Difference between revisions of "Shabal"

From The ECRYPT Hash Function Website
m (added footnote)
(added eprint 2010/434)
 
(8 intermediate revisions by 5 users not shown)
Line 35: Line 35:
 
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].
 
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].
  
 +
Recommended security parameters: (p,r)='''(3,12)'''
  
 
=== Hash function ===
 
=== Hash function ===
  
Here we list results on the actual hash function. The only allowed modification is to change the security parameter.
+
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.
 
 
Recommended security parameters: (p,r)='''(3,12)'''
 
  
{| border="1" cellpadding="4" cellspacing="0" class="wikitable" style="text-align:center"                   
+
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center"                   
 
|- style="background:#efefef;"                   
 
|- style="background:#efefef;"                   
 
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements ||  Reference  
 
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements ||  Reference  
Line 48: Line 47:
 
| || || || || ||
 
| || || || || ||
 
|-                     
 
|-                     
|}                  
+
|}
 
 
  
 
=== Building blocks ===
 
=== Building blocks ===
Line 57: Line 55:
 
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks).  
 
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks).  
  
{| border="1" cellpadding="4" cellspacing="0" class="wikitable" style="text-align:center"                   
+
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center"                   
 
|- style="background:#efefef;"                   
 
|- style="background:#efefef;"                   
 
|  Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements ||  Reference  
 
|  Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements ||  Reference  
 +
|- 
 +
|  | pseudo collision || compression function || all || 45-bit difference || 2<sup>84</sup> ||  || [http://eprint.iacr.org/2010/434.pdf Isobe,Shirai]
 +
|-                                     
 +
|  | preimage || hash || all || (2,12),no final loop || 2<sup>497</sup> || 2<sup>400</sup> || [http://eprint.iacr.org/2010/434.pdf Isobe,Shirai]
 +
|- 
 +
|  | preimage || hash || all || (1.5,8) || 2<sup>497</sup> || 2<sup>272</sup> || [http://eprint.iacr.org/2010/434.pdf Isobe,Shirai]
 +
|- 
 +
|  | non-randomness || compression function || all || || 1 || || [http://ehash.iaik.tugraz.at/uploads/4/4b/Aumasson_shabal.txt Aumasson]
 +
|-                                                                               
 +
|  | non-randomness || permutation || all || || 2<sup>21</sup> || || [http://eprint.iacr.org/2010/398.pdf Novotney]
 +
|- 
 +
|  | non-randomness || permutation || all || || 2<sup>159</sup> || || [http://gva.noekeon.org/papers/ShabalRotation.pdf Van Assche]
 +
|- 
 +
|  | non-randomness<sup>(1)</sup> || permutation || all || || 2 || || [http://131002.net/data/papers/AMM09.pdf Aumasson,Mashatan,Meier]
 
|-                                         
 
|-                                         
 +
|  | non-randomness<sup>(1)</sup> || permutation || all || || 1 || || [http://www.mat.dtu.dk/people/S.Thomsen/shabal/shabal.pdf Knudsen,Matusiewicz,Thomsen]
 +
|-     
 
|  | non-randomness<sup>(1)</sup> || permutation || all || || 2<sup>12</sup> || || [http://131002.net/data/papers/Aum09.pdf Aumasson]
 
|  | non-randomness<sup>(1)</sup> || permutation || all || || 2<sup>12</sup> || || [http://131002.net/data/papers/Aum09.pdf Aumasson]
|-                                            
+
|-                                
|  | non-randomness<sup>(1)</sup> || permutation || all || || 1 || || [http://www.mat.dtu.dk/people/S.Thomsen/shabal/shabal.pdf Knudsen,Matusiewicz,Thomsen]
 
|- 
 
|  | non-randomness<sup>(1)</sup> || permutation || all || || 2 || || [http://131002.net/data/papers/AMM09.pdf Aumasson,Mashatan,Meier]
 
|-                                         
 
 
|}                     
 
|}                     
 
<sup>(1)</sup>The Shabal team commented on these analyses and provide an update of their security proofs in [http://eprint.iacr.org/2009/199.pdf this note].
 
