Difference between revisions of "Groestl"

From The ECRYPT Hash Function Website
m
m (references updated)
Line 145: Line 145:
 
     author = {Martin Schläffer},
 
     author = {Martin Schläffer},
 
     title = {Updated Differential Analysis of Grøstl},
 
     title = {Updated Differential Analysis of Grøstl},
     howpublished = {Available online},
+
     howpublished = {Grøstl website},
     year = {2010},
+
     month = {January},
     note = {\url{http://eprint.iacr.org/}},
+
     year = {2011},
 
     url = {http://groestl.info/groestl-analysis.pdf},
 
     url = {http://groestl.info/groestl-analysis.pdf},
 
     abstract = {Grøstl is a SHA-3 finalist with clear proofs against a large class of differential attacks, similar to those of MD6. Furthermore, in this note we provide an update also regarding more advanced types of differential attacks that have been developed in recent years. We apply the rebound attacks on the initial submission to the tweaked version of Grøstl. We have analyzed the round-reduced hash function and compression function of Grøstl-256 (10 rounds) and Grøstl-512 (14 rounds). For both versions, we get collisions for 3 rounds of the hash function and collisions for 6 rounds of the compression function. We hope that our own efforts on improving the cryptanalysis will continue to motivate and accelerate external cryptanalysis.},
 
     abstract = {Grøstl is a SHA-3 finalist with clear proofs against a large class of differential attacks, similar to those of MD6. Furthermore, in this note we provide an update also regarding more advanced types of differential attacks that have been developed in recent years. We apply the rebound attacks on the initial submission to the tweaked version of Grøstl. We have analyzed the round-reduced hash function and compression function of Grøstl-256 (10 rounds) and Grøstl-512 (14 rounds). For both versions, we get collisions for 3 rounds of the hash function and collisions for 6 rounds of the compression function. We hope that our own efforts on improving the cryptanalysis will continue to motivate and accelerate external cryptanalysis.},
Line 159: Line 159:
 
     howpublished = {Cryptology ePrint Archive, Report 2010/607},
 
     howpublished = {Cryptology ePrint Archive, Report 2010/607},
 
     year = {2010},
 
     year = {2010},
    note = {\url{http://eprint.iacr.org/}},
 
 
     url = {http://eprint.iacr.org/2010/607.pdf},
 
     url = {http://eprint.iacr.org/2010/607.pdf},
 
     abstract = {Rebound attacks are a state-of-the-art analysis method for hash functions. These cryptanalysis methods are based on a well chosen differential path and have been applied to several hash functions from the SHA-3 competition, providing the best known analysis in these cases. In this paper we study rebound attacks in detail and find for a great number of cases, that complexities of existing attacks can be improved. This is done by determining problems that adapt optimally to the cryptanalytic situation, and by using better algorithms to follow the differential path. These improvements are essentially based on merging big lists in a more efficient way, as well as on new ideas on how to reduce the complexities. As a result, we introduce general purpose new algorithms for enabling further rebound analysis to be as performant as possible. We illustrate our new algorithms for real hash functions and demonstrate how to reduce the complexities of the best known analysis on five hash functions: JH, Grøstl, ECHO, Luffa and Lane (the first four are round two SHA-3 candidates).},
 
     abstract = {Rebound attacks are a state-of-the-art analysis method for hash functions. These cryptanalysis methods are based on a well chosen differential path and have been applied to several hash functions from the SHA-3 competition, providing the best known analysis in these cases. In this paper we study rebound attacks in detail and find for a great number of cases, that complexities of existing attacks can be improved. This is done by determining problems that adapt optimally to the cryptanalytic situation, and by using better algorithms to follow the differential path. These improvements are essentially based on merging big lists in a more efficient way, as well as on new ideas on how to reduce the complexities. As a result, we introduce general purpose new algorithms for enabling further rebound analysis to be as performant as possible. We illustrate our new algorithms for real hash functions and demonstrate how to reduce the complexities of the best known analysis on five hash functions: JH, Grøstl, ECHO, Luffa and Lane (the first four are round two SHA-3 candidates).},
Line 166: Line 165:
  
