Difference between revisions of "Groestl"

Revision as of 10:40, 21 March 2011

1 The algorithm

Author(s): Praveen Gauravaram, Lars R. Knudsen, Krystian Matusiewicz, Florian Mendel, Christian Rechberger, Martin Schläffer, Søren S. Thomsen
Website: http://www.groestl.info
NIST submission package:
- round 3: Groestl_FinalRnd.zip
- round 1/2: Grostl_Round2.zip (old version: Grostl.zip)

Praveen Gauravaram, Lars R. Knudsen, Krystian Matusiewicz, Florian Mendel, Christian Rechberger, Martin Schläffer, Søren S. Thomsen - Grøstl -- a SHA-3 candidate

,2011

http://www.groestl.info/Groestl.pdf
Bibtex

Author : Praveen Gauravaram, Lars R. Knudsen, Krystian Matusiewicz, Florian Mendel, Christian Rechberger, Martin Schläffer, Søren S. Thomsen
Title : Grøstl -- a SHA-3 candidate
In : -
Address :
Date : 2011

Praveen Gauravaram, Lars R. Knudsen, Krystian Matusiewicz, Florian Mendel, Christian Rechberger, Martin Schläffer, Søren S. Thomsen - Grøstl Addendum

,2009

http://groestl.info/Groestl-addendum.pdf
Bibtex

Author : Praveen Gauravaram, Lars R. Knudsen, Krystian Matusiewicz, Florian Mendel, Christian Rechberger, Martin Schläffer, Søren S. Thomsen
Title : Grøstl Addendum
In : -
Address :
Date : 2009

Praveen Gauravaram, Lars R. Knudsen, Krystian Matusiewicz, Florian Mendel, Christian Rechberger, Martin Schläffer, Søren S. Thomsen - Grøstl -- a SHA-3 candidate

,2008

http://groestl.info/Groestl-0.pdf
Bibtex

Author : Praveen Gauravaram, Lars R. Knudsen, Krystian Matusiewicz, Florian Mendel, Christian Rechberger, Martin Schläffer, Søren S. Thomsen
Title : Grøstl -- a SHA-3 candidate
In : -
Address :
Date : 2008

2 Cryptanalysis

We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.

A description of the tables is given here.

Recommended security parameter: 10 rounds (n=224,256); 14 rounds (n=384,512)

2.1 Hash function

Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.

Type of Analysis	Hash Size (n)	Parameters	Compression Function Calls	Memory Requirements	Reference
collision	224,256	3 rounds	2⁶⁴	-	Schläffer
collision	512	4 rounds	2¹⁹²	-	Schläffer

2.2 Building blocks

Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.

Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks).