<sup>(1)</sup>The Shabal team commented on these analyses and provide an update of their security proofs in [http://eprint.iacr.org/2009/199.pdf this note].
  
  
 +
<bibtex>
 +
@misc{shabalIS10,
 +
    author = {Takanori Isobe and Taizo Shirai},
 +
    title = {Low-weight Pseudo Collision Attack on Shabal and Preimage Attack on Reduced Shabal-512},
 +
    howpublished = {Cryptology ePrint Archive, Report 2010/434},
 +
    year = {2010},
 +
    url = {http://eprint.iacr.org/2010/434.pdf},
 +
    note = {\url{http://eprint.iacr.org/}},
 +
  abstract = {This paper studies two types of attacks on the hash function Shabal. The first attack is a low-weight pseudo collision attack on Shabal. Since a pseudo collision attack is trivial for Shabal, we focus on a low-weight pseudo collision attack. It means that only low-weight difference in a chaining value is considered. By analyzing the difference propagation in the underlying permutation, we can construct a low-weight (45-bits) pseudo collision attack on the full compression function with complexity of 2^84. The second attack is a preimage attack on variants of Shabal-512. We utilize a guess-and-determine technique, which is originally developed for a cryptanalysis of stream ciphers, and customize the technique for a preimage attack on Shabal-512. As a result, for the weakened variant of Shabal-512 using security parameters (p; r) = (2; 12), a preimage can be found with complexity of 2^497 and memory of 2^400. Moreover, for the Shabal-512 using security parameters (p; r) = (1:5; 8), a preimage can be found with complexity of 2^497 and memory of 2^272. To the best of our knowledge, these are best preimage attacks on Shabal variants and the second result is a first preimage attack on Shabal-512 with reduced security parameters.},
 +
}
 +
</bibtex>
  
 
<bibtex>
 
<bibtex>
@misc{shabalAum09,
+
@misc{shabalAum10,
 
   author    = {Jean-Philippe Aumasson},
 
   author    = {Jean-Philippe Aumasson},
   title    = {On the pseudorandomness of Shabal's keyed permutation},
+
   title    = {Observation on Shabal},
   url        = {http://131002.net/data/papers/Aum09.pdf},
+
  url = {http://ehash.iaik.tugraz.at/uploads/4/4b/Aumasson_shabal.txt},
 +
  howpublished = {NIST mailing list (local link)},
 +
  year = {2010},
 +
}
 +
</bibtex>
 +
 
 +
<bibtex>
 +
@misc{shabalNov10,
 +
    author = {Peter Novotney},
 +
    title = {Distinguisher for Shabal's Permutation Function},
 +
    howpublished = {Cryptology ePrint Archive, Report 2010/398},
 +
    year = {2010},
 +
    url = {http://eprint.iacr.org/2010/398.pdf},
 +
    note = {\url{http://eprint.iacr.org/}},
 +
  abstract = {In this note we consider the Shabal permutation function $\mathcal{P}$ as a block cipher with input $A_p$,$B_p$ and key $C$,$M$ and describe a distinguisher with a data complexity of $2^{23}$ random inputs with a given difference. If the attacker can control one chosen bit of $B_p$, only $2^{21}$ inputs with a given difference are required on average. This distinguisher does not appear to lead directly to an attack on the full Shabal construction.},
 +
}
 +
</bibtex>
 +
 