 
<bibtex>
 
<bibtex>
@misc{groestlechoSLWSO10,
+
@inproceedings{groestlechoSLWSO10,
 
   author = {Yu Sasaki and Yang Li and Lei Wang and Kazuo Sakiyama and Kazuo Ohta},
 
   author = {Yu Sasaki and Yang Li and Lei Wang and Kazuo Sakiyama and Kazuo Ohta},
   title = {New Non-Ideal Properties of AES-Based Permutations: Applications to ECHO and Grøstl
+
   title = {New Non-Ideal Properties of AES-Based Permutations: Applications to ECHO and Grøstl},
},
+
  booktitle = {ASIACRYPT},
   howpublished = {Second SHA-3 Candidate Conference},
+
  year      = {2010},
   year = {2010},
+
   pages    = {38-55},
 +
   publisher = {Springer},
 +
  series    = {LNCS},
 +
  volume    = {6477},
 
   url = {http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SASAKI_ECHOanalysisFinal.pdf},
 
   url = {http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SASAKI_ECHOanalysisFinal.pdf},
 
   abstract = {In this paper, we present non-full-active Super-Sbox analysis which can detect non-ideal
 
   abstract = {In this paper, we present non-full-active Super-Sbox analysis which can detect non-ideal
Line 188: Line 190:
  
 
<bibtex>
 
<bibtex>
@misc{ITP10,
+
@inproceedings{ITP10,
 
     author = {Kota Ideguchi and Elmar Tischhauser and Bart Preneel},
 
     author = {Kota Ideguchi and Elmar Tischhauser and Bart Preneel},
 
     title = {Improved Collision Attacks on the Reduced-Round Grøstl Hash Function},
 
     title = {Improved Collision Attacks on the Reduced-Round Grøstl Hash Function},
 
     howpublished = {Cryptology ePrint Archive, Report 2010/375},
 
     howpublished = {Cryptology ePrint Archive, Report 2010/375},
    year = {2010},
+
  booktitle = {ISC},
     note = {\url{http://eprint.iacr.org/}},
+
  year     = {2010},
 +
  pages     = {1-16},
 +
  publisher = {Springer},
 +
  series    = {LNCS},
 +
  volume    = {6531},
 
     url = {http://eprint.iacr.org/2010/375.pdf},
 
     url = {http://eprint.iacr.org/2010/375.pdf},
 
     abstract = {We analyze the Gr{\o}stl hash function, which is a 2nd-round candidate of the SHA-3 competition. Using the start-from-the-middle variant of the rebound technique, we show collision attacks on the Gr{\o}stl-256 hash function reduced to 5 and 6 out of 10 rounds with time complexities $2^{48}$ and $2^{112}$, respectively. Furthermore, we demonstrate semi-free-start collision attacks on the Gr{\o}stl-224 and -256 hash functions reduced to 7 rounds and the Gr{\o}stl-224 and -256 compression functions reduced to 8 rounds. Our attacks are based on differential paths between the two permutations $P$ and $Q$ of Gr{\o}stl, a strategy introduced by Peyrin to construct distinguishers for the compression function. In this paper, we extend this approach to construct collision and semi-free-start collision attacks for both the hash and the compression function. Finally, we present improved distinguishers for reduced-round versions of the Gr{\o}stl-224 and -256 permutations.},
 
     abstract = {We analyze the Gr{\o}stl hash function, which is a 2nd-round candidate of the SHA-3 competition. Using the start-from-the-middle variant of the rebound technique, we show collision attacks on the Gr{\o}stl-256 hash function reduced to 5 and 6 out of 10 rounds with time complexities $2^{48}$ and $2^{112}$, respectively. Furthermore, we demonstrate semi-free-start collision attacks on the Gr{\o}stl-224 and -256 hash functions reduced to 7 rounds and the Gr{\o}stl-224 and -256 compression functions reduced to 8 rounds. Our attacks are based on differential paths between the two permutations $P$ and $Q$ of Gr{\o}stl, a strategy introduced by Peyrin to construct distinguishers for the compression function. In this paper, we extend this approach to construct collision and semi-free-start collision attacks for both the hash and the compression function. Finally, we present improved distinguishers for reduced-round versions of the Gr{\o}stl-224 and -256 permutations.},
Line 200: Line 206:
  
