Difference between revisions of "SHAvite-3"
From The ECRYPT Hash Function Website
m |
(Attacks on Hash Functions based on Generalized Feistel - Application to Reduced-Round Lesamnta and SHAvite-3) |
||
| Line 46: | Line 46: | ||
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference | | Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference | ||
|- | |- | ||
| − | | || || || || || | + | | second preimage || 512 || 9 rounds || 2<sup>496</sup> || 2<sup>16</sup> || [http://eprint.iacr.org/2009/634.pdf Bouillaguet et al.] |
|- | |- | ||
|} | |} | ||
| Line 60: | Line 60: | ||
|- style="background:#efefef;" | |- style="background:#efefef;" | ||
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference | | Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference | ||
| − | |- | + | |- |
| − | + | | pseudo-collision || compression || all || full (Round 1) || || || [http://ehash.iaik.tugraz.at/uploads/e/ea/Peyrin-SHAvite-3.txt Peyrin] | |
|- | |- | ||
| − | + | | pseudo-collision || compression || 256 || full (Round 1) || || || [http://ehash.iaik.tugraz.at/uploads/5/5c/NandiP-SHAvite-3.txt Nandi,Paul] | |
|- | |- | ||
| impossible differential || block cipher || 224,256 || 5 rounds || - || - || [http://www.cs.technion.ac.il/~orrd/SHAvite-3/Spec.15.09.09.pdf submission document] | | impossible differential || block cipher || 224,256 || 5 rounds || - || - || [http://www.cs.technion.ac.il/~orrd/SHAvite-3/Spec.15.09.09.pdf submission document] | ||
| Line 72: | Line 72: | ||
| + | <bibtex> | ||
| + | @misc{cryptoeprint:2009:634, | ||
| + | author = {Charles Bouillaguet and Orr Dunkelman and Ga\"etan Leurent and Pierre-Alain Fouque}, | ||
| + | title = {Attacks on Hash Functions based on Generalized Feistel - Application to Reduced-Round Lesamnta and SHAvite-3_{512}}, | ||
| + | howpublished = {Cryptology ePrint Archive, Report 2009/634}, | ||
| + | year = {2009}, | ||
| + | url= {http://eprint.iacr.org/2009/634.pdf}, | ||
| + | abstract = {In this paper we study the strength of two hash functions which are based on Generalized Feistels. Our proposed attacks themselves are mostly independent of the round function in use, and can be applied to similar hash functions which share the same structure but have different round functions. | ||
| + | We start with a 22-round generic attack on the structure of Lesamnta, and adapt it to the actual round function to attack 24-round Lesamnta. We then show a generic integral attack on 20-round Lesamnta (which can be used against the block cipher itself). We follow with an attack on 9-round SHAvite-3_{512} which is the first cryptanalytic result on the hash function (which also works for the tweaked version of SHAvite-3_{512}).}, | ||
| + | } | ||
| + | </bibtex> | ||
<bibtex> | <bibtex> | ||
Revision as of 12:19, 15 February 2010
1 The algorithm
- Author(s): Eli Biham and Orr Dunkelman
- Website: http://www.cs.technion.ac.il/~orrd/SHAvite-3/
- NIST submission package:
- round 1: SHAvite3Update.zip (old version: SHAvite-3.zip)
- round 2: SHAvite-3_Round2.zip
Eli Biham, Orr Dunkelman - The SHAvite-3 Hash Function
- ,2009
- http://www.cs.technion.ac.il/~orrd/SHAvite-3/Spec.15.09.09.pdf
BibtexAuthor : Eli Biham, Orr Dunkelman
Title : The SHAvite-3 Hash Function
In : -
Address :
Date : 2009
Eli Biham, Orr Dunkelman - The SHAvite-3 Hash Function
- ,2008
- http://ehash.iaik.tugraz.at/uploads/f/f5/Shavite.pdf
BibtexAuthor : Eli Biham, Orr Dunkelman
Title : The SHAvite-3 Hash Function
In : -
Address :
Date : 2008
2 Cryptanalysis
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.
A description of the tables is given here.
2.1 Hash function
Here we list results on the actual hash function. The only allowed modification is to change the security parameter.
Recommended security parameter: 12 rounds (n=224,256); 14 rounds (n=384,512)
| Type of Analysis | Hash Size (n) | Parameters | Compression Function Calls | Memory Requirements | Reference |
| second preimage | 512 | 9 rounds | 2496 | 216 | Bouillaguet et al. |
2.2 Building blocks
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks).
| Type of Analysis | Hash Function Part | Hash Size (n) | Parameters/Variants | Compression Function Calls | Memory Requirements | Reference |
| pseudo-collision | compression | all | full (Round 1) | Peyrin | ||
| pseudo-collision | compression | 256 | full (Round 1) | Nandi,Paul | ||
| impossible differential | block cipher | 224,256 | 5 rounds | - | - | submission document |
| impossible differential | block cipher | 384,512 | 9 rounds | - | - | submission document |
Charles Bouillaguet, Orr Dunkelman, Ga\"etan Leurent, Pierre-Alain Fouque - Attacks on Hash Functions based on Generalized Feistel - Application to Reduced-Round Lesamnta and SHAvite-3_{512}
- ,2009
- http://eprint.iacr.org/2009/634.pdf
BibtexAuthor : Charles Bouillaguet, Orr Dunkelman, Ga\"etan Leurent, Pierre-Alain Fouque
Title : Attacks on Hash Functions based on Generalized Feistel - Application to Reduced-Round Lesamnta and SHAvite-3_{512}
In : -
Address :
Date : 2009
Thomas Peyrin - Chosen-salt, chosen-counter, pseudo-collision on SHAvite-3 compression function
- ,2009
- http://ehash.iaik.tugraz.at/uploads/e/ea/Peyrin-SHAvite-3.txt
BibtexAuthor : Thomas Peyrin
Title : Chosen-salt, chosen-counter, pseudo-collision on SHAvite-3 compression function
In : -
Address :
Date : 2009
Mridul Nandi, Souradyuti Paul - OFFICIAL COMMENT: SHAvite-3
