Difference between revisions of "SHAvite-3"
From The ECRYPT Hash Function Website
(Attacks on Hash Functions based on Generalized Feistel - Application to Reduced-Round Lesamnta and SHAvite-3) |
Mschlaeffer (talk | contribs) m |
||
| (4 intermediate revisions by 3 users not shown) | |||
| Line 35: | Line 35: | ||
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here]. | A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here]. | ||
| + | Recommended security parameter: '''12''' rounds (n=224,256); '''14''' rounds (n=384,512) | ||
=== Hash function === | === Hash function === | ||
| − | Here we list results on the | + | Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter. |
| − | |||
| − | |||
| − | {| border="1" cellpadding="4" cellspacing="0" class="wikitable" style="text-align:center" | + | {| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" |
|- style="background:#efefef;" | |- style="background:#efefef;" | ||
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference | | Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference | ||
| + | |- | ||
| + | | second preimage || 512 || 10 rounds || 2<sup>497</sup> || 2<sup>16</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getvolltext?pCurrPk=49974 Gauravaram et al.] | ||
|- | |- | ||
| second preimage || 512 || 9 rounds || 2<sup>496</sup> || 2<sup>16</sup> || [http://eprint.iacr.org/2009/634.pdf Bouillaguet et al.] | | second preimage || 512 || 9 rounds || 2<sup>496</sup> || 2<sup>16</sup> || [http://eprint.iacr.org/2009/634.pdf Bouillaguet et al.] | ||
| Line 57: | Line 58: | ||
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks). | Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks). | ||
| − | {| border="1" cellpadding="4" cellspacing="0" class="wikitable" style="text-align:center" | + | {| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" |
|- style="background:#efefef;" | |- style="background:#efefef;" | ||
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference | | Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference | ||
|- | |- | ||
| + | | observations || hash || all || || || || [http://people.item.ntnu.no/~danilog/Hash/Non-random-behaviour-narrow-pipe-designs-03.pdf Gligoroski] | ||
| + | |- | ||
| + | | pseudo-preimage || compression || 512 || 14 rounds || 2<sup>384+s</sup> || 2<sup>128-s</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getvolltext?pCurrPk=49974 Gauravaram et al.] | ||
| + | |- | ||
| + | | pseudo-collision || compression || 512 || 14 rounds || 2<sup>192</sup> || 2<sup>128</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getvolltext?pCurrPk=49974 Gauravaram et al.] | ||
| + | |- | ||
| pseudo-collision || compression || all || full (Round 1) || || || [http://ehash.iaik.tugraz.at/uploads/e/ea/Peyrin-SHAvite-3.txt Peyrin] | | pseudo-collision || compression || all || full (Round 1) || || || [http://ehash.iaik.tugraz.at/uploads/e/ea/Peyrin-SHAvite-3.txt Peyrin] | ||
|- | |- | ||
| Line 71: | Line 78: | ||
|} | |} | ||
| + | |||
| + | <bibtex> | ||
| + | @misc{shaviteGli10, | ||
| + | author = {Danilo Gligoroski}, | ||
| + | title = {Narrow-pipe SHA-3 candidates differ significantly from ideal random functions defined over big domains}, | ||
| + | url = {http://people.item.ntnu.no/~danilog/Hash/Non-random-behaviour-narrow-pipe-designs-03.pdf}, | ||
| + | howpublished = {NIST mailing list}, | ||
| + | year = {2010}, | ||
| + | } | ||
| + | </bibtex> | ||
| + | |||
| + | <bibtex> | ||
| + | @inproceedings{africacryptGauravaramLMNPRS10, | ||
| + | author = {Praveen Gauravaram and Gaëtan Leurent and Florian Mendel and Maria Naya-Plasencia and Thomas Peyrin and Christian Rechberger and Martin Schläffer}, | ||
| + | title = {Cryptanalysis of the 10-Round Hash and Full Compression Function of SHAvite-3-512}, | ||
| + | booktitle = {Africacrypt}, | ||
| + | year = {2010}, | ||
| + | editor = {Daniel J. Bernstein and Tanja Lange}, | ||
| + | volume = {6055}, | ||
| + | series = {LNCS}, | ||
| + | pages = {419 - 436}, | ||
| + | publisher = {Springer}, | ||
| + | url= {http://online.tu-graz.ac.at/tug_online/voe_main2.getvolltext?pCurrPk=49974}, | ||
| + | abstract = {In this paper, we analyze the SHAvite-3-512 hash function, as proposed and tweaked for round 2 of the SHA-3 competition. We present cryptanalytic results on 10 out of 14 rounds of the hash function SHAvite-3-512, and on the full 14 round compression function of SHAvite-3-512. We show a second preimage attack on the hash function reduced to 10 rounds with a complexity of $2^{497}$ compression function evaluations and $2^{16}$ memory. For the full 14-round compression function, we give a chosen counter, chosen salt preimage attack with $2^{384}$ compression function evaluations and $2^{128}$ memory (or complexity $2^{448}$ without memory), and a collision attack with $2^{192}$ compression function evaluations and $2^{128}$ memory.}, | ||