 
<bibtex>           
 
<bibtex>           
@misc{Pey10,
+
@inproceedings{Pey10,
 
     author = {Thomas Peyrin},
 
     author = {Thomas Peyrin},
 
     title = {Improved Differential Attacks for ECHO and Grostl},
 
     title = {Improved Differential Attacks for ECHO and Grostl},
    howpublished = {Cryptology ePrint Archive, Report 2010/223},
+
  booktitle = {CRYPTO},
    year = {2010},
+
  year     = {2010},
     note = {\url{http://eprint.iacr.org/}},
+
  pages     = {370-392},
 +
  publisher = {Springer},
 +
  series    = {LNCS},
 +
  volume    = {6223},
 
     url = {http://eprint.iacr.org/2010/223.pdf},
 
     url = {http://eprint.iacr.org/2010/223.pdf},
 
     abstract = {We present improved cryptanalysis of two second-round SHA-3 candidates: the AES-based hash functions ECHO and Grostl. We explain methods for building better differential trails for ECHO by increasing the granularity of the truncated differential paths previously considered. In the case of Grostl, we describe a new technique, the internal differential attack, which shows that when using parallel computations designers should also consider the differential security between the parallel branches. Then, we exploit the recently introduced start-from-the-middle or Super-Sbox attacks, that proved to be very efficient when attacking AES-like permutations, to achieve a very efficient utilization of the available freedom degrees. Finally, we obtain the best known attacks so far for both ECHO and Grostl. In particular, we are able to mount a distinguishing attack for the full Grostl-256 compression function.},
 
     abstract = {We present improved cryptanalysis of two second-round SHA-3 candidates: the AES-based hash functions ECHO and Grostl. We explain methods for building better differential trails for ECHO by increasing the granularity of the truncated differential paths previously considered. In the case of Grostl, we describe a new technique, the internal differential attack, which shows that when using parallel computations designers should also consider the differential security between the parallel branches. Then, we exploit the recently introduced start-from-the-middle or Super-Sbox attacks, that proved to be very efficient when attacking AES-like permutations, to achieve a very efficient utilization of the available freedom degrees. Finally, we obtain the best known attacks so far for both ECHO and Grostl. In particular, we are able to mount a distinguishing attack for the full Grostl-256 compression function.},
Line 215: Line 224:
 
   author    = {Henri Gilbert and Thomas Peyrin},
 
   author    = {Henri Gilbert and Thomas Peyrin},
 
   title    = {Super-Sbox Cryptanalysis: Improved Attacks for AES-like permutations},
 
   title    = {Super-Sbox Cryptanalysis: Improved Attacks for AES-like permutations},
  url = {http://eprint.iacr.org/2009/531.pdf},
 
 
   booktitle  = {FSE},
 
   booktitle  = {FSE},
 
   year      = {2010},
 
   year      = {2010},
 
   series    = {LNCS},
 
   series    = {LNCS},
 +
  volume    = {6147},
 
   publisher  = {Springer},
 
   publisher  = {Springer},
   note = {To appear}
+
   pages    = {365-383},
 +
  url = {http://eprint.iacr.org/2009/531.pdf},
 
   abstract = {In this paper, we improve the recent rebound and start-from-the-middle attacks on AES-like permutations. Our new cryptanalysis technique uses the fact that one can view two rounds of such permutations as a layer of big Sboxes preceded and followed by simple affine transformations. The big Sboxes encountered in this alternative representation are named Super-Sboxes. We apply this method to two second-round SHA-3 candidates Grostl and ECHO, and obtain improvements over the previous cryptanalysis results for these two schemes. Moreover, we improve the best distinguisher for the AES block cipher in the known-key setting, reaching 8 rounds for the 128-bit version.}
 
   abstract = {In this paper, we improve the recent rebound and start-from-the-middle attacks on AES-like permutations. Our new cryptanalysis technique uses the fact that one can view two rounds of such permutations as a layer of big Sboxes preceded and followed by simple affine transformations. The big Sboxes encountered in this alternative representation are named Super-Sboxes. We apply this method to two second-round SHA-3 candidates Grostl and ECHO, and obtain improvements over the previous cryptanalysis results for these two schemes. Moreover, we improve the best distinguisher for the AES block cipher in the known-key setting, reaching 8 rounds for the 128-bit version.}
 