Type of Analysis	Hash Function Part	Hash Size (n)	Parameters/Variants	Compression Function Calls	Memory Requirements	Reference
semi-free-start collision	compression function	256	6 rounds	2¹¹²	2⁶⁴	Schläffer
semi-free-start collision	compression function	384,512	6 rounds	2¹⁸⁰	2⁶⁴	Schläffer
collision	hash function	224,256	5 rounds (Round 1)	2⁴⁸	2³²	Ideguchi,Tischhauser,Preneel
collision	hash function	256	6 rounds (Round 1)	2¹¹²	2³²	Ideguchi,Tischhauser,Preneel
collision	hash function	224,256	4 rounds (Round 1)	2⁶⁴	2⁶⁴	Mendel,Rechberger,Schläffer,Thomsen
collision	hash function	224,256	3 rounds (Round 1)	2⁶⁴	-	Mendel,Rechberger,Schläffer,Thomsen
collision	hash function	384,512	5 rounds (Round 1)	2¹⁷⁶	2⁶⁴	Mendel,Rechberger,Schläffer,Thomsen
collision	hash function	384,512	4 rounds (Round 1)	2⁶⁴	2⁶⁴	Mendel,Rechberger,Schläffer,Thomsen
distinguisher	compression function	256	10 rounds (Round 1)	2¹⁷⁵	2⁶⁴	Naya-Plasencia
distinguisher	compression function	512	11 rounds (Round 1)	2⁶³⁰	2⁶⁴	Naya-Plasencia
distinguisher	permutation	256	8 rounds	2⁴⁸	2⁸	Sasaki,Li,Wang,Sakiyama,Ohta
semi-free-start collision	compression function	512	7 rounds (Round 1)	2¹⁵²	2⁵⁶	Sasaki,Li,Wang,Sakiyama,Ohta
semi-free-start collision	compression function	224,256	7 rounds (Round 1)	2⁸⁰	2³²	Ideguchi,Tischhauser,Preneel
semi-free-start collision	compression function	224,256	8 rounds (Round 1)	2¹⁹²	2⁶⁴	Ideguchi,Tischhauser,Preneel
distinguisher	permutation	224,256	7 rounds	2¹⁹	-	Ideguchi,Tischhauser,Preneel
distinguisher	permutation	224,256	8 rounds	2⁶⁴	2⁶⁴	Ideguchi,Tischhauser,Preneel
distinguisher	compression function	256	10 rounds (Round 1)	2¹⁹²	2⁶⁴	Peyrin
distinguisher	compression function	256	9 rounds (Round 1)	2⁸⁰	2⁶⁴	Peyrin
distinguisher	compression function	512	11 rounds (Round 1)	2⁶⁴⁰	2⁶⁴	Peyrin
semi-free-start collision	compression function	256	7 rounds (Round 1)	2¹²⁰	2⁶⁴	Gilbert,Peyrin
distinguisher	compression function	256	8 rounds (Round 1)	2¹¹²	2⁶⁴	Gilbert,Peyrin
distinguisher	permutation	256	8 rounds	2¹¹²	2⁶⁴	Gilbert,Peyrin
semi-free-start collision	compression function	256	7 rounds (Round 1)	2¹²⁰	2⁶⁴	Mendel,Rechberger,Schläffer,Thomsen
semi-free-start collision	compression function	384,512	7 rounds (Round 1)	2¹⁵²	2⁶⁴	Mendel,Rechberger,Schläffer,Thomsen
semi-free-start collision	compression function	224,256	6 rounds (Round 1)	2⁶⁴	2⁶⁴	Mendel,Peyrin,Rechberger,Schläffer
distinguisher	output transformation	224,256	7 rounds	2⁵⁶	-	Mendel,Peyrin,Rechberger,Schläffer
distinguisher	permutation	224,256	7 rounds	2⁵⁵	-	Mendel,Peyrin,Rechberger,Schläffer
semi-free-start collision	compression function	256	6 rounds (Round 1)	2¹²⁰	2⁶⁴	Mendel,Rechberger,Schläffer,Thomsen
semi-free-start collision	compression function	224,256	5 rounds (Round 1)	2⁶⁴	-	Mendel,Rechberger,Schläffer,Thomsen
observation	hash	all				Kelsey
observation	block cipher	all				Barreto
free-start collision	compression function	all	any	2^2n/3	2^2n/3	submission document
pseudo-preimage	compression function	all	any	2ⁿ	-	submission document

Martin Schläffer - Updated Differential Analysis of Grøstl

,2010

http://groestl.info/groestl-analysis.pdf
Bibtex

Author : Martin Schläffer
Title : Updated Differential Analysis of Grøstl
In : -
Address :
Date : 2010

María Naya-Plasencia - Scrutinizing rebound attacks: new algorithms for improving the complexities

,2010

http://eprint.iacr.org/2010/607.pdf
Bibtex

Author : María Naya-Plasencia
Title : Scrutinizing rebound attacks: new algorithms for improving the complexities
In : -
Address :
Date : 2010

Yu Sasaki, Yang Li, Lei Wang, Kazuo Sakiyama, Kazuo Ohta - New Non-Ideal Properties of AES-Based Permutations: Applications to ECHO and Grøstl

,2010

http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SASAKI_ECHOanalysisFinal.pdf
Bibtex

Author : Yu Sasaki, Yang Li, Lei Wang, Kazuo Sakiyama, Kazuo Ohta
Title : New Non-Ideal Properties of AES-Based Permutations: Applications to ECHO and Grøstl
In : -
Address :
Date : 2010

Kota Ideguchi, Elmar Tischhauser, Bart Preneel - Improved Collision Attacks on the Reduced-Round Grøstl Hash Function

,2010

http://eprint.iacr.org/2010/375.pdf
Bibtex

Author : Kota Ideguchi, Elmar Tischhauser, Bart Preneel
Title : Improved Collision Attacks on the Reduced-Round Grøstl Hash Function
In : -
Address :
Date : 2010

Thomas Peyrin - Improved Differential Attacks for ECHO and Grostl

,2010

http://eprint.iacr.org/2010/223.pdf
Bibtex

Author : Thomas Peyrin
Title : Improved Differential Attacks for ECHO and Grostl
In : -
Address :
Date : 2010

