Difference between revisions of "Shabal"
m (→The algorithm) |
(added eprint 2010/434) |
||
(24 intermediate revisions by 7 users not shown) | |||
Line 3: | Line 3: | ||
* Author(s): Emmanuel Bresson, Anne Canteaut, Benoît Chevallier-Mames, Christophe Clavier, Thomas Fuhr, Aline Gouget, Thomas Icart, Jean-François Misarsky, Marìa Naya-Plasencia, Pascal Paillier, Thomas Pornin, Jean-René Reinhard, Céline Thuillet, Marion Videau | * Author(s): Emmanuel Bresson, Anne Canteaut, Benoît Chevallier-Mames, Christophe Clavier, Thomas Fuhr, Aline Gouget, Thomas Icart, Jean-François Misarsky, Marìa Naya-Plasencia, Pascal Paillier, Thomas Pornin, Jean-René Reinhard, Céline Thuillet, Marion Videau | ||
* Website: http://www.shabal.com/ | * Website: http://www.shabal.com/ | ||
− | * NIST submission package: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/Shabal.zip Shabal.zip] | + | * NIST submission package: |
+ | ** round 1/2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/Shabal_Round2.zip Shabal_Round2.zip] (old version: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/Shabal.zip Shabal.zip]) | ||
<bibtex> | <bibtex> | ||
@misc{sha3CanteautCGPP08, | @misc{sha3CanteautCGPP08, | ||
− | author = {Emmanuel Bresson | + | author = {Emmanuel Bresson and Anne Canteaut and Benoît Chevallier-Mames and Christophe Clavier and Thomas Fuhr and Aline Gouget and Thomas Icart and Jean-François Misarsky and Marìa Naya-Plasencia and Pascal Paillier and Thomas Pornin and Jean-René Reinhard and Céline Thuillet and Marion Videau}, |
title = {Shabal, a Submission to NIST’s Cryptographic Hash Algorithm Competition}, | title = {Shabal, a Submission to NIST’s Cryptographic Hash Algorithm Competition}, | ||
url = {http://ehash.iaik.tugraz.at/uploads/6/6c/Shabal.pdf}, | url = {http://ehash.iaik.tugraz.at/uploads/6/6c/Shabal.pdf}, | ||
Line 15: | Line 16: | ||
} | } | ||
</bibtex> | </bibtex> | ||
+ | |||
+ | <bibtex> | ||
+ | @misc{cryptoeprint:2009:199, | ||
+ | author = {Emmanuel Bresson and Anne Canteaut and Benoît Chevallier-Mames and Christophe Clavier and Thomas Fuhr and Aline Gouget and Thomas Icart and Jean-François Misarsky and Marìa Naya-Plasencia and Pascal Paillier and Thomas Pornin and Jean-René Reinhard and Céline Thuillet and Marion Videau}, | ||
+ | title = {Indifferentiability with Distinguishers: Why Shabal Does Not Require Ideal Ciphers}, | ||
+ | howpublished = {Cryptology ePrint Archive, Report 2009/199}, | ||
+ | year = {2009}, | ||
+ | url = {http://eprint.iacr.org/2009/199.pdf}, | ||
+ | abstract = {Shabal is based on a new provably secure mode of operation. Some related-key distinguishers for the underlying keyed permutation have been exhibited recently by Aumasson et al. and Knudsen et al., but with no visible impact on the security of Shabal. This paper then aims at extensively studying such distinguishers for the keyed permutation used in Shabal, and at clarifying the impact that they exert on the security of the full hash function. Most interestingly, a new security proof for Shabal's mode of operation is provided where the keyed permutation is not assumed to be an ideal cipher anymore, but observes a distinguishing property i.e., an explicit relation verified by all its inputs and outputs. As a consequence of this extended proof, all known distinguishers for the keyed permutation are proven not to weaken the security of Shabal. In our study, we provide the foundation of a generalization of the indifferentiability framework to biased random primitives, this part being of independent interest.}, | ||