 +
<bibtex>
 +
@misc{shabalVA10,
 +
  author    = {Gilles Van Assche},
 +
  title    = {A rotational distinguisher on Shabal's keyed permutation and its impact on the security proofs},
 +
   url        = {http://gva.noekeon.org/papers/ShabalRotation.pdf},
 
   howpublished = {Available online},
 
   howpublished = {Available online},
 +
  year      = {2010},
 +
  abstract = {In this short note, we apply a rotational distinguisher to the keyed permutation of the SHA-3 candidate Shabal. We then discuss its applicability in the scope of Shabal's mode of operation and its impact on the security proofs.},
 +
}
 +
</bibtex>
 +
 +
<bibtex>
 +
@misc{shabalAum09a,
 +
  author    = {Jean-Philippe Aumasson and Atefeh Mashatan and Willi Meier},
 +
  title    = {More on Shabal's permutation},
 +
  url        = {http://131002.net/data/papers/AMM09.pdf},
 +
  howpublished = {OFFICIAL COMMENT},
 
   year      = {2009},
 
   year      = {2009},
  abstract = {
 
  We report observations suggesting that the permutation used in
 
  Shabal does not behave pseudorandomly. This does not affect the
 
  security of Shabal as submitted to the NIST Hash Competition.},
 
 
}
 
}
 
</bibtex>
 
</bibtex>
Line 105: Line 155:
  
 
<bibtex>
 
<bibtex>
@misc{shabalAum09a,
+
@misc{shabalAum09,
   author    = {Jean-Philippe Aumasson and Atefeh Mashatan and Willi Meier},
+
   author    = {Jean-Philippe Aumasson},
   title    = {More on Shabal's permutation},
+
   title    = {On the pseudorandomness of Shabal's keyed permutation},
   url        = {http://131002.net/data/papers/AMM09.pdf},
+
   url        = {http://131002.net/data/papers/Aum09.pdf},
   howpublished = {OFFICIAL COMMENT},
+
   howpublished = {Available online},
 
   year      = {2009},
 
   year      = {2009},
 +
  abstract = {
 +
  We report observations suggesting that the permutation used in
 +
  Shabal does not behave pseudorandomly. This does not affect the
 +
  security of Shabal as submitted to the NIST Hash Competition.},
 
}
 
}
 
</bibtex>
 
</bibtex>

Latest revision as of 17:46, 8 November 2010

1 The algorithm

  • Author(s): Emmanuel Bresson, Anne Canteaut, Benoît Chevallier-Mames, Christophe Clavier, Thomas Fuhr, Aline Gouget, Thomas Icart, Jean-François Misarsky, Marìa Naya-Plasencia, Pascal Paillier, Thomas Pornin, Jean-René Reinhard, Céline Thuillet, Marion Videau
  • Website: http://www.shabal.com/
  • NIST submission package:


Emmanuel Bresson, Anne Canteaut, Benoît Chevallier-Mames, Christophe Clavier, Thomas Fuhr, Aline Gouget, Thomas Icart, Jean-François Misarsky, Marìa Naya-Plasencia, Pascal Paillier, Thomas Pornin, Jean-René Reinhard, Céline Thuillet, Marion Videau - Shabal, a Submission to NIST’s Cryptographic Hash Algorithm Competition

,2008
http://ehash.iaik.tugraz.at/uploads/6/6c/Shabal.pdf
Bibtex
Author : Emmanuel Bresson, Anne Canteaut, Benoît Chevallier-Mames, Christophe Clavier, Thomas Fuhr, Aline Gouget, Thomas Icart, Jean-François Misarsky, Marìa Naya-Plasencia, Pascal Paillier, Thomas Pornin, Jean-René Reinhard, Céline Thuillet, Marion Videau
Title : Shabal, a Submission to NIST’s Cryptographic Hash Algorithm Competition
In : -
Address :
Date : 2008

Emmanuel Bresson, Anne Canteaut, Benoît Chevallier-Mames, Christophe Clavier, Thomas Fuhr, Aline Gouget, Thomas Icart, Jean-François Misarsky, Marìa Naya-Plasencia, Pascal Paillier, Thomas Pornin, Jean-René Reinhard, Céline Thuillet, Marion Videau - Indifferentiability with Distinguishers: Why Shabal Does Not Require Ideal Ciphers

,2009
http://eprint.iacr.org/2009/199.pdf
Bibtex
Author : Emmanuel Bresson, Anne Canteaut, Benoît Chevallier-Mames, Christophe Clavier, Thomas Fuhr, Aline Gouget, Thomas Icart, Jean-François Misarsky, Marìa Naya-Plasencia, Pascal Paillier, Thomas Pornin, Jean-René Reinhard, Céline Thuillet, Marion Videau
Title : Indifferentiability with Distinguishers: Why Shabal Does Not Require Ideal Ciphers
In : -
Address :
Date : 2009


2 Cryptanalysis

We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.