Henri Gilbert, Thomas Peyrin - Super-Sbox Cryptanalysis: Improved Attacks for AES-like permutations

FSE ,2010

http://eprint.iacr.org/2009/531.pdf
Bibtex

Author : Henri Gilbert, Thomas Peyrin
Title : Super-Sbox Cryptanalysis: Improved Attacks for AES-like permutations
In : FSE -
Address :
Date : 2010

Florian Mendel, Christian Rechberger, Martin Schläffer, Søren S. Thomsen - Rebound Attacks on the Reduced Grøstl Hash Function

CT-RSA 5985:350-365,2010

http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053
Bibtex

Author : Florian Mendel, Christian Rechberger, Martin Schläffer, Søren S. Thomsen
Title : Rebound Attacks on the Reduced Grøstl Hash Function
In : CT-RSA -
Address :
Date : 2010

Florian Mendel, Thomas Peyrin, Christian Rechberger, Martin Schläffer - Improved Cryptanalysis of the Reduced Grøstl

Compression Function, ECHO Permutation and AES Block Cipher

SAC 5867:16-35,2009

http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124407&pCurrPk=44420
Bibtex

Author : Florian Mendel, Thomas Peyrin, Christian

Rechberger, Martin Schläffer
Title : Improved Cryptanalysis of the Reduced Grøstl

Compression Function, ECHO Permutation and AES Block Cipher
In : SAC -
Address :
Date : 2009

Florian Mendel, Christian Rechberger, Martin Schläffer, Søren S. Thomsen - The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grøstl

FSE 5665:260-276,2009

http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124409&pCurrPk=40943
Bibtex

Author : Florian Mendel, Christian Rechberger, Martin Schläffer, Søren S. Thomsen
Title : The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grøstl
In : FSE -
Address :
Date : 2009

John Kelsey - Some notes on Grøstl

,2009

http://ehash.iaik.tugraz.at/uploads/d/d0/Grostl-comment-april28.pdf
Bibtex

Author : John Kelsey
Title : Some notes on Grøstl
In : -
Address :
Date : 2009

Paulo S. L. M. Barreto - An observation on Grøstl

,2008

http://www.larc.usp.br/~pbarreto/Grizzly.pdf
Bibtex

Author : Paulo S. L. M. Barreto
Title : An observation on Grøstl
In : -
Address :
Date : 2008