+ | } | ||
+ | </bibtex> | ||
+ | |||
== Cryptanalysis == | == Cryptanalysis == | ||
− | + | We distinguish between two cases: results on the complete hash function, and results on underlying building blocks. | |
+ | |||
+ | A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here]. | ||
+ | |||
+ | Recommended security parameters: (p,r)='''(3,12)''' | ||
+ | |||
+ | === Hash function === | ||
+ | |||
+ | Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter. | ||
+ | |||
+ | {| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" | ||
+ | |- style="background:#efefef;" | ||
+ | | Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference | ||
+ | |- | ||
+ | | || || || || || | ||
+ | |- | ||
+ | |} | ||
+ | |||
+ | === Building blocks === | ||
+ | |||
+ | Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter. | ||
+ | |||
+ | Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks). | ||
+ | |||
+ | {| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" | ||
+ | |- style="background:#efefef;" | ||
+ | | Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference | ||
+ | |- | ||
+ | | | pseudo collision || compression function || all || 45-bit difference || 2<sup>84</sup> || || [http://eprint.iacr.org/2010/434.pdf Isobe,Shirai] | ||
+ | |- | ||
+ | | | preimage || hash || all || (2,12),no final loop || 2<sup>497</sup> || 2<sup>400</sup> || [http://eprint.iacr.org/2010/434.pdf Isobe,Shirai] | ||
+ | |- | ||
+ | | | preimage || hash || all || (1.5,8) || 2<sup>497</sup> || 2<sup>272</sup> || [http://eprint.iacr.org/2010/434.pdf Isobe,Shirai] | ||
+ | |- | ||
+ | | | non-randomness || compression function || all || || 1 || || [http://ehash.iaik.tugraz.at/uploads/4/4b/Aumasson_shabal.txt Aumasson] | ||
+ | |- | ||
+ | | | non-randomness || permutation || all || || 2<sup>21</sup> || || [http://eprint.iacr.org/2010/398.pdf Novotney] | ||
+ | |- | ||
+ | | | non-randomness || permutation || all || || 2<sup>159</sup> || || [http://gva.noekeon.org/papers/ShabalRotation.pdf Van Assche] | ||
+ | |- | ||
+ | | | non-randomness<sup>(1)</sup> || permutation || all || || 2 || || [http://131002.net/data/papers/AMM09.pdf Aumasson,Mashatan,Meier] | ||
+ | |- | ||
+ | | | non-randomness<sup>(1)</sup> || permutation || all || || 1 || || [http://www.mat.dtu.dk/people/S.Thomsen/shabal/shabal.pdf Knudsen,Matusiewicz,Thomsen] | ||
+ | |- | ||
+ | | | non-randomness<sup>(1)</sup> || permutation || all || || 2<sup>12</sup> || || [http://131002.net/data/papers/Aum09.pdf Aumasson] | ||
+ | |- | ||
+ | |} | ||
+ | <sup>(1)</sup>The Shabal team commented on these analyses and provide an update of their security proofs in [http://eprint.iacr.org/2009/199.pdf this note]. | ||
+ | |||
+ | |||
+ | <bibtex> | ||
+ | @misc{shabalIS10, | ||
+ | author = {Takanori Isobe and Taizo Shirai}, | ||
+ | title = {Low-weight Pseudo Collision Attack on Shabal and Preimage Attack on Reduced Shabal-512}, | ||
+ | howpublished = {Cryptology ePrint Archive, Report 2010/434}, | ||
+ | year = {2010}, | ||
+ | url = {http://eprint.iacr.org/2010/434.pdf}, | ||
+ | note = {\url{http://eprint.iacr.org/}}, | ||