A description of the tables is given here.

Recommended security parameters: (p,r)=(3,12)

2.1 Hash function

Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.

Type of Analysis Hash Size (n) Parameters Compression Function Calls Memory Requirements Reference

2.2 Building blocks

Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.

Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks).

Type of Analysis Hash Function Part Hash Size (n) Parameters/Variants Compression Function Calls Memory Requirements Reference
pseudo collision compression function all 45-bit difference 284 Isobe,Shirai
preimage hash all (2,12),no final loop 2497 2400 Isobe,Shirai
preimage hash all (1.5,8) 2497 2272 Isobe,Shirai
non-randomness compression function all 1 Aumasson
non-randomness permutation all 221 Novotney
non-randomness permutation all 2159 Van Assche
non-randomness(1) permutation all 2 Aumasson,Mashatan,Meier
non-randomness(1) permutation all 1 Knudsen,Matusiewicz,Thomsen
non-randomness(1) permutation all 212 Aumasson

(1)The Shabal team commented on these analyses and provide an update of their security proofs in this note.


Takanori Isobe, Taizo Shirai - Low-weight Pseudo Collision Attack on Shabal and Preimage Attack on Reduced Shabal-512

,2010
http://eprint.iacr.org/2010/434.pdf
Bibtex
Author : Takanori Isobe, Taizo Shirai
Title : Low-weight Pseudo Collision Attack on Shabal and Preimage Attack on Reduced Shabal-512
In : -
Address :
Date : 2010

Jean-Philippe Aumasson - Observation on Shabal

,2010
http://ehash.iaik.tugraz.at/uploads/4/4b/Aumasson_shabal.txt
Bibtex
Author : Jean-Philippe Aumasson
Title : Observation on Shabal
In : -
Address :
Date : 2010

Peter Novotney - Distinguisher for Shabal's Permutation Function

,2010
http://eprint.iacr.org/2010/398.pdf
Bibtex
Author : Peter Novotney
Title : Distinguisher for Shabal's Permutation Function
In : -
Address :
Date : 2010

Gilles Van Assche - A rotational distinguisher on Shabal's keyed permutation and its impact on the security proofs

,2010
http://gva.noekeon.org/papers/ShabalRotation.pdf
Bibtex
Author : Gilles Van Assche
Title : A rotational distinguisher on Shabal's keyed permutation and its impact on the security proofs
In : -
Address :
Date : 2010

Jean-Philippe Aumasson, Atefeh Mashatan, Willi Meier - More on Shabal's permutation

,2009
http://131002.net/data/papers/AMM09.pdf
Bibtex
Author : Jean-Philippe Aumasson, Atefeh Mashatan, Willi Meier
Title : More on Shabal's permutation
In : -
Address :
Date : 2009

Lars R. Knudsen, Krystian Matusiewicz, Søren S. Thomsen - Observations on the Shabal keyed permutation

,2009
http://www.mat.dtu.dk/people/S.Thomsen/shabal/shabal.pdf
Bibtex
Author : Lars R. Knudsen, Krystian Matusiewicz, Søren S. Thomsen
Title : Observations on the Shabal keyed permutation
In : -
Address :
Date : 2009

Jean-Philippe Aumasson - On the pseudorandomness of Shabal's keyed permutation

,2009
http://131002.net/data/papers/Aum09.pdf
Bibtex
Author : Jean-Philippe Aumasson
Title : On the pseudorandomness of Shabal's keyed permutation
In : -
Address :
Date : 2009