@@ Line 4: / Line 4: @@
 * Website: [http://www.groestl.info http://www.groestl.info]
 * NIST submission package:
+** round 3: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round3/documents/Groestl_FinalRnd.zip Groestl_FinalRnd.zip]
 ** round 1/2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/Grostl_Round2.zip Grostl_Round2.zip] (old version: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/Grostl.zip Grostl.zip])
@@ Line 12: / Line 13: @@
    title     = {Grøstl -- a SHA-3 candidate},
    url        = {http://www.groestl.info/Groestl.pdf},
-   howpublished = {Submission to NIST},
+   howpublished = {Submission to NIST (Round 3)},
-   year      = {2008},
+   year      = {2011},
 }
 </bibtex>
@@ Line 26: / Line 27: @@
 }
 </bibtex>
+<bibtex>
+@misc{sha3groestl,
+  author    = {Praveen Gauravaram and Lars R. Knudsen and Krystian Matusiewicz and Florian Mendel and Christian Rechberger and Martin Schläffer and Søren S. Thomsen},
+  title     = {Grøstl -- a SHA-3 candidate},
+  url        = {http://groestl.info/Groestl-0.pdf},
+  howpublished = {Submission to NIST (Round 1/2)},
+  year      = {2008},
+}
+</bibtex>
 == Cryptanalysis ==
@@ Line 43: / Line 55: @@
 | Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements ||   Reference
 |-
-| collision || 224,256 || 5 rounds || 2<sup>48</sup> || 2<sup>32</sup> || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel]
+| collision || 224,256 || 3 rounds || 2<sup>64</sup> || - || [http://groestl.info/groestl-analysis.pdf Schläffer]
 |-
-| collision || 256 || 6 rounds || 2<sup>112</sup> || 2<sup>32</sup> || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel]
+| collision || 512 || 4 rounds || 2<sup>192</sup> || - || [http://groestl.info/groestl-analysis.pdf Schläffer]
 |-
-| collision || 224,256 || 4 rounds || 2<sup>64</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]
-|-
-| collision || 224,256 || 3 rounds || 2<sup>64</sup> || - || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]
-|-
-| collision || 384,512 || 5 rounds || 2<sup>176</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]
-|-
-| collision || 384,512 || 4 rounds || 2<sup>64</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]
-|-
 |}
@@ Line 68: / Line 72: @@
 | Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements ||   Reference
 |-
-| distinguisher || compression function || 256 || 10 rounds || 2<sup>175</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/607.pdf Naya-Plasencia]
+| semi-free-start collision || compression function || 256 || 6 rounds || 2<sup>112</sup> || 2<sup>64</sup> || [http://groestl.info/groestl-analysis.pdf Schläffer]
+|-
+| semi-free-start collision || compression function || 384,512 || 6 rounds || 2<sup>180</sup> || 2<sup>64</sup> || [http://groestl.info/groestl-analysis.pdf Schläffer]
+|-
+| collision || hash function || 224,256 || 5 rounds (Round 1) || 2<sup>48</sup> || 2<sup>32</sup> || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel]
 |-
-| distinguisher || compression function || 512 || 11 rounds || 2<sup>630</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/607.pdf Naya-Plasencia]
+| collision || hash function || 256 || 6 rounds (Round 1) || 2<sup>112</sup> || 2<sup>32</sup> || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel]
+|-
+| collision || hash function || 224,256 || 4 rounds (Round 1) || 2<sup>64</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]
+|-
+| collision || hash function || 224,256 || 3 rounds (Round 1) || 2<sup>64</sup> || - || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]
+|-
+| collision || hash function || 384,512 || 5 rounds (Round 1) || 2<sup>176</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]
+|-
+| collision || hash function || 384,512 || 4 rounds (Round 1) || 2<sup>64</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]
+|-
+| distinguisher || compression function || 256 || 10 rounds (Round 1) || 2<sup>175</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/607.pdf Naya-Plasencia]
+|-
+| distinguisher || compression function || 512 || 11 rounds (Round 1) || 2<sup>630</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/607.pdf Naya-Plasencia]
 |-
 | distinguisher || permutation || 256 || 8 rounds || 2<sup>48</sup> || 2<sup>8</sup> || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SASAKI_ECHOanalysisFinal.pdf Sasaki,Li,Wang,Sakiyama,Ohta]
 |-
-| semi-free-start collision || compression function || 512 || 7 rounds || 2<sup>152</sup> || 2<sup>56</sup> || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SASAKI_ECHOanalysisFinal.pdf Sasaki,Li,Wang,Sakiyama,Ohta]
+| semi-free-start collision || compression function || 512 || 7 rounds (Round 1) || 2<sup>152</sup> || 2<sup>56</sup> || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SASAKI_ECHOanalysisFinal.pdf Sasaki,Li,Wang,Sakiyama,Ohta]
 |-
-| semi-free-start collision || compression function || 224,256 || 7 rounds || 2<sup>80</sup> || 2<sup>32</sup> || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel]
+| semi-free-start collision || compression function || 224,256 || 7 rounds (Round 1) || 2<sup>80</sup> || 2<sup>32</sup> || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel]
 |-
-| semi-free-start collision || compression function || 224,256 || 8 rounds || 2<sup>192</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel]
+| semi-free-start collision || compression function || 224,256 || 8 rounds (Round 1) || 2<sup>192</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel]
 |-
 | distinguisher || permutation || 224,256 || 7 rounds || 2<sup>19</sup> || - || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel]