</bibtex>
 
</bibtex>
Line 311: Line 321:
 
   title    = {Some notes on Grøstl},
 
   title    = {Some notes on Grøstl},
 
   url        = {http://ehash.iaik.tugraz.at/uploads/d/d0/Grostl-comment-april28.pdf},
 
   url        = {http://ehash.iaik.tugraz.at/uploads/d/d0/Grostl-comment-april28.pdf},
   howpublished = {Available online},
+
   howpublished = {NIST hash function mailing list},
 +
  month    = {April},
 
   year      = {2009},
 
   year      = {2009},
 
   abstract  = {These are some quick notes on some properties and
 
   abstract  = {These are some quick notes on some properties and
Line 326: Line 337:
 
   title    = {An observation on Grøstl},
 
   title    = {An observation on Grøstl},
 
   url        = {http://www.larc.usp.br/~pbarreto/Grizzly.pdf},
 
   url        = {http://www.larc.usp.br/~pbarreto/Grizzly.pdf},
   howpublished = {Available online},
+
   howpublished = {NIST hash function mailing list},
 +
  month    = {November},
 
   year      = {2008},
 
   year      = {2008},
 
   abstract  = {An alternative view of the Groestl SHA-3 submission is
 
   abstract  = {An alternative view of the Groestl SHA-3 submission is

Revision as of 10:04, 22 April 2011

1 The algorithm


Praveen Gauravaram, Lars R. Knudsen, Krystian Matusiewicz, Florian Mendel, Christian Rechberger, Martin Schläffer, Søren S. Thomsen - Grøstl -- a SHA-3 candidate

,2011
http://www.groestl.info/Groestl.pdf
Bibtex
Author : Praveen Gauravaram, Lars R. Knudsen, Krystian Matusiewicz, Florian Mendel, Christian Rechberger, Martin Schläffer, Søren S. Thomsen
Title : Grøstl -- a SHA-3 candidate
In : -
Address :
Date : 2011

Praveen Gauravaram, Lars R. Knudsen, Krystian Matusiewicz, Florian Mendel, Christian Rechberger, Martin Schläffer, Søren S. Thomsen - Grøstl Addendum

,2009
http://groestl.info/Groestl-addendum.pdf
Bibtex
Author : Praveen Gauravaram, Lars R. Knudsen, Krystian Matusiewicz, Florian Mendel, Christian Rechberger, Martin Schläffer, Søren S. Thomsen
Title : Grøstl Addendum
In : -
Address :
Date : 2009

Praveen Gauravaram, Lars R. Knudsen, Krystian Matusiewicz, Florian Mendel, Christian Rechberger, Martin Schläffer, Søren S. Thomsen - Grøstl -- a SHA-3 candidate

,2008
http://groestl.info/Groestl-0.pdf
Bibtex
Author : Praveen Gauravaram, Lars R. Knudsen, Krystian Matusiewicz, Florian Mendel, Christian Rechberger, Martin Schläffer, Søren S. Thomsen
Title : Grøstl -- a SHA-3 candidate
In : -
Address :
Date : 2008

2 Cryptanalysis

We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.

A description of the tables is given here.

Recommended security parameter: 10 rounds (n=224,256); 14 rounds (n=384,512)


2.1 Hash function

Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.

Type of Analysis Hash Size (n) Parameters Compression Function Calls Memory Requirements Reference
collision 224,256 3 rounds 264 - Schläffer
collision 512 3 rounds 2192 - Schläffer


2.2 Building blocks

Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.

Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks).

Type of Analysis Hash Function Part Hash Size (n) Parameters/Variants Compression Function Calls Memory Requirements Reference
semi-free-start collision compression function 256 6 rounds 2112 264 Schläffer
semi-free-start collision compression function 384,512 6 rounds 2180 264 Schläffer
collision hash function 224,256 5 rounds (Round 1/2) 248 232 Ideguchi,Tischhauser,Preneel
collision hash function 256 6 rounds (Round 1/2) 2112 232 Ideguchi,Tischhauser,Preneel
collision hash function 224,256 4 rounds (Round 1/2) 264 264 Mendel,Rechberger,Schläffer,Thomsen
collision hash function 224,256 3 rounds (Round 1/2) 264 - Mendel,Rechberger,Schläffer,Thomsen
collision hash function 384,512 5 rounds (Round 1/2) 2176 264 Mendel,Rechberger,Schläffer,Thomsen
collision hash function 384,512 4 rounds (Round 1/2) 264 264 Mendel,Rechberger,Schläffer,Thomsen
distinguisher compression function 256 10 rounds (Round 1/2) 2175 264 Naya-Plasencia
distinguisher compression function 512 11 rounds (Round 1/2) 2630 264 Naya-Plasencia
distinguisher permutation 256 8 rounds 248 28 Sasaki,Li,Wang,Sakiyama,Ohta
semi-free-start collision compression function 512 7 rounds 2152 256 Sasaki,Li,Wang,Sakiyama,Ohta
semi-free-start collision compression function 224,256 7 rounds (Round 1/2) 280 232 Ideguchi,Tischhauser,Preneel
semi-free-start collision compression function 224,256 8 rounds (Round 1/2) 2192 264 Ideguchi,Tischhauser,Preneel
distinguisher permutation 224,256 7 rounds 219 - Ideguchi,Tischhauser,Preneel
distinguisher permutation 224,256 8 rounds 264 264 Ideguchi,Tischhauser,Preneel
distinguisher compression function 256 10 rounds (Round 1/2) 2192 264 Peyrin
distinguisher compression function 256 9 rounds (Round 1/2) 280 264 Peyrin
distinguisher compression function 512 11 rounds (Round 1/2) 2640 264 Peyrin
semi-free-start collision compression function 256 7 rounds (Round 1/2) 2120 264 Gilbert,Peyrin
distinguisher compression function 256 8 rounds (Round 1/2) 2112 264 Gilbert,Peyrin
distinguisher permutation 256 8 rounds 2112 264 Gilbert,Peyrin
semi-free-start collision compression function 256 7 rounds (Round 1/2) 2120 264 Mendel,Rechberger,Schläffer,Thomsen
semi-free-start collision compression function 384,512 7 rounds (Round 1/2) 2152 264 Mendel,Rechberger,Schläffer,Thomsen
semi-free-start collision compression function 224,256 6 rounds (Round 1/2) 264 264 Mendel,Peyrin,Rechberger,Schläffer
distinguisher output transformation 224,256 7 rounds 256 - Mendel,Peyrin,Rechberger,Schläffer
distinguisher permutation 224,256 7 rounds 255 - Mendel,Peyrin,Rechberger,Schläffer
semi-free-start collision compression function 256 6 rounds (Round 1/2) 2120 264 Mendel,Rechberger,Schläffer,Thomsen
semi-free-start collision compression function 224,256 5 rounds (Round 1/2) 264 - Mendel,Rechberger,Schläffer,Thomsen
observation hash all Kelsey
observation block cipher all Barreto
free-start collision compression function all any 22n/3 22n/3 submission document
pseudo-preimage compression function all any 2n - submission document


Martin Schläffer - Updated Differential Analysis of Grøstl

, January 2011
http://groestl.info/groestl-analysis.pdf
Bibtex
Author : Martin Schläffer
Title : Updated Differential Analysis of Grøstl
In : -
Address :
Date : January 2011

María Naya-Plasencia - Scrutinizing rebound attacks: new algorithms for improving the complexities