+ | abstract = {This paper studies two types of attacks on the hash function Shabal. The first attack is a low-weight pseudo collision attack on Shabal. Since a pseudo collision attack is trivial for Shabal, we focus on a low-weight pseudo collision attack. It means that only low-weight difference in a chaining value is considered. By analyzing the difference propagation in the underlying permutation, we can construct a low-weight (45-bits) pseudo collision attack on the full compression function with complexity of 2^84. The second attack is a preimage attack on variants of Shabal-512. We utilize a guess-and-determine technique, which is originally developed for a cryptanalysis of stream ciphers, and customize the technique for a preimage attack on Shabal-512. As a result, for the weakened variant of Shabal-512 using security parameters (p; r) = (2; 12), a preimage can be found with complexity of 2^497 and memory of 2^400. Moreover, for the Shabal-512 using security parameters (p; r) = (1:5; 8), a preimage can be found with complexity of 2^497 and memory of 2^272. To the best of our knowledge, these are best preimage attacks on Shabal variants and the second result is a first preimage attack on Shabal-512 with reduced security parameters.}, | ||
+ | } | ||
+ | </bibtex> | ||
+ | |||
+ | <bibtex> | ||
+ | @misc{shabalAum10, | ||
+ | author = {Jean-Philippe Aumasson}, | ||
+ | title = {Observation on Shabal}, | ||
+ | url = {http://ehash.iaik.tugraz.at/uploads/4/4b/Aumasson_shabal.txt}, | ||
+ | howpublished = {NIST mailing list (local link)}, | ||
+ | year = {2010}, | ||
+ | } | ||
+ | </bibtex> | ||
+ | |||
+ | <bibtex> | ||
+ | @misc{shabalNov10, | ||
+ | author = {Peter Novotney}, | ||
+ | title = {Distinguisher for Shabal's Permutation Function}, | ||
+ | howpublished = {Cryptology ePrint Archive, Report 2010/398}, | ||
+ | year = {2010}, | ||
+ | url = {http://eprint.iacr.org/2010/398.pdf}, | ||
+ | note = {\url{http://eprint.iacr.org/}}, | ||
+ | abstract = {In this note we consider the Shabal permutation function $\mathcal{P}$ as a block cipher with input $A_p$,$B_p$ and key $C$,$M$ and describe a distinguisher with a data complexity of $2^{23}$ random inputs with a given difference. If the attacker can control one chosen bit of $B_p$, only $2^{21}$ inputs with a given difference are required on average. This distinguisher does not appear to lead directly to an attack on the full Shabal construction.}, | ||
+ | } | ||
+ | </bibtex> | ||
+ | |||
+ | <bibtex> | ||
+ | @misc{shabalVA10, | ||
+ | author = {Gilles Van Assche}, | ||
+ | title = {A rotational distinguisher on Shabal's keyed permutation and its impact on the security proofs}, | ||
+ | url = {http://gva.noekeon.org/papers/ShabalRotation.pdf}, | ||
+ | howpublished = {Available online}, | ||
+ | year = {2010}, | ||
+ | abstract = {In this short note, we apply a rotational distinguisher to the keyed permutation of the SHA-3 candidate Shabal. We then discuss its applicability in the scope of Shabal's mode of operation and its impact on the security proofs.}, | ||
+ | } | ||
+ | </bibtex> | ||
+ | |||
+ | <bibtex> | ||
+ | @misc{shabalAum09a, | ||
+ | author = {Jean-Philippe Aumasson and Atefeh Mashatan and Willi Meier}, | ||
+ | title = {More on Shabal's permutation}, | ||
+ | url = {http://131002.net/data/papers/AMM09.pdf}, | ||
+ | howpublished = {OFFICIAL COMMENT}, | ||
+ | year = {2009}, | ||
+ | } | ||
+ | </bibtex> | ||
+ | |||
+ | <bibtex> | ||
+ | @misc{shabalKMT09, | ||
+ | author = {Lars R. Knudsen and Krystian Matusiewicz and Søren S. Thomsen}, | ||
+ | title = {Observations on the Shabal keyed permutation}, | ||