| + | } | ||
| + | </bibtex> | ||
<bibtex> | <bibtex> | ||
@misc{cryptoeprint:2009:634, | @misc{cryptoeprint:2009:634, | ||
| − | author = {Charles Bouillaguet and Orr Dunkelman and | + | author = {Charles Bouillaguet and Orr Dunkelman and Gaëtan Leurent and Pierre-Alain Fouque}, |
title = {Attacks on Hash Functions based on Generalized Feistel - Application to Reduced-Round Lesamnta and SHAvite-3_{512}}, | title = {Attacks on Hash Functions based on Generalized Feistel - Application to Reduced-Round Lesamnta and SHAvite-3_{512}}, | ||
howpublished = {Cryptology ePrint Archive, Report 2009/634}, | howpublished = {Cryptology ePrint Archive, Report 2009/634}, | ||
Latest revision as of 14:54, 5 July 2010
1 The algorithm
- Author(s): Eli Biham and Orr Dunkelman
- Website: http://www.cs.technion.ac.il/~orrd/SHAvite-3/
- NIST submission package:
- round 1: SHAvite3Update.zip (old version: SHAvite-3.zip)
- round 2: SHAvite-3_Round2.zip
Eli Biham, Orr Dunkelman - The SHAvite-3 Hash Function
- ,2009
- http://www.cs.technion.ac.il/~orrd/SHAvite-3/Spec.15.09.09.pdf
BibtexAuthor : Eli Biham, Orr Dunkelman
Title : The SHAvite-3 Hash Function
In : -
Address :
Date : 2009
Eli Biham, Orr Dunkelman - The SHAvite-3 Hash Function
- ,2008
- http://ehash.iaik.tugraz.at/uploads/f/f5/Shavite.pdf
BibtexAuthor : Eli Biham, Orr Dunkelman
Title : The SHAvite-3 Hash Function
In : -
Address :
Date : 2008
2 Cryptanalysis
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.
A description of the tables is given here.
Recommended security parameter: 12 rounds (n=224,256); 14 rounds (n=384,512)
2.1 Hash function
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.
| Type of Analysis | Hash Size (n) | Parameters | Compression Function Calls | Memory Requirements | Reference |
| second preimage | 512 | 10 rounds | 2497 | 216 | Gauravaram et al. |
| second preimage | 512 | 9 rounds | 2496 | 216 | Bouillaguet et al. |
2.2 Building blocks
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks).
| Type of Analysis | Hash Function Part | Hash Size (n) | Parameters/Variants | Compression Function Calls | Memory Requirements | Reference |
| observations | hash | all | Gligoroski | |||
| pseudo-preimage | compression | 512 | 14 rounds | 2384+s | 2128-s | Gauravaram et al. |
| pseudo-collision | compression | 512 | 14 rounds | 2192 | 2128 | Gauravaram et al. |
| pseudo-collision | compression | all | full (Round 1) | Peyrin | ||
| pseudo-collision | compression | 256 | full (Round 1) | Nandi,Paul | ||
| impossible differential | block cipher | 224,256 | 5 rounds | - | - | submission document |
| impossible differential | block cipher | 384,512 | 9 rounds | - | - | submission document |
Danilo Gligoroski - Narrow-pipe SHA-3 candidates differ significantly from ideal random functions defined over big domains
- ,2010
- http://people.item.ntnu.no/~danilog/Hash/Non-random-behaviour-narrow-pipe-designs-03.pdf
BibtexAuthor : Danilo Gligoroski
Title : Narrow-pipe SHA-3 candidates differ significantly from ideal random functions defined over big domains
In : -
Address :
Date : 2010
Praveen Gauravaram, Gaëtan Leurent, Florian Mendel, Maria Naya-Plasencia, Thomas Peyrin, Christian Rechberger, Martin Schläffer - Cryptanalysis of the 10-Round Hash and Full Compression Function of SHAvite-3-512
- Africacrypt 6055:419 - 436,2010
- http://online.tu-graz.ac.at/tug_online/voe_main2.getvolltext?pCurrPk=49974
BibtexAuthor : Praveen Gauravaram, Gaëtan Leurent, Florian Mendel, Maria Naya-Plasencia, Thomas Peyrin, Christian Rechberger, Martin Schläffer
Title : Cryptanalysis of the 10-Round Hash and Full Compression Function of SHAvite-3-512
In : Africacrypt -
Address :
Date : 2010
Charles Bouillaguet, Orr Dunkelman, Gaëtan Leurent, Pierre-Alain Fouque - Attacks on Hash Functions based on Generalized Feistel - Application to Reduced-Round Lesamnta and SHAvite-3_{512}
- ,2009
- http://eprint.iacr.org/2009/634.pdf
BibtexAuthor : Charles Bouillaguet, Orr Dunkelman, Gaëtan Leurent, Pierre-Alain Fouque
Title : Attacks on Hash Functions based on Generalized Feistel - Application to Reduced-Round Lesamnta and SHAvite-3_{512}
In : -
Address :
Date : 2009
Thomas Peyrin - Chosen-salt, chosen-counter, pseudo-collision on SHAvite-3 compression function
- ,2009
- http://ehash.iaik.tugraz.at/uploads/e/ea/Peyrin-SHAvite-3.txt
BibtexAuthor : Thomas Peyrin
Title : Chosen-salt, chosen-counter, pseudo-collision on SHAvite-3 compression function
In : -
Address :
Date : 2009
Mridul Nandi, Souradyuti Paul - OFFICIAL COMMENT: SHAvite-3
