2010
http://eprint.iacr.org/2010/223.pdf
Bibtex
Author : Thomas Peyrin
Title : Improved Differential Attacks for ECHO and Grostl
In : -
Address :
Date : 2010

Henri Gilbert, Thomas Peyrin - Super-Sbox Cryptanalysis: Improved Attacks for AES-like permutations

FSE ,2010
http://eprint.iacr.org/2009/531.pdf
Bibtex
Author : Henri Gilbert, Thomas Peyrin
Title : Super-Sbox Cryptanalysis: Improved Attacks for AES-like permutations
In : FSE -
Address :
Date : 2010

Florian Mendel, Christian Rechberger, Martin Schläffer, Søren S. Thomsen - Rebound Attacks on the Reduced Grøstl Hash Function

CT-RSA 5985:350-365,2010
http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053
Bibtex
Author : Florian Mendel, Christian Rechberger, Martin Schläffer, Søren S. Thomsen
Title : Rebound Attacks on the Reduced Grøstl Hash Function
In : CT-RSA -
Address :
Date : 2010

Florian Mendel, Thomas Peyrin, Christian Rechberger, Martin Schläffer - Improved Cryptanalysis of the Reduced Grøstl

Compression Function, ECHO Permutation and AES Block Cipher

SAC 5867:16-35,2009
http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124407&pCurrPk=44420
Bibtex
Author : Florian Mendel, Thomas Peyrin, Christian

Rechberger, Martin Schläffer
Title : Improved Cryptanalysis of the Reduced Grøstl

Compression Function, ECHO Permutation and AES Block Cipher
In : SAC -
Address :
Date : 2009

Florian Mendel, Christian Rechberger, Martin Schläffer, Søren S. Thomsen - The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grøstl

FSE 5665:260-276,2009
http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124409&pCurrPk=40943
Bibtex
Author : Florian Mendel, Christian Rechberger, Martin Schläffer, Søren S. Thomsen
Title : The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grøstl
In : FSE -
Address :
Date : 2009

John Kelsey - Some notes on Grøstl

,2009
http://ehash.iaik.tugraz.at/uploads/d/d0/Grostl-comment-april28.pdf
Bibtex
Author : John Kelsey
Title : Some notes on Grøstl
In : -
Address :
Date : 2009

Paulo S. L. M. Barreto - An observation on Grøstl

,2008
http://www.larc.usp.br/~pbarreto/Grizzly.pdf
Bibtex
Author : Paulo S. L. M. Barreto
Title : An observation on Grøstl
In : -
Address :
Date : 2008
Retrieved from "https://ehash.iaik.tugraz.at/index.php?title=Groestl&oldid=3662"