,2010
http://eprint.iacr.org/2010/607.pdf
Bibtex
Author : María Naya-Plasencia
Title : Scrutinizing rebound attacks: new algorithms for improving the complexities
In : -
Address :
Date : 2010

Yu Sasaki, Yang Li, Lei Wang, Kazuo Sakiyama, Kazuo Ohta - New Non-Ideal Properties of AES-Based Permutations: Applications to ECHO and Grøstl

ASIACRYPT 6477:38-55,2010
http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SASAKI_ECHOanalysisFinal.pdf
Bibtex
Author : Yu Sasaki, Yang Li, Lei Wang, Kazuo Sakiyama, Kazuo Ohta
Title : New Non-Ideal Properties of AES-Based Permutations: Applications to ECHO and Grøstl
In : ASIACRYPT -
Address :
Date : 2010

Kota Ideguchi, Elmar Tischhauser, Bart Preneel - Improved Collision Attacks on the Reduced-Round Grøstl Hash Function

ISC 6531:1-16,2010
http://eprint.iacr.org/2010/375.pdf
Bibtex
Author : Kota Ideguchi, Elmar Tischhauser, Bart Preneel
Title : Improved Collision Attacks on the Reduced-Round Grøstl Hash Function
In : ISC -
Address :
Date : 2010

Thomas Peyrin - Improved Differential Attacks for ECHO and Grostl

CRYPTO 6223:370-392,2010
http://eprint.iacr.org/2010/223.pdf
Bibtex
Author : Thomas Peyrin
Title : Improved Differential Attacks for ECHO and Grostl
In : CRYPTO -
Address :
Date : 2010

Henri Gilbert, Thomas Peyrin - Super-Sbox Cryptanalysis: Improved Attacks for AES-like permutations

FSE 6147:365-383,2010
http://eprint.iacr.org/2009/531.pdf
Bibtex
Author : Henri Gilbert, Thomas Peyrin
Title : Super-Sbox Cryptanalysis: Improved Attacks for AES-like permutations
In : FSE -
Address :
Date : 2010

Florian Mendel, Christian Rechberger, Martin Schläffer, Søren S. Thomsen - Rebound Attacks on the Reduced Grøstl Hash Function

CT-RSA 5985:350-365,2010
http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053
Bibtex
Author : Florian Mendel, Christian Rechberger, Martin Schläffer, Søren S. Thomsen
Title : Rebound Attacks on the Reduced Grøstl Hash Function
In : CT-RSA -
Address :
Date : 2010

Florian Mendel, Thomas Peyrin, Christian Rechberger, Martin Schläffer - Improved Cryptanalysis of the Reduced Grøstl

Compression Function, ECHO Permutation and AES Block Cipher

SAC 5867:16-35,2009
http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124407&pCurrPk=44420
Bibtex
Author : Florian Mendel, Thomas Peyrin, Christian

Rechberger, Martin Schläffer
Title : Improved Cryptanalysis of the Reduced Grøstl

Compression Function, ECHO Permutation and AES Block Cipher
In : SAC -
Address :
Date : 2009

Florian Mendel, Christian Rechberger, Martin Schläffer, Søren S. Thomsen - The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grøstl

FSE 5665:260-276,2009
http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124409&pCurrPk=40943
Bibtex
Author : Florian Mendel, Christian Rechberger, Martin Schläffer, Søren S. Thomsen
Title : The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grøstl
In : FSE -
Address :
Date : 2009

John Kelsey - Some notes on Grøstl

, April 2009
http://ehash.iaik.tugraz.at/uploads/d/d0/Grostl-comment-april28.pdf
Bibtex
Author : John Kelsey
Title : Some notes on Grøstl
In : -
Address :
Date : April 2009

Paulo S. L. M. Barreto - An observation on Grøstl

, November 2008
http://www.larc.usp.br/~pbarreto/Grizzly.pdf
Bibtex
Author : Paulo S. L. M. Barreto
Title : An observation on Grøstl
In : -
Address :
Date : November 2008