+ | url = {http://www.mat.dtu.dk/people/S.Thomsen/shabal/shabal.pdf }, | ||
+ | howpublished = {OFFICIAL COMMENT}, | ||
+ | year = {2009}, | ||
+ | abstract = { | ||
+ | In this note we show that the permutation P used in the Shabal hash function, which is | ||
+ | a candidate in the SHA-3 competition, has some non-random properties. As an example, | ||
+ | it is easy to find a number of fixed points in the permutation. Moreover, large key-multicollisions | ||
+ | can be easily found; these are multi-collisions where only the key input contains | ||
+ | a difference. All observations are easily verified, and most of them are independent of the | ||
+ | choice of security parameters. Our observations, on the other hand, do not seem extensible | ||
+ | to the full hash function. | ||
+ | } | ||
+ | </bibtex> | ||
+ | |||
+ | <bibtex> | ||
+ | @misc{shabalAum09, | ||
+ | author = {Jean-Philippe Aumasson}, | ||
+ | title = {On the pseudorandomness of Shabal's keyed permutation}, | ||
+ | url = {http://131002.net/data/papers/Aum09.pdf}, | ||
+ | howpublished = {Available online}, | ||
+ | year = {2009}, | ||
+ | abstract = { | ||
+ | We report observations suggesting that the permutation used in | ||
+ | Shabal does not behave pseudorandomly. This does not affect the | ||
+ | security of Shabal as submitted to the NIST Hash Competition.}, | ||
+ | } | ||
+ | </bibtex> |
Latest revision as of 17:46, 8 November 2010
1 The algorithm
- Author(s): Emmanuel Bresson, Anne Canteaut, Benoît Chevallier-Mames, Christophe Clavier, Thomas Fuhr, Aline Gouget, Thomas Icart, Jean-François Misarsky, Marìa Naya-Plasencia, Pascal Paillier, Thomas Pornin, Jean-René Reinhard, Céline Thuillet, Marion Videau
- Website: http://www.shabal.com/
- NIST submission package:
- round 1/2: Shabal_Round2.zip (old version: Shabal.zip)
Emmanuel Bresson, Anne Canteaut, Benoît Chevallier-Mames, Christophe Clavier, Thomas Fuhr, Aline Gouget, Thomas Icart, Jean-François Misarsky, Marìa Naya-Plasencia, Pascal Paillier, Thomas Pornin, Jean-René Reinhard, Céline Thuillet, Marion Videau - Shabal, a Submission to NIST’s Cryptographic Hash Algorithm Competition
- ,2008
- http://ehash.iaik.tugraz.at/uploads/6/6c/Shabal.pdf
BibtexAuthor : Emmanuel Bresson, Anne Canteaut, Benoît Chevallier-Mames, Christophe Clavier, Thomas Fuhr, Aline Gouget, Thomas Icart, Jean-François Misarsky, Marìa Naya-Plasencia, Pascal Paillier, Thomas Pornin, Jean-René Reinhard, Céline Thuillet, Marion Videau
Title : Shabal, a Submission to NIST’s Cryptographic Hash Algorithm Competition
In : -
Address :
Date : 2008
Emmanuel Bresson, Anne Canteaut, Benoît Chevallier-Mames, Christophe Clavier, Thomas Fuhr, Aline Gouget, Thomas Icart, Jean-François Misarsky, Marìa Naya-Plasencia, Pascal Paillier, Thomas Pornin, Jean-René Reinhard, Céline Thuillet, Marion Videau - Indifferentiability with Distinguishers: Why Shabal Does Not Require Ideal Ciphers
- ,2009
- http://eprint.iacr.org/2009/199.pdf
BibtexAuthor : Emmanuel Bresson, Anne Canteaut, Benoît Chevallier-Mames, Christophe Clavier, Thomas Fuhr, Aline Gouget, Thomas Icart, Jean-François Misarsky, Marìa Naya-Plasencia, Pascal Paillier, Thomas Pornin, Jean-René Reinhard, Céline Thuillet, Marion Videau
Title : Indifferentiability with Distinguishers: Why Shabal Does Not Require Ideal Ciphers
In : -
Address :
Date : 2009
2 Cryptanalysis
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.