@@ Line 84: / Line 104: @@
 | distinguisher || permutation || 224,256 || 8 rounds || 2<sup>64</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel]
 |-
-| distinguisher || compression function || 256 || 10 rounds || 2<sup>192</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/223.pdf Peyrin]
+| distinguisher || compression function || 256 || 10 rounds (Round 1) || 2<sup>192</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/223.pdf Peyrin]
 |-
-| distinguisher || compression function || 256 || 9 rounds || 2<sup>80</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/223.pdf Peyrin]
+| distinguisher || compression function || 256 || 9 rounds (Round 1) || 2<sup>80</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/223.pdf Peyrin]
 |-
-| distinguisher || compression function || 512 || 11 rounds || 2<sup>640</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/223.pdf Peyrin]
+| distinguisher || compression function || 512 || 11 rounds (Round 1) || 2<sup>640</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/223.pdf Peyrin]
 |-
-| semi-free-start collision || compression function || 256 || 7 rounds || 2<sup>120</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2009/531.pdf Gilbert,Peyrin]
+| semi-free-start collision || compression function || 256 || 7 rounds (Round 1) || 2<sup>120</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2009/531.pdf Gilbert,Peyrin]
 |-
-| distinguisher || compression function || 256 || 8 rounds || 2<sup>112</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2009/531.pdf Gilbert,Peyrin]
+| distinguisher || compression function || 256 || 8 rounds (Round 1) || 2<sup>112</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2009/531.pdf Gilbert,Peyrin]
 |-
 | distinguisher || permutation || 256 || 8 rounds || 2<sup>112</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2009/531.pdf Gilbert,Peyrin]
 |-
-| semi-free-start collision || compression function || 256 || 7 rounds || 2<sup>120</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]
+| semi-free-start collision || compression function || 256 || 7 rounds (Round 1) || 2<sup>120</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]
 |-
-| semi-free-start collision || compression function|| 384,512 || 7 rounds || 2<sup>152</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]
+| semi-free-start collision || compression function|| 384,512 || 7 rounds (Round 1) || 2<sup>152</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]
 |-
-| semi-free-start collision || compression function || 224,256 || 6 rounds || 2<sup>64</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124407&pCurrPk=44420 Mendel,Peyrin,Rechberger,Schläffer]
+| semi-free-start collision || compression function || 224,256 || 6 rounds (Round 1) || 2<sup>64</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124407&pCurrPk=44420 Mendel,Peyrin,Rechberger,Schläffer]
 |-
 | distinguisher || output transformation || 224,256 || 7 rounds || 2<sup>56</sup> || - || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124407&pCurrPk=44420 Mendel,Peyrin,Rechberger,Schläffer]
@@ Line 106: / Line 126: @@
 | distinguisher || permutation || 224,256 || 7 rounds || 2<sup>55</sup> || - || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124407&pCurrPk=44420 Mendel,Peyrin,Rechberger,Schläffer]
 |-
-| semi-free-start collision || compression function || 256 || 6 rounds || 2<sup>120</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124409&pCurrPk=40943 Mendel,Rechberger,Schläffer,Thomsen]
+| semi-free-start collision || compression function || 256 || 6 rounds (Round 1) || 2<sup>120</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124409&pCurrPk=40943 Mendel,Rechberger,Schläffer,Thomsen]
 |-
-| semi-free-start collision || compression function || 224,256 || 5 rounds || 2<sup>64</sup> || - || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124409&pCurrPk=40943 Mendel,Rechberger,Schläffer,Thomsen]
+| semi-free-start collision || compression function || 224,256 || 5 rounds (Round 1) || 2<sup>64</sup> || - || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124409&pCurrPk=40943 Mendel,Rechberger,Schläffer,Thomsen]
 |-
 | observation || hash  || all  ||  ||  ||  || [http://ehash.iaik.tugraz.at/uploads/d/d0/Grostl-comment-april28.pdf Kelsey]
@@ Line 121: / Line 141: @@
+<bibtex>
+@misc{groestlSchlaeffer11,
+    author = {Martin Schläffer},
+    title = {Updated Differential Analysis of Grøstl},
+    howpublished = {Available online},
+    year = {2010},
+    note = {\url{http://eprint.iacr.org/}},
+    url = {http://groestl.info/groestl-analysis.pdf},
+    abstract = {Grøstl is a SHA-3 finalist with clear proofs against a large class of differential attacks, similar to those of MD6. Furthermore, in this note we provide an update also regarding more advanced types of differential attacks that have been developed in recent years. We apply the rebound attacks on the initial submission to the tweaked version of Grøstl. We have analyzed the round-reduced hash function and compression function of Grøstl-256 (10 rounds) and Grøstl-512 (14 rounds). For both versions, we get collisions for 3 rounds of the hash function and collisions for 6 rounds of the compression function. We hope that our own efforts on improving the cryptanalysis will continue to motivate and accelerate external cryptanalysis.},
+}
+</bibtex>
 <bibtex>

Difference between revisions of "Groestl"

Revision as of 10:40, 21 March 2011

Contents

1 The algorithm

2 Cryptanalysis

2.1 Hash function

2.2 Building blocks

Navigation menu

Views

Personal tools

Navigation

Search

Tools