A description of the tables is given here.
Recommended security parameters: (p,r)=(3,12)
2.1 Hash function
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.
Type of Analysis | Hash Size (n) | Parameters | Compression Function Calls | Memory Requirements | Reference |
2.2 Building blocks
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks).
Type of Analysis | Hash Function Part | Hash Size (n) | Parameters/Variants | Compression Function Calls | Memory Requirements | Reference |
pseudo collision | compression function | all | 45-bit difference | 284 | Isobe,Shirai | |
preimage | hash | all | (2,12),no final loop | 2497 | 2400 | Isobe,Shirai |
preimage | hash | all | (1.5,8) | 2497 | 2272 | Isobe,Shirai |
non-randomness | compression function | all | 1 | Aumasson | ||
non-randomness | permutation | all | 221 | Novotney | ||
non-randomness | permutation | all | 2159 | Van Assche | ||
non-randomness(1) | permutation | all | 2 | Aumasson,Mashatan,Meier | ||
non-randomness(1) | permutation | all | 1 | Knudsen,Matusiewicz,Thomsen | ||
non-randomness(1) | permutation | all | 212 | Aumasson |
(1)The Shabal team commented on these analyses and provide an update of their security proofs in this note.
Takanori Isobe, Taizo Shirai - Low-weight Pseudo Collision Attack on Shabal and Preimage Attack on Reduced Shabal-512
- ,2010
- http://eprint.iacr.org/2010/434.pdf
BibtexAuthor : Takanori Isobe, Taizo Shirai
Title : Low-weight Pseudo Collision Attack on Shabal and Preimage Attack on Reduced Shabal-512
In : -
Address :
Date : 2010
Jean-Philippe Aumasson - Observation on Shabal
- ,2010
- http://ehash.iaik.tugraz.at/uploads/4/4b/Aumasson_shabal.txt
BibtexAuthor : Jean-Philippe Aumasson
Title : Observation on Shabal
In : -
Address :
Date : 2010
Peter Novotney - Distinguisher for Shabal's Permutation Function
- ,2010
- http://eprint.iacr.org/2010/398.pdf
BibtexAuthor : Peter Novotney
Title : Distinguisher for Shabal's Permutation Function
In : -
Address :
Date : 2010
Gilles Van Assche - A rotational distinguisher on Shabal's keyed permutation and its impact on the security proofs
- ,2010
- http://gva.noekeon.org/papers/ShabalRotation.pdf
BibtexAuthor : Gilles Van Assche
Title : A rotational distinguisher on Shabal's keyed permutation and its impact on the security proofs
In : -
Address :
Date : 2010
Jean-Philippe Aumasson, Atefeh Mashatan, Willi Meier - More on Shabal's permutation
- ,2009
- http://131002.net/data/papers/AMM09.pdf
BibtexAuthor : Jean-Philippe Aumasson, Atefeh Mashatan, Willi Meier
Title : More on Shabal's permutation
In : -
Address :
Date : 2009
Lars R. Knudsen, Krystian Matusiewicz, Søren S. Thomsen - Observations on the Shabal keyed permutation
- ,2009
- http://www.mat.dtu.dk/people/S.Thomsen/shabal/shabal.pdf
BibtexAuthor : Lars R. Knudsen, Krystian Matusiewicz, Søren S. Thomsen
Title : Observations on the Shabal keyed permutation
In : -
Address :
Date : 2009
Jean-Philippe Aumasson - On the pseudorandomness of Shabal's keyed permutation