Feed source: https://ehash.iaik.tugraz.at/api.php?action=feedcontributions&user=Mschlaeffer&feedformat=atom
The ECRYPT Hash Function Website - User contributions [en], feed generated 2024-03-29T10:10:52Z (MediaWiki 1.31.3)

Revision: The SHA-3 Zoo, 2013-01-28T14:32:00Z, https://ehash.iaik.tugraz.at/index.php?title=The_SHA-3_Zoo&diff=3766
<p>Mschlaeffer: tables updated</p>
<hr />
<div>The SHA-3 Zoo (work in progress) is a collection of cryptographic hash functions (in alphabetical order) submitted to the [http://www.nist.gov/hash-competition SHA-3 contest] (see also [http://en.wikipedia.org/wiki/SHA-3 here]). It aims to provide an overview of the design and cryptanalysis of all submissions. A list of all [[SHA-3 submitters]] is also available. For a software-performance overview, see [http://bench.cr.yp.to/ebash.html eBASH]. On a separate page, we also collect [[SHA-3_Hardware_Implementations | hardware implementation results]] of the candidates. Another categorization of the SHA-3 submissions can be found [http://eprint.iacr.org/2008/511.pdf here].<br />
<br />
The idea of the SHA-3 Zoo is to give a good overview of cryptanalytic results. We try to avoid passing additional judgement on whether a submission is broken; that question is left to NIST. However, we categorize the cryptanalytic results by their impact, from purely theoretical to practical attacks. A detailed description is given in [[Cryptanalysis Categories]].<br />
<br />
At this time, 56 out of 64 submissions to the SHA-3 competition are publicly known and available. 51 submissions advanced to [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/index.html round 1], 14 submissions made it into [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/index.html round 2], and 5 candidates were selected for the [http://csrc.nist.gov/groups/ST/hash/sha-3/Round3/index.html final].<br />
<br />
The following tables give a first impression of the cryptanalysis of the SHA-3 candidates. They show only the best known attack; more detailed results are collected on the individual hash function pages. A description of the main table is given [[Cryptanalysis_Categories#Main_Cryptanalysis_Table | here]].<br />
<br />
[http://ehash.iaik.tugraz.at/index.php?title=Special:Recentchangeslinked&target=The_SHA-3_Zoo&days=7&limit=50&hideminor=1 Recent updates of the SHA-3 Zoo]<br />
(Is your analysis not mentioned? Drop us a line at sha3zoo@iaik.tugraz.at to let us know!)<br />
<br />
Keccak has been selected as the SHA-3 standard:<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable" style="text-align:center"<br />
|- style="background:#efefef;"<br />
! width="120"| Hash Name !! width="160" | Principal Submitter !! width="150"| Best Attack on Main NIST Requirements !! width="140"| Best Attack on other Hash Requirements<br />
|-<br />
| [[Keccak]] || The Keccak Team || ||<br />
|- <br />
|}<br />
<br />
The other 4 finalists of the SHA-3 competition are:<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable" style="text-align:center"<br />
|- style="background:#efefef;"<br />
! width="120"| Hash Name !! width="160" | Principal Submitter !! width="150"| Best Attack on Main NIST Requirements !! width="140"| Best Attack on other Hash Requirements<br />
|-<br />
| [[BLAKE]] || Jean-Philippe Aumasson || ||<br />
|-<br />
| [[Groestl|Grøstl]] || Lars R. Knudsen || ||<br />
|-<br />
| [[JH]] || Hongjun Wu || style="background:greenyellow" | preimage ||<br />
|- <br />
| [[Skein]] || Bruce Schneier || ||<br />
|- <br />
|}<br />
<br />
The following SHA-3 candidates advanced to round 2 but did not get into the final:<br />
<br />
[http://ehash.iaik.tugraz.at/uploads/c/ce/20090922-2230_SHA-3_round2_tweaks.pdf Round 2 tweaks for all candidates]<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable" style="text-align:center"<br />
|- style="background:#efefef;"<br />
! width="120"| Hash Name !! width="160" | Principal Submitter !! width="150"| Best Attack on Main NIST Requirements !! width="140"| Best Attack on other Hash Requirements<br />
|-<br />
| [[Blue Midnight Wish]] || Svein Johan Knapskog || ||<br />
|-<br />
| [[CubeHash]] || Daniel J. Bernstein || style="background:greenyellow" | preimage ||<br />
|-<br />
| [[ECHO]] || Henri Gilbert || ||<br />
|- <br />
| [[Fugue]] || Charanjit S. Jutla || ||<br />
|- <br />
| [[Hamsi]] || Özgül Küçük || ||<br />
|-<br />
| [[Luffa]] || Dai Watanabe || ||<br />
|-<br />
| [[Shabal]] || Jean-François Misarsky || ||<br />
|-<br />
| [[SHAvite-3]] || Orr Dunkelman || ||<br />
|-<br />
| [[SIMD]] || Gaëtan Leurent || ||<br />
|-<br />
|}<br />
<br />
The following submitted hash functions have not advanced to round 2:<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable" style="text-align:center"<br />
|- style="background:#efefef;"<br />
! width="120"| Hash Name !! width="160" | Principal Submitter !! width="120" | Status !! width="150"| Best Attack on Main NIST Requirements !! width="140"| Best Attack on other Hash Requirements<br />
|-<br />
| [[Abacus]] || Neil Sholer || in round 1 || style="background:orange" | 2nd-preimage ||<br />
|-<br />
| [[ARIRANG]] || Jongin Lim || in round 1 || ||<br />
|- <br />
| [[AURORA]] || Masahiro Fujita || in round 1|| style="background:orange"| 2nd preimage ||<br />
|-<br />
| [[Blender]] || Colin Bradbury || in round 1|| style="background:orange" | collision, preimage || near-collision<br />
|- <br />
| [[Boole]] || Greg Rose || in round 1 || style="background:red" | collision ||<br />
|- <br />
| [[Cheetah]] || Dmitry Khovratovich || in round 1|| || length-extension<br />
|-<br />
| [[CHI]] || Phillip Hawkes || in round 1|| ||<br />
|- <br />
| [[CRUNCH]] || Jacques Patarin || in round 1|| || length-extension<br />
|-<br />
| [[DCH]] || David A. Wilson || in round 1 || style="background:red" | collision ||<br />
|-<br />
| [[Dynamic SHA]] || Xu Zijie || in round 1|| style="background:red"|collision || length-extension <br />
|-<br />
| [[Dynamic SHA2]] || Xu Zijie || in round 1|| style="background:orange"|collision || length-extension<br />
|-<br />
| [[ECOH]] || Daniel R. L. Brown || in round 1|| style="background:orange"| 2nd preimage ||<br />
|-<br />
| [[Edon-R (SHA-3 submission)|Edon-R]] || Danilo Gligoroski || in round 1|| style="background:yellow" | preimage ||<br />
|-<br />
| [[EnRUPT]] || Sean O'Neil || in round 1|| style="background:red" | collision ||<br />
|- <br />
| [[ESSENCE]] || Jason Worth Martin || in round 1|| style="background:orange" | collision ||<br />
|-<br />
| [[FSB (SHA-3 submission) | FSB]] || Matthieu Finiasz || in round 1|| ||<br />
|-<br />
| [[HASH 2X]] || Jason Lee || not in round 1 || style="background:red" | 2nd-preimage ||<br />
|-<br />
| [[Khichidi-1]] || M. Vidyasagar || in round 1 || style="background:red" | collision ||<br />
|-<br />
| [[LANE]] || Sebastiaan Indesteege || in round 1|| ||<br />
|- <br />
| [[Lesamnta]] || Hirotaka Yoshida || in round 1|| ||<br />
|-<br />
| [[LUX]] || Ivica Nikolić || in round 1|| style="background:orange" | collision, 2nd preimage || DRBG, HMAC<br />
|- <br />
| [[Maraca]] || Robert J. Jenkins || not in round 1 || style="background:red" | preimage ||<br />
|- <br />
| [[MCSSHA-3]] || Mikhail Maslennikov || in round 1|| style="background:orange" | 2nd preimage ||<br />
|- <br />
| [[MD6]] || Ronald L. Rivest || in round 1|| ||<br />
|- <br />
| [[MeshHash]] || Björn Fay || in round 1 || style="background:orange" | 2nd preimage ||<br />
|- <br />
| [[NaSHA]] || Smile Markovski || in round 1|| style="background:orange" | collision ||<br />
|-<br />
| [[NKS2D]] || Geoffrey Park || not in round 1 || style="background:red" | collision ||<br />
|-<br />
| [[Ponic]] || Peter Schmidt-Nielsen || not in round 1 || style="background:yellow" | 2nd-preimage ||<br />
|-<br />
| [[SANDstorm]] || Rich Schroeppel || in round 1|| ||<br />
|-<br />
| [[Sarmal]] || Kerem Varıcı || in round 1|| style="background:yellow" | preimage ||<br />
|- <br />
| [[Sgàil]] || Peter Maxwell|| in round 1|| style="background:red" | collision ||<br />
|-<br />
| [[SHAMATA]] || Orhun Kara || in round 1 || style="background:red" | collision ||<br />
|-<br />
| [[Spectral Hash]] || Çetin Kaya Koç || in round 1|| style="background:red" | collision ||<br />
|-<br />
| [[StreamHash]] || Michal Trojnara || in round 1 || style="background:red" | collision ||<br />
|-<br />
| [[SWIFFTX]] || Daniele Micciancio || in round 1|| ||<br />
|-<br />
| [[Tangle]] || Rafael Alvarez || in round 1 || style="background:red" | collision ||<br />
|-<br />
| [[TIB3]] || Daniel Penazzi || in round 1|| style="background:yellow" | collision ||<br />
|-<br />
| [[Twister]] || Michael Gorski || in round 1|| style="background:orange" | preimage ||<br />
|- <br />
| [[Vortex (SHA-3 submission)|Vortex]] || Michael Kounavis || in round 1|| style="background:yellow" | preimage ||<br />
|-<br />
| [[WaMM]] || John Washburn || in round 1 || style="background:red" | collision ||<br />
|-<br />
| [[Waterfall]] || Bob Hattersley || in round 1 || style="background:orange" | collision ||<br />
|-<br />
| [[ZK-Crypt]] || Carmi Gressel || not in round 1 || ||<br />
|}</div>
Author: Mschlaeffer

Revision: Keccak, 2011-09-01T06:52:24Z, https://ehash.iaik.tugraz.at/index.php?title=Keccak&diff=3718
<p>Mschlaeffer: cryptanalysis results updated</p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche<br />
* Website: [http://keccak.noekeon.org/ http://keccak.noekeon.org/] <br />
* NIST submission package: <br />
** Round 3: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round3/documents/Keccak_FinalRnd.zip Keccak_FinalRnd.zip]<br />
** Round 2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/Keccak_Round2.zip Keccak_Round2.zip]<br />
** Round 1: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/Keccak.zip Keccak.zip]<br />
<br />
<br />
<bibtex><br />
@misc{KeccakSub3,<br />
author = {G. Bertoni and J. Daemen and M. Peeters and G. Van Assche},<br />
title = {The Keccak SHA-3 submission},<br />
url = {http://keccak.noekeon.org/Keccak-submission-3.pdf},<br />
howpublished = {Submission to NIST (Round 3)},<br />
year = {2011},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{KeccakRef3,<br />
author = {G. Bertoni and J. Daemen and M. Peeters and G. Van Assche},<br />
title = {The Keccak reference},<br />
url = {http://keccak.noekeon.org/Keccak-reference-3.0.pdf},<br />
howpublished = {Submission to NIST (Round 3)},<br />
year = {2011},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{KeccakSponge3,<br />
author = {G. Bertoni and J. Daemen and M. Peeters and G. Van Assche},<br />
title = {Cryptographic sponge functions},<br />
url = {http://sponge.noekeon.org/CSF-0.1.pdf},<br />
howpublished = {Submission to NIST (Round 3)},<br />
year = {2011},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{KeccakSpecs2,<br />
author = {G. Bertoni and J. Daemen and M. Peeters and G. Van Assche},<br />
title = {Keccak specifications},<br />
url = {http://keccak.noekeon.org/Keccak-specifications-2.pdf},<br />
howpublished = {Submission to NIST (Round 2)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{KeccakMain2,<br />
author = {G. Bertoni and J. Daemen and M. Peeters and G. Van Assche},<br />
title = {Keccak sponge function family main document},<br />
url = {http://keccak.noekeon.org/Keccak-main-2.0.pdf},<br />
howpublished = {Submission to NIST (Round 2)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{KeccakSpecs,<br />
author = {G. Bertoni and J. Daemen and M. Peeters and G. Van Assche},<br />
title = {Keccak specifications},<br />
url = {http://keccak.noekeon.org/Keccak-specifications.pdf},<br />
howpublished = {Submission to NIST (Round 1)},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{KeccakMain,<br />
author = {G. Bertoni and J. Daemen and M. Peeters and G. Van Assche},<br />
title = {Keccak sponge function family main document},<br />
url = {http://keccak.noekeon.org/Keccak-main-1.0.pdf},<br />
howpublished = {Submission to NIST (Round 1)},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
Recommended security parameter: '''24''' rounds (Keccak-''f''[1600])<br />
<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only modification allowed in this table is a change of the security parameter (the number of rounds).<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| 2nd preimage || 512 || 6 rounds || 2<sup>506</sup> || 2<sup>176</sup> || [http://ehash.iaik.tugraz.at/uploads/6/65/NIST-mailing-list_Bernstein-Daemen.txt Bernstein]<br />
|- <br />
| 2nd preimage || 512 || 7 rounds || 2<sup>507</sup> || 2<sup>320</sup> || [http://ehash.iaik.tugraz.at/uploads/6/65/NIST-mailing-list_Bernstein-Daemen.txt Bernstein]<br />
|- <br />
| 2nd preimage || 512 || 8 rounds || 2<sup>511.5</sup> || 2<sup>508</sup> || [http://ehash.iaik.tugraz.at/uploads/6/65/NIST-mailing-list_Bernstein-Daemen.txt Bernstein]<br />
|- <br />
|}<br />
<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and on the hash function modified by means other than the security parameter.<br />
<br />
Note that these results assume more direct control over, or access to, some internal variables (also known as free-start, pseudo, compression-function, block-cipher or permutation attacks).<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| distinguisher || permutation || all || 8 rounds || 2<sup>491.47</sup> || ? || [http://eprint.iacr.org/2011/420.pdf Duc,Guo,Peyrin,Wei]<br />
|- <br />
| collision || hash || 160 || r=1440, c=160, nr={1,2} || example || || [http://keccak.noekeon.org/crunchy_contest.html Duc,Guo,Peyrin,Wei]<br />
|- <br />
| collision || hash || 160 || r={240,640,1440}, c=160, nr={1,2} || example || || [http://keccak.noekeon.org/crunchy_contest.html Morawiecki]<br />
|- <br />
| preimage || hash || 80 || r={240,640,1440}, c=160, nr={1,2} || example || || [http://keccak.noekeon.org/crunchy_contest.html Morawiecki]<br />
|- <br />
| distinguisher || permutation || all || 24 rounds || 2<sup>1579</sup> || || [http://eprint.iacr.org/2011/023.pdf Duan,Lai]<br />
|- <br />
| distinguisher || permutation || all || 24 rounds || 2<sup>1590</sup> || || [http://eprint.iacr.org/2010/589.pdf Boura,Canteaut,DeCanniere]<br />
|- <br />
| distinguisher || permutation || all || 20 rounds || 2<sup>1586</sup> || || [http://www-rocq.inria.fr/secret/Christina.Boura/data/sac.pdf Boura,Canteaut]<br />
|- <br />
| preimage<sup>(2)</sup> || hash || 1024 || 3 rounds, 40 bit message || 1852 seconds (2<sup>34.11</sup>) || ? || [http://eprint.iacr.org/2010/285.pdf Morawiecki,Srebrny]<br />
|- <br />
| distinguisher<sup>(1)</sup> || permutation || all || 18 rounds || 2<sup>1370</sup> || || [http://www-roc.inria.fr/secret/Anne.Canteaut/Publications/zero_sum.pdf Boura,Canteaut]<br />
|- <br />
| distinguisher<sup>(1)</sup> || permutation || all || 16 rounds || 2<sup>1023.88</sup> || || [http://www.131002.net/data/papers/AM09.pdf Aumasson,Meier]<br />
|- <br />
| key recovery || secret-prefix MAC || 224 || 4 rounds || 2<sup>19</sup> || ? || [http://www.cs.rit.edu/~jal6806/thesis/thesis.pdf Lathrop]<br />
|- <br />
| observations || permutation || all || || || || [http://131002.net/data/papers/AK09.pdf Aumasson,Khovratovich]<br />
|- <br />
|}<br />
<br />
<sup>(1)</sup> The Keccak team commented on these distinguishers and provides generic constructions in [http://keccak.noekeon.org/NoteZeroSum.pdf this note].<br />
<br />
<sup>(2)</sup> The Keccak team estimated the complexity of this attack at 2<sup>34.11</sup> evaluations of 3 rounds of Keccak-''f''[1600] in [http://ehash.iaik.tugraz.at/uploads/5/5b/Note_SAT-basedPreimageAnalysis.txt this note] (exhaustive search: 2<sup>40</sup>).<br />
<br />
<br />
<bibtex><br />
@misc{cryptoeprint:2011:420,<br />
author = {Alexandre Duc and Jian Guo and Thomas Peyrin and Lei Wei},<br />
title = {Unaligned Rebound Attack - Application to Keccak},<br />
howpublished = {Cryptology ePrint Archive, Report 2011/420},<br />
year = {2011},<br />
url = {http://eprint.iacr.org/2011/420.pdf},<br />
abstract = {We analyze the internal permutations of Keccak, one of the NIST SHA-3 competition finalists, in regard to differential properties. By carefully studying the elements composing those permutations, we are able to derive most of the best known differential paths for up to 5 rounds. We use these differential paths in a rebound attack setting and adapt this powerful freedom degrees utilization in order to derive distinguishers for up to 8 rounds of the internal permutations of the submitted version of Keccak. The complexity of the 8 round distinguisher is $2^{491.47}$. Our results have been implemented and verified experimentally on a small version of Keccak. This is currently the best known differential attack against the internal permutations of Keccak.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{KeccakDucPW11,<br />
author = {Alexandre Duc and Jian Guo and Thomas Peyrin and Lei Wei},<br />
title = {Collisions for Keccak[r=1440,c=160,nr={1,2}]},<br />
url = {http://keccak.noekeon.org/crunchy_contest.html},<br />
howpublished = {Keccak website},<br />
year = {2011},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{KeccakMorawiecki11,<br />
author = {Pawel Morawiecki},<br />
title = {Preimages and Collisions for Keccak[r={240,640,1440},c=160,nr={1,2}]},<br />
url = {http://keccak.noekeon.org/crunchy_contest.html},<br />
howpublished = {Keccak website},<br />
year = {2011},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cryptoeprint:2011:023,<br />
author = {Ming Duan and Xuejia Lai},<br />
title = {Improved zero-sum distinguisher for full round Keccak-f permutation},<br />
howpublished = {Cryptology ePrint Archive, Report 2011/023},<br />
year = {2011},<br />
url = {http://eprint.iacr.org/2011/023.pdf},<br />
abstract = {K$\textsc{eccak}$ is one of the five hash functions selected for the final round of the SHA-3 competition and its inner primitive is a permutation called K$\textsc{eccak}$-$f$. In this paper, we find that for the inverse of the only one nonlinear transformation of K$\textsc{eccak}$-$f$, the algebraic degrees of any output coordinate and of the product of any two output coordinates are both 3 and also 2 less than its size 5. Combining the observation with a proposition from an upper bound on the degree of iterated permutations, we improve the zero-sum distinguisher of full 24 rounds K$\textsc{eccak}$-$f$ permutation by lowering the size of the zero-sum partition from $2^{1590}$ to $2^{1579}$.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{KeccakBernstein10,<br />
author = {Daniel J. Bernstein},<br />
title = {Second preimages for 6 (7? (8??)) rounds of Keccak?},<br />
url = {http://ehash.iaik.tugraz.at/uploads/6/65/NIST-mailing-list_Bernstein-Daemen.txt},<br />
howpublished = {NIST mailing list},<br />
year = {2010},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cryptoeprint:2010:589,<br />
author = {Christina Boura and Anne Canteaut and Christophe De Canniere},<br />
title = {Higher-order differential properties of Keccak and Luffa},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/589},<br />
year = {2010},<br />
url = {http://eprint.iacr.org/2010/589.pdf},<br />
abstract = {In this paper, we identify higher-order differential and zero-sum properties in the full Keccak-f permutation, in the Luffa v1 hash function, and in components of the Luffa v2 algorithm. These structural properties rely on a new bound on the degree of iterated permutations with a nonlinear layer composed of parallel applications of smaller balanced Sboxes. These techniques yield zero-sum partitions of size $2^{1590}$ for the full Keccak-f permutation and several observations on the Luffa hash family. We first show that Luffa v1 applied to one-block messages is a function of 255 variables with degree at most 251. This observation leads to the construction of a higher-order differential distinguisher for the full Luffa v1 hash function, similar to the one presented by Watanabe et al. on a reduced version. We show that similar techniques can be used to find all-zero higher-order differentials in the Luffa v2 compression function, but the additional blank round destroys this property in the hash function.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{sacBC10,<br />
author = {Christina Boura and Anne Canteaut},<br />
title = {Zero-Sum Distinguishers for Iterated Permutations and Application to Keccak-f and Hamsi-256},<br />
url = {http://www-rocq.inria.fr/secret/Christina.Boura/data/sac.pdf},<br />
booktitle = {SAC},<br />
year = {2010},<br />
series = {LNCS},<br />
pages = {1-17},<br />
publisher = {Springer},<br />
volume = {6544},<br />
abstract = {The zero-sum distinguishers introduced by Aumasson and Meier are investigated. First, the minimal size of a zero-sum is established. Then, we analyze the impacts of the linear and the nonlinear layers in an iterated permutation on the construction of zero-sum partitions. Finally, these techniques are applied to the Keccak-f permutation and to Hamsi-256. We exhibit several zero-sum partitions for 20 rounds (out of 24) of Keccak-f and some zero-sum partitions of size $2^{19}$ and $2^{10}$ for the finalization permutation in Hamsi-256.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{keccakMS10,<br />
author = {Pawel Morawiecki and Marian Srebrny},<br />
title = {A SAT-based preimage analysis of reduced KECCAK hash functions},<br />
url = {http://eprint.iacr.org/2010/285.pdf},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/285},<br />
year = {2010},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{KeccakNoteZeroSum,<br />
author = {G. Bertoni and J. Daemen and M. Peeters and G. Van Assche},<br />
title = {Note on zero-sum distinguishers of Keccak-f},<br />
url = {http://keccak.noekeon.org/NoteZeroSum.pdf},<br />
howpublished = {NIST mailing list},<br />
year = {2010},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{keccakBC10,<br />
author = {Christina Boura and Anne Canteaut},<br />
title = {A Zero-Sum property for the Keccak-f Permutation with 18 Rounds},<br />
url = {http://www-roc.inria.fr/secret/Anne.Canteaut/Publications/zero_sum.pdf},<br />
howpublished = {NIST mailing list},<br />
year = {2010},<br />
abstract = {A new type of distinguishing property, named the zero-sum property<br />
has been recently presented by Aumasson and Meier [1]. It has<br />
been applied to the inner permutation of the hash function Keccak<br />
and it has led to a distinguishing property for the Keccak-f permutation<br />
up to 16 rounds, out of 24 in total. Here, we additionally exploit<br />
some spectral properties of the Keccak-f permutation and we improve<br />
the previously known upper bounds on the degree of the inverse<br />
permutation after a certain number of rounds. This result enables us<br />
to extend the zero-sum property to 18 rounds of the Keccak-f permutation,<br />
which was the number of rounds in the previous version of<br />
Keccak submitted to the SHA-3 competition.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{keccakAM09,<br />
author = {Jean-Philippe Aumasson and Willi Meier},<br />
title = {Zero-sum distinguishers for reduced Keccak-f and for the core functions of Luffa and Hamsi},<br />
url = {http://www.131002.net/data/papers/AM09.pdf},<br />
howpublished = {NIST mailing list},<br />
year = {2009},<br />
abstract = {We present a new type of distinguisher, called zero-sum distinguisher, and apply it to reduced versions of the Keccak-f permutation. We obtain practical and deterministic distinguishers on up to 9 rounds, and shortcut distinguishers on up to 16 rounds, out of 18 in total. These observations do not seem to affect the security of Keccak. We also briefly describe application of zero-sum distinguishers to the core permutations of Luffa and Hamsi.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{keccakLathrop09,<br />
author = {Joel Lathrop},<br />
title = {Cube Attacks on Cryptographic Hash Functions},<br />
url = {http://www.cs.rit.edu/~jal6806/thesis/thesis.pdf},<br />
howpublished = {Available online},<br />
year = {2009},<br />
abstract = {The thesis includes a successful cube attack against 4-round Keccak complete with a table of maxterms, analysis of the attack, and the estimated limits of its extension to higher numbers of rounds.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{keccakAK09,<br />
author = {Jean-Philippe Aumasson and Dmitry Khovratovich},<br />
title = {First Analysis of Keccak},<br />
url = {http://131002.net/data/papers/AK09.pdf},<br />
howpublished = {Available online},<br />
year = {2009},<br />
abstract = {We apply known automated cryptanalytic tools to the Keccak-f[1600] permutation, using<br />
a triangulation tool to solve the CICO problem, and cube testers to detect some structure in the<br />
algebraic description of the reduced Keccak-f[1600]. The applicability of our tools was notably limited<br />
by the strength of the inverse permutation.},<br />
}<br />
</bibtex></div>
Author: Mschlaeffer

Revision: The SHA-3 Zoo, 2011-05-03T13:52:34Z, https://ehash.iaik.tugraz.at/index.php?title=The_SHA-3_Zoo&diff=3711
<p>Mschlaeffer: </p>
<hr />
<div>The SHA-3 Zoo (work in progress) is a collection of cryptographic hash functions (in alphabetical order) submitted to the [http://www.nist.gov/hash-competition SHA-3 contest] (see also [http://en.wikipedia.org/wiki/SHA-3 here]). It aims to provide an overview of the design and cryptanalysis of all submissions. A list of all [[SHA-3 submitters]] is also available. For a software-performance overview, see [http://bench.cr.yp.to/ebash.html eBASH]. On a separate page, we also collect [[SHA-3_Hardware_Implementations | hardware implementation results]] of the candidates. Another categorization of the SHA-3 submissions can be found [http://eprint.iacr.org/2008/511.pdf here].<br />
<br />
The idea of the SHA-3 Zoo is to give a good overview of cryptanalytic results. We try to avoid passing additional judgement on whether a submission is broken; that question is left to NIST. However, we categorize the cryptanalytic results by their impact, from purely theoretical to practical attacks. A detailed description is given in [[Cryptanalysis Categories]].<br />
<br />
At this time, 56 out of 64 submissions to the SHA-3 competition are publicly known and available. 51 submissions advanced to [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/index.html round 1], 14 submissions made it into [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/index.html round 2], and 5 candidates were selected for the [http://csrc.nist.gov/groups/ST/hash/sha-3/Round3/index.html final].<br />
<br />
The following table gives a first impression of the remaining SHA-3 candidates. It shows only the best known attack; more detailed results are collected on the individual hash function pages. A description of the main table is given [[Cryptanalysis_Categories#Main_Cryptanalysis_Table | here]].<br />
<br />
<br />
<br />
The 5 finalists of the SHA-3 competition are:<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable" style="text-align:center"<br />
|- style="background:#efefef;"<br />
! width="120"| Hash Name !! width="160" | Principal Submitter !! width="150"| Best Attack on Main NIST Requirements !! width="140"| Best Attack on other Hash Requirements<br />
|-<br />
| [[BLAKE]] || Jean-Philippe Aumasson || ||<br />
|-<br />
| [[Groestl|Grøstl]] || Lars R. Knudsen || ||<br />
|-<br />
| [[JH]] || Hongjun Wu || style="background:greenyellow" | preimage ||<br />
|- <br />
| [[Keccak]] || The Keccak Team || ||<br />
|-<br />
| [[Skein]] || Bruce Schneier || ||<br />
|- <br />
|}<br />
<br />
<br />
[http://ehash.iaik.tugraz.at/index.php?title=Special:Recentchangeslinked&target=The_SHA-3_Zoo&days=7&limit=50&hideminor=1 Recent updates of the SHA-3 Zoo]<br />
<br />
<font color=red>new: </font>[[SHA-3 related events]]<br />
<br />
Is your analysis not mentioned? Drop us a line at sha3zoo@iaik.tugraz.at to let us know!<br />
<br />
The following SHA-3 candidates advanced to round 2 but did not get into the final:<br />
<br />
[http://ehash.iaik.tugraz.at/uploads/c/ce/20090922-2230_SHA-3_round2_tweaks.pdf Round 2 tweaks for all candidates]<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable" style="text-align:center"<br />
|- style="background:#efefef;"<br />
! width="120"| Hash Name !! width="160" | Principal Submitter !! width="150"| Best Attack on Main NIST Requirements !! width="140"| Best Attack on other Hash Requirements<br />
|-<br />
| [[Blue Midnight Wish]] || Svein Johan Knapskog || ||<br />
|-<br />
| [[CubeHash]] || Daniel J. Bernstein || style="background:greenyellow" | preimage ||<br />
|-<br />
| [[ECHO]] || Henri Gilbert || ||<br />
|- <br />
| [[Fugue]] || Charanjit S. Jutla || ||<br />
|- <br />
| [[Hamsi]] || Özgül Küçük || ||<br />
|-<br />
| [[Luffa]] || Dai Watanabe || ||<br />
|-<br />
| [[Shabal]] || Jean-François Misarsky || ||<br />
|-<br />
| [[SHAvite-3]] || Orr Dunkelman || ||<br />
|-<br />
| [[SIMD]] || Gaëtan Leurent || ||<br />
|-<br />
|}<br />
<br />
<br />
<br />
<br />
<br />
The following submitted hash functions have not advanced to round 2:<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable" style="text-align:center"<br />
|- style="background:#efefef;"<br />
! width="120"| Hash Name !! width="160" | Principal Submitter !! width="120" | Status !! width="150"| Best Attack on Main NIST Requirements !! width="140"| Best Attack on other Hash Requirements<br />
|-<br />
| [[Abacus]] || Neil Sholer || in round 1 || style="background:orange" | 2nd-preimage ||<br />
|-<br />
| [[ARIRANG]] || Jongin Lim || in round 1 || ||<br />
|- <br />
| [[AURORA]] || Masahiro Fujita || in round 1|| style="background:orange"| 2nd preimage ||<br />
|-<br />
| [[Blender]] || Colin Bradbury || in round 1|| style="background:orange" | collision, preimage || near-collision<br />
|- <br />
| [[Boole]] || Greg Rose || in round 1 || style="background:red" | collision ||<br />
|- <br />
| [[Cheetah]] || Dmitry Khovratovich || in round 1|| || length-extension<br />
|-<br />
| [[CHI]] || Phillip Hawkes || in round 1|| ||<br />
|- <br />
| [[CRUNCH]] || Jacques Patarin || in round 1|| || length-extension<br />
|-<br />
| [[DCH]] || David A. Wilson || in round 1 || style="background:red" | collision ||<br />
|-<br />
| [[Dynamic SHA]] || Xu Zijie || in round 1|| style="background:red"|collision || length-extension <br />
|-<br />
| [[Dynamic SHA2]] || Xu Zijie || in round 1|| style="background:orange"|collision || length-extension<br />
|-<br />
| [[ECOH]] || Daniel R. L. Brown || in round 1|| style="background:orange"| 2nd preimage ||<br />
|-<br />
| [[Edon-R (SHA-3 submission)|Edon-R]] || Danilo Gligoroski || in round 1|| style="background:yellow" | preimage ||<br />
|-<br />
| [[EnRUPT]] || Sean O'Neil || in round 1|| style="background:red" | collision ||<br />
|- <br />
| [[ESSENCE]] || Jason Worth Martin || in round 1|| style="background:orange" | collision ||<br />
|-<br />
| [[FSB (SHA-3 submission) | FSB]] || Matthieu Finiasz || in round 1|| ||<br />
|-<br />
| [[HASH 2X]] || Jason Lee || not in round 1 || style="background:red" | 2nd-preimage ||<br />
|-<br />
| [[Khichidi-1]] || M. Vidyasagar || in round 1 || style="background:red" | collision ||<br />
|-<br />
| [[LANE]] || Sebastiaan Indesteege || in round 1|| ||<br />
|- <br />
| [[Lesamnta]] || Hirotaka Yoshida || in round 1|| ||<br />
|-<br />
| [[LUX]] || Ivica Nikolić || in round 1|| style="background:orange" | collision, 2nd preimage || DRBG,HMAC<br />
|- <br />
| [[Maraca]] || Robert J. Jenkins || not in round 1 || style="background:red" | preimage ||<br />
|- <br />
| [[MCSSHA-3]] || Mikhail Maslennikov || in round 1|| style="background:orange" | 2nd preimage ||<br />
|- <br />
| [[MD6]] || Ronald L. Rivest || in round 1|| ||<br />
|- <br />
| [[MeshHash]] || Björn Fay || in round 1 || style="background:orange" | 2nd preimage ||<br />
|- <br />
| [[NaSHA]] || Smile Markovski || in round 1|| style="background:orange" | collision ||<br />
|-<br />
| [[NKS2D]] || Geoffrey Park || not in round 1 || style="background:red" | collision ||<br />
|-<br />
| [[Ponic]] || Peter Schmidt-Nielsen || not in round 1 || style="background:yellow" | 2nd-preimage ||<br />
|-<br />
| [[SANDstorm]] || Rich Schroeppel || in round 1|| ||<br />
|-<br />
| [[Sarmal]] || Kerem Varıcı || in round 1|| style="background:yellow" | preimage ||<br />
|- <br />
| [[Sgàil]] || Peter Maxwell || in round 1|| style="background:red" | collision ||<br />
|-<br />
| [[SHAMATA]] || Orhun Kara || in round 1 || style="background:red" | collision ||<br />
|-<br />
| [[Spectral Hash]] || Çetin Kaya Koç || in round 1|| style="background:red" | collision ||<br />
|-<br />
| [[StreamHash]] || Michal Trojnara || in round 1 || style="background:red" | collision ||<br />
|-<br />
| [[SWIFFTX]] || Daniele Micciancio || in round 1|| ||<br />
|-<br />
| [[Tangle]] || Rafael Alvarez || in round 1 || style="background:red" | collision ||<br />
|-<br />
| [[TIB3]] || Daniel Penazzi || in round 1|| style="background:yellow" | collision ||<br />
|-<br />
| [[Twister]] || Michael Gorski || in round 1|| style="background:orange" | preimage ||<br />
|- <br />
| [[Vortex (SHA-3 submission)|Vortex]] || Michael Kounavis || in round 1|| style="background:yellow" | preimage ||<br />
|-<br />
| [[WaMM]] || John Washburn || in round 1 || style="background:red" | collision ||<br />
|-<br />
| [[Waterfall]] || Bob Hattersley || in round 1 || style="background:orange" | collision ||<br />
|-<br />
| [[ZK-Crypt]] || Carmi Gressel || not in round 1 || ||<br />
|}</div>Mschlaefferhttps://ehash.iaik.tugraz.at/index.php?title=BLAKE&diff=3707BLAKE2011-04-22T08:26:05Z<p>Mschlaeffer: references updated</p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Jean-Philippe Aumasson, Luca Henzen, Willi Meier, Raphael C.-W. Phan<br />
* Website: [http://131002.net/blake/ http://131002.net/blake/]<br />
* NIST submission package: <br />
** Round 3: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round3/documents/Blake_FinalRnd.zip Blake_FinalRnd.zip]<br />
** Round 1/2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/BLAKE_Round2.zip BLAKE_Round2.zip] (old versions: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/BLAKE.zip BLAKE.zip], [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/BLAKEUpdate.zip BLAKEUpdate.zip])<br />
<br />
<br />
<bibtex><br />
@misc{sha3AumassonHMP10,<br />
author = {Jean-Philippe Aumasson and Luca Henzen and Willi Meier and Raphael C.-W. Phan},<br />
title = {SHA-3 proposal BLAKE},<br />
url = {http://131002.net/blake/blake.pdf},<br />
howpublished = {Submission to NIST (Round 3)},<br />
year = {2010},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3AumassonHMP08,<br />
author = {Jean-Philippe Aumasson and Luca Henzen and Willi Meier and Raphael C.-W. Phan},<br />
title = {SHA-3 proposal BLAKE},<br />
url = {http://ehash.iaik.tugraz.at/uploads/0/06/Blake.pdf},<br />
howpublished = {Submission to NIST (Round 1/2)},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
Recommended security parameter: '''14''' rounds (n=224,256); '''16''' rounds (n=384,512)<br />
<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| preimage || 224,256 || 2.5 rounds || 2<sup>n-15</sup> || - || [http://eprint.iacr.org/2009/238.pdf Ji,Liangyu]<br />
|-<br />
| preimage || 384 || 2.5 rounds || 2<sup>355</sup> || - || [http://eprint.iacr.org/2009/238.pdf Ji,Liangyu]<br />
|-<br />
| preimage || 512 || 2.5 rounds || 2<sup>481</sup> || - || [http://eprint.iacr.org/2009/238.pdf Ji,Liangyu]<br />
|-<br />
|} <br />
<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control of, or access to, some internal variables than an attacker on the full hash function has (so-called free-start, pseudo, compression function, block cipher, or permutation attacks). <br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|-<br />
| semi-free-start near-collisions || compression function || 256 || 2 rounds || 2<sup>26</sup> || - || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/TURAN_Paper_Erdener.pdf Turan,Uyan]<br />
|-<br />
| collision || hash || all || toy version BLOKE || example || - || [http://lkrv.fri.uni-lj.si/~janos/blake/collisions.pdf Vidali,Nose,Pašalic]<br />
|-<br />
| semi-free-start collision || compression function || all || toy version BRAKE || example || - || [http://lkrv.fri.uni-lj.si/~janos/blake/collisions.pdf Vidali,Nose,Pašalic]<br />
|-<br />
| near-collision || compression function || 256 || 4 rounds (No. 4-7) || 2<sup>21</sup> || - || [http://eprint.iacr.org/2010/355.pdf Su,Wu,Wu,Dong]<br />
|-<br />
| near-collision || compression function || 512 || 4 rounds (No. 7-10) || 2<sup>16</sup> || - || [http://eprint.iacr.org/2010/355.pdf Su,Wu,Wu,Dong]<br />
|-<br />
| near-collision || compression function || 512 || 5 rounds (No. 7-11) || 2<sup>216</sup> || - || [http://eprint.iacr.org/2010/355.pdf Su,Wu,Wu,Dong]<br />
|-<br />
| observations || hash || all || || || || [http://people.item.ntnu.no/~danilog/Hash/Non-random-behaviour-narrow-pipe-designs-03.pdf Gligoroski]<br />
|-<br />
| impossible differential || permutation || 224,256 || 5 rounds || - || - || [http://eprint.iacr.org/2010/043.pdf Aumasson,Guo,Knellwolf,Matusiewicz,Meier]<br />
|-<br />
| impossible differential || permutation || 384,512 || 6 rounds || - || - || [http://eprint.iacr.org/2010/043.pdf Aumasson,Guo,Knellwolf,Matusiewicz,Meier]<br />
|-<br />
| near-collision || compression function || 256 || 4 rounds (No. 3-6) || 2<sup>56</sup> || - || [http://www.jguo.org/docs/blake-col.pdf Guo,Matusiewicz]<br />
|-<br />
| free-start collision || hash || 224,256 || 2.5 rounds || 2<sup>n/2-16</sup> || - || [http://eprint.iacr.org/2009/238.pdf Ji,Liangyu]<br />
|-<br />
| free-start collision || hash || 384,512 || 2.5 rounds || 2<sup>n/2-32</sup> || - || [http://eprint.iacr.org/2009/238.pdf Ji,Liangyu]<br />
|-<br />
|} <br />
<br />
<br />
<bibtex><br />
@misc{blakeTU10,<br />
author = {Meltem Sönmez Turan and Erdener Uyan},<br />
title = {Practical Near-Collisions for Reduced Round Blake, Fugue, Hamsi and JH},<br />
howpublished = {Second SHA-3 Candidate Conference},<br />
year = {2010},<br />
url = {http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/TURAN_Paper_Erdener.pdf},<br />
abstract = {A hash function is near-collision resistant, if it is hard to find two messages with hash values that differ in only a small number of bits. In this study, we use hill climbing methods to evaluate the near-collision resistance of some of the round SHA-3 candidates. We practically obtained (i) 184/256-bit near-collision for the 2-round compression function of Blake-32; (ii) 192/256-bit near-collision for the 2-round compression function of Hamsi-256; (iii) 820/1024-bit near-collisions for 10-round compression function of JH. We also observed practical collisions and near-collisions for reduced versions of F-256 function used in Fugue.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{iplVNP10,<br />
author = {Janoš Vidali and Peter Nose and Enes Pašalic},<br />
title = {Collisions for variants of the BLAKE hash function},<br />
url = {http://lkrv.fri.uni-lj.si/~janos/blake/collisions.pdf},<br />
booktitle = {Information Processing Letters},<br />
volume = {110},<br />
issue = {14-15},<br />
month = {July},<br />
year = {2010},<br />
pages = {585--590},<br />
publisher = {Elsevier North-Holland, Inc.},<br />
abstract = {In this paper we present an attack to the BLOKE and BRAKE hash functions, which are weakened versions of the SHA-3 candidate BLAKE. In difference to BLAKE, the BLOKE hash function does not permute the message words and constants in the round computation of the compression function, and BRAKE additionally removes feedforward and zeroes the constants used in each round of the compression function. We show that in these cases we can efficiently find, for any intermediate hash value, a fixed-point block giving us an internal collision, thus producing collisions for messages of equal length in case of BLOKE, and internal collisions for BRAKE.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{skeinSuWWD10,<br />
author = {Bozhan Su and Wenling Wu and Shuang Wu and Le Dong},<br />
title = {Near-Collisions on the Reduced-Round Compression Functions of Skein and BLAKE},<br />
booktitle = {CANS},<br />
year = {2010},<br />
pages = {124-139},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {6467},<br />
url = {http://eprint.iacr.org/2010/355.pdf},<br />
abstract = {The SHA-3 competition organized by NIST aims to find a new hash standard as a replacement of SHA-2. Till now, 14 submissions have been selected as the second round candidates, including Skein and BLAKE, both of which have components based on modular addition, rotation and bitwise XOR (ARX). In this paper, we propose improved near-collision attacks on the reduced-round compression functions of Skein and a variant of BLAKE. The attacks are based on linear differentials of the modular additions. The computational complexity of near-collision attacks on a 4-round compression function of BLAKE-32, 4-round and 5-round compression functions of BLAKE-64 are 2^{21}, 2^{16} and 2^{216} respectively, and the attacks on a 24-round compression functions of Skein-256, Skein-512 and Skein-1024 have a complexity of 2^{60}, 2^{230} and 2^{395} respectively.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{blakeGli10,<br />
author = {Danilo Gligoroski},<br />
title = {Narrow-pipe SHA-3 candidates differ significantly from ideal random functions defined over big domains},<br />
url = {http://people.item.ntnu.no/~danilog/Hash/Non-random-behaviour-narrow-pipe-designs-03.pdf},<br />
howpublished = {NIST hash function mailing list},<br />
year = {2010},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{cryptoeprint:2010:043,<br />
author = {Jean-Philippe Aumasson and Jian Guo and Simon Knellwolf<br />
and Krystian Matusiewicz and Willi Meier},<br />
title = {Differential and invertibility properties of BLAKE},<br />
booktitle = {FSE},<br />
year = {2010},<br />
pages = {318-332},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {6147},<br />
url = {http://eprint.iacr.org/2010/043.pdf},<br />
abstract = {BLAKE is a hash function selected by NIST as one of<br />
the 14 second round candidates for the SHA-3 Competition. In this<br />
paper, we follow a bottom-up approach to exhibit properties of BLAKE<br />
and of its building blocks: based on differential properties of the<br />
internal function G, we show that a round of BLAKE is a permutation on<br />
the message space, and present an efficient inversion algorithm. For<br />
1.5 rounds we present an algorithm that finds preimages faster than in<br />
previous attacks. Discovered properties lead us to describe large<br />
classes of impossible differentials for two rounds of BLAKE’s internal<br />
permutation, and particular impossible differentials for five and six<br />
rounds, respectively for BLAKE- 32 and BLAKE-64. Then, using a linear<br />
and rotation-free model, we describe near-collisions for four rounds<br />
of the compression function. Finally, we discuss the problem of<br />
establishing upper bounds on the probability of differential<br />
characteristics for BLAKE.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{blakeGM09,<br />
author = {Jian Guo and Krystian Matusiewicz},<br />
title = {Round-Reduced Near-Collisions of BLAKE-32},<br />
howpublished = {Accepted for presentation at WEWoRC 2009},<br />
url = {http://www.jguo.org/docs/blake-col.pdf},<br />
year = {2009}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cryptoeprint:2009:238,<br />
author = {Li Ji and Xu Liangyu},<br />
title = {Attacks on Round-Reduced BLAKE},<br />
howpublished = {Cryptology ePrint Archive, Report 2009/238},<br />
year = {2009},<br />
url = {http://eprint.iacr.org/2009/238.pdf},<br />
abstract = {BLAKE is a new hash family proposed for SHA-3. The<br />
core of compression function reuses the core function of ChaCha. A<br />
round-dependent permutation is used as message schedule. BLAKE is<br />
claimed to achieve full diffusion after 2 rounds. However, message<br />
words can be controlled on the first several rounds. By exploiting<br />
properties of message permutation, we can attack 2.5 reduced rounds.<br />
The results do not threaten the security claimed in the specification.<br />
},<br />
}<br />
</bibtex></div>Mschlaefferhttps://ehash.iaik.tugraz.at/index.php?title=Skein&diff=3706Skein2011-04-22T08:22:03Z<p>Mschlaeffer: references updated</p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Niels Ferguson, Stefan Lucks, Bruce Schneier, Doug Whiting, Mihir Bellare, Tadayoshi Kohno, Jon Callas, Jesse Walker<br />
* Website: [http://www.schneier.com/skein.html http://www.schneier.com/skein.html]; [http://skein-hash.info/ http://skein-hash.info/]<br />
* NIST submission package: <br />
** Round 3: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round3/documents/Skein_FinalRnd.zip Skein_FinalRnd.zip]<br />
** Round 2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/Skein_Round2.zip Skein_Round2.zip]<br />
** Round 1: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/SkeinUpdate.zip SkeinUpdate.zip] (old version: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/Skein.zip Skein.zip])<br />
<br />
<br />
<bibtex><br />
@misc{sha3F+10,<br />
author = {Niels Ferguson and Stefan Lucks and Bruce Schneier and Doug Whiting and Mihir Bellare and Tadayoshi Kohno and Jon Callas and Jesse Walker},<br />
title = {The Skein Hash Function Family},<br />
url = {http://www.skein-hash.info/sites/default/files/skein1.3.pdf},<br />
howpublished = {Submission to NIST (Round 3)},<br />
year = {2010},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3F+09,<br />
author = {Niels Ferguson and Stefan Lucks and Bruce Schneier and Doug Whiting and Mihir Bellare and Tadayoshi Kohno and Jon Callas and Jesse Walker},<br />
title = {The Skein Hash Function Family},<br />
url = {http://www.skein-hash.info/sites/default/files/skein1.2.pdf},<br />
howpublished = {Submission to NIST (Round 2)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3F+08,<br />
author = {Niels Ferguson and Stefan Lucks and Bruce Schneier and Doug Whiting and Mihir Bellare and Tadayoshi Kohno and Jon Callas and Jesse Walker},<br />
title = {The Skein Hash Function Family},<br />
url = {http://www.skein-hash.info/sites/default/files/skein1.1.pdf},<br />
howpublished = {Submission to NIST (Round 1)},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
Recommended security parameter: '''72''' rounds (Skein-512)<br />
<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| || || || || ||<br />
|- <br />
|}<br />
<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control of, or access to, some internal variables than an attacker on the full hash function has (so-called free-start, pseudo, compression function, block cipher, or permutation attacks). <br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|-<br />
| distinguisher || compression function || all || 57 rounds (Round 2) || 2<sup>503</sup> || - || [http://eprint.iacr.org/2010/538.pdf Khovratovich,Nikolić,Rechberger]<br />
|-<br />
| distinguisher || compression function || 256 || 53 rounds (Round 2) || 2<sup>251</sup>, Skein-256 || - || [http://eprint.iacr.org/2010/538.pdf Khovratovich,Nikolić,Rechberger]<br />
|-<br />
| near-collision || compression function || all || 24 rounds (No. 20-43) || 2<sup>230</sup> || - || [http://eprint.iacr.org/2010/355.pdf Su,Wu,Wu,Dong]<br />
|-<br />
| near-collision || compression function || 256 || 24 rounds (No. 12-35), Skein-256 || 2<sup>60</sup> || - || [http://eprint.iacr.org/2010/355.pdf Su,Wu,Wu,Dong]<br />
|-<br />
| near-collision || compression function || all || 24 rounds, Skein-1024 || 2<sup>395</sup> || - || [http://eprint.iacr.org/2010/355.pdf Su,Wu,Wu,Dong]<br />
|-<br />
| observations || hash || all || || || || [http://people.item.ntnu.no/~danilog/Hash/Non-random-behaviour-narrow-pipe-designs-03.pdf Gligoroski]<br />
|-<br />
| observations || block cipher || all || - || - || - || [http://eprint.iacr.org/2010/282.pdf McKay,Vora]<br />
|-<br />
| observations || compression function || all || - || - || - || [http://eprint.iacr.org/2010/262.pdf Kaminsky]<br />
|-<br />
| key recovery || block cipher || 256 || 39 rounds || 2<sup>254.1</sup> || - || [http://cryptolux.org/mediawiki/uploads/5/5b/Rotational_Cryptanalysis_of_Skein.pdf Khovratovich,Nikolic]<br />
|-<br />
| key recovery || block cipher || 512 || 42 rounds|| 2<sup>507</sup> || - || [http://cryptolux.org/mediawiki/uploads/5/5b/Rotational_Cryptanalysis_of_Skein.pdf Khovratovich,Nikolic]<br />
|- <br />
| key recovery || block cipher || 512 || 32 rounds (Round 1) || 2<sup>226</sup> (2<sup>222</sup>) || 2<sup>12</sup> || [http://eprint.iacr.org/2009/526.pdf Chen,Jia]<br />
|- <br />
| key recovery || block cipher || 512 || 33 rounds (Round 1) || 2<sup>352.17</sup> (2<sup>355.5</sup>) || - || [http://eprint.iacr.org/2009/526.pdf Chen,Jia]<br />
|-<br />
| near-collision || compression function || 512 || 17 rounds (Round 1) || 2<sup>24</sup> || - || [http://eprint.iacr.org/2009/438.pdf Aumasson,Calik,Meier,Ozen,Phan,Varici]<br />
|- <br />
| distinguisher || block cipher || 512 || 35 rounds (Round 1) || 2<sup>478</sup> || - || [http://eprint.iacr.org/2009/438.pdf Aumasson,Calik,Meier,Ozen,Phan,Varici]<br />
|- <br />
| impossible differential || block cipher || 512 || 21 rounds (Round 1) || - || - || [http://eprint.iacr.org/2009/438.pdf Aumasson,Calik,Meier,Ozen,Phan,Varici]<br />
|- <br />
| key recovery || block cipher || 512 || 32 rounds (Round 1) || 2<sup>312</sup> || - || [http://eprint.iacr.org/2009/438.pdf Aumasson,Calik,Meier,Ozen,Phan,Varici]<br />
|- <br />
|} <br />
<br />
<br />
<bibtex><br />
@inproceedings{skeinKNR10,<br />
author = {Dmitry Khovratovich and Ivica Nikolić and Christian Rechberger},<br />
title = {Rotational Rebound Attacks on Reduced Skein},<br />
booktitle = {ASIACRYPT},<br />
year = {2010},<br />
pages = {1-19},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {6477},<br />
url = {http://eprint.iacr.org/2010/538.pdf},<br />
abstract = {In this paper we combine the recent rotational cryptanalysis with the rebound attack, which results in the best cryptanalysis of Skein, a candidate for the SHA-3 competition. The rebound attack approach was so far only applied to AES-like constructions. For the first time, we show that this approach can also be applied to very different constructions. In more detail, we develop a number of techniques that extend the reach of both the inbound and the outbound phase, leading to rotational collisions for about 53/57 out of the 72 rounds of the Skein-256/512 compression function and the Threefish cipher. At this point, the results do not threaten the security of the full-round Skein hash function.<br />
<br />
The new techniques include an analytical search for optimal input values in the rotational cryptanalysis, which allows to extend the outbound phase of the attack with a precomputation phase, an approach never used in any rebound-style attack before. Further we show how to combine multiple inside-out computations and neutral bits in the inbound phase of the rebound attack, and give well-defined rotational distinguishers as certificates of weaknesses for the compression functions and block ciphers.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{skeinSuWWD10,<br />
author = {Bozhan Su and Wenling Wu and Shuang Wu and Le Dong},<br />
title = {Near-Collisions on the Reduced-Round Compression Functions of Skein and BLAKE},<br />
booktitle = {CANS},<br />
year = {2010},<br />
pages = {124-139},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {6467},<br />
url = {http://eprint.iacr.org/2010/355.pdf},<br />
abstract = {The SHA-3 competition organized by NIST aims to find a new hash standard as a replacement of SHA-2. Till now, 14 submissions have been selected as the second round candidates, including Skein and BLAKE, both of which have components based on modular addition, rotation and bitwise XOR (ARX). In this paper, we propose improved near-collision attacks on the reduced-round compression functions of Skein and a variant of BLAKE. The attacks are based on linear differentials of the modular additions. The computational complexity of near-collision attacks on a 4-round compression function of BLAKE-32, 4-round and 5-round compression functions of BLAKE-64 are 2^{21}, 2^{16} and 2^{216} respectively, and the attacks on a 24-round compression functions of Skein-256, Skein-512 and Skein-1024 have a complexity of 2^{60}, 2^{230} and 2^{395} respectively.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{skeinGli10,<br />
author = {Danilo Gligoroski},<br />
title = {Narrow-pipe SHA-3 candidates differ significantly from ideal random functions defined over big domains},<br />
url = {http://people.item.ntnu.no/~danilog/Hash/Non-random-behaviour-narrow-pipe-designs-03.pdf},<br />
howpublished = {NIST mailing list},<br />
year = {2010},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{skeinMV10,<br />
author = {Kerry A. McKay and Poorvi L. Vora},<br />
title = {Pseudo-Linear Approximations for ARX Ciphers: With Application to Threefish},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/282},<br />
year = {2010},<br />
url = {http://eprint.iacr.org/2010/282.pdf},<br />
abstract = {The operations addition modulo 2^n and exclusive-or have recently been combined to obtain an efficient mechanism for nonlinearity in block cipher design. In this paper, we show that ciphers using this approach may be approximated by pseudo-linear expressions relating groups of contiguous bits of the round key, round input, and round output. The bias of an approximation can be large enough for known plaintext attacks. We demonstrate an application of this concept to a reduced-round version of the Threefish block cipher, a component of the Skein entry in the secure hash function competition.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{skeinKam10,<br />
author = {Alan Kaminsky},<br />
title = {Cube Test Analysis of the Statistical Behavior of CubeHash and Skein},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/262},<br />
year = {2010},<br />
url = {http://eprint.iacr.org/2010/262.pdf},<br />
abstract = {This work analyzes the statistical properties of the SHA-3 candidate cryptographic hash algorithms CubeHash and Skein to try to find nonrandom behavior. Cube tests were used to probe each algorithm's internal polynomial structure for a large number of choices of the polynomial input variables. The cube test data were calculated on a 40-core hybrid SMP cluster parallel computer. The cube test data were subjected to three statistical tests: balance, independence, and off-by-one. Although isolated statistical test failures were observed, the balance and off-by-one tests did not find nonrandom behavior overall in either CubeHash or Skein. However, the independence test did find nonrandom behavior overall in both CubeHash and Skein. }<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{skeinKN10,<br />
author = {Dmitry Khovratovich and Ivica Nikolić},<br />
title = {Rotational Cryptanalysis of ARX},<br />
booktitle = {FSE},<br />
year = {2010},<br />
pages = {333-346},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {6147},<br />
url = {http://cryptolux.org/mediawiki/uploads/5/5b/Rotational_Cryptanalysis_of_Skein.pdf},<br />
abstract = {In this paper we analyze the security of systems based on<br />
modular additions, rotations, and XORs (ARX systems). We provide<br />
both theoretical support for their security and practical cryptanalysis of<br />
real ARX primitives. We use a technique called rotational cryptanalysis,<br />
that is universal for the ARX systems and is quite efficient. We illustrate<br />
the method with the best known attack on reduced versions of the block<br />
cipher Threefish (the core of Skein). Additionally, we prove that ARX<br />
with constants are functionally complete, i.e. any function can be realized<br />
with these operations.<br />
},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cryptoeprint:2009:526,<br />
author = {Jiazhe Chen and Keting Jia},<br />
title = {Improved Related-key Boomerang Attacks on Round-Reduced Threefish-512},<br />
howpublished = {Cryptology ePrint Archive, Report 2009/526},<br />
year = {2009},<br />
url = {http://eprint.iacr.org/2009/526.pdf},<br />
abstract = {Hash function Skein is one of the 14 NIST SHA-3 second round candidates. Threefish is a tweakable block cipher as the core of Skein, defined with a 256-, 512-, and 1024-bit block size. The 512-bit block size is the primary proposal of the authors. In this paper we construct two related-key boomerang distinguishers on round-reduced Threefish-512 using the method of \emph{modular differential}. With a distinguisher on 32 rounds of Threefish-512, we improve the key recovery attack on 32 rounds of Threefish-512 proposed by Aumasson et al. Their attack requires $2^{312}$ encryptions and $2^{71}$ bytes of memory. However, our attack has a time complexity of $2^{226}$ encryptions with memory of $2^{12}$ bytes. Furthermore, we give a key recovery attack on Threefish-512 reduced to 33 rounds using a 33-round related-key boomerang distinguisher, with $2^{352.17}$ encryptions and negligible memory. Skein had been updated after it entered the second round and the results above are based on the original version. However, as the only differences between the original and the new version are the rotation constants, both of the methods can be applied to the new version with modified differential trails. For the new rotation constants, our attack on 32-round Threefish-512 has a time complexity $2^{222}$ and $2^{12}$ bytes' memory. Our attack on 33-round Threefish-512 has a time complexity $2^{355.5}$ and negligible memory.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{skeinA+09,<br />
author = {Jean-Philippe Aumasson and Cagdas Calik and Willi Meier and Onur Ozen and Raphael C.-W. Phan and Kerem Varici},<br />
title = {Improved Cryptanalysis of Skein},<br />
booktitle = {ASIACRYPT},<br />
year = {2009},<br />
pages = {542-559},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {5912},<br />
url = {http://eprint.iacr.org/2009/438.pdf},<br />
abstract = {The hash function Skein is the submission of Ferguson et al. to the NIST Hash Competition, and is arguably a serious candidate for selection as SHA-3. This paper presents the first third-party analysis of Skein, with an extensive study of its main component: the block cipher Threefish. We notably investigate near collisions, distinguishers, impossible differentials, key recovery using related-key differential and boomerang attacks. In particular, we present near collisions on up to 17 rounds, an impossible differential on 21 rounds, a related-key boomerang distinguisher on 34 rounds, a known-related-key boomerang distinguisher on 35 rounds, and key recovery attacks on up to 32 rounds, out of 72 in total for Threefish-512. None of our attacks directly extends to the full Skein hash. However, the pseudorandomness of Threefish is required to validate the security proofs on Skein, and our results conclude that at least 36 rounds of Threefish seem required for optimal security guarantees.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{SkeinAum09,<br />
author = {Jean-Philippe Aumasson and Willi Meier and Raphael Phan},<br />
title = {Improved analysis of Threefish},<br />
url = {http://131002.net/data/talks/threefish_rump.pdf},<br />
howpublished = {FSE 2009 rump session, slides available online},<br />
year = {2009},<br />
}<br />
</bibtex></div>Mschlaefferhttps://ehash.iaik.tugraz.at/index.php?title=Keccak&diff=3705Keccak2011-04-22T08:14:45Z<p>Mschlaeffer: references updated</p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche<br />
* Website: [http://keccak.noekeon.org/ http://keccak.noekeon.org/] <br />
* NIST submission package: <br />
** Round 3: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round3/documents/Keccak_FinalRnd.zip Keccak_FinalRnd.zip]<br />
** Round 2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/Keccak_Round2.zip Keccak_Round2.zip]<br />
** Round 1: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/Keccak.zip Keccak.zip]<br />
<br />
<br />
<bibtex><br />
@misc{KeccakSub3,<br />
author = {G. Bertoni and J. Daemen and M. Peeters and G. Van Assche},<br />
title = {The Keccak SHA-3 submission},<br />
url = {http://keccak.noekeon.org/Keccak-submission-3.pdf},<br />
howpublished = {Submission to NIST (Round 3)},<br />
year = {2011},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{KeccakRef3,<br />
author = {G. Bertoni and J. Daemen and M. Peeters and G. Van Assche},<br />
title = {The Keccak reference},<br />
url = {http://keccak.noekeon.org/Keccak-reference-3.0.pdf},<br />
howpublished = {Submission to NIST (Round 3)},<br />
year = {2011},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{KeccakSponge3,<br />
author = {G. Bertoni and J. Daemen and M. Peeters and G. Van Assche},<br />
title = {Cryptographic sponge functions},<br />
url = {http://sponge.noekeon.org/CSF-0.1.pdf},<br />
howpublished = {Submission to NIST (Round 3)},<br />
year = {2011},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{KeccakSpecs2,<br />
author = {G. Bertoni and J. Daemen and M. Peeters and G. Van Assche},<br />
title = {Keccak specifications},<br />
url = {http://keccak.noekeon.org/Keccak-specifications-2.pdf},<br />
howpublished = {Submission to NIST (Round 2)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{KeccakMain2,<br />
author = {G. Bertoni and J. Daemen and M. Peeters and G. Van Assche},<br />
title = {Keccak sponge function family main document},<br />
url = {http://keccak.noekeon.org/Keccak-main-2.0.pdf},<br />
howpublished = {Submission to NIST (Round 2)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{KeccakSpecs,<br />
author = {G. Bertoni and J. Daemen and M. Peeters and G. Van Assche},<br />
title = {Keccak specifications},<br />
url = {http://keccak.noekeon.org/Keccak-specifications.pdf},<br />
howpublished = {Submission to NIST (Round 1)},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{KeccakMain,<br />
author = {G. Bertoni and J. Daemen and M. Peeters and G. Van Assche},<br />
title = {Keccak sponge function family main document},<br />
url = {http://keccak.noekeon.org/Keccak-main-1.0.pdf},<br />
howpublished = {Submission to NIST (Round 1)},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
Recommended security parameter: '''24''' rounds (Keccak-''f'' [1600])<br />
<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| 2nd preimage || 512 || 6 rounds || 2<sup>506</sup> || 2<sup>176</sup> || [http://ehash.iaik.tugraz.at/uploads/6/65/NIST-mailing-list_Bernstein-Daemen.txt Bernstein]<br />
|- <br />
| 2nd preimage || 512 || 7 rounds || 2<sup>507</sup> || 2<sup>320</sup> || [http://ehash.iaik.tugraz.at/uploads/6/65/NIST-mailing-list_Bernstein-Daemen.txt Bernstein]<br />
|- <br />
| 2nd preimage || 512 || 8 rounds || 2<sup>511.5</sup> || 2<sup>508</sup> || [http://ehash.iaik.tugraz.at/uploads/6/65/NIST-mailing-list_Bernstein-Daemen.txt Bernstein]<br />
|- <br />
|}<br />
<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks). <br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| distinguisher || permutation || all || 24 rounds || 2<sup>1579</sup> || || [http://eprint.iacr.org/2011/023.pdf Duan,Lai]<br />
|- <br />
| distinguisher || permutation || all || 24 rounds || 2<sup>1590</sup> || || [http://eprint.iacr.org/2010/589.pdf Boura,Canteaut,DeCanniere]<br />
|- <br />
| distinguisher || permutation || all || 20 rounds || 2<sup>1586</sup> || || [http://www-rocq.inria.fr/secret/Christina.Boura/data/sac.pdf Boura,Canteaut]<br />
|- <br />
| preimage<sup>(2)</sup> || hash || 1024 || 3 rounds, 40 bit message || 1852 seconds (2<sup>34.11</sup>) || ? || [http://eprint.iacr.org/2010/285.pdf Morawiecki,Srebrny]<br />
|- <br />
| distinguisher<sup>(1)</sup> || permutation || all || 18 rounds || 2<sup>1370</sup> || || [http://www-roc.inria.fr/secret/Anne.Canteaut/Publications/zero_sum.pdf Boura,Canteaut]<br />
|- <br />
| distinguisher<sup>(1)</sup> || permutation || all || 16 rounds || 2<sup>1023.88</sup> || || [http://www.131002.net/data/papers/AM09.pdf Aumasson,Meier]<br />
|- <br />
| key recovery || secret-prefix MAC || 224 || 4 rounds || 2<sup>19</sup> || ? || [http://www.cs.rit.edu/~jal6806/thesis/thesis.pdf Lathrop]<br />
|- <br />
| observations || permutation || all || || || || [http://131002.net/data/papers/AK09.pdf Aumasson,Khovratovich]<br />
|- <br />
|}<br />
<br />
<sup>(1)</sup> The Keccak team commented on these distinguishers and provides generic constructions in [http://keccak.noekeon.org/NoteZeroSum.pdf this note].<br />
<br />
<sup>(2)</sup> The Keccak team estimated the complexity of this attack with 2<sup>34.11</sup> evaluations of 3 rounds of Keccak-f[1600] in [http://ehash.iaik.tugraz.at/uploads/5/5b/Note_SAT-basedPreimageAnalysis.txt this note] (exhaustive search: 2<sup>40</sup>).<br />
<br />
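The round-reduced variants in the tables above, and the zero-sum results of Aumasson, Meier and of Boura, Canteaut, rest on two facts that are easier to see in code than in the abstracts: a reduced Keccak-f[1600, n<sub>r</sub>] keeps the ''last'' n<sub>r</sub> round constants, and chi is the only nonlinear step, so n<sub>r</sub> rounds have algebraic degree at most 2<sup>n<sub>r</sub></sup> and the XOR of the outputs over any affine subspace of dimension larger than 2<sup>n<sub>r</sub></sup> is zero. The following Python is an added example written for this page; it is not code from the Keccak team or from any of the cited papers. It implements the permutation, the pad10*1 sponge (Keccak-256 with the Round 3 submission's padding, and SHA3-256 so the permutation can be checked against Python's standard-library hashlib), and the forward half of a zero-sum on 2 and 3 rounds. The base state and the bit positions that are varied are constructed and arbitrary. The middle-out zero-sums that reach 16 to 24 rounds in the cited papers additionally need the inverse permutation and the degree bounds on it, which are not implemented here.<br />

```python
import hashlib

MASK64 = (1 << 64) - 1

# Round constants for iota, round index 0..23 (Keccak-f[1600] has 12 + 2*6 = 24 rounds).
RC = [
    0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
    0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
    0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
    0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
    0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
    0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008,
]
# Rotation offsets for rho, indexed ROT[x][y].
ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],
       [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]


def rol64(v, n):
    return ((v << n) | (v >> (64 - n))) & MASK64


def keccak_f(state, rounds=24):
    """Keccak-f[1600] on 25 little-endian 64-bit lanes, lane (x, y) at index x + 5*y.

    A round-reduced variant uses the *last* `rounds` round constants, as the Keccak
    reference defines Keccak-f[b, n_r]; the 3-round variant is rounds 21..23, not 0..2.
    """
    a = list(state)
    for i in range(24 - rounds, 24):
        # theta: column parities mixed into every lane
        c = [a[x] ^ a[x + 5] ^ a[x + 10] ^ a[x + 15] ^ a[x + 20] for x in range(5)]
        d = [c[(x - 1) % 5] ^ rol64(c[(x + 1) % 5], 1) for x in range(5)]
        a = [a[j] ^ d[j % 5] for j in range(25)]
        # rho (lane rotation) and pi (lane move (x, y) -> (y, 2x + 3y))
        b = [0] * 25
        for x in range(5):
            for y in range(5):
                b[y + 5 * ((2 * x + 3 * y) % 5)] = rol64(a[x + 5 * y], ROT[x][y])
        # chi: the only nonlinear step, degree 2 within each row
        a = [b[j] ^ (~b[(j + 1) % 5 + 5 * (j // 5)] & b[(j + 2) % 5 + 5 * (j // 5)])
             for j in range(25)]
        # iota
        a[0] ^= RC[i]
    return a


def sponge(msg, rate_bytes, out_len, suffix, rounds=24):
    """Keccak sponge: append `suffix`, then pad10*1 to a multiple of the rate."""
    state = [0] * 25
    padded = bytearray(msg) + bytes([suffix])
    padded += bytes(-len(padded) % rate_bytes)
    padded[-1] |= 0x80
    for off in range(0, len(padded), rate_bytes):
        block = padded[off:off + rate_bytes]
        for j in range(rate_bytes // 8):
            state[j] ^= int.from_bytes(block[8 * j:8 * j + 8], "little")
        state = keccak_f(state, rounds)
    out = bytearray()
    while len(out) < out_len:
        out += b"".join(l.to_bytes(8, "little") for l in state[:rate_bytes // 8])
        if len(out) < out_len:
            state = keccak_f(state, rounds)
    return bytes(out[:out_len])


def keccak_256(msg, rounds=24):
    """Keccak[r=1088, c=512] with the Round 3 padding: suffix 0x01 is just the pad10*1 '1' bit."""
    return sponge(msg, 136, 32, 0x01, rounds)


def sha3_256(msg, rounds=24):
    """FIPS 202 SHA3-256: same sponge, suffix 0x06 (domain bits 01, then the padding '1')."""
    return sponge(msg, 136, 32, 0x06, rounds)


def matches_hashlib(msg):
    return sha3_256(msg) == hashlib.sha3_256(msg).digest()


def zero_sum(rounds, dim):
    """XOR inputs and outputs of round-reduced Keccak-f over an affine subspace of
    dimension `dim`; returns (inputs_sum_to_zero, outputs_sum_to_zero).
    Chi has degree 2, so `rounds` rounds have degree <= 2**rounds, and for
    dim > 2**rounds the output sum is guaranteed zero (the forward half of a zero-sum)."""
    base = [(0x9E3779B97F4A7C15 * (j + 1)) & MASK64 for j in range(25)]  # constructed, arbitrary
    positions = [(k % 25, (11 * k) % 64) for k in range(dim)]            # distinct bits for dim <= 25
    in_sum, out_sum = [0] * 25, [0] * 25
    for m in range(1 << dim):
        s = list(base)
        for k, (lane, bit) in enumerate(positions):
            if (m >> k) & 1:
                s[lane] ^= 1 << bit
        out = keccak_f(s, rounds)
        in_sum = [u ^ v for u, v in zip(in_sum, s)]
        out_sum = [u ^ v for u, v in zip(out_sum, out)]
    return all(v == 0 for v in in_sum), all(v == 0 for v in out_sum)


if __name__ == "__main__":
    print("Keccak-256('') =", keccak_256(b"").hex())
    print("SHA3-256('')   =", sha3_256(b"").hex(), "matches hashlib:", matches_hashlib(b""))
    print("zero-sum, 2 rounds, dim 5:", zero_sum(2, 5))
    print("zero-sum, 3 rounds, dim 9:", zero_sum(3, 9))
```

<code>zero_sum(2, 5)</code> and <code>zero_sum(3, 9)</code> return <code>(True, True)</code> because 5 > 2<sup>2</sup> and 9 > 2<sup>3</sup>; with <code>dim</code> at or below <code>2**rounds</code> the degree bound gives no guarantee and the output XOR is in general nonzero. That gap is the distinguishing property: for a random 1600-bit permutation the output XOR over 2<sup>dim</sup> chosen inputs is zero with probability only 2<sup>-1600</sup>. Extending this past 4 rounds in the forward direction alone needs 2<sup>17</sup> and more evaluations per zero-sum, which is why the cited papers start from the middle of the permutation and use the lower degree of the inverse round to cover rounds in both directions.<br />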
<br />
<bibtex><br />
@misc{cryptoeprint:2011:023,<br />
author = {Ming Duan and Xuejia Lai},<br />
title = {Improved zero-sum distinguisher for full round Keccak-f permutation},<br />
howpublished = {Cryptology ePrint Archive, Report 2011/023},<br />
year = {2011},<br />
url = {http://eprint.iacr.org/2011/023.pdf},<br />
abstract = {Keccak is one of the five hash functions selected for the final round of the SHA-3 competition and its inner primitive is a permutation called Keccak-$f$. In this paper, we find that for the inverse of the only one nonlinear transformation of Keccak-$f$, the algebraic degrees of any output coordinate and of the product of any two output coordinates are both 3 and also 2 less than its size 5. Combining the observation with a proposition from an upper bound on the degree of iterated permutations, we improve the zero-sum distinguisher of full 24 rounds Keccak-$f$ permutation by lowering the size of the zero-sum partition from $2^{1590}$ to $2^{1579}$.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{KeccakBernstein10,<br />
author = {Daniel J. Bernstein},<br />
title = {Second preimages for 6 (7? (8??)) rounds of Keccak?},<br />
url = {http://ehash.iaik.tugraz.at/uploads/6/65/NIST-mailing-list_Bernstein-Daemen.txt},<br />
howpublished = {NIST mailing list},<br />
year = {2010},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cryptoeprint:2010:589,<br />
author = {Christina Boura and Anne Canteaut and Christophe De Canniere},<br />
title = {Higher-order differential properties of Keccak and Luffa},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/589},<br />
year = {2010},<br />
url = {http://eprint.iacr.org/2010/589.pdf},<br />
abstract = {In this paper, we identify higher-order differential and zero-sum properties in the full Keccak-f permutation, in the Luffa v1 hash function, and in components of the Luffa v2 algorithm. These structural properties rely on a new bound on the degree of iterated permutations with a nonlinear layer composed of parallel applications of smaller balanced Sboxes. These techniques yield zero-sum partitions of size $2^{1590}$ for the full Keccak-f permutation and several observations on the Luffa hash family. We first show that Luffa v1 applied to one-block messages is a function of 255 variables with degree at most 251. This observation leads to the construction of a higher-order differential distinguisher for the full Luffa v1 hash function, similar to the one presented by Watanabe et al. on a reduced version. We show that similar techniques can be used to find all-zero higher-order differentials in the Luffa v2 compression function, but the additional blank round destroys this property in the hash function.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{sacBC10,<br />
author = {Christina Boura and Anne Canteaut},<br />
title = {Zero-Sum Distinguishers for Iterated Permutations and Application to Keccak-f and Hamsi-256},<br />
url = {http://www-rocq.inria.fr/secret/Christina.Boura/data/sac.pdf},<br />
booktitle = {SAC},<br />
year = {2010},<br />
series = {LNCS},<br />
pages = {1-17},<br />
publisher = {Springer},<br />
volume = {6544},<br />
abstract = {The zero-sum distinguishers introduced by Aumasson and Meier are investigated. First, the minimal size of a zero-sum is established. Then, we analyze the impacts of the linear and the nonlinear layers in an iterated permutation on the construction of zero-sum partitions. Finally, these techniques are applied to the Keccak-f permutation and to Hamsi-256. We exhibit several zero-sum partitions for 20 rounds (out of 24) of Keccak-f and some zero-sum partitions of size $2^{19}$ and $2^{10}$ for the finalization permutation in Hamsi-256.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{keccakMS10,<br />
author = {Pawel Morawiecki and Marian Srebrny},<br />
title = {A SAT-based preimage analysis of reduced KECCAK hash functions},<br />
url = {http://eprint.iacr.org/2010/285.pdf},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/285},<br />
year = {2010},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{KeccakNoteZeroSum,<br />
author = {G. Bertoni and J. Daemen and M. Peeters and G. Van Assche},<br />
title = {Note on zero-sum distinguishers of Keccak-f},<br />
url = {http://keccak.noekeon.org/NoteZeroSum.pdf},<br />
howpublished = {NIST mailing list},<br />
year = {2010},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{keccakBC10,<br />
author = {Christina Boura and Anne Canteaut},<br />
title = {A Zero-Sum property for the Keccak-f Permutation with 18 Rounds},<br />
url = {http://www-roc.inria.fr/secret/Anne.Canteaut/Publications/zero_sum.pdf},<br />
howpublished = {NIST mailing list},<br />
year = {2010},<br />
abstract = {A new type of distinguishing property, named the zero-sum property has been recently presented by Aumasson and Meier [1]. It has been applied to the inner permutation of the hash function Keccak and it has led to a distinguishing property for the Keccak-f permutation up to 16 rounds, out of 24 in total. Here, we additionally exploit some spectral properties of the Keccak-f permutation and we improve the previously known upper bounds on the degree of the inverse permutation after a certain number of rounds. This result enables us to extend the zero-sum property to 18 rounds of the Keccak-f permutation, which was the number of rounds in the previous version of Keccak submitted to the SHA-3 competition.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{keccakAM09,<br />
author = {Jean-Philippe Aumasson and Willi Meier},<br />
title = {Zero-sum distinguishers for reduced Keccak-f and for the core functions of Luffa and Hamsi},<br />
url = {http://www.131002.net/data/papers/AM09.pdf},<br />
howpublished = {NIST mailing list},<br />
year = {2009},<br />
abstract = {We present a new type of distinguisher, called zero-sum distinguisher, and apply it to reduced versions of the Keccak-f permutation. We obtain practical and deterministic distinguishers on up to 9 rounds, and shortcut distinguishers on up to 16 rounds, out of 18 in total. These observations do not seem to affect the security of Keccak. We also briefly describe application of zero-sum distinguishers to the core permutations of Luffa and Hamsi.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{keccakL09,<br />
author = {Joel Lathrop},<br />
title = {Cube Attacks on Cryptographic Hash Functions},<br />
url = {http://www.cs.rit.edu/~jal6806/thesis/thesis.pdf},<br />
howpublished = {Available online},<br />
year = {2009},<br />
abstract = {The thesis includes a successful cube attack against 4-round Keccak complete with a table of maxterms, analysis of the attack, and the estimated limits of its extension to higher numbers of rounds.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{keccakAK09,<br />
author = {Jean-Philippe Aumasson and Dmitry Khovratovich},<br />
title = {First Analysis of Keccak},<br />
url = {http://131002.net/data/papers/AK09.pdf},<br />
howpublished = {Available online},<br />
year = {2009},<br />
abstract = {We apply known automated cryptanalytic tools to the Keccak-f[1600] permutation, using<br />
a triangulation tool to solve the CICO problem, and cube testers to detect some structure in the<br />
algebraic description of the reduced Keccak-f[1600]. The applicability of our tools was notably limited<br />
by the strength of the inverse permutation.},<br />
}<br />
</bibtex></div>Mschlaefferhttps://ehash.iaik.tugraz.at/index.php?title=JH&diff=3704JH2011-04-22T08:12:07Z<p>Mschlaeffer: references updated</p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Hongjun Wu<br />
* Website: [http://www3.ntu.edu.sg/home/wuhj/research/jh/ http://www3.ntu.edu.sg/home/wuhj/research/jh/]<br />
* NIST submission package: <br />
** Round 3: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round3/documents/JH_FinalRnd.zip JH_FinalRnd.zip]<br />
** Round 1/2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/JH_Round2.zip JH_Round2.zip] (old versions: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/JH.zip JH.zip], [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/JHUpdate.zip JHUpdate.zip])<br />
<br />
<br />
<bibtex><br />
@misc{sha3W09,<br />
author = {Hongjun Wu},<br />
title = {The Hash Function JH},<br />
url = {http://www3.ntu.edu.sg/home/wuhj/research/jh/jh_round3.pdf},<br />
howpublished = {Submission to NIST (round 3)},<br />
year = {2011},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3W09a,<br />
author = {Hongjun Wu},<br />
title = {The Hash Function JH},<br />
url = {http://ehash.iaik.tugraz.at/uploads/1/1d/Jh20090915.pdf},<br />
howpublished = {Submission to NIST (Round 1/2)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
Recommended security parameter: '''42''' rounds<br />
<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|-<br />
| style="background:greenyellow" | preimage || 512 || || 2<sup>507</sup> || 2<sup>507</sup> || [http://www.isical.ac.in/~rishi_r/FSE2010-146.pdf Bhattacharyya et al.]<br />
|- <br />
| style="background:greenyellow" | preimage<sup>(1)</sup> || 512 || || 2<sup>510.3</sup> (+ 2<sup>524</sup> MA + 2<sup>524</sup> CMP) || 2<sup>510.3</sup> (Wu: 2<sup>510.6</sup>) || [http://ehash.iaik.tugraz.at/uploads/d/da/Jh_preimage.pdf Mendel,Thomsen], [http://ehash.iaik.tugraz.at/uploads/6/6f/Jh_mt_complexity.pdf Wu]<br />
|- <br />
|} <br />
<br />
<sup>(1)</sup> Wu has analyzed the exact memory requirements, additional memory accesses (MA) and comparisons (CMP) of the attack by Mendel and Thomsen.<br />
<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks). <br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| semi-free-start collision || compression function || 256 || 16 rounds || 2<sup>96.12</sup> || 2<sup>96.12</sup> || [http://eprint.iacr.org/2010/607.pdf Naya-Plasencia]<br />
|-<br />
| semi-free-start near collision || compression function || 256 || 22 rounds || 2<sup>95.63</sup> || 2<sup>95.63</sup> || [http://eprint.iacr.org/2010/607.pdf Naya-Plasencia]<br />
|-<br />
| semi-free-start near collision || compression function || all || 10 rounds || 2<sup>23.24</sup> || - || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/TURAN_Paper_Erdener.pdf Turan,Uyan]<br />
|- <br />
| semi-free-start collision || hash || 256 || 16 rounds || 2<sup>178.24</sup> || 2<sup>101.12</sup> || [http://www.cosic.esat.kuleuven.be/publications/article-1431.pdf Rijmen,Toz,Varıcı]<br />
|- <br />
| semi-free-start near collision || compression function || 256 || 22 rounds || 2<sup>156.77</sup> || 2<sup>143.70</sup> || [http://www.cosic.esat.kuleuven.be/publications/article-1431.pdf Rijmen,Toz,Varıcı]<br />
|- <br />
| semi-free-start near collision || compression function || 256 || 22 rounds || 2<sup>156.56</sup> || 2<sup>143.70</sup> || [http://www.cosic.esat.kuleuven.be/publications/article-1431.pdf Rijmen,Toz,Varıcı]<br />
|- <br />
| pseudo-collision || compression function || all || || - || - || [http://ehash.iaik.tugraz.at/uploads/a/a8/Jh1.txt Bagheri]<br />
|- <br />
| pseudo-2nd preimage || compression function || all || || - || - || [http://ehash.iaik.tugraz.at/uploads/a/a8/Jh1.txt Bagheri]<br />
|- <br />
|} <br />
<br />
<br />
<bibtex><br />
@misc{cryptoeprint:2010:607,<br />
author = {María Naya-Plasencia},<br />
title = {Scrutinizing rebound attacks: new algorithms for improving the complexities},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/607},<br />
year = {2010},<br />
url = {http://eprint.iacr.org/2010/607.pdf},<br />
abstract = {Rebound attacks are a state-of-the-art analysis method for hash functions. These cryptanalysis methods are based on a well chosen differential path and have been applied to several hash functions from the SHA-3 competition, providing the best known analysis in these cases. In this paper we study rebound attacks in detail and find for a great number of cases, that complexities of existing attacks can be improved. This is done by determining problems that adapt optimally to the cryptanalytic situation, and by using better algorithms to follow the differential path. These improvements are essentially based on merging big lists in a more efficient way, as well as on new ideas on how to reduce the complexities. As a result, we introduce general purpose new algorithms for enabling further rebound analysis to be as performant as possible. We illustrate our new algorithms for real hash functions and demonstrate how to reduce the complexities of the best known analysis on five hash functions: JH, Grøstl, ECHO, Luffa and Lane (the first four are round two SHA-3 candidates).},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{blakeTU10,<br />
author = {Meltem Sönmez Turan and Erdener Uyan},<br />
title = {Practical Near-Collisions for Reduced Round Blake, Fugue, Hamsi and JH},<br />
howpublished = {Second SHA-3 Candidate Conference},<br />
year = {2010},<br />
url = {http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/TURAN_Paper_Erdener.pdf},<br />
abstract = {A hash function is near-collision resistant, if it is hard to find two messages with hash values that differ in only a small number of bits. In this study, we use hill climbing methods to evaluate the near-collision resistance of some of the round SHA-3 candidates. We practically obtained (i) 184/256-bit near-collision for the 2-round compression function of Blake-32; (ii) 192/256-bit near-collision for the 2-round compression function of Hamsi-256; (iii) 820/1024-bit near-collisions for 10-round compression function of JH. We also observed practical collisions and near-collisions for reduced versions of F-256 function used in Fugue.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{BMN10,<br />
author = {Rishiraj Bhattacharyya and Avradip Mandal and Mridul Nandi},<br />
title = {Security Analysis of the Mode of JH Hash Function},<br />
url = {http://www.isical.ac.in/~rishi_r/FSE2010-146.pdf},<br />
booktitle = {FSE},<br />
year = {2010},<br />
pages = {168-191},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {6147},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{RTV10,<br />
author = {Vincent Rijmen and Denis Toz and Kerem Varıcı},<br />
title = {Rebound Attack on Reduced-Round Versions of JH},<br />
url = {http://www.cosic.esat.kuleuven.be/publications/article-1431.pdf},<br />
booktitle = {FSE},<br />
year = {2010},<br />
pages = {286-303},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {6147},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{B08,<br />
author = {Nasour Bagheri},<br />
title = {Pseudo-collision and pseudo-second preimage on JH},<br />
url = {http://ehash.iaik.tugraz.at/uploads/a/a8/Jh1.txt}, <br />
howpublished = {NIST mailing list},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{MT08,<br />
author = {Florian Mendel and Søren S. Thomsen},<br />
title = {An Observation on JH-512},<br />
url = {http://ehash.iaik.tugraz.at/uploads/d/da/Jh_preimage.pdf}, <br />
howpublished = {Available online},<br />
year = {2008},<br />
abstract = {In this paper, we present a generic preimage attack on JH-512. We do not claim that<br />
our attack breaks JH-512 (due to the high memory requirements), but it uses some interesting<br />
properties in the design principles of JH-512 which do not exist in other hash functions, e.g., the<br />
SHA-2 family.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{W09,<br />
author = {Hongjun Wu},<br />
title = {The Complexity of Mendel and Thomsen's Preimage Attack on JH-512},<br />
url = {http://ehash.iaik.tugraz.at/uploads/6/6f/Jh_mt_complexity.pdf}, <br />
howpublished = {Available online},<br />
year = {2009},<br />
abstract = {Mendel and Thomsen gave a preimage attack on JH-512 by finding a preimage through the collision search over the space of $2^{1024}$ elements. However, they did not estimate the cost of the collision search which is the most expensive part in their attack. Our analysis shows that their attack requires at least $2^{510.3}$ compression function computations, $2^{510.6}$ memory ($2^{516.6}$ bytes), $2^{524}$ memory accesses and $2^{524}$ comparisons. Such complexity is far more expensive than brute force attack which requires $2^{512}$ compression function computations and almost no memory.},<br />
}<br />
</bibtex></div>Mschlaefferhttps://ehash.iaik.tugraz.at/index.php?title=BLAKE&diff=3703BLAKE2011-04-22T08:09:10Z<p>Mschlaeffer: references updated</p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Jean-Philippe Aumasson, Luca Henzen, Willi Meier, Raphael C.-W. Phan<br />
* Website: [http://131002.net/blake/ http://131002.net/blake/]<br />
* NIST submission package: <br />
** Round 3: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round3/documents/Blake_FinalRnd.zip Blake_FinalRnd.zip]<br />
** Round 1/2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/BLAKE_Round2.zip BLAKE_Round2.zip] (old versions: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/BLAKE.zip BLAKE.zip], [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/BLAKEUpdate.zip BLAKEUpdate.zip])<br />
<br />
<br />
<bibtex><br />
@misc{sha3AumassonHMP10,<br />
author = {Jean-Philippe Aumasson and Luca Henzen and Willi Meier and Raphael C.-W. Phan},<br />
title = {SHA-3 proposal BLAKE},<br />
url = {http://131002.net/blake/blake.pdf},<br />
howpublished = {Submission to NIST (Round 3)},<br />
year = {2010},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3AumassonHMP08,<br />
author = {Jean-Philippe Aumasson and Luca Henzen and Willi Meier and Raphael C.-W. Phan},<br />
title = {SHA-3 proposal BLAKE},<br />
url = {http://ehash.iaik.tugraz.at/uploads/0/06/Blake.pdf},<br />
howpublished = {Submission to NIST (Round 1/2)},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
Recommended security parameter: '''14''' rounds (n=224,256); '''16''' rounds (n=384,512)<br />
<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| preimage || 224,256 || 2.5 rounds || 2<sup>n-15</sup> || - || [http://eprint.iacr.org/2009/238.pdf Ji,Liangyu]<br />
|-<br />
| preimage || 384 || 2.5 rounds || 2<sup>355</sup> || - || [http://eprint.iacr.org/2009/238.pdf Ji,Liangyu]<br />
|-<br />
| preimage || 512 || 2.5 rounds || 2<sup>481</sup> || - || [http://eprint.iacr.org/2009/238.pdf Ji,Liangyu]<br />
|-<br />
|} <br />
<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks). <br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|-<br />
| semi-free-start near-collisions || compression function || 256 || 2 rounds || 2<sup>26</sup> || - || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/TURAN_Paper_Erdener.pdf Turan,Uyan]<br />
|-<br />
| collision || hash || all || toy version BLOKE || example || - || [http://lkrv.fri.uni-lj.si/~janos/blake/collisions.pdf Vidali,Nose,Pašalic]<br />
|-<br />
| semi-free-start collision || compression function || all || toy version BRAKE || example || - || [http://lkrv.fri.uni-lj.si/~janos/blake/collisions.pdf Vidali,Nose,Pašalic]<br />
|-<br />
| near-collision || compression function || 256 || 4 rounds (No. 4-7) || 2<sup>21</sup> || - || [http://eprint.iacr.org/2010/355.pdf Su,Wu,Wu,Dong]<br />
|-<br />
| near-collision || compression function || 512 || 4 rounds (No. 7-10) || 2<sup>16</sup> || - || [http://eprint.iacr.org/2010/355.pdf Su,Wu,Wu,Dong]<br />
|-<br />
| near-collision || compression function || 512 || 5 rounds (No. 7-11) || 2<sup>216</sup> || - || [http://eprint.iacr.org/2010/355.pdf Su,Wu,Wu,Dong]<br />
|-<br />
| observations || hash || all || || || || [http://people.item.ntnu.no/~danilog/Hash/Non-random-behaviour-narrow-pipe-designs-03.pdf Gligoroski]<br />
|-<br />
| impossible differential || permutation || 224,256 || 5 rounds || - || - || [http://eprint.iacr.org/2010/043.pdf Aumasson,Guo,Knellwolf,Matusiewicz,Meier]<br />
|-<br />
| impossible differential || permutation || 384,512 || 6 rounds || - || - || [http://eprint.iacr.org/2010/043.pdf Aumasson,Guo,Knellwolf,Matusiewicz,Meier]<br />
|-<br />
| near-collision || compression function || 256 || 4 rounds (No. 3-6) || 2<sup>56</sup> || - || [http://www.jguo.org/docs/blake-col.pdf Guo,Matusiewicz]<br />
|-<br />
| free-start collision || hash || 224,256 || 2.5 rounds || 2<sup>n/2-16</sup> || - || [http://eprint.iacr.org/2009/238.pdf Ji,Liangyu]<br />
|-<br />
| free-start collision || hash || 384,512 || 2.5 rounds || 2<sup>n/2-32</sup> || - || [http://eprint.iacr.org/2009/238.pdf Ji,Liangyu]<br />
|-<br />
|} <br />
<br />
<br />
<bibtex><br />
@misc{blakeTU10,<br />
author = {Meltem Sönmez Turan and Erdener Uyan},<br />
title = {Practical Near-Collisions for Reduced Round Blake, Fugue, Hamsi and JH},<br />
howpublished = {Second SHA-3 Candidate Conference},<br />
year = {2010},<br />
url = {http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/TURAN_Paper_Erdener.pdf},<br />
abstract = {A hash function is near-collision resistant, if it is hard to find two messages with hash values that differ in only a small number of bits. In this study, we use hill climbing methods to evaluate the near-collision resistance of some of the round SHA-3 candidates. We practically obtained (i) 184/256-bit near-collision for the 2-round compression function of Blake-32; (ii) 192/256-bit near-collision for the 2-round compression function of Hamsi-256; (iii) 820/1024-bit near-collisions for 10-round compression function of JH. We also observed practical collisions and near-collisions for reduced versions of F-256 function used in Fugue.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{iplVNP10,<br />
author = {Janoš Vidali and Peter Nose and Enes Pašalic},<br />
title = {Collisions for variants of the BLAKE hash function},<br />
url = {http://lkrv.fri.uni-lj.si/~janos/blake/collisions.pdf},<br />
booktitle = {Information Processing Letters},<br />
volume = {110},<br />
issue = {14-15},<br />
month = {July},<br />
year = {2010},<br />
pages = {585--590},<br />
publisher = {Elsevier North-Holland, Inc.},<br />
abstract = {In this paper we present an attack on the BLOKE and BRAKE hash functions, which are weakened versions of the SHA-3 candidate BLAKE. Unlike BLAKE, the BLOKE hash function does not permute the message words and constants in the round computation of the compression function, and BRAKE additionally removes feedforward and zeroes the constants used in each round of the compression function. We show that in these cases we can efficiently find, for any intermediate hash value, a fixed-point block giving us an internal collision, thus producing collisions for messages of equal length in case of BLOKE, and internal collisions for BRAKE.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{blakeSuWWD10,<br />
author = {Bozhan Su and Wenling Wu and Shuang Wu and Le Dong},<br />
title = {Near-Collisions on the Reduced-Round Compression Functions of Skein and BLAKE},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/355},<br />
year = {2010},<br />
url = {http://eprint.iacr.org/2010/355.pdf},<br />
abstract = {The SHA-3 competition organized by NIST aims to find a new hash standard as a replacement of SHA-2. Till now, 14 submissions have been selected as the second round candidates, including Skein and BLAKE, both of which have components based on modular addition, rotation and bitwise XOR (ARX). In this paper, we propose improved near-collision attacks on the reduced-round compression functions of Skein and a variant of BLAKE. The attacks are based on linear differentials of the modular additions. The computational complexity of near-collision attacks on a 4-round compression function of BLAKE-32, 4-round and 5-round compression functions of BLAKE-64 are 2^{21}, 2^{16} and 2^{216} respectively, and the attacks on the 24-round compression functions of Skein-256, Skein-512 and Skein-1024 have a complexity of 2^{60}, 2^{230} and 2^{395} respectively.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{blakeGli10,<br />
author = {Danilo Gligoroski},<br />
title = {Narrow-pipe SHA-3 candidates differ significantly from ideal random functions defined over big domains},<br />
url = {http://people.item.ntnu.no/~danilog/Hash/Non-random-behaviour-narrow-pipe-designs-03.pdf},<br />
howpublished = {NIST hash function mailing list},<br />
year = {2010},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cryptoeprint:2010:043,<br />
author = {Jean-Philippe Aumasson and Jian Guo and Simon Knellwolf<br />
and Krystian Matusiewicz and Willi Meier},<br />
title = {Differential and invertibility properties of BLAKE (full version)},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/043},<br />
year = {2010},<br />
url = {http://eprint.iacr.org/2010/043.pdf},<br />
abstract = {BLAKE is a hash function selected by NIST as one of<br />
the 14 second round candidates for the SHA-3 Competition. In this<br />
paper, we follow a bottom-up approach to exhibit properties of BLAKE<br />
and of its building blocks: based on differential properties of the<br />
internal function G, we show that a round of BLAKE is a permutation on<br />
the message space, and present an efficient inversion algorithm. For<br />
1.5 rounds we present an algorithm that finds preimages faster than in<br />
previous attacks. Discovered properties lead us to describe large<br />
classes of impossible differentials for two rounds of BLAKE’s internal<br />
permutation, and particular impossible differentials for five and six<br />
rounds, respectively for BLAKE-32 and BLAKE-64. Then, using a linear<br />
and rotation-free model, we describe near-collisions for four rounds<br />
of the compression function. Finally, we discuss the problem of<br />
establishing upper bounds on the probability of differential<br />
characteristics for BLAKE.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{blakeGM09,<br />
author = {Jian Guo and Krystian Matusiewicz},<br />
title = {Round-Reduced Near-Collisions of BLAKE-32},<br />
howpublished = {Accepted for presentation at WEWoRC 2009},<br />
url = {http://www.jguo.org/docs/blake-col.pdf},<br />
year = {2009}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cryptoeprint:2009:238,<br />
author = {Li Ji and Xu Liangyu},<br />
title = {Attacks on Round-Reduced BLAKE},<br />
howpublished = {Cryptology ePrint Archive, Report 2009/238},<br />
year = {2009},<br />
url = {http://eprint.iacr.org/2009/238.pdf},<br />
abstract = {BLAKE is a new hash family proposed for SHA-3. The<br />
core of compression function reuses the core function of ChaCha. A<br />
round-dependent permutation is used as message schedule. BLAKE is<br />
claimed to achieve full diffusion after 2 rounds. However, message<br />
words can be controlled on the first several rounds. By exploiting<br />
properties of message permutation, we can attack 2.5 reduced rounds.<br />
The results do not threaten the security claimed in the specification.<br />
},<br />
}<br />
</bibtex></div>
Mschlaeffer
https://ehash.iaik.tugraz.at/index.php?title=Groestl&diff=3702
Groestl
2011-04-22T08:04:57Z
<p>Mschlaeffer: references updated</p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Praveen Gauravaram, Lars R. Knudsen, Krystian Matusiewicz, Florian Mendel, Christian Rechberger, Martin Schläffer, Søren S. Thomsen<br />
* Website: [http://www.groestl.info http://www.groestl.info]<br />
* NIST submission package: <br />
** Round 3: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round3/documents/Groestl_FinalRnd.zip Groestl_FinalRnd.zip]<br />
** Round 1/2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/Grostl_Round2.zip Grostl_Round2.zip] (old version: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/Grostl.zip Grostl.zip])<br />
<br />
<br />
<bibtex><br />
@misc{sha3groestl,<br />
author = {Praveen Gauravaram and Lars R. Knudsen and Krystian Matusiewicz and Florian Mendel and Christian Rechberger and Martin Schläffer and Søren S. Thomsen},<br />
title = {Grøstl -- a SHA-3 candidate},<br />
url = {http://www.groestl.info/Groestl.pdf},<br />
howpublished = {Submission to NIST (Round 3)},<br />
year = {2011},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3groestl,<br />
author = {Praveen Gauravaram and Lars R. Knudsen and Krystian Matusiewicz and Florian Mendel and Christian Rechberger and Martin Schläffer and Søren S. Thomsen},<br />
title = {Grøstl Addendum},<br />
url = {http://groestl.info/Groestl-addendum.pdf},<br />
howpublished = {Submission to NIST (Round 2)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3groestl,<br />
author = {Praveen Gauravaram and Lars R. Knudsen and Krystian Matusiewicz and Florian Mendel and Christian Rechberger and Martin Schläffer and Søren S. Thomsen},<br />
title = {Grøstl -- a SHA-3 candidate},<br />
url = {http://groestl.info/Groestl-0.pdf},<br />
howpublished = {Submission to NIST (Round 1/2)},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
Recommended security parameter: '''10''' rounds (n=224,256); '''14''' rounds (n=384,512)<br />
<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|-<br />
| collision || 224,256 || 3 rounds || 2<sup>64</sup> || - || [http://groestl.info/groestl-analysis.pdf Schläffer]<br />
|-<br />
| collision || 512 || 3 rounds || 2<sup>192</sup> || - || [http://groestl.info/groestl-analysis.pdf Schläffer]<br />
|-<br />
|}<br />
<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control over, or access to, some internal variables (so-called free-start, pseudo, compression function, block cipher, or permutation attacks). <br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| semi-free-start collision || compression function || 256 || 6 rounds || 2<sup>112</sup> || 2<sup>64</sup> || [http://groestl.info/groestl-analysis.pdf Schläffer]<br />
|-<br />
| semi-free-start collision || compression function || 384,512 || 6 rounds || 2<sup>180</sup> || 2<sup>64</sup> || [http://groestl.info/groestl-analysis.pdf Schläffer]<br />
|-<br />
| collision || hash function || 224,256 || 5 rounds (Round 1/2) || 2<sup>48</sup> || 2<sup>32</sup> || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel]<br />
|-<br />
| collision || hash function || 256 || 6 rounds (Round 1/2) || 2<sup>112</sup> || 2<sup>32</sup> || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel]<br />
|-<br />
| collision || hash function || 224,256 || 4 rounds (Round 1/2) || 2<sup>64</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| collision || hash function || 224,256 || 3 rounds (Round 1/2) || 2<sup>64</sup> || - || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| collision || hash function || 384,512 || 5 rounds (Round 1/2) || 2<sup>176</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| collision || hash function || 384,512 || 4 rounds (Round 1/2) || 2<sup>64</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| distinguisher || compression function || 256 || 10 rounds (Round 1/2) || 2<sup>175</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/607.pdf Naya-Plasencia]<br />
|-<br />
| distinguisher || compression function || 512 || 11 rounds (Round 1/2) || 2<sup>630</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/607.pdf Naya-Plasencia]<br />
|-<br />
| distinguisher || permutation || 256 || 8 rounds || 2<sup>48</sup> || 2<sup>8</sup> || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SASAKI_ECHOanalysisFinal.pdf Sasaki,Li,Wang,Sakiyama,Ohta]<br />
|-<br />
| semi-free-start collision || compression function || 512 || 7 rounds || 2<sup>152</sup> || 2<sup>56</sup> || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SASAKI_ECHOanalysisFinal.pdf Sasaki,Li,Wang,Sakiyama,Ohta]<br />
|-<br />
| semi-free-start collision || compression function || 224,256 || 7 rounds (Round 1/2) || 2<sup>80</sup> || 2<sup>32</sup> || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel]<br />
|-<br />
| semi-free-start collision || compression function || 224,256 || 8 rounds (Round 1/2) || 2<sup>192</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel]<br />
|-<br />
| distinguisher || permutation || 224,256 || 7 rounds || 2<sup>19</sup> || - || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel]<br />
|-<br />
| distinguisher || permutation || 224,256 || 8 rounds || 2<sup>64</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel]<br />
|-<br />
| distinguisher || compression function || 256 || 10 rounds (Round 1/2) || 2<sup>192</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/223.pdf Peyrin]<br />
|- <br />
| distinguisher || compression function || 256 || 9 rounds (Round 1/2) || 2<sup>80</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/223.pdf Peyrin]<br />
|- <br />
| distinguisher || compression function || 512 || 11 rounds (Round 1/2) || 2<sup>640</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/223.pdf Peyrin]<br />
|- <br />
| semi-free-start collision || compression function || 256 || 7 rounds (Round 1/2) || 2<sup>120</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2009/531.pdf Gilbert,Peyrin]<br />
|- <br />
| distinguisher || compression function || 256 || 8 rounds (Round 1/2) || 2<sup>112</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2009/531.pdf Gilbert,Peyrin]<br />
|- <br />
| distinguisher || permutation || 256 || 8 rounds || 2<sup>112</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2009/531.pdf Gilbert,Peyrin]<br />
|- <br />
| semi-free-start collision || compression function || 256 || 7 rounds (Round 1/2) || 2<sup>120</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| semi-free-start collision || compression function|| 384,512 || 7 rounds (Round 1/2) || 2<sup>152</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| semi-free-start collision || compression function || 224,256 || 6 rounds (Round 1/2) || 2<sup>64</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124407&pCurrPk=44420 Mendel,Peyrin,Rechberger,Schläffer]<br />
|- <br />
| distinguisher || output transformation || 224,256 || 7 rounds || 2<sup>56</sup> || - || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124407&pCurrPk=44420 Mendel,Peyrin,Rechberger,Schläffer]<br />
|- <br />
| distinguisher || permutation || 224,256 || 7 rounds || 2<sup>55</sup> || - || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124407&pCurrPk=44420 Mendel,Peyrin,Rechberger,Schläffer]<br />
|- <br />
| semi-free-start collision || compression function || 256 || 6 rounds (Round 1/2) || 2<sup>120</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124409&pCurrPk=40943 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| semi-free-start collision || compression function || 224,256 || 5 rounds (Round 1/2) || 2<sup>64</sup> || - || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124409&pCurrPk=40943 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| observation || hash || all || || || || [http://ehash.iaik.tugraz.at/uploads/d/d0/Grostl-comment-april28.pdf Kelsey]<br />
|- <br />
| observation || block cipher || all || || || || [http://www.larc.usp.br/~pbarreto/Grizzly.pdf Barreto]<br />
|- <br />
| free-start collision || compression function || all || any || 2<sup>2n/3</sup> || 2<sup>2n/3</sup> || [http://www.groestl.info/Groestl.pdf submission document]<br />
|- <br />
| pseudo-preimage || compression function || all || any || 2<sup>n</sup> || - || [http://www.groestl.info/Groestl.pdf submission document]<br />
|- <br />
|}<br />
<br />
<br />
<bibtex><br />
@misc{groestlSchlaeffer11,<br />
author = {Martin Schläffer},<br />
title = {Updated Differential Analysis of Grøstl},<br />
howpublished = {Grøstl website},<br />
month = {January},<br />
year = {2011},<br />
url = {http://groestl.info/groestl-analysis.pdf},<br />
abstract = {Grøstl is a SHA-3 finalist with clear proofs against a large class of differential attacks, similar to those of MD6. Furthermore, in this note we provide an update also regarding more advanced types of differential attacks that have been developed in recent years. We apply the rebound attacks on the initial submission to the tweaked version of Grøstl. We have analyzed the round-reduced hash function and compression function of Grøstl-256 (10 rounds) and Grøstl-512 (14 rounds). For both versions, we get collisions for 3 rounds of the hash function and collisions for 6 rounds of the compression function. We hope that our own efforts on improving the cryptanalysis will continue to motivate and accelerate external cryptanalysis.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cryptoeprint:2010:607,<br />
author = {María Naya-Plasencia},<br />
title = {Scrutinizing rebound attacks: new algorithms for improving the complexities},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/607},<br />
year = {2010},<br />
url = {http://eprint.iacr.org/2010/607.pdf},<br />
abstract = {Rebound attacks are a state-of-the-art analysis method for hash functions. These cryptanalysis methods are based on a well chosen differential path and have been applied to several hash functions from the SHA-3 competition, providing the best known analysis in these cases. In this paper we study rebound attacks in detail and find, for a great number of cases, that complexities of existing attacks can be improved. This is done by determining problems that adapt optimally to the cryptanalytic situation, and by using better algorithms to follow the differential path. These improvements are essentially based on merging big lists in a more efficient way, as well as on new ideas on how to reduce the complexities. As a result, we introduce general purpose new algorithms for enabling further rebound analysis to be as performant as possible. We illustrate our new algorithms for real hash functions and demonstrate how to reduce the complexities of the best known analysis on five hash functions: JH, Grøstl, ECHO, Luffa and Lane (the first four are round two SHA-3 candidates).},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{groestlechoSLWSO10,<br />
author = {Yu Sasaki and Yang Li and Lei Wang and Kazuo Sakiyama and Kazuo Ohta},<br />
title = {New Non-Ideal Properties of AES-Based Permutations: Applications to ECHO and Grøstl},<br />
booktitle = {ASIACRYPT},<br />
year = {2010},<br />
pages = {38-55},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {6477},<br />
url = {http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SASAKI_ECHOanalysisFinal.pdf},<br />
abstract = {In this paper, we present non-full-active Super-Sbox analysis which can detect non-ideal<br />
properties of a class of AES-based permutations with a low complexity. We apply this framework<br />
to SHA-3 round-2 candidates ECHO and Grøstl. The first application is for the full-round (8-round)<br />
ECHO permutation, which is a building block for 256-bit and 224-bit output sizes. By combining several<br />
observations specific to ECHO, our attack detects a non-ideal property with a time complexity of 2^182<br />
and 2^37 amount of memory. The complexity, especially in terms of the product of time and memory,<br />
is drastically reduced from the previous best attack which required 2^512 x 2^512. To the best of our knowledge, this is the first result on the full-round ECHO permutation with both time and memory below 2^256 or 2^224. Note that this result does not impact the security of the ECHO compression function nor the overall hash function. We also show that our method can detect non-ideal properties of the 8-round Grøstl-256 permutation with a practical complexity, and finally show that our approach leads<br />
to an improvement on a semi-free-start collision attack on the 7-round Grøstl-512 compression function.<br />
Our approach is based on a series of attacks on AES-based hash functions such as rebound attack and<br />
Super-Sbox analysis. The core idea is using a new differential path consisting of only non-full-active<br />
states.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{ITP10,<br />
author = {Kota Ideguchi and Elmar Tischhauser and Bart Preneel},<br />
title = {Improved Collision Attacks on the Reduced-Round Grøstl Hash Function},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/375},<br />
booktitle = {ISC},<br />
year = {2010},<br />
pages = {1-16},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {6531},<br />
url = {http://eprint.iacr.org/2010/375.pdf},<br />
abstract = {We analyze the Gr{\o}stl hash function, which is a 2nd-round candidate of the SHA-3 competition. Using the start-from-the-middle variant of the rebound technique, we show collision attacks on the Gr{\o}stl-256 hash function reduced to 5 and 6 out of 10 rounds with time complexities $2^{48}$ and $2^{112}$, respectively. Furthermore, we demonstrate semi-free-start collision attacks on the Gr{\o}stl-224 and -256 hash functions reduced to 7 rounds and the Gr{\o}stl-224 and -256 compression functions reduced to 8 rounds. Our attacks are based on differential paths between the two permutations $P$ and $Q$ of Gr{\o}stl, a strategy introduced by Peyrin to construct distinguishers for the compression function. In this paper, we extend this approach to construct collision and semi-free-start collision attacks for both the hash and the compression function. Finally, we present improved distinguishers for reduced-round versions of the Gr{\o}stl-224 and -256 permutations.},<br />
}<br />
</bibtex> <br />
<br />
<bibtex> <br />
@inproceedings{Pey10,<br />
author = {Thomas Peyrin},<br />
title = {Improved Differential Attacks for ECHO and Grostl},<br />
booktitle = {CRYPTO},<br />
year = {2010},<br />
pages = {370-392},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {6223},<br />
url = {http://eprint.iacr.org/2010/223.pdf},<br />
abstract = {We present improved cryptanalysis of two second-round SHA-3 candidates: the AES-based hash functions ECHO and Grostl. We explain methods for building better differential trails for ECHO by increasing the granularity of the truncated differential paths previously considered. In the case of Grostl, we describe a new technique, the internal differential attack, which shows that when using parallel computations designers should also consider the differential security between the parallel branches. Then, we exploit the recently introduced start-from-the-middle or Super-Sbox attacks, that proved to be very efficient when attacking AES-like permutations, to achieve a very efficient utilization of the available freedom degrees. Finally, we obtain the best known attacks so far for both ECHO and Grostl. In particular, we are able to mount a distinguishing attack for the full Grostl-256 compression function.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{fseGP10,<br />
author = {Henri Gilbert and Thomas Peyrin},<br />
title = {Super-Sbox Cryptanalysis: Improved Attacks for AES-like permutations},<br />
booktitle = {FSE},<br />
year = {2010},<br />
series = {LNCS},<br />
volume = {6147},<br />
publisher = {Springer},<br />
pages = {365-383},<br />
url = {http://eprint.iacr.org/2009/531.pdf},<br />
abstract = {In this paper, we improve the recent rebound and start-from-the-middle attacks on AES-like permutations. Our new cryptanalysis technique uses the fact that one can view two rounds of such permutations as a layer of big Sboxes preceded and followed by simple affine transformations. The big Sboxes encountered in this alternative representation are named Super-Sboxes. We apply this method to two second-round SHA-3 candidates Grostl and ECHO, and obtain improvements over the previous cryptanalysis results for these two schemes. Moreover, we improve the best distinguisher for the AES block cipher in the known-key setting, reaching 8 rounds for the 128-bit version.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{ctrsaMRST10,<br />
author = {Florian Mendel and Christian Rechberger and Martin Schläffer and Søren S. Thomsen},<br />
title = {Rebound Attacks on the Reduced Grøstl Hash Function},<br />
url = {http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053},<br />
booktitle = {CT-RSA},<br />
year = {2010},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {5985},<br />
pages = {350-365},<br />
abstract = {Grøstl is one of 14 second round candidates of the<br />
NIST SHA-3 competition. Cryptanalytic results on the wide-pipe compression<br />
function of Grøstl-256 have already been published. However, little is known<br />
about the hash function, arguably a much more interesting cryptanalytic<br />
setting. Also, Grøstl-512 has not been analyzed yet. In this paper, we show<br />
the first cryptanalytic attacks on reduced-round versions of the Grøstl hash<br />
functions. These results are obtained by several extensions of the rebound<br />
attack. We present a collision attack on 4/10 rounds of the Grøstl-256 hash<br />
function and 5/14 rounds of the Grøstl-512 hash functions. Additionally, we<br />
give the best collision attack for reduced-round (7/10 and 7/14) versions of the<br />
compression function of Grøstl-256 and Grøstl-512.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{sacMPRS09,<br />
author = {Florian Mendel and Thomas Peyrin and Christian<br />
Rechberger and Martin Schläffer},<br />
title = {Improved Cryptanalysis of the Reduced Grøstl<br />
Compression Function, ECHO Permutation and AES Block Cipher},<br />
url = {http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124407&pCurrPk=44420},<br />
booktitle = {SAC},<br />
year = {2009},<br />
series = {LNCS},<br />
publisher = {Springer},<br />
volume = {5867},<br />
pages = {16-35},<br />
abstract = {In this paper, we propose two new ways to mount attacks<br />
on the SHA-3 candidates Gr{\o}stl, and ECHO, and apply these attacks<br />
also to the AES. Our results improve upon and extend the rebound<br />
attack. Using the new techniques, we are able to extend the number of<br />
rounds in which available degrees of freedom can be used. As a result,<br />
we present the first attack on 7 rounds for the Gr{\o}stl-256 output<br />
transformation and improve the semi-free-start collision attack on 6<br />
rounds. Further, we present an improved known-key distinguisher for 7<br />
rounds of the AES block cipher and the internal permutation used in<br />
ECHO.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{fseMRST09,<br />
author = {Florian Mendel and Christian Rechberger and Martin Schläffer and Søren S. Thomsen},<br />
title = {The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grøstl},<br />
url = {http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124409&pCurrPk=40943},<br />
booktitle = {FSE},<br />
editor = {Orr Dunkelman},<br />
year = {2009},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {5665},<br />
pages = {260-276},<br />
abstract = {In this work, we propose the rebound attack, a new tool<br />
for the cryptanalysis of hash functions. The idea of the rebound<br />
attack is to use the available degrees of freedom in a collision<br />
attack to efficiently bypass the low probability parts of a<br />
differential trail. The rebound attack consists of an inbound phase<br />
with a match-in-the-middle part to exploit the available degrees of<br />
freedom, and a subsequent probabilistic outbound phase. Especially on<br />
AES based hash functions, the rebound attack leads to new attacks for<br />
a surprisingly high number of<br />
rounds.<br />
We use the rebound attack to construct collisions for 4.5 rounds of<br />
the 512-bit hash function Whirlpool with a complexity of $2^{120}$<br />
compression function evaluations and negligible memory requirements.<br />
The attack can be extended to a near-collision on 7.5 rounds of the<br />
compression function of Whirlpool and 8.5 rounds of the similar hash<br />
function Maelstrom. Additionally, we apply the rebound attack to the<br />
SHA-3 submission Gr{\o}stl, which leads to an attack on 6 rounds of<br />
the Gr{\o}stl-256 compression function with a complexity of $2^{120}$<br />
and memory requirements of about $2^{64}$.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{groestlK09,<br />
author = {John Kelsey},<br />
title = {Some notes on Grøstl},<br />
url = {http://ehash.iaik.tugraz.at/uploads/d/d0/Grostl-comment-april28.pdf},<br />
howpublished = {NIST hash function mailing list},<br />
month = {April},<br />
year = {2009},<br />
abstract = {These are some quick notes on some properties and<br />
observations of Grøstl. Nothing in this note threatens the hash<br />
function; instead, I'm pointing out some properties that are a bit<br />
surprising, and some broad approaches someone might take to get<br />
attacks to work.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{groestlB08,<br />
author = {Paulo S. L. M. Barreto},<br />
title = {An observation on Grøstl},<br />
url = {http://www.larc.usp.br/~pbarreto/Grizzly.pdf},<br />
howpublished = {NIST hash function mailing list},<br />
month = {November},<br />
year = {2008},<br />
abstract = {An alternative view of the Groestl SHA-3 submission is<br />
presented. It does not lead to an effective attack nor reveals a<br />
weakness in the design, but illustrates the importance of the<br />
double-width pipe in this construction.},<br />
}<br />
</bibtex></div>
Mschlaeffer
https://ehash.iaik.tugraz.at/index.php?title=BLAKE&diff=3700
BLAKE
2011-04-22T07:32:08Z
<p>Mschlaeffer: references updated</p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Jean-Philippe Aumasson, Luca Henzen, Willi Meier, Raphael C.-W. Phan<br />
* Website: [http://131002.net/blake/ http://131002.net/blake/]<br />
* NIST submission package: <br />
** Round 3: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round3/documents/Blake_FinalRnd.zip Blake_FinalRnd.zip]<br />
** Round 1/2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/BLAKE_Round2.zip BLAKE_Round2.zip] (old versions: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/BLAKE.zip BLAKE.zip], [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/BLAKEUpdate.zip BLAKEUpdate.zip])<br />
<br />
<br />
<bibtex><br />
@misc{sha3AumassonHMP10,<br />
author = {Jean-Philippe Aumasson and Luca Henzen and Willi Meier and Raphael C.-W. Phan},<br />
title = {SHA-3 proposal BLAKE},<br />
url = {http://131002.net/blake/blake.pdf},<br />
howpublished = {Submission to NIST (Round 3)},<br />
year = {2010},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3AumassonHMP08,<br />
author = {Jean-Philippe Aumasson and Luca Henzen and Willi Meier and Raphael C.-W. Phan},<br />
title = {SHA-3 proposal BLAKE},<br />
url = {http://ehash.iaik.tugraz.at/uploads/0/06/Blake.pdf},<br />
howpublished = {Submission to NIST (Round 1/2)},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
Recommended security parameter: '''14''' rounds (n=224,256); '''16''' rounds (n=384,512)<br />
<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| preimage || 224,256 || 2.5 rounds || 2<sup>n-15</sup> || - || [http://eprint.iacr.org/2009/238.pdf Ji,Liangyu]<br />
|-<br />
| preimage || 384 || 2.5 rounds || 2<sup>355</sup> || - || [http://eprint.iacr.org/2009/238.pdf Ji,Liangyu]<br />
|-<br />
| preimage || 512 || 2.5 rounds || 2<sup>481</sup> || - || [http://eprint.iacr.org/2009/238.pdf Ji,Liangyu]<br />
|-<br />
|} <br />
<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control or access over some internal variables (also known as free-start, pseudo, compression function, block cipher, or permutation attacks).<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|-<br />
| semi-free-start near-collisions || compression function || 256 || 2 rounds || 2<sup>26</sup> || - || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/TURAN_Paper_Erdener.pdf Turan,Uyan]<br />
|-<br />
| collision || hash || all || toy version BLOKE || example || - || [http://lkrv.fri.uni-lj.si/~janos/blake/collisions.pdf Vidali,Nose,Pašalic]<br />
|-<br />
| semi-free-start collision || compression function || all || toy version BRAKE || example || - || [http://lkrv.fri.uni-lj.si/~janos/blake/collisions.pdf Vidali,Nose,Pašalic]<br />
|-<br />
| near-collision || compression function || 256 || 4 rounds (No. 4-7) || 2<sup>21</sup> || - || [http://eprint.iacr.org/2010/355.pdf Su,Wu,Wu,Dong]<br />
|-<br />
| near-collision || compression function || 512 || 4 rounds (No. 7-10) || 2<sup>16</sup> || - || [http://eprint.iacr.org/2010/355.pdf Su,Wu,Wu,Dong]<br />
|-<br />
| near-collision || compression function || 512 || 5 rounds (No. 7-11) || 2<sup>216</sup> || - || [http://eprint.iacr.org/2010/355.pdf Su,Wu,Wu,Dong]<br />
|-<br />
| observations || hash || all || || || || [http://people.item.ntnu.no/~danilog/Hash/Non-random-behaviour-narrow-pipe-designs-03.pdf Gligoroski]<br />
|-<br />
| impossible differential || permutation || 224,256 || 5 rounds || - || - || [http://eprint.iacr.org/2010/043.pdf Aumasson,Guo,Knellwolf,Matusiewicz,Meier]<br />
|-<br />
| impossible differential || permutation || 384,512 || 6 rounds || - || - || [http://eprint.iacr.org/2010/043.pdf Aumasson,Guo,Knellwolf,Matusiewicz,Meier]<br />
|-<br />
| near-collision || compression function || 256 || 4 rounds (No. 3-6) || 2<sup>56</sup> || - || [http://www.jguo.org/docs/blake-col.pdf Guo,Matusiewicz]<br />
|-<br />
| free-start collision || hash || 224,256 || 2.5 rounds || 2<sup>n/2-16</sup> || - || [http://eprint.iacr.org/2009/238.pdf Ji,Liangyu]<br />
|-<br />
| free-start collision || hash || 384,512 || 2.5 rounds || 2<sup>n/2-32</sup> || - || [http://eprint.iacr.org/2009/238.pdf Ji,Liangyu]<br />
|-<br />
|} <br />
<br />
<br />
<bibtex><br />
@misc{blakeTU10,<br />
author = {Meltem Sönmez Turan and Erdener Uyan},<br />
title = {Practical Near-Collisions for Reduced Round Blake, Fugue, Hamsi and JH},<br />
howpublished = {Second SHA-3 Candidate Conference},<br />
year = {2010},<br />
note = {Available online: http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/TURAN_Paper_Erdener.pdf},<br />
abstract = {A hash function is near-collision resistant, if it is hard to find two messages with hash values that differ in only a small number of bits. In this study, we use hill climbing methods to evaluate the near-collision resistance of some of the round SHA-3 candidates. We practically obtained (i) 184/256-bit near-collision for the 2-round compression function of Blake-32; (ii) 192/256-bit near-collision for the 2-round compression function of Hamsi-256; (iii) 820/1024-bit near-collisions for 10-round compression function of JH. We also observed practical collisions and near-collisions for reduced versions of F-256 function used in Fugue.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@article{iplVNP10,<br />
author = {Janoš Vidali and Peter Nose and Enes Pašalic},<br />
title = {Collisions for variants of the BLAKE hash function},<br />
note = {Available online: http://lkrv.fri.uni-lj.si/~janos/blake/collisions.pdf},<br />
journal = {Information Processing Letters},<br />
volume = {110},<br />
number = {14-15},<br />
month = {July},<br />
year = {2010},<br />
pages = {585--590},<br />
publisher = {Elsevier North-Holland, Inc.},<br />
abstract = {In this paper we present an attack to the BLOKE and BRAKE hash functions, which are weakened versions of the SHA-3 candidate BLAKE. In difference to BLAKE, the BLOKE hash function does not permute the message words and constants in the round computation of the compression function, and BRAKE additionally removes feedforward and zeroes the constants used in each round of the compression function. We show that in these cases we can efficiently find, for any intermediate hash value, a fixed-point block giving us an internal collision, thus producing collisions for messages of equal length in case of BLOKE, and internal collisions for BRAKE.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{blakeSuWWD10,<br />
author = {Bozhan Su and Wenling Wu and Shuang Wu and Le Dong},<br />
title = {Near-Collisions on the Reduced-Round Compression Functions of Skein and BLAKE},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/355},<br />
year = {2010},<br />
note = {Available online: http://eprint.iacr.org/2010/355.pdf},<br />
abstract = {The SHA-3 competition organized by NIST aims to find a new hash standard as a replacement of SHA-2. Till now, 14 submissions have been selected as the second round candidates, including Skein and BLAKE, both of which have components based on modular addition, rotation and bitwise XOR (ARX). In this paper, we propose improved near-collision attacks on the reduced-round compression functions of Skein and a variant of BLAKE. The attacks are based on linear differentials of the modular additions. The computational complexity of near-collision attacks on a 4-round compression function of BLAKE-32, 4-round and 5-round compression functions of BLAKE-64 are 2^{21}, 2^{16} and 2^{216} respectively, and the attacks on a 24-round compression functions of Skein-256, Skein-512 and Skein-1024 have a complexity of 2^{60}, 2^{230} and 2^{395} respectively.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{blakeGli10,<br />
author = {Danilo Gligoroski},<br />
title = {Narrow-pipe SHA-3 candidates differ significantly from ideal random functions defined over big domains},<br />
note = {Available online: http://people.item.ntnu.no/~danilog/Hash/Non-random-behaviour-narrow-pipe-designs-03.pdf},<br />
howpublished = {NIST hash function mailing list},<br />
year = {2010},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cryptoeprint:2010:043,<br />
author = {Jean-Philippe Aumasson and Jian Guo and Simon Knellwolf<br />
and Krystian Matusiewicz and Willi Meier},<br />
title = {Differential and invertibility properties of BLAKE (full version)},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/043},<br />
year = {2010},<br />
note = {Available online: http://eprint.iacr.org/2010/043.pdf},<br />
abstract = {BLAKE is a hash function selected by NIST as one of<br />
the 14 second round candidates for the SHA-3 Competition. In this<br />
paper, we follow a bottom-up approach to exhibit properties of BLAKE<br />
and of its building blocks: based on differential properties of the<br />
internal function G, we show that a round of BLAKE is a permutation on<br />
the message space, and present an efficient inversion algorithm. For<br />
1.5 rounds we present an algorithm that finds preimages faster than in<br />
previous attacks. Discovered properties lead us to describe large<br />
classes of impossible differentials for two rounds of BLAKE’s internal<br />
permutation, and particular impossible differentials for five and six<br />
rounds, respectively for BLAKE-32 and BLAKE-64. Then, using a linear<br />
and rotation-free model, we describe near-collisions for four rounds<br />
of the compression function. Finally, we discuss the problem of<br />
establishing upper bounds on the probability of differential<br />
characteristics for BLAKE.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{blakeGM09,<br />
author = {Jian Guo and Krystian Matusiewicz},<br />
title = {Round-Reduced Near-Collisions of BLAKE-32},<br />
howpublished = {Accepted for presentation at WEWoRC 2009},<br />
note = {Available online: http://www.jguo.org/docs/blake-col.pdf},<br />
year = {2009}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cryptoeprint:2009:238,<br />
author = {Li Ji and Xu Liangyu},<br />
title = {Attacks on Round-Reduced BLAKE},<br />
howpublished = {Cryptology ePrint Archive, Report 2009/238},<br />
year = {2009},<br />
note = {Available online: http://eprint.iacr.org/2009/238.pdf},<br />
abstract = {BLAKE is a new hash family proposed for SHA-3. The<br />
core of compression function reuses the core function of ChaCha. A<br />
round-dependent permutation is used as message schedule. BLAKE is<br />
claimed to achieve full diffusion after 2 rounds. However, message<br />
words can be controlled on the first several rounds. By exploiting<br />
properties of message permutation, we can attack 2.5 reduced rounds.<br />
The results do not threaten the security claimed in the specification.<br />
},<br />
}<br />
</bibtex></div>Mschlaefferhttps://ehash.iaik.tugraz.at/index.php?title=Skein&diff=3699Skein2011-04-04T08:35:04Z<p>Mschlaeffer: </p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Niels Ferguson, Stefan Lucks, Bruce Schneier, Doug Whiting, Mihir Bellare, Tadayoshi Kohno, Jon Callas, Jesse Walker<br />
* Website: [http://www.schneier.com/skein.html http://www.schneier.com/skein.html]; [http://skein-hash.info/ http://skein-hash.info/]<br />
* NIST submission package: <br />
** Round 3: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round3/documents/Skein_FinalRnd.zip Skein_FinalRnd.zip]<br />
** Round 2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/Skein_Round2.zip Skein_Round2.zip]<br />
** Round 1: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/SkeinUpdate.zip SkeinUpdate.zip] (old version: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/Skein.zip Skein.zip])<br />
<br />
<br />
<bibtex><br />
@misc{sha3F+10,<br />
author = {Niels Ferguson and Stefan Lucks and Bruce Schneier and Doug Whiting and Mihir Bellare and Tadayoshi Kohno and Jon Callas and Jesse Walker},<br />
title = {The Skein Hash Function Family},<br />
url = {http://www.skein-hash.info/sites/default/files/skein1.3.pdf},<br />
howpublished = {Submission to NIST (Round 3)},<br />
year = {2010},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3F+09,<br />
author = {Niels Ferguson and Stefan Lucks and Bruce Schneier and Doug Whiting and Mihir Bellare and Tadayoshi Kohno and Jon Callas and Jesse Walker},<br />
title = {The Skein Hash Function Family},<br />
url = {http://www.skein-hash.info/sites/default/files/skein1.2.pdf},<br />
howpublished = {Submission to NIST (Round 2)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3F+08,<br />
author = {Niels Ferguson and Stefan Lucks and Bruce Schneier and Doug Whiting and Mihir Bellare and Tadayoshi Kohno and Jon Callas and Jesse Walker},<br />
title = {The Skein Hash Function Family},<br />
url = {http://www.skein-hash.info/sites/default/files/skein1.1.pdf},<br />
howpublished = {Submission to NIST (Round 1)},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
Recommended security parameter: '''72''' rounds (Skein-512)<br />
<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| || || || || ||<br />
|- <br />
|}<br />
<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control or access over some internal variables (also known as free-start, pseudo, compression function, block cipher, or permutation attacks).<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|-<br />
| distinguisher || compression function || all || 57 rounds (Round 2) || 2<sup>503</sup> || - || [http://eprint.iacr.org/2010/538.pdf Khovratovich,Nikolić,Rechberger]<br />
|-<br />
| distinguisher || compression function || 256 || 53 rounds (Round 2) || 2<sup>251</sup>, Skein-256 || - || [http://eprint.iacr.org/2010/538.pdf Khovratovich,Nikolić,Rechberger]<br />
|-<br />
| near-collision || compression function || all || 24 rounds (No. 20-43) || 2<sup>230</sup> || - || [http://eprint.iacr.org/2010/355.pdf Su,Wu,Wu,Dong]<br />
|-<br />
| near-collision || compression function || 256 || 24 rounds (No. 12-35), Skein-256 || 2<sup>60</sup> || - || [http://eprint.iacr.org/2010/355.pdf Su,Wu,Wu,Dong]<br />
|-<br />
| near-collision || compression function || all || 24 rounds, Skein-1024 || 2<sup>395</sup> || - || [http://eprint.iacr.org/2010/355.pdf Su,Wu,Wu,Dong]<br />
|-<br />
| observations || hash || all || || || || [http://people.item.ntnu.no/~danilog/Hash/Non-random-behaviour-narrow-pipe-designs-03.pdf Gligoroski]<br />
|-<br />
| observations || block cipher || all || - || - || - || [http://eprint.iacr.org/2010/282.pdf McKay,Vora]<br />
|-<br />
| observations || compression function || all || - || - || - || [http://eprint.iacr.org/2010/262.pdf Kaminsky]<br />
|-<br />
| key recovery || block cipher || 256 || 39 rounds || 2<sup>254.1</sup> || - || [http://cryptolux.org/mediawiki/uploads/5/5b/Rotational_Cryptanalysis_of_Skein.pdf Khovratovich,Nikolic]<br />
|-<br />
| key recovery || block cipher || 512 || 42 rounds|| 2<sup>507</sup> || - || [http://cryptolux.org/mediawiki/uploads/5/5b/Rotational_Cryptanalysis_of_Skein.pdf Khovratovich,Nikolic]<br />
|- <br />
| key recovery || block cipher || 512 || 32 rounds (Round 1) || 2<sup>226</sup> (2<sup>222</sup>) || 2<sup>12</sup> || [http://eprint.iacr.org/2009/526.pdf Chen,Jia]<br />
|- <br />
| key recovery || block cipher || 512 || 33 rounds (Round 1) || 2<sup>352.17</sup> (2<sup>355.5</sup>) || - || [http://eprint.iacr.org/2009/526.pdf Chen,Jia]<br />
|-<br />
| near-collision || compression function || 512 || 17 rounds (Round 1) || 2<sup>24</sup> || - || [http://eprint.iacr.org/2009/438.pdf Aumasson,Calik,Meier,Ozen,Phan,Varici]<br />
|- <br />
| distinguisher || block cipher || 512 || 35 rounds (Round 1) || 2<sup>478</sup> || - || [http://eprint.iacr.org/2009/438.pdf Aumasson,Calik,Meier,Ozen,Phan,Varici]<br />
|- <br />
| impossible differential || block cipher || 512 || 21 rounds (Round 1) || - || - || [http://eprint.iacr.org/2009/438.pdf Aumasson,Calik,Meier,Ozen,Phan,Varici]<br />
|- <br />
| key recovery || block cipher || 512 || 32 rounds (Round 1) || 2<sup>312</sup> || - || [http://eprint.iacr.org/2009/438.pdf Aumasson,Calik,Meier,Ozen,Phan,Varici]<br />
|- <br />
|} <br />
<br />
<br />
<bibtex><br />
@misc{skeinKNR10,<br />
author = {Dmitry Khovratovich and Ivica Nikolić and Christian Rechberger},<br />
title = {Rotational Rebound Attacks on Reduced Skein},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/538},<br />
year = {2010},<br />
url = {http://eprint.iacr.org/2010/538.pdf},<br />
abstract = {In this paper we combine the recent rotational cryptanalysis with the rebound attack, which results in the best cryptanalysis of Skein, a candidate for the SHA-3 competition. The rebound attack approach was so far only applied to AES-like constructions. For the first time, we show that this approach can also be applied to very different constructions. In more detail, we develop a number of techniques that extend the reach of both the inbound and the outbound phase, leading to rotational collisions for about 53/57 out of the 72 rounds of the Skein-256/512 compression function and the Threefish cipher. At this point, the results do not threaten the security of the full-round Skein hash function.<br />
<br />
The new techniques include an analytical search for optimal input values in the rotational cryptanalysis, which allows to extend the outbound phase of the attack with a precomputation phase, an approach never used in any rebound-style attack before. Further we show how to combine multiple inside-out computations and neutral bits in the inbound phase of the rebound attack, and give well-defined rotational distinguishers as certificates of weaknesses for the compression functions and block ciphers.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{skeinSuWWD10,<br />
author = {Bozhan Su and Wenling Wu and Shuang Wu and Le Dong},<br />
title = {Near-Collisions on the Reduced-Round Compression Functions of Skein and BLAKE},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/355},<br />
year = {2010},<br />
url = {http://eprint.iacr.org/2010/355.pdf},<br />
abstract = {The SHA-3 competition organized by NIST aims to find a new hash standard as a replacement of SHA-2. Till now, 14 submissions have been selected as the second round candidates, including Skein and BLAKE, both of which have components based on modular addition, rotation and bitwise XOR (ARX). In this paper, we propose improved near-collision attacks on the reduced-round compression functions of Skein and a variant of BLAKE. The attacks are based on linear differentials of the modular additions. The computational complexity of near-collision attacks on a 4-round compression function of BLAKE-32, 4-round and 5-round compression functions of BLAKE-64 are 2^{21}, 2^{16} and 2^{216} respectively, and the attacks on a 24-round compression functions of Skein-256, Skein-512 and Skein-1024 have a complexity of 2^{60}, 2^{230} and 2^{395} respectively.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{skeinGli10,<br />
author = {Danilo Gligoroski},<br />
title = {Narrow-pipe SHA-3 candidates differ significantly from ideal random functions defined over big domains},<br />
url = {http://people.item.ntnu.no/~danilog/Hash/Non-random-behaviour-narrow-pipe-designs-03.pdf},<br />
howpublished = {NIST mailing list},<br />
year = {2010},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{skeinMV10,<br />
author = {Kerry A. McKay and Poorvi L. Vora},<br />
title = {Pseudo-Linear Approximations for ARX Ciphers: With Application to Threefish},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/282},<br />
year = {2010},<br />
url = {http://eprint.iacr.org/2010/282.pdf},<br />
note = {\url{http://eprint.iacr.org/}},<br />
abstract = {The operations addition modulo 2^n and exclusive-or have recently been combined to obtain an efficient mechanism for nonlinearity in block cipher design. In this paper, we show that ciphers using this approach may be approximated by pseudo-linear expressions relating groups of contiguous bits of the round key, round input, and round output. The bias of an approximation can be large enough for known plaintext attacks. We demonstrate an application of this concept to a reduced-round version of the Threefish block cipher, a component of the Skein entry in the secure hash function competition.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{skeinKam10,<br />
author = {Alan Kaminsky},<br />
title = {Cube Test Analysis of the Statistical Behavior of CubeHash and Skein},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/262},<br />
year = {2010},<br />
url = {http://eprint.iacr.org/2010/262.pdf},<br />
note = {\url{http://eprint.iacr.org/}},<br />
abstract = {This work analyzes the statistical properties of the SHA-3 candidate cryptographic hash algorithms CubeHash and Skein to try to find nonrandom behavior. Cube tests were used to probe each algorithm's internal polynomial structure for a large number of choices of the polynomial input variables. The cube test data were calculated on a 40-core hybrid SMP cluster parallel computer. The cube test data were subjected to three statistical tests: balance, independence, and off-by-one. Although isolated statistical test failures were observed, the balance and off-by-one tests did not find nonrandom behavior overall in either CubeHash or Skein. However, the independence test did find nonrandom behavior overall in both CubeHash and Skein. }<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{skeinKN10,<br />
author = {Dmitry Khovratovich and Ivica Nikolic},<br />
title = {Rotational Cryptanalysis of ARX},<br />
howpublished = {Preproceedings of FSE 2010},<br />
year = {2010},<br />
url = {http://cryptolux.org/mediawiki/uploads/5/5b/Rotational_Cryptanalysis_of_Skein.pdf},<br />
abstract = {In this paper we analyze the security of systems based on<br />
modular additions, rotations, and XORs (ARX systems). We provide<br />
both theoretical support for their security and practical cryptanalysis of<br />
real ARX primitives. We use a technique called rotational cryptanalysis,<br />
that is universal for the ARX systems and is quite efficient. We illustrate<br />
the method with the best known attack on reduced versions of the block<br />
cipher Threefish (the core of Skein). Additionally, we prove that ARX<br />
with constants are functionally complete, i.e. any function can be realized<br />
with these operations.<br />
},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cryptoeprint:2009:526,<br />
author = {Jiazhe Chen and Keting Jia},<br />
title = {Improved Related-key Boomerang Attacks on Round-Reduced Threefish-512},<br />
howpublished = {Cryptology ePrint Archive, Report 2009/526},<br />
year = {2009},<br />
url = {http://eprint.iacr.org/2009/526.pdf},<br />
note = {\url{http://eprint.iacr.org/}},<br />
abstract = {Hash function Skein is one of the 14 NIST SHA-3 second round candidates. Threefish is a tweakable block cipher as the core of Skein, defined with a 256-, 512-, and 1024-bit block size. The 512-bit block size is the primary proposal of the authors. In this paper we construct two related-key boomerang distinguishers on round-reduced Threefish-512 using the method of \emph{modular differential}. With a distinguisher on 32 rounds of Threefish-512, we improve the key recovery attack on 32 rounds of Threefish-512 proposed by Aumasson et al. Their attack requires $2^{312}$ encryptions and $2^{71}$ bytes of memory. However, our attack has a time complexity of $2^{226}$ encryptions with memory of $2^{12}$ bytes. Furthermore, we give a key recovery attack on Threefish-512 reduced to 33 rounds using a 33-round related-key boomerang distinguisher, with $2^{352.17}$ encryptions and negligible memory. Skein had been updated after it entered the second round and the results above are based on the original version. However, as the only differences between the original and the new version are the rotation constants, both of the methods can be applied to the new version with modified differential trails. For the new rotation constants, our attack on 32-round Threefish-512 has a time complexity $2^{222}$ and $2^{12}$ bytes' memory. Our attack on 33-round Threefish-512 has a time complexity $2^{355.5}$ and negligible memory.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{skeinA+09,<br />
author = {Jean-Philippe Aumasson and Cagdas Calik and Willi Meier and Onur Ozen and Raphael C.-W. Phan and Kerem Varici},<br />
title = {Improved Cryptanalysis of Skein},<br />
howpublished = {Cryptology ePrint Archive, Report 2009/438},<br />
year = {2009},<br />
url = {http://eprint.iacr.org/2009/438.pdf},<br />
note = {\url{http://eprint.iacr.org/}},<br />
abstract={The hash function Skein is the submission of Ferguson et al. to the NIST Hash Competition, and is arguably a serious candidate for selection as SHA-3. This paper presents the first third-party analysis of Skein, with an extensive study of its main component: the block cipher Threefish. We notably investigate near collisions, distinguishers, impossible differentials, key recovery using related-key differential and boomerang attacks. In particular, we present near collisions on up to 17 rounds, an impossible differential on 21 rounds, a related-key boomerang distinguisher on 34 rounds, a known-related-key boomerang distinguisher on 35 rounds, and key recovery attacks on up to 32 rounds, out of 72 in total for Threefish-512. None of our attacks directly extends to the full Skein hash. However, the pseudorandomness of Threefish is required to validate the security proofs on Skein, and our results conclude that at least 36 rounds of Threefish seem required for optimal security guarantees.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{SkeinAum09,<br />
author = {Jean-Philippe Aumasson and Willi Meier and Raphael Phan},<br />
title = {Improved analysis of Threefish},<br />
url = {http://131002.net/data/talks/threefish_rump.pdf},<br />
howpublished = {FSE 2009 rump session, slides available online},<br />
year = {2009},<br />
}<br />
</bibtex></div>Mschlaefferhttps://ehash.iaik.tugraz.at/index.php?title=Keccak&diff=3698Keccak2011-04-04T08:34:38Z<p>Mschlaeffer: </p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche<br />
* Website: [http://keccak.noekeon.org/ http://keccak.noekeon.org/] <br />
* NIST submission package: <br />
** Round 3: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round3/documents/Keccak_FinalRnd.zip Keccak_FinalRnd.zip]<br />
** Round 2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/Keccak_Round2.zip Keccak_Round2.zip]<br />
** Round 1: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/Keccak.zip Keccak.zip]<br />
<br />
<br />
<bibtex><br />
@misc{KeccakSub3,<br />
author = {G. Bertoni and J. Daemen and M. Peeters and G. Van Assche},<br />
title = {The Keccak SHA-3 submission},<br />
url = {http://keccak.noekeon.org/Keccak-submission-3.pdf},<br />
howpublished = {Submission to NIST (Round 3)},<br />
year = {2011},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{KeccakRef3,<br />
author = {G. Bertoni and J. Daemen and M. Peeters and G. Van Assche},<br />
title = {The Keccak reference},<br />
url = {http://keccak.noekeon.org/Keccak-reference-3.0.pdf},<br />
howpublished = {Submission to NIST (Round 3)},<br />
year = {2011},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{KeccakSponge3,<br />
author = {G. Bertoni and J. Daemen and M. Peeters and G. Van Assche},<br />
title = {Cryptographic sponge functions},<br />
url = {http://sponge.noekeon.org/CSF-0.1.pdf},<br />
howpublished = {Submission to NIST (Round 3)},<br />
year = {2011},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{KeccakSpecs2,<br />
author = {G. Bertoni and J. Daemen and M. Peeters and G. Van Assche},<br />
title = {Keccak specifications},<br />
url = {http://keccak.noekeon.org/Keccak-specifications-2.pdf},<br />
howpublished = {Submission to NIST (Round 2)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{KeccakMain2,<br />
author = {G. Bertoni and J. Daemen and M. Peeters and G. Van Assche},<br />
title = {Keccak sponge function family main document},<br />
url = {http://keccak.noekeon.org/Keccak-main-2.0.pdf},<br />
howpublished = {Submission to NIST (Round 2)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{KeccakSpecs,<br />
author = {G. Bertoni and J. Daemen and M. Peeters and G. Van Assche},<br />
title = {Keccak specifications},<br />
url = {http://keccak.noekeon.org/Keccak-specifications.pdf},<br />
howpublished = {Submission to NIST (Round 1)},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{KeccakMain,<br />
author = {G. Bertoni and J. Daemen and M. Peeters and G. Van Assche},<br />
title = {Keccak sponge function family main document},<br />
url = {http://keccak.noekeon.org/Keccak-main-1.0.pdf},<br />
howpublished = {Submission to NIST (Round 1)},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
Recommended security parameter: '''24''' rounds (Keccak-''f'' [1600])<br />
<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| 2nd preimage || 512 || 6 rounds || 2<sup>506</sup> || 2<sup>176</sup> || [http://ehash.iaik.tugraz.at/uploads/6/65/NIST-mailing-list_Bernstein-Daemen.txt Bernstein]<br />
|- <br />
| 2nd preimage || 512 || 7 rounds || 2<sup>507</sup> || 2<sup>320</sup> || [http://ehash.iaik.tugraz.at/uploads/6/65/NIST-mailing-list_Bernstein-Daemen.txt Bernstein]<br />
|- <br />
| 2nd preimage || 512 || 8 rounds || 2<sup>511.5</sup> || 2<sup>508</sup> || [http://ehash.iaik.tugraz.at/uploads/6/65/NIST-mailing-list_Bernstein-Daemen.txt Bernstein]<br />
|- <br />
|}<br />
<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control or access over some internal variables (also known as free-start, pseudo, compression function, block cipher, or permutation attacks).<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| distinguisher || permutation || all || 24 rounds || 2<sup>1579</sup> || || [http://eprint.iacr.org/2011/023.pdf Duan,Lai]<br />
|- <br />
| distinguisher || permutation || all || 24 rounds || 2<sup>1590</sup> || || [http://eprint.iacr.org/2010/589.pdf Boura,Canteaut,DeCanniere]<br />
|- <br />
| distinguisher || permutation || all || 20 rounds || 2<sup>1586</sup> || || [http://www-rocq.inria.fr/secret/Christina.Boura/data/sac.pdf Boura,Canteaut]<br />
|- <br />
| preimage<sup>(2)</sup> || hash || 1024 || 3 rounds, 40 bit message || 1852 seconds (2<sup>34.11</sup>) || ? || [http://eprint.iacr.org/2010/285.pdf Morawiecki,Srebrny]<br />
|- <br />
| distinguisher<sup>(1)</sup> || permutation || all || 18 rounds || 2<sup>1370</sup> || || [http://www-roc.inria.fr/secret/Anne.Canteaut/Publications/zero_sum.pdf Boura,Canteaut]<br />
|- <br />
| distinguisher<sup>(1)</sup> || permutation || all || 16 rounds || 2<sup>1023.88</sup> || || [http://www.131002.net/data/papers/AM09.pdf Aumasson,Meier]<br />
|- <br />
| key recovery || secret-prefix MAC || 224 || 4 rounds || 2<sup>19</sup> || ? || [http://www.cs.rit.edu/~jal6806/thesis/thesis.pdf Lathrop]<br />
|- <br />
| observations || permutation || all || || || || [http://131002.net/data/papers/AK09.pdf Aumasson,Khovratovich]<br />
|- <br />
|}<br />
<br />
<sup>(1)</sup>The Keccak team commented on these distinguishers and provided generic constructions in [http://keccak.noekeon.org/NoteZeroSum.pdf this note].<br />
<br />
<sup>(2)</sup>The Keccak team estimated the complexity of this attack at 2<sup>34.11</sup> evaluations of 3 rounds of Keccak-f[1600] in [http://ehash.iaik.tugraz.at/uploads/5/5b/Note_SAT-basedPreimageAnalysis.txt this note] (exhaustive search: 2<sup>40</sup>).<br />
<br />
<br />
<bibtex><br />
@misc{cryptoeprint:2011:023,<br />
author = {Ming Duan and Xuejia Lai},<br />
title = {Improved zero-sum distinguisher for full round Keccak-f permutation},<br />
howpublished = {Cryptology ePrint Archive, Report 2011/023},<br />
year = {2011},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/2011/023.pdf},<br />
abstract = {K$\textsc{eccak}$ is one of the five hash functions selected for the final round of the SHA-3 competition and its inner primitive is a permutation called K$\textsc{eccak}$-$f$. In this paper, we find that for the inverse of the only one nonlinear transformation of K$\textsc{eccak}$-$f$, the algebraic degrees of any output coordinate and of the product of any two output coordinates are both 3 and also 2 less than its size 5. Combining the observation with a proposition from an upper bound on the degree of iterated permutations, we improve the zero-sum distinguisher of full 24 rounds K$\textsc{eccak}$-$f$ permutation by lowering the size of the zero-sum partition from $2^{1590}$ to $2^{1579}$.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{KeccakBernstein10,<br />
author = {Daniel J. Bernstein},<br />
title = {Second preimages for 6 (7? (8??)) rounds of Keccak?},<br />
url = {http://ehash.iaik.tugraz.at/uploads/6/65/NIST-mailing-list_Bernstein-Daemen.txt},<br />
howpublished = {NIST mailing list},<br />
year = {2010},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cryptoeprint:2009:224,<br />
author = {Christina Boura and Anne Canteaut and Christophe De Cannière},<br />
title = {Higher-order differential properties of Keccak and Luffa},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/589},<br />
year = {2010},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/2010/589.pdf},<br />
abstract = {In this paper, we identify higher-order differential and zero-sum properties in the full Keccak-f permutation, in the Luffa v1 hash function, and in components of the Luffa v2 algorithm. These structural properties rely on a new bound on the degree of iterated permutations with a nonlinear layer composed of parallel applications of smaller balanced Sboxes. These techniques yield zero-sum partitions of size $2^{1590}$ for the full Keccak-f permutation and several observations on the Luffa hash family. We first show that Luffa v1 applied to one-block messages is a function of 255 variables with degree at most 251. This observation leads to the construction of a higher-order differential distinguisher for the full Luffa v1 hash function, similar to the one presented by Watanabe et al. on a reduced version. We show that similar techniques can be used to find all-zero higher-order differentials in the Luffa v2 compression function, but the additional blank round destroys this property in the hash function.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{sacBC10,<br />
author = {Christina Boura and Anne Canteaut},<br />
title = {Zero-Sum Distinguishers for Iterated Permutations and Application to Keccak-f and Hamsi-256},<br />
url = {http://www-rocq.inria.fr/secret/Christina.Boura/data/sac.pdf},<br />
booktitle = {SAC},<br />
year = {2010},<br />
series = {LNCS},<br />
publisher = {Springer},<br />
note = {To appear},<br />
abstract = {The zero-sum distinguishers introduced by Aumasson and Meier are investigated. First, the minimal size of a zero-sum is established. Then, we analyze the impacts of the linear and the nonlinear layers in an iterated permutation on the construction of zero-sum partitions. Finally, these techniques are applied to the Keccak-f permutation and to Hamsi-256. We exhibit several zero-sum partitions for 20 rounds (out of 24) of Keccak-f and some zero-sum partitions of size $2^{19}$ and $2^{10}$ for the finalization permutation in Hamsi-256.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{keccakMS10,<br />
author = {Pawel Morawiecki and Marian Srebrny},<br />
title = {A SAT-based preimage analysis of reduced KECCAK hash functions},<br />
url = {http://eprint.iacr.org/2010/285.pdf},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/285},<br />
year = {2010},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{KeccakNoteZeroSum,<br />
author = {G. Bertoni and J. Daemen and M. Peeters and G. Van Assche},<br />
title = {Note on zero-sum distinguishers of Keccak-f},<br />
url = {http://keccak.noekeon.org/NoteZeroSum.pdf},<br />
howpublished = {NIST mailing list},<br />
year = {2010},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{keccakBC10,<br />
author = {Christina Boura and Anne Canteaut},<br />
title = {A Zero-Sum property for the Keccak-f Permutation with 18 Rounds},<br />
url = {http://www-roc.inria.fr/secret/Anne.Canteaut/Publications/zero_sum.pdf},<br />
howpublished = {NIST mailing list},<br />
year = {2010},<br />
abstract = {A new type of distinguishing property, named the zero-sum property<br />
has been recently presented by Aumasson and Meier [1]. It has<br />
been applied to the inner permutation of the hash function Keccak<br />
and it has led to a distinguishing property for the Keccak-f permutation<br />
up to 16 rounds, out of 24 in total. Here, we additionally exploit<br />
some spectral properties of the Keccak-f permutation and we improve<br />
the previously known upper bounds on the degree of the inverse<br />
permutation after a certain number of rounds. This result enables us<br />
to extend the zero-sum property to 18 rounds of the Keccak-f permutation,<br />
which was the number of rounds in the previous version of<br />
Keccak submitted to the SHA-3 competition.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{keccakAM09,<br />
author = {Jean-Philippe Aumasson and Willi Meier},<br />
title = {Zero-sum distinguishers for reduced Keccak-f and for the core functions of Luffa and Hamsi},<br />
url = {http://www.131002.net/data/papers/AM09.pdf},<br />
howpublished = {NIST mailing list},<br />
year = {2009},<br />
abstract = {We present a new type of distinguisher, called zero-sum distinguisher, and apply it to reduced versions of the Keccak-f permutation. We obtain practical and deterministic distinguishers on up to 9 rounds, and shortcut distinguishers on up to 16 rounds, out of 18 in total. These observations do not seem to affect the security of Keccak. We also briefly describe application of zero-sum distinguishers to the core permutations of Luffa and Hamsi.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{keccakL09,<br />
author = {Joel Lathrop},<br />
title = {Cube Attacks on Cryptographic Hash Functions},<br />
url = {http://www.cs.rit.edu/~jal6806/thesis/thesis.pdf},<br />
howpublished = {Available online},<br />
year = {2009},<br />
abstract = {The thesis includes a successful cube attack against 4-round Keccak complete with a table of maxterms, analysis of the attack, and the estimated limits of its extension to higher numbers of rounds.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{keccakAK09,<br />
author = {Jean-Philippe Aumasson and Dmitry Khovratovich},<br />
title = {First Analysis of Keccak},<br />
url = {http://131002.net/data/papers/AK09.pdf},<br />
howpublished = {Available online},<br />
year = {2009},<br />
abstract = {We apply known automated cryptanalytic tools to the Keccak-f[1600] permutation, using<br />
a triangulation tool to solve the CICO problem, and cube testers to detect some structure in the<br />
algebraic description of the reduced Keccak-f[1600]. The applicability of our tools was notably limited<br />
by the strength of the inverse permutation.},<br />
}<br />
</bibtex></div>Mschlaefferhttps://ehash.iaik.tugraz.at/index.php?title=JH&diff=3697JH2011-04-04T08:34:16Z<p>Mschlaeffer: </p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Hongjun Wu<br />
* Website: [http://www3.ntu.edu.sg/home/wuhj/research/jh/ http://www3.ntu.edu.sg/home/wuhj/research/jh/]<br />
* NIST submission package: <br />
** Round 3: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round3/documents/JH_FinalRnd.zip JH_FinalRnd.zip]<br />
** Round 1/2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/JH_Round2.zip JH_Round2.zip] (old versions: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/JH.zip JH.zip], [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/JHUpdate.zip JHUpdate.zip])<br />
<br />
<br />
<bibtex><br />
@misc{sha3W09,<br />
author = {Hongjun Wu},<br />
title = {The Hash Function JH},<br />
url = {http://www3.ntu.edu.sg/home/wuhj/research/jh/jh_round3.pdf},<br />
howpublished = {Submission to NIST (round 3)},<br />
year = {2011},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3W09a,<br />
author = {Hongjun Wu},<br />
title = {The Hash Function JH},<br />
url = {http://ehash.iaik.tugraz.at/uploads/1/1d/Jh20090915.pdf},<br />
howpublished = {Submission to NIST (Round 1/2)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
Recommended security parameter: '''42''' rounds<br />
<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|-<br />
| style="background:greenyellow" | preimage || 512 || || 2<sup>507</sup> || 2<sup>507</sup> || [http://www.isical.ac.in/~rishi_r/FSE2010-146.pdf Bhattacharyya et al.]<br />
|- <br />
| style="background:greenyellow" | preimage<sup>(1)</sup> || 512 || || 2<sup>510.3</sup> (+ 2<sup>524</sup> MA + 2<sup>524</sup> CMP) || 2<sup>510.3</sup> (Wu: 2<sup>510.6</sup>) || [http://ehash.iaik.tugraz.at/uploads/d/da/Jh_preimage.pdf Mendel,Thomsen], [http://ehash.iaik.tugraz.at/uploads/6/6f/Jh_mt_complexity.pdf Wu]<br />
|- <br />
|} <br />
<br />
<sup>(1)</sup> Wu has analyzed the exact memory requirements, additional memory accesses (MA) and comparisons (CMP) of the attack by Mendel and Thomsen.<br />
<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks). <br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| semi-free-start collision || compression function || 256 || 16 rounds || 2<sup>96.12</sup> || 2<sup>96.12</sup> || [http://eprint.iacr.org/2010/607.pdf Naya-Plasencia]<br />
|-<br />
| semi-free-start near collision || compression function || 256 || 22 rounds || 2<sup>95.63</sup> || 2<sup>95.63</sup> || [http://eprint.iacr.org/2010/607.pdf Naya-Plasencia]<br />
|-<br />
| semi-free-start near collision || compression function || all || 10 rounds || 2<sup>23.24</sup> || - || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/TURAN_Paper_Erdener.pdf Turan,Uyan]<br />
|- <br />
| semi-free-start collision || hash || 256 || 16 rounds || 2<sup>178.24</sup> || 2<sup>101.12</sup> || [http://www.cosic.esat.kuleuven.be/publications/article-1431.pdf Rijmen,Toz,Varıcı]<br />
|- <br />
| semi-free-start near collision || compression function || 256 || 22 rounds || 2<sup>156.77</sup> || 2<sup>143.70</sup> || [http://www.cosic.esat.kuleuven.be/publications/article-1431.pdf Rijmen,Toz,Varıcı]<br />
|- <br />
| semi-free-start near collision || compression function || 256 || 22 rounds || 2<sup>156.56</sup> || 2<sup>143.70</sup> || [http://www.cosic.esat.kuleuven.be/publications/article-1431.pdf Rijmen,Toz,Varıcı]<br />
|- <br />
| pseudo-collision || compression function || all || || - || - || [http://ehash.iaik.tugraz.at/uploads/a/a8/Jh1.txt Bagheri]<br />
|- <br />
| pseudo-2nd preimage || compression function || all || || - || - || [http://ehash.iaik.tugraz.at/uploads/a/a8/Jh1.txt Bagheri]<br />
|- <br />
|} <br />
<br />
<br />
<bibtex><br />
@misc{cryptoeprint:2010:607,<br />
author = {María Naya-Plasencia},<br />
title = {Scrutinizing rebound attacks: new algorithms for improving the complexities},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/607},<br />
year = {2010},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/2010/607.pdf},<br />
abstract = {Rebound attacks are a state-of-the-art analysis method for hash functions. These cryptanalysis methods are based on a well chosen differential path and have been applied to several hash functions from the SHA-3 competition, providing the best known analysis in these cases. In this paper we study rebound attacks in detail and find for a great number of cases, that complexities of existing attacks can be improved. This is done by determining problems that adapt optimally to the cryptanalytic situation, and by using better algorithms to follow the differential path. These improvements are essentially based on merging big lists in a more efficient way, as well as on new ideas on how to reduce the complexities. As a result, we introduce general purpose new algorithms for enabling further rebound analysis to be as performant as possible. We illustrate our new algorithms for real hash functions and demonstrate how to reduce the complexities of the best known analysis on five hash functions: JH, Grøstl, ECHO, Luffa and Lane (the first four are round two SHA-3 candidates).},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{blakeTU10,<br />
author = {Meltem Sönmez Turan and Erdener Uyan},<br />
title = {Practical Near-Collisions for Reduced Round Blake, Fugue, Hamsi and JH},<br />
howpublished = {Second SHA-3 Candidate Conference},<br />
year = {2010},<br />
url = {http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/TURAN_Paper_Erdener.pdf},<br />
abstract = {A hash function is near-collision resistant, if it is hard to find two messages with hash values that differ in only a small number of bits. In this study, we use hill climbing methods to evaluate the near-collision resistance of some of the round SHA-3 candidates. We practically obtained (i) 184/256-bit near-collision for the 2-round compression function of Blake-32; (ii) 192/256-bit near-collision for the 2-round compression function of Hamsi-256; (iii) 820/1024-bit near-collisions for 10-round compression function of JH. We also observed practical collisions and near-collisions for reduced versions of F-256 function used in Fugue.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{BMN10,<br />
author = {Rishiraj Bhattacharyya and Avradip Mandal and Mridul Nandi},<br />
title = {Security Analysis of the Mode of JH Hash Function},<br />
url = {http://www.isical.ac.in/~rishi_r/FSE2010-146.pdf},<br />
booktitle = {FSE},<br />
year = {2010},<br />
series = {LNCS},<br />
note = {To appear}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{RTV10,<br />
author = {Vincent Rijmen and Denis Toz and Kerem Varıcı},<br />
title = {Rebound Attack on Reduced-Round Versions of JH},<br />
url = {http://www.cosic.esat.kuleuven.be/publications/article-1431.pdf},<br />
booktitle = {FSE},<br />
year = {2010},<br />
series = {LNCS},<br />
note = {To appear}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{B08,<br />
author = {Nasour Bagheri},<br />
title = {Pseudo-collision and pseudo-second preimage on JH},<br />
url = {http://ehash.iaik.tugraz.at/uploads/a/a8/Jh1.txt}, <br />
howpublished = {NIST mailing list (local link)},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{MT08,<br />
author = {Florian Mendel and Søren S. Thomsen},<br />
title = {An Observation on JH-512},<br />
url = {http://ehash.iaik.tugraz.at/uploads/d/da/Jh_preimage.pdf}, <br />
howpublished = {Available online},<br />
year = {2008},<br />
abstract = {In this paper, we present a generic preimage attack on JH-512. We do not claim that<br />
our attack breaks JH-512 (due to the high memory requirements), but it uses some interesting<br />
properties in the design principles of JH-512 which do not exist in other hash functions, e.g., the<br />
SHA-2 family.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{W09,<br />
author = {Hongjun Wu},<br />
title = {The Complexity of Mendel and Thomsen's Preimage Attack on JH-512},<br />
url = {http://ehash.iaik.tugraz.at/uploads/6/6f/Jh_mt_complexity.pdf}, <br />
howpublished = {Available online},<br />
year = {2009},<br />
abstract = {Mendel and Thomsen gave a preimage attack on JH-512 by finding a preimage through the collision search over the space of $2^{1024}$ elements. However, they did not estimate the cost of the collision search which is the most expensive part in their attack. Our analysis shows that their attack requires at least $2^{510.3}$ compression function computations, $2^{510.6}$ memory ($2^{516.6}$ bytes), $2^{524}$ memory accesses and $2^{524}$ comparisons. Such complexity is far more expensive than brute force<br />
attack which requires $2^{512}$ compression function computations and almost no memory.},<br />
}<br />
</bibtex></div>Mschlaefferhttps://ehash.iaik.tugraz.at/index.php?title=BLAKE&diff=3696BLAKE2011-04-04T08:34:00Z<p>Mschlaeffer: </p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Jean-Philippe Aumasson, Luca Henzen, Willi Meier, Raphael C.-W. Phan<br />
* Website: [http://131002.net/blake/ http://131002.net/blake/]<br />
* NIST submission package: <br />
** Round 3: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round3/documents/Blake_FinalRnd.zip Blake_FinalRnd.zip]<br />
** Round 1/2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/BLAKE_Round2.zip BLAKE_Round2.zip] (old versions: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/BLAKE.zip BLAKE.zip], [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/BLAKEUpdate.zip BLAKEUpdate.zip])<br />
<br />
<br />
<bibtex><br />
@misc{sha3AumassonHMP10,<br />
author = {Jean-Philippe Aumasson and Luca Henzen and Willi Meier and Raphael C.-W. Phan},<br />
title = {SHA-3 proposal BLAKE},<br />
url = {http://131002.net/blake/blake.pdf},<br />
howpublished = {Submission to NIST (Round 3)},<br />
year = {2010},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3AumassonHMP08,<br />
author = {Jean-Philippe Aumasson and Luca Henzen and Willi Meier and Raphael C.-W. Phan},<br />
title = {SHA-3 proposal BLAKE},<br />
url = {http://ehash.iaik.tugraz.at/uploads/0/06/Blake.pdf},<br />
howpublished = {Submission to NIST (Round 1/2)},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
Recommended security parameter: '''14''' rounds (n=224,256); '''16''' rounds (n=384,512)<br />
<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| preimage || 224,256 || 2.5 rounds || 2<sup>n-15</sup> || - || [http://eprint.iacr.org/2009/238.pdf Ji,Liangyu]<br />
|-<br />
| preimage || 384 || 2.5 rounds || 2<sup>355</sup> || - || [http://eprint.iacr.org/2009/238.pdf Ji,Liangyu]<br />
|-<br />
| preimage || 512 || 2.5 rounds || 2<sup>481</sup> || - || [http://eprint.iacr.org/2009/238.pdf Ji,Liangyu]<br />
|-<br />
|} <br />
<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks). <br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|-<br />
| semi-free-start near-collisions || compression function || 256 || 2 rounds || 2<sup>26</sup> || - || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/TURAN_Paper_Erdener.pdf Turan,Uyan]<br />
|-<br />
| collision || hash || all || toy version BLOKE || example || - || [http://lkrv.fri.uni-lj.si/~janos/blake/collisions.pdf Vidali,Nose,Pašalic]<br />
|-<br />
| semi-free-start collision || compression function || all || toy version BRAKE || example || - || [http://lkrv.fri.uni-lj.si/~janos/blake/collisions.pdf Vidali,Nose,Pašalic]<br />
|-<br />
| near-collision || compression function || 256 || 4 rounds (No. 4-7) || 2<sup>21</sup> || - || [http://eprint.iacr.org/2010/355.pdf Su,Wu,Wu,Dong]<br />
|-<br />
| near-collision || compression function || 512 || 4 rounds (No. 7-10) || 2<sup>16</sup> || - || [http://eprint.iacr.org/2010/355.pdf Su,Wu,Wu,Dong]<br />
|-<br />
| near-collision || compression function || 512 || 5 rounds (No. 7-11) || 2<sup>216</sup> || - || [http://eprint.iacr.org/2010/355.pdf Su,Wu,Wu,Dong]<br />
|-<br />
| observations || hash || all || || || || [http://people.item.ntnu.no/~danilog/Hash/Non-random-behaviour-narrow-pipe-designs-03.pdf Gligoroski]<br />
|-<br />
| impossible differential || permutation || 224,256 || 5 rounds || - || - || [http://eprint.iacr.org/2010/043.pdf Aumasson,Guo,Knellwolf,Matusiewicz,Meier]<br />
|-<br />
| impossible differential || permutation || 384,512 || 6 rounds || - || - || [http://eprint.iacr.org/2010/043.pdf Aumasson,Guo,Knellwolf,Matusiewicz,Meier]<br />
|-<br />
| near-collision || compression function || 256 || 4 rounds (No. 3-6) || 2<sup>56</sup> || - || [http://www.jguo.org/docs/blake-col.pdf Guo,Matusiewicz]<br />
|-<br />
| free-start collision || hash || 224,256 || 2.5 rounds || 2<sup>n/2-16</sup> || - || [http://eprint.iacr.org/2009/238.pdf Ji,Liangyu]<br />
|-<br />
| free-start collision || hash || 384,512 || 2.5 rounds || 2<sup>n/2-32</sup> || - || [http://eprint.iacr.org/2009/238.pdf Ji,Liangyu]<br />
|-<br />
|} <br />
<br />
<br />
<bibtex><br />
@misc{blakeTU10,<br />
author = {Meltem Sönmez Turan and Erdener Uyan},<br />
title = {Practical Near-Collisions for Reduced Round Blake, Fugue, Hamsi and JH},<br />
howpublished = {Second SHA-3 Candidate Conference},<br />
year = {2010},<br />
url = {http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/TURAN_Paper_Erdener.pdf},<br />
abstract = {A hash function is near-collision resistant, if it is hard to find two messages with hash values that differ in only a small number of bits. In this study, we use hill climbing methods to evaluate the near-collision resistance of some of the round SHA-3 candidates. We practically obtained (i) 184/256-bit near-collision for the 2-round compression function of Blake-32; (ii) 192/256-bit near-collision for the 2-round compression function of Hamsi-256; (iii) 820/1024-bit near-collisions for 10-round compression function of JH. We also observed practical collisions and near-collisions for reduced versions of F-256 function used in Fugue.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@article{iplVNP10,<br />
author = {Janoš Vidali and Peter Nose and Enes Pašalic},<br />
title = {Collisions for variants of the BLAKE hash function},<br />
url = {http://lkrv.fri.uni-lj.si/~janos/blake/collisions.pdf},<br />
journal = {Information Processing Letters},<br />
year = {2010},<br />
abstract = {In this paper we present an attack to the BLOKE and BRAKE hash functions, which are weakened versions of the SHA-3 candidate BLAKE. In difference to BLAKE, the BLOKE hash function does not permute the message words and constants in the round computation of the compression function, and BRAKE additionally removes feedforward and zeroes the constants used in each round of the compression function. We show that in these cases we can efficiently find, for any intermediate hash value, a fixed-point block giving us an internal collision, thus producing collisions for messages of equal length in case of BLOKE, and internal collisions for BRAKE.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{blakeSuWWD10,<br />
author = {Bozhan Su and Wenling Wu and Shuang Wu and Le Dong},<br />
title = {Near-Collisions on the Reduced-Round Compression Functions of Skein and BLAKE},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/355},<br />
year = {2010},<br />
url = {http://eprint.iacr.org/2010/355.pdf},<br />
abstract = {The SHA-3 competition organized by NIST aims to find a new hash standard as a replacement of SHA-2. Till now, 14 submissions have been selected as the second round candidates, including Skein and BLAKE, both of which have components based on modular addition, rotation and bitwise XOR (ARX). In this paper, we propose improved near-collision attacks on the reduced-round compression functions of Skein and a variant of BLAKE. The attacks are based on linear differentials of the modular additions. The computational complexity of near-collision attacks on a 4-round compression function of BLAKE-32, 4-round and 5-round compression functions of BLAKE-64 are 2^{21}, 2^{16} and 2^{216} respectively, and the attacks on a 24-round compression functions of Skein-256, Skein-512 and Skein-1024 have a complexity of 2^{60}, 2^{230} and 2^{395} respectively.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{blakeGli10,<br />
author = {Danilo Gligoroski},<br />
title = {Narrow-pipe SHA-3 candidates differ significantly from ideal random functions defined over big domains},<br />
url = {http://people.item.ntnu.no/~danilog/Hash/Non-random-behaviour-narrow-pipe-designs-03.pdf},<br />
howpublished = {NIST mailing list},<br />
year = {2010},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cryptoeprint:2010:043,<br />
author = {Jean-Philippe Aumasson and Jian Guo and Simon Knellwolf<br />
and Krystian Matusiewicz and Willi Meier},<br />
title = {Differential and invertibility properties of BLAKE (full version)},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/043},<br />
year = {2010},<br />
url = {http://eprint.iacr.org/2010/043.pdf},<br />
abstract = {BLAKE is a hash function selected by NIST as one of<br />
the 14 second round candidates for the SHA-3 Competition. In this<br />
paper, we follow a bottom-up approach to exhibit properties of BLAKE<br />
and of its building blocks: based on differential properties of the<br />
internal function G, we show that a round of BLAKE is a permutation on<br />
the message space, and present an efficient inversion algorithm. For<br />
1.5 rounds we present an algorithm that finds preimages faster than in<br />
previous attacks. Discovered properties lead us to describe large<br />
classes of impossible differentials for two rounds of BLAKE’s internal<br />
permutation, and particular impossible differentials for five and six<br />
rounds, respectively for BLAKE-32 and BLAKE-64. Then, using a linear<br />
and rotation-free model, we describe near-collisions for four rounds<br />
of the compression function. Finally, we discuss the problem of<br />
establishing upper bounds on the probability of differential<br />
characteristics for BLAKE.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{blakeGM09,<br />
author = {Jian Guo and Krystian Matusiewicz},<br />
title = {Round-Reduced Near-Collisions of BLAKE-32},<br />
url = {http://www.jguo.org/docs/blake-col.pdf},<br />
howpublished = {Available online},<br />
note = {Accepted for presentation at WEWoRC 2009},<br />
year = {2009}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cryptoeprint:2009:238,<br />
author = {Li Ji and Xu Liangyu},<br />
title = {Attacks on Round-Reduced BLAKE},<br />
howpublished = {Cryptology ePrint Archive, Report 2009/238},<br />
year = {2009},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/2009/238.pdf},<br />
abstract = {BLAKE is a new hash family proposed for SHA-3. The<br />
core of compression function reuses the core function of ChaCha. A<br />
round-dependent permutation is used as message schedule. BLAKE is<br />
claimed to achieve full diffusion after 2 rounds. However, message<br />
words can be controlled on the first several rounds. By exploiting<br />
properties of message permutation, we can attack 2.5 reduced rounds.<br />
The results do not threaten the security claimed in the specification.<br />
},<br />
}<br />
</bibtex></div>Mschlaefferhttps://ehash.iaik.tugraz.at/index.php?title=Groestl&diff=3695Groestl2011-04-04T08:33:40Z<p>Mschlaeffer: </p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Praveen Gauravaram, Lars R. Knudsen, Krystian Matusiewicz, Florian Mendel, Christian Rechberger, Martin Schläffer, Søren S. Thomsen<br />
* Website: [http://www.groestl.info http://www.groestl.info]<br />
* NIST submission package: <br />
** Round 3: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round3/documents/Groestl_FinalRnd.zip Groestl_FinalRnd.zip]<br />
** Round 1/2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/Grostl_Round2.zip Grostl_Round2.zip] (old version: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/Grostl.zip Grostl.zip])<br />
<br />
<br />
<bibtex><br />
@misc{sha3groestl,<br />
author = {Praveen Gauravaram and Lars R. Knudsen and Krystian Matusiewicz and Florian Mendel and Christian Rechberger and Martin Schläffer and Søren S. Thomsen},<br />
title = {Grøstl -- a SHA-3 candidate},<br />
url = {http://www.groestl.info/Groestl.pdf},<br />
howpublished = {Submission to NIST (Round 3)},<br />
year = {2011},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3groestl,<br />
author = {Praveen Gauravaram and Lars R. Knudsen and Krystian Matusiewicz and Florian Mendel and Christian Rechberger and Martin Schläffer and Søren S. Thomsen},<br />
title = {Grøstl Addendum},<br />
url = {http://groestl.info/Groestl-addendum.pdf},<br />
howpublished = {Submission to NIST (Round 2)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3groestl,<br />
author = {Praveen Gauravaram and Lars R. Knudsen and Krystian Matusiewicz and Florian Mendel and Christian Rechberger and Martin Schläffer and Søren S. Thomsen},<br />
title = {Grøstl -- a SHA-3 candidate},<br />
url = {http://groestl.info/Groestl-0.pdf},<br />
howpublished = {Submission to NIST (Round 1/2)},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
Recommended security parameter: '''10''' rounds (n=224,256); '''14''' rounds (n=384,512)<br />
<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|-<br />
| collision || 224,256 || 3 rounds || 2<sup>64</sup> || - || [http://groestl.info/groestl-analysis.pdf Schläffer]<br />
|-<br />
| collision || 512 || 3 rounds || 2<sup>192</sup> || - || [http://groestl.info/groestl-analysis.pdf Schläffer]<br />
|-<br />
|}<br />
<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks). <br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| semi-free-start collision || compression function || 256 || 6 rounds || 2<sup>112</sup> || 2<sup>64</sup> || [http://groestl.info/groestl-analysis.pdf Schläffer]<br />
|-<br />
| semi-free-start collision || compression function || 384,512 || 6 rounds || 2<sup>180</sup> || 2<sup>64</sup> || [http://groestl.info/groestl-analysis.pdf Schläffer]<br />
|-<br />
| collision || hash function || 224,256 || 5 rounds (Round 1/2) || 2<sup>48</sup> || 2<sup>32</sup> || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel]<br />
|-<br />
| collision || hash function || 256 || 6 rounds (Round 1/2) || 2<sup>112</sup> || 2<sup>32</sup> || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel]<br />
|-<br />
| collision || hash function || 224,256 || 4 rounds (Round 1/2) || 2<sup>64</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| collision || hash function || 224,256 || 3 rounds (Round 1/2) || 2<sup>64</sup> || - || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| collision || hash function || 384,512 || 5 rounds (Round 1/2) || 2<sup>176</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| collision || hash function || 384,512 || 4 rounds (Round 1/2) || 2<sup>64</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| distinguisher || compression function || 256 || 10 rounds (Round 1/2) || 2<sup>175</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/607.pdf Naya-Plasencia]<br />
|-<br />
| distinguisher || compression function || 512 || 11 rounds (Round 1/2) || 2<sup>630</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/607.pdf Naya-Plasencia]<br />
|-<br />
| distinguisher || permutation || 256 || 8 rounds || 2<sup>48</sup> || 2<sup>8</sup> || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SASAKI_ECHOanalysisFinal.pdf Sasaki,Li,Wang,Sakiyama,Ohta]<br />
|-<br />
| semi-free-start collision || compression function || 512 || 7 rounds || 2<sup>152</sup> || 2<sup>56</sup> || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SASAKI_ECHOanalysisFinal.pdf Sasaki,Li,Wang,Sakiyama,Ohta]<br />
|-<br />
| semi-free-start collision || compression function || 224,256 || 7 rounds (Round 1/2) || 2<sup>80</sup> || 2<sup>32</sup> || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel]<br />
|-<br />
| semi-free-start collision || compression function || 224,256 || 8 rounds (Round 1/2) || 2<sup>192</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel]<br />
|-<br />
| distinguisher || permutation || 224,256 || 7 rounds || 2<sup>19</sup> || - || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel]<br />
|-<br />
| distinguisher || permutation || 224,256 || 8 rounds || 2<sup>64</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel]<br />
|-<br />
| distinguisher || compression function || 256 || 10 rounds (Round 1/2) || 2<sup>192</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/223.pdf Peyrin]<br />
|- <br />
| distinguisher || compression function || 256 || 9 rounds (Round 1/2) || 2<sup>80</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/223.pdf Peyrin]<br />
|- <br />
| distinguisher || compression function || 512 || 11 rounds (Round 1/2) || 2<sup>640</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/223.pdf Peyrin]<br />
|- <br />
| semi-free-start collision || compression function || 256 || 7 rounds (Round 1/2) || 2<sup>120</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2009/531.pdf Gilbert,Peyrin]<br />
|- <br />
| distinguisher || compression function || 256 || 8 rounds (Round 1/2) || 2<sup>112</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2009/531.pdf Gilbert,Peyrin]<br />
|- <br />
| distinguisher || permutation || 256 || 8 rounds || 2<sup>112</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2009/531.pdf Gilbert,Peyrin]<br />
|- <br />
| semi-free-start collision || compression function || 256 || 7 rounds (Round 1/2) || 2<sup>120</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| semi-free-start collision || compression function|| 384,512 || 7 rounds (Round 1/2) || 2<sup>152</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| semi-free-start collision || compression function || 224,256 || 6 rounds (Round 1/2) || 2<sup>64</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124407&pCurrPk=44420 Mendel,Peyrin,Rechberger,Schläffer]<br />
|- <br />
| distinguisher || output transformation || 224,256 || 7 rounds || 2<sup>56</sup> || - || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124407&pCurrPk=44420 Mendel,Peyrin,Rechberger,Schläffer]<br />
|- <br />
| distinguisher || permutation || 224,256 || 7 rounds || 2<sup>55</sup> || - || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124407&pCurrPk=44420 Mendel,Peyrin,Rechberger,Schläffer]<br />
|- <br />
| semi-free-start collision || compression function || 256 || 6 rounds (Round 1/2) || 2<sup>120</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124409&pCurrPk=40943 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| semi-free-start collision || compression function || 224,256 || 5 rounds (Round 1/2) || 2<sup>64</sup> || - || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124409&pCurrPk=40943 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| observation || hash || all || || || || [http://ehash.iaik.tugraz.at/uploads/d/d0/Grostl-comment-april28.pdf Kelsey]<br />
|- <br />
| observation || block cipher || all || || || || [http://www.larc.usp.br/~pbarreto/Grizzly.pdf Barreto]<br />
|- <br />
| free-start collision || compression function || all || any || 2<sup>2n/3</sup> || 2<sup>2n/3</sup> || [http://www.groestl.info/Groestl.pdf submission document]<br />
|- <br />
| pseudo-preimage || compression function || all || any || 2<sup>n</sup> || - || [http://www.groestl.info/Groestl.pdf submission document]<br />
|- <br />
|}<br />
<br />
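The tables above give each result's time complexity, but whether a row matters depends on the generic bound it competes with: birthday cost 2<sup>n/2</sup> for a collision on an n-bit digest, 2<sup>n</sup> for a preimage, and, for Grøstl, the fact that the compression function works on a 2n-bit wide-pipe chaining value, so compression-function results compete against a wider state. The following Python script is an added example and is neither part of this wiki page nor code from the Grøstl submission; it takes a handful of rows copied from the building-blocks table as constructed input, evaluates symbolic exponents such as 2n/3 for a concrete n, and flags which rows beat the generic attack and which fall under a practical cost (the 2<sup>64</sup> cutoff and the wide-pipe interpretation of the generic bound are my own assumptions, not Zoo definitions).

```python
"""Check rows of the Grøstl cryptanalysis tables against generic attack costs.

Added example for this wiki page; the rows below are copied from the
building-blocks table above as constructed sample input.
"""
import re
from fractions import Fraction
from typing import Optional

# (type of analysis, hash function part, n, parameters, exponent of the time complexity)
ROWS = [
    ("collision", "hash function", 256, "5 rounds", "48"),
    ("collision", "hash function", 256, "6 rounds", "112"),
    ("semi-free-start collision", "compression function", 256, "6 rounds", "112"),
    ("semi-free-start collision", "compression function", 512, "7 rounds", "152"),
    ("free-start collision", "compression function", 256, "any", "2n/3"),
    ("pseudo-preimage", "compression function", 256, "any", "n"),
    ("distinguisher", "compression function", 256, "10 rounds", "192"),
]

# Exponents are written either as a constant ("112") or as a multiple of n ("n", "2n/3", "n/2").
_EXPONENT = re.compile(r"^(?:(\d+)|(\d*)n(?:/(\d+))?)$")


def parse_exponent(expr: str, n: int) -> Fraction:
    """Evaluate an exponent as written in the table for a concrete digest size n."""
    m = _EXPONENT.match(expr.replace(" ", ""))
    if m is None:
        raise ValueError(f"unsupported exponent {expr!r}")
    const, coeff, denom = m.groups()
    if const is not None:
        return Fraction(int(const))
    return Fraction(int(coeff) if coeff else 1, int(denom) if denom else 1) * n


def generic_exponent(attack: str, part: str, n: int) -> Optional[Fraction]:
    """Exponent of the generic attack a row competes with, or None when no single
    generic bound applies (distinguishers, observations).

    Assumption made here: hash-function rows compete against the n-bit digest, while
    compression-function rows compete against Grøstl's 2n-bit wide-pipe chaining
    value, so a generic collision there costs 2^n and a generic (pseudo-)preimage 2^(2n).
    """
    width = n if part == "hash function" else 2 * n
    if "collision" in attack:
        return Fraction(width, 2)
    if "preimage" in attack:
        return Fraction(width)
    return None


PRACTICAL_CUTOFF = 64  # my own threshold for "practical" work, not a Zoo category


def classify(row):
    """Attach the generic bound and the two flags a reader of the table wants."""
    attack, part, n, params, exp = row
    cost = parse_exponent(exp, n)
    generic = generic_exponent(attack, part, n)
    return {
        "attack": attack, "part": part, "n": n, "params": params,
        "cost": cost, "generic": generic,
        "below_generic": None if generic is None else cost < generic,
        "practical": cost <= PRACTICAL_CUTOFF,
    }


def report(rows=ROWS):
    """Classify every row; returned as a list so callers can filter or sort it."""
    return [classify(r) for r in rows]


if __name__ == "__main__":
    for r in report():
        g = "n/a" if r["generic"] is None else f"2^{float(r['generic']):g}"
        print(f"{r['attack']:26} {r['part']:21} n={r['n']:<3} {r['params']:9} "
              f"cost 2^{float(r['cost']):g} vs generic {g}  "
              f"below_generic={r['below_generic']} practical={r['practical']}")
```

Running the script shows why the 2<sup>2n/3</sup> free-start collision and the 2<sup>n</sup> pseudo-preimage from the submission document are listed at all: both are below the generic cost for a 2n-bit compression function output, even though neither touches the n-bit hash. Distinguisher rows get no generic bound, because their cost has to be compared with the specific property being distinguished rather than with a single brute-force figure.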
<br />
<bibtex><br />
@misc{groestlSchlaeffer11,<br />
author = {Martin Schläffer},<br />
title = {Updated Differential Analysis of Grøstl},<br />
howpublished = {Available online},<br />
year = {2010},<br />
url = {http://groestl.info/groestl-analysis.pdf},<br />
abstract = {Grøstl is a SHA-3 finalist with clear proofs against a large class of differential attacks, similar to those of MD6. Furthermore, in this note we provide an update also regarding more advanced types of differential attacks that have been developed in recent years. We apply the rebound attacks on the initial submission to the tweaked version of Grøstl. We have analyzed the round-reduced hash function and compression function of Grøstl-256 (10 rounds) and Grøstl-512 (14 rounds). For both versions, we get collisions for 3 rounds of the hash function and collisions for 6 rounds of the compression function. We hope that our own efforts on improving the cryptanalysis will continue to motivate and accelerate external cryptanalysis.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cryptoeprint:2010:607,<br />
author = {María Naya-Plasencia},<br />
title = {Scrutinizing rebound attacks: new algorithms for improving the complexities},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/607},<br />
year = {2010},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/2010/607.pdf},<br />
abstract = {Rebound attacks are a state-of-the-art analysis method for hash functions. These cryptanalysis methods are based on a well chosen differential path and have been applied to several hash functions from the SHA-3 competition, providing the best known analysis in these cases. In this paper we study rebound attacks in detail and find for a great number of cases, that complexities of existing attacks can be improved. This is done by determining problems that adapt optimally to the cryptanalytic situation, and by using better algorithms to follow the differential path. These improvements are essentially based on merging big lists in a more efficient way, as well as on new ideas on how to reduce the complexities. As a result, we introduce general purpose new algorithms for enabling further rebound analysis to be as performant as possible. We illustrate our new algorithms for real hash functions and demonstrate how to reduce the complexities of the best known analysis on five hash functions: JH, Grøstl, ECHO, Luffa and Lane (the first four are round two SHA-3 candidates).},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{groestlechoSLWSO10,<br />
author = {Yu Sasaki and Yang Li and Lei Wang and Kazuo Sakiyama and Kazuo Ohta},<br />
title = {New Non-Ideal Properties of AES-Based Permutations: Applications to ECHO and Grøstl},<br />
howpublished = {Second SHA-3 Candidate Conference},<br />
year = {2010},<br />
url = {http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SASAKI_ECHOanalysisFinal.pdf},<br />
abstract = {In this paper, we present non-full-active Super-Sbox analysis which can detect non-ideal properties of a class of AES-based permutations with a low complexity. We apply this framework to SHA-3 round-2 candidates ECHO and Grøstl. The first application is for the full-round (8-round) ECHO permutation, which is a building block for 256-bit and 224-bit output sizes. By combining several observations specific to ECHO, our attack detects a non-ideal property with a time complexity of 2^182 and 2^37 amount of memory. The complexity, especially in terms of the product of time and memory, is drastically reduced from the previous best attack which required 2^512 x 2^512. To the best of our knowledge, this is the first result on the full-round ECHO permutation with both time and memory below 2^256 or 2^224. Note that this result does not impact the security of the ECHO compression function nor the overall hash function. We also show that our method can detect non-ideal properties of the 8-round Grøstl-256 permutation with a practical complexity, and finally show that our approach leads to an improvement on a semi-free-start collision attack on the 7-round Grøstl-512 compression function. Our approach is based on a series of attacks on AES-based hash functions such as rebound attack and Super-Sbox analysis. The core idea is using a new differential path consisting of only non-full-active states.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{ITP10,<br />
author = {Kota Ideguchi and Elmar Tischhauser and Bart Preneel},<br />
title = {Improved Collision Attacks on the Reduced-Round Grøstl Hash Function},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/375},<br />
year = {2010},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/2010/375.pdf},<br />
abstract = {We analyze the Gr{\o}stl hash function, which is a 2nd-round candidate of the SHA-3 competition. Using the start-from-the-middle variant of the rebound technique, we show collision attacks on the Gr{\o}stl-256 hash function reduced to 5 and 6 out of 10 rounds with time complexities $2^{48}$ and $2^{112}$, respectively. Furthermore, we demonstrate semi-free-start collision attacks on the Gr{\o}stl-224 and -256 hash functions reduced to 7 rounds and the Gr{\o}stl-224 and -256 compression functions reduced to 8 rounds. Our attacks are based on differential paths between the two permutations $P$ and $Q$ of Gr{\o}stl, a strategy introduced by Peyrin to construct distinguishers for the compression function. In this paper, we extend this approach to construct collision and semi-free-start collision attacks for both the hash and the compression function. Finally, we present improved distinguishers for reduced-round versions of the Gr{\o}stl-224 and -256 permutations.},<br />
}<br />
</bibtex> <br />
<br />
<bibtex> <br />
@misc{Pey10,<br />
author = {Thomas Peyrin},<br />
title = {Improved Differential Attacks for ECHO and Grostl},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/223},<br />
year = {2010},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/2010/223.pdf},<br />
abstract = {We present improved cryptanalysis of two second-round SHA-3 candidates: the AES-based hash functions ECHO and Grostl. We explain methods for building better differential trails for ECHO by increasing the granularity of the truncated differential paths previously considered. In the case of Grostl, we describe a new technique, the internal differential attack, which shows that when using parallel computations designers should also consider the differential security between the parallel branches. Then, we exploit the recently introduced start-from-the-middle or Super-Sbox attacks, that proved to be very efficient when attacking AES-like permutations, to achieve a very efficient utilization of the available freedom degrees. Finally, we obtain the best known attacks so far for both ECHO and Grostl. In particular, we are able to mount a distinguishing attack for the full Grostl-256 compression function.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{fseGP10,<br />
author = {Henri Gilbert and Thomas Peyrin},<br />
title = {Super-Sbox Cryptanalysis: Improved Attacks for AES-like permutations},<br />
url = {http://eprint.iacr.org/2009/531.pdf},<br />
booktitle = {FSE},<br />
year = {2010},<br />
series = {LNCS},<br />
publisher = {Springer},<br />
volume = {6147},<br />
pages = {365-383},<br />
abstract = {In this paper, we improve the recent rebound and start-from-the-middle attacks on AES-like permutations. Our new cryptanalysis technique uses the fact that one can view two rounds of such permutations as a layer of big Sboxes preceded and followed by simple affine transformations. The big Sboxes encountered in this alternative representation are named Super-Sboxes. We apply this method to two second-round SHA-3 candidates Grostl and ECHO, and obtain improvements over the previous cryptanalysis results for these two schemes. Moreover, we improve the best distinguisher for the AES block cipher in the known-key setting, reaching 8 rounds for the 128-bit version.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{ctrsaMRST10,<br />
author = {Florian Mendel and Christian Rechberger and Martin Schläffer and Søren S. Thomsen},<br />
title = {Rebound Attacks on the Reduced Grøstl Hash Function},<br />
url = {http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053},<br />
booktitle = {CT-RSA},<br />
year = {2010},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {5985},<br />
pages = {350-365},<br />
abstract = {Grøstl is one of 14 second round candidates of the NIST SHA-3 competition. Cryptanalytic results on the wide-pipe compression function of Grøstl-256 have already been published. However, little is known about the hash function, arguably a much more interesting cryptanalytic setting. Also, Grøstl-512 has not been analyzed yet. In this paper, we show the first cryptanalytic attacks on reduced-round versions of the Grøstl hash functions. These results are obtained by several extensions of the rebound attack. We present a collision attack on 4/10 rounds of the Grøstl-256 hash function and 5/14 rounds of the Grøstl-512 hash function. Additionally, we give the best collision attack for reduced-round (7/10 and 7/14) versions of the compression function of Grøstl-256 and Grøstl-512.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{sacMPRS09,<br />
author = {Florian Mendel and Thomas Peyrin and Christian Rechberger and Martin Schläffer},<br />
title = {Improved Cryptanalysis of the Reduced Grøstl Compression Function, ECHO Permutation and AES Block Cipher},<br />
url = {http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124407&pCurrPk=44420},<br />
booktitle = {SAC},<br />
year = {2009},<br />
series = {LNCS},<br />
publisher = {Springer},<br />
volume = {5867},<br />
pages = {16-35},<br />
abstract = {In this paper, we propose two new ways to mount attacks on the SHA-3 candidates Gr{\o}stl, and ECHO, and apply these attacks also to the AES. Our results improve upon and extend the rebound attack. Using the new techniques, we are able to extend the number of rounds in which available degrees of freedom can be used. As a result, we present the first attack on 7 rounds for the Gr{\o}stl-256 output transformation and improve the semi-free-start collision attack on 6 rounds. Further, we present an improved known-key distinguisher for 7 rounds of the AES block cipher and the internal permutation used in ECHO.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{fseMRST09,<br />
author = {Florian Mendel and Christian Rechberger and Martin Schläffer and Søren S. Thomsen},<br />
title = {The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grøstl},<br />
url = {http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124409&pCurrPk=40943},<br />
booktitle = {FSE},<br />
editor = {Orr Dunkelman},<br />
year = {2009},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {5665},<br />
pages = {260-276},<br />
abstract = {In this work, we propose the rebound attack, a new tool for the cryptanalysis of hash functions. The idea of the rebound attack is to use the available degrees of freedom in a collision attack to efficiently bypass the low probability parts of a differential trail. The rebound attack consists of an inbound phase with a match-in-the-middle part to exploit the available degrees of freedom, and a subsequent probabilistic outbound phase. Especially on AES based hash functions, the rebound attack leads to new attacks for a surprisingly high number of rounds. We use the rebound attack to construct collisions for 4.5 rounds of the 512-bit hash function Whirlpool with a complexity of $2^{120}$ compression function evaluations and negligible memory requirements. The attack can be extended to a near-collision on 7.5 rounds of the compression function of Whirlpool and 8.5 rounds of the similar hash function Maelstrom. Additionally, we apply the rebound attack to the SHA-3 submission Gr{\o}stl, which leads to an attack on 6 rounds of the Gr{\o}stl-256 compression function with a complexity of $2^{120}$ and memory requirements of about $2^{64}$.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{groestlK09,<br />
author = {John Kelsey},<br />
title = {Some notes on Grøstl},<br />
url = {http://ehash.iaik.tugraz.at/uploads/d/d0/Grostl-comment-april28.pdf},<br />
howpublished = {Available online},<br />
year = {2009},<br />
abstract = {These are some quick notes on some properties and observations of Grøstl. Nothing in this note threatens the hash function; instead, I'm pointing out some properties that are a bit surprising, and some broad approaches someone might take to get attacks to work.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{groestlB08,<br />
author = {Paulo S. L. M. Barreto},<br />
title = {An observation on Grøstl},<br />
url = {http://www.larc.usp.br/~pbarreto/Grizzly.pdf},<br />
howpublished = {Available online},<br />
year = {2008},<br />
abstract = {An alternative view of the Groestl SHA-3 submission is presented. It does not lead to an effective attack nor reveals a weakness in the design, but illustrates the importance of the double-width pipe in this construction.},<br />
}<br />
</bibtex></div>Mschlaefferhttps://ehash.iaik.tugraz.at/index.php?title=Groestl&diff=3694Groestl2011-04-04T08:32:34Z<p>Mschlaeffer: </p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Praveen Gauravaram, Lars R. Knudsen, Krystian Matusiewicz, Florian Mendel, Christian Rechberger, Martin Schläffer, Søren S. Thomsen<br />
* Website: [http://www.groestl.info http://www.groestl.info]<br />
* NIST submission package: <br />
** round 3: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round3/documents/Groestl_FinalRnd.zip Groestl_FinalRnd.zip]<br />
** round 1/2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/Grostl_Round2.zip Grostl_Round2.zip] (old version: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/Grostl.zip Grostl.zip])<br />
<br />
<br />
<bibtex><br />
@misc{sha3groestl,<br />
author = {Praveen Gauravaram and Lars R. Knudsen and Krystian Matusiewicz and Florian Mendel and Christian Rechberger and Martin Schläffer and Søren S. Thomsen},<br />
title = {Grøstl -- a SHA-3 candidate},<br />
url = {http://www.groestl.info/Groestl.pdf},<br />
howpublished = {Submission to NIST (Round 3)},<br />
year = {2011},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3groestl,<br />
author = {Praveen Gauravaram and Lars R. Knudsen and Krystian Matusiewicz and Florian Mendel and Christian Rechberger and Martin Schläffer and Søren S. Thomsen},<br />
title = {Grøstl Addendum},<br />
url = {http://groestl.info/Groestl-addendum.pdf},<br />
howpublished = {Available online},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3groestl,<br />
author = {Praveen Gauravaram and Lars R. Knudsen and Krystian Matusiewicz and Florian Mendel and Christian Rechberger and Martin Schläffer and Søren S. Thomsen},<br />
title = {Grøstl -- a SHA-3 candidate},<br />
url = {http://groestl.info/Groestl-0.pdf},<br />
howpublished = {Submission to NIST (Round 1/2)},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
Recommended security parameter: '''10''' rounds (n=224,256); '''14''' rounds (n=384,512)<br />
<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|-<br />
| collision || 224,256 || 3 rounds || 2<sup>64</sup> || - || [http://groestl.info/groestl-analysis.pdf Schläffer]<br />
|-<br />
| collision || 512 || 3 rounds || 2<sup>192</sup> || - || [http://groestl.info/groestl-analysis.pdf Schläffer]<br />
|-<br />
|}<br />
<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks). <br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| semi-free-start collision || compression function || 256 || 6 rounds || 2<sup>112</sup> || 2<sup>64</sup> || [http://groestl.info/groestl-analysis.pdf Schläffer]<br />
|-<br />
| semi-free-start collision || compression function || 384,512 || 6 rounds || 2<sup>180</sup> || 2<sup>64</sup> || [http://groestl.info/groestl-analysis.pdf Schläffer]<br />
|-<br />
| collision || hash function || 224,256 || 5 rounds (Round 1/2) || 2<sup>48</sup> || 2<sup>32</sup> || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel]<br />
|-<br />
| collision || hash function || 256 || 6 rounds (Round 1/2) || 2<sup>112</sup> || 2<sup>32</sup> || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel]<br />
|-<br />
| collision || hash function || 224,256 || 4 rounds (Round 1/2) || 2<sup>64</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| collision || hash function || 224,256 || 3 rounds (Round 1/2) || 2<sup>64</sup> || - || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| collision || hash function || 384,512 || 5 rounds (Round 1/2) || 2<sup>176</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| collision || hash function || 384,512 || 4 rounds (Round 1/2) || 2<sup>64</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| distinguisher || compression function || 256 || 10 rounds (Round 1/2) || 2<sup>175</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/607.pdf Naya-Plasencia]<br />
|-<br />
| distinguisher || compression function || 512 || 11 rounds (Round 1/2) || 2<sup>630</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/607.pdf Naya-Plasencia]<br />
|-<br />
| distinguisher || permutation || 256 || 8 rounds || 2<sup>48</sup> || 2<sup>8</sup> || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SASAKI_ECHOanalysisFinal.pdf Sasaki,Li,Wang,Sakiyama,Ohta]<br />
|-<br />
| semi-free-start collision || compression function || 512 || 7 rounds || 2<sup>152</sup> || 2<sup>56</sup> || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SASAKI_ECHOanalysisFinal.pdf Sasaki,Li,Wang,Sakiyama,Ohta]<br />
|-<br />
| semi-free-start collision || compression function || 224,256 || 7 rounds (Round 1/2) || 2<sup>80</sup> || 2<sup>32</sup> || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel]<br />
|-<br />
| semi-free-start collision || compression function || 224,256 || 8 rounds (Round 1/2) || 2<sup>192</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel]<br />
|-<br />
| distinguisher || permutation || 224,256 || 7 rounds || 2<sup>19</sup> || - || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel]<br />
|-<br />
| distinguisher || permutation || 224,256 || 8 rounds || 2<sup>64</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel]<br />
|-<br />
| distinguisher || compression function || 256 || 10 rounds (Round 1/2) || 2<sup>192</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/223.pdf Peyrin]<br />
|- <br />
| distinguisher || compression function || 256 || 9 rounds (Round 1/2) || 2<sup>80</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/223.pdf Peyrin]<br />
|- <br />
| distinguisher || compression function || 512 || 11 rounds (Round 1/2) || 2<sup>640</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/223.pdf Peyrin]<br />
|- <br />
| semi-free-start collision || compression function || 256 || 7 rounds (Round 1/2) || 2<sup>120</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2009/531.pdf Gilbert,Peyrin]<br />
|- <br />
| distinguisher || compression function || 256 || 8 rounds (Round 1/2) || 2<sup>112</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2009/531.pdf Gilbert,Peyrin]<br />
|- <br />
| distinguisher || permutation || 256 || 8 rounds || 2<sup>112</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2009/531.pdf Gilbert,Peyrin]<br />
|- <br />
| semi-free-start collision || compression function || 256 || 7 rounds (Round 1/2) || 2<sup>120</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| semi-free-start collision || compression function|| 384,512 || 7 rounds (Round 1/2) || 2<sup>152</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| semi-free-start collision || compression function || 224,256 || 6 rounds (Round 1/2) || 2<sup>64</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124407&pCurrPk=44420 Mendel,Peyrin,Rechberger,Schläffer]<br />
|- <br />
| distinguisher || output transformation || 224,256 || 7 rounds || 2<sup>56</sup> || - || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124407&pCurrPk=44420 Mendel,Peyrin,Rechberger,Schläffer]<br />
|- <br />
| distinguisher || permutation || 224,256 || 7 rounds || 2<sup>55</sup> || - || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124407&pCurrPk=44420 Mendel,Peyrin,Rechberger,Schläffer]<br />
|- <br />
| semi-free-start collision || compression function || 256 || 6 rounds (Round 1/2) || 2<sup>120</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124409&pCurrPk=40943 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| semi-free-start collision || compression function || 224,256 || 5 rounds (Round 1/2) || 2<sup>64</sup> || - || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124409&pCurrPk=40943 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| observation || hash || all || || || || [http://ehash.iaik.tugraz.at/uploads/d/d0/Grostl-comment-april28.pdf Kelsey]<br />
|- <br />
| observation || block cipher || all || || || || [http://www.larc.usp.br/~pbarreto/Grizzly.pdf Barreto]<br />
|- <br />
| free-start collision || compression function || all || any || 2<sup>2n/3</sup> || 2<sup>2n/3</sup> || [http://www.groestl.info/Groestl.pdf submission document]<br />
|- <br />
| pseudo-preimage || compression function || all || any || 2<sup>n</sup> || - || [http://www.groestl.info/Groestl.pdf submission document]<br />
|- <br />
|}<br />
<br />
<br />
<bibtex><br />
@misc{groestlSchlaeffer11,<br />
author = {Martin Schläffer},<br />
title = {Updated Differential Analysis of Grøstl},<br />
howpublished = {Available online},<br />
year = {2010},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://groestl.info/groestl-analysis.pdf},<br />
abstract = {Grøstl is a SHA-3 finalist with clear proofs against a large class of differential attacks, similar to those of MD6. Furthermore, in this note we provide an update also regarding more advanced types of differential attacks that have been developed in recent years. We apply the rebound attacks on the initial submission to the tweaked version of Grøstl. We have analyzed the round-reduced hash function and compression function of Grøstl-256 (10 rounds) and Grøstl-512 (14 rounds). For both versions, we get collisions for 3 rounds of the hash function and collisions for 6 rounds of the compression function. We hope that our own efforts on improving the cryptanalysis will continue to motivate and accelerate external cryptanalysis.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cryptoeprint:2010:607,<br />
author = {María Naya-Plasencia},<br />
title = {Scrutinizing rebound attacks: new algorithms for improving the complexities},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/607},<br />
year = {2010},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/2010/607.pdf},<br />
abstract = {Rebound attacks are a state-of-the-art analysis method for hash functions. These cryptanalysis methods are based on a well chosen differential path and have been applied to several hash functions from the SHA-3 competition, providing the best known analysis in these cases. In this paper we study rebound attacks in detail and find for a great number of cases, that complexities of existing attacks can be improved. This is done by determining problems that adapt optimally to the cryptanalytic situation, and by using better algorithms to follow the differential path. These improvements are essentially based on merging big lists in a more efficient way, as well as on new ideas on how to reduce the complexities. As a result, we introduce general purpose new algorithms for enabling further rebound analysis to be as performant as possible. We illustrate our new algorithms for real hash functions and demonstrate how to reduce the complexities of the best known analysis on five hash functions: JH, Grøstl, ECHO, Luffa and Lane (the first four are round two SHA-3 candidates).},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{groestlechoSLWSO10,<br />
author = {Yu Sasaki and Yang Li and Lei Wang and Kazuo Sakiyama and Kazuo Ohta},<br />
title = {New Non-Ideal Properties of AES-Based Permutations: Applications to ECHO and Grøstl},<br />
howpublished = {Second SHA-3 Candidate Conference},<br />
year = {2010},<br />
url = {http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SASAKI_ECHOanalysisFinal.pdf},<br />
abstract = {In this paper, we present non-full-active Super-Sbox analysis which can detect non-ideal<br />
properties of a class of AES-based permutations with a low complexity. We apply this framework<br />
to SHA-3 round-2 candidates ECHO and Grøstl. The first application is for the full-round (8-round)<br />
ECHO permutation, which is a building block for 256-bit and 224-bit output sizes. By combining several<br />
observations specific to ECHO, our attack detects a non-ideal property with a time complexity of 2^182<br />
and 2^37 amount of memory. The complexity, especially in terms of the product of time and memory,<br />
is drastically reduced from the previous best attack which required 2^512 x 2^512. To the best of our knowledge, this is the first result on the full-round ECHO permutation with both time and memory below 2^256 or 2^224. Note that this result does not impact the security of the ECHO compression function nor the overall hash function. We also show that our method can detect non-ideal properties of the 8-round Grøstl-256 permutation with a practical complexity, and finally show that our approach leads<br />
to an improvement on a semi-free-start collision attack on the 7-round Grøstl-512 compression function.<br />
Our approach is based on a series of attacks on AES-based hash functions such as rebound attack and<br />
Super-Sbox analysis. The core idea is using a new differential path consisting of only non-full-active<br />
states.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{ITP10,<br />
author = {Kota Ideguchi and Elmar Tischhauser and Bart Preneel},<br />
title = {Improved Collision Attacks on the Reduced-Round Grøstl Hash Function},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/375},<br />
year = {2010},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/2010/375.pdf},<br />
abstract = {We analyze the Gr{\o}stl hash function, which is a 2nd-round candidate of the SHA-3 competition. Using the start-from-the-middle variant of the rebound technique, we show collision attacks on the Gr{\o}stl-256 hash function reduced to 5 and 6 out of 10 rounds with time complexities $2^{48}$ and $2^{112}$, respectively. Furthermore, we demonstrate semi-free-start collision attacks on the Gr{\o}stl-224 and -256 hash functions reduced to 7 rounds and the Gr{\o}stl-224 and -256 compression functions reduced to 8 rounds. Our attacks are based on differential paths between the two permutations $P$ and $Q$ of Gr{\o}stl, a strategy introduced by Peyrin to construct distinguishers for the compression function. In this paper, we extend this approach to construct collision and semi-free-start collision attacks for both the hash and the compression function. Finally, we present improved distinguishers for reduced-round versions of the Gr{\o}stl-224 and -256 permutations.},<br />
}<br />
</bibtex> <br />
<br />
<bibtex> <br />
@misc{Pey10,<br />
author = {Thomas Peyrin},<br />
title = {Improved Differential Attacks for ECHO and Grostl},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/223},<br />
year = {2010},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/2010/223.pdf},<br />
abstract = {We present improved cryptanalysis of two second-round SHA-3 candidates: the AES-based hash functions ECHO and Grostl. We explain methods for building better differential trails for ECHO by increasing the granularity of the truncated differential paths previously considered. In the case of Grostl, we describe a new technique, the internal differential attack, which shows that when using parallel computations designers should also consider the differential security between the parallel branches. Then, we exploit the recently introduced start-from-the-middle or Super-Sbox attacks, that proved to be very efficient when attacking AES-like permutations, to achieve a very efficient utilization of the available freedom degrees. Finally, we obtain the best known attacks so far for both ECHO and Grostl. In particular, we are able to mount a distinguishing attack for the full Grostl-256 compression function.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{fseGP10,<br />
author = {Henri Gilbert and Thomas Peyrin},<br />
title = {Super-Sbox Cryptanalysis: Improved Attacks for AES-like permutations},<br />
url = {http://eprint.iacr.org/2009/531.pdf},<br />
booktitle = {FSE},<br />
year = {2010},<br />
series = {LNCS},<br />
publisher = {Springer},<br />
note = {To appear},<br />
abstract = {In this paper, we improve the recent rebound and start-from-the-middle attacks on AES-like permutations. Our new cryptanalysis technique uses the fact that one can view two rounds of such permutations as a layer of big Sboxes preceded and followed by simple affine transformations. The big Sboxes encountered in this alternative representation are named Super-Sboxes. We apply this method to two second-round SHA-3 candidates Grostl and ECHO, and obtain improvements over the previous cryptanalysis results for these two schemes. Moreover, we improve the best distinguisher for the AES block cipher in the known-key setting, reaching 8 rounds for the 128-bit version.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{ctrsaMRST10,<br />
author = {Florian Mendel and Christian Rechberger and Martin Schläffer and Søren S. Thomsen},<br />
title = {Rebound Attacks on the Reduced Grøstl Hash Function},<br />
url = {http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053},<br />
booktitle = {CT-RSA},<br />
year = {2010},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {5985},<br />
pages = {350-365},<br />
abstract = {Grøstl is one of 14 second round candidates of the<br />
NIST SHA-3 competition. Cryptanalytic results on the wide-pipe compression<br />
function of Grøstl-256 have already been published. However, little is known<br />
about the hash function, arguably a much more interesting cryptanalytic<br />
setting. Also, Grøstl-512 has not been analyzed yet. In this paper, we show<br />
the first cryptanalytic attacks on reduced-round versions of the Grøstl hash<br />
functions. These results are obtained by several extensions of the rebound<br />
attack. We present a collision attack on 4/10 rounds of the Grøstl-256 hash<br />
function and 5/14 rounds of the Grøstl-512 hash functions. Additionally, we<br />
give the best collision attack for reduced-round (7/10 and 7/14) versions of the<br />
compression function of Grøstl-256 and Grøstl-512.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{sacMPRS09,<br />
author = {Florian Mendel and Thomas Peyrin and Christian<br />
Rechberger and Martin Schläffer},<br />
title = {Improved Cryptanalysis of the Reduced Grøstl<br />
Compression Function, ECHO Permutation and AES Block Cipher},<br />
url = {http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124407&pCurrPk=44420},<br />
booktitle = {SAC},<br />
year = {2009},<br />
series = {LNCS},<br />
publisher = {Springer},<br />
volume = {5867},<br />
pages = {16-35},<br />
abstract = {In this paper, we propose two new ways to mount attacks<br />
on the SHA-3 candidates Gr{\o}stl, and ECHO, and apply these attacks<br />
also to the AES. Our results improve upon and extend the rebound<br />
attack. Using the new techniques, we are able to extend the number of<br />
rounds in which available degrees of freedom can be used. As a result,<br />
we present the first attack on 7 rounds for the Gr{\o}stl-256 output<br />
transformation and improve the semi-free-start collision attack on 6<br />
rounds. Further, we present an improved known-key distinguisher for 7<br />
rounds of the AES block cipher and the internal permutation used in<br />
ECHO.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{fseMRST09,<br />
author = {Florian Mendel and Christian Rechberger and Martin Schläffer and Søren S. Thomsen},<br />
title = {The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grøstl},<br />
url = {http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124409&pCurrPk=40943},<br />
booktitle = {FSE},<br />
editor = {Orr Dunkelman},<br />
year = {2009},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {5665},<br />
pages = {260-276},<br />
abstract = {In this work, we propose the rebound attack, a new tool<br />
for the cryptanalysis of hash functions. The idea of the rebound<br />
attack is to use the available degrees of freedom in a collision<br />
attack to efficiently bypass the low probability parts of a<br />
differential trail. The rebound attack consists of an inbound phase<br />
with a match-in-the-middle part to exploit the available degrees of<br />
freedom, and a subsequent probabilistic outbound phase. Especially on<br />
AES based hash functions, the rebound attack leads to new attacks for<br />
a surprisingly high number of<br />
rounds.<br />
We use the rebound attack to construct collisions for 4.5 rounds of<br />
the 512-bit hash function Whirlpool with a complexity of $2^{120}$<br />
compression function evaluations and negligible memory requirements.<br />
The attack can be extended to a near-collision on 7.5 rounds of the<br />
compression function of Whirlpool and 8.5 rounds of the similar hash<br />
function Maelstrom. Additionally, we apply the rebound attack to the<br />
SHA-3 submission Gr{\o}stl, which leads to an attack on 6 rounds of<br />
the Gr{\o}stl-256 compression function with a complexity of $2^{120}$<br />
and memory requirements of about $2^{64}$.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{groestlK09,<br />
author = {John Kelsey},<br />
title = {Some notes on Grøstl},<br />
url = {http://ehash.iaik.tugraz.at/uploads/d/d0/Grostl-comment-april28.pdf},<br />
howpublished = {Available online},<br />
year = {2009},<br />
abstract = {These are some quick notes on some properties and<br />
observations of Grøstl. Nothing in this note threatens the hash<br />
function; instead, I'm pointing out some properties that are a bit<br />
surprising, and some broad approaches someone might take to get<br />
attacks to work.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{groestlB08,<br />
author = {Paulo S. L. M. Barreto},<br />
title = {An observation on Grøstl},<br />
url = {http://www.larc.usp.br/~pbarreto/Grizzly.pdf},<br />
howpublished = {Available online},<br />
year = {2008},<br />
abstract = {An alternative view of the Groestl SHA-3 submission is<br />
presented. It does not lead to an effective attack nor reveals a<br />
weakness in the design, but illustrates the importance of the<br />
double-width pipe in this construction.},<br />
}<br />
</bibtex></div>Mschlaefferhttps://ehash.iaik.tugraz.at/index.php?title=Keccak&diff=3693Keccak2011-03-30T08:16:15Z<p>Mschlaeffer: </p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche<br />
* Website: [http://keccak.noekeon.org/ http://keccak.noekeon.org/] <br />
* NIST submission package: <br />
** round 3: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round3/documents/Keccak_FinalRnd.zip Keccak_FinalRnd.zip]<br />
** round 2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/Keccak_Round2.zip Keccak_Round2.zip]<br />
** round 1: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/Keccak.zip Keccak.zip]<br />
<br />
<br />
<bibtex><br />
@misc{KeccakSub3,<br />
author = {G. Bertoni and J. Daemen and M. Peeters and G. Van Assche},<br />
title = {The Keccak SHA-3 submission},<br />
url = {http://keccak.noekeon.org/Keccak-submission-3.pdf},<br />
howpublished = {Submission to NIST (Round 3)},<br />
year = {2011},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{KeccakRef3,<br />
author = {G. Bertoni and J. Daemen and M. Peeters and G. Van Assche},<br />
title = {The Keccak reference},<br />
url = {http://keccak.noekeon.org/Keccak-reference-3.0.pdf},<br />
howpublished = {Submission to NIST (Round 3)},<br />
year = {2011},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{KeccakSponge3,<br />
author = {G. Bertoni and J. Daemen and M. Peeters and G. Van Assche},<br />
title = {Cryptographic sponge functions},<br />
url = {http://sponge.noekeon.org/CSF-0.1.pdf},<br />
howpublished = {Submission to NIST (Round 3)},<br />
year = {2011},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{KeccakSpecs2,<br />
author = {G. Bertoni and J. Daemen and M. Peeters and G. Van Assche},<br />
title = {Keccak specifications},<br />
url = {http://keccak.noekeon.org/Keccak-specifications-2.pdf},<br />
howpublished = {Submission to NIST (Round 2)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{KeccakMain2,<br />
author = {G. Bertoni and J. Daemen and M. Peeters and G. Van Assche},<br />
title = {Keccak sponge function family main document},<br />
url = {http://keccak.noekeon.org/Keccak-main-2.0.pdf},<br />
howpublished = {Submission to NIST (Round 2)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{KeccakSpecs,<br />
author = {G. Bertoni and J. Daemen and M. Peeters and G. Van Assche},<br />
title = {Keccak specifications},<br />
url = {http://keccak.noekeon.org/Keccak-specifications.pdf},<br />
howpublished = {Submission to NIST (Round 1)},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{KeccakMain,<br />
author = {G. Bertoni and J. Daemen and M. Peeters and G. Van Assche},<br />
title = {Keccak sponge function family main document},<br />
url = {http://keccak.noekeon.org/Keccak-main-1.0.pdf},<br />
howpublished = {Submission to NIST (Round 1)},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
Recommended security parameter: '''24''' rounds (Keccak-''f'' [1600])<br />
<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| 2nd preimage || 512 || 6 rounds || 2<sup>506</sup> || 2<sup>176</sup> || [http://ehash.iaik.tugraz.at/uploads/6/65/NIST-mailing-list_Bernstein-Daemen.txt Bernstein]<br />
|- <br />
| 2nd preimage || 512 || 7 rounds || 2<sup>507</sup> || 2<sup>320</sup> || [http://ehash.iaik.tugraz.at/uploads/6/65/NIST-mailing-list_Bernstein-Daemen.txt Bernstein]<br />
|- <br />
| 2nd preimage || 512 || 8 rounds || 2<sup>511.5</sup> || 2<sup>508</sup> || [http://ehash.iaik.tugraz.at/uploads/6/65/NIST-mailing-list_Bernstein-Daemen.txt Bernstein]<br />
|- <br />
|}<br />
<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control or access over some internal variables (a.k.a. free-start, pseudo, compression function, block cipher, or permutation attacks). <br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| distinguisher || permutation || all || 24 rounds || 2<sup>1579</sup> || || [http://eprint.iacr.org/2011/023.pdf Duan,Lai]<br />
|- <br />
| distinguisher || permutation || all || 24 rounds || 2<sup>1590</sup> || || [http://eprint.iacr.org/2010/589.pdf Boura,Canteaut,DeCanniere]<br />
|- <br />
| distinguisher || permutation || all || 20 rounds || 2<sup>1586</sup> || || [http://www-rocq.inria.fr/secret/Christina.Boura/data/sac.pdf Boura,Canteaut]<br />
|- <br />
| preimage<sup>(2)</sup> || hash || 1024 || 3 rounds, 40 bit message || 1852 seconds (2<sup>34.11</sup>) || ? || [http://eprint.iacr.org/2010/285.pdf Morawiecki,Srebrny]<br />
|- <br />
| distinguisher<sup>(1)</sup> || permutation || all || 18 rounds || 2<sup>1370</sup> || || [http://www-roc.inria.fr/secret/Anne.Canteaut/Publications/zero_sum.pdf Boura,Canteaut]<br />
|- <br />
| distinguisher<sup>(1)</sup> || permutation || all || 16 rounds || 2<sup>1023.88</sup> || || [http://www.131002.net/data/papers/AM09.pdf Aumasson,Meier]<br />
|- <br />
| key recovery || secret-prefix MAC || 224 || 4 rounds || 2<sup>19</sup> || ? || [http://www.cs.rit.edu/~jal6806/thesis/thesis.pdf Lathrop]<br />
|- <br />
| observations || permutation || all || || || || [http://131002.net/data/papers/AK09.pdf Aumasson,Khovratovich]<br />
|- <br />
|}<br />
<br />
<sup>(1)</sup> The Keccak team commented on these distinguishers and provided generic constructions in [http://keccak.noekeon.org/NoteZeroSum.pdf this note].<br />
<br />
<sup>(2)</sup> The Keccak team estimated the complexity of this attack at 2<sup>34.11</sup> evaluations of 3 rounds of Keccak-f[1600] in [http://ehash.iaik.tugraz.at/uploads/5/5b/Note_SAT-basedPreimageAnalysis.txt this note] (exhaustive search: 2<sup>40</sup>).<br />
<br />
<br />
<bibtex><br />
@misc{cryptoeprint:2011:023,<br />
author = {Ming Duan and Xuejia Lai},<br />
title = {Improved zero-sum distinguisher for full round Keccak-f permutation},<br />
howpublished = {Cryptology ePrint Archive, Report 2011/023},<br />
year = {2011},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/2011/023.pdf},<br />
abstract = {K$\textsc{eccak}$ is one of the five hash functions selected for the final round of the SHA-3 competition and its inner primitive is a permutation called K$\textsc{eccak}$-$f$. In this paper, we find that for the inverse of the only one nonlinear transformation of K$\textsc{eccak}$-$f$, the algebraic degrees of any output coordinate and of the product of any two output coordinates are both 3 and also 2 less than its size 5. Combining the observation with a proposition from an upper bound on the degree of iterated permutations, we improve the zero-sum distinguisher of full 24 rounds K$\textsc{eccak}$-$f$ permutation by lowering the size of the zero-sum partition from $2^{1590}$ to $2^{1579}$.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{KeccakBernstein10,<br />
author = {Daniel J. Bernstein},<br />
title = {Second preimages for 6 (7? (8??)) rounds of Keccak?},<br />
url = {http://ehash.iaik.tugraz.at/uploads/6/65/NIST-mailing-list_Bernstein-Daemen.txt},<br />
howpublished = {NIST mailing list},<br />
year = {2010},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cryptoeprint:2009:224,<br />
author = {Christina Boura and Anne Canteaut and Christophe De Canniere},<br />
title = {Higher-order differential properties of Keccak and Luffa},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/589},<br />
year = {2010},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/2010/589.pdf},<br />
abstract = {In this paper, we identify higher-order differential and zero-sum properties in the full Keccak-f permutation, in the Luffa v1 hash function, and in components of the Luffa v2 algorithm. These structural properties rely on a new bound on the degree of iterated permutations with a nonlinear layer composed of parallel applications of smaller balanced Sboxes. These techniques yield zero-sum partitions of size $2^{1590}$ for the full Keccak-f permutation and several observations on the Luffa hash family. We first show that Luffa v1 applied to one-block messages is a function of 255 variables with degree at most 251. This observation leads to the construction of a higher-order differential distinguisher for the full Luffa v1 hash function, similar to the one presented by Watanabe et al. on a reduced version. We show that similar techniques can be used to find all-zero higher-order differentials in the Luffa v2 compression function, but the additional blank round destroys this property in the hash function.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{sacBC10,<br />
author = {Christina Boura and Anne Canteaut},<br />
title = {Zero-Sum Distinguishers for Iterated Permutations and Application to Keccak-f and Hamsi-256},<br />
url = {http://www-rocq.inria.fr/secret/Christina.Boura/data/sac.pdf},<br />
booktitle = {SAC},<br />
year = {2010},<br />
series = {LNCS},<br />
publisher = {Springer},<br />
note = {To appear},<br />
abstract = {The zero-sum distinguishers introduced by Aumasson and Meier are investigated. First, the minimal size of a zero-sum is established. Then, we analyze the impacts of the linear and the nonlinear layers in an iterated permutation on the construction of zero-sum partitions. Finally, these techniques are applied to the Keccak-f permutation and to Hamsi-256. We exhibit several zero-sum partitions for 20 rounds (out of 24) of Keccak-f and some zero-sum partitions of size $2^{19}$ and $2^{10}$ for the finalization permutation in Hamsi-256.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{keccakMS10,<br />
author = {Pawel Morawiecki and Marian Srebrny},<br />
title = {A SAT-based preimage analysis of reduced KECCAK hash functions},<br />
url = {http://eprint.iacr.org/2010/285.pdf},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/285},<br />
year = {2010},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{KeccakNoteZeroSum,<br />
author = {G. Bertoni and J. Daemen and M. Peeters and G. Van Assche},<br />
title = {Note on zero-sum distinguishers of Keccak-f},<br />
url = {http://keccak.noekeon.org/NoteZeroSum.pdf},<br />
howpublished = {NIST mailing list},<br />
year = {2010},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{keccakBC10,<br />
author = {Christina Boura and Anne Canteaut},<br />
title = {A Zero-Sum property for the Keccak-f Permutation with 18 Rounds},<br />
url = {http://www-roc.inria.fr/secret/Anne.Canteaut/Publications/zero_sum.pdf},<br />
howpublished = {NIST mailing list},<br />
year = {2010},<br />
abstract = {A new type of distinguishing property, named the zero-sum property<br />
has been recently presented by Aumasson and Meier [1]. It has<br />
been applied to the inner permutation of the hash function Keccak<br />
and it has led to a distinguishing property for the Keccak-f permutation<br />
up to 16 rounds, out of 24 in total. Here, we additionally exploit<br />
some spectral properties of the Keccak-f permutation and we improve<br />
the previously known upper bounds on the degree of the inverse<br />
permutation after a certain number of rounds. This result enables us<br />
to extend the zero-sum property to 18 rounds of the Keccak-f permutation,<br />
which was the number of rounds in the previous version of<br />
Keccak submitted to the SHA-3 competition.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{keccakAM09,<br />
author = {Jean-Philippe Aumasson and Willi Meier},<br />
title = {Zero-sum distinguishers for reduced Keccak-f and for the core functions of Luffa and Hamsi},<br />
url = {http://www.131002.net/data/papers/AM09.pdf},<br />
howpublished = {NIST mailing list},<br />
year = {2009},<br />
abstract = {We present a new type of distinguisher, called zero-sum distinguisher, and apply it to reduced versions of the Keccak-f permutation. We obtain practical and deterministic distinguishers on up to 9 rounds, and shortcut distinguishers on up to 16 rounds, out of 18 in total. These observations do not seem to affect the security of Keccak. We also briefly describe application of zero-sum distinguishers to the core permutations of Luffa and Hamsi.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{keccakAK09,<br />
author = {Joel Lathrop},<br />
title = {Cube Attacks on Cryptographic Hash Functions},<br />
url = {http://www.cs.rit.edu/~jal6806/thesis/thesis.pdf},<br />
howpublished = {Available online},<br />
year = {2009},<br />
abstract = {The thesis includes a successful cube attack against 4-round Keccak complete with a table of maxterms, analysis of the attack, and the estimated limits of its extension to higher numbers of rounds.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{keccakAK09,<br />
author = {Jean-Philippe Aumasson and Dmitry Khovratovich},<br />
title = {First Analysis of Keccak},<br />
url = {http://131002.net/data/papers/AK09.pdf},<br />
howpublished = {Available online},<br />
year = {2009},<br />
abstract = {We apply known automated cryptanalytic tools to the Keccak-f[1600] permutation, using<br />
a triangulation tool to solve the CICO problem, and cube testers to detect some structure in the<br />
algebraic description of the reduced Keccak-f[1600]. The applicability of our tools was notably limited<br />
by the strength of the inverse permutation.},<br />
}<br />
</bibtex></div>Mschlaefferhttps://ehash.iaik.tugraz.at/index.php?title=The_SHA-3_Zoo&diff=3692The SHA-3 Zoo2011-03-30T08:08:58Z<p>Mschlaeffer: </p>
<hr />
<div>The SHA-3 Zoo (work in progress) is a collection of cryptographic hash functions (in alphabetical order) submitted to the [http://www.nist.gov/hash-competition SHA-3 contest] (see also [http://en.wikipedia.org/wiki/SHA-3 here]). It aims to provide an overview of design and cryptanalysis of all submissions. A list of all [[SHA-3 submitters]] is also available. For a software performance related overview, see [http://bench.cr.yp.to/ebash.html eBASH]. At a separate page, we also collect [[SHA-3_Hardware_Implementations | hardware implementation results]] of the candidates. Another categorization of the SHA-3 submissions can be found [http://eprint.iacr.org/2008/511.pdf here].<br />
<br />
The idea of the SHA-3 Zoo is to give a good overview of cryptanalytic results. We try to avoid additional judgement whether a submission is broken. The answer to this question is left to NIST. However, we categorize the cryptanalytic results by their impact from very theoretic to practical attacks. A detailed description is given in [[Cryptanalysis Categories]].<br />
<br />
At this time, 56 out of 64 submissions to the SHA-3 competition are publicly known and available. 51 submissions have advanced to [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/index.html round 1], 14 submissions have made it into [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/index.html round 2] and 5 candidates have been selected for the [http://csrc.nist.gov/groups/ST/hash/sha-3/Round3/index.html final].<br />
<br />
The following table should give a first impression on the remaining SHA-3 candidates. It shows only the best known attack, more detailed results are collected at the individual hash function pages. A description of the main table is given [[Cryptanalysis_Categories#Main_Cryptanalysis_Table | here]].<br />
<br />
<br />
<br />
The 5 finalists of the SHA-3 competition are:<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable" style="text-align:center"<br />
|- style="background:#efefef;"<br />
! width="120"| Hash Name !! width="160" | Principal Submitter !! width="150"| Best Attack on Main NIST Requirements !! width="140"| Best Attack on other Hash Requirements<br />
|-<br />
| [[BLAKE]] || Jean-Philippe Aumasson || ||<br />
|-<br />
| [[Groestl|Grøstl]] || Lars R. Knudsen || ||<br />
|-<br />
| [[JH]] || Hongjun Wu || style="background:greenyellow" | preimage ||<br />
|- <br />
| [[Keccak]] || The Keccak Team || ||<br />
|-<br />
| [[Skein]] || Bruce Schneier || ||<br />
|- <br />
|}<br />
<br />
<br />
[http://ehash.iaik.tugraz.at/index.php?title=Special:Recentchangeslinked&target=The_SHA-3_Zoo&days=7&limit=50&hideminor=1 Recent updates of the SHA-3 Zoo]<br />
<br />
Your analysis is not mentioned? Drop a line at sha3zoo@iaik.tugraz.at to let us know!<br />
<br />
<font color=red>Call for contribution:</font><br />
A subgroup of STVL in ECRYPT2 has started working on an ECRYPT report on the status of the SHA-3 finalists. The report will contain a survey of the results published on the finalists. If you have recently obtained new results which are not public yet and want to see them included in the report, please contact vincent.rijmen@iaik.tugraz.at.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
The following SHA-3 candidates advanced to round 2 but did not get into the final:<br />
<br />
[http://ehash.iaik.tugraz.at/uploads/c/ce/20090922-2230_SHA-3_round2_tweaks.pdf Round 2 tweaks for all candidates]<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable" style="text-align:center"<br />
|- style="background:#efefef;"<br />
! width="120"| Hash Name !! width="160" | Principal Submitter !! width="150"| Best Attack on Main NIST Requirements !! width="140"| Best Attack on other Hash Requirements<br />
|-<br />
| [[Blue Midnight Wish]] || Svein Johan Knapskog || ||<br />
|-<br />
| [[CubeHash]] || Daniel J. Bernstein || style="background:greenyellow" | preimage ||<br />
|-<br />
| [[ECHO]] || Henri Gilbert || ||<br />
|- <br />
| [[Fugue]] || Charanjit S. Jutla || ||<br />
|- <br />
| [[Hamsi]] || Özgül Küçük || ||<br />
|-<br />
| [[Luffa]] || Dai Watanabe || ||<br />
|-<br />
| [[Shabal]] || Jean-François Misarsky || ||<br />
|-<br />
| [[SHAvite-3]] || Orr Dunkelman || ||<br />
|-<br />
| [[SIMD]] || Gaëtan Leurent || ||<br />
|-<br />
|}<br />
<br />
<br />
<br />
<br />
<br />
The following submitted hash functions have not advanced to round 2:<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable" style="text-align:center"<br />
|- style="background:#efefef;"<br />
! width="120"| Hash Name !! width="160" | Principal Submitter !! width="120" | Status !! width="150"| Best Attack on Main NIST Requirements !! width="140"| Best Attack on other Hash Requirements<br />
|-<br />
| [[Abacus]] || Neil Sholer || in round 1 || style="background:orange" | 2nd-preimage ||<br />
|-<br />
| [[ARIRANG]] || Jongin Lim || in round 1 || ||<br />
|- <br />
| [[AURORA]] || Masahiro Fujita || in round 1|| style="background:orange"| 2nd preimage ||<br />
|-<br />
| [[Blender]] || Colin Bradbury || in round 1|| style="background:orange" | collision, preimage || near-collision<br />
|- <br />
| [[Boole]] || Greg Rose || in round 1 || style="background:red" | collision ||<br />
|- <br />
| [[Cheetah]] || Dmitry Khovratovich || in round 1|| || length-extension<br />
|-<br />
| [[CHI]] || Phillip Hawkes || in round 1|| ||<br />
|- <br />
| [[CRUNCH]] || Jacques Patarin || in round 1|| || length-extension<br />
|-<br />
| [[DCH]] || David A. Wilson || in round 1 || style="background:red" | collision ||<br />
|-<br />
| [[Dynamic SHA]] || Xu Zijie || in round 1|| style="background:red"|collision || length-extension <br />
|-<br />
| [[Dynamic SHA2]] || Xu Zijie || in round 1|| style="background:orange"|collision || length-extension<br />
|-<br />
| [[ECOH]] || Daniel R. L. Brown || in round 1|| style="background:orange"| 2nd preimage ||<br />
|-<br />
| [[Edon-R (SHA-3 submission)|Edon-R]] || Danilo Gligoroski || in round 1|| style="background:yellow" | preimage ||<br />
|-<br />
| [[EnRUPT]] || Sean O'Neil || in round 1|| style="background:red" | collision ||<br />
|- <br />
| [[ESSENCE]] || Jason Worth Martin || in round 1|| style="background:orange" | collision ||<br />
|-<br />
| [[FSB (SHA-3 submission) | FSB]] || Matthieu Finiasz || in round 1|| ||<br />
|-<br />
| [[HASH 2X]] || Jason Lee || not in round 1 || style="background:red" | 2nd-preimage ||<br />
|-<br />
| [[Khichidi-1]] || M. Vidyasagar || in round 1 || style="background:red" | collision ||<br />
|-<br />
| [[LANE]] || Sebastiaan Indesteege || in round 1|| ||<br />
|- <br />
| [[Lesamnta]] || Hirotaka Yoshida || in round 1|| ||<br />
|-<br />
| [[LUX]] || Ivica Nikolić || in round 1|| style="background:orange" | collision, 2nd preimage || DRBG,HMAC<br />
|- <br />
| [[Maraca]] || Robert J. Jenkins || not in round 1 || style="background:red" | preimage ||<br />
|- <br />
| [[MCSSHA-3]] || Mikhail Maslennikov || in round 1|| style="background:orange" | 2nd preimage ||<br />
|- <br />
| [[MD6]] || Ronald L. Rivest || in round 1|| ||<br />
|- <br />
| [[MeshHash]] || Björn Fay || in round 1 || style="background:orange" | 2nd preimage ||<br />
|- <br />
| [[NaSHA]] || Smile Markovski || in round 1|| style="background:orange" | collision ||<br />
|-<br />
| [[NKS2D]] || Geoffrey Park || not in round 1 || style="background:red" | collision ||<br />
|-<br />
| [[Ponic]] || Peter Schmidt-Nielsen || not in round 1 || style="background:yellow" | 2nd-preimage ||<br />
|-<br />
| [[SANDstorm]] || Rich Schroeppel || in round 1|| ||<br />
|-<br />
| [[Sarmal]] || Kerem Varıcı || in round 1|| style="background:yellow" | preimage ||<br />
|- <br />
| [[Sgàil]] || Peter Maxwell|| in round 1|| style="background:red" | collision ||<br />
|-<br />
| [[SHAMATA]] || Orhun Kara || in round 1 || style="background:red" | collision ||<br />
|-<br />
| [[Spectral Hash]] || Çetin Kaya Koç || in round 1|| style="background:red" | collision ||<br />
|-<br />
| [[StreamHash]] || Michal Trojnara || in round 1 || style="background:red" | collision ||<br />
|-<br />
| [[SWIFFTX]] || Daniele Micciancio || in round 1|| ||<br />
|-<br />
| [[Tangle]] || Rafael Alvarez || in round 1 || style="background:red" | collision ||<br />
|-<br />
| [[TIB3]] || Daniel Penazzi || in round 1|| style="background:yellow" | collision ||<br />
|-<br />
| [[Twister]] || Michael Gorski || in round 1|| style="background:orange" | preimage ||<br />
|- <br />
| [[Vortex (SHA-3 submission)|Vortex]] || Michael Kounavis || in round 1|| style="background:yellow" | preimage ||<br />
|-<br />
| [[WaMM]] || John Washburn || in round 1 || style="background:red" | collision ||<br />
|-<br />
| [[Waterfall]] || Bob Hattersley || in round 1 || style="background:orange" | collision ||<br />
|-<br />
| [[ZK-Crypt]] || Carmi Gressel || not in round 1 || ||<br />
|}</div>Mschlaefferhttps://ehash.iaik.tugraz.at/index.php?title=Groestl&diff=3691Groestl2011-03-28T13:11:36Z<p>Mschlaeffer: </p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Praveen Gauravaram, Lars R. Knudsen, Krystian Matusiewicz, Florian Mendel, Christian Rechberger, Martin Schläffer, Søren S. Thomsen<br />
* Website: [http://www.groestl.info http://www.groestl.info]<br />
* NIST submission package: <br />
** round 3: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round3/documents/Groestl_FinalRnd.zip Groestl_FinalRnd.zip]<br />
** round 1/2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/Grostl_Round2.zip Grostl_Round2.zip] (old version: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/Grostl.zip Grostl.zip])<br />
<br />
<br />
<bibtex><br />
@misc{sha3groestl,<br />
author = {Praveen Gauravaram and Lars R. Knudsen and Krystian Matusiewicz and Florian Mendel and Christian Rechberger and Martin Schläffer and Søren S. Thomsen},<br />
title = {Grøstl -- a SHA-3 candidate},<br />
url = {http://www.groestl.info/Groestl.pdf},<br />
howpublished = {Submission to NIST (Round 3)},<br />
year = {2011},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3groestl,<br />
author = {Praveen Gauravaram and Lars R. Knudsen and Krystian Matusiewicz and Florian Mendel and Christian Rechberger and Martin Schläffer and Søren S. Thomsen},<br />
title = {Grøstl Addendum},<br />
url = {http://groestl.info/Groestl-addendum.pdf},<br />
howpublished = {Available online},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3groestl,<br />
author = {Praveen Gauravaram and Lars R. Knudsen and Krystian Matusiewicz and Florian Mendel and Christian Rechberger and Martin Schläffer and Søren S. Thomsen},<br />
title = {Grøstl -- a SHA-3 candidate},<br />
url = {http://groestl.info/Groestl-0.pdf},<br />
howpublished = {Submission to NIST (Round 1/2)},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
Recommended security parameter: '''10''' rounds (n=224,256); '''14''' rounds (n=384,512)<br />
<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|-<br />
| collision || 224,256 || 3 rounds || 2<sup>64</sup> || - || [http://groestl.info/groestl-analysis.pdf Schläffer]<br />
|-<br />
| collision || 512 || 3 rounds || 2<sup>192</sup> || - || [http://groestl.info/groestl-analysis.pdf Schläffer]<br />
|-<br />
|}<br />
<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and on the hash function modified by means other than the security parameter.<br />
<br />
Note that these results assume more direct control over, or access to, some internal variables (so-called free-start, pseudo, compression function, block cipher or permutation attacks).<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| semi-free-start collision || compression function || 256 || 6 rounds || 2<sup>112</sup> || 2<sup>64</sup> || [http://groestl.info/groestl-analysis.pdf Schläffer]<br />
|-<br />
| semi-free-start collision || compression function || 384,512 || 6 rounds || 2<sup>180</sup> || 2<sup>64</sup> || [http://groestl.info/groestl-analysis.pdf Schläffer]<br />
|-<br />
| collision || hash function || 224,256 || 5 rounds (Round 1) || 2<sup>48</sup> || 2<sup>32</sup> || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel]<br />
|-<br />
| collision || hash function || 256 || 6 rounds (Round 1) || 2<sup>112</sup> || 2<sup>32</sup> || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel]<br />
|-<br />
| collision || hash function || 224,256 || 4 rounds (Round 1) || 2<sup>64</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| collision || hash function || 224,256 || 3 rounds (Round 1) || 2<sup>64</sup> || - || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| collision || hash function || 384,512 || 5 rounds (Round 1) || 2<sup>176</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| collision || hash function || 384,512 || 4 rounds (Round 1) || 2<sup>64</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| distinguisher || compression function || 256 || 10 rounds (Round 1) || 2<sup>175</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/607.pdf Naya-Plasencia]<br />
|-<br />
| distinguisher || compression function || 512 || 11 rounds (Round 1) || 2<sup>630</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/607.pdf Naya-Plasencia]<br />
|-<br />
| distinguisher || permutation || 256 || 8 rounds || 2<sup>48</sup> || 2<sup>8</sup> || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SASAKI_ECHOanalysisFinal.pdf Sasaki,Li,Wang,Sakiyama,Ohta]<br />
|-<br />
| semi-free-start collision || compression function || 512 || 7 rounds (Round 1) || 2<sup>152</sup> || 2<sup>56</sup> || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SASAKI_ECHOanalysisFinal.pdf Sasaki,Li,Wang,Sakiyama,Ohta]<br />
|-<br />
| semi-free-start collision || compression function || 224,256 || 7 rounds (Round 1) || 2<sup>80</sup> || 2<sup>32</sup> || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel]<br />
|-<br />
| semi-free-start collision || compression function || 224,256 || 8 rounds (Round 1) || 2<sup>192</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel]<br />
|-<br />
| distinguisher || permutation || 224,256 || 7 rounds || 2<sup>19</sup> || - || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel]<br />
|-<br />
| distinguisher || permutation || 224,256 || 8 rounds || 2<sup>64</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel]<br />
|-<br />
| distinguisher || compression function || 256 || 10 rounds (Round 1) || 2<sup>192</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/223.pdf Peyrin]<br />
|- <br />
| distinguisher || compression function || 256 || 9 rounds (Round 1) || 2<sup>80</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/223.pdf Peyrin]<br />
|- <br />
| distinguisher || compression function || 512 || 11 rounds (Round 1) || 2<sup>640</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/223.pdf Peyrin]<br />
|- <br />
| semi-free-start collision || compression function || 256 || 7 rounds (Round 1) || 2<sup>120</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2009/531.pdf Gilbert,Peyrin]<br />
|- <br />
| distinguisher || compression function || 256 || 8 rounds (Round 1) || 2<sup>112</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2009/531.pdf Gilbert,Peyrin]<br />
|- <br />
| distinguisher || permutation || 256 || 8 rounds || 2<sup>112</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2009/531.pdf Gilbert,Peyrin]<br />
|- <br />
| semi-free-start collision || compression function || 256 || 7 rounds (Round 1) || 2<sup>120</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| semi-free-start collision || compression function|| 384,512 || 7 rounds (Round 1) || 2<sup>152</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| semi-free-start collision || compression function || 224,256 || 6 rounds (Round 1) || 2<sup>64</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124407&pCurrPk=44420 Mendel,Peyrin,Rechberger,Schläffer]<br />
|- <br />
| distinguisher || output transformation || 224,256 || 7 rounds || 2<sup>56</sup> || - || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124407&pCurrPk=44420 Mendel,Peyrin,Rechberger,Schläffer]<br />
|- <br />
| distinguisher || permutation || 224,256 || 7 rounds || 2<sup>55</sup> || - || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124407&pCurrPk=44420 Mendel,Peyrin,Rechberger,Schläffer]<br />
|- <br />
| semi-free-start collision || compression function || 256 || 6 rounds (Round 1) || 2<sup>120</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124409&pCurrPk=40943 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| semi-free-start collision || compression function || 224,256 || 5 rounds (Round 1) || 2<sup>64</sup> || - || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124409&pCurrPk=40943 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| observation || hash || all || || || || [http://ehash.iaik.tugraz.at/uploads/d/d0/Grostl-comment-april28.pdf Kelsey]<br />
|- <br />
| observation || block cipher || all || || || || [http://www.larc.usp.br/~pbarreto/Grizzly.pdf Barreto]<br />
|- <br />
| free-start collision || compression function || all || any || 2<sup>2n/3</sup> || 2<sup>2n/3</sup> || [http://www.groestl.info/Groestl.pdf submission document]<br />
|- <br />
| pseudo-preimage || compression function || all || any || 2<sup>n</sup> || - || [http://www.groestl.info/Groestl.pdf submission document]<br />
|- <br />
|}<br />
<br />
<br />
<bibtex><br />
@misc{groestlSchlaeffer11,<br />
author = {Martin Schläffer},<br />
title = {Updated Differential Analysis of Grøstl},<br />
howpublished = {Available online},<br />
year = {2010},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://groestl.info/groestl-analysis.pdf},<br />
abstract = {Grøstl is a SHA-3 finalist with clear proofs against a large class of differential attacks, similar to those of MD6. Furthermore, in this note we provide an update also regarding more advanced types of differential attacks that have been developed in recent years. We apply the rebound attacks on the initial submission to the tweaked version of Grøstl. We have analyzed the round-reduced hash function and compression function of Grøstl-256 (10 rounds) and Grøstl-512 (14 rounds). For both versions, we get collisions for 3 rounds of the hash function and collisions for 6 rounds of the compression function. We hope that our own efforts on improving the cryptanalysis will continue to motivate and accelerate external cryptanalysis.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cryptoeprint:2010:607,<br />
author = {María Naya-Plasencia},<br />
title = {Scrutinizing rebound attacks: new algorithms for improving the complexities},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/607},<br />
year = {2010},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/2010/607.pdf},<br />
abstract = {Rebound attacks are a state-of-the-art analysis method for hash functions. These cryptanalysis methods are based on a well chosen differential path and have been applied to several hash functions from the SHA-3 competition, providing the best known analysis in these cases. In this paper we study rebound attacks in detail and find for a great number of cases, that complexities of existing attacks can be improved. This is done by determining problems that adapt optimally to the cryptanalytic situation, and by using better algorithms to follow the differential path. These improvements are essentially based on merging big lists in a more efficient way, as well as on new ideas on how to reduce the complexities. As a result, we introduce general purpose new algorithms for enabling further rebound analysis to be as performant as possible. We illustrate our new algorithms for real hash functions and demonstrate how to reduce the complexities of the best known analysis on five hash functions: JH, Grøstl, ECHO, Luffa and Lane (the first four are round two SHA-3 candidates).},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{groestlechoSLWSO10,<br />
author = {Yu Sasaki and Yang Li and Lei Wang and Kazuo Sakiyama and Kazuo Ohta},<br />
title = {New Non-Ideal Properties of AES-Based Permutations: Applications to ECHO and Grøstl},<br />
howpublished = {Second SHA-3 Candidate Conference},<br />
year = {2010},<br />
url = {http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SASAKI_ECHOanalysisFinal.pdf},<br />
abstract = {In this paper, we present non-full-active Super-Sbox analysis which can detect non-ideal<br />
properties of a class of AES-based permutations with a low complexity. We apply this framework<br />
to SHA-3 round-2 candidates ECHO and Grøstl. The first application is for the full-round (8-round)<br />
ECHO permutation, which is a building block for 256-bit and 224-bit output sizes. By combining several<br />
observations specific to ECHO, our attack detects a non-ideal property with a time complexity of 2^182<br />
and 2^37 amount of memory. The complexity, especially in terms of the product of time and memory,<br />
is drastically reduced from the previous best attack which required 2^512 x 2^512. To the best of our knowledge, this is the first result on the full-round ECHO permutation with both time and memory below 2^256 or 2^224. Note that this result does not impact the security of the ECHO compression function nor the overall hash function. We also show that our method can detect non-ideal properties of the 8-round Grøstl-256 permutation with a practical complexity, and finally show that our approach leads<br />
to an improvement on a semi-free-start collision attack on the 7-round Grøstl-512 compression function.<br />
Our approach is based on a series of attacks on AES-based hash functions such as rebound attack and<br />
Super-Sbox analysis. The core idea is using a new differential path consisting of only non-full-active<br />
states.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{ITP10,<br />
author = {Kota Ideguchi and Elmar Tischhauser and Bart Preneel},<br />
title = {Improved Collision Attacks on the Reduced-Round Grøstl Hash Function},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/375},<br />
year = {2010},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/2010/375.pdf},<br />
abstract = {We analyze the Gr{\o}stl hash function, which is a 2nd-round candidate of the SHA-3 competition. Using the start-from-the-middle variant of the rebound technique, we show collision attacks on the Gr{\o}stl-256 hash function reduced to 5 and 6 out of 10 rounds with time complexities $2^{48}$ and $2^{112}$, respectively. Furthermore, we demonstrate semi-free-start collision attacks on the Gr{\o}stl-224 and -256 hash functions reduced to 7 rounds and the Gr{\o}stl-224 and -256 compression functions reduced to 8 rounds. Our attacks are based on differential paths between the two permutations $P$ and $Q$ of Gr{\o}stl, a strategy introduced by Peyrin to construct distinguishers for the compression function. In this paper, we extend this approach to construct collision and semi-free-start collision attacks for both the hash and the compression function. Finally, we present improved distinguishers for reduced-round versions of the Gr{\o}stl-224 and -256 permutations.},<br />
}<br />
</bibtex> <br />
<br />
<bibtex> <br />
@misc{Pey10,<br />
author = {Thomas Peyrin},<br />
title = {Improved Differential Attacks for ECHO and Grostl},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/223},<br />
year = {2010},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/2010/223.pdf},<br />
abstract = {We present improved cryptanalysis of two second-round SHA-3 candidates: the AES-based hash functions ECHO and Grostl. We explain methods for building better differential trails for ECHO by increasing the granularity of the truncated differential paths previously considered. In the case of Grostl, we describe a new technique, the internal differential attack, which shows that when using parallel computations designers should also consider the differential security between the parallel branches. Then, we exploit the recently introduced start-from-the-middle or Super-Sbox attacks, that proved to be very efficient when attacking AES-like permutations, to achieve a very efficient utilization of the available freedom degrees. Finally, we obtain the best known attacks so far for both ECHO and Grostl. In particular, we are able to mount a distinguishing attack for the full Grostl-256 compression function.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{fseGP10,<br />
author = {Henri Gilbert and Thomas Peyrin},<br />
title = {Super-Sbox Cryptanalysis: Improved Attacks for AES-like permutations},<br />
url = {http://eprint.iacr.org/2009/531.pdf},<br />
booktitle = {FSE},<br />
year = {2010},<br />
series = {LNCS},<br />
publisher = {Springer},<br />
note = {To appear},<br />
abstract = {In this paper, we improve the recent rebound and start-from-the-middle attacks on AES-like permutations. Our new cryptanalysis technique uses the fact that one can view two rounds of such permutations as a layer of big Sboxes preceded and followed by simple affine transformations. The big Sboxes encountered in this alternative representation are named Super-Sboxes. We apply this method to two second-round SHA-3 candidates Grostl and ECHO, and obtain improvements over the previous cryptanalysis results for these two schemes. Moreover, we improve the best distinguisher for the AES block cipher in the known-key setting, reaching 8 rounds for the 128-bit version.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{ctrsaMRST10,<br />
author = {Florian Mendel and Christian Rechberger and Martin Schläffer and Søren S. Thomsen},<br />
title = {Rebound Attacks on the Reduced Grøstl Hash Function},<br />
url = {http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053},<br />
booktitle = {CT-RSA},<br />
year = {2010},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {5985},<br />
pages = {350-365},<br />
abstract = {Grøstl is one of 14 second round candidates of the<br />
NIST SHA-3 competition. Cryptanalytic results on the wide-pipe compression<br />
function of Grøstl-256 have already been published. However, little is known<br />
about the hash function, arguably a much more interesting cryptanalytic<br />
setting. Also, Grøstl-512 has not been analyzed yet. In this paper, we show<br />
the first cryptanalytic attacks on reduced-round versions of the Grøstl hash<br />
functions. These results are obtained by several extensions of the rebound<br />
attack. We present a collision attack on 4/10 rounds of the Grøstl-256 hash<br />
function and 5/14 rounds of the Grøstl-512 hash functions. Additionally, we<br />
give the best collision attack for reduced-round (7/10 and 7/14) versions of the<br />
compression function of Grøstl-256 and Grøstl-512.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{sacMPRS09,<br />
author = {Florian Mendel and Thomas Peyrin and Christian<br />
Rechberger and Martin Schläffer},<br />
title = {Improved Cryptanalysis of the Reduced Grøstl<br />
Compression Function, ECHO Permutation and AES Block Cipher},<br />
url = {http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124407&pCurrPk=44420},<br />
booktitle = {SAC},<br />
year = {2009},<br />
series = {LNCS},<br />
publisher = {Springer},<br />
volume = {5867},<br />
pages = {16-35},<br />
abstract = {In this paper, we propose two new ways to mount attacks<br />
on the SHA-3 candidates Gr{\o}stl, and ECHO, and apply these attacks<br />
also to the AES. Our results improve upon and extend the rebound<br />
attack. Using the new techniques, we are able to extend the number of<br />
rounds in which available degrees of freedom can be used. As a result,<br />
we present the first attack on 7 rounds for the Gr{\o}stl-256 output<br />
transformation and improve the semi-free-start collision attack on 6<br />
rounds. Further, we present an improved known-key distinguisher for 7<br />
rounds of the AES block cipher and the internal permutation used in<br />
ECHO.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{fseMRST09,<br />
author = {Florian Mendel and Christian Rechberger and Martin Schläffer and Søren S. Thomsen},<br />
title = {The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grøstl},<br />
url = {http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124409&pCurrPk=40943},<br />
booktitle = {FSE},<br />
editor = {Orr Dunkelman},<br />
year = {2009},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {5665},<br />
pages = {260-276},<br />
abstract = {In this work, we propose the rebound attack, a new tool<br />
for the cryptanalysis of hash functions. The idea of the rebound<br />
attack is to use the available degrees of freedom in a collision<br />
attack to efficiently bypass the low probability parts of a<br />
differential trail. The rebound attack consists of an inbound phase<br />
with a match-in-the-middle part to exploit the available degrees of<br />
freedom, and a subsequent probabilistic outbound phase. Especially on<br />
AES based hash functions, the rebound attack leads to new attacks for<br />
a surprisingly high number of<br />
rounds.<br />
We use the rebound attack to construct collisions for 4.5 rounds of<br />
the 512-bit hash function Whirlpool with a complexity of $2^{120}$<br />
compression function evaluations and negligible memory requirements.<br />
The attack can be extended to a near-collision on 7.5 rounds of the<br />
compression function of Whirlpool and 8.5 rounds of the similar hash<br />
function Maelstrom. Additionally, we apply the rebound attack to the<br />
SHA-3 submission Gr{\o}stl, which leads to an attack on 6 rounds of<br />
the Gr{\o}stl-256 compression function with a complexity of $2^{120}$<br />
and memory requirements of about $2^{64}$.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{groestlK09,<br />
author = {John Kelsey},<br />
title = {Some notes on Grøstl},<br />
url = {http://ehash.iaik.tugraz.at/uploads/d/d0/Grostl-comment-april28.pdf},<br />
howpublished = {Available online},<br />
year = {2009},<br />
abstract = {These are some quick notes on some properties and<br />
observations of Grøstl. Nothing in this note threatens the hash<br />
function; instead, I'm pointing out some properties that are a bit<br />
surprising, and some broad approaches someone might take to get<br />
attacks to work.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{groestlB08,<br />
author = {Paulo S. L. M. Barreto},<br />
title = {An observation on Grøstl},<br />
url = {http://www.larc.usp.br/~pbarreto/Grizzly.pdf},<br />
howpublished = {Available online},<br />
year = {2008},<br />
abstract = {An alternative view of the Groestl SHA-3 submission is<br />
presented. It does not lead to an effective attack nor reveals a<br />
weakness in the design, but illustrates the importance of the<br />
double-width pipe in this construction.},<br />
}<br />
</bibtex></div>Mschlaefferhttps://ehash.iaik.tugraz.at/index.php?title=Groestl&diff=3690Groestl2011-03-28T13:09:32Z<p>Mschlaeffer: </p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Praveen Gauravaram, Lars R. Knudsen, Krystian Matusiewicz, Florian Mendel, Christian Rechberger, Martin Schläffer, Søren S. Thomsen<br />
* Website: [http://www.groestl.info http://www.groestl.info]<br />
* NIST submission package: <br />
** round 3: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round3/documents/Groestl_FinalRnd.zip Groestl_FinalRnd.zip]<br />
** round 1/2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/Grostl_Round2.zip Grostl_Round2.zip] (old version: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/Grostl.zip Grostl.zip])<br />
<br />
<br />
<bibtex><br />
@misc{sha3groestl,<br />
author = {Praveen Gauravaram and Lars R. Knudsen and Krystian Matusiewicz and Florian Mendel and Christian Rechberger and Martin Schläffer and Søren S. Thomsen},<br />
title = {Grøstl -- a SHA-3 candidate},<br />
url = {http://www.groestl.info/Groestl.pdf},<br />
howpublished = {Submission to NIST (Round 3)},<br />
year = {2011},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3groestlAddendum09,<br />
author = {Praveen Gauravaram and Lars R. Knudsen and Krystian Matusiewicz and Florian Mendel and Christian Rechberger and Martin Schläffer and Søren S. Thomsen},<br />
title = {Grøstl Addendum},<br />
url = {http://groestl.info/Groestl-addendum.pdf},<br />
howpublished = {Available online},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3groestl08,<br />
author = {Praveen Gauravaram and Lars R. Knudsen and Krystian Matusiewicz and Florian Mendel and Christian Rechberger and Martin Schläffer and Søren S. Thomsen},<br />
title = {Grøstl -- a SHA-3 candidate},<br />
url = {http://groestl.info/Groestl-0.pdf},<br />
howpublished = {Submission to NIST (Round 1/2)},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
Recommended security parameter: '''10''' rounds (n=224,256); '''14''' rounds (n=384,512)<br />
<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|-<br />
| collision || 224,256 || 3 rounds || 2<sup>64</sup> || - || [http://groestl.info/groestl-analysis.pdf Schläffer]<br />
|-<br />
| collision || 512 || 3 rounds || 2<sup>192</sup> || - || [http://groestl.info/groestl-analysis.pdf Schläffer]<br />
|-<br />
|}<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks). <br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| semi-free-start collision || compression function || 256 || 6 rounds || 2<sup>112</sup> || 2<sup>64</sup> || [http://groestl.info/groestl-analysis.pdf Schläffer]<br />
|-<br />
| semi-free-start collision || compression function || 384,512 || 6 rounds || 2<sup>180</sup> || 2<sup>64</sup> || [http://groestl.info/groestl-analysis.pdf Schläffer]<br />
|-<br />
| collision || hash function || 224,256 || 5 rounds (Round 1) || 2<sup>48</sup> || 2<sup>32</sup> || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel]<br />
|-<br />
| collision || hash function || 256 || 6 rounds (Round 1) || 2<sup>112</sup> || 2<sup>32</sup> || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel]<br />
|-<br />
| collision || hash function || 224,256 || 4 rounds (Round 1) || 2<sup>64</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| collision || hash function || 224,256 || 3 rounds (Round 1) || 2<sup>64</sup> || - || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| collision || hash function || 384,512 || 5 rounds (Round 1) || 2<sup>176</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| collision || hash function || 384,512 || 4 rounds (Round 1) || 2<sup>64</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| distinguisher || compression function || 256 || 10 rounds (Round 1) || 2<sup>175</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/607.pdf Naya-Plasencia]<br />
|-<br />
| distinguisher || compression function || 512 || 11 rounds (Round 1) || 2<sup>630</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/607.pdf Naya-Plasencia]<br />
|-<br />
| distinguisher || permutation || 256 || 8 rounds || 2<sup>48</sup> || 2<sup>8</sup> || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SASAKI_ECHOanalysisFinal.pdf Sasaki,Li,Wang,Sakiyama,Ohta]<br />
|-<br />
| semi-free-start collision || compression function || 512 || 7 rounds (Round 1) || 2<sup>152</sup> || 2<sup>56</sup> || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SASAKI_ECHOanalysisFinal.pdf Sasaki,Li,Wang,Sakiyama,Ohta]<br />
|-<br />
| semi-free-start collision || compression function || 224,256 || 7 rounds (Round 1) || 2<sup>80</sup> || 2<sup>32</sup> || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel]<br />
|-<br />
| semi-free-start collision || compression function || 224,256 || 8 rounds (Round 1) || 2<sup>192</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel]<br />
|-<br />
| distinguisher || permutation || 224,256 || 7 rounds || 2<sup>19</sup> || - || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel]<br />
|-<br />
| distinguisher || permutation || 224,256 || 8 rounds || 2<sup>64</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel]<br />
|-<br />
| distinguisher || compression function || 256 || 10 rounds (Round 1) || 2<sup>192</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/223.pdf Peyrin]<br />
|- <br />
| distinguisher || compression function || 256 || 9 rounds (Round 1) || 2<sup>80</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/223.pdf Peyrin]<br />
|- <br />
| distinguisher || compression function || 512 || 11 rounds (Round 1) || 2<sup>640</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/223.pdf Peyrin]<br />
|- <br />
| semi-free-start collision || compression function || 256 || 7 rounds (Round 1) || 2<sup>120</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2009/531.pdf Gilbert,Peyrin]<br />
|- <br />
| distinguisher || compression function || 256 || 8 rounds (Round 1) || 2<sup>112</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2009/531.pdf Gilbert,Peyrin]<br />
|- <br />
| distinguisher || permutation || 256 || 8 rounds || 2<sup>112</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2009/531.pdf Gilbert,Peyrin]<br />
|- <br />
| semi-free-start collision || compression function || 256 || 7 rounds (Round 1) || 2<sup>120</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| semi-free-start collision || compression function|| 384,512 || 7 rounds (Round 1) || 2<sup>152</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| semi-free-start collision || compression function || 224,256 || 6 rounds (Round 1) || 2<sup>64</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124407&pCurrPk=44420 Mendel,Peyrin,Rechberger,Schläffer]<br />
|- <br />
| distinguisher || output transformation || 224,256 || 7 rounds || 2<sup>56</sup> || - || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124407&pCurrPk=44420 Mendel,Peyrin,Rechberger,Schläffer]<br />
|- <br />
| distinguisher || permutation || 224,256 || 7 rounds || 2<sup>55</sup> || - || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124407&pCurrPk=44420 Mendel,Peyrin,Rechberger,Schläffer]<br />
|- <br />
| semi-free-start collision || compression function || 256 || 6 rounds (Round 1) || 2<sup>120</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124409&pCurrPk=40943 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| semi-free-start collision || compression function || 224,256 || 5 rounds (Round 1) || 2<sup>64</sup> || - || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124409&pCurrPk=40943 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| observation || hash || all || || || || [http://ehash.iaik.tugraz.at/uploads/d/d0/Grostl-comment-april28.pdf Kelsey]<br />
|- <br />
| observation || block cipher || all || || || || [http://www.larc.usp.br/~pbarreto/Grizzly.pdf Barreto]<br />
|- <br />
| free-start collision || compression function || all || any || 2<sup>2n/3</sup> || 2<sup>2n/3</sup> || [http://www.groestl.info/Groestl.pdf submission document]<br />
|- <br />
| pseudo-preimage || compression function || all || any || 2<sup>n</sup> || - || [http://www.groestl.info/Groestl.pdf submission document]<br />
|- <br />
|}<br />
<br />
<br />
<bibtex><br />
@misc{groestlSchlaeffer11,<br />
author = {Martin Schläffer},<br />
title = {Updated Differential Analysis of Grøstl},<br />
howpublished = {Available online},<br />
year = {2011},<br />
url = {http://groestl.info/groestl-analysis.pdf},<br />
abstract = {Grøstl is a SHA-3 finalist with clear proofs against a large class of differential attacks, similar to those of MD6. Furthermore, in this note we provide an update also regarding more advanced types of differential attacks that have been developed in recent years. We apply the rebound attacks on the initial submission to the tweaked version of Grøstl. We have analyzed the round-reduced hash function and compression function of Grøstl-256 (10 rounds) and Grøstl-512 (14 rounds). For both versions, we get collisions for 3 rounds of the hash function and collisions for 6 rounds of the compression function. We hope that our own efforts on improving the cryptanalysis will continue to motivate and accelerate external cryptanalysis.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cryptoeprint:2010:607,<br />
author = {María Naya-Plasencia},<br />
title = {Scrutinizing rebound attacks: new algorithms for improving the complexities},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/607},<br />
year = {2010},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/2010/607.pdf},<br />
abstract = {Rebound attacks are a state-of-the-art analysis method for hash functions. These cryptanalysis methods are based on a well chosen differential path and have been applied to several hash functions from the SHA-3 competition, providing the best known analysis in these cases. In this paper we study rebound attacks in detail and find for a great number of cases, that complexities of existing attacks can be improved. This is done by determining problems that adapt optimally to the cryptanalytic situation, and by using better algorithms to follow the differential path. These improvements are essentially based on merging big lists in a more efficient way, as well as on new ideas on how to reduce the complexities. As a result, we introduce general purpose new algorithms for enabling further rebound analysis to be as performant as possible. We illustrate our new algorithms for real hash functions and demonstrate how to reduce the complexities of the best known analysis on five hash functions: JH, Grøstl, ECHO, Luffa and Lane (the first four are round two SHA-3 candidates).},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{groestlechoSLWSO10,<br />
author = {Yu Sasaki and Yang Li and Lei Wang and Kazuo Sakiyama and Kazuo Ohta},<br />
title = {New Non-Ideal Properties of AES-Based Permutations: Applications to ECHO and Grøstl},<br />
howpublished = {Second SHA-3 Candidate Conference},<br />
year = {2010},<br />
url = {http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SASAKI_ECHOanalysisFinal.pdf},<br />
abstract = {In this paper, we present non-full-active Super-Sbox analysis which can detect non-ideal properties of a class of AES-based permutations with a low complexity. We apply this framework to SHA-3 round-2 candidates ECHO and Grøstl. The first application is for the full-round (8-round) ECHO permutation, which is a building block for 256-bit and 224-bit output sizes. By combining several observations specific to ECHO, our attack detects a non-ideal property with a time complexity of 2^182 and 2^37 amount of memory. The complexity, especially in terms of the product of time and memory, is drastically reduced from the previous best attack which required 2^512 x 2^512. To the best of our knowledge, this is the first result on the full-round ECHO permutation with both time and memory below 2^256 or 2^224. Note that this result does not impact the security of the ECHO compression function nor the overall hash function. We also show that our method can detect non-ideal properties of the 8-round Grøstl-256 permutation with a practical complexity, and finally show that our approach leads to an improvement on a semi-free-start collision attack on the 7-round Grøstl-512 compression function. Our approach is based on a series of attacks on AES-based hash functions such as rebound attack and Super-Sbox analysis. The core idea is using a new differential path consisting of only non-full-active states.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{ITP10,<br />
author = {Kota Ideguchi and Elmar Tischhauser and Bart Preneel},<br />
title = {Improved Collision Attacks on the Reduced-Round Grøstl Hash Function},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/375},<br />
year = {2010},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/2010/375.pdf},<br />
abstract = {We analyze the Gr{\o}stl hash function, which is a 2nd-round candidate of the SHA-3 competition. Using the start-from-the-middle variant of the rebound technique, we show collision attacks on the Gr{\o}stl-256 hash function reduced to 5 and 6 out of 10 rounds with time complexities $2^{48}$ and $2^{112}$, respectively. Furthermore, we demonstrate semi-free-start collision attacks on the Gr{\o}stl-224 and -256 hash functions reduced to 7 rounds and the Gr{\o}stl-224 and -256 compression functions reduced to 8 rounds. Our attacks are based on differential paths between the two permutations $P$ and $Q$ of Gr{\o}stl, a strategy introduced by Peyrin to construct distinguishers for the compression function. In this paper, we extend this approach to construct collision and semi-free-start collision attacks for both the hash and the compression function. Finally, we present improved distinguishers for reduced-round versions of the Gr{\o}stl-224 and -256 permutations.},<br />
}<br />
</bibtex> <br />
<br />
<bibtex> <br />
@misc{Pey10,<br />
author = {Thomas Peyrin},<br />
title = {Improved Differential Attacks for ECHO and Grostl},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/223},<br />
year = {2010},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/2010/223.pdf},<br />
abstract = {We present improved cryptanalysis of two second-round SHA-3 candidates: the AES-based hash functions ECHO and Grostl. We explain methods for building better differential trails for ECHO by increasing the granularity of the truncated differential paths previously considered. In the case of Grostl, we describe a new technique, the internal differential attack, which shows that when using parallel computations designers should also consider the differential security between the parallel branches. Then, we exploit the recently introduced start-from-the-middle or Super-Sbox attacks, that proved to be very efficient when attacking AES-like permutations, to achieve a very efficient utilization of the available freedom degrees. Finally, we obtain the best known attacks so far for both ECHO and Grostl. In particular, we are able to mount a distinguishing attack for the full Grostl-256 compression function.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{fseGP10,<br />
author = {Henri Gilbert and Thomas Peyrin},<br />
title = {Super-Sbox Cryptanalysis: Improved Attacks for AES-like permutations},<br />
url = {http://eprint.iacr.org/2009/531.pdf},<br />
booktitle = {FSE},<br />
year = {2010},<br />
series = {LNCS},<br />
publisher = {Springer},<br />
volume = {6147},<br />
pages = {365-383},<br />
abstract = {In this paper, we improve the recent rebound and start-from-the-middle attacks on AES-like permutations. Our new cryptanalysis technique uses the fact that one can view two rounds of such permutations as a layer of big Sboxes preceded and followed by simple affine transformations. The big Sboxes encountered in this alternative representation are named Super-Sboxes. We apply this method to two second-round SHA-3 candidates Grostl and ECHO, and obtain improvements over the previous cryptanalysis results for these two schemes. Moreover, we improve the best distinguisher for the AES block cipher in the known-key setting, reaching 8 rounds for the 128-bit version.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{ctrsaMRST10,<br />
author = {Florian Mendel and Christian Rechberger and Martin Schläffer and Søren S. Thomsen},<br />
title = {Rebound Attacks on the Reduced Grøstl Hash Function},<br />
url = {http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053},<br />
booktitle = {CT-RSA},<br />
year = {2010},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {5985},<br />
pages = {350-365},<br />
abstract = {Grøstl is one of 14 second round candidates of the<br />
NIST SHA-3 competition. Cryptanalytic results on the wide-pipe compression<br />
function of Grøstl-256 have already been published. However, little is known<br />
about the hash function, arguably a much more interesting cryptanalytic<br />
setting. Also, Grøstl-512 has not been analyzed yet. In this paper, we show<br />
the first cryptanalytic attacks on reduced-round versions of the Grøstl hash<br />
functions. These results are obtained by several extensions of the rebound<br />
attack. We present a collision attack on 4/10 rounds of the Grøstl-256 hash<br />
function and 5/14 rounds of the Grøstl-512 hash functions. Additionally, we<br />
give the best collision attack for reduced-round (7/10 and 7/14) versions of the<br />
compression function of Grøstl-256 and Grøstl-512.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{sacMPRS09,<br />
author = {Florian Mendel and Thomas Peyrin and Christian<br />
Rechberger and Martin Schläffer},<br />
title = {Improved Cryptanalysis of the Reduced Grøstl<br />
Compression Function, ECHO Permutation and AES Block Cipher},<br />
url = {http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124407&pCurrPk=44420},<br />
booktitle = {SAC},<br />
year = {2009},<br />
series = {LNCS},<br />
publisher = {Springer},<br />
volume = {5867},<br />
pages = {16-35},<br />
abstract = {In this paper, we propose two new ways to mount attacks<br />
on the SHA-3 candidates Gr{\o}stl, and ECHO, and apply these attacks<br />
also to the AES. Our results improve upon and extend the rebound<br />
attack. Using the new techniques, we are able to extend the number of<br />
rounds in which available degrees of freedom can be used. As a result,<br />
we present the first attack on 7 rounds for the Gr{\o}stl-256 output<br />
transformation and improve the semi-free-start collision attack on 6<br />
rounds. Further, we present an improved known-key distinguisher for 7<br />
rounds of the AES block cipher and the internal permutation used in<br />
ECHO.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{fseMRST09,<br />
author = {Florian Mendel and Christian Rechberger and Martin Schläffer and Søren S. Thomsen},<br />
title = {The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grøstl},<br />
url = {http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124409&pCurrPk=40943},<br />
booktitle = {FSE},<br />
editor = {Orr Dunkelman},<br />
year = {2009},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {5665},<br />
pages = {260-276},<br />
abstract = {In this work, we propose the rebound attack, a new tool<br />
for the cryptanalysis of hash functions. The idea of the rebound<br />
attack is to use the available degrees of freedom in a collision<br />
attack to efficiently bypass the low probability parts of a<br />
differential trail. The rebound attack consists of an inbound phase<br />
with a match-in-the-middle part to exploit the available degrees of<br />
freedom, and a subsequent probabilistic outbound phase. Especially on<br />
AES based hash functions, the rebound attack leads to new attacks for<br />
a surprisingly high number of<br />
rounds.<br />
We use the rebound attack to construct collisions for 4.5 rounds of<br />
the 512-bit hash function Whirlpool with a complexity of $2^{120}$<br />
compression function evaluations and negligible memory requirements.<br />
The attack can be extended to a near-collision on 7.5 rounds of the<br />
compression function of Whirlpool and 8.5 rounds of the similar hash<br />
function Maelstrom. Additionally, we apply the rebound attack to the<br />
SHA-3 submission Gr{\o}stl, which leads to an attack on 6 rounds of<br />
the Gr{\o}stl-256 compression function with a complexity of $2^{120}$<br />
and memory requirements of about $2^{64}$.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{groestlK09,<br />
author = {John Kelsey},<br />
title = {Some notes on Grøstl},<br />
url = {http://ehash.iaik.tugraz.at/uploads/d/d0/Grostl-comment-april28.pdf},<br />
howpublished = {Available online},<br />
year = {2009},<br />
abstract = {These are some quick notes on some properties and<br />
observations of Grøstl. Nothing in this note threatens the hash<br />
function; instead, I'm pointing out some properties that are a bit<br />
surprising, and some broad approaches someone might take to get<br />
attacks to work.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{groestlB08,<br />
author = {Paulo S. L. M. Barreto},<br />
title = {An observation on Grøstl},<br />
url = {http://www.larc.usp.br/~pbarreto/Grizzly.pdf},<br />
howpublished = {Available online},<br />
year = {2008},<br />
abstract = {An alternative view of the Groestl SHA-3 submission is<br />
presented. It does not lead to an effective attack nor reveals a<br />
weakness in the design, but illustrates the importance of the<br />
double-width pipe in this construction.},<br />
}<br />
</bibtex></div>
Mschlaeffer
https://ehash.iaik.tugraz.at/index.php?title=Skein&diff=3688
Skein
2011-03-21T09:27:35Z
<p>Mschlaeffer: </p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Niels Ferguson, Stefan Lucks, Bruce Schneier, Doug Whiting, Mihir Bellare, Tadayoshi Kohno, Jon Callas, Jesse Walker<br />
* Website: [http://www.schneier.com/skein.html http://www.schneier.com/skein.html]; [http://skein-hash.info/ http://skein-hash.info/]<br />
* NIST submission package: <br />
** round 3: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round3/documents/Skein_FinalRnd.zip Skein_FinalRnd.zip]<br />
** round 2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/Skein_Round2.zip Skein_Round2.zip]<br />
** round 1: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/SkeinUpdate.zip SkeinUpdate.zip] (old version: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/Skein.zip Skein.zip])<br />
<br />
<br />
<bibtex><br />
@misc{sha3F+10,<br />
author = {Niels Ferguson and Stefan Lucks and Bruce Schneier and Doug Whiting and Mihir Bellare and Tadayoshi Kohno and Jon Callas and Jesse Walker},<br />
title = {The Skein Hash Function Family},<br />
url = {http://www.skein-hash.info/sites/default/files/skein1.3.pdf},<br />
howpublished = {Submission to NIST (Round 3)},<br />
year = {2010},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3F+09,<br />
author = {Niels Ferguson and Stefan Lucks and Bruce Schneier and Doug Whiting and Mihir Bellare and Tadayoshi Kohno and Jon Callas and Jesse Walker},<br />
title = {The Skein Hash Function Family},<br />
url = {http://www.skein-hash.info/sites/default/files/skein1.2.pdf},<br />
howpublished = {Submission to NIST (Round 2)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3F+08,<br />
author = {Niels Ferguson and Stefan Lucks and Bruce Schneier and Doug Whiting and Mihir Bellare and Tadayoshi Kohno and Jon Callas and Jesse Walker},<br />
title = {The Skein Hash Function Family},<br />
url = {http://www.skein-hash.info/sites/default/files/skein1.1.pdf},<br />
howpublished = {Submission to NIST (Round 1)},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
Recommended security parameter: '''72''' rounds (Skein-256, Skein-512); '''80''' rounds (Skein-1024)<br />
<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| || || || || ||<br />
|- <br />
|}<br />
<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks). <br />
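Both this page and the Grøstl page above sort results by how much control over internal variables the attacker is granted. The following is an added illustration, not code from either submission or from this wiki: a constructed 16-bit iterated hash whose compression function f is built from truncated SHA-256, with an assumed fixed IV, so that the generic searches finish instantly. It shows the four settings used in the tables as code (collision on the hash function with the fixed IV, semi-free-start and free-start collisions on the compression function, pseudo-preimage of the compression function) and why a free-start collision on f is not by itself a collision on the hash function.<br />

```python
import hashlib
import itertools

N = 16                  # toy chaining-value size in bits (assumption for the example)
MASK = (1 << N) - 1
IV = 0x0123             # fixed initial value of the toy hash (assumption)


def f(h, m):
    """Toy compression function f(h, m) -> N-bit chaining value.
    Built from truncated SHA-256 so it behaves like a random map; it is
    not the Grøstl or Skein compression function."""
    data = h.to_bytes(2, "big") + m.to_bytes(2, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:2], "big")


def H(blocks):
    """Iterated hash: chain f from the fixed IV over N-bit message blocks.
    (No padding and no output transformation, which a real design adds.)"""
    h = IV
    for m in blocks:
        h = f(h, m)
    return h


def birthday(fn):
    """Generic birthday search over inputs 0, 1, 2, ...: returns the first
    pair x1 != x2 with fn(x1) == fn(x2). Deterministic, about 2^(N/2) calls."""
    seen = {}
    for x in itertools.count():
        y = fn(x)
        if y in seen:
            return seen[y], x
        seen[y] = x


def hash_collision():
    """Collision on the hash function itself: IV is fixed, only the
    message is chosen. This is the setting of the 'Hash function' table."""
    m1, m2 = birthday(lambda m: f(IV, m))
    return [m1], [m2]


def semi_free_start_collision(h_star):
    """Semi-free-start: the attacker picks one chaining value h* (the same
    for both inputs) and finds m != m' with f(h*, m) == f(h*, m')."""
    m1, m2 = birthday(lambda m: f(h_star, m))
    return (h_star, m1), (h_star, m2)


def _pair(x):
    """Deterministic pseudo-random (h, m) input pair for the free-start search."""
    d = hashlib.sha256(b"free-start" + x.to_bytes(4, "big")).digest()
    return int.from_bytes(d[:2], "big"), int.from_bytes(d[2:4], "big")


def free_start_collision():
    """Free-start: both chaining values are under attacker control, so the
    result is (h, m) != (h', m') with f(h, m) == f(h', m')."""
    x1, x2 = birthday(lambda x: f(*_pair(x)))
    return _pair(x1), _pair(x2)


def pseudo_preimage(target):
    """Pseudo-preimage: invert f alone, i.e. find any (h, m) with
    f(h, m) == target, with no requirement that h is reachable from IV.
    Expected cost 2^N calls to f (the generic bound)."""
    for x in itertools.count():
        h, m = (x >> N) & MASK, x & MASK
        if f(h, m) == target:
            return h, m


def one_block_preimages():
    """Chaining values reachable from IV with one message block, each with
    a block that reaches it. A random map misses roughly 1/e of all values."""
    table = {}
    for m in range(1 << N):
        table.setdefault(f(IV, m), m)
    return table


def lift_free_start(fs):
    """Why building-block results sit in a separate table: a free-start
    collision only becomes a collision on the hash function if both
    chaining values can actually be reached from IV. Here we try one-block
    prefixes; returns the two-block colliding messages or None."""
    (h1, m1), (h2, m2) = fs
    pre = one_block_preimages()
    if h1 in pre and h2 in pre:
        return [pre[h1], m1], [pre[h2], m2]
    return None


if __name__ == "__main__":
    M1, M2 = hash_collision()
    print("hash collision:", M1, M2, hex(H(M1)))
    fs = free_start_collision()
    print("free-start collision on f:", fs)
    print("lifted to the hash function:", lift_free_start(fs))
```

Run as a script, the free-start pair is found with a few hundred calls to f, but lift_free_start returns None whenever one of its chaining values is not in the image of f(IV, ·); at full size that search costs 2^n, which is exactly the gap between the two tables.<br />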
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|-<br />
| distinguisher || compression function || all || 57 rounds || 2<sup>503</sup> || - || [http://eprint.iacr.org/2010/538.pdf Khovratovich,Nikolić,Rechberger]<br />
|-<br />
| distinguisher || compression function || 256 || 53 rounds, Skein-256 || 2<sup>251</sup> || - || [http://eprint.iacr.org/2010/538.pdf Khovratovich,Nikolić,Rechberger]<br />
|-<br />
| near-collision || compression function || all || 24 rounds (No. 20-43) || 2<sup>230</sup> || - || [http://eprint.iacr.org/2010/355.pdf Su,Wu,Wu,Dong]<br />
|-<br />
| near-collision || compression function || 256 || 24 rounds (No. 12-35), Skein-256 || 2<sup>60</sup> || - || [http://eprint.iacr.org/2010/355.pdf Su,Wu,Wu,Dong]<br />
|-<br />
| near-collision || compression function || all || 24 rounds, Skein-1024 || 2<sup>395</sup> || - || [http://eprint.iacr.org/2010/355.pdf Su,Wu,Wu,Dong]<br />
|-<br />
| observations || hash || all || || || || [http://people.item.ntnu.no/~danilog/Hash/Non-random-behaviour-narrow-pipe-designs-03.pdf Gligoroski]<br />
|-<br />
| observations || block cipher || all || - || - || - || [http://eprint.iacr.org/2010/282.pdf McKay,Vora]<br />
|-<br />
| observations || compression function || all || - || - || - || [http://eprint.iacr.org/2010/262.pdf Kaminsky]<br />
|-<br />
| key recovery || block cipher || 256 || 39 rounds || 2<sup>254.1</sup> || - || [http://cryptolux.org/mediawiki/uploads/5/5b/Rotational_Cryptanalysis_of_Skein.pdf Khovratovich,Nikolić]<br />
|-<br />
| key recovery || block cipher || 512 || 42 rounds || 2<sup>507</sup> || - || [http://cryptolux.org/mediawiki/uploads/5/5b/Rotational_Cryptanalysis_of_Skein.pdf Khovratovich,Nikolić]<br />
|- <br />
| key recovery || block cipher || 512 || 32 rounds (Round 1) || 2<sup>226</sup> (2<sup>222</sup>) || 2<sup>12</sup> || [http://eprint.iacr.org/2009/526.pdf Chen,Jia]<br />
|- <br />
| key recovery || block cipher || 512 || 33 rounds (Round 1) || 2<sup>352.17</sup> (2<sup>355.5</sup>) || - || [http://eprint.iacr.org/2009/526.pdf Chen,Jia]<br />
|-<br />
| near-collision || compression function || 512 || 17 rounds (Round 1) || 2<sup>24</sup> || - || [http://eprint.iacr.org/2009/438.pdf Aumasson,Calik,Meier,Ozen,Phan,Varici]<br />
|- <br />
| distinguisher || block cipher || 512 || 35 rounds (Round 1) || 2<sup>478</sup> || - || [http://eprint.iacr.org/2009/438.pdf Aumasson,Calik,Meier,Ozen,Phan,Varici]<br />
|- <br />
| impossible differential || block cipher || 512 || 21 rounds (Round 1) || - || - || [http://eprint.iacr.org/2009/438.pdf Aumasson,Calik,Meier,Ozen,Phan,Varici]<br />
|- <br />
| key recovery || block cipher || 512 || 32 rounds (Round 1) || 2<sup>312</sup> || - || [http://eprint.iacr.org/2009/438.pdf Aumasson,Calik,Meier,Ozen,Phan,Varici]<br />
|- <br />
|} <br />
<br />
<br />
<bibtex><br />
@misc{skeinKNR10,<br />
author = {Dmitry Khovratovich and Ivica Nikolić and Christian Rechberger},<br />
title = {Rotational Rebound Attacks on Reduced Skein},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/538},<br />
year = {2010},<br />
url = {http://eprint.iacr.org/2010/538.pdf},<br />
abstract = {In this paper we combine the recent rotational cryptanalysis with the rebound attack, which results in the best cryptanalysis of Skein, a candidate for the SHA-3 competition. The rebound attack approach was so far only applied to AES-like constructions. For the first time, we show that this approach can also be applied to very different constructions. In more detail, we develop a number of techniques that extend the reach of both the inbound and the outbound phase, leading to rotational collisions for about 53/57 out of the 72 rounds of the Skein-256/512 compression function and the Threefish cipher. At this point, the results do not threaten the security of the full-round Skein hash function.<br />
<br />
The new techniques include an analytical search for optimal input values in the rotational cryptanalysis, which allows to extend the outbound phase of the attack with a precomputation phase, an approach never used in any rebound-style attack before. Further we show how to combine multiple inside-out computations and neutral bits in the inbound phase of the rebound attack, and give well-defined rotational distinguishers as certificates of weaknesses for the compression functions and block ciphers.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{skeinSuWWD10,<br />
author = {Bozhan Su and Wenling Wu and Shuang Wu and Le Dong},<br />
title = {Near-Collisions on the Reduced-Round Compression Functions of Skein and BLAKE},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/355},<br />
year = {2010},<br />
url = {http://eprint.iacr.org/2010/355.pdf},<br />
abstract = {The SHA-3 competition organized by NIST aims to find a new hash standard as a replacement of SHA-2. Till now, 14 submissions have been selected as the second round candidates, including Skein and BLAKE, both of which have components based on modular addition, rotation and bitwise XOR (ARX). In this paper, we propose improved near-collision attacks on the reduced-round compression functions of Skein and a variant of BLAKE. The attacks are based on linear differentials of the modular additions. The computational complexity of near-collision attacks on a 4-round compression function of BLAKE-32, 4-round and 5-round compression functions of BLAKE-64 are 2^{21}, 2^{16} and 2^{216} respectively, and the attacks on a 24-round compression functions of Skein-256, Skein-512 and Skein-1024 have a complexity of 2^{60}, 2^{230} and 2^{395} respectively.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{skeinGli10,<br />
author = {Danilo Gligoroski},<br />
title = {Narrow-pipe SHA-3 candidates differ significantly from ideal random functions defined over big domains},<br />
url = {http://people.item.ntnu.no/~danilog/Hash/Non-random-behaviour-narrow-pipe-designs-03.pdf},<br />
howpublished = {NIST mailing list},<br />
year = {2010},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{skeinMV10,<br />
author = {Kerry A. McKay and Poorvi L. Vora},<br />
title = {Pseudo-Linear Approximations for ARX Ciphers: With Application to Threefish},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/282},<br />
year = {2010},<br />
url = {http://eprint.iacr.org/2010/282.pdf},<br />
note = {\url{http://eprint.iacr.org/}},<br />
abstract = {The operations addition modulo 2^n and exclusive-or have recently been combined to obtain an efficient mechanism for nonlinearity in block cipher design. In this paper, we show that ciphers using this approach may be approximated by pseudo-linear expressions relating groups of contiguous bits of the round key, round input, and round output. The bias of an approximation can be large enough for known plaintext attacks. We demonstrate an application of this concept to a reduced-round version of the Threefish block cipher, a component of the Skein entry in the secure hash function competition.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{skeinKam10,<br />
author = {Alan Kaminsky},<br />
title = {Cube Test Analysis of the Statistical Behavior of CubeHash and Skein},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/262},<br />
year = {2010},<br />
url = {http://eprint.iacr.org/2010/262.pdf},<br />
note = {\url{http://eprint.iacr.org/}},<br />
abstract = {This work analyzes the statistical properties of the SHA-3 candidate cryptographic hash algorithms CubeHash and Skein to try to find nonrandom behavior. Cube tests were used to probe each algorithm's internal polynomial structure for a large number of choices of the polynomial input variables. The cube test data were calculated on a 40-core hybrid SMP cluster parallel computer. The cube test data were subjected to three statistical tests: balance, independence, and off-by-one. Although isolated statistical test failures were observed, the balance and off-by-one tests did not find nonrandom behavior overall in either CubeHash or Skein. However, the independence test did find nonrandom behavior overall in both CubeHash and Skein. }<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{skeinKN10,<br />
author = {Dmitry Khovratovich and Ivica Nikolić},<br />
title = {Rotational Cryptanalysis of ARX},<br />
howpublished = {Preproceedings of FSE 2010},<br />
year = {2010},<br />
url = {http://cryptolux.org/mediawiki/uploads/5/5b/Rotational_Cryptanalysis_of_Skein.pdf},<br />
abstract = {In this paper we analyze the security of systems based on<br />
modular additions, rotations, and XORs (ARX systems). We provide<br />
both theoretical support for their security and practical cryptanalysis of<br />
real ARX primitives. We use a technique called rotational cryptanalysis,<br />
that is universal for the ARX systems and is quite efficient. We illustrate<br />
the method with the best known attack on reduced versions of the block<br />
cipher Threefish (the core of Skein). Additionally, we prove that ARX<br />
with constants are functionally complete, i.e. any function can be realized<br />
with these operations.<br />
},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cryptoeprint:2009:526,<br />
author = {Jiazhe Chen and Keting Jia},<br />
title = {Improved Related-key Boomerang Attacks on Round-Reduced Threefish-512},<br />
howpublished = {Cryptology ePrint Archive, Report 2009/526},<br />
year = {2009},<br />
url = {http://eprint.iacr.org/2009/526.pdf},<br />
note = {\url{http://eprint.iacr.org/}},<br />
abstract = {Hash function Skein is one of the 14 NIST SHA-3 second round candidates. Threefish is a tweakable block cipher as the core of Skein, defined with a 256-, 512-, and 1024-bit block size. The 512-bit block size is the primary proposal of the authors. In this paper we construct two related-key boomerang distinguishers on round-reduced Threefish-512 using the method of \emph{modular differential}. With a distinguisher on 32 rounds of Threefish-512, we improve the key recovery attack on 32 rounds of Threefish-512 proposed by Aumasson et al. Their attack requires $2^{312}$ encryptions and $2^{71}$ bytes of memory. However, our attack has a time complexity of $2^{226}$ encryptions with memory of $2^{12}$ bytes. Furthermore, we give a key recovery attack on Threefish-512 reduced to 33 rounds using a 33-round related-key boomerang distinguisher, with $2^{352.17}$ encryptions and negligible memory. Skein had been updated after it entered the second round and the results above are based on the original version. However, as the only differences between the original and the new version are the rotation constants, both of the methods can be applied to the new version with modified differential trails. For the new rotation constants, our attack on 32-round Threefish-512 has a time complexity $2^{222}$ and $2^{12}$ bytes' memory. Our attack on 33-round Threefish-512 has a time complexity $2^{355.5}$ and negligible memory.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{skeinA+09,<br />
author = {Jean-Philippe Aumasson and Cagdas Calik and Willi Meier and Onur Ozen and Raphael C.-W. Phan and Kerem Varici},<br />
title = {Improved Cryptanalysis of Skein},<br />
howpublished = {Cryptology ePrint Archive, Report 2009/438},<br />
year = {2009},<br />
url = {http://eprint.iacr.org/2009/438.pdf},<br />
note = {\url{http://eprint.iacr.org/}},<br />
abstract={The hash function Skein is the submission of Ferguson et al. to the NIST Hash Competition, and is arguably a serious candidate for selection as SHA-3. This paper presents the first third-party analysis of Skein, with an extensive study of its main component: the block cipher Threefish. We notably investigate near collisions, distinguishers, impossible differentials, key recovery using related-key differential and boomerang attacks. In particular, we present near collisions on up to 17 rounds, an impossible differential on 21 rounds, a related-key boomerang distinguisher on 34 rounds, a known-related-key boomerang distinguisher on 35 rounds, and key recovery attacks on up to 32 rounds, out of 72 in total for Threefish-512. None of our attacks directly extends to the full Skein hash. However, the pseudorandomness of Threefish is required to validate the security proofs on Skein, and our results conclude that at least 36 rounds of Threefish seem required for optimal security guarantees.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{SkeinAum09,<br />
author = {Jean-Philippe Aumasson and Willi Meier and Raphael Phan},<br />
title = {Improved analysis of Threefish},<br />
url = {http://131002.net/data/talks/threefish_rump.pdf},<br />
howpublished = {FSE 2009 rump session, slides available online},<br />
year = {2009},<br />
}<br />
</bibtex></div>
Keccak (revision by Mschlaeffer, 2011-03-21T09:27:08Z): https://ehash.iaik.tugraz.at/index.php?title=Keccak&diff=3687
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche<br />
* Website: [http://keccak.noekeon.org/ http://keccak.noekeon.org/] <br />
* NIST submission package: <br />
** round 3: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round3/documents/Keccak_FinalRnd.zip Keccak_FinalRnd.zip]<br />
** round 2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/Keccak_Round2.zip Keccak_Round2.zip]<br />
** round 1: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/Keccak.zip Keccak.zip]<br />
<br />
<br />
<bibtex><br />
@misc{KeccakSub3,<br />
author = {G. Bertoni and J. Daemen and M. Peeters and G. Van Assche},<br />
title = {The Keccak SHA-3 submission},<br />
url = {http://keccak.noekeon.org/Keccak-submission-3.pdf},<br />
howpublished = {Submission to NIST (Round 3)},<br />
year = {2011},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{KeccakRef3,<br />
author = {G. Bertoni and J. Daemen and M. Peeters and G. Van Assche},<br />
title = {The Keccak reference},<br />
url = {http://keccak.noekeon.org/Keccak-reference-3.0.pdf},<br />
howpublished = {Submission to NIST (Round 3)},<br />
year = {2011},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{KeccakSpecs2,<br />
author = {G. Bertoni and J. Daemen and M. Peeters and G. Van Assche},<br />
title = {Keccak specifications},<br />
url = {http://keccak.noekeon.org/Keccak-specifications-2.pdf},<br />
howpublished = {Submission to NIST (Round 2)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{KeccakMain2,<br />
author = {G. Bertoni and J. Daemen and M. Peeters and G. Van Assche},<br />
title = {Keccak sponge function family main document},<br />
url = {http://keccak.noekeon.org/Keccak-main-2.0.pdf},<br />
howpublished = {Submission to NIST (Round 2)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{KeccakSpecs,<br />
author = {G. Bertoni and J. Daemen and M. Peeters and G. Van Assche},<br />
title = {Keccak specifications},<br />
url = {http://keccak.noekeon.org/Keccak-specifications.pdf},<br />
howpublished = {Submission to NIST (Round 1)},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{KeccakMain,<br />
author = {G. Bertoni and J. Daemen and M. Peeters and G. Van Assche},<br />
title = {Keccak sponge function family main document},<br />
url = {http://keccak.noekeon.org/Keccak-main-1.0.pdf},<br />
howpublished = {Submission to NIST (Round 1)},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
Recommended security parameter: '''24''' rounds (Keccak-''f'' [1600])<br />
<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| 2nd preimage || 512 || 6 rounds || 2<sup>506</sup> || 2<sup>176</sup> || [http://ehash.iaik.tugraz.at/uploads/6/65/NIST-mailing-list_Bernstein-Daemen.txt Bernstein]<br />
|- <br />
| 2nd preimage || 512 || 7 rounds || 2<sup>507</sup> || 2<sup>320</sup> || [http://ehash.iaik.tugraz.at/uploads/6/65/NIST-mailing-list_Bernstein-Daemen.txt Bernstein]<br />
|- <br />
| 2nd preimage || 512 || 8 rounds || 2<sup>511.5</sup> || 2<sup>508</sup> || [http://ehash.iaik.tugraz.at/uploads/6/65/NIST-mailing-list_Bernstein-Daemen.txt Bernstein]<br />
|- <br />
|}<br />
<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks). <br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| distinguisher || permutation || all || 24 rounds || 2<sup>1579</sup> || || [http://eprint.iacr.org/2011/023.pdf Duan,Lai]<br />
|- <br />
| distinguisher || permutation || all || 24 rounds || 2<sup>1590</sup> || || [http://eprint.iacr.org/2010/589.pdf Boura,Canteaut,DeCanniere]<br />
|- <br />
| distinguisher || permutation || all || 20 rounds || 2<sup>1586</sup> || || [http://www-rocq.inria.fr/secret/Christina.Boura/data/sac.pdf Boura,Canteaut]<br />
|- <br />
| preimage<sup>(2)</sup> || hash || 1024 || 3 rounds, 40 bit message || 1852 seconds (2<sup>34.11</sup>) || ? || [http://eprint.iacr.org/2010/285.pdf Morawiecki,Srebrny]<br />
|- <br />
| distinguisher<sup>(1)</sup> || permutation || all || 18 rounds || 2<sup>1370</sup> || || [http://www-roc.inria.fr/secret/Anne.Canteaut/Publications/zero_sum.pdf Boura,Canteaut]<br />
|- <br />
| distinguisher<sup>(1)</sup> || permutation || all || 16 rounds || 2<sup>1023.88</sup> || || [http://www.131002.net/data/papers/AM09.pdf Aumasson,Meier]<br />
|- <br />
| key recovery || secret-prefix MAC || 224 || 4 rounds || 2<sup>19</sup> || ? || [http://www.cs.rit.edu/~jal6806/thesis/thesis.pdf Lathrop]<br />
|- <br />
| observations || permutation || all || || || || [http://131002.net/data/papers/AK09.pdf Aumasson,Khovratovich]<br />
|- <br />
|}<br />
<br />
<sup>(1)</sup>The Keccak team commented on these distinguishers and provide generic constructions in [http://keccak.noekeon.org/NoteZeroSum.pdf this note].<br />
<br />
<sup>(2)</sup>The Keccak team estimated the complexity of this attack with 2<sup>34.11</sup> evaluations of 3-rounds of Keccak-f[1600] in [http://ehash.iaik.tugraz.at/uploads/5/5b/Note_SAT-basedPreimageAnalysis.txt this note] (exhaustive search: 2<sup>40</sup>).<br />
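The round count in the Parameters column is the security parameter these tables are indexed by, and the zero-sum rows rest on one algebraic fact: χ is the only non-linear step of a round and has degree 2, so ''r'' rounds of Keccak-''f'' have algebraic degree at most 2<sup>''r''</sup>, and XOR-summing the output over any affine subspace of inputs of dimension 2<sup>''r''</sup>+1 gives zero. The following Python module is an added example written for this page; it is not code from the Keccak team or from this wiki. It implements Keccak-''f''[1600] with the number of rounds as a parameter, wraps it in a sponge (checked against the standard library's SHA3-256, whose permutation is the same Keccak-''f''[1600]; the 0x06 domain suffix is the FIPS 202 padding, 0x01 the submission's plain pad10*1), and runs the elementary forward zero-sum check for 1 to 3 rounds. Two choices are assumptions of the example, not of the specification: reduced-round variants apply the last ''n<sub>r</sub>'' of the 24 round constants (the Keccak-''p'' convention; published reduced-round results do not all use the same one), and the base state and variable bit positions of the cube are constructed constants with no special meaning.<br />

```python
"""Keccak-f[1600] with the round count as a parameter, a sponge around it,
and an elementary zero-sum check.  Added example; not code from the Keccak
team or the SHA-3 Zoo.  Assumptions: reduced-round variants use the LAST
n_r round constants (the Keccak-p[1600, n_r] convention of FIPS 202), and the
cube base state below is a constructed constant."""
import hashlib

MASK64 = (1 << 64) - 1

# rho rotation offsets, indexed [x][y]
RHO = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],
       [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]


def _rc_bit(t):
    """Bit rc(t) of the iota LFSR (x^8 + x^6 + x^5 + x^4 + 1)."""
    r = 1
    for _ in range(t % 255):
        r <<= 1
        if r & 0x100:
            r ^= 0x171  # drop the overflow bit and feed it back into bits 0, 4, 5, 6
    return r & 1


# The 24 round constants, generated from the LFSR rather than typed in
RC = [sum(_rc_bit(j + 7 * ir) << ((1 << j) - 1) for j in range(7)) for ir in range(24)]


def _rotl(v, n):
    return ((v << n) | (v >> (64 - n))) & MASK64 if n else v


def keccak_f1600(lanes, rounds=24):
    """Apply `rounds` rounds of Keccak-f[1600] to 25 64-bit lanes (index x + 5*y).
    rounds=24 is the full permutation; fewer rounds use the last constants."""
    assert 0 <= rounds <= 24
    a = list(lanes)
    for ir in range(24 - rounds, 24):
        # theta: XOR each lane with the parity of two neighbouring columns
        c = [a[x] ^ a[x + 5] ^ a[x + 10] ^ a[x + 15] ^ a[x + 20] for x in range(5)]
        d = [c[(x - 1) % 5] ^ _rotl(c[(x + 1) % 5], 1) for x in range(5)]
        a = [a[i] ^ d[i % 5] for i in range(25)]
        # rho (lane rotation) and pi (lane permutation B[y, 2x+3y] = A[x, y])
        b = [0] * 25
        for x in range(5):
            for y in range(5):
                b[y + 5 * ((2 * x + 3 * y) % 5)] = _rotl(a[x + 5 * y], RHO[x][y])
        # chi: the only non-linear step, degree 2 within each row
        a = [b[x + 5 * y] ^ (~b[(x + 1) % 5 + 5 * y] & b[(x + 2) % 5 + 5 * y])
             for y in range(5) for x in range(5)]
        # iota: round constant into lane (0, 0)
        a[0] ^= RC[ir]
    return a


def keccak_sponge(message, rate_bytes, suffix, out_len, rounds=24):
    """Sponge with pad10*1; `suffix` carries the domain bits (0x01 for the
    original Keccak submission, 0x06 for FIPS 202 SHA-3)."""
    buf = bytearray(message) + bytes([suffix])
    buf += bytes((-len(buf)) % rate_bytes)
    buf[-1] |= 0x80
    state = [0] * 25
    for off in range(0, len(buf), rate_bytes):          # absorb
        for i in range(rate_bytes // 8):
            state[i] ^= int.from_bytes(buf[off + 8 * i:off + 8 * i + 8], "little")
        state = keccak_f1600(state, rounds)
    out = bytearray()
    while True:                                          # squeeze
        for i in range(rate_bytes // 8):
            out += state[i].to_bytes(8, "little")
        if len(out) >= out_len:
            return bytes(out[:out_len])
        state = keccak_f1600(state, rounds)


def sha3_256(message, rounds=24):
    return keccak_sponge(message, 136, 0x06, 32, rounds)


def keccak_256(message, rounds=24):
    """Keccak[r=1088, c=512] of the submission, 256-bit output, pad10*1 only."""
    return keccak_sponge(message, 136, 0x01, 32, rounds)


def matches_hashlib(message):
    """Cross-check the full-round permutation against the standard library."""
    return sha3_256(message) == hashlib.sha3_256(message).digest()


def zero_sum_check(rounds, dimension):
    """XOR-sum inputs and outputs of `rounds`-round Keccak-f over an affine
    subspace of the given dimension (a cube over `dimension` input bits around
    a fixed base state).  r rounds have degree at most 2**r, so any dimension
    >= 2**r + 1 must give an all-zero output sum.  Returns
    (input_sum_is_zero, output_sum_is_zero)."""
    base = [(0x9E3779B97F4A7C15 * (i + 1)) & MASK64 for i in range(25)]  # constructed
    var_bits = [(i % 25, (7 * i) % 64) for i in range(dimension)]          # distinct bits
    in_sum, out_sum = [0] * 25, [0] * 25
    for sel in range(1 << dimension):
        state = list(base)
        for k, (lane, bit) in enumerate(var_bits):
            if sel >> k & 1:
                state[lane] ^= 1 << bit
        out = keccak_f1600(state, rounds)
        in_sum = [p ^ q for p, q in zip(in_sum, state)]
        out_sum = [p ^ q for p, q in zip(out_sum, out)]
    return not any(in_sum), not any(out_sum)


if __name__ == "__main__":
    print("SHA3-256 matches hashlib:", matches_hashlib(b"abc"))
    print("Keccak-256(''):", keccak_256(b"").hex())
    for r in (1, 2, 3):
        print(f"{r} rounds, cube dimension {2 ** r + 1}:", zero_sum_check(r, 2 ** r + 1))
```

The results in the table go much further than this one-sided check: Aumasson and Meier start from a state in the middle of the permutation and sum in both directions, and Boura and Canteaut and later Duan and Lai tighten the bound on the degree of the inverse permutation, which is what carries the zero-sum partitions to 16, 18, 20 and finally all 24 rounds. The forward check alone is hopeless past a handful of rounds: 4 rounds already need a 17-dimensional cube, 2<sup>17</sup> evaluations, and the dimension doubles with every further round.<br />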
<br />
<br />
<bibtex><br />
@misc{cryptoeprint:2011:023,<br />
author = {Ming Duan and Xuejia Lai},<br />
title = {Improved zero-sum distinguisher for full round Keccak-f permutation},<br />
howpublished = {Cryptology ePrint Archive, Report 2011/023},<br />
year = {2011},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/2011/023.pdf},<br />
abstract = {K$\textsc{eccak}$ is one of the five hash functions selected for the final round of the SHA-3 competition and its inner primitive is a permutation called K$\textsc{eccak}$-$f$. In this paper, we find that for the inverse of the only one nonlinear transformation of K$\textsc{eccak}$-$f$, the algebraic degrees of any output coordinate and of the product of any two output coordinates are both 3 and also 2 less than its size 5. Combining the observation with a proposition from an upper bound on the degree of iterated permutations, we improve the zero-sum distinguisher of full 24 rounds K$\textsc{eccak}$-$f$ permutation by lowering the size of the zero-sum partition from $2^{1590}$ to $2^{1579}$.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{KeccakBernstein10,<br />
author = {Daniel J. Bernstein},<br />
title = {Second preimages for 6 (7? (8??)) rounds of Keccak?},<br />
url = {http://ehash.iaik.tugraz.at/uploads/6/65/NIST-mailing-list_Bernstein-Daemen.txt},<br />
howpublished = {NIST mailing list},<br />
year = {2010},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cryptoeprint:2010:589,<br />
author = {Christina Boura and Anne Canteaut and Christophe De Canniere},<br />
title = {Higher-order differential properties of Keccak and Luffa},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/589},<br />
year = {2010},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/2010/589.pdf},<br />
abstract = {In this paper, we identify higher-order differential and zero-sum properties in the full Keccak-f permutation, in the Luffa v1 hash function, and in components of the Luffa v2 algorithm. These structural properties rely on a new bound on the degree of iterated permutations with a nonlinear layer composed of parallel applications of smaller balanced Sboxes. These techniques yield zero-sum partitions of size $2^{1590}$ for the full Keccak-f permutation and several observations on the Luffa hash family. We first show that Luffa v1 applied to one-block messages is a function of 255 variables with degree at most 251. This observation leads to the construction of a higher-order differential distinguisher for the full Luffa v1 hash function, similar to the one presented by Watanabe et al. on a reduced version. We show that similar techniques can be used to find all-zero higher-order differentials in the Luffa v2 compression function, but the additional blank round destroys this property in the hash function.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{sacBC10,<br />
author = {Christina Boura and Anne Canteaut},<br />
title = {Zero-Sum Distinguishers for Iterated Permutations and Application to Keccak-f and Hamsi-256},<br />
url = {http://www-rocq.inria.fr/secret/Christina.Boura/data/sac.pdf},<br />
booktitle = {SAC},<br />
year = {2010},<br />
series = {LNCS},<br />
publisher = {Springer},<br />
note = {To appear},<br />
abstract = {The zero-sum distinguishers introduced by Aumasson and Meier are investigated. First, the minimal size of a zero-sum is established. Then, we analyze the impacts of the linear and the nonlinear layers in an iterated permutation on the construction of zero-sum partitions. Finally, these techniques are applied to the Keccak-f permutation and to Hamsi-256. We exhibit several zero-sum partitions for 20 rounds (out of 24) of Keccak-f and some zero-sum partitions of size $2^{19}$ and $2^{10}$ for the finalization permutation in Hamsi-256.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{keccakMS10,<br />
author = {Pawel Morawiecki and Marian Srebrny},<br />
title = {A SAT-based preimage analysis of reduced KECCAK hash functions},<br />
url = {http://eprint.iacr.org/2010/285.pdf},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/285},<br />
year = {2010},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{KeccakNoteZeroSum,<br />
author = {G. Bertoni and J. Daemen and M. Peeters and G. Van Assche},<br />
title = {Note on zero-sum distinguishers of Keccak-f},<br />
url = {http://keccak.noekeon.org/NoteZeroSum.pdf},<br />
howpublished = {NIST mailing list},<br />
year = {2010},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{keccakBC10,<br />
author = {Christina Boura and Anne Canteaut},<br />
title = {A Zero-Sum property for the Keccak-f Permutation with 18 Rounds},<br />
url = {http://www-roc.inria.fr/secret/Anne.Canteaut/Publications/zero_sum.pdf},<br />
howpublished = {NIST mailing list},<br />
year = {2010},<br />
abstract = {A new type of distinguishing property, named the zero-sum property<br />
has been recently presented by Aumasson and Meier [1]. It has<br />
been applied to the inner permutation of the hash function Keccak<br />
and it has led to a distinguishing property for the Keccak-f permutation<br />
up to 16 rounds, out of 24 in total. Here, we additionally exploit<br />
some spectral properties of the Keccak-f permutation and we improve<br />
the previously known upper bounds on the degree of the inverse<br />
permutation after a certain number of rounds. This result enables us<br />
to extend the zero-sum property to 18 rounds of the Keccak-f permutation,<br />
which was the number of rounds in the previous version of<br />
Keccak submitted to the SHA-3 competition.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{keccakAM09,<br />
author = {Jean-Philippe Aumasson and Willi Meier},<br />
title = {Zero-sum distinguishers for reduced Keccak-f and for the core functions of Luffa and Hamsi},<br />
url = {http://www.131002.net/data/papers/AM09.pdf},<br />
howpublished = {NIST mailing list},<br />
year = {2009},<br />
abstract = {We present a new type of distinguisher, called zero-sum distinguisher, and apply it to reduced versions of the Keccak-f permutation. We obtain practical and deterministic distinguishers on up to 9 rounds, and shortcut distinguishers on up to 16 rounds, out of 18 in total. These observations do not seem to affect the security of Keccak. We also briefly describe application of zero-sum distinguishers to the core permutations of Luffa and Hamsi.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{keccakLat09,<br />
author = {Joel Lathrop},<br />
title = {Cube Attacks on Cryptographic Hash Functions},<br />
url = {http://www.cs.rit.edu/~jal6806/thesis/thesis.pdf},<br />
howpublished = {Available online},<br />
year = {2009},<br />
abstract = {The thesis includes a successful cube attack against 4-round Keccak complete with a table of maxterms, analysis of the attack, and the estimated limits of its extension to higher numbers of rounds.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{keccakAK09,<br />
author = {Jean-Philippe Aumasson and Dmitry Khovratovich},<br />
title = {First Analysis of Keccak},<br />
url = {http://131002.net/data/papers/AK09.pdf},<br />
howpublished = {Available online},<br />
year = {2009},<br />
abstract = {We apply known automated cryptanalytic tools to the Keccak-f[1600] permutation, using<br />
a triangulation tool to solve the CICO problem, and cube testers to detect some structure in the<br />
algebraic description of the reduced Keccak-f[1600]. The applicability of our tools was notably limited<br />
by the strength of the inverse permutation.},<br />
}<br />
</bibtex></div>
JH (revision by Mschlaeffer, 2011-03-21T09:26:47Z): https://ehash.iaik.tugraz.at/index.php?title=JH&diff=3686
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Hongjun Wu<br />
* Website: [http://www3.ntu.edu.sg/home/wuhj/research/jh/ http://www3.ntu.edu.sg/home/wuhj/research/jh/]<br />
* NIST submission package: <br />
** round 3: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round3/documents/JH_FinalRnd.zip JH_FinalRnd.zip]<br />
** round 1/2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/JH_Round2.zip JH_Round2.zip] (old versions: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/JH.zip JH.zip], [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/JHUpdate.zip JHUpdate.zip])<br />
<br />
<br />
<bibtex><br />
@misc{sha3W09,<br />
author = {Hongjun Wu},<br />
title = {The Hash Function JH},<br />
url = {http://www3.ntu.edu.sg/home/wuhj/research/jh/jh_round3.pdf},<br />
howpublished = {Submission to NIST (round 3)},<br />
year = {2011},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3W09a,<br />
author = {Hongjun Wu},<br />
title = {The Hash Function JH},<br />
url = {http://ehash.iaik.tugraz.at/uploads/1/1d/Jh20090915.pdf},<br />
howpublished = {Submission to NIST (Round 1/2)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
Recommended security parameter: '''42''' rounds<br />
<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|-<br />
| style="background:greenyellow" | preimage || 512 || || 2<sup>507</sup> || 2<sup>507</sup> || [http://www.isical.ac.in/~rishi_r/FSE2010-146.pdf Bhattacharyya et al.]<br />
|- <br />
| style="background:greenyellow" | preimage<sup>(1)</sup> || 512 || || 2<sup>510.3</sup> (+ 2<sup>524</sup> MA + 2<sup>524</sup> CMP) || 2<sup>510.3</sup> (Wu: 2<sup>510.6</sup>) || [http://ehash.iaik.tugraz.at/uploads/d/da/Jh_preimage.pdf Mendel,Thomsen], [http://ehash.iaik.tugraz.at/uploads/6/6f/Jh_mt_complexity.pdf Wu]<br />
|- <br />
|} <br />
<br />
<sup>(1)</sup> Wu has analyzed the exact memory requirements, additional memory accesses (MA) and comparisons (CMP) of the attack by Mendel and Thomsen.<br />
<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks). <br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| semi-free-start collision || compression function || 256 || 16 rounds || 2<sup>96.12</sup> || 2<sup>96.12</sup> || [http://eprint.iacr.org/2010/607.pdf Naya-Plasencia]<br />
|-<br />
| semi-free-start near collision || compression function || 256 || 22 rounds || 2<sup>95.63</sup> || 2<sup>95.63</sup> || [http://eprint.iacr.org/2010/607.pdf Naya-Plasencia]<br />
|-<br />
| semi-free-start near collision || compression function || all || 10 rounds || 2<sup>23.24</sup> || - || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/TURAN_Paper_Erdener.pdf Turan,Uyan]<br />
|- <br />
| semi-free-start collision || hash || 256 || 16 rounds || 2<sup>178.24</sup> || 2<sup>101.12</sup> || [http://www.cosic.esat.kuleuven.be/publications/article-1431.pdf Rijmen,Toz,Varıcı]<br />
|- <br />
| semi-free-start near collision || compression function || 256 || 22 rounds || 2<sup>156.77</sup> || 2<sup>143.70</sup> || [http://www.cosic.esat.kuleuven.be/publications/article-1431.pdf Rijmen,Toz,Varıcı]<br />
|- <br />
| semi-free-start near collision || compression function || 256 || 22 rounds || 2<sup>156.56</sup> || 2<sup>143.70</sup> || [http://www.cosic.esat.kuleuven.be/publications/article-1431.pdf Rijmen,Toz,Varıcı]<br />
|- <br />
| pseudo-collision || compression function || all || || - || - || [http://ehash.iaik.tugraz.at/uploads/a/a8/Jh1.txt Bagheri]<br />
|- <br />
| pseudo-2nd preimage || compression function || all || || - || - || [http://ehash.iaik.tugraz.at/uploads/a/a8/Jh1.txt Bagheri]<br />
|- <br />
|} <br />
<br />
<br />
<bibtex><br />
@misc{cryptoeprint:2010:607,<br />
author = {María Naya-Plasencia},<br />
title = {Scrutinizing rebound attacks: new algorithms for improving the complexities},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/607},<br />
year = {2010},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/2010/607.pdf},<br />
abstract = {Rebound attacks are a state-of-the-art analysis method for hash functions. These cryptanalysis methods are based on a well chosen differential path and have been applied to several hash functions from the SHA-3 competition, providing the best known analysis in these cases. In this paper we study rebound attacks in detail and find for a great number of cases, that complexities of existing attacks can be improved. This is done by determining problems that adapt optimally to the cryptanalytic situation, and by using better algorithms to follow the differential path. These improvements are essentially based on merging big lists in a more efficient way, as well as on new ideas on how to reduce the complexities. As a result, we introduce general purpose new algorithms for enabling further rebound analysis to be as performant as possible. We illustrate our new algorithms for real hash functions and demonstrate how to reduce the complexities of the best known analysis on five hash functions: JH, Grøstl, ECHO, Luffa and Lane (the first four are round two SHA-3 candidates).},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{blakeTU10,<br />
author = {Meltem Sönmez Turan and Erdener Uyan},<br />
title = {Practical Near-Collisions for Reduced Round Blake, Fugue, Hamsi and JH},<br />
howpublished = {Second SHA-3 Candidate Conference},<br />
year = {2010},<br />
url = {http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/TURAN_Paper_Erdener.pdf},<br />
abstract = {A hash function is near-collision resistant, if it is hard to find two messages with hash values that differ in only a small number of bits. In this study, we use hill climbing methods to evaluate the near-collision resistance of some of the round SHA-3 candidates. We practically obtained (i) 184/256-bit near-collision for the 2-round compression function of Blake-32; (ii) 192/256-bit near-collision for the 2-round compression function of Hamsi-256; (iii) 820/1024-bit near-collisions for 10-round compression function of JH. We also observed practical collisions and near-collisions for reduced versions of F-256 function used in Fugue.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{BMN10,<br />
author = {Rishiraj Bhattacharyya and Avradip Mandal and Mridul Nandi},<br />
title = {Security Analysis of the Mode of JH Hash Function},<br />
url = {http://www.isical.ac.in/~rishi_r/FSE2010-146.pdf},<br />
booktitle = {FSE},<br />
year = {2010},<br />
series = {LNCS},<br />
note = {To appear}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{RTV10,<br />
author = {Vincent Rijmen and Denis Toz and Kerem Varıcı},<br />
title = {Rebound Attack on Reduced-Round Versions of JH},<br />
url = {http://www.cosic.esat.kuleuven.be/publications/article-1431.pdf},<br />
booktitle = {FSE},<br />
year = {2010},<br />
series = {LNCS},<br />
note = {To appear}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{B08,<br />
author = {Nasour Bagheri},<br />
title = {Pseudo-collision and pseudo-second preimage on JH},<br />
url = {http://ehash.iaik.tugraz.at/uploads/a/a8/Jh1.txt}, <br />
howpublished = {NIST mailing list (local link)},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{MT08,<br />
author = {Florian Mendel and Søren S. Thomsen},<br />
title = {An Observation on JH-512},<br />
url = {http://ehash.iaik.tugraz.at/uploads/d/da/Jh_preimage.pdf}, <br />
howpublished = {Available online},<br />
year = {2008},<br />
abstract = {In this paper, we present a generic preimage attack on JH-512. We do not claim that<br />
our attack breaks JH-512 (due to the high memory requirements), but it uses some interesting<br />
properties in the design principles of JH-512 which do not exist in other hash functions, e.g., the<br />
SHA-2 family.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{MT08,<br />
author = {Hongjun Wu},<br />
title = {The Complexity of Mendel and Thomsen's Preimage Attack on JH-512},<br />
url = {http://ehash.iaik.tugraz.at/uploads/6/6f/Jh_mt_complexity.pdf}, <br />
howpublished = {Available online},<br />
year = {2009},<br />
abstract = {Mendel and Thomsen gave a preimage attack on JH-512 by finding a preimage through the collision search over the space of $2^{1024}$ elements. However, they did not estimate the cost of the collision search which is the most expensive part in their attack. Our analysis shows that their attack requires at least $2^{510.3}$ compression function computations, $2^{510.6}$ memory ($2^{516.6}$ bytes), $2^{524}$ memory accesses and $2^{524}$ comparisons. Such complexity is far more expensive than brute force<br />
attack which requires $2^{512}$ compression function computations and almost no memory.},<br />
}<br />
</bibtex></div>
Mschlaeffer
https://ehash.iaik.tugraz.at/index.php?title=Groestl&diff=3685
Groestl
2011-03-21T09:26:21Z
<p>Mschlaeffer: </p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Praveen Gauravaram, Lars R. Knudsen, Krystian Matusiewicz, Florian Mendel, Christian Rechberger, Martin Schläffer, Søren S. Thomsen<br />
* Website: [http://www.groestl.info http://www.groestl.info]<br />
* NIST submission package: <br />
** round 3: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round3/documents/Groestl_FinalRnd.zip Groestl_FinalRnd.zip]<br />
** round 1/2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/Grostl_Round2.zip Grostl_Round2.zip] (old version: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/Grostl.zip Grostl.zip])<br />
<br />
<br />
<bibtex><br />
@misc{sha3groestl,<br />
author = {Praveen Gauravaram and Lars R. Knudsen and Krystian Matusiewicz and Florian Mendel and Christian Rechberger and Martin Schläffer and Søren S. Thomsen},<br />
title = {Grøstl -- a SHA-3 candidate},<br />
url = {http://www.groestl.info/Groestl.pdf},<br />
howpublished = {Submission to NIST (Round 3)},<br />
year = {2011},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3groestl,<br />
author = {Praveen Gauravaram and Lars R. Knudsen and Krystian Matusiewicz and Florian Mendel and Christian Rechberger and Martin Schläffer and Søren S. Thomsen},<br />
title = {Grøstl Addendum},<br />
url = {http://groestl.info/Groestl-addendum.pdf},<br />
howpublished = {Available online},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3groestl,<br />
author = {Praveen Gauravaram and Lars R. Knudsen and Krystian Matusiewicz and Florian Mendel and Christian Rechberger and Martin Schläffer and Søren S. Thomsen},<br />
title = {Grøstl -- a SHA-3 candidate},<br />
url = {http://groestl.info/Groestl-0.pdf},<br />
howpublished = {Submission to NIST (Round 1/2)},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
Recommended security parameter: '''10''' rounds (n=224,256); '''14''' rounds (n=384,512)<br />
<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|-<br />
| collision || 224,256 || 3 rounds || 2<sup>64</sup> || - || [http://groestl.info/groestl-analysis.pdf Schläffer]<br />
|-<br />
| collision || 512 || 4 rounds || 2<sup>192</sup> || - || [http://groestl.info/groestl-analysis.pdf Schläffer]<br />
|-<br />
|} <br />
<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control or access over some internal variables (a.k.a. free-start, pseudo, compression function, block cipher, or permutation attacks). <br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| semi-free-start collision || compression function || 256 || 6 rounds || 2<sup>112</sup> || 2<sup>64</sup> || [http://groestl.info/groestl-analysis.pdf Schläffer]<br />
|-<br />
| semi-free-start collision || compression function || 384,512 || 6 rounds || 2<sup>180</sup> || 2<sup>64</sup> || [http://groestl.info/groestl-analysis.pdf Schläffer]<br />
|-<br />
| collision || hash function || 224,256 || 5 rounds (Round 1) || 2<sup>48</sup> || 2<sup>32</sup> || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel]<br />
|-<br />
| collision || hash function || 256 || 6 rounds (Round 1) || 2<sup>112</sup> || 2<sup>32</sup> || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel]<br />
|-<br />
| collision || hash function || 224,256 || 4 rounds (Round 1) || 2<sup>64</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| collision || hash function || 224,256 || 3 rounds (Round 1) || 2<sup>64</sup> || - || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| collision || hash function || 384,512 || 5 rounds (Round 1) || 2<sup>176</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| collision || hash function || 384,512 || 4 rounds (Round 1) || 2<sup>64</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| distinguisher || compression function || 256 || 10 rounds (Round 1) || 2<sup>175</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/607.pdf Naya-Plasencia]<br />
|-<br />
| distinguisher || compression function || 512 || 11 rounds (Round 1) || 2<sup>630</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/607.pdf Naya-Plasencia]<br />
|-<br />
| distinguisher || permutation || 256 || 8 rounds || 2<sup>48</sup> || 2<sup>8</sup> || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SASAKI_ECHOanalysisFinal.pdf Sasaki,Li,Wang,Sakiyama,Ohta]<br />
|-<br />
| semi-free-start collision || compression function || 512 || 7 rounds (Round 1) || 2<sup>152</sup> || 2<sup>56</sup> || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SASAKI_ECHOanalysisFinal.pdf Sasaki,Li,Wang,Sakiyama,Ohta]<br />
|-<br />
| semi-free-start collision || compression function || 224,256 || 7 rounds (Round 1) || 2<sup>80</sup> || 2<sup>32</sup> || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel]<br />
|-<br />
| semi-free-start collision || compression function || 224,256 || 8 rounds (Round 1) || 2<sup>192</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel]<br />
|-<br />
| distinguisher || permutation || 224,256 || 7 rounds || 2<sup>19</sup> || - || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel]<br />
|-<br />
| distinguisher || permutation || 224,256 || 8 rounds || 2<sup>64</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel]<br />
|-<br />
| distinguisher || compression function || 256 || 10 rounds (Round 1) || 2<sup>192</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/223.pdf Peyrin]<br />
|- <br />
| distinguisher || compression function || 256 || 9 rounds (Round 1) || 2<sup>80</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/223.pdf Peyrin]<br />
|- <br />
| distinguisher || compression function || 512 || 11 rounds (Round 1) || 2<sup>640</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/223.pdf Peyrin]<br />
|- <br />
| semi-free-start collision || compression function || 256 || 7 rounds (Round 1) || 2<sup>120</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2009/531.pdf Gilbert,Peyrin]<br />
|- <br />
| distinguisher || compression function || 256 || 8 rounds (Round 1) || 2<sup>112</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2009/531.pdf Gilbert,Peyrin]<br />
|- <br />
| distinguisher || permutation || 256 || 8 rounds || 2<sup>112</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2009/531.pdf Gilbert,Peyrin]<br />
|- <br />
| semi-free-start collision || compression function || 256 || 7 rounds (Round 1) || 2<sup>120</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| semi-free-start collision || compression function|| 384,512 || 7 rounds (Round 1) || 2<sup>152</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| semi-free-start collision || compression function || 224,256 || 6 rounds (Round 1) || 2<sup>64</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124407&pCurrPk=44420 Mendel,Peyrin,Rechberger,Schläffer]<br />
|- <br />
| distinguisher || output transformation || 224,256 || 7 rounds || 2<sup>56</sup> || - || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124407&pCurrPk=44420 Mendel,Peyrin,Rechberger,Schläffer]<br />
|- <br />
| distinguisher || permutation || 224,256 || 7 rounds || 2<sup>55</sup> || - || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124407&pCurrPk=44420 Mendel,Peyrin,Rechberger,Schläffer]<br />
|- <br />
| semi-free-start collision || compression function || 256 || 6 rounds (Round 1) || 2<sup>120</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124409&pCurrPk=40943 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| semi-free-start collision || compression function || 224,256 || 5 rounds (Round 1) || 2<sup>64</sup> || - || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124409&pCurrPk=40943 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| observation || hash || all || || || || [http://ehash.iaik.tugraz.at/uploads/d/d0/Grostl-comment-april28.pdf Kelsey]<br />
|- <br />
| observation || block cipher || all || || || || [http://www.larc.usp.br/~pbarreto/Grizzly.pdf Barreto]<br />
|- <br />
| free-start collision || compression function || all || any || 2<sup>2n/3</sup> || 2<sup>2n/3</sup> || [http://www.groestl.info/Groestl.pdf submission document]<br />
|- <br />
| pseudo-preimage || compression function || all || any || 2<sup>n</sup> || - || [http://www.groestl.info/Groestl.pdf submission document]<br />
|- <br />
|}<br />
<br />
<br />
<bibtex><br />
@misc{groestlSchlaeffer11,<br />
author = {Martin Schläffer},<br />
title = {Updated Differential Analysis of Grøstl},<br />
howpublished = {Available online},<br />
year = {2010},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://groestl.info/groestl-analysis.pdf},<br />
abstract = {Grøstl is a SHA-3 finalist with clear proofs against a large class of differential attacks, similar to those of MD6. Furthermore, in this note we provide an update also regarding more advanced types of differential attacks that have been developed in recent years. We apply the rebound attacks on the initial submission to the tweaked version of Grøstl. We have analyzed the round-reduced hash function and compression function of Grøstl-256 (10 rounds) and Grøstl-512 (14 rounds). For both versions, we get collisions for 3 rounds of the hash function and collisions for 6 rounds of the compression function. We hope that our own efforts on improving the cryptanalysis will continue to motivate and accelerate external cryptanalysis.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cryptoeprint:2010:607,<br />
author = {María Naya-Plasencia},<br />
title = {Scrutinizing rebound attacks: new algorithms for improving the complexities},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/607},<br />
year = {2010},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/2010/607.pdf},<br />
abstract = {Rebound attacks are a state-of-the-art analysis method for hash functions. These cryptanalysis methods are based on a well chosen differential path and have been applied to several hash functions from the SHA-3 competition, providing the best known analysis in these cases. In this paper we study rebound attacks in detail and find for a great number of cases, that complexities of existing attacks can be improved. This is done by determining problems that adapt optimally to the cryptanalytic situation, and by using better algorithms to follow the differential path. These improvements are essentially based on merging big lists in a more efficient way, as well as on new ideas on how to reduce the complexities. As a result, we introduce general purpose new algorithms for enabling further rebound analysis to be as performant as possible. We illustrate our new algorithms for real hash functions and demonstrate how to reduce the complexities of the best known analysis on five hash functions: JH, Grøstl, ECHO, Luffa and Lane (the first four are round two SHA-3 candidates).},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{groestlechoSLWSO10,<br />
author = {Yu Sasaki and Yang Li and Lei Wang and Kazuo Sakiyama and Kazuo Ohta},<br />
title = {New Non-Ideal Properties of AES-Based Permutations: Applications to ECHO and Grøstl},<br />
howpublished = {Second SHA-3 Candidate Conference},<br />
year = {2010},<br />
url = {http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SASAKI_ECHOanalysisFinal.pdf},<br />
abstract = {In this paper, we present non-full-active Super-Sbox analysis which can detect non-ideal<br />
properties of a class of AES-based permutations with a low complexity. We apply this framework<br />
to SHA-3 round-2 candidates ECHO and Grøstl. The first application is for the full-round (8-round)<br />
ECHO permutation, which is a building block for 256-bit and 224-bit output sizes. By combining several<br />
observations specific to ECHO, our attack detects a non-ideal property with a time complexity of 2^182<br />
and 2^37 amount of memory. The complexity, especially in terms of the product of time and memory,<br />
is drastically reduced from the previous best attack which required 2^512 x 2^512. To the best of our knowledge, this is the first result on the full-round ECHO permutation with both time and memory below 2^256 or 2^224. Note that this result does not impact the security of the ECHO compression function nor the overall hash function. We also show that our method can detect non-ideal properties of the 8-round Grøstl-256 permutation with a practical complexity, and finally show that our approach leads<br />
to an improvement on a semi-free-start collision attack on the 7-round Grøstl-512 compression function.<br />
Our approach is based on a series of attacks on AES-based hash functions such as rebound attack and<br />
Super-Sbox analysis. The core idea is using a new differential path consisting of only non-full-active<br />
states.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{ITP10,<br />
author = {Kota Ideguchi and Elmar Tischhauser and Bart Preneel},<br />
title = {Improved Collision Attacks on the Reduced-Round Grøstl Hash Function},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/375},<br />
year = {2010},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/2010/375.pdf},<br />
abstract = {We analyze the Gr{\o}stl hash function, which is a 2nd-round candidate of the SHA-3 competition. Using the start-from-the-middle variant of the rebound technique, we show collision attacks on the Gr{\o}stl-256 hash function reduced to 5 and 6 out of 10 rounds with time complexities $2^{48}$ and $2^{112}$, respectively. Furthermore, we demonstrate semi-free-start collision attacks on the Gr{\o}stl-224 and -256 hash functions reduced to 7 rounds and the Gr{\o}stl-224 and -256 compression functions reduced to 8 rounds. Our attacks are based on differential paths between the two permutations $P$ and $Q$ of Gr{\o}stl, a strategy introduced by Peyrin to construct distinguishers for the compression function. In this paper, we extend this approach to construct collision and semi-free-start collision attacks for both the hash and the compression function. Finally, we present improved distinguishers for reduced-round versions of the Gr{\o}stl-224 and -256 permutations.},<br />
}<br />
</bibtex> <br />
<br />
<bibtex> <br />
@misc{Pey10,<br />
author = {Thomas Peyrin},<br />
title = {Improved Differential Attacks for ECHO and Grostl},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/223},<br />
year = {2010},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/2010/223.pdf},<br />
abstract = {We present improved cryptanalysis of two second-round SHA-3 candidates: the AES-based hash functions ECHO and Grostl. We explain methods for building better differential trails for ECHO by increasing the granularity of the truncated differential paths previously considered. In the case of Grostl, we describe a new technique, the internal differential attack, which shows that when using parallel computations designers should also consider the differential security between the parallel branches. Then, we exploit the recently introduced start-from-the-middle or Super-Sbox attacks, that proved to be very efficient when attacking AES-like permutations, to achieve a very efficient utilization of the available freedom degrees. Finally, we obtain the best known attacks so far for both ECHO and Grostl. In particular, we are able to mount a distinguishing attack for the full Grostl-256 compression function.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{fseGP10,<br />
author = {Henri Gilbert and Thomas Peyrin},<br />
title = {Super-Sbox Cryptanalysis: Improved Attacks for AES-like permutations},<br />
url = {http://eprint.iacr.org/2009/531.pdf},<br />
booktitle = {FSE},<br />
year = {2010},<br />
series = {LNCS},<br />
publisher = {Springer},<br />
note = {To appear},<br />
abstract = {In this paper, we improve the recent rebound and start-from-the-middle attacks on AES-like permutations. Our new cryptanalysis technique uses the fact that one can view two rounds of such permutations as a layer of big Sboxes preceded and followed by simple affine transformations. The big Sboxes encountered in this alternative representation are named Super-Sboxes. We apply this method to two second-round SHA-3 candidates Grostl and ECHO, and obtain improvements over the previous cryptanalysis results for these two schemes. Moreover, we improve the best distinguisher for the AES block cipher in the known-key setting, reaching 8 rounds for the 128-bit version.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{ctrsaMRST10,<br />
author = {Florian Mendel and Christian Rechberger and Martin Schläffer and Søren S. Thomsen},<br />
title = {Rebound Attacks on the Reduced Grøstl Hash Function},<br />
url = {http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053},<br />
booktitle = {CT-RSA},<br />
year = {2010},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {5985},<br />
pages = {350-365},<br />
abstract = {Grøstl is one of 14 second round candidates of the<br />
NIST SHA-3 competition. Cryptanalytic results on the wide-pipe compression<br />
function of Grøstl-256 have already been published. However, little is known<br />
about the hash function, arguably a much more interesting cryptanalytic<br />
setting. Also, Grøstl-512 has not been analyzed yet. In this paper, we show<br />
the first cryptanalytic attacks on reduced-round versions of the Grøstl hash<br />
functions. These results are obtained by several extensions of the rebound<br />
attack. We present a collision attack on 4/10 rounds of the Grøstl-256 hash<br />
function and 5/14 rounds of the Grøstl-512 hash functions. Additionally, we<br />
give the best collision attack for reduced-round (7/10 and 7/14) versions of the<br />
compression function of Grøstl-256 and Grøstl-512.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{sacMPRS09,<br />
author = {Florian Mendel and Thomas Peyrin and Christian<br />
Rechberger and Martin Schläffer},<br />
title = {Improved Cryptanalysis of the Reduced Grøstl<br />
Compression Function, ECHO Permutation and AES Block Cipher},<br />
url = {http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124407&pCurrPk=44420},<br />
booktitle = {SAC},<br />
year = {2009},<br />
series = {LNCS},<br />
publisher = {Springer},<br />
volume = {5867},<br />
pages = {16-35},<br />
abstract = {In this paper, we propose two new ways to mount attacks<br />
on the SHA-3 candidates Gr{\o}stl, and ECHO, and apply these attacks<br />
also to the AES. Our results improve upon and extend the rebound<br />
attack. Using the new techniques, we are able to extend the number of<br />
rounds in which available degrees of freedom can be used. As a result,<br />
we present the first attack on 7 rounds for the Gr{\o}stl-256 output<br />
transformation and improve the semi-free-start collision attack on 6<br />
rounds. Further, we present an improved known-key distinguisher for 7<br />
rounds of the AES block cipher and the internal permutation used in<br />
ECHO.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{fseMRST09,<br />
author = {Florian Mendel and Christian Rechberger and Martin Schläffer and Søren S. Thomsen},<br />
title = {The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grøstl},<br />
url = {http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124409&pCurrPk=40943},<br />
booktitle = {FSE},<br />
editor = {Orr Dunkelman},<br />
year = {2009},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {5665},<br />
pages = {260-276},<br />
abstract = {In this work, we propose the rebound attack, a new tool<br />
for the cryptanalysis of hash functions. The idea of the rebound<br />
attack is to use the available degrees of freedom in a collision<br />
attack to efficiently bypass the low probability parts of a<br />
differential trail. The rebound attack consists of an inbound phase<br />
with a match-in-the-middle part to exploit the available degrees of<br />
freedom, and a subsequent probabilistic outbound phase. Especially on<br />
AES based hash functions, the rebound attack leads to new attacks for<br />
a surprisingly high number of<br />
rounds.<br />
We use the rebound attack to construct collisions for 4.5 rounds of<br />
the 512-bit hash function Whirlpool with a complexity of $2^{120}$<br />
compression function evaluations and negligible memory requirements.<br />
The attack can be extended to a near-collision on 7.5 rounds of the<br />
compression function of Whirlpool and 8.5 rounds of the similar hash<br />
function Maelstrom. Additionally, we apply the rebound attack to the<br />
SHA-3 submission Gr{\o}stl, which leads to an attack on 6 rounds of<br />
the Gr{\o}stl-256 compression function with a complexity of $2^{120}$<br />
and memory requirements of about $2^{64}$.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{groestlK09,<br />
author = {John Kelsey},<br />
title = {Some notes on Grøstl},<br />
url = {http://ehash.iaik.tugraz.at/uploads/d/d0/Grostl-comment-april28.pdf},<br />
howpublished = {Available online},<br />
year = {2009},<br />
abstract = {These are some quick notes on some properties and<br />
observations of Grøstl. Nothing in this note threatens the hash<br />
function; instead, I'm pointing out some properties that are a bit<br />
surprising, and some broad approaches someone might take to get<br />
attacks to work.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{groestlB08,<br />
author = {Paulo S. L. M. Barreto},<br />
title = {An observation on Grøstl},<br />
url = {http://www.larc.usp.br/~pbarreto/Grizzly.pdf},<br />
howpublished = {Available online},<br />
year = {2008},<br />
abstract = {An alternative view of the Groestl SHA-3 submission is<br />
presented. It does not lead to an effective attack nor reveals a<br />
weakness in the design, but illustrates the importance of the<br />
double-width pipe in this construction.},<br />
}<br />
</bibtex></div>
Mschlaeffer
https://ehash.iaik.tugraz.at/index.php?title=BLAKE&diff=3684
BLAKE
2011-03-21T09:25:41Z
<p>Mschlaeffer: </p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Jean-Philippe Aumasson, Luca Henzen, Willi Meier, Raphael C.-W. Phan<br />
* Website: [http://131002.net/blake/ http://131002.net/blake/]<br />
* NIST submission package: <br />
** round 3: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round3/documents/Blake_FinalRnd.zip Blake_FinalRnd.zip]<br />
** round 1/2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/BLAKE_Round2.zip BLAKE_Round2.zip] (old versions: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/BLAKE.zip BLAKE.zip], [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/BLAKEUpdate.zip BLAKEUpdate.zip])<br />
<br />
<br />
<bibtex><br />
@misc{sha3AumassonHMP10,<br />
author = {Jean-Philippe Aumasson and Luca Henzen and Willi Meier and Raphael C.-W. Phan},<br />
title = {SHA-3 proposal BLAKE},<br />
url = {http://131002.net/blake/blake.pdf},<br />
howpublished = {Submission to NIST (Round 3)},<br />
year = {2010},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3AumassonHMP08,<br />
author = {Jean-Philippe Aumasson and Luca Henzen and Willi Meier and Raphael C.-W. Phan},<br />
title = {SHA-3 proposal BLAKE},<br />
url = {http://ehash.iaik.tugraz.at/uploads/0/06/Blake.pdf},<br />
howpublished = {Submission to NIST (Round 1/2)},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
Recommended security parameter: '''14''' rounds (n=224,256); '''16''' rounds (n=384,512)<br />
<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| preimage || 224,256 || 2.5 rounds || 2<sup>n-15</sup> || - || [http://eprint.iacr.org/2009/238.pdf Ji,Liangyu]<br />
|-<br />
| preimage || 384 || 2.5 rounds || 2<sup>355</sup> || - || [http://eprint.iacr.org/2009/238.pdf Ji,Liangyu]<br />
|-<br />
| preimage || 512 || 2.5 rounds || 2<sup>481</sup> || - || [http://eprint.iacr.org/2009/238.pdf Ji,Liangyu]<br />
|-<br />
|} <br />
<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control or access over some internal variables (a.k.a. free-start, pseudo, compression function, block cipher, or permutation attacks). <br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|-<br />
| semi-free-start near-collisions || compression function || 256 || 2 rounds || 2<sup>26</sup> || - || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/TURAN_Paper_Erdener.pdf Turan,Uyan]<br />
|-<br />
| collision || hash || all || toy version BLOKE || example || - || [http://lkrv.fri.uni-lj.si/~janos/blake/collisions.pdf Vidali,Nose,Pašalic]<br />
|-<br />
| semi-free-start collision || compression function || all || toy version BRAKE || example || - || [http://lkrv.fri.uni-lj.si/~janos/blake/collisions.pdf Vidali,Nose,Pašalic]<br />
|-<br />
| near-collision || compression function || 256 || 4 rounds (No. 4-7) || 2<sup>21</sup> || - || [http://eprint.iacr.org/2010/355.pdf Su,Wu,Wu,Dong]<br />
|-<br />
| near-collision || compression function || 512 || 4 rounds (No. 7-10) || 2<sup>16</sup> || - || [http://eprint.iacr.org/2010/355.pdf Su,Wu,Wu,Dong]<br />
|-<br />
| near-collision || compression function || 512 || 5 rounds (No. 7-11) || 2<sup>216</sup> || - || [http://eprint.iacr.org/2010/355.pdf Su,Wu,Wu,Dong]<br />
|-<br />
| observations || hash || all || || || || [http://people.item.ntnu.no/~danilog/Hash/Non-random-behaviour-narrow-pipe-designs-03.pdf Gligoroski]<br />
|-<br />
| impossible differential || permutation || 224,256 || 5 rounds || - || - || [http://eprint.iacr.org/2010/043.pdf Aumasson,Guo,Knellwolf,Matusiewicz,Meier]<br />
|-<br />
| impossible differential || permutation || 384,512 || 6 rounds || - || - || [http://eprint.iacr.org/2010/043.pdf Aumasson,Guo,Knellwolf,Matusiewicz,Meier]<br />
|-<br />
| near-collision || compression function || 256 || 4 rounds (No. 3-6) || 2<sup>56</sup> || - || [http://www.jguo.org/docs/blake-col.pdf Guo,Matusiewicz]<br />
|-<br />
| free-start collision || hash || 224,256 || 2.5 rounds || 2<sup>n/2-16</sup> || - || [http://eprint.iacr.org/2009/238.pdf Ji,Liangyu]<br />
|-<br />
| free-start collision || hash || 384,512 || 2.5 rounds || 2<sup>n/2-32</sup> || - || [http://eprint.iacr.org/2009/238.pdf Ji,Liangyu]<br />
|-<br />
|} <br />
<br />
<br />
<bibtex><br />
@misc{blakeTU10,<br />
author = {Meltem Sönmez Turan and Erdener Uyan},<br />
title = {Practical Near-Collisions for Reduced Round Blake, Fugue, Hamsi and JH},<br />
howpublished = {Second SHA-3 Candidate Conference},<br />
year = {2010},<br />
url = {http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/TURAN_Paper_Erdener.pdf},<br />
abstract = {A hash function is near-collision resistant, if it is hard to find two messages with hash values that differ in only a small number of bits. In this study, we use hill climbing methods to evaluate the near-collision resistance of some of the round SHA-3 candidates. We practically obtained (i) 184/256-bit near-collision for the 2-round compression function of Blake-32; (ii) 192/256-bit near-collision for the 2-round compression function of Hamsi-256; (iii) 820/1024-bit near-collisions for 10-round compression function of JH. We also observed practical collisions and near-collisions for reduced versions of F-256 function used in Fugue.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{iplVNP10,<br />
author = {Janoš Vidali and Peter Nose and Enes Pašalić},<br />
title = {Collisions for variants of the BLAKE hash function},<br />
url = {http://lkrv.fri.uni-lj.si/~janos/blake/collisions.pdf},<br />
booktitle = {Information Processing Letters},<br />
year = {2010},<br />
abstract = {In this paper we present an attack to the BLOKE and BRAKE hash functions, which are weakened versions of the SHA-3 candidate BLAKE. In difference to BLAKE, the BLOKE hash function does not permute the message words and constants in the round computation of the compression function, and BRAKE additionally removes feedforward and zeroes the constants used in each round of the compression function. We show that in these cases we can efficiently find, for any intermediate hash value, a fixed-point block giving us an internal collision, thus producing collisions for messages of equal length in case of BLOKE, and internal collisions for BRAKE.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{blakeSuWWD10,<br />
author = {Bozhan Su and Wenling Wu and Shuang Wu and Le Dong},<br />
title = {Near-Collisions on the Reduced-Round Compression Functions of Skein and BLAKE},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/355},<br />
year = {2010},<br />
url = {http://eprint.iacr.org/2010/355.pdf},<br />
abstract = {The SHA-3 competition organized by NIST aims to find a new hash standard as a replacement of SHA-2. Till now, 14 submissions have been selected as the second round candidates, including Skein and BLAKE, both of which have components based on modular addition, rotation and bitwise XOR (ARX). In this paper, we propose improved near-collision attacks on the reduced-round compression functions of Skein and a variant of BLAKE. The attacks are based on linear differentials of the modular additions. The computational complexity of near-collision attacks on a 4-round compression function of BLAKE-32, 4-round and 5-round compression functions of BLAKE-64 are 2^{21}, 2^{16} and 2^{216} respectively, and the attacks on a 24-round compression functions of Skein-256, Skein-512 and Skein-1024 have a complexity of 2^{60}, 2^{230} and 2^{395} respectively.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{blakeGli10,<br />
author = {Danilo Gligoroski},<br />
title = {Narrow-pipe SHA-3 candidates differ significantly from ideal random functions defined over big domains},<br />
url = {http://people.item.ntnu.no/~danilog/Hash/Non-random-behaviour-narrow-pipe-designs-03.pdf},<br />
howpublished = {NIST mailing list},<br />
year = {2010},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cryptoeprint:2010:043,<br />
author = {Jean-Philippe Aumasson and Jian Guo and Simon Knellwolf<br />
and Krystian Matusiewicz and Willi Meier},<br />
title = {Differential and invertibility properties of BLAKE (full version)},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/043},<br />
year = {2010},<br />
url = {http://eprint.iacr.org/2010/043.pdf},<br />
abstract = {BLAKE is a hash function selected by NIST as one of<br />
the 14 second round candidates for the SHA-3 Competition. In this<br />
paper, we follow a bottom-up approach to exhibit properties of BLAKE<br />
and of its building blocks: based on differential properties of the<br />
internal function G, we show that a round of BLAKE is a permutation on<br />
the message space, and present an efficient inversion algorithm. For<br />
1.5 rounds we present an algorithm that finds preimages faster than in<br />
previous attacks. Discovered properties lead us to describe large<br />
classes of impossible differentials for two rounds of BLAKE’s internal<br />
permutation, and particular impossible differentials for five and six<br />
rounds, respectively for BLAKE-32 and BLAKE-64. Then, using a linear<br />
and rotation-free model, we describe near-collisions for four rounds<br />
of the compression function. Finally, we discuss the problem of<br />
establishing upper bounds on the probability of differential<br />
characteristics for BLAKE.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{blakeGM09,<br />
author = {Jian Guo and Krystian Matusiewicz},<br />
title = {Round-Reduced Near-Collisions of BLAKE-32},<br />
url = {http://www.jguo.org/docs/blake-col.pdf},<br />
howpublished = {Available online},<br />
note = {Accepted for presentation at WEWoRC 2009},<br />
year = {2009}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cryptoeprint:2009:238,<br />
author = {Li Ji and Xu Liangyu},<br />
title = {Attacks on Round-Reduced BLAKE},<br />
howpublished = {Cryptology ePrint Archive, Report 2009/238},<br />
year = {2009},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/2009/238.pdf},<br />
abstract = {BLAKE is a new hash family proposed for SHA-3. The<br />
core of compression function reuses the core function of ChaCha. A<br />
round-dependent permutation is used as message schedule. BLAKE is<br />
claimed to achieve full diffusion after 2 rounds. However, message<br />
words can be controlled on the first several rounds. By exploiting<br />
properties of message permutation, we can attack 2.5 reduced rounds.<br />
The results do not threaten the security claimed in the specification.<br />
},<br />
}<br />
</bibtex></div>
Mschlaeffer
https://ehash.iaik.tugraz.at/index.php?title=Keccak&diff=3683
Keccak
2011-03-21T09:24:55Z
<p>Mschlaeffer: </p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche<br />
* Website: [http://keccak.noekeon.org/ http://keccak.noekeon.org/] <br />
* NIST submission package: <br />
** round 3: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round3/documents/Keccak_FinalRnd.zip Keccak_FinalRnd.zip]<br />
** round 2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/Keccak_Round2.zip Keccak_Round2.zip]<br />
** round 1: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/Keccak.zip Keccak.zip]<br />
<br />
<br />
<bibtex><br />
@misc{KeccakSub3,<br />
author = {G. Bertoni and J. Daemen and M. Peeters and G. Van Assche},<br />
title = {The Keccak SHA-3 submission},<br />
url = {http://keccak.noekeon.org/Keccak-submission-3.pdf},<br />
howpublished = {Submission to NIST (Round 3)},<br />
year = {2011},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{KeccakRef3,<br />
author = {G. Bertoni and J. Daemen and M. Peeters and G. Van Assche},<br />
title = {The Keccak reference},<br />
url = {http://keccak.noekeon.org/Keccak-reference-3.0.pdf},<br />
howpublished = {Submission to NIST (Round 3)},<br />
year = {2011},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{KeccakSpecs2,<br />
author = {G. Bertoni and J. Daemen and M. Peeters and G. Van Assche},<br />
title = {Keccak specifications},<br />
url = {http://keccak.noekeon.org/Keccak-specifications-2.pdf},<br />
howpublished = {Submission to NIST (Round 2)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{KeccakMain2,<br />
author = {G. Bertoni and J. Daemen and M. Peeters and G. Van Assche},<br />
title = {Keccak sponge function family main document},<br />
url = {http://keccak.noekeon.org/Keccak-main-2.0.pdf},<br />
howpublished = {Submission to NIST (Round 2)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{KeccakSpecs,<br />
author = {G. Bertoni and J. Daemen and M. Peeters and G. Van Assche},<br />
title = {Keccak specifications},<br />
url = {http://keccak.noekeon.org/Keccak-specifications.pdf},<br />
howpublished = {Submission to NIST (Round 1)},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{KeccakMain,<br />
author = {G. Bertoni and J. Daemen and M. Peeters and G. Van Assche},<br />
title = {Keccak sponge function family main document},<br />
url = {http://keccak.noekeon.org/Keccak-main-1.0.pdf},<br />
howpublished = {Submission to NIST (Round 1)},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
Recommended security parameter: '''24''' rounds (Keccak-''f''[1600])<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| 2nd preimage || 512 || 6 rounds || 2<sup>506</sup> || 2<sup>176</sup> || [http://ehash.iaik.tugraz.at/uploads/6/65/NIST-mailing-list_Bernstein-Daemen.txt Bernstein]<br />
|- <br />
| 2nd preimage || 512 || 7 rounds || 2<sup>507</sup> || 2<sup>320</sup> || [http://ehash.iaik.tugraz.at/uploads/6/65/NIST-mailing-list_Bernstein-Daemen.txt Bernstein]<br />
|- <br />
| 2nd preimage || 512 || 8 rounds || 2<sup>511.5</sup> || 2<sup>508</sup> || [http://ehash.iaik.tugraz.at/uploads/6/65/NIST-mailing-list_Bernstein-Daemen.txt Bernstein]<br />
|- <br />
|}<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control of or access to some internal variables (a.k.a. free-start, pseudo, compression function, block cipher, or permutation attacks). <br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| distinguisher || permutation || all || 24 rounds || 2<sup>1579</sup> || || [http://eprint.iacr.org/2011/023.pdf Duan,Lai]<br />
|- <br />
| distinguisher || permutation || all || 24 rounds || 2<sup>1590</sup> || || [http://eprint.iacr.org/2010/589.pdf Boura,Canteaut,DeCanniere]<br />
|- <br />
| distinguisher || permutation || all || 20 rounds || 2<sup>1586</sup> || || [http://www-rocq.inria.fr/secret/Christina.Boura/data/sac.pdf Boura,Canteaut]<br />
|- <br />
| preimage<sup>(2)</sup> || hash || 1024 || 3 rounds, 40 bit message || 1852 seconds (2<sup>34.11</sup>) || ? || [http://eprint.iacr.org/2010/285.pdf Morawiecki,Srebrny]<br />
|- <br />
| distinguisher<sup>(1)</sup> || permutation || all || 18 rounds || 2<sup>1370</sup> || || [http://www-roc.inria.fr/secret/Anne.Canteaut/Publications/zero_sum.pdf Boura,Canteaut]<br />
|- <br />
| distinguisher<sup>(1)</sup> || permutation || all || 16 rounds || 2<sup>1023.88</sup> || || [http://www.131002.net/data/papers/AM09.pdf Aumasson,Meier]<br />
|- <br />
| key recovery || secret-prefix MAC || 224 || 4 rounds || 2<sup>19</sup> || ? || [http://www.cs.rit.edu/~jal6806/thesis/thesis.pdf Lathrop]<br />
|- <br />
| observations || permutation || all || || || || [http://131002.net/data/papers/AK09.pdf Aumasson,Khovratovich]<br />
|- <br />
|}<br />
<br />
<sup>(1)</sup>The Keccak team commented on these distinguishers and provided generic constructions in [http://keccak.noekeon.org/NoteZeroSum.pdf this note].<br />
<br />
<sup>(2)</sup>The Keccak team estimated the complexity of this attack at 2<sup>34.11</sup> evaluations of 3 rounds of Keccak-f[1600] in [http://ehash.iaik.tugraz.at/uploads/5/5b/Note_SAT-basedPreimageAnalysis.txt this note] (exhaustive search: 2<sup>40</sup>).<br />
<br />
<br />
<bibtex><br />
@misc{cryptoeprint:2011:023,<br />
author = {Ming Duan and Xuejia Lai},<br />
title = {Improved zero-sum distinguisher for full round Keccak-f permutation},<br />
howpublished = {Cryptology ePrint Archive, Report 2011/023},<br />
year = {2011},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/2011/023.pdf},<br />
abstract = {Keccak is one of the five hash functions selected for the final round of the SHA-3 competition and its inner primitive is a permutation called Keccak-$f$. In this paper, we find that for the inverse of the only one nonlinear transformation of Keccak-$f$, the algebraic degrees of any output coordinate and of the product of any two output coordinates are both 3 and also 2 less than its size 5. Combining the observation with a proposition from an upper bound on the degree of iterated permutations, we improve the zero-sum distinguisher of full 24 rounds Keccak-$f$ permutation by lowering the size of the zero-sum partition from $2^{1590}$ to $2^{1579}$.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{KeccakBernstein10,<br />
author = {Daniel J. Bernstein},<br />
title = {Second preimages for 6 (7? (8??)) rounds of Keccak?},<br />
url = {http://ehash.iaik.tugraz.at/uploads/6/65/NIST-mailing-list_Bernstein-Daemen.txt},<br />
howpublished = {NIST mailing list},<br />
year = {2010},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cryptoeprint:2010:589,<br />
author = {Christina Boura and Anne Canteaut and Christophe De Cannière},<br />
title = {Higher-order differential properties of Keccak and Luffa},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/589},<br />
year = {2010},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/2010/589.pdf},<br />
abstract = {In this paper, we identify higher-order differential and zero-sum properties in the full Keccak-f permutation, in the Luffa v1 hash function, and in components of the Luffa v2 algorithm. These structural properties rely on a new bound on the degree of iterated permutations with a nonlinear layer composed of parallel applications of smaller balanced Sboxes. These techniques yield zero-sum partitions of size $2^{1590}$ for the full Keccak-f permutation and several observations on the Luffa hash family. We first show that Luffa v1 applied to one-block messages is a function of 255 variables with degree at most 251. This observation leads to the construction of a higher-order differential distinguisher for the full Luffa v1 hash function, similar to the one presented by Watanabe et al. on a reduced version. We show that similar techniques can be used to find all-zero higher-order differentials in the Luffa v2 compression function, but the additional blank round destroys this property in the hash function.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{sacBC10,<br />
author = {Christina Boura and Anne Canteaut},<br />
title = {Zero-Sum Distinguishers for Iterated Permutations and Application to Keccak-f and Hamsi-256},<br />
url = {http://www-rocq.inria.fr/secret/Christina.Boura/data/sac.pdf},<br />
booktitle = {SAC},<br />
year = {2010},<br />
series = {LNCS},<br />
publisher = {Springer},<br />
note = {To appear},<br />
abstract = {The zero-sum distinguishers introduced by Aumasson and Meier are investigated. First, the minimal size of a zero-sum is established. Then, we analyze the impacts of the linear and the nonlinear layers in an iterated permutation on the construction of zero-sum partitions. Finally, these techniques are applied to the Keccak-f permutation and to Hamsi-256. We exhibit several zero-sum partitions for 20 rounds (out of 24) of Keccak-f and some zero-sum partitions of size $2^{19}$ and $2^{10}$ for the finalization permutation in Hamsi-256.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{keccakMS10,<br />
author = {Pawel Morawiecki and Marian Srebrny},<br />
title = {A SAT-based preimage analysis of reduced KECCAK hash functions},<br />
url = {http://eprint.iacr.org/2010/285.pdf},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/285},<br />
year = {2010},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{KeccakNoteZeroSum,<br />
author = {G. Bertoni and J. Daemen and M. Peeters and G. Van Assche},<br />
title = {Note on zero-sum distinguishers of Keccak-f},<br />
url = {http://keccak.noekeon.org/NoteZeroSum.pdf},<br />
howpublished = {NIST mailing list},<br />
year = {2010},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{keccakBC10,<br />
author = {Christina Boura and Anne Canteaut},<br />
title = {A Zero-Sum property for the Keccak-f Permutation with 18 Rounds},<br />
url = {http://www-roc.inria.fr/secret/Anne.Canteaut/Publications/zero_sum.pdf},<br />
howpublished = {NIST mailing list},<br />
year = {2010},<br />
abstract = {A new type of distinguishing property, named the zero-sum property<br />
has been recently presented by Aumasson and Meier [1]. It has<br />
been applied to the inner permutation of the hash function Keccak<br />
and it has led to a distinguishing property for the Keccak-f permutation<br />
up to 16 rounds, out of 24 in total. Here, we additionally exploit<br />
some spectral properties of the Keccak-f permutation and we improve<br />
the previously known upper bounds on the degree of the inverse<br />
permutation after a certain number of rounds. This result enables us<br />
to extend the zero-sum property to 18 rounds of the Keccak-f permutation,<br />
which was the number of rounds in the previous version of<br />
Keccak submitted to the SHA-3 competition.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{keccakAM09,<br />
author = {Jean-Philippe Aumasson and Willi Meier},<br />
title = {Zero-sum distinguishers for reduced Keccak-f and for the core functions of Luffa and Hamsi},<br />
url = {http://www.131002.net/data/papers/AM09.pdf},<br />
howpublished = {NIST mailing list},<br />
year = {2009},<br />
abstract = {We present a new type of distinguisher, called zero-sum distinguisher, and apply it to reduced versions of the Keccak-f permutation. We obtain practical and deterministic distinguishers on up to 9 rounds, and shortcut distinguishers on up to 16 rounds, out of 18 in total. These observations do not seem to affect the security of Keccak. We also briefly describe application of zero-sum distinguishers to the core permutations of Luffa and Hamsi.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{keccakLat09,<br />
author = {Joel Lathrop},<br />
title = {Cube Attacks on Cryptographic Hash Functions},<br />
url = {http://www.cs.rit.edu/~jal6806/thesis/thesis.pdf},<br />
howpublished = {Available online},<br />
year = {2009},<br />
abstract = {The thesis includes a successful cube attack against 4-round Keccak complete with a table of maxterms, analysis of the attack, and the estimated limits of its extension to higher numbers of rounds.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{keccakAK09,<br />
author = {Jean-Philippe Aumasson and Dmitry Khovratovich},<br />
title = {First Analysis of Keccak},<br />
url = {http://131002.net/data/papers/AK09.pdf},<br />
howpublished = {Available online},<br />
year = {2009},<br />
abstract = {We apply known automated cryptanalytic tools to the Keccak-f[1600] permutation, using<br />
a triangulation tool to solve the CICO problem, and cube testers to detect some structure in the<br />
algebraic description of the reduced Keccak-f[1600]. The applicability of our tools was notably limited<br />
by the strength of the inverse permutation.},<br />
}<br />
</bibtex></div>
Mschlaeffer
https://ehash.iaik.tugraz.at/index.php?title=Skein&diff=3682
Skein
2011-03-21T08:51:00Z
<p>Mschlaeffer: </p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Niels Ferguson, Stefan Lucks, Bruce Schneier, Doug Whiting, Mihir Bellare, Tadayoshi Kohno, Jon Callas, Jesse Walker<br />
* Website: [http://www.schneier.com/skein.html http://www.schneier.com/skein.html]; [http://skein-hash.info/ http://skein-hash.info/]<br />
* NIST submission package: <br />
** round 3: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round3/documents/Skein_FinalRnd.zip Skein_FinalRnd.zip]<br />
** round 2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/Skein_Round2.zip Skein_Round2.zip]<br />
** round 1: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/SkeinUpdate.zip SkeinUpdate.zip] (old version: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/Skein.zip Skein.zip])<br />
<br />
<br />
<bibtex><br />
@misc{sha3F+10,<br />
author = {Niels Ferguson and Stefan Lucks and Bruce Schneier and Doug Whiting and Mihir Bellare and Tadayoshi Kohno and Jon Callas and Jesse Walker},<br />
title = {The Skein Hash Function Family},<br />
url = {http://www.skein-hash.info/sites/default/files/skein1.3.pdf},<br />
howpublished = {Submission to NIST (Round 3)},<br />
year = {2010},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3F+09,<br />
author = {Niels Ferguson and Stefan Lucks and Bruce Schneier and Doug Whiting and Mihir Bellare and Tadayoshi Kohno and Jon Callas and Jesse Walker},<br />
title = {The Skein Hash Function Family},<br />
url = {http://www.skein-hash.info/sites/default/files/skein1.2.pdf},<br />
howpublished = {Submission to NIST (Round 2)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3F+08,<br />
author = {Niels Ferguson and Stefan Lucks and Bruce Schneier and Doug Whiting and Mihir Bellare and Tadayoshi Kohno and Jon Callas and Jesse Walker},<br />
title = {The Skein Hash Function Family},<br />
url = {http://www.skein-hash.info/sites/default/files/skein1.1.pdf},<br />
howpublished = {Submission to NIST (Round 1)},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
Recommended security parameter: '''72''' rounds (Skein-512)<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| || || || || ||<br />
|- <br />
|}<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control of or access to some internal variables (a.k.a. free-start, pseudo, compression function, block cipher, or permutation attacks). <br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|-<br />
| distinguisher || compression function || all || 57 rounds || 2<sup>503</sup> || - || [http://eprint.iacr.org/2010/538.pdf Khovratovich,Nikolić,Rechberger]<br />
|-<br />
| distinguisher || compression function || 256 || 53 rounds || 2<sup>251</sup>, Skein-256 || - || [http://eprint.iacr.org/2010/538.pdf Khovratovich,Nikolić,Rechberger]<br />
|-<br />
| near-collision || compression function || all || 24 rounds (No. 20-43) || 2<sup>230</sup> || - || [http://eprint.iacr.org/2010/355.pdf Su,Wu,Wu,Dong]<br />
|-<br />
| near-collision || compression function || 256 || 24 rounds (No. 12-35), Skein-256 || 2<sup>60</sup> || - || [http://eprint.iacr.org/2010/355.pdf Su,Wu,Wu,Dong]<br />
|-<br />
| near-collision || compression function || all || 24 rounds, Skein-1024 || 2<sup>395</sup> || - || [http://eprint.iacr.org/2010/355.pdf Su,Wu,Wu,Dong]<br />
|-<br />
| observations || hash || all || || || || [http://people.item.ntnu.no/~danilog/Hash/Non-random-behaviour-narrow-pipe-designs-03.pdf Gligoroski]<br />
|-<br />
| observations || block cipher || all || - || - || - || [http://eprint.iacr.org/2010/282.pdf McKay,Vora]<br />
|-<br />
| observations || compression function || all || - || - || - || [http://eprint.iacr.org/2010/262.pdf Kaminsky]<br />
|-<br />
| key recovery || block cipher || 256 || 39 rounds || 2<sup>254.1</sup> || - || [http://cryptolux.org/mediawiki/uploads/5/5b/Rotational_Cryptanalysis_of_Skein.pdf Khovratovich,Nikolic]<br />
|-<br />
| key recovery || block cipher || 512 || 42 rounds|| 2<sup>507</sup> || - || [http://cryptolux.org/mediawiki/uploads/5/5b/Rotational_Cryptanalysis_of_Skein.pdf Khovratovich,Nikolic]<br />
|- <br />
| key recovery || block cipher || 512 || 32 rounds (Round 1) || 2<sup>226</sup> (2<sup>222</sup>) || 2<sup>12</sup> || [http://eprint.iacr.org/2009/526.pdf Chen,Jia]<br />
|- <br />
| key recovery || block cipher || 512 || 33 rounds (Round 1) || 2<sup>352.17</sup> (2<sup>355.5</sup>) || - || [http://eprint.iacr.org/2009/526.pdf Chen,Jia]<br />
|-<br />
| near-collision || compression function || 512 || 17 rounds (Round 1) || 2<sup>24</sup> || - || [http://eprint.iacr.org/2009/438.pdf Aumasson,Calik,Meier,Ozen,Phan,Varici]<br />
|- <br />
| distinguisher || block cipher || 512 || 35 rounds (Round 1) || 2<sup>478</sup> || - || [http://eprint.iacr.org/2009/438.pdf Aumasson,Calik,Meier,Ozen,Phan,Varici]<br />
|- <br />
| impossible differential || block cipher || 512 || 21 rounds (Round 1) || - || - || [http://eprint.iacr.org/2009/438.pdf Aumasson,Calik,Meier,Ozen,Phan,Varici]<br />
|- <br />
| key recovery || block cipher || 512 || 32 rounds (Round 1) || 2<sup>312</sup> || - || [http://eprint.iacr.org/2009/438.pdf Aumasson,Calik,Meier,Ozen,Phan,Varici]<br />
|- <br />
|} <br />
<br />
<br />
<bibtex><br />
@misc{skeinKNR10,<br />
author = {Dmitry Khovratovich and Ivica Nikolić and Christian Rechberger},<br />
title = {Rotational Rebound Attacks on Reduced Skein},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/538},<br />
year = {2010},<br />
url = {http://eprint.iacr.org/2010/538.pdf},<br />
abstract = {In this paper we combine the recent rotational cryptanalysis with the rebound attack, which results in the best cryptanalysis of Skein, a candidate for the SHA-3 competition. The rebound attack approach was so far only applied to AES-like constructions. For the first time, we show that this approach can also be applied to very different constructions. In more detail, we develop a number of techniques that extend the reach of both the inbound and the outbound phase, leading to rotational collisions for about 53/57 out of the 72 rounds of the Skein-256/512 compression function and the Threefish cipher. At this point, the results do not threaten the security of the full-round Skein hash function.<br />
<br />
The new techniques include an analytical search for optimal input values in the rotational cryptanalysis, which allows to extend the outbound phase of the attack with a precomputation phase, an approach never used in any rebound-style attack before. Further we show how to combine multiple inside-out computations and neutral bits in the inbound phase of the rebound attack, and give well-defined rotational distinguishers as certificates of weaknesses for the compression functions and block ciphers.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{skeinSuWWD10,<br />
author = {Bozhan Su and Wenling Wu and Shuang Wu and Le Dong},<br />
title = {Near-Collisions on the Reduced-Round Compression Functions of Skein and BLAKE},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/355},<br />
year = {2010},<br />
url = {http://eprint.iacr.org/2010/355.pdf},<br />
abstract = {The SHA-3 competition organized by NIST aims to find a new hash standard as a replacement of SHA-2. Till now, 14 submissions have been selected as the second round candidates, including Skein and BLAKE, both of which have components based on modular addition, rotation and bitwise XOR (ARX). In this paper, we propose improved near-collision attacks on the reduced-round compression functions of Skein and a variant of BLAKE. The attacks are based on linear differentials of the modular additions. The computational complexity of near-collision attacks on a 4-round compression function of BLAKE-32, 4-round and 5-round compression functions of BLAKE-64 are 2^{21}, 2^{16} and 2^{216} respectively, and the attacks on a 24-round compression functions of Skein-256, Skein-512 and Skein-1024 have a complexity of 2^{60}, 2^{230} and 2^{395} respectively.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{skeinGli10,<br />
author = {Danilo Gligoroski},<br />
title = {Narrow-pipe SHA-3 candidates differ significantly from ideal random functions defined over big domains},<br />
url = {http://people.item.ntnu.no/~danilog/Hash/Non-random-behaviour-narrow-pipe-designs-03.pdf},<br />
howpublished = {NIST mailing list},<br />
year = {2010},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{skeinMV10,<br />
author = {Kerry A. McKay and Poorvi L. Vora},<br />
title = {Pseudo-Linear Approximations for ARX Ciphers: With Application to Threefish},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/282},<br />
year = {2010},<br />
url = {http://eprint.iacr.org/2010/282.pdf},<br />
note = {\url{http://eprint.iacr.org/}},<br />
abstract = {The operations addition modulo 2^n and exclusive-or have recently been combined to obtain an efficient mechanism for nonlinearity in block cipher design. In this paper, we show that ciphers using this approach may be approximated by pseudo-linear expressions relating groups of contiguous bits of the round key, round input, and round output. The bias of an approximation can be large enough for known plaintext attacks. We demonstrate an application of this concept to a reduced-round version of the Threefish block cipher, a component of the Skein entry in the secure hash function competition.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{skeinKam10,<br />
author = {Alan Kaminsky},<br />
title = {Cube Test Analysis of the Statistical Behavior of CubeHash and Skein},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/262},<br />
year = {2010},<br />
url = {http://eprint.iacr.org/2010/262.pdf},<br />
note = {\url{http://eprint.iacr.org/}},<br />
abstract = {This work analyzes the statistical properties of the SHA-3 candidate cryptographic hash algorithms CubeHash and Skein to try to find nonrandom behavior. Cube tests were used to probe each algorithm's internal polynomial structure for a large number of choices of the polynomial input variables. The cube test data were calculated on a 40-core hybrid SMP cluster parallel computer. The cube test data were subjected to three statistical tests: balance, independence, and off-by-one. Although isolated statistical test failures were observed, the balance and off-by-one tests did not find nonrandom behavior overall in either CubeHash or Skein. However, the independence test did find nonrandom behavior overall in both CubeHash and Skein. }<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{skeinKN10,<br />
author = {Dmitry Khovratovich and Ivica Nikolic},<br />
title = {Rotational Cryptanalysis of ARX},<br />
howpublished = {Preproceedings of FSE 2010},<br />
year = {2010},<br />
url = {http://cryptolux.org/mediawiki/uploads/5/5b/Rotational_Cryptanalysis_of_Skein.pdf},<br />
abstract = {In this paper we analyze the security of systems based on<br />
modular additions, rotations, and XORs (ARX systems). We provide<br />
both theoretical support for their security and practical cryptanalysis of<br />
real ARX primitives. We use a technique called rotational cryptanalysis,<br />
that is universal for the ARX systems and is quite efficient. We illustrate<br />
the method with the best known attack on reduced versions of the block<br />
cipher Threefish (the core of Skein). Additionally, we prove that ARX<br />
with constants are functionally complete, i.e. any function can be realized<br />
with these operations.<br />
},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cryptoeprint:2009:526,<br />
author = {Jiazhe Chen and Keting Jia},<br />
title = {Improved Related-key Boomerang Attacks on Round-Reduced Threefish-512},<br />
howpublished = {Cryptology ePrint Archive, Report 2009/526},<br />
year = {2009},<br />
url = {http://eprint.iacr.org/2009/526.pdf},<br />
note = {\url{http://eprint.iacr.org/}},<br />
abstract = {Hash function Skein is one of the 14 NIST SHA-3 second round candidates. Threefish is a tweakable block cipher as the core of Skein, defined with a 256-, 512-, and 1024-bit block size. The 512-bit block size is the primary proposal of the authors. In this paper we construct two related-key boomerang distinguishers on round-reduced Threefish-512 using the method of \emph{modular differential}. With a distinguisher on 32 rounds of Threefish-512, we improve the key recovery attack on 32 rounds of Threefish-512 proposed by Aumasson et al. Their attack requires $2^{312}$ encryptions and $2^{71}$ bytes of memory. However, our attack has a time complexity of $2^{226}$ encryptions with memory of $2^{12}$ bytes. Furthermore, we give a key recovery attack on Threefish-512 reduced to 33 rounds using a 33-round related-key boomerang distinguisher, with $2^{352.17}$ encryptions and negligible memory. Skein had been updated after it entered the second round and the results above are based on the original version. However, as the only differences between the original and the new version are the rotation constants, both of the methods can be applied to the new version with modified differential trails. For the new rotation constants, our attack on 32-round Threefish-512 has a time complexity $2^{222}$ and $2^{12}$ bytes' memory. Our attack on 33-round Threefish-512 has a time complexity $2^{355.5}$ and negligible memory.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{skeinA+09,<br />
author = {Jean-Philippe Aumasson and Cagdas Calik and Willi Meier and Onur Ozen and Raphael C.-W. Phan and Kerem Varici},<br />
title = {Improved Cryptanalysis of Skein},<br />
howpublished = {Cryptology ePrint Archive, Report 2009/438},<br />
year = {2009},<br />
url = {http://eprint.iacr.org/2009/438.pdf},<br />
note = {\url{http://eprint.iacr.org/}},<br />
abstract={The hash function Skein is the submission of Ferguson et al. to the NIST Hash Competition, and is arguably a serious candidate for selection as SHA-3. This paper presents the first third-party analysis of Skein, with an extensive study of its main component: the block cipher Threefish. We notably investigate near collisions, distinguishers, impossible differentials, key recovery using related-key differential and boomerang attacks. In particular, we present near collisions on up to 17 rounds, an impossible differential on 21 rounds, a related-key boomerang distinguisher on 34 rounds, a known-related-key boomerang distinguisher on 35 rounds, and key recovery attacks on up to 32 rounds, out of 72 in total for Threefish-512. None of our attacks directly extends to the full Skein hash. However, the pseudorandomness of Threefish is required to validate the security proofs on Skein, and our results conclude that at least 36 rounds of Threefish seem required for optimal security guarantees.},<br />
}<br />
</bibtex><br />
<br />
=== Archive ===<br />
<br />
<bibtex><br />
@misc{SkeinAum09,<br />
author = {Jean-Philippe Aumasson and Willi Meier and Raphael Phan},<br />
title = {Improved analysis of Threefish},<br />
url = {http://131002.net/data/talks/threefish_rump.pdf},<br />
howpublished = {FSE 2009 rump session, slides available online},<br />
year = {2009},<br />
}<br />
</bibtex></div>Mschlaefferhttps://ehash.iaik.tugraz.at/index.php?title=JH&diff=3681JH2011-03-21T08:49:53Z<p>Mschlaeffer: </p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Hongjun Wu<br />
* Website: [http://www3.ntu.edu.sg/home/wuhj/research/jh/ http://www3.ntu.edu.sg/home/wuhj/research/jh/]<br />
* NIST submission package: <br />
** round 3: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round3/documents/JH_FinalRnd.zip JH_FinalRnd.zip]<br />
** round 1/2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/JH_Round2.zip JH_Round2.zip] (old versions: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/JH.zip JH.zip], [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/JHUpdate.zip JHUpdate.zip])<br />
<br />
<br />
<bibtex><br />
@misc{sha3W09,<br />
author = {Hongjun Wu},<br />
title = {The Hash Function JH},<br />
url = {http://www3.ntu.edu.sg/home/wuhj/research/jh/jh_round3.pdf},<br />
howpublished = {Submission to NIST (round 3)},<br />
year = {2011},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3W09a,<br />
author = {Hongjun Wu},<br />
title = {The Hash Function JH},<br />
url = {http://ehash.iaik.tugraz.at/uploads/1/1d/Jh20090915.pdf},<br />
howpublished = {Submission to NIST (Round 1/2)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
Recommended security parameter: '''42''' rounds<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|-<br />
| style="background:greenyellow" | preimage || 512 || || 2<sup>507</sup> || 2<sup>507</sup> || [http://www.isical.ac.in/~rishi_r/FSE2010-146.pdf Bhattacharyya et al.]<br />
|- <br />
| style="background:greenyellow" | preimage<sup>(1)</sup> || 512 || || 2<sup>510.3</sup> (+ 2<sup>524</sup> MA + 2<sup>524</sup> CMP) || 2<sup>510.3</sup> (Wu: 2<sup>510.6</sup>) || [http://ehash.iaik.tugraz.at/uploads/d/da/Jh_preimage.pdf Mendel,Thomsen], [http://ehash.iaik.tugraz.at/uploads/6/6f/Jh_mt_complexity.pdf Wu]<br />
|- <br />
|} <br />
<br />
<sup>(1)</sup> Wu has analyzed the exact memory requirements, additional memory accesses (MA) and comparisons (CMP) of the attack by Mendel and Thomsen.<br />
<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks). <br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| semi-free-start collision || compression function || 256 || 16 rounds || 2<sup>96.12</sup> || 2<sup>96.12</sup> || [http://eprint.iacr.org/2010/607.pdf Naya-Plasencia]<br />
|-<br />
| semi-free-start near collision || compression function || 256 || 22 rounds || 2<sup>95.63</sup> || 2<sup>95.63</sup> || [http://eprint.iacr.org/2010/607.pdf Naya-Plasencia]<br />
|-<br />
| semi-free-start near collision || compression function || all || 10 rounds || 2<sup>23.24</sup> || - || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/TURAN_Paper_Erdener.pdf Turan,Uyan]<br />
|- <br />
| semi-free-start collision || hash || 256 || 16 rounds || 2<sup>178.24</sup> || 2<sup>101.12</sup> || [http://www.cosic.esat.kuleuven.be/publications/article-1431.pdf Rijmen,Toz,Varıcı]<br />
|- <br />
| semi-free-start near collision || compression function || 256 || 22 rounds || 2<sup>156.77</sup> || 2<sup>143.70</sup> || [http://www.cosic.esat.kuleuven.be/publications/article-1431.pdf Rijmen,Toz,Varıcı]<br />
|- <br />
| semi-free-start near collision || compression function || 256 || 22 rounds || 2<sup>156.56</sup> || 2<sup>143.70</sup> || [http://www.cosic.esat.kuleuven.be/publications/article-1431.pdf Rijmen,Toz,Varıcı]<br />
|- <br />
| pseudo-collision || compression function || all || || - || - || [http://ehash.iaik.tugraz.at/uploads/a/a8/Jh1.txt Bagheri]<br />
|- <br />
| pseudo-2nd preimage || compression function || all || || - || - || [http://ehash.iaik.tugraz.at/uploads/a/a8/Jh1.txt Bagheri]<br />
|- <br />
|} <br />
<br />
<br />
<bibtex><br />
@misc{cryptoeprint:2010:607,<br />
author = {María Naya-Plasencia},<br />
title = {Scrutinizing rebound attacks: new algorithms for improving the complexities},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/607},<br />
year = {2010},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/2010/607.pdf},<br />
abstract = {Rebound attacks are a state-of-the-art analysis method for hash functions. These cryptanalysis methods are based on a well chosen differential path and have been applied to several hash functions from the SHA-3 competition, providing the best known analysis in these cases. In this paper we study rebound attacks in detail and find for a great number of cases, that complexities of existing attacks can be improved. This is done by determining problems that adapt optimally to the cryptanalytic situation, and by using better algorithms to follow the differential path. These improvements are essentially based on merging big lists in a more efficient way, as well as on new ideas on how to reduce the complexities. As a result, we introduce general purpose new algorithms for enabling further rebound analysis to be as performant as possible. We illustrate our new algorithms for real hash functions and demonstrate how to reduce the complexities of the best known analysis on five hash functions: JH, Grøstl, ECHO, Luffa and Lane (the first four are round two SHA-3 candidates).},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{blakeTU10,<br />
author = {Meltem Sönmez Turan and Erdener Uyan},<br />
title = {Practical Near-Collisions for Reduced Round Blake, Fugue, Hamsi and JH},<br />
howpublished = {Second SHA-3 Candidate Conference},<br />
year = {2010},<br />
url = {http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/TURAN_Paper_Erdener.pdf},<br />
abstract = {A hash function is near-collision resistant, if it is hard to find two messages with hash values that differ in only a small number of bits. In this study, we use hill climbing methods to evaluate the near-collision resistance of some of the round SHA-3 candidates. We practically obtained (i) 184/256-bit near-collision for the 2-round compression function of Blake-32; (ii) 192/256-bit near-collision for the 2-round compression function of Hamsi-256; (iii) 820/1024-bit near-collisions for 10-round compression function of JH. We also observed practical collisions and near-collisions for reduced versions of F-256 function used in Fugue.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{BMN10,<br />
author = {Rishiraj Bhattacharyya and Avradip Mandal and Mridul Nandi},<br />
title = {Security Analysis of the Mode of JH Hash Function},<br />
url = {http://www.isical.ac.in/~rishi_r/FSE2010-146.pdf},<br />
booktitle = {FSE},<br />
year = {2010},<br />
series = {LNCS},<br />
note = {To appear}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{RTV10,<br />
author = {Vincent Rijmen and Denis Toz and Kerem Varıcı},<br />
title = {Rebound Attack on Reduced-Round Versions of JH},<br />
url = {http://www.cosic.esat.kuleuven.be/publications/article-1431.pdf},<br />
booktitle = {FSE},<br />
year = {2010},<br />
series = {LNCS},<br />
note = {To appear}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{B08,<br />
author = {Nasour Bagheri},<br />
title = {Pseudo-collision and pseudo-second preimage on JH},<br />
url = {http://ehash.iaik.tugraz.at/uploads/a/a8/Jh1.txt}, <br />
howpublished = {NIST mailing list (local link)},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{MT08,<br />
author = {Florian Mendel and Søren S. Thomsen},<br />
title = {An Observation on JH-512},<br />
url = {http://ehash.iaik.tugraz.at/uploads/d/da/Jh_preimage.pdf}, <br />
howpublished = {Available online},<br />
year = {2008},<br />
abstract = {In this paper, we present a generic preimage attack on JH-512. We do not claim that<br />
our attack breaks JH-512 (due to the high memory requirements), but it uses some interesting<br />
properties in the design principles of JH-512 which do not exist in other hash functions, e.g., the<br />
SHA-2 family.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{W09,<br />
author = {Hongjun Wu},<br />
title = {The Complexity of Mendel and Thomsen's Preimage Attack on JH-512},<br />
url = {http://ehash.iaik.tugraz.at/uploads/6/6f/Jh_mt_complexity.pdf}, <br />
howpublished = {Available online},<br />
year = {2009},<br />
abstract = {Mendel and Thomsen gave a preimage attack on JH-512 by finding a preimage through the collision search over the space of $2^{1024}$ elements. However, they did not estimate the cost of the collision search which is the most expensive part in their attack. Our analysis shows that their attack requires at least $2^{510.3}$ compression function computations, $2^{510.6}$ memory ($2^{516.6}$ bytes), $2^{524}$ memory accesses and $2^{524}$ comparisons. Such complexity is far more expensive than brute force<br />
attack which requires $2^{512}$ compression function computations and almost no memory.},<br />
}<br />
</bibtex></div>Mschlaefferhttps://ehash.iaik.tugraz.at/index.php?title=BLAKE&diff=3680BLAKE2011-03-21T08:49:18Z<p>Mschlaeffer: </p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Jean-Philippe Aumasson, Luca Henzen, Willi Meier, Raphael C.-W. Phan<br />
* Website: [http://131002.net/blake/ http://131002.net/blake/]<br />
* NIST submission package: <br />
** round 3: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round3/documents/Blake_FinalRnd.zip Blake_FinalRnd.zip]<br />
** round 1/2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/BLAKE_Round2.zip BLAKE_Round2.zip] (old versions: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/BLAKE.zip BLAKE.zip], [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/BLAKEUpdate.zip BLAKEUpdate.zip])<br />
<br />
<br />
<bibtex><br />
@misc{sha3AumassonHMP10,<br />
author = {Jean-Philippe Aumasson and Luca Henzen and Willi Meier and Raphael C.-W. Phan},<br />
title = {SHA-3 proposal BLAKE},<br />
url = {http://131002.net/blake/blake.pdf},<br />
howpublished = {Submission to NIST (Round 3)},<br />
year = {2010},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3AumassonHMP08,<br />
author = {Jean-Philippe Aumasson and Luca Henzen and Willi Meier and Raphael C.-W. Phan},<br />
title = {SHA-3 proposal BLAKE},<br />
url = {http://ehash.iaik.tugraz.at/uploads/0/06/Blake.pdf},<br />
howpublished = {Submission to NIST (Round 1/2)},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
Recommended security parameter: '''14''' rounds (n=224,256); '''16''' rounds (n=384,512)<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| preimage || 224,256 || 2.5 rounds || 2<sup>n-15</sup> || - || [http://eprint.iacr.org/2009/238.pdf Ji,Liangyu]<br />
|-<br />
| preimage || 384 || 2.5 rounds || 2<sup>355</sup> || - || [http://eprint.iacr.org/2009/238.pdf Ji,Liangyu]<br />
|-<br />
| preimage || 512 || 2.5 rounds || 2<sup>481</sup> || - || [http://eprint.iacr.org/2009/238.pdf Ji,Liangyu]<br />
|-<br />
|} <br />
<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks). <br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|-<br />
| semi-free-start near-collisions || compression function || 256 || 2 rounds || 2<sup>26</sup> || - || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/TURAN_Paper_Erdener.pdf Turan,Uyan]<br />
|-<br />
| collision || hash || all || toy version BLOKE || example || - || [http://lkrv.fri.uni-lj.si/~janos/blake/collisions.pdf Vidali,Nose,Pašalic]<br />
|-<br />
| semi-free-start collision || compression function || all || toy version BRAKE || example || - || [http://lkrv.fri.uni-lj.si/~janos/blake/collisions.pdf Vidali,Nose,Pašalic]<br />
|-<br />
| near-collision || compression function || 256 || 4 rounds (No. 4-7) || 2<sup>21</sup> || - || [http://eprint.iacr.org/2010/355.pdf Su,Wu,Wu,Dong]<br />
|-<br />
| near-collision || compression function || 512 || 4 rounds (No. 7-10) || 2<sup>16</sup> || - || [http://eprint.iacr.org/2010/355.pdf Su,Wu,Wu,Dong]<br />
|-<br />
| near-collision || compression function || 512 || 5 rounds (No. 7-11) || 2<sup>216</sup> || - || [http://eprint.iacr.org/2010/355.pdf Su,Wu,Wu,Dong]<br />
|-<br />
| observations || hash || all || || || || [http://people.item.ntnu.no/~danilog/Hash/Non-random-behaviour-narrow-pipe-designs-03.pdf Gligoroski]<br />
|-<br />
| impossible differential || permutation || 224,256 || 5 rounds || - || - || [http://eprint.iacr.org/2010/043.pdf Aumasson,Guo,Knellwolf,Matusiewicz,Meier]<br />
|-<br />
| impossible differential || permutation || 384,512 || 6 rounds || - || - || [http://eprint.iacr.org/2010/043.pdf Aumasson,Guo,Knellwolf,Matusiewicz,Meier]<br />
|-<br />
| near-collision || compression function || 256 || 4 rounds (No. 3-6) || 2<sup>56</sup> || - || [http://www.jguo.org/docs/blake-col.pdf Guo,Matusiewicz]<br />
|-<br />
| free-start collision || hash || 224,256 || 2.5 rounds || 2<sup>n/2-16</sup> || - || [http://eprint.iacr.org/2009/238.pdf Ji,Liangyu]<br />
|-<br />
| free-start collision || hash || 384,512 || 2.5 rounds || 2<sup>n/2-32</sup> || - || [http://eprint.iacr.org/2009/238.pdf Ji,Liangyu]<br />
|-<br />
|} <br />
<br />
<br />
<bibtex><br />
@misc{blakeTU10,<br />
author = {Meltem Sönmez Turan and Erdener Uyan},<br />
title = {Practical Near-Collisions for Reduced Round Blake, Fugue, Hamsi and JH},<br />
howpublished = {Second SHA-3 Candidate Conference},<br />
year = {2010},<br />
url = {http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/TURAN_Paper_Erdener.pdf},<br />
abstract = {A hash function is near-collision resistant, if it is hard to find two messages with hash values that differ in only a small number of bits. In this study, we use hill climbing methods to evaluate the near-collision resistance of some of the round SHA-3 candidates. We practically obtained (i) 184/256-bit near-collision for the 2-round compression function of Blake-32; (ii) 192/256-bit near-collision for the 2-round compression function of Hamsi-256; (iii) 820/1024-bit near-collisions for 10-round compression function of JH. We also observed practical collisions and near-collisions for reduced versions of F-256 function used in Fugue.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{iplVNP10,<br />
author = {Janoš Vidali and Peter Nose and Enes Pašalic},<br />
title = {Collisions for variants of the BLAKE hash function},<br />
url = {http://lkrv.fri.uni-lj.si/~janos/blake/collisions.pdf},<br />
booktitle = {Information Processing Letters},<br />
year = {2010},<br />
abstract = {In this paper we present an attack to the BLOKE and BRAKE hash functions, which are weakened versions of the SHA-3 candidate BLAKE. In difference to BLAKE, the BLOKE hash function does not permute the message words and constants in the round computation of the compression function, and BRAKE additionally removes feedforward and zeroes the constants used in each round of the compression function. We show that in these cases we can efficiently find, for any intermediate hash value, a fixed-point block giving us an internal collision, thus producing collisions for messages of equal length in case of BLOKE, and internal collisions for BRAKE.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{blakeSuWWD10,<br />
author = {Bozhan Su and Wenling Wu and Shuang Wu and Le Dong},<br />
title = {Near-Collisions on the Reduced-Round Compression Functions of Skein and BLAKE},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/355},<br />
year = {2010},<br />
url = {http://eprint.iacr.org/2010/355.pdf},<br />
abstract = {The SHA-3 competition organized by NIST aims to find a new hash standard as a replacement of SHA-2. Till now, 14 submissions have been selected as the second round candidates, including Skein and BLAKE, both of which have components based on modular addition, rotation and bitwise XOR (ARX). In this paper, we propose improved near-collision attacks on the reduced-round compression functions of Skein and a variant of BLAKE. The attacks are based on linear differentials of the modular additions. The computational complexity of near-collision attacks on a 4-round compression function of BLAKE-32, 4-round and 5-round compression functions of BLAKE-64 are 2^{21}, 2^{16} and 2^{216} respectively, and the attacks on the 24-round compression functions of Skein-256, Skein-512 and Skein-1024 have a complexity of 2^{60}, 2^{230} and 2^{395} respectively.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{blakeGli10,<br />
author = {Danilo Gligoroski},<br />
title = {Narrow-pipe SHA-3 candidates differ significantly from ideal random functions defined over big domains},<br />
url = {http://people.item.ntnu.no/~danilog/Hash/Non-random-behaviour-narrow-pipe-designs-03.pdf},<br />
howpublished = {NIST mailing list},<br />
year = {2010},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cryptoeprint:2010:043,<br />
author = {Jean-Philippe Aumasson and Jian Guo and Simon Knellwolf<br />
and Krystian Matusiewicz and Willi Meier},<br />
title = {Differential and invertibility properties of BLAKE (full version)},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/043},<br />
year = {2010},<br />
url = {http://eprint.iacr.org/2010/043.pdf},<br />
abstract = {BLAKE is a hash function selected by NIST as one of<br />
the 14 second round candidates for the SHA-3 Competition. In this<br />
paper, we follow a bottom-up approach to exhibit properties of BLAKE<br />
and of its building blocks: based on differential properties of the<br />
internal function G, we show that a round of BLAKE is a permutation on<br />
the message space, and present an efficient inversion algorithm. For<br />
1.5 rounds we present an algorithm that finds preimages faster than in<br />
previous attacks. Discovered properties lead us to describe large<br />
classes of impossible differentials for two rounds of BLAKE’s internal<br />
permutation, and particular impossible differentials for five and six<br />
rounds, respectively for BLAKE-32 and BLAKE-64. Then, using a linear<br />
and rotation-free model, we describe near-collisions for four rounds<br />
of the compression function. Finally, we discuss the problem of<br />
establishing upper bounds on the probability of differential<br />
characteristics for BLAKE.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{blakeGM09,<br />
author = {Jian Guo and Krystian Matusiewicz},<br />
title = {Round-Reduced Near-Collisions of BLAKE-32},<br />
url = {http://www.jguo.org/docs/blake-col.pdf},<br />
howpublished = {Available online},<br />
note = {Accepted for presentation at WEWoRC 2009},<br />
year = {2009}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cryptoeprint:2009:238,<br />
author = {Li Ji and Xu Liangyu},<br />
title = {Attacks on Round-Reduced BLAKE},<br />
howpublished = {Cryptology ePrint Archive, Report 2009/238},<br />
year = {2009},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/2009/238.pdf},<br />
abstract = {BLAKE is a new hash family proposed for SHA-3. The<br />
core of compression function reuses the core function of ChaCha. A<br />
round-dependent permutation is used as message schedule. BLAKE is<br />
claimed to achieve full diffusion after 2 rounds. However, message<br />
words can be controlled on the first several rounds. By exploiting<br />
properties of message permutation, we can attack 2.5 reduced rounds.<br />
The results do not threaten the security claimed in the specification.<br />
},<br />
}<br />
</bibtex></div>Mschlaefferhttps://ehash.iaik.tugraz.at/index.php?title=File:Blake.pdf&diff=3679File:Blake.pdf2011-03-21T08:48:24Z<p>Mschlaeffer: </p>
<hr />
<div></div>Mschlaefferhttps://ehash.iaik.tugraz.at/index.php?title=Groestl&diff=3678Groestl2011-03-21T08:40:31Z<p>Mschlaeffer: </p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Praveen Gauravaram, Lars R. Knudsen, Krystian Matusiewicz, Florian Mendel, Christian Rechberger, Martin Schläffer, Søren S. Thomsen<br />
* Website: [http://www.groestl.info http://www.groestl.info]<br />
* NIST submission package: <br />
** round 3: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round3/documents/Groestl_FinalRnd.zip Groestl_FinalRnd.zip]<br />
** round 1/2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/Grostl_Round2.zip Grostl_Round2.zip] (old version: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/Grostl.zip Grostl.zip])<br />
<br />
<br />
<bibtex><br />
@misc{sha3groestl,<br />
author = {Praveen Gauravaram and Lars R. Knudsen and Krystian Matusiewicz and Florian Mendel and Christian Rechberger and Martin Schläffer and Søren S. Thomsen},<br />
title = {Grøstl -- a SHA-3 candidate},<br />
url = {http://www.groestl.info/Groestl.pdf},<br />
howpublished = {Submission to NIST (Round 3)},<br />
year = {2011},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3groestl,<br />
author = {Praveen Gauravaram and Lars R. Knudsen and Krystian Matusiewicz and Florian Mendel and Christian Rechberger and Martin Schläffer and Søren S. Thomsen},<br />
title = {Grøstl Addendum},<br />
url = {http://groestl.info/Groestl-addendum.pdf},<br />
howpublished = {Available online},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3groestl,<br />
author = {Praveen Gauravaram and Lars R. Knudsen and Krystian Matusiewicz and Florian Mendel and Christian Rechberger and Martin Schläffer and Søren S. Thomsen},<br />
title = {Grøstl -- a SHA-3 candidate},<br />
url = {http://groestl.info/Groestl-0.pdf},<br />
howpublished = {Submission to NIST (Round 1/2)},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
Recommended security parameter: '''10''' rounds (n=224,256); '''14''' rounds (n=384,512)<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|-<br />
| collision || 224,256 || 3 rounds || 2<sup>64</sup> || - || [http://groestl.info/groestl-analysis.pdf Schläffer]<br />
|-<br />
| collision || 512 || 4 rounds || 2<sup>192</sup> || - || [http://groestl.info/groestl-analysis.pdf Schläffer]<br />
|-<br />
|} <br />
<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks). <br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| semi-free-start collision || compression function || 256 || 6 rounds || 2<sup>112</sup> || 2<sup>64</sup> || [http://groestl.info/groestl-analysis.pdf Schläffer]<br />
|-<br />
| semi-free-start collision || compression function || 384,512 || 6 rounds || 2<sup>180</sup> || 2<sup>64</sup> || [http://groestl.info/groestl-analysis.pdf Schläffer]<br />
|-<br />
| collision || hash function || 224,256 || 5 rounds (Round 1) || 2<sup>48</sup> || 2<sup>32</sup> || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel]<br />
|-<br />
| collision || hash function || 256 || 6 rounds (Round 1) || 2<sup>112</sup> || 2<sup>32</sup> || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel]<br />
|-<br />
| collision || hash function || 224,256 || 4 rounds (Round 1) || 2<sup>64</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| collision || hash function || 224,256 || 3 rounds (Round 1) || 2<sup>64</sup> || - || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| collision || hash function || 384,512 || 5 rounds (Round 1) || 2<sup>176</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| collision || hash function || 384,512 || 4 rounds (Round 1) || 2<sup>64</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| distinguisher || compression function || 256 || 10 rounds (Round 1) || 2<sup>175</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/607.pdf Naya-Plasencia]<br />
|-<br />
| distinguisher || compression function || 512 || 11 rounds (Round 1) || 2<sup>630</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/607.pdf Naya-Plasencia]<br />
|-<br />
| distinguisher || permutation || 256 || 8 rounds || 2<sup>48</sup> || 2<sup>8</sup> || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SASAKI_ECHOanalysisFinal.pdf Sasaki,Li,Wang,Sakiyama,Ohta]<br />
|-<br />
| semi-free-start collision || compression function || 512 || 7 rounds (Round 1) || 2<sup>152</sup> || 2<sup>56</sup> || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SASAKI_ECHOanalysisFinal.pdf Sasaki,Li,Wang,Sakiyama,Ohta]<br />
|-<br />
| semi-free-start collision || compression function || 224,256 || 7 rounds (Round 1) || 2<sup>80</sup> || 2<sup>32</sup> || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel]<br />
|-<br />
| semi-free-start collision || compression function || 224,256 || 8 rounds (Round 1) || 2<sup>192</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel]<br />
|-<br />
| distinguisher || permutation || 224,256 || 7 rounds || 2<sup>19</sup> || - || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel]<br />
|-<br />
| distinguisher || permutation || 224,256 || 8 rounds || 2<sup>64</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel]<br />
|-<br />
| distinguisher || compression function || 256 || 10 rounds (Round 1) || 2<sup>192</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/223.pdf Peyrin]<br />
|- <br />
| distinguisher || compression function || 256 || 9 rounds (Round 1) || 2<sup>80</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/223.pdf Peyrin]<br />
|- <br />
| distinguisher || compression function || 512 || 11 rounds (Round 1) || 2<sup>640</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/223.pdf Peyrin]<br />
|- <br />
| semi-free-start collision || compression function || 256 || 7 rounds (Round 1) || 2<sup>120</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2009/531.pdf Gilbert,Peyrin]<br />
|- <br />
| distinguisher || compression function || 256 || 8 rounds (Round 1) || 2<sup>112</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2009/531.pdf Gilbert,Peyrin]<br />
|- <br />
| distinguisher || permutation || 256 || 8 rounds || 2<sup>112</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2009/531.pdf Gilbert,Peyrin]<br />
|- <br />
| semi-free-start collision || compression function || 256 || 7 rounds (Round 1) || 2<sup>120</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| semi-free-start collision || compression function || 384,512 || 7 rounds (Round 1) || 2<sup>152</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| semi-free-start collision || compression function || 224,256 || 6 rounds (Round 1) || 2<sup>64</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124407&pCurrPk=44420 Mendel,Peyrin,Rechberger,Schläffer]<br />
|- <br />
| distinguisher || output transformation || 224,256 || 7 rounds || 2<sup>56</sup> || - || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124407&pCurrPk=44420 Mendel,Peyrin,Rechberger,Schläffer]<br />
|- <br />
| distinguisher || permutation || 224,256 || 7 rounds || 2<sup>55</sup> || - || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124407&pCurrPk=44420 Mendel,Peyrin,Rechberger,Schläffer]<br />
|- <br />
| semi-free-start collision || compression function || 256 || 6 rounds (Round 1) || 2<sup>120</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124409&pCurrPk=40943 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| semi-free-start collision || compression function || 224,256 || 5 rounds (Round 1) || 2<sup>64</sup> || - || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124409&pCurrPk=40943 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| observation || hash || all || || || || [http://ehash.iaik.tugraz.at/uploads/d/d0/Grostl-comment-april28.pdf Kelsey]<br />
|- <br />
| observation || block cipher || all || || || || [http://www.larc.usp.br/~pbarreto/Grizzly.pdf Barreto]<br />
|- <br />
| free-start collision || compression function || all || any || 2<sup>2n/3</sup> || 2<sup>2n/3</sup> || [http://www.groestl.info/Groestl.pdf submission document]<br />
|- <br />
| pseudo-preimage || compression function || all || any || 2<sup>n</sup> || - || [http://www.groestl.info/Groestl.pdf submission document]<br />
|- <br />
|}<br />
<br />
<br />
<br />
<bibtex><br />
@misc{groestlSchlaeffer11,<br />
author = {Martin Schläffer},<br />
title = {Updated Differential Analysis of Grøstl},<br />
howpublished = {Available online},<br />
year = {2010},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://groestl.info/groestl-analysis.pdf},<br />
abstract = {Grøstl is a SHA-3 finalist with clear proofs against a large class of differential attacks, similar to those of MD6. Furthermore, in this note we provide an update also regarding more advanced types of differential attacks that have been developed in recent years. We apply the rebound attacks on the initial submission to the tweaked version of Grøstl. We have analyzed the round-reduced hash function and compression function of Grøstl-256 (10 rounds) and Grøstl-512 (14 rounds). For both versions, we get collisions for 3 rounds of the hash function and collisions for 6 rounds of the compression function. We hope that our own efforts on improving the cryptanalysis will continue to motivate and accelerate external cryptanalysis.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cryptoeprint:2010:607,<br />
author = {María Naya-Plasencia},<br />
title = {Scrutinizing rebound attacks: new algorithms for improving the complexities},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/607},<br />
year = {2010},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/2010/607.pdf},<br />
abstract = {Rebound attacks are a state-of-the-art analysis method for hash functions. These cryptanalysis methods are based on a well chosen differential path and have been applied to several hash functions from the SHA-3 competition, providing the best known analysis in these cases. In this paper we study rebound attacks in detail and find for a great number of cases, that complexities of existing attacks can be improved. This is done by determining problems that adapt optimally to the cryptanalytic situation, and by using better algorithms to follow the differential path. These improvements are essentially based on merging big lists in a more efficient way, as well as on new ideas on how to reduce the complexities. As a result, we introduce general purpose new algorithms for enabling further rebound analysis to be as performant as possible. We illustrate our new algorithms for real hash functions and demonstrate how to reduce the complexities of the best known analysis on five hash functions: JH, Grøstl, ECHO, Luffa and Lane (the first four are round two SHA-3 candidates).},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{groestlechoSLWSO10,<br />
author = {Yu Sasaki and Yang Li and Lei Wang and Kazuo Sakiyama and Kazuo Ohta},<br />
title = {New Non-Ideal Properties of AES-Based Permutations: Applications to ECHO and Grøstl},<br />
howpublished = {Second SHA-3 Candidate Conference},<br />
year = {2010},<br />
url = {http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SASAKI_ECHOanalysisFinal.pdf},<br />
abstract = {In this paper, we present non-full-active Super-Sbox analysis which can detect non-ideal<br />
properties of a class of AES-based permutations with a low complexity. We apply this framework<br />
to SHA-3 round-2 candidates ECHO and Grøstl. The first application is for the full-round (8-round)<br />
ECHO permutation, which is a building block for 256-bit and 224-bit output sizes. By combining several<br />
observations specific to ECHO, our attack detects a non-ideal property with a time complexity of 2^182<br />
and 2^37 amount of memory. The complexity, especially in terms of the product of time and memory,<br />
is drastically reduced from the previous best attack which required 2^512 x 2^512. To the best of our knowledge, this is the first result on the full-round ECHO permutation with both time and memory below 2^256 or 2^224. Note that this result does not impact the security of the ECHO compression function nor the overall hash function. We also show that our method can detect non-ideal properties of the 8-round Grøstl-256 permutation with a practical complexity, and finally show that our approach leads<br />
to an improvement on a semi-free-start collision attack on the 7-round Grøstl-512 compression function.<br />
Our approach is based on a series of attacks on AES-based hash functions such as rebound attack and<br />
Super-Sbox analysis. The core idea is using a new differential path consisting of only non-full-active<br />
states.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{ITP10,<br />
author = {Kota Ideguchi and Elmar Tischhauser and Bart Preneel},<br />
title = {Improved Collision Attacks on the Reduced-Round Grøstl Hash Function},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/375},<br />
year = {2010},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/2010/375.pdf},<br />
abstract = {We analyze the Gr{\o}stl hash function, which is a 2nd-round candidate of the SHA-3 competition. Using the start-from-the-middle variant of the rebound technique, we show collision attacks on the Gr{\o}stl-256 hash function reduced to 5 and 6 out of 10 rounds with time complexities $2^{48}$ and $2^{112}$, respectively. Furthermore, we demonstrate semi-free-start collision attacks on the Gr{\o}stl-224 and -256 hash functions reduced to 7 rounds and the Gr{\o}stl-224 and -256 compression functions reduced to 8 rounds. Our attacks are based on differential paths between the two permutations $P$ and $Q$ of Gr{\o}stl, a strategy introduced by Peyrin to construct distinguishers for the compression function. In this paper, we extend this approach to construct collision and semi-free-start collision attacks for both the hash and the compression function. Finally, we present improved distinguishers for reduced-round versions of the Gr{\o}stl-224 and -256 permutations.},<br />
}<br />
</bibtex> <br />
<br />
<bibtex> <br />
@misc{Pey10,<br />
author = {Thomas Peyrin},<br />
title = {Improved Differential Attacks for ECHO and Grostl},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/223},<br />
year = {2010},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/2010/223.pdf},<br />
abstract = {We present improved cryptanalysis of two second-round SHA-3 candidates: the AES-based hash functions ECHO and Grostl. We explain methods for building better differential trails for ECHO by increasing the granularity of the truncated differential paths previously considered. In the case of Grostl, we describe a new technique, the internal differential attack, which shows that when using parallel computations designers should also consider the differential security between the parallel branches. Then, we exploit the recently introduced start-from-the-middle or Super-Sbox attacks, that proved to be very efficient when attacking AES-like permutations, to achieve a very efficient utilization of the available freedom degrees. Finally, we obtain the best known attacks so far for both ECHO and Grostl. In particular, we are able to mount a distinguishing attack for the full Grostl-256 compression function.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{fseGP10,<br />
author = {Henri Gilbert and Thomas Peyrin},<br />
title = {Super-Sbox Cryptanalysis: Improved Attacks for AES-like permutations},<br />
url = {http://eprint.iacr.org/2009/531.pdf},<br />
booktitle = {FSE},<br />
year = {2010},<br />
series = {LNCS},<br />
publisher = {Springer},<br />
note = {To appear},<br />
abstract = {In this paper, we improve the recent rebound and start-from-the-middle attacks on AES-like permutations. Our new cryptanalysis technique uses the fact that one can view two rounds of such permutations as a layer of big Sboxes preceded and followed by simple affine transformations. The big Sboxes encountered in this alternative representation are named Super-Sboxes. We apply this method to two second-round SHA-3 candidates Grostl and ECHO, and obtain improvements over the previous cryptanalysis results for these two schemes. Moreover, we improve the best distinguisher for the AES block cipher in the known-key setting, reaching 8 rounds for the 128-bit version.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{ctrsaMRST10,<br />
author = {Florian Mendel and Christian Rechberger and Martin Schläffer and Søren S. Thomsen},<br />
title = {Rebound Attacks on the Reduced Grøstl Hash Function},<br />
url = {http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053},<br />
booktitle = {CT-RSA},<br />
year = {2010},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {5985},<br />
pages = {350-365},<br />
abstract = {Grøstl is one of 14 second round candidates of the<br />
NIST SHA-3 competition. Cryptanalytic results on the wide-pipe compression<br />
function of Grøstl-256 have already been published. However, little is known<br />
about the hash function, arguably a much more interesting cryptanalytic<br />
setting. Also, Grøstl-512 has not been analyzed yet. In this paper, we show<br />
the first cryptanalytic attacks on reduced-round versions of the Grøstl hash<br />
functions. These results are obtained by several extensions of the rebound<br />
attack. We present a collision attack on 4/10 rounds of the Grøstl-256 hash<br />
function and 5/14 rounds of the Grøstl-512 hash functions. Additionally, we<br />
give the best collision attack for reduced-round (7/10 and 7/14) versions of the<br />
compression function of Grøstl-256 and Grøstl-512.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{sacMPRS09,<br />
author = {Florian Mendel and Thomas Peyrin and Christian<br />
Rechberger and Martin Schläffer},<br />
title = {Improved Cryptanalysis of the Reduced Grøstl<br />
Compression Function, ECHO Permutation and AES Block Cipher},<br />
url = {http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124407&pCurrPk=44420},<br />
booktitle = {SAC},<br />
year = {2009},<br />
series = {LNCS},<br />
publisher = {Springer},<br />
volume = {5867},<br />
pages = {16-35},<br />
abstract = {In this paper, we propose two new ways to mount attacks<br />
on the SHA-3 candidates Gr{\o}stl, and ECHO, and apply these attacks<br />
also to the AES. Our results improve upon and extend the rebound<br />
attack. Using the new techniques, we are able to extend the number of<br />
rounds in which available degrees of freedom can be used. As a result,<br />
we present the first attack on 7 rounds for the Gr{\o}stl-256 output<br />
transformation and improve the semi-free-start collision attack on 6<br />
rounds. Further, we present an improved known-key distinguisher for 7<br />
rounds of the AES block cipher and the internal permutation used in<br />
ECHO.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{fseMRST09,<br />
author = {Florian Mendel and Christian Rechberger and Martin Schläffer and Søren S. Thomsen},<br />
title = {The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grøstl},<br />
url = {http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124409&pCurrPk=40943},<br />
booktitle = {FSE},<br />
editor = {Orr Dunkelman},<br />
year = {2009},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {5665},<br />
pages = {260-276},<br />
abstract = {In this work, we propose the rebound attack, a new tool<br />
for the cryptanalysis of hash functions. The idea of the rebound<br />
attack is to use the available degrees of freedom in a collision<br />
attack to efficiently bypass the low probability parts of a<br />
differential trail. The rebound attack consists of an inbound phase<br />
with a match-in-the-middle part to exploit the available degrees of<br />
freedom, and a subsequent probabilistic outbound phase. Especially on<br />
AES based hash functions, the rebound attack leads to new attacks for<br />
a surprisingly high number of<br />
rounds.<br />
We use the rebound attack to construct collisions for 4.5 rounds of<br />
the 512-bit hash function Whirlpool with a complexity of $2^{120}$<br />
compression function evaluations and negligible memory requirements.<br />
The attack can be extended to a near-collision on 7.5 rounds of the<br />
compression function of Whirlpool and 8.5 rounds of the similar hash<br />
function Maelstrom. Additionally, we apply the rebound attack to the<br />
SHA-3 submission Gr{\o}stl, which leads to an attack on 6 rounds of<br />
the Gr{\o}stl-256 compression function with a complexity of $2^{120}$<br />
and memory requirements of about $2^{64}$.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{groestlK09,<br />
author = {John Kelsey},<br />
title = {Some notes on Grøstl},<br />
url = {http://ehash.iaik.tugraz.at/uploads/d/d0/Grostl-comment-april28.pdf},<br />
howpublished = {Available online},<br />
year = {2009},<br />
abstract = {These are some quick notes on some properties and<br />
observations of Grøstl. Nothing in this note threatens the hash<br />
function; instead, I'm pointing out some properties that are a bit<br />
surprising, and some broad approaches someone might take to get<br />
attacks to work.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{groestlB08,<br />
author = {Paulo S. L. M. Barreto},<br />
title = {An observation on Grøstl},<br />
url = {http://www.larc.usp.br/~pbarreto/Grizzly.pdf},<br />
howpublished = {Available online},<br />
year = {2008},<br />
abstract = {An alternative view of the Groestl SHA-3 submission is<br />
presented. It does not lead to an effective attack nor reveals a<br />
weakness in the design, but illustrates the importance of the<br />
double-width pipe in this construction.},<br />
}<br />
</bibtex></div>
Mschlaeffer
https://ehash.iaik.tugraz.at/index.php?title=JH&diff=3677
JH
2011-03-21T08:06:03Z
<p>Mschlaeffer: </p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Hongjun Wu<br />
* Website: [http://www3.ntu.edu.sg/home/wuhj/research/jh/ http://www3.ntu.edu.sg/home/wuhj/research/jh/]<br />
* NIST submission package: <br />
** round 3: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round3/documents/JH_FinalRnd.zip JH_FinalRnd.zip]<br />
** round 1/2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/JH_Round2.zip JH_Round2.zip] (old versions: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/JH.zip JH.zip], [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/JHUpdate.zip JHUpdate.zip])<br />
<br />
<br />
<bibtex><br />
@misc{sha3W11,<br />
author = {Hongjun Wu},<br />
title = {The Hash Function JH},<br />
url = {http://www3.ntu.edu.sg/home/wuhj/research/jh/jh_round3.pdf},<br />
howpublished = {Submission to NIST (round 3)},<br />
year = {2011},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3W09a,<br />
author = {Hongjun Wu},<br />
title = {The Hash Function JH},<br />
url = {http://ehash.iaik.tugraz.at/uploads/1/1d/Jh20090915.pdf},<br />
howpublished = {Submission to NIST (updated for round 2)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3W09,<br />
author = {Hongjun Wu},<br />
title = {The Hash Function JH},<br />
url = {http://ehash.iaik.tugraz.at/uploads/1/1f/Jh20090115.pdf},<br />
howpublished = {Submission to NIST (updated)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3W08,<br />
author = {Hongjun Wu},<br />
title = {The Hash Function JH},<br />
url = {http://ehash.iaik.tugraz.at/uploads/8/8f/Jh.pdf},<br />
howpublished = {Submission to NIST},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
Recommended security parameter: '''42''' rounds<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|-<br />
| style="background:greenyellow" | preimage || 512 || || 2<sup>507</sup> || 2<sup>507</sup> || [http://www.isical.ac.in/~rishi_r/FSE2010-146.pdf Bhattacharyya et al.]<br />
|- <br />
| style="background:greenyellow" | preimage<sup>(1)</sup> || 512 || || 2<sup>510.3</sup> (+ 2<sup>524</sup> MA + 2<sup>524</sup> CMP) || 2<sup>510.3</sup> (Wu: 2<sup>510.6</sup>) || [http://ehash.iaik.tugraz.at/uploads/d/da/Jh_preimage.pdf Mendel,Thomsen], [http://ehash.iaik.tugraz.at/uploads/6/6f/Jh_mt_complexity.pdf Wu]<br />
|- <br />
|} <br />
<br />
<sup>(1)</sup> Wu has analyzed the exact memory requirements, additional memory accesses (MA) and comparisons (CMP) of the attack by Mendel and Thomsen.<br />
<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control over, or access to, some internal variables (i.e. free-start, pseudo, compression function, block cipher, or permutation attacks). <br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| semi-free-start collision || compression function || 256 || 16 rounds || 2<sup>96.12</sup> || 2<sup>96.12</sup> || [http://eprint.iacr.org/2010/607.pdf Naya-Plasencia]<br />
|-<br />
| semi-free-start near collision || compression function || 256 || 22 rounds || 2<sup>95.63</sup> || 2<sup>95.63</sup> || [http://eprint.iacr.org/2010/607.pdf Naya-Plasencia]<br />
|-<br />
| semi-free-start near collision || compression function || all || 10 rounds || 2<sup>23.24</sup> || - || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/TURAN_Paper_Erdener.pdf Turan,Uyan]<br />
|- <br />
| semi-free-start collision || hash || 256 || 16 rounds || 2<sup>178.24</sup> || 2<sup>101.12</sup> || [http://www.cosic.esat.kuleuven.be/publications/article-1431.pdf Rijmen,Toz,Varıcı]<br />
|- <br />
| semi-free-start near collision || compression function || 256 || 22 rounds || 2<sup>156.77</sup> || 2<sup>143.70</sup> || [http://www.cosic.esat.kuleuven.be/publications/article-1431.pdf Rijmen,Toz,Varıcı]<br />
|- <br />
| semi-free-start near collision || compression function || 256 || 22 rounds || 2<sup>156.56</sup> || 2<sup>143.70</sup> || [http://www.cosic.esat.kuleuven.be/publications/article-1431.pdf Rijmen,Toz,Varıcı]<br />
|- <br />
| pseudo-collision || compression function || all || || - || - || [http://ehash.iaik.tugraz.at/uploads/a/a8/Jh1.txt Bagheri]<br />
|- <br />
| pseudo-2nd preimage || compression function || all || || - || - || [http://ehash.iaik.tugraz.at/uploads/a/a8/Jh1.txt Bagheri]<br />
|- <br />
|} <br />
<br />
<br />
<bibtex><br />
@misc{cryptoeprint:2010:607,<br />
author = {María Naya-Plasencia},<br />
title = {Scrutinizing rebound attacks: new algorithms for improving the complexities},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/607},<br />
year = {2010},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/2010/607.pdf},<br />
abstract = {Rebound attacks are a state-of-the-art analysis method for hash functions. These cryptanalysis methods are based on a well chosen differential path and have been applied to several hash functions from the SHA-3 competition, providing the best known analysis in these cases. In this paper we study rebound attacks in detail and find for a great number of cases, that complexities of existing attacks can be improved. This is done by determining problems that adapt optimally to the cryptanalytic situation, and by using better algorithms to follow the differential path. These improvements are essentially based on merging big lists in a more efficient way, as well as on new ideas on how to reduce the complexities. As a result, we introduce general purpose new algorithms for enabling further rebound analysis to be as performant as possible. We illustrate our new algorithms for real hash functions and demonstrate how to reduce the complexities of the best known analysis on five hash functions: JH, Grøstl, ECHO, Luffa and Lane (the first four are round two SHA-3 candidates).},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{blakeTU10,<br />
author = {Meltem Sönmez Turan and Erdener Uyan},<br />
title = {Practical Near-Collisions for Reduced Round Blake, Fugue, Hamsi and JH},<br />
howpublished = {Second SHA-3 Candidate Conference},<br />
year = {2010},<br />
url = {http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/TURAN_Paper_Erdener.pdf},<br />
abstract = {A hash function is near-collision resistant, if it is hard to find two messages with hash values that differ in only a small number of bits. In this study, we use hill climbing methods to evaluate the near-collision resistance of some of the round SHA-3 candidates. We practically obtained (i) 184/256-bit near-collision for the 2-round compression function of Blake-32; (ii) 192/256-bit near-collision for the 2-round compression function of Hamsi-256; (iii) 820/1024-bit near-collisions for 10-round compression function of JH. We also observed practical collisions and near-collisions for reduced versions of F-256 function used in Fugue.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{BMN10,<br />
author = {Rishiraj Bhattacharyya and Avradip Mandal and Mridul Nandi},<br />
title = {Security Analysis of the Mode of JH Hash Function},<br />
url = {http://www.isical.ac.in/~rishi_r/FSE2010-146.pdf},<br />
booktitle = {FSE},<br />
year = {2010},<br />
series = {LNCS},<br />
note = {To appear}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{RTV10,<br />
author = {Vincent Rijmen and Denis Toz and Kerem Varıcı},<br />
title = {Rebound Attack on Reduced-Round Versions of JH},<br />
url = {http://www.cosic.esat.kuleuven.be/publications/article-1431.pdf},<br />
booktitle = {FSE},<br />
year = {2010},<br />
series = {LNCS},<br />
note = {To appear}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{B08,<br />
author = {Nasour Bagheri},<br />
title = {Pseudo-collision and pseudo-second preimage on JH},<br />
url = {http://ehash.iaik.tugraz.at/uploads/a/a8/Jh1.txt}, <br />
howpublished = {NIST mailing list (local link)},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{MT08,<br />
author = {Florian Mendel and Søren S. Thomsen},<br />
title = {An Observation on JH-512},<br />
url = {http://ehash.iaik.tugraz.at/uploads/d/da/Jh_preimage.pdf}, <br />
howpublished = {Available online},<br />
year = {2008},<br />
abstract = {In this paper, we present a generic preimage attack on JH-512. We do not claim that<br />
our attack breaks JH-512 (due to the high memory requirements), but it uses some interesting<br />
properties in the design principles of JH-512 which do not exist in other hash functions, e.g., the<br />
SHA-2 family.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{W09,<br />
author = {Hongjun Wu},<br />
title = {The Complexity of Mendel and Thomsen's Preimage Attack on JH-512},<br />
url = {http://ehash.iaik.tugraz.at/uploads/6/6f/Jh_mt_complexity.pdf}, <br />
howpublished = {Available online},<br />
year = {2009},<br />
abstract = {Mendel and Thomsen gave a preimage attack on JH-512 by finding a preimage through the collision search over the space of $2^{1024}$ elements. However, they did not estimate the cost of the collision search which is the most expensive part in their attack. Our analysis shows that their attack requires at least $2^{510.3}$ compression function computations, $2^{510.6}$ memory ($2^{516.6}$ bytes), $2^{524}$ memory accesses and $2^{524}$ comparisons. Such complexity is far more expensive than brute force<br />
attack which requires $2^{512}$ compression function computations and almost no memory.},<br />
}<br />
</bibtex></div>
Mschlaeffer
https://ehash.iaik.tugraz.at/index.php?title=File:Jh20090915.pdf&diff=3676
File:Jh20090915.pdf
2011-03-21T08:03:57Z
<p>Mschlaeffer: </p>
<hr />
<div></div>
Mschlaeffer
https://ehash.iaik.tugraz.at/index.php?title=File:Jh20090115.pdf&diff=3675
File:Jh20090115.pdf
2011-03-21T08:03:27Z
<p>Mschlaeffer: </p>
<hr />
<div></div>
Mschlaeffer
https://ehash.iaik.tugraz.at/index.php?title=File:Jh.pdf&diff=3674
File:Jh.pdf
2011-03-21T08:03:01Z
<p>Mschlaeffer: </p>
<hr />
<div></div>
Mschlaeffer
https://ehash.iaik.tugraz.at/index.php?title=Keccak&diff=3673
Keccak
2011-03-21T07:40:19Z
<p>Mschlaeffer: </p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche<br />
* Website: [http://keccak.noekeon.org/ http://keccak.noekeon.org/] <br />
* NIST submission package: <br />
** round 3: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round3/documents/Keccak_FinalRnd.zip Keccak_FinalRnd.zip]<br />
** round 2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/Keccak_Round2.zip Keccak_Round2.zip]<br />
** round 1: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/Keccak.zip Keccak.zip]<br />
<br />
<br />
<bibtex><br />
@misc{KeccakSub3,<br />
author = {G. Bertoni and J. Daemen and M. Peeters and G. Van Assche},<br />
title = {The Keccak SHA-3 submission},<br />
url = {http://keccak.noekeon.org/Keccak-submission-3.pdf},<br />
howpublished = {Submission to NIST (Round 3)},<br />
year = {2011},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{KeccakRef3,<br />
author = {G. Bertoni and J. Daemen and M. Peeters and G. Van Assche},<br />
title = {The Keccak reference},<br />
url = {http://keccak.noekeon.org/Keccak-reference-3.0.pdf},<br />
howpublished = {Submission to NIST (Round 3)},<br />
year = {2011},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{KeccakSpecs2,<br />
author = {G. Bertoni and J. Daemen and M. Peeters and G. Van Assche},<br />
title = {Keccak specifications},<br />
url = {http://keccak.noekeon.org/Keccak-specifications-2.pdf},<br />
howpublished = {Submission to NIST (Round 2)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{KeccakMain2,<br />
author = {G. Bertoni and J. Daemen and M. Peeters and G. Van Assche},<br />
title = {Keccak sponge function family main document},<br />
url = {http://keccak.noekeon.org/Keccak-main-2.0.pdf},<br />
howpublished = {Submission to NIST (Round 2)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{KeccakSpecs,<br />
author = {G. Bertoni and J. Daemen and M. Peeters and G. Van Assche},<br />
title = {Keccak specifications},<br />
url = {http://keccak.noekeon.org/Keccak-specifications.pdf},<br />
howpublished = {Submission to NIST (Round 1)},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{KeccakMain,<br />
author = {G. Bertoni and J. Daemen and M. Peeters and G. Van Assche},<br />
title = {Keccak sponge function family main document},<br />
url = {http://keccak.noekeon.org/Keccak-main-1.0.pdf},<br />
howpublished = {Submission to NIST (Round 1)},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
Recommended security parameter: '''24''' rounds (Keccak-''f'' [1600])<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| 2nd preimage || 512 || 6 rounds || 2<sup>506</sup> || 2<sup>176</sup> || [http://ehash.iaik.tugraz.at/uploads/6/65/NIST-mailing-list_Bernstein-Daemen.txt Bernstein]<br />
|- <br />
| 2nd preimage || 512 || 7 rounds || 2<sup>507</sup> || 2<sup>320</sup> || [http://ehash.iaik.tugraz.at/uploads/6/65/NIST-mailing-list_Bernstein-Daemen.txt Bernstein]<br />
|- <br />
| 2nd preimage || 512 || 8 rounds || 2<sup>511.5</sup> || 2<sup>508</sup> || [http://ehash.iaik.tugraz.at/uploads/6/65/NIST-mailing-list_Bernstein-Daemen.txt Bernstein]<br />
|- <br />
|}<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks). <br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| distinguisher || permutation || all || 24 rounds || 2<sup>1590</sup> || || [http://eprint.iacr.org/2010/589.pdf Boura,Canteaut,DeCanniere]<br />
|- <br />
| distinguisher || permutation || all || 20 rounds || 2<sup>1586</sup> || || [http://www-rocq.inria.fr/secret/Christina.Boura/data/sac.pdf Boura,Canteaut]<br />
|- <br />
| preimage<sup>(2)</sup> || hash || 1024 || 3 rounds, 40 bit message || 1852 seconds (2<sup>34.11</sup>) || ? || [http://eprint.iacr.org/2010/285.pdf Morawiecki,Srebrny]<br />
|- <br />
| distinguisher<sup>(1)</sup> || permutation || all || 18 rounds || 2<sup>1370</sup> || || [http://www-roc.inria.fr/secret/Anne.Canteaut/Publications/zero_sum.pdf Boura,Canteaut]<br />
|- <br />
| distinguisher<sup>(1)</sup> || permutation || all || 16 rounds || 2<sup>1023.88</sup> || || [http://www.131002.net/data/papers/AM09.pdf Aumasson,Meier]<br />
|- <br />
| key recovery || secret-prefix MAC || 224 || 4 rounds || 2<sup>19</sup> || ? || [http://www.cs.rit.edu/~jal6806/thesis/thesis.pdf Lathrop]<br />
|- <br />
| observations || permutation || all || || || || [http://131002.net/data/papers/AK09.pdf Aumasson,Khovratovich]<br />
|- <br />
|}<br />
<br />
<sup>(1)</sup> The Keccak team commented on these distinguishers and provided generic constructions in [http://keccak.noekeon.org/NoteZeroSum.pdf this note].<br />
<br />
<sup>(2)</sup> The Keccak team estimated the complexity of this attack at 2<sup>34.11</sup> evaluations of 3 rounds of Keccak-f[1600] in [http://ehash.iaik.tugraz.at/uploads/5/5b/Note_SAT-basedPreimageAnalysis.txt this note] (exhaustive search: 2<sup>40</sup>).<br />
<br />
<br />
<bibtex><br />
@misc{KeccakBernstein10,<br />
author = {Daniel J. Bernstein},<br />
title = {Second preimages for 6 (7? (8??)) rounds of Keccak?},<br />
url = {http://ehash.iaik.tugraz.at/uploads/6/65/NIST-mailing-list_Bernstein-Daemen.txt},<br />
howpublished = {NIST mailing list},<br />
year = {2010},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cryptoeprint:2010:589,<br />
author = {Christina Boura and Anne Canteaut and Christophe De Canniere},<br />
title = {Higher-order differential properties of Keccak and Luffa},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/589},<br />
year = {2010},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/2010/589.pdf},<br />
abstract = {In this paper, we identify higher-order differential and zero-sum properties in the full Keccak-f permutation, in the Luffa v1 hash function, and in components of the Luffa v2 algorithm. These structural properties rely on a new bound on the degree of iterated permutations with a nonlinear layer composed of parallel applications of smaller balanced Sboxes. These techniques yield zero-sum partitions of size $2^{1590}$ for the full Keccak-f permutation and several observations on the Luffa hash family. We first show that Luffa v1 applied to one-block messages is a function of 255 variables with degree at most 251. This observation leads to the construction of a higher-order differential distinguisher for the full Luffa v1 hash function, similar to the one presented by Watanabe et al. on a reduced version. We show that similar techniques can be used to find all-zero higher-order differentials in the Luffa v2 compression function, but the additional blank round destroys this property in the hash function.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{sacBC10,<br />
author = {Christina Boura and Anne Canteaut},<br />
title = {Zero-Sum Distinguishers for Iterated Permutations and Application to Keccak-f and Hamsi-256},<br />
url = {http://www-rocq.inria.fr/secret/Christina.Boura/data/sac.pdf},<br />
booktitle = {SAC},<br />
year = {2010},<br />
series = {LNCS},<br />
publisher = {Springer},<br />
note = {To appear},<br />
abstract = {The zero-sum distinguishers introduced by Aumasson and Meier are investigated. First, the minimal size of a zero-sum is established. Then, we analyze the impacts of the linear and the nonlinear layers in an iterated permutation on the construction of zero-sum partitions. Finally, these techniques are applied to the Keccak-f permutation and to Hamsi-256. We exhibit several zero-sum partitions for 20 rounds (out of 24) of Keccak-f and some zero-sum partitions of size $2^{19}$ and $2^{10}$ for the finalization permutation in Hamsi-256.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{keccakMS10,<br />
author = {Pawel Morawiecki and Marian Srebrny},<br />
title = {A SAT-based preimage analysis of reduced KECCAK hash functions},<br />
url = {http://eprint.iacr.org/2010/285.pdf},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/285},<br />
year = {2010},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{KeccakNoteZeroSum,<br />
author = {G. Bertoni and J. Daemen and M. Peeters and G. Van Assche},<br />
title = {Note on zero-sum distinguishers of Keccak-f},<br />
url = {http://keccak.noekeon.org/NoteZeroSum.pdf},<br />
howpublished = {NIST mailing list},<br />
year = {2010},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{keccakBC10,<br />
author = {Christina Boura and Anne Canteaut},<br />
title = {A Zero-Sum property for the Keccak-f Permutation with 18 Rounds},<br />
url = {http://www-roc.inria.fr/secret/Anne.Canteaut/Publications/zero_sum.pdf},<br />
howpublished = {NIST mailing list},<br />
year = {2010},<br />
abstract = {A new type of distinguishing property, named the zero-sum property, has been recently presented by Aumasson and Meier [1]. It has been applied to the inner permutation of the hash function Keccak and it has led to a distinguishing property for the Keccak-f permutation up to 16 rounds, out of 24 in total. Here, we additionally exploit some spectral properties of the Keccak-f permutation and we improve the previously known upper bounds on the degree of the inverse permutation after a certain number of rounds. This result enables us to extend the zero-sum property to 18 rounds of the Keccak-f permutation, which was the number of rounds in the previous version of Keccak submitted to the SHA-3 competition.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{keccakAM09,<br />
author = {Jean-Philippe Aumasson and Willi Meier},<br />
title = {Zero-sum distinguishers for reduced Keccak-f and for the core functions of Luffa and Hamsi},<br />
url = {http://www.131002.net/data/papers/AM09.pdf},<br />
howpublished = {NIST mailing list},<br />
year = {2009},<br />
abstract = {We present a new type of distinguisher, called zero-sum distinguisher, and apply it to reduced versions of the Keccak-f permutation. We obtain practical and deterministic distinguishers on up to 9 rounds, and shortcut distinguishers on up to 16 rounds, out of 18 in total. These observations do not seem to affect the security of Keccak. We also briefly describe application of zero-sum distinguishers to the core permutations of Luffa and Hamsi.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{keccakLat09,<br />
author = {Joel Lathrop},<br />
title = {Cube Attacks on Cryptographic Hash Functions},<br />
url = {http://www.cs.rit.edu/~jal6806/thesis/thesis.pdf},<br />
howpublished = {Available online},<br />
year = {2009},<br />
abstract = {The thesis includes a successful cube attack against 4-round Keccak complete with a table of maxterms, analysis of the attack, and the estimated limits of its extension to higher numbers of rounds.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{keccakAK09,<br />
author = {Jean-Philippe Aumasson and Dmitry Khovratovich},<br />
title = {First Analysis of Keccak},<br />
url = {http://131002.net/data/papers/AK09.pdf},<br />
howpublished = {Available online},<br />
year = {2009},<br />
abstract = {We apply known automated cryptanalytic tools to the Keccak-f[1600] permutation, using<br />
a triangulation tool to solve the CICO problem, and cube testers to detect some structure in the<br />
algebraic description of the reduced Keccak-f[1600]. The applicability of our tools was notably limited<br />
by the strength of the inverse permutation.},<br />
}<br />
</bibtex></div>Mschlaefferhttps://ehash.iaik.tugraz.at/index.php?title=Skein&diff=3672Skein2011-03-21T07:34:28Z<p>Mschlaeffer: </p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Niels Ferguson, Stefan Lucks, Bruce Schneier, Doug Whiting, Mihir Bellare, Tadayoshi Kohno, Jon Callas, Jesse Walker<br />
* Website: [http://www.schneier.com/skein.html http://www.schneier.com/skein.html]; [http://skein-hash.info/ http://skein-hash.info/]<br />
* NIST submission package: <br />
** round 3: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round3/documents/Skein_FinalRnd.zip Skein_FinalRnd.zip]<br />
** round 2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/Skein_Round2.zip Skein_Round2.zip]<br />
** round 1: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/SkeinUpdate.zip SkeinUpdate.zip] (old version: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/Skein.zip Skein.zip])<br />
<br />
<br />
<bibtex><br />
@misc{sha3F+10,<br />
author = {Niels Ferguson and Stefan Lucks and Bruce Schneier and Doug Whiting and Mihir Bellare and Tadayoshi Kohno and Jon Callas and Jesse Walker},<br />
title = {The Skein Hash Function Family},<br />
url = {http://www.skein-hash.info/sites/default/files/skein1.3.pdf},<br />
howpublished = {Submission to NIST (Round 3)},<br />
year = {2010},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3F+09,<br />
author = {Niels Ferguson and Stefan Lucks and Bruce Schneier and Doug Whiting and Mihir Bellare and Tadayoshi Kohno and Jon Callas and Jesse Walker},<br />
title = {The Skein Hash Function Family},<br />
url = {http://www.skein-hash.info/sites/default/files/skein1.2.pdf},<br />
howpublished = {Submission to NIST (Round 2)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3F+08,<br />
author = {Niels Ferguson and Stefan Lucks and Bruce Schneier and Doug Whiting and Mihir Bellare and Tadayoshi Kohno and Jon Callas and Jesse Walker},<br />
title = {The Skein Hash Function Family},<br />
url = {http://www.skein-hash.info/sites/default/files/skein.pdf},<br />
howpublished = {Submission to NIST (Round 1)},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
Recommended security parameter: '''72''' rounds (Skein-512)<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| || || || || ||<br />
|- <br />
|}<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks). <br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|-<br />
| distinguisher || compression function || all || 57 rounds || 2<sup>503</sup> || - || [http://eprint.iacr.org/2010/538.pdf Khovratovich,Nikolić,Rechberger]<br />
|-<br />
| distinguisher || compression function || 256 || 53 rounds || 2<sup>251</sup>, Skein-256 || - || [http://eprint.iacr.org/2010/538.pdf Khovratovich,Nikolić,Rechberger]<br />
|-<br />
| near-collision || compression function || all || 24 rounds (No. 20-43) || 2<sup>230</sup> || - || [http://eprint.iacr.org/2010/355.pdf Su,Wu,Wu,Dong]<br />
|-<br />
| near-collision || compression function || 256 || 24 rounds (No. 12-35), Skein-256 || 2<sup>60</sup> || - || [http://eprint.iacr.org/2010/355.pdf Su,Wu,Wu,Dong]<br />
|-<br />
| near-collision || compression function || all || 24 rounds, Skein-1024 || 2<sup>395</sup> || - || [http://eprint.iacr.org/2010/355.pdf Su,Wu,Wu,Dong]<br />
|-<br />
| observations || hash || all || || || || [http://people.item.ntnu.no/~danilog/Hash/Non-random-behaviour-narrow-pipe-designs-03.pdf Gligoroski]<br />
|-<br />
| observations || block cipher || all || - || - || - || [http://eprint.iacr.org/2010/282.pdf McKay,Vora]<br />
|-<br />
| observations || compression function || all || - || - || - || [http://eprint.iacr.org/2010/262.pdf Kaminsky]<br />
|-<br />
| key recovery || block cipher || 256 || 39 rounds || 2<sup>254.1</sup> || - || [http://cryptolux.org/mediawiki/uploads/5/5b/Rotational_Cryptanalysis_of_Skein.pdf Khovratovich,Nikolic]<br />
|-<br />
| key recovery || block cipher || 512 || 42 rounds|| 2<sup>507</sup> || - || [http://cryptolux.org/mediawiki/uploads/5/5b/Rotational_Cryptanalysis_of_Skein.pdf Khovratovich,Nikolic]<br />
|- <br />
| key recovery || block cipher || 512 || 32 rounds (Round 1) || 2<sup>226</sup> (2<sup>222</sup>) || 2<sup>12</sup> || [http://eprint.iacr.org/2009/526.pdf Chen,Jia]<br />
|- <br />
| key recovery || block cipher || 512 || 33 rounds (Round 1) || 2<sup>352.17</sup> (2<sup>355.5</sup>) || - || [http://eprint.iacr.org/2009/526.pdf Chen,Jia]<br />
|-<br />
| near collision || compression function || 512 || 17 rounds (Round 1) || 2<sup>24</sup> || - || [http://eprint.iacr.org/2009/438.pdf Aumasson,Calik,Meier,Ozen,Phan,Varici]<br />
|- <br />
| distinguisher || block cipher || 512 || 35 rounds (Round 1) || 2<sup>478</sup> || - || [http://eprint.iacr.org/2009/438.pdf Aumasson,Calik,Meier,Ozen,Phan,Varici]<br />
|- <br />
| impossible differential || block cipher || 512 || 21 rounds (Round 1) || - || - || [http://eprint.iacr.org/2009/438.pdf Aumasson,Calik,Meier,Ozen,Phan,Varici]<br />
|- <br />
| key recovery || block cipher || 512 || 32 rounds (Round 1) || 2<sup>312</sup> || - || [http://eprint.iacr.org/2009/438.pdf Aumasson,Calik,Meier,Ozen,Phan,Varici]<br />
|- <br />
|} <br />
<br />
<br />
<bibtex><br />
@misc{skeinKNR10,<br />
author = {Dmitry Khovratovich and Ivica Nikolić and Christian Rechberger},<br />
title = {Rotational Rebound Attacks on Reduced Skein},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/538},<br />
year = {2010},<br />
url = {http://eprint.iacr.org/2010/538.pdf},<br />
abstract = {In this paper we combine the recent rotational cryptanalysis with the rebound attack, which results in the best cryptanalysis of Skein, a candidate for the SHA-3 competition. The rebound attack approach was so far only applied to AES-like constructions. For the first time, we show that this approach can also be applied to very different constructions. In more detail, we develop a number of techniques that extend the reach of both the inbound and the outbound phase, leading to rotational collisions for about 53/57 out of the 72 rounds of the Skein-256/512 compression function and the Threefish cipher. At this point, the results do not threaten the security of the full-round Skein hash function.<br />
<br />
The new techniques include an analytical search for optimal input values in the rotational cryptanalysis, which allows to extend the outbound phase of the attack with a precomputation phase, an approach never used in any rebound-style attack before. Further we show how to combine multiple inside-out computations and neutral bits in the inbound phase of the rebound attack, and give well-defined rotational distinguishers as certificates of weaknesses for the compression functions and block ciphers.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{skeinSuWWD10,<br />
author = {Bozhan Su and Wenling Wu and Shuang Wu and Le Dong},<br />
title = {Near-Collisions on the Reduced-Round Compression Functions of Skein and BLAKE},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/355},<br />
year = {2010},<br />
url = {http://eprint.iacr.org/2010/355.pdf},<br />
abstract = {The SHA-3 competition organized by NIST aims to find a new hash standard as a replacement of SHA-2. Till now, 14 submissions have been selected as the second round candidates, including Skein and BLAKE, both of which have components based on modular addition, rotation and bitwise XOR (ARX). In this paper, we propose improved near-collision attacks on the reduced-round compression functions of Skein and a variant of BLAKE. The attacks are based on linear differentials of the modular additions. The computational complexity of near-collision attacks on a 4-round compression function of BLAKE-32, 4-round and 5-round compression functions of BLAKE-64 are 2^{21}, 2^{16} and 2^{216} respectively, and the attacks on a 24-round compression functions of Skein-256, Skein-512 and Skein-1024 have a complexity of 2^{60}, 2^{230} and 2^{395} respectively.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{skeinGli10,<br />
author = {Danilo Gligoroski},<br />
title = {Narrow-pipe SHA-3 candidates differ significantly from ideal random functions defined over big domains},<br />
url = {http://people.item.ntnu.no/~danilog/Hash/Non-random-behaviour-narrow-pipe-designs-03.pdf},<br />
howpublished = {NIST mailing list},<br />
year = {2010},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{skeinMV10,<br />
author = {Kerry A. McKay and Poorvi L. Vora},<br />
title = {Pseudo-Linear Approximations for ARX Ciphers: With Application to Threefish},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/282},<br />
year = {2010},<br />
url = {http://eprint.iacr.org/2010/282.pdf},<br />
note = {\url{http://eprint.iacr.org/}},<br />
abstract = {The operations addition modulo 2^n and exclusive-or have recently been combined to obtain an efficient mechanism for nonlinearity in block cipher design. In this paper, we show that ciphers using this approach may be approximated by pseudo-linear expressions relating groups of contiguous bits of the round key, round input, and round output. The bias of an approximation can be large enough for known plaintext attacks. We demonstrate an application of this concept to a reduced-round version of the Threefish block cipher, a component of the Skein entry in the secure hash function competition.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{skeinKam10,<br />
author = {Alan Kaminsky},<br />
title = {Cube Test Analysis of the Statistical Behavior of CubeHash and Skein},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/262},<br />
year = {2010},<br />
url = {http://eprint.iacr.org/2010/262.pdf},<br />
note = {\url{http://eprint.iacr.org/}},<br />
abstract = {This work analyzes the statistical properties of the SHA-3 candidate cryptographic hash algorithms CubeHash and Skein to try to find nonrandom behavior. Cube tests were used to probe each algorithm's internal polynomial structure for a large number of choices of the polynomial input variables. The cube test data were calculated on a 40-core hybrid SMP cluster parallel computer. The cube test data were subjected to three statistical tests: balance, independence, and off-by-one. Although isolated statistical test failures were observed, the balance and off-by-one tests did not find nonrandom behavior overall in either CubeHash or Skein. However, the independence test did find nonrandom behavior overall in both CubeHash and Skein. }<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{skeinKN10,<br />
author = {Dmitry Khovratovich and Ivica Nikolic},<br />
title = {Rotational Cryptanalysis of ARX},<br />
howpublished = {Preproceedings of FSE 2010},<br />
year = {2010},<br />
url = {http://cryptolux.org/mediawiki/uploads/5/5b/Rotational_Cryptanalysis_of_Skein.pdf},<br />
abstract = {In this paper we analyze the security of systems based on<br />
modular additions, rotations, and XORs (ARX systems). We provide<br />
both theoretical support for their security and practical cryptanalysis of<br />
real ARX primitives. We use a technique called rotational cryptanalysis,<br />
that is universal for the ARX systems and is quite efficient. We illustrate<br />
the method with the best known attack on reduced versions of the block<br />
cipher Threefish (the core of Skein). Additionally, we prove that ARX<br />
with constants are functionally complete, i.e. any function can be realized<br />
with these operations.<br />
},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cryptoeprint:2009:526,<br />
author = {Jiazhe Chen and Keting Jia},<br />
title = {Improved Related-key Boomerang Attacks on Round-Reduced Threefish-512},<br />
howpublished = {Cryptology ePrint Archive, Report 2009/526},<br />
year = {2009},<br />
url = {http://eprint.iacr.org/2009/526.pdf},<br />
note = {\url{http://eprint.iacr.org/}},<br />
abstract = {Hash function Skein is one of the 14 NIST SHA-3 second round candidates. Threefish is a tweakable block cipher as the core of Skein, defined with a 256-, 512-, and 1024-bit block size. The 512-bit block size is the primary proposal of the authors. In this paper we construct two related-key boomerang distinguishers on round-reduced Threefish-512 using the method of \emph{modular differential}. With a distinguisher on 32 rounds of Threefish-512, we improve the key recovery attack on 32 rounds of Threefish-512 proposed by Aumasson et al. Their attack requires $2^{312}$ encryptions and $2^{71}$ bytes of memory. However, our attack has a time complexity of $2^{226}$ encryptions with memory of $2^{12}$ bytes. Furthermore, we give a key recovery attack on Threefish-512 reduced to 33 rounds using a 33-round related-key boomerang distinguisher, with $2^{352.17}$ encryptions and negligible memory. Skein had been updated after it entered the second round and the results above are based on the original version. However, as the only differences between the original and the new version are the rotation constants, both of the methods can be applied to the new version with modified differential trails. For the new rotation constants, our attack on 32-round Threefish-512 has a time complexity $2^{222}$ and $2^{12}$ bytes' memory. Our attack on 33-round Threefish-512 has a time complexity $2^{355.5}$ and negligible memory.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{skeinA+09,<br />
author = {Jean-Philippe Aumasson and Cagdas Calik and Willi Meier and Onur Ozen and Raphael C.-W. Phan and Kerem Varici},<br />
title = {Improved Cryptanalysis of Skein},<br />
howpublished = {Cryptology ePrint Archive, Report 2009/438},<br />
year = {2009},<br />
url = {http://eprint.iacr.org/2009/438.pdf},<br />
note = {\url{http://eprint.iacr.org/}},<br />
abstract={The hash function Skein is the submission of Ferguson et al. to the NIST Hash Competition, and is arguably a serious candidate for selection as SHA-3. This paper presents the first third-party analysis of Skein, with an extensive study of its main component: the block cipher Threefish. We notably investigate near collisions, distinguishers, impossible differentials, key recovery using related-key differential and boomerang attacks. In particular, we present near collisions on up to 17 rounds, an impossible differential on 21 rounds, a related-key boomerang distinguisher on 34 rounds, a known-related-key boomerang distinguisher on 35 rounds, and key recovery attacks on up to 32 rounds, out of 72 in total for Threefish-512. None of our attacks directly extends to the full Skein hash. However, the pseudorandomness of Threefish is required to validate the security proofs on Skein, and our results conclude that at least 36 rounds of Threefish seem required for optimal security guarantees.},<br />
}<br />
</bibtex><br />
<br />
=== Archive ===<br />
<br />
<bibtex><br />
@misc{SkeinAum09,<br />
author = {Jean-Philippe Aumasson and Willi Meier and Raphael Phan},<br />
title = {Improved analysis of Threefish},<br />
url = {http://131002.net/data/talks/threefish_rump.pdf},<br />
howpublished = {FSE 2009 rump session, slides available online},<br />
year = {2009},<br />
}<br />
</bibtex></div>Mschlaefferhttps://ehash.iaik.tugraz.at/index.php?title=JH&diff=3671JH2011-03-09T07:22:15Z<p>Mschlaeffer: link to JH website corrected</p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Hongjun Wu<br />
* Website: [http://www3.ntu.edu.sg/home/wuhj/research/jh/ http://www3.ntu.edu.sg/home/wuhj/research/jh/]<br />
* NIST submission package: <br />
** round 1/2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/JH_Round2.zip JH_Round2.zip] (old versions: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/JH.zip JH.zip], [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/JHUpdate.zip JHUpdate.zip])<br />
<br />
<br />
<bibtex><br />
@misc{sha3W09,<br />
author = {Hongjun Wu},<br />
title = {The Hash Function JH},<br />
url = {http://icsd.i2r.a-star.edu.sg/staff/hongjun/jh/jh_round2.pdf},<br />
howpublished = {Submission to NIST (updated)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3W08,<br />
author = {Hongjun Wu},<br />
title = {The Hash Function JH},<br />
url = {http://icsd.i2r.a-star.edu.sg/staff/hongjun/jh/jh.pdf},<br />
howpublished = {Submission to NIST},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
Recommended security parameter: '''35.5''' rounds<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|-<br />
| style="background:greenyellow" | preimage || 512 || || 2<sup>507</sup> || 2<sup>507</sup> || [http://www.isical.ac.in/~rishi_r/FSE2010-146.pdf Bhattacharyya et al.]<br />
|- <br />
| style="background:greenyellow" | preimage<sup>(1)</sup> || 512 || || 2<sup>510.3</sup> (+ 2<sup>524</sup> MA + 2<sup>524</sup> CMP) || 2<sup>510.3</sup> (Wu: 2<sup>510.6</sup>) || [http://ehash.iaik.tugraz.at/uploads/d/da/Jh_preimage.pdf Mendel,Thomsen], [http://ehash.iaik.tugraz.at/uploads/6/6f/Jh_mt_complexity.pdf Wu]<br />
|- <br />
|} <br />
<br />
<sup>(1)</sup> Wu has analyzed the exact memory requirements, additional memory accesses (MA) and comparisons (CMP) of the attack by Mendel and Thomsen.<br />
<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks). <br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| semi-free-start collision || compression function || 256 || 16 rounds || 2<sup>96.12</sup> || 2<sup>96.12</sup> || [http://eprint.iacr.org/2010/607.pdf Naya-Plasencia]<br />
|-<br />
| semi-free-start near collision || compression function || 256 || 22 rounds || 2<sup>95.63</sup> || 2<sup>95.63</sup> || [http://eprint.iacr.org/2010/607.pdf Naya-Plasencia]<br />
|-<br />
| semi-free-start near collision || compression function || all || 10 rounds || 2<sup>23.24</sup> || - || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/TURAN_Paper_Erdener.pdf Turan,Uyan]<br />
|- <br />
| semi-free-start collision || hash || 256 || 16 rounds || 2<sup>178.24</sup> || 2<sup>101.12</sup> || [http://www.cosic.esat.kuleuven.be/publications/article-1431.pdf Rijmen,Toz,Varıcı]<br />
|- <br />
| semi-free-start near collision || compression function || 256 || 22 rounds || 2<sup>156.77</sup> || 2<sup>143.70</sup> || [http://www.cosic.esat.kuleuven.be/publications/article-1431.pdf Rijmen,Toz,Varıcı]<br />
|- <br />
| semi-free-start near collision || compression function || 256 || 22 rounds || 2<sup>156.56</sup> || 2<sup>143.70</sup> || [http://www.cosic.esat.kuleuven.be/publications/article-1431.pdf Rijmen,Toz,Varıcı]<br />
|- <br />
| pseudo-collision || compression function || all || || - || - || [http://ehash.iaik.tugraz.at/uploads/a/a8/Jh1.txt Bagheri]<br />
|- <br />
| pseudo-2nd preimage || compression function || all || || - || - || [http://ehash.iaik.tugraz.at/uploads/a/a8/Jh1.txt Bagheri]<br />
|- <br />
|} <br />
<br />
<br />
<bibtex><br />
@misc{cryptoeprint:2010:607,<br />
author = {María Naya-Plasencia},<br />
title = {Scrutinizing rebound attacks: new algorithms for improving the complexities},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/607},<br />
year = {2010},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/2010/607.pdf},<br />
abstract = {Rebound attacks are a state-of-the-art analysis method for hash functions. These cryptanalysis methods are based on a well chosen differential path and have been applied to several hash functions from the SHA-3 competition, providing the best known analysis in these cases. In this paper we study rebound attacks in detail and find for a great number of cases, that complexities of existing attacks can be improved. This is done by determining problems that adapt optimally to the cryptanalytic situation, and by using better algorithms to follow the differential path. These improvements are essentially based on merging big lists in a more efficient way, as well as on new ideas on how to reduce the complexities. As a result, we introduce general purpose new algorithms for enabling further rebound analysis to be as performant as possible. We illustrate our new algorithms for real hash functions and demonstrate how to reduce the complexities of the best known analysis on five hash functions: JH, Grøstl, ECHO, Luffa and Lane (the first four are round two SHA-3 candidates).},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{blakeTU10,<br />
author = {Meltem Sönmez Turan and Erdener Uyan},<br />
title = {Practical Near-Collisions for Reduced Round Blake, Fugue, Hamsi and JH},<br />
howpublished = {Second SHA-3 Candidate Conference},<br />
year = {2010},<br />
url = {http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/TURAN_Paper_Erdener.pdf},<br />
abstract = {A hash function is near-collision resistant, if it is hard to find two messages with hash values that differ in only a small number of bits. In this study, we use hill climbing methods to evaluate the near-collision resistance of some of the round SHA-3 candidates. We practically obtained (i) 184/256-bit near-collision for the 2-round compression function of Blake-32; (ii) 192/256-bit near-collision for the 2-round compression function of Hamsi-256; (iii) 820/1024-bit near-collisions for 10-round compression function of JH. We also observed practical collisions and near-collisions for reduced versions of F-256 function used in Fugue.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{BMN10,<br />
author = {Rishiraj Bhattacharyya and Avradip Mandal and Mridul Nandi},<br />
title = {Security Analysis of the Mode of JH Hash Function},<br />
url = {http://www.isical.ac.in/~rishi_r/FSE2010-146.pdf},<br />
booktitle = {FSE},<br />
year = {2010},<br />
series = {LNCS},<br />
note = {To appear}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{RTV10,<br />
author = {Vincent Rijmen and Denis Toz and Kerem Varıcı},<br />
title = {Rebound Attack on Reduced-Round Versions of JH},<br />
url = {http://www.cosic.esat.kuleuven.be/publications/article-1431.pdf},<br />
booktitle = {FSE},<br />
year = {2010},<br />
series = {LNCS},<br />
note = {To appear}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{B08,<br />
author = {Nasour Bagheri},<br />
title = {Pseudo-collision and pseudo-second preimage on JH},<br />
url = {http://ehash.iaik.tugraz.at/uploads/a/a8/Jh1.txt}, <br />
howpublished = {NIST mailing list (local link)},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{MT08,<br />
author = {Florian Mendel and Søren S. Thomsen},<br />
title = {An Observation on JH-512},<br />
url = {http://ehash.iaik.tugraz.at/uploads/d/da/Jh_preimage.pdf}, <br />
howpublished = {Available online},<br />
year = {2008},<br />
abstract = {In this paper, we present a generic preimage attack on JH-512. We do not claim that our attack breaks JH-512 (due to the high memory requirements), but it uses some interesting properties in the design principles of JH-512 which do not exist in other hash functions, e.g., the SHA-2 family.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{W09,<br />
author = {Hongjun Wu},<br />
title = {The Complexity of Mendel and Thomsen's Preimage Attack on JH-512},<br />
url = {http://ehash.iaik.tugraz.at/uploads/6/6f/Jh_mt_complexity.pdf}, <br />
howpublished = {Available online},<br />
year = {2009},<br />
abstract = {Mendel and Thomsen gave a preimage attack on JH-512 by finding a preimage through the collision search over the space of $2^{1024}$ elements. However, they did not estimate the cost of the collision search which is the most expensive part in their attack. Our analysis shows that their attack requires at least $2^{510.3}$ compression function computations, $2^{510.6}$ memory ($2^{516.6}$ bytes), $2^{524}$ memory accesses and $2^{524}$ comparisons. Such complexity is far more expensive than brute force attack which requires $2^{512}$ compression function computations and almost no memory.},<br />
}<br />
</bibtex></div>Mschlaefferhttps://ehash.iaik.tugraz.at/index.php?title=The_SHA-3_Zoo&diff=3664The SHA-3 Zoo2010-12-13T07:10:21Z<p>Mschlaeffer: </p>
<hr />
<div>The SHA-3 Zoo (work in progress) is a collection of cryptographic hash functions (in alphabetical order) submitted to the [http://www.nist.gov/hash-competition SHA-3 contest] (see also [http://en.wikipedia.org/wiki/SHA-3 here]). It aims to provide an overview of design and cryptanalysis of all submissions. A list of all [[SHA-3 submitters]] is also available. For a software performance related overview, see [http://bench.cr.yp.to/ebash.html eBASH]. At a separate page, we also collect [[SHA-3_Hardware_Implementations | hardware implementation results]] of the candidates. Another categorization of the SHA-3 submissions can be found [http://eprint.iacr.org/2008/511.pdf here].<br />
<br><br><br />
The idea of the SHA-3 Zoo is to give a good overview of cryptanalytic results. We try to avoid additional judgement whether a submission is broken. The answer to this question is left to NIST. However, we categorize the cryptanalytic results by their impact from very theoretic to practical attacks. A detailed description is given in [[Cryptanalysis Categories]].<br />
<br />
At this time, 56 out of 64 submissions to the SHA-3 competition are publicly known and available. 51 submissions have advanced to [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/index.html round 1] and 14 submissions have made it into [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/index.html round 2].<br />
<br />
The following table should give a first impression on the remaining SHA-3 candidates. It shows only the best known attack, more detailed results are collected at the individual hash function pages. A description of the main table is given [[Cryptanalysis_Categories#Main_Cryptanalysis_Table | here]].<br />
<br />
[http://ehash.iaik.tugraz.at/index.php?title=Special:Recentchangeslinked&target=The_SHA-3_Zoo&days=7&limit=50&hideminor=1 Recent updates of the SHA-3 Zoo]<br />
<br />
[http://ehash.iaik.tugraz.at/uploads/c/ce/20090922-2230_SHA-3_round2_tweaks.pdf New: Round 2 tweaks for all candidates]<br />
<br />
<br />
<br />
The 5 finalists of the SHA-3 competition are:<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable" style="text-align:center"<br />
|- style="background:#efefef;"<br />
! width="120"| Hash Name !! width="160" | Principal Submitter !! width="150"| Best Attack on Main NIST Requirements !! width="140"| Best Attack on other Hash Requirements<br />
|-<br />
| [[BLAKE]] || Jean-Philippe Aumasson || ||<br />
|-<br />
| [[Groestl|Grøstl]] || Lars R. Knudsen || ||<br />
|-<br />
| [[JH]] || Hongjun Wu || style="background:greenyellow" | preimage ||<br />
|- <br />
| [[Keccak]] || The Keccak Team || ||<br />
|-<br />
| [[Skein]] || Bruce Schneier || ||<br />
|- <br />
|}<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
The following SHA-3 candidates advanced to round 2 but did not get into the final:<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable" style="text-align:center"<br />
|- style="background:#efefef;"<br />
! width="120"| Hash Name !! width="160" | Principal Submitter !! width="150"| Best Attack on Main NIST Requirements !! width="140"| Best Attack on other Hash Requirements<br />
|-<br />
| [[Blue Midnight Wish]] || Svein Johan Knapskog || ||<br />
|-<br />
| [[CubeHash]] || Daniel J. Bernstein || style="background:greenyellow" | preimage ||<br />
|-<br />
| [[ECHO]] || Henri Gilbert || ||<br />
|- <br />
| [[Fugue]] || Charanjit S. Jutla || ||<br />
|- <br />
| [[Hamsi]] || Özgül Küçük || ||<br />
|-<br />
| [[Luffa]] || Dai Watanabe || ||<br />
|-<br />
| [[Shabal]] || Jean-François Misarsky || ||<br />
|-<br />
| [[SHAvite-3]] || Orr Dunkelman || ||<br />
|-<br />
| [[SIMD]] || Gaëtan Leurent || ||<br />
|-<br />
|}<br />
<br />
<br />
<br />
<br />
<br />
The following submitted hash functions have not advanced to round 2:<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable" style="text-align:center"<br />
|- style="background:#efefef;"<br />
! width="120"| Hash Name !! width="160" | Principal Submitter !! width="120" | Status !! width="150"| Best Attack on Main NIST Requirements !! width="140"| Best Attack on other Hash Requirements<br />
|-<br />
| [[Abacus]] || Neil Sholer || in round 1 || style="background:orange" | 2nd-preimage ||<br />
|-<br />
| [[ARIRANG]] || Jongin Lim || in round 1 || ||<br />
|- <br />
| [[AURORA]] || Masahiro Fujita || in round 1|| style="background:orange"| 2nd preimage ||<br />
|-<br />
| [[Blender]] || Colin Bradbury || in round 1|| style="background:orange" | collision, preimage || near-collision<br />
|- <br />
| [[Boole]] || Greg Rose || in round 1 || style="background:red" | collision ||<br />
|- <br />
| [[Cheetah]] || Dmitry Khovratovich || in round 1|| || length-extension<br />
|-<br />
| [[CHI]] || Phillip Hawkes || in round 1|| ||<br />
|- <br />
| [[CRUNCH]] || Jacques Patarin || in round 1|| || length-extension<br />
|-<br />
| [[DCH]] || David A. Wilson || in round 1 || style="background:red" | collision ||<br />
|-<br />
| [[Dynamic SHA]] || Xu Zijie || in round 1|| style="background:red"|collision || length-extension <br />
|-<br />
| [[Dynamic SHA2]] || Xu Zijie || in round 1|| style="background:orange"|collision || length-extension<br />
|-<br />
| [[ECOH]] || Daniel R. L. Brown || in round 1|| style="background:orange"| 2nd preimage ||<br />
|-<br />
| [[Edon-R (SHA-3 submission)|Edon-R]] || Danilo Gligoroski || in round 1|| style="background:yellow" | preimage ||<br />
|-<br />
| [[EnRUPT]] || Sean O'Neil || in round 1|| style="background:red" | collision ||<br />
|- <br />
| [[ESSENCE]] || Jason Worth Martin || in round 1|| style="background:orange" | collision ||<br />
|-<br />
| [[FSB (SHA-3 submission) | FSB]] || Matthieu Finiasz || in round 1|| ||<br />
|-<br />
| [[HASH 2X]] || Jason Lee || not in round 1 || style="background:red" | 2nd-preimage ||<br />
|-<br />
| [[Khichidi-1]] || M. Vidyasagar || in round 1 || style="background:red" | collision ||<br />
|-<br />
| [[LANE]] || Sebastiaan Indesteege || in round 1|| ||<br />
|- <br />
| [[Lesamnta]] || Hirotaka Yoshida || in round 1|| ||<br />
|-<br />
| [[LUX]] || Ivica Nikolić || in round 1|| style="background:orange" | collision, 2nd preimage || DRBG,HMAC<br />
|- <br />
| [[Maraca]] || Robert J. Jenkins || not in round 1 || style="background:red" | preimage ||<br />
|- <br />
| [[MCSSHA-3]] || Mikhail Maslennikov || in round 1|| style="background:orange" | 2nd preimage ||<br />
|- <br />
| [[MD6]] || Ronald L. Rivest || in round 1|| ||<br />
|- <br />
| [[MeshHash]] || Björn Fay || in round 1 || style="background:orange" | 2nd preimage ||<br />
|- <br />
| [[NaSHA]] || Smile Markovski || in round 1|| style="background:orange" | collision ||<br />
|-<br />
| [[NKS2D]] || Geoffrey Park || not in round 1 || style="background:red" | collision ||<br />
|-<br />
| [[Ponic]] || Peter Schmidt-Nielsen || not in round 1 || style="background:yellow" | 2nd-preimage ||<br />
|-<br />
| [[SANDstorm]] || Rich Schroeppel || in round 1|| ||<br />
|-<br />
| [[Sarmal]] || Kerem Varıcı || in round 1|| style="background:yellow" | preimage ||<br />
|- <br />
| [[Sgàil]] || Peter Maxwell|| in round 1|| style="background:red" | collision ||<br />
|-<br />
| [[SHAMATA]] || Orhun Kara || in round 1 || style="background:red" | collision ||<br />
|-<br />
| [[Spectral Hash]] || Çetin Kaya Koç || in round 1|| style="background:red" | collision ||<br />
|-<br />
| [[StreamHash]] || Michal Trojnara || in round 1 || style="background:red" | collision ||<br />
|-<br />
| [[SWIFFTX]] || Daniele Micciancio || in round 1|| ||<br />
|-<br />
| [[Tangle]] || Rafael Alvarez || in round 1 || style="background:red" | collision ||<br />
|-<br />
| [[TIB3]] || Daniel Penazzi || in round 1|| style="background:yellow" | collision ||<br />
|-<br />
| [[Twister]] || Michael Gorski || in round 1|| style="background:orange" | preimage ||<br />
|- <br />
| [[Vortex (SHA-3 submission)|Vortex]] || Michael Kounavis || in round 1|| style="background:yellow" | preimage ||<br />
|-<br />
| [[WaMM]] || John Washburn || in round 1 || style="background:red" | collision ||<br />
|-<br />
| [[Waterfall]] || Bob Hattersley || in round 1 || style="background:orange" | collision ||<br />
|-<br />
| [[ZK-Crypt]] || Carmi Gressel || not in round 1 || ||<br />
|}<br />
<br />
<br />
<br />
Your analysis is not mentioned? Drop a line at sha3zoo@iaik.tugraz.at to let us know!</div>Mschlaefferhttps://ehash.iaik.tugraz.at/index.php?title=Hamsi&diff=3649Hamsi2010-12-07T09:04:51Z<p>Mschlaeffer: Cryptanalysis updated</p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Özgül Küçük<br />
* Website: [http://homes.esat.kuleuven.be/~okucuk/hamsi/ http://homes.esat.kuleuven.be/~okucuk/hamsi/]<br />
* NIST submission package: <br />
**round 1/2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/Hamsi_Round2.zip Hamsi_Round2.zip] (old versions: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/Hamsi.zip Hamsi.zip], [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/HamsiUpdate.zip HamsiUpdate.zip])<br />
<br />
<br />
<bibtex><br />
@misc{sha3Kucuk09,<br />
author = {Özgül Küçük},<br />
title = {The Hash Function Hamsi},<br />
url = {http://www.cosic.esat.kuleuven.be/publications/article-1203.pdf},<br />
howpublished = {Submission to NIST (updated)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3Kucuk08,<br />
author = {Özgül Küçük},<br />
title = {The Hash Function Hamsi},<br />
url = {http://ehash.iaik.tugraz.at/uploads/9/95/Hamsi.pdf},<br />
howpublished = {Submission to NIST},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
Recommended security parameters: '''(3,6)''' P,P<sub>f</sub> rounds (n=224,256); '''(6,12)''' P,P<sub>f</sub> rounds (n=384,512).<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the actual hash function. The only allowed modification is to change the security parameter.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| 2nd-preimage || hash function || 256 || (3,6) || 2<sup>247</sup> || ? || [http://eprint.iacr.org/2010/602.pdf Dinur,Shamir]<br />
|- <br />
| 2nd-preimage || hash function || 256 || (3,6) || 2<sup>251.3</sup> || ? || [http://dx.doi.org/10.1007/978-3-642-17373-8_2 Fuhr]<br />
|- <br />
|} <br />
<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks). <br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|-<br />
| distinguisher || output transformation || 256 || 6 rounds || 2<sup>10</sup> || - || [http://www-rocq.inria.fr/secret/Christina.Boura/data/sac.pdf Boura,Canteaut]<br />
|-<br />
| semi-free-start near-collision || compression function || 256 || 2 rounds || example || - || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/TURAN_Paper_Erdener.pdf Turan,Uyan]<br />
|-<br />
| observations || hash function || all || || || || [http://people.item.ntnu.no/~danilog/Hash/Non-random-behaviour-narrow-pipe-designs-03.pdf Gligoroski]<br />
|-<br />
| distinguisher || output transformation || 224, 256 || 6 rounds || 2<sup>124.3</sup> || || [http://131002.net/data/papers/AKKMOPS10.pdf Aumasson et al.]<br />
|-<br />
| distinguisher || permutation || 224, 256 || 6 rounds || 2<sup>28</sup> || || [http://131002.net/data/papers/AKKMOPS10.pdf Aumasson et al.]<br />
|-<br />
| free-start near-collision || compression function || 224, 256 || 3 rounds || 2<sup>26</sup> || || [http://131002.net/data/papers/AKKMOPS10.pdf Aumasson et al.]<br />
|-<br />
| non-randomness || compression function || 224, 256 || 5 rounds || || || [http://ehash.iaik.tugraz.at/uploads/d/db/Hamsi_nonrandomness.txt Aumasson]<br />
|-<br />
| free-start near-collision || compression function || 224, 256 || 3 rounds || 2<sup>21</sup> || || [http://rump2009.cr.yp.to/936779b3afb9b48a404b487d6865091d.pdf Nikolic]<br />
|-<br />
| distinguisher || compression function || 224, 256 || 6 rounds || 2<sup>27</sup> || || [http://www.131002.net/data/papers/AM09.pdf Aumasson,Meier]<br />
|-<br />
| distinguisher || compression function || 384, 512 || 12 rounds || 2<sup>729</sup> || || [http://www.131002.net/data/papers/AM09.pdf Aumasson,Meier]<br />
|-<br />
| free-start near-collision || compression function || 224, 256 || 3 rounds || 2<sup>5</sup> || || [http://eprint.iacr.org/2009/484.pdf Wang,Wang,Jia,Wang]<br />
|-<br />
| free-start near-collision || compression function || 224, 256 || 4 rounds || 2<sup>32</sup> || || [http://eprint.iacr.org/2009/484.pdf Wang,Wang,Jia,Wang]<br />
|-<br />
| free-start near-collision || compression function || 224, 256 || 5 rounds || 2<sup>125</sup> || || [http://eprint.iacr.org/2009/484.pdf Wang,Wang,Jia,Wang]<br />
|-<br />
| message-recovery || compression function || 224, 256 || 3 rounds || 2<sup>10.48</sup> || || [http://eprint.iacr.org/2010/057.pdf Calik,Turan]<br />
|-<br />
| pseudo-2nd-preimage || hash function || 256 || (3,6) rounds || 2<sup>254.25</sup> || || [http://eprint.iacr.org/2010/057.pdf Calik,Turan]<br />
|-<br />
|}<br />
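The notes above the JH and Hamsi "Building blocks" tables say that free-start, semi-free-start and pseudo attacks assume control over internal variables that a real message does not give. The following script is an added example, not code from the SHA-3 Zoo or from any candidate: it runs each attack model once against a constructed toy compression function (SHA-256 truncated to W=16 bits, with a made-up IV) and counts compression-function calls, so the cost gap between birthday-style collision searches and (pseudo-)preimage searches, and the extra preimage-cost step needed to lift a semi-free-start collision to a collision of the hash function itself, can be observed directly. All names (compress, hash_msg, collision_from, connect_to_iv, W, IV, the chosen chaining value 0x1234) are this example's own assumptions.<br />

```python
"""Attack models behind the cryptanalysis tables, on a toy compression function.

Added example, not code from the SHA-3 Zoo or from any candidate. The
compression function is a constructed stand-in (SHA-256 truncated to W bits)
so that the generic searches finish instantly; the relationships between the
models are those of any W-bit-chaining iterated hash.
"""
import hashlib
import itertools
import random

W = 16                      # bits of chaining value and message block (toy size)
NBYTES = W // 8
IV = 0x5A5A                 # fixed initial value of the hash (constructed)

calls = 0                   # number of compression-function evaluations so far


def compress(h, m):
    """Toy compression function f(h, m) -> W-bit chaining value."""
    global calls
    calls += 1
    data = h.to_bytes(NBYTES, "big") + m.to_bytes(NBYTES, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:NBYTES], "big")


def hash_msg(blocks):
    """Iterated hash: chain f from the fixed IV over the message blocks."""
    h = IV
    for m in blocks:
        h = compress(h, m)
    return h


def collision_from(h0):
    """Birthday search for m != m' with f(h0, m) == f(h0, m'), ~2^(W/2) calls.
    h0 == IV gives a real one-block collision of the hash; an attacker-chosen
    h0 gives only a semi-free-start collision of the compression function."""
    seen = {}
    for m in itertools.count():
        out = compress(h0, m)
        if out in seen:
            return seen[out], m
        seen[out] = m


def free_start_collision(seed=1):
    """Free-start: both chaining values are chosen, (h, m) != (h', m')."""
    rng, seen = random.Random(seed), {}
    while True:
        pair = (rng.getrandbits(W), rng.getrandbits(W))
        out = compress(*pair)
        if out in seen and seen[out] != pair:
            return seen[out], pair
        seen[out] = pair


def near_collision(h0, budget=256):
    """Among `budget` outputs, the pair whose outputs differ in the fewest bits.
    Reported the way the tables do: number of bits that agree, out of W."""
    outs = [(compress(h0, m), m) for m in range(budget)]
    dist, a, b = min((bin(x ^ y).count("1"), a, b)
                     for (x, a), (y, b) in itertools.combinations(outs, 2))
    return W - dist, a, b


def pseudo_preimage(target, seed=2):
    """Pseudo-preimage: any (h, m) with f(h, m) == target, h free.
    ~2^W calls, the square of the birthday bound."""
    rng = random.Random(seed)
    while True:
        h, m = rng.getrandbits(W), rng.getrandbits(W)
        if compress(h, m) == target:
            return h, m


def connect_to_iv(h0):
    """First block m0 with f(IV, m0) == h0, or None if h0 is unreachable.
    This preimage-cost step is what separates a semi-free-start result
    from a statement about the hash function itself."""
    for m0 in range(1 << W):
        if compress(IV, m0) == h0:
            return m0
    return None


def demo(h0=0x1234):
    """Run each model once; returns (result holds?, compression calls) per model."""
    global calls
    report = {}
    calls = 0
    m, m2 = collision_from(IV)
    n = calls
    report["collision"] = (m != m2 and hash_msg([m]) == hash_msg([m2]), n)

    calls = 0
    a, b = collision_from(h0)              # h0: attacker-chosen chaining value
    n = calls
    report["semi_free_start"] = (compress(h0, a) == compress(h0, b), n)
    calls = 0
    m0 = connect_to_iv(h0)                 # lifting to the hash costs up to 2^W
    n = calls
    lifted = m0 is not None and hash_msg([m0, a]) == hash_msg([m0, b])
    report["lifted"] = (lifted, n)

    calls = 0
    (h1, x1), (h2, x2) = free_start_collision()
    n = calls
    report["free_start"] = (compress(h1, x1) == compress(h2, x2), n)

    calls = 0
    agree, _, _ = near_collision(IV)
    report["near_collision"] = (agree, calls)

    target = hash_msg([0xBEEF])
    calls = 0
    h, x = pseudo_preimage(target)
    n = calls
    report["pseudo_preimage"] = (compress(h, x) == target, n)
    return report


if __name__ == "__main__":
    for model, result in demo().items():
        print(f"{model:16s} {result}")
```

Running the script prints one line per model. The collision, semi-free-start and free-start searches all finish after a few hundred calls, the pseudo-preimage search after tens of thousands, and "lifted" is True only when the chosen chaining value happens to have a one-block preimage from the IV, which is exactly the extra condition the tables do not grant a building-block result. Exact call counts depend on the truncated SHA-256 outputs and the fixed seeds, so they are not stated here.<br />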
<br />
<br />
<bibtex><br />
@misc{hamsiDS10,<br />
author = {Itai Dinur and Adi Shamir},<br />
title = {An Improved Algebraic Attack on Hamsi-256},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/602},<br />
year = {2010},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/2010/602.pdf},<br />
abstract = {Hamsi is one of the $14$ second-stage candidates in NIST's SHA-3 competition. The only previous attack on this hash function was a very marginal attack on its 256-bit version published by Thomas Fuhr at Asiacrypt $2010$, which is better than generic attacks only for very short messages of fewer than $100$ 32-bit blocks, and is only $26$ times faster than a straightforward exhaustive search attack. In this paper we describe a different algebraic attack which is less marginal: It is better than the best known generic attack for all practical message sizes (up to $4$ gigabytes), and it outperforms exhaustive search by a factor of at least $512$ for all messages with at least $40$ blocks. The attack is based on the observation that in order to discard a possible second preimage, it suffices to show that one of its hashed output bits is wrong. Since the output bits of the compression function of Hamsi-256 can be described by low degree polynomials, it is actually faster to compute a small number of output bits by a fast polynomial evaluation technique rather than via the official algorithm.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{sacBC10,<br />
author = {Christina Boura and Anne Canteaut},<br />
title = {Zero-Sum Distinguishers for Iterated Permutations and Application to Keccak-f and Hamsi-256},<br />
url = {http://www-rocq.inria.fr/secret/Christina.Boura/data/sac.pdf},<br />
booktitle = {SAC},<br />
year = {2010},<br />
series = {LNCS},<br />
publisher = {Springer},<br />
note = {To appear},<br />
abstract = {The zero-sum distinguishers introduced by Aumasson and Meier are investigated. First, the minimal size of a zero-sum is established. Then, we analyze the impacts of the linear and the nonlinear layers in an iterated permutation on the construction of zero-sum partitions. Finally, these techniques are applied to the Keccak-f permutation and to Hamsi-256. We exhibit several zero-sum partitions for 20 rounds (out of 24) of Keccak-f and some zero-sum partitions of size $2^{19}$ and $2^{10}$ for the finalization permutation in Hamsi-256.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{blakeTU10,<br />
author = {Meltem Sönmez Turan and Erdener Uyan},<br />
title = {Practical Near-Collisions for Reduced Round Blake, Fugue, Hamsi and JH},<br />
howpublished = {Second SHA-3 Candidate Conference},<br />
year = {2010},<br />
url = {http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/TURAN_Paper_Erdener.pdf},<br />
abstract = {A hash function is near-collision resistant, if it is hard to find two messages with hash values that differ in only a small number of bits. In this study, we use hill climbing methods to evaluate the near-collision resistance of some of the round SHA-3 candidates. We practically obtained (i) 184/256-bit near-collision for the 2-round compression function of Blake-32; (ii) 192/256-bit near-collision for the 2-round compression function of Hamsi-256; (iii) 820/1024-bit near-collisions for 10-round compression function of JH. We also observed practical collisions and near-collisions for reduced versions of F-256 function used in Fugue.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{Fuhr-asiacrypt10,<br />
author = {Thomas Fuhr},<br />
title = {Finding Second Preimages of Short Messages for Hamsi-256},<br />
url = {http://dx.doi.org/10.1007/978-3-642-17373-8_2},<br />
howpublished = {In Advances in Cryptology - ASIACRYPT 2010, Proceedings},<br />
editor = {Masayuki Abe},<br />
year = {2010},<br />
pages = {20-37},<br />
publisher = {Springer},<br />
series = {Lecture Notes in Computer Science},<br />
volume = {6477}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{hamsiGli10,<br />
author = {Danilo Gligoroski},<br />
title = {Narrow-pipe SHA-3 candidates differ significantly from ideal random functions defined over big domains},<br />
url = {http://people.item.ntnu.no/~danilog/Hash/Non-random-behaviour-narrow-pipe-designs-03.pdf},<br />
howpublished = {NIST mailing list},<br />
year = {2010},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{acispAKKMOPS10,<br />
author = {Jean-Philippe Aumasson and Emilia Käsper and Lars Ramkilde Knudsen and Krystian Matusiewicz and Rune Ødegaard and Thomas Peyrin and Martin Schläffer},<br />
title = {Distinguishers for the compression function and output transformation of Hamsi-256},<br />
url = {http://131002.net/data/papers/AKKMOPS10.pdf},<br />
booktitle = {ACISP},<br />
year = {2010},<br />
series = {LNCS},<br />
publisher = {Springer},<br />
pages = {87-103},<br />
volume = {6168},<br />
abstract = {Hamsi is one of 14 remaining candidates in NIST’s Hash Competition for the future hash standard SHA-3. Until now, little analysis has been published on its resistance to differential cryptanalysis, the main technique used to attack hash functions. We present a study of Hamsi’s resistance to differential and higher-order differential cryptanalysis, with focus on the 256-bit version of Hamsi. Our main results are efficient distinguishers and near-collisions for its full (3-round) compression function, and distinguishers for its full (6-round) finalization function, indicating that Hamsi’s building blocks do not behave ideally.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{hamsiAum09,<br />
author = {Jean-Philippe Aumasson},<br />
title = {On the pseudorandomness of Hamsi},<br />
url = {http://ehash.iaik.tugraz.at/uploads/d/db/Hamsi_nonrandomness.txt},<br />
howpublished = {NIST mailing list (local link)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{hamsiN09,<br />
author = {Ivica Nikolic},<br />
title = {Near Collisions for the Compression Function of Hamsi-256},<br />
url = {http://rump2009.cr.yp.to/936779b3afb9b48a404b487d6865091d.pdf},<br />
howpublished = {CRYPTO rump session},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{hamsiAM9,<br />
author = {Jean-Philippe Aumasson and Willi Meier},<br />
title = {Zero-sum distinguishers for reduced Keccak-f and for the core functions of Luffa and Hamsi},<br />
url = {http://www.131002.net/data/papers/AM09.pdf},<br />
howpublished = {NIST mailing list},<br />
year = {2009},<br />
abstract = {We present a new type of distinguisher, called zero-sum distinguisher, and apply it to reduced versions of the Keccak-f permutation. We obtain practical and deterministic distinguishers on up to 9 rounds, and shortcut distinguishers on up to 16 rounds, out of 18 in total. These observations do not seem to affect the security of Keccak. We also briefly describe application of zero-sum distinguishers to the core permutations of Luffa and Hamsi.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{hamsiWWJW09,<br />
author = {Meiqin Wang and Xiaoyun Wang and Keting Jia and Wei Wang},<br />
title = {New Pseudo-Near-Collision Attack on Reduced-Round of Hamsi-256},<br />
howpublished = {Cryptology ePrint Archive, Report 2009/484},<br />
year = {2009},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/2009/484.pdf},<br />
abstract = {Hamsi-256 is designed by Özgül Küçük and it has been a candidate Hash function for the second round of SHA-3. The compression function of Hamsi-256 maps a 256-bit chaining value and a 32-bit message to a new 256-bit chaining value. As hashing a message, Hamsi-256 operates 3-round except for the last message it operates 6-round. In this paper, we will give the pseudo-near-collision for 5-round Hamsi-256. By the message modifying, the pseudo-near-collision for 3, 4 and 5 rounds can be found with $2^5$, $2^{32}$ and $2^{125}$ compression function computations respectively.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{hamsiCT10,<br />
author = {Cagdas Calik and Meltem Sonmez Turan},<br />
title = {Message Recovery and Pseudo-Preimage Attacks on the Compression Function of Hamsi-256},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/057},<br />
year = {2010},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/2010/057.pdf},<br />
abstract = {Hamsi is one of the second round candidates of the SHA-3 competition. In this study, we present non-random differential properties for the compression function of the hash function Hamsi-256. Based on these properties, we first demonstrate a distinguishing attack that requires a few evaluations of the compression function and extend the distinguisher to 5 rounds with complexity $2^{83}$. Then, we present a message recovery attack with complexity of $2^{10.48}$ compression function evaluations. Also, we present a pseudo-preimage attack for the compression function with complexity $2^{254.25}$. The pseudo-preimage attack on the compression function is easily converted to a pseudo second preimage attack on Hamsi-256 hash function with the same complexity.},<br />
}<br />
</bibtex></div>Mschlaefferhttps://ehash.iaik.tugraz.at/index.php?title=Hamsi&diff=3648Hamsi2010-12-07T09:00:27Z<p>Mschlaeffer: Cryptanalysis updated</p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Özgül Küçük<br />
* Website: [http://homes.esat.kuleuven.be/~okucuk/hamsi/ http://homes.esat.kuleuven.be/~okucuk/hamsi/]<br />
* NIST submission package: <br />
**round 1/2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/Hamsi_Round2.zip Hamsi_Round2.zip] (old versions: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/Hamsi.zip Hamsi.zip], [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/HamsiUpdate.zip HamsiUpdate.zip])<br />
<br />
<br />
<bibtex><br />
@misc{sha3Kucuk09,<br />
author = {Özgül Küçük},<br />
title = {The Hash Function Hamsi},<br />
url = {http://www.cosic.esat.kuleuven.be/publications/article-1203.pdf},<br />
howpublished = {Submission to NIST (updated)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3Kucuk08,<br />
author = {Özgül Küçük},<br />
title = {The Hash Function Hamsi},<br />
url = {http://ehash.iaik.tugraz.at/uploads/9/95/Hamsi.pdf},<br />
howpublished = {Submission to NIST},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
Recommended security parameters: '''(3,6)''' P,P<sub>f</sub> rounds (n=224,256); '''(6,12)''' P,P<sub>f</sub> rounds (n=384,512).<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the actual hash function. The only allowed modification is to change the security parameter.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| 2nd-preimage || hash function || 256 || (3,6) || 2<sup>251.3</sup> || ? || [http://dx.doi.org/10.1007/978-3-642-17373-8_2 Fuhr]<br />
|- <br />
|} <br />
<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks). <br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|-<br />
| distinguisher || output transformation || 256 || 6 rounds || 2<sup>10</sup> || - || [http://www-rocq.inria.fr/secret/Christina.Boura/data/sac.pdf Boura,Canteaut]<br />
|-<br />
| semi-free-start near-collisions || compression function || 256 || 2 rounds || example || - || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/TURAN_Paper_Erdener.pdf Turan,Uyan]<br />
|-<br />
| observations || hash function || all || || || || [http://people.item.ntnu.no/~danilog/Hash/Non-random-behaviour-narrow-pipe-designs-03.pdf Gligoroski]<br />
|-<br />
| distinguisher || output transformation || 224, 256 || 6 rounds || 2<sup>124.3</sup> || || [http://131002.net/data/papers/AKKMOPS10.pdf Aumasson et al.]<br />
|-<br />
| distinguisher || permutation || 224, 256 || 6 rounds || 2<sup>28</sup> || || [http://131002.net/data/papers/AKKMOPS10.pdf Aumasson et al.]<br />
|-<br />
| free-start near-collision || compression function || 224, 256 || 3 rounds || 2<sup>26</sup> || || [http://131002.net/data/papers/AKKMOPS10.pdf Aumasson et al.]<br />
|-<br />
| non-randomness || compression function || 224, 256 || 5 rounds || || || [http://ehash.iaik.tugraz.at/uploads/d/db/Hamsi_nonrandomness.txt Aumasson]<br />
|-<br />
| free-start near-collision || compression function || 224, 256 || 3 rounds || 2<sup>21</sup> || || [http://rump2009.cr.yp.to/936779b3afb9b48a404b487d6865091d.pdf Nikolic]<br />
|-<br />
| distinguisher || compression function || 224, 256 || 6 rounds || 2<sup>27</sup> || || [http://www.131002.net/data/papers/AM09.pdf Aumasson,Meier]<br />
|-<br />
| distinguisher || compression function || 384, 512 || 12 rounds || 2<sup>729</sup> || || [http://www.131002.net/data/papers/AM09.pdf Aumasson,Meier]<br />
|-<br />
| free-start near-collision || compression function || 224, 256 || 3 rounds || 2<sup>5</sup> || || [http://eprint.iacr.org/2009/484.pdf Wang,Wang,Jia,Wang]<br />
|-<br />
| free-start near-collision || compression function || 224, 256 || 4 rounds || 2<sup>32</sup> || || [http://eprint.iacr.org/2009/484.pdf Wang,Wang,Jia,Wang]<br />
|-<br />
| free-start near-collision || compression function || 224, 256 || 5 rounds || 2<sup>125</sup> || || [http://eprint.iacr.org/2009/484.pdf Wang,Wang,Jia,Wang]<br />
|-<br />
| message-recovery || compression function || 224, 256 || 3 rounds || 2<sup>10.48</sup> || || [http://eprint.iacr.org/2010/057.pdf Calik,Turan]<br />
|-<br />
| pseudo-2nd-preimage || hash function || 256 || (3,6) rounds || 2<sup>254.25</sup> || || [http://eprint.iacr.org/2010/057.pdf Calik,Turan]<br />
|-<br />
|}<br />
<br />
<br />
<bibtex><br />
@inproceedings{sacBC10,<br />
author = {Christina Boura, Anne Canteaut},<br />
title = {Zero-Sum Distinguishers for Iterated Permutations and Application to Keccak-f and Hamsi-256},<br />
url = {http://www-rocq.inria.fr/secret/Christina.Boura/data/sac.pdf},<br />
booktitle = {SAC},<br />
year = {2010},<br />
series = {LNCS},<br />
publisher = {Springer},<br />
note = {To appear},<br />
abstract = {The zero-sum distinguishers introduced by Aumasson and Meier are investigated. First, the minimal size of a zero-sum is established. Then, we analyze the impacts of the linear and the nonlinear layers in an iterated permutation on the construction of zero-sum partitions. Finally, these techniques are applied to the Keccak-f permutation and to Hamsi-256. We exhibit several zero-sum partitions for 20 rounds (out of 24) of Keccak-f and some zero-sum partitions of size $2^{19}$ and $2^{10}$ for the finalization permutation in Hamsi-256.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{blakeTU10,<br />
author = {Meltem Sönmez Turan, Erdener Uyan},<br />
title = {Practical Near-Collisions for Reduced Round Blake, Fugue, Hamsi and JH},<br />
howpublished = {Second SHA-3 Candidate Conference},<br />
year = {2010},<br />
url = {http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/TURAN_Paper_Erdener.pdf},<br />
abstract = {A hash function is near-collision resistant, if it is hard to find two messages with hash values that differ in only a small number of bits. In this study, we use hill climbing methods to evaluate the near-collision resistance of some of the round SHA-3 candidates. We practically obtained (i) 184/256-bit near-collision for the 2-round compression function of Blake-32; (ii) 192/256-bit near-collision for the 2-round compression function of Hamsi-256; (iii) 820/1024-bit near-collisions for 10-round compression function of JH. We also observed practical collisions and near-collisions for reduced versions of F-256 function used in Fugue.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{Fuhr-asiacrypt10,<br />
author = {Thomas Fuhr},<br />
title = {Finding Second Preimages of Short Messages for Hamsi-256},<br />
url = {http://dx.doi.org/10.1007/978-3-642-17373-8_2},<br />
booktitle = {ASIACRYPT},<br />
editor = {Masayuki Abe},<br />
year = {2010},<br />
pages = {20-37},<br />
publisher = {Springer},<br />
series = {Lecture Notes in Computer Science},<br />
volume = {6477}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{hamsiGli10,<br />
author = {Danilo Gligoroski},<br />
title = {Narrow-pipe SHA-3 candidates differ significantly from ideal random functions defined over big domains},<br />
url = {http://people.item.ntnu.no/~danilog/Hash/Non-random-behaviour-narrow-pipe-designs-03.pdf},<br />
howpublished = {NIST mailing list},<br />
year = {2010},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{acispAKKMOPS10,<br />
author = {Jean-Philippe Aumasson, Emilia Käsper, Lars Ramkilde Knudsen, Krystian Matusiewicz, Rune Ødegaard, Thomas Peyrin, Martin Schläffer},<br />
title = {Distinguishers for the compression function and output transformation of Hamsi-256},<br />
url = {http://131002.net/data/papers/AKKMOPS10.pdf},<br />
booktitle = {ACISP},<br />
year = {2010},<br />
series = {LNCS},<br />
publisher = {Springer},<br />
pages = {87-103},<br />
volume = {6168},<br />
abstract = {Hamsi is one of 14 remaining candidates in NIST’s Hash Competition for the future hash standard SHA-3. Until now, little analysis has been published on its resistance to differential cryptanalysis, the main technique used to attack hash functions. We present a study of Hamsi’s resistance to differential and higher-order differential cryptanalysis, with focus on the 256-bit version of Hamsi. Our main results are efficient distinguishers and near-collisions for its full (3-round) compression function, and distinguishers for its full (6-round) finalization function, indicating that Hamsi’s building blocks do not behave ideally.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{hamsiAum09,<br />
author = {Jean-Philippe Aumasson},<br />
title = {On the pseudorandomness of Hamsi},<br />
url = {http://ehash.iaik.tugraz.at/uploads/d/db/Hamsi_nonrandomness.txt},<br />
howpublished = {NIST mailing list (local link)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{hamsiN09,<br />
author = {Ivica Nikolic},<br />
title = {Near Collisions for the Compression Function of Hamsi-256},<br />
url = {http://rump2009.cr.yp.to/936779b3afb9b48a404b487d6865091d.pdf},<br />
howpublished = {CRYPTO rump session},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{hamsiAM09,<br />
author = {Jean-Philippe Aumasson and Willi Meier},<br />
title = {Zero-sum distinguishers for reduced Keccak-f and for the core functions of Luffa and Hamsi},<br />
url = {http://www.131002.net/data/papers/AM09.pdf},<br />
howpublished = {NIST mailing list},<br />
year = {2009},<br />
abstract = {We present a new type of distinguisher, called zero-sum distinguisher, and apply it to reduced versions of the Keccak-f permutation. We obtain practical and deterministic distinguishers on up to 9 rounds, and shortcut distinguishers on up to 16 rounds, out of 18 in total. These observations do not seem to affect the security of Keccak. We also briefly describe application of zero-sum distinguishers to the core permutations of Luffa and Hamsi.},<br />
}<br />
</bibtex><br />
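The zero-sum distinguishers in the Aumasson-Meier and Boura-Canteaut entries above rest on one fact: if every output bit of a permutation has algebraic degree at most d as a Boolean function of the input, then XOR-summing the outputs over any affine subspace of dimension d+1 gives zero, and, applied inside-out from a middle state, the same holds for the matching inputs. The following Python example is added here for illustration; it is not code from the SHA-3 Zoo or from any of the cited papers, and it works on a constructed 16-bit toy SPN (the 4-bit S-box table is the PRESENT one, the bit permutation is made up), not on Hamsi. The S-box degree is computed from its ANF rather than assumed, and the size of the zero-sum set follows from that computed degree bound alone, so it is unrelated to the Hamsi-256 figures in the table.<br />

```python
"""Zero-sum (higher-order differential) distinguisher on a constructed toy SPN.

Added illustration, not code from the SHA-3 Zoo or the cited papers.
Toy cipher: 16-bit state, four 4-bit S-boxes, one bit permutation per round.
"""
import random

N_BITS = 16
# Constructed toy S-box: the 4-bit PRESENT S-box table (any bijection would do).
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
SBOX_INV = [SBOX.index(v) for v in range(16)]
# Constructed bit permutation: bit i moves to 4*i mod 15, bit 15 stays put
# (a bijection on 0..14 because gcd(4, 15) = 1).
PBOX = [(4 * i) % 15 if i != 15 else 15 for i in range(N_BITS)]
PBOX_INV = [PBOX.index(j) for j in range(N_BITS)]


def algebraic_degree(table, n):
    """Algebraic degree of an n-bit-to-n-bit lookup table: the maximum ANF degree
    over its output coordinate functions, obtained with the Moebius transform."""
    deg = 0
    for bit in range(n):
        anf = [(table[x] >> bit) & 1 for x in range(1 << n)]
        for i in range(n):
            for x in range(1 << n):
                if x & (1 << i):
                    anf[x] ^= anf[x ^ (1 << i)]
        deg = max([deg] + [bin(x).count("1") for x in range(1 << n) if anf[x]])
    return deg


def sbox_layer(s, box):
    """Apply `box` to each of the four nibbles of the 16-bit state `s`."""
    return sum(box[(s >> (4 * j)) & 0xF] << (4 * j) for j in range(4))


def permute_bits(s, pbox):
    """Move bit i of `s` to position pbox[i]."""
    out = 0
    for i in range(N_BITS):
        if (s >> i) & 1:
            out |= 1 << pbox[i]
    return out


def round_fwd(s):
    return permute_bits(sbox_layer(s, SBOX), PBOX)


def round_inv(s):
    return sbox_layer(permute_bits(s, PBOX_INV), SBOX_INV)


def apply_rounds(s, rounds):
    for _ in range(rounds):
        s = round_fwd(s)
    return s


def affine_subspace(base, dim):
    """The 2^dim states base XOR v, v ranging over the low `dim` bit positions."""
    return [base ^ v for v in range(1 << dim)]


def xor_all(values):
    acc = 0
    for v in values:
        acc ^= v
    return acc


def zero_sum_partition(rounds_back, rounds_fwd, middle_base=0x1234):
    """Inside-out zero-sum set for a (rounds_back + rounds_fwd)-round permutation.

    Every output bit of r rounds has degree at most deg(S)^r in the state the
    rounds start from (the bit permutation is linear), so summing over an affine
    subspace of the *middle* state whose dimension exceeds both the forward and
    the backward bound makes the derived inputs and outputs both XOR to zero.
    Returns (dim, xor_of_inputs, xor_of_outputs, inputs, outputs).
    """
    bound_fwd = algebraic_degree(SBOX, 4) ** rounds_fwd
    bound_back = algebraic_degree(SBOX_INV, 4) ** rounds_back
    dim = min(N_BITS, max(bound_fwd, bound_back) + 1)
    inputs, outputs = [], []
    for m in affine_subspace(middle_base, dim):
        x = m
        for _ in range(rounds_back):
            x = round_inv(x)
        inputs.append(x)
        outputs.append(apply_rounds(m, rounds_fwd))
    return dim, xor_all(inputs), xor_all(outputs), inputs, outputs


def random_permutation_output_sum(dim, seed=1):
    """Same-size affine input set through a seeded random 16-bit permutation:
    the output XOR is zero only with probability 2^-16, which is what separates
    the structured permutation from an ideal one."""
    rng = random.Random(seed)
    perm = list(range(1 << N_BITS))
    rng.shuffle(perm)
    return xor_all(perm[x] for x in affine_subspace(0, dim))


if __name__ == "__main__":
    dim, xin, xout, ins, outs = zero_sum_partition(rounds_back=1, rounds_fwd=2)
    print(f"zero-sum set of size 2^{dim}: xor(inputs)={xin:#06x} xor(outputs)={xout:#06x}")
    print(f"random permutation, same set size: {random_permutation_output_sum(dim):#06x}")
```

With one round backwards and two forwards the computed degree bound is deg(S)<sup>2</sup>, so the set has 2<sup>deg(S)^2+1</sup> elements and both XOR sums are exactly zero, while the random permutation almost surely returns a nonzero output sum on a set of the same size. Growing the number of rounds raises the bound exponentially, which is why such distinguishers reach only a limited number of rounds before the set size exceeds the state size.<br />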
<br />
<bibtex><br />
@misc{hamsiWWJW09,<br />
author = {Meiqin Wang, Xiaoyun Wang, Keting Jia, Wei Wang},<br />
title = {New Pseudo-Near-Collision Attack on Reduced-Round of Hamsi-256},<br />
howpublished = {Cryptology ePrint Archive, Report 2009/484},<br />
year = {2009},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/2009/484.pdf},<br />
abstract = {Hamsi-256 is designed by Özgül Kücük and it has been a candidate Hash function for the second round of SHA-3. The compression function of Hamsi-256 maps a 256-bit chaining value and a 32-bit message to a new 256-bit chaining value. As hashing a message, Hamsi-256 operates 3-round except for the last message it operates 6-round. In this paper, we will give the pseudo-near-collision for 5-round Hamsi-256. By the message modifying, the pseudo-near-collision for 3, 4 and 5 rounds can be found with $2^5$, $2^{32}$ and $2^{125}$ compression function computations respectively.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{hamsiCT10,<br />
author = {Cagdas Calik and Meltem Sonmez Turan},<br />
title = {Message Recovery and Pseudo-Preimage Attacks on the Compression Function of Hamsi-256},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/057},<br />
year = {2010},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/2010/057.pdf},<br />
abstract = {Hamsi is one of the second round candidates of the SHA-3 competition. In this study, we present non-random differential properties for the compression function of the hash function Hamsi-256. Based on these properties, we first demonstrate a distinguishing attack that requires a few evaluations of the compression function and extend the distinguisher to 5 rounds with complexity 2^83. Then, we present a message recovery attack with complexity of 2^10.48 compression function evaluations. Also, we present a pseudo-preimage attack for the compression function with complexity 2^254.25. The pseudo-preimage attack on the compression function is easily converted to a pseudo second preimage attack on Hamsi-256 hash function with the same complexity.},<br />
}<br />
</bibtex></div>Mschlaefferhttps://ehash.iaik.tugraz.at/index.php?title=Hamsi&diff=3647Hamsi2010-12-06T17:03:51Z<p>Mschlaeffer: Cryptanalysis updated</p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Özgül Küçük<br />
* Website: [http://homes.esat.kuleuven.be/~okucuk/hamsi/ http://homes.esat.kuleuven.be/~okucuk/hamsi/]<br />
* NIST submission package: <br />
**round 1/2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/Hamsi_Round2.zip Hamsi_Round2.zip] (old versions: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/Hamsi.zip Hamsi.zip], [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/HamsiUpdate.zip HamsiUpdate.zip])<br />
<br />
<br />
<bibtex><br />
@misc{sha3Kucuk09,<br />
author = {Özgül Küçük},<br />
title = {The Hash Function Hamsi},<br />
url = {http://www.cosic.esat.kuleuven.be/publications/article-1203.pdf},<br />
howpublished = {Submission to NIST (updated)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3Kucuk08,<br />
author = {Özgül Küçük},<br />
title = {The Hash Function Hamsi},<br />
url = {http://ehash.iaik.tugraz.at/uploads/9/95/Hamsi.pdf},<br />
howpublished = {Submission to NIST},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
Recommended security parameters: '''(3,6)''' P,P<sub>f</sub> rounds (n=224,256); '''(6,12)''' P,P<sub>f</sub> rounds (n=384,512).<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the actual hash function. The only allowed modification is to change the security parameter.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| 2nd-preimage || hash function || 256 || (3,6) || 2<sup>251.3</sup> || ? || [http://dx.doi.org/10.1007/978-3-642-17373-8_2 Fuhr]<br />
|- <br />
|} <br />
<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks). <br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|-<br />
| semi-free-start near-collisions || compression function || 256 || 2 rounds || example || - || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/TURAN_Paper_Erdener.pdf Turan,Uyan]<br />
|-<br />
| observations || hash function || all || || || || [http://people.item.ntnu.no/~danilog/Hash/Non-random-behaviour-narrow-pipe-designs-03.pdf Gligoroski]<br />
|-<br />
| non-randomness || compression function || 224, 256 || 5 rounds || || || [http://ehash.iaik.tugraz.at/uploads/d/db/Hamsi_nonrandomness.txt Aumasson]<br />
|-<br />
| near-collision || compression function || 224, 256 || 3 rounds || 2<sup>21</sup> || || [http://rump2009.cr.yp.to/936779b3afb9b48a404b487d6865091d.pdf Nikolic]<br />
|-<br />
| distinguisher || compression function || 224, 256 || 6 rounds || 2<sup>27</sup> || || [http://www.131002.net/data/papers/AM09.pdf Aumasson,Meier]<br />
|-<br />
| distinguisher || compression function || 384, 512 || 12 rounds || 2<sup>729</sup> || || [http://www.131002.net/data/papers/AM09.pdf Aumasson,Meier]<br />
|-<br />
| near-collision || compression function || 224, 256 || 3 rounds || 2<sup>5</sup> || || [http://eprint.iacr.org/2009/484.pdf Wang,Wang,Jia,Wang]<br />
|-<br />
| near-collision || compression function || 224, 256 || 4 rounds || 2<sup>32</sup> || || [http://eprint.iacr.org/2009/484.pdf Wang,Wang,Jia,Wang]<br />
|-<br />
| near-collision || compression function || 224, 256 || 5 rounds || 2<sup>125</sup> || || [http://eprint.iacr.org/2009/484.pdf Wang,Wang,Jia,Wang]<br />
|-<br />
| message-recovery || compression function || 224, 256 || 3 rounds || 2<sup>10.48</sup> || || [http://eprint.iacr.org/2010/057.pdf Calik,Turan]<br />
|-<br />
| pseudo-2nd-preimage || hash function || 256 || (3,6) rounds || 2<sup>254.25</sup> || || [http://eprint.iacr.org/2010/057.pdf Calik,Turan]<br />
|-<br />
|}<br />
<br />
<br />
<bibtex><br />
@misc{blakeTU10,<br />
author = {Meltem Sönmez Turan, Erdener Uyan},<br />
title = {Practical Near-Collisions for Reduced Round Blake, Fugue, Hamsi and JH},<br />
howpublished = {Second SHA-3 Candidate Conference},<br />
year = {2010},<br />
url = {http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/TURAN_Paper_Erdener.pdf},<br />
abstract = {A hash function is near-collision resistant, if it is hard to find two messages with hash values that differ in only a small number of bits. In this study, we use hill climbing methods to evaluate the near-collision resistance of some of the round SHA-3 candidates. We practically obtained (i) 184/256-bit near-collision for the 2-round compression function of Blake-32; (ii) 192/256-bit near-collision for the 2-round compression function of Hamsi-256; (iii) 820/1024-bit near-collisions for 10-round compression function of JH. We also observed practical collisions and near-collisions for reduced versions of F-256 function used in Fugue.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{Fuhr-asiacrypt10,<br />
author = {Thomas Fuhr},<br />
title = {Finding Second Preimages of Short Messages for Hamsi-256},<br />
url = {http://dx.doi.org/10.1007/978-3-642-17373-8_2},<br />
booktitle = {ASIACRYPT},<br />
editor = {Masayuki Abe},<br />
year = {2010},<br />
pages = {20-37},<br />
publisher = {Springer},<br />
series = {Lecture Notes in Computer Science},<br />
volume = {6477}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{hamsiGli10,<br />
author = {Danilo Gligoroski},<br />
title = {Narrow-pipe SHA-3 candidates differ significantly from ideal random functions defined over big domains},<br />
url = {http://people.item.ntnu.no/~danilog/Hash/Non-random-behaviour-narrow-pipe-designs-03.pdf},<br />
howpublished = {NIST mailing list},<br />
year = {2010},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{hamsiAum09,<br />
author = {Jean-Philippe Aumasson},<br />
title = {On the pseudorandomness of Hamsi},<br />
url = {http://ehash.iaik.tugraz.at/uploads/d/db/Hamsi_nonrandomness.txt},<br />
howpublished = {NIST mailing list (local link)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{hamsiN09,<br />
author = {Ivica Nikolic},<br />
title = {Near Collisions for the Compression Function of Hamsi-256},<br />
url = {http://rump2009.cr.yp.to/936779b3afb9b48a404b487d6865091d.pdf},<br />
howpublished = {CRYPTO rump session},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{hamsiAM09,<br />
author = {Jean-Philippe Aumasson and Willi Meier},<br />
title = {Zero-sum distinguishers for reduced Keccak-f and for the core functions of Luffa and Hamsi},<br />
url = {http://www.131002.net/data/papers/AM09.pdf},<br />
howpublished = {NIST mailing list},<br />
year = {2009},<br />
abstract = {We present a new type of distinguisher, called zero-sum distinguisher, and apply it to reduced versions of the Keccak-f permutation. We obtain practical and deterministic distinguishers on up to 9 rounds, and shortcut distinguishers on up to 16 rounds, out of 18 in total. These observations do not seem to affect the security of Keccak. We also briefly describe application of zero-sum distinguishers to the core permutations of Luffa and Hamsi.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{hamsiWWJW09,<br />
author = {Meiqin Wang, Xiaoyun Wang, Keting Jia, Wei Wang},<br />
title = {New Pseudo-Near-Collision Attack on Reduced-Round of Hamsi-256},<br />
howpublished = {Cryptology ePrint Archive, Report 2009/484},<br />
year = {2009},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/2009/484.pdf},<br />
abstract = {Hamsi-256 is designed by Özgül Kücük and it has been a candidate Hash function for the second round of SHA-3. The compression function of Hamsi-256 maps a 256-bit chaining value and a 32-bit message to a new 256-bit chaining value. As hashing a message, Hamsi-256 operates 3-round except for the last message it operates 6-round. In this paper, we will give the pseudo-near-collision for 5-round Hamsi-256. By the message modifying, the pseudo-near-collision for 3, 4 and 5 rounds can be found with $2^5$, $2^{32}$ and $2^{125}$ compression function computations respectively.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{hamsiCT10,<br />
author = {Cagdas Calik and Meltem Sonmez Turan},<br />
title = {Message Recovery and Pseudo-Preimage Attacks on the Compression Function of Hamsi-256},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/057},<br />
year = {2010},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/2010/057.pdf},<br />
abstract = {Hamsi is one of the second round candidates of the SHA-3 competition. In this study, we present non-random differential properties for the compression function of the hash function Hamsi-256. Based on these properties, we first demonstrate a distinguishing attack that requires a few evaluations of the compression function and extend the distinguisher to 5 rounds with complexity 2^83. Then, we present a message recovery attack with complexity of 2^10.48 compression function evaluations. Also, we present a pseudo-preimage attack for the compression function with complexity 2^254.25. The pseudo-preimage attack on the compression function is easily converted to a pseudo second preimage attack on Hamsi-256 hash function with the same complexity.},<br />
}<br />
</bibtex></div>Mschlaefferhttps://ehash.iaik.tugraz.at/index.php?title=Fugue&diff=3646Fugue2010-12-06T17:02:15Z<p>Mschlaeffer: Cryptanalysis updated</p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Shai Halevi and William E. Hall and Charanjit S. Jutla<br />
* Website: [http://domino.research.ibm.com/comm/research_projects.nsf/pages/fugue.index.html http://domino.research.ibm.com/comm/research_projects.nsf/pages/fugue.index.html]<br />
* NIST submission package: <br />
** round 1/2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/Fugue_Round2_Update.zip Fugue_Round2_Update.zip] (old versions: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/Fugue.zip Fugue.zip], [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/FugueUpdate.zip FugueUpdate.zip], [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/Fugue_Round2.zip Fugue_Round2.zip])<br />
<br />
<br />
<bibtex><br />
@misc{sha3Halevi09,<br />
author = {Shai Halevi and William E. Hall and Charanjit S. Jutla},<br />
title = {The Hash Function Fugue},<br />
url = {http://domino.research.ibm.com/comm/research_projects.nsf/pages/fugue.index.html/$FILE/fugue_09.pdf},<br />
howpublished = {Submission to NIST (updated)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3Halevi08,<br />
author = {Shai Halevi and William E. Hall and Charanjit S. Jutla},<br />
title = {The Hash Function Fugue},<br />
url = {http://domino.research.ibm.com/comm/research_projects.nsf/pages/fugue.index.html/$FILE/NIST-submission-Oct08-fugue.pdf},<br />
howpublished = {Submission to NIST},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
Recommended security parameters: (k,r,t) = '''(2,5,13)''' for (n=224,256); (k,r,t) = '''(3,5,13)''' for (n=384); (k,r,t) = '''(4,8,13)''' for (n=512)<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|-<br />
| || || || || || <br />
|- <br />
|} <br />
<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks).<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| semi-free-start collision || compression function || 256 || (2,1,5) || example || - || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/TURAN_Paper_Erdener.pdf Turan,Uyan]<br />
|- <br />
| semi-free-start near-collision || compression function || 256 || (2,2,10) || example || - || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/TURAN_Paper_Erdener.pdf Turan,Uyan]<br />
|- <br />
| distinguisher<sup>(1)</sup> || output transformation || 256 || || 1 || - || [http://ehash.iaik.tugraz.at/uploads/c/cd/Fugue_path.pdf Aumasson,Phan]<br />
|- <br />
| internal collision || hash function || 256 || (2,5,13) || 2<sup>352</sup> || 2<sup>352</sup> || [http://cryptolux.org/mediawiki/uploads/9/99/Struct2.pdf Khovratovich]<br />
|-<br />
| internal collision || hash function || 512 || (4,8,13) || 2<sup>480</sup> || 2<sup>480</sup> || [http://cryptolux.org/mediawiki/uploads/9/99/Struct2.pdf Khovratovich]<br />
|- <br />
|}<br />
<sup>(1)</sup>The Fugue team commented on these distinguishers in [http://ehash.iaik.tugraz.at/uploads/d/d7/Fugue_designers_reply_to_AumassonPhan_Distinguisher.txt this note] using [http://ehash.iaik.tugraz.at/uploads/c/c8/Fig7.pdf this figure].<br />
<br />
<br />
<bibtex><br />
@misc{nistTU10,<br />
author = {Meltem Sönmez Turan, Erdener Uyan},<br />
title = {Practical Near-Collisions for Reduced Round Blake, Fugue, Hamsi and JH},<br />
howpublished = {Second SHA-3 Candidate Conference},<br />
year = {2010},<br />
url = {http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/TURAN_Paper_Erdener.pdf},<br />
abstract = {A hash function is near-collision resistant, if it is hard to find two messages with hash values that differ in only a small number of bits. In this study, we use hill climbing methods to evaluate the near-collision resistance of some of the round SHA-3 candidates. We practically obtained (i) 184/256-bit near-collision for the 2-round compression function of Blake-32; (ii) 192/256-bit near-collision for the 2-round compression function of Hamsi-256; (iii) 820/1024-bit near-collisions for 10-round compression function of JH. We also observed practical collisions and near-collisions for reduced versions of F-256 function used in Fugue.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{nistAP10,<br />
author = {Jean-Philippe Aumasson and Raphael C.-W. Phan},<br />
title = {Analysis of Fugue-256},<br />
howpublished = {Posting to NIST hash mailing list},<br />
year = {2010},<br />
url = {http://ehash.iaik.tugraz.at/uploads/c/cd/Fugue_path.pdf},<br />
abstract = {We would like to report our analysis results on the final round algorithm of Fugue-256 (i.e., the function called "G"): The attached pdf note shows an example differential characteristic of probability 1, on 15 intermediate rounds of G, as well as an extended characteristic that can be used as a distinguisher for the full 18-round G. It also shows how differences propagate on an augmented-round version of G (i.e. if more G2 rounds were added). A detailed analysis as well as further observations will be reported in a subsequent paper.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{sacKhovratovich09,<br />
author = {Dmitry Khovratovich},<br />
title = {Cryptanalysis of hash functions with structures},<br />
booktitle = {SAC},<br />
year = {2009},<br />
url = {http://cryptolux.org/mediawiki/uploads/9/99/Struct2.pdf},<br />
abstract = {Hash function cryptanalysis has acquired many methods, tools and tricks from other areas, mostly block ciphers. In this paper another trick from block cipher cryptanalysis, the structures, is used for speeding up the collision search. We investigate the memory and the time complexities of this approach under different assumptions on the round functions. The power of the new attack is illustrated with the cryptanalysis of the hash functions Grindahl and the analysis of the SHA-3 candidate Fugue (both functions as 256 and 512 bit versions). The collision attack on Grindahl-512 is the first collision attack on this function.},<br />
}<br />
</bibtex></div>Mschlaefferhttps://ehash.iaik.tugraz.at/index.php?title=JH&diff=3645JH2010-12-06T16:54:39Z<p>Mschlaeffer: Cryptanalysis updated</p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Hongjun Wu<br />
* Website: [http://icsd.i2r.a-star.edu.sg/staff/hongjun/jh/ http://icsd.i2r.a-star.edu.sg/staff/hongjun/jh/]<br />
* NIST submission package: <br />
** round 1/2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/JH_Round2.zip JH_Round2.zip] (old versions: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/JH.zip JH.zip], [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/JHUpdate.zip JHUpdate.zip])<br />
<br />
<br />
<bibtex><br />
@misc{sha3W09,<br />
author = {Hongjun Wu},<br />
title = {The Hash Function JH},<br />
url = {http://icsd.i2r.a-star.edu.sg/staff/hongjun/jh/jh_round2.pdf},<br />
howpublished = {Submission to NIST (updated)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3W08,<br />
author = {Hongjun Wu},<br />
title = {The Hash Function JH},<br />
url = {http://icsd.i2r.a-star.edu.sg/staff/hongjun/jh/jh.pdf},<br />
howpublished = {Submission to NIST},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
Recommended security parameter: '''35.5''' rounds<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|-<br />
| style="background:greenyellow" | preimage || 512 || || 2<sup>507</sup> || 2<sup>507</sup> || [http://www.isical.ac.in/~rishi_r/FSE2010-146.pdf Bhattacharyya et al.]<br />
|- <br />
| style="background:greenyellow" | preimage<sup>(1)</sup> || 512 || || 2<sup>510.3</sup> (+ 2<sup>524</sup> MA + 2<sup>524</sup> CMP) || 2<sup>510.3</sup> (Wu: 2<sup>510.6</sup>) || [http://ehash.iaik.tugraz.at/uploads/d/da/Jh_preimage.pdf Mendel,Thomsen], [http://ehash.iaik.tugraz.at/uploads/6/6f/Jh_mt_complexity.pdf Wu]<br />
|- <br />
|} <br />
<br />
<sup>(1)</sup> Wu has analyzed the exact memory requirements, additional memory accesses (MA) and comparisons (CMP) of the attack by Mendel and Thomsen.<br />
<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks). <br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| semi-free-start near collision || compression function || all || 10 rounds || 2<sup>23.24</sup> || - || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/TURAN_Paper_Erdener.pdf Turan,Uyan]<br />
|- <br />
| semi-free-start collision || hash || 256 || 16 rounds || 2<sup>178.24</sup> || 2<sup>101.12</sup> || [http://www.cosic.esat.kuleuven.be/publications/article-1431.pdf Rijmen,Toz,Varıcı]<br />
|- <br />
| semi-free-start near collision || compression function || 256 || 19 rounds || 2<sup>156.77</sup> || 2<sup>143.70</sup> || [http://www.cosic.esat.kuleuven.be/publications/article-1431.pdf Rijmen,Toz,Varıcı]<br />
|- <br />
| semi-free-start near collision || compression function || 256 || 22 rounds || 2<sup>156.56</sup> || 2<sup>143.70</sup> || [http://www.cosic.esat.kuleuven.be/publications/article-1431.pdf Rijmen,Toz,Varıcı]<br />
|- <br />
| pseudo-collision || compression function || all || || - || - || [http://ehash.iaik.tugraz.at/uploads/a/a8/Jh1.txt Bagheri]<br />
|- <br />
| pseudo-2nd preimage || compression function || all || || - || - || [http://ehash.iaik.tugraz.at/uploads/a/a8/Jh1.txt Bagheri]<br />
|- <br />
|} <br />
<br />
<br />
<bibtex><br />
@misc{blakeTU10,<br />
author = {Meltem Sönmez Turan, Erdener Uyan},<br />
title = {Practical Near-Collisions for Reduced Round Blake, Fugue, Hamsi and JH},<br />
howpublished = {Second SHA-3 Candidate Conference},<br />
year = {2010},<br />
url = {http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/TURAN_Paper_Erdener.pdf},<br />
abstract = {A hash function is near-collision resistant, if it is hard to find two messages with hash values that differ in only a small number of bits. In this study, we use hill climbing methods to evaluate the near-collision resistance of some of the round SHA-3 candidates. We practically obtained (i) 184/256-bit near-collision for the 2-round compression function of Blake-32; (ii) 192/256-bit near-collision for the 2-round compression function of Hamsi-256; (iii) 820/1024-bit near-collisions for 10-round compression function of JH. We also observed practical collisions and near-collisions for reduced versions of F-256 function used in Fugue.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{BMN10,<br />
author = {Rishiraj Bhattacharyya and Avradip Mandal and Mridul Nandi},<br />
title = {Security Analysis of the Mode of JH Hash Function},<br />
url = {http://www.isical.ac.in/~rishi_r/FSE2010-146.pdf},<br />
booktitle = {FSE},<br />
year = {2010},<br />
series = {LNCS},<br />
note = {To appear}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{RTV10,<br />
author = {Vincent Rijmen and Denis Toz and Kerem Varıcı},<br />
title = {Rebound Attack on Reduced-Round Versions of JH},<br />
url = {http://www.cosic.esat.kuleuven.be/publications/article-1431.pdf},<br />
booktitle = {FSE},<br />
year = {2010},<br />
series = {LNCS},<br />
note = {To appear}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{B08,<br />
author = {Nasour Bagheri},<br />
title = {Pseudo-collision and pseudo-second preimage on JH},<br />
url = {http://ehash.iaik.tugraz.at/uploads/a/a8/Jh1.txt}, <br />
howpublished = {NIST mailing list (local link)},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{MT08,<br />
author = {Florian Mendel, Søren S. Thomsen},<br />
title = {An Observation on JH-512},<br />
url = {http://ehash.iaik.tugraz.at/uploads/d/da/Jh_preimage.pdf}, <br />
howpublished = {Available online},<br />
year = {2008},<br />
abstract = {In this paper, we present a generic preimage attack on JH-512. We do not claim that<br />
our attack breaks JH-512 (due to the high memory requirements), but it uses some interesting<br />
properties in the design principles of JH-512 which do not exist in other hash functions, e.g., the<br />
SHA-2 family.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{W09,<br />
author = {Hongjun Wu},<br />
title = {The Complexity of Mendel and Thomsen's Preimage Attack on JH-512},<br />
url = {http://ehash.iaik.tugraz.at/uploads/6/6f/Jh_mt_complexity.pdf}, <br />
howpublished = {Available online},<br />
year = {2009},<br />
abstract = {Mendel and Thomsen gave a preimage attack on JH-512 by finding a preimage through the collision search over the space of $2^{1024}$ elements. However, they did not estimate the cost of the collision search which is the most expensive part in their attack. Our analysis shows that their attack requires at least $2^{510.3}$ compression function computations, $2^{510.6}$ memory ($2^{516.6}$ bytes), $2^{524}$ memory accesses and $2^{524}$ comparisons. Such complexity is far more expensive than brute force<br />
attack which requires $2^{512}$ compression function computations and almost no memory.},<br />
}<br />
</bibtex></div>Mschlaefferhttps://ehash.iaik.tugraz.at/index.php?title=BLAKE&diff=3644BLAKE2010-12-06T16:47:48Z<p>Mschlaeffer: Cryptanalysis updated</p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Jean-Philippe Aumasson, Luca Henzen, Willi Meier, Raphael C.-W. Phan<br />
* Website: [http://131002.net/blake/ http://131002.net/blake/]<br />
* NIST submission package: <br />
** round 1/2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/BLAKE_Round2.zip BLAKE_Round2.zip] (old versions: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/BLAKE.zip BLAKE.zip], [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/BLAKEUpdate.zip BLAKEUpdate.zip])<br />
<br />
<br />
<bibtex><br />
@misc{sha3AumassonHMP08,<br />
author = {Jean-Philippe Aumasson and Luca Henzen and Willi Meier and Raphael C.-W. Phan},<br />
title = {SHA-3 proposal BLAKE},<br />
url = {http://131002.net/blake/blake.pdf},<br />
howpublished = {Submission to NIST},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
Recommended security parameter: '''10''' rounds (n=224,256); '''14''' rounds (n=384,512)<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| preimage || 224,256 || 2.5 rounds || 2<sup>n-15</sup> || - || [http://eprint.iacr.org/2009/238.pdf Ji,Liangyu]<br />
|-<br />
| preimage || 384 || 2.5 rounds || 2<sup>355</sup> || - || [http://eprint.iacr.org/2009/238.pdf Ji,Liangyu]<br />
|-<br />
| preimage || 512 || 2.5 rounds || 2<sup>481</sup> || - || [http://eprint.iacr.org/2009/238.pdf Ji,Liangyu]<br />
|-<br />
|} <br />
<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks). <br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|-<br />
| semi-free-start near-collisions || compression function || 256 || 2 rounds || 2<sup>26</sup> || - || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/TURAN_Paper_Erdener.pdf Turan,Uyan]<br />
|-<br />
| collision || hash || all || toy version BLOKE || example || - || [http://lkrv.fri.uni-lj.si/~janos/blake/collisions.pdf Vidali,Nose,Pašalic]<br />
|-<br />
| semi-free-start collision || compression function || all || toy version BRAKE || example || - || [http://lkrv.fri.uni-lj.si/~janos/blake/collisions.pdf Vidali,Nose,Pašalic]<br />
|-<br />
| near-collision || compression function || 256 || 4 rounds (No. 4-7) || 2<sup>21</sup> || - || [http://eprint.iacr.org/2010/355.pdf Su,Wu,Wu,Dong]<br />
|-<br />
| near-collision || compression function || 512 || 4 rounds (No. 7-10) || 2<sup>16</sup> || - || [http://eprint.iacr.org/2010/355.pdf Su,Wu,Wu,Dong]<br />
|-<br />
| near-collision || compression function || 512 || 5 rounds (No. 7-11) || 2<sup>216</sup> || - || [http://eprint.iacr.org/2010/355.pdf Su,Wu,Wu,Dong]<br />
|-<br />
| observations || hash || all || || || || [http://people.item.ntnu.no/~danilog/Hash/Non-random-behaviour-narrow-pipe-designs-03.pdf Gligoroski]<br />
|-<br />
| impossible differential || permutation || 224,256 || 5 rounds || - || - || [http://eprint.iacr.org/2010/043.pdf Aumasson,Guo,Knellwolf,Matusiewicz,Meier]<br />
|-<br />
| impossible differential || permutation || 384,512 || 6 rounds || - || - || [http://eprint.iacr.org/2010/043.pdf Aumasson,Guo,Knellwolf,Matusiewicz,Meier]<br />
|-<br />
| near-collision || compression function || 256 || 4 rounds (No. 3-6) || 2<sup>56</sup> || - || [http://www.jguo.org/docs/blake-col.pdf Guo,Matusiewicz]<br />
|-<br />
| free-start collision || hash || 224,256 || 2.5 rounds || 2<sup>n/2-16</sup> || - || [http://eprint.iacr.org/2009/238.pdf Ji,Liangyu]<br />
|-<br />
| free-start collision || hash || 384,512 || 2.5 rounds || 2<sup>n/2-32</sup> || - || [http://eprint.iacr.org/2009/238.pdf Ji,Liangyu]<br />
|-<br />
|} <br />
<br />
<br />
<bibtex><br />
@misc{blakeTU10,<br />
author = {Meltem Sönmez Turan, Erdener Uyan},<br />
title = {Practical Near-Collisions for Reduced Round Blake, Fugue, Hamsi and JH},<br />
howpublished = {Second SHA-3 Candidate Conference},<br />
year = {2010},<br />
url = {http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/TURAN_Paper_Erdener.pdf},<br />
abstract = {A hash function is near-collision resistant, if it is hard to find two messages with hash values that differ in only a small number of bits. In this study, we use hill climbing methods to evaluate the near-collision resistance of some of the round SHA-3 candidates. We practically obtained (i) 184/256-bit near-collision for the 2-round compression function of Blake-32; (ii) 192/256-bit near-collision for the 2-round compression function of Hamsi-256; (iii) 820/1024-bit near-collisions for 10-round compression function of JH. We also observed practical collisions and near-collisions for reduced versions of F-256 function used in Fugue.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{iplVNP10,<br />
author = {Janoš Vidali, Peter Nose, Enes Pašalic},<br />
title = {Collisions for variants of the BLAKE hash function},<br />
url = {http://lkrv.fri.uni-lj.si/~janos/blake/collisions.pdf},<br />
booktitle = {Information Processing Letters},<br />
year = {2010},<br />
abstract = {In this paper we present an attack to the BLOKE and BRAKE hash functions, which are weakened versions of the SHA-3 candidate BLAKE. In difference to BLAKE, the BLOKE hash function does not permute the message words and constants in the round computation of the compression function, and BRAKE additionally removes feedforward and zeroes the constants used in each round of the compression function. We show that in these cases we can efficiently find, for any intermediate hash value, a fixed-point block giving us an internal collision, thus producing collisions for messages of equal length in case of BLOKE, and internal collisions for BRAKE.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{blakeSuWWD10,<br />
author = {Bozhan Su and Wenling Wu and Shuang Wu and Le Dong},<br />
title = {Near-Collisions on the Reduced-Round Compression Functions of Skein and BLAKE},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/355},<br />
year = {2010},<br />
url = {http://eprint.iacr.org/2010/355.pdf},<br />
abstract = {The SHA-3 competition organized by NIST aims to find a new hash standard as a replacement of SHA-2. Till now, 14 submissions have been selected as the second round candidates, including Skein and BLAKE, both of which have components based on modular addition, rotation and bitwise XOR (ARX). In this paper, we propose improved near-collision attacks on the reduced-round compression functions of Skein and a variant of BLAKE. The attacks are based on linear differentials of the modular additions. The computational complexity of near-collision attacks on a 4-round compression function of BLAKE-32, 4-round and 5-round compression functions of BLAKE-64 are 2^{21}, 2^{16} and 2^{216} respectively, and the attacks on a 24-round compression functions of Skein-256, Skein-512 and Skein-1024 have a complexity of 2^{60}, 2^{230} and 2^{395} respectively.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{blakeGli10,<br />
author = {Danilo Gligoroski},<br />
title = {Narrow-pipe SHA-3 candidates differ significantly from ideal random functions defined over big domains},<br />
url = {http://people.item.ntnu.no/~danilog/Hash/Non-random-behaviour-narrow-pipe-designs-03.pdf},<br />
howpublished = {NIST mailing list},<br />
year = {2010},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cryptoeprint:2010:043,<br />
author = {Jean-Philippe Aumasson and Jian Guo and Simon Knellwolf<br />
and Krystian Matusiewicz and Willi Meier},<br />
title = {Differential and invertibility properties of BLAKE (full version)},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/043},<br />
year = {2010},<br />
url = {http://eprint.iacr.org/2010/043.pdf},<br />
abstract = {BLAKE is a hash function selected by NIST as one of<br />
the 14 second round candidates for the SHA-3 Competition. In this<br />
paper, we follow a bottom-up approach to exhibit properties of BLAKE<br />
and of its building blocks: based on differential properties of the<br />
internal function G, we show that a round of BLAKE is a permutation on<br />
the message space, and present an efficient inversion algorithm. For<br />
1.5 rounds we present an algorithm that finds preimages faster than in<br />
previous attacks. Discovered properties lead us to describe large<br />
classes of impossible differentials for two rounds of BLAKE’s internal<br />
permutation, and particular impossible differentials for five and six<br />
rounds, respectively for BLAKE- 32 and BLAKE-64. Then, using a linear<br />
and rotation-free model, we describe near-collisions for four rounds<br />
of the compression function. Finally, we discuss the problem of<br />
establishing upper bounds on the probability of differential<br />
characteristics for BLAKE.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{blakeGM09,<br />
author = {Jian Guo and Krystian Matusiewicz},<br />
title = {Round-Reduced Near-Collisions of BLAKE-32},<br />
url = {http://www.jguo.org/docs/blake-col.pdf},<br />
howpublished = {Available online},<br />
note = {Accepted for presentation at WEWoRC 2009},<br />
year = {2009}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cryptoeprint:2009:238,<br />
author = {Li Ji and Xu Liangyu},<br />
title = {Attacks on Round-Reduced BLAKE},<br />
howpublished = {Cryptology ePrint Archive, Report 2009/238},<br />
year = {2009},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/2009/238.pdf},<br />
abstract = {BLAKE is a new hash family proposed for SHA-3. The<br />
core of compression function reuses the core function of ChaCha. A<br />
round-dependent permutation is used as message schedule. BLAKE is<br />
claimed to achieve full diffusion after 2 rounds. However, message<br />
words can be controlled on the first several rounds. By exploiting<br />
properties of message permutation, we can attack 2.5 reduced rounds.<br />
The results do not threaten the security claimed in the specification.<br />
},<br />
}<br />
</bibtex></div>Mschlaefferhttps://ehash.iaik.tugraz.at/index.php?title=File:NIST-2ndSHA3Conf-SASAKI.pdf&diff=3643File:NIST-2ndSHA3Conf-SASAKI.pdf2010-12-06T15:57:39Z<p>Mschlaeffer: </p>
<hr />
<div></div>Mschlaefferhttps://ehash.iaik.tugraz.at/index.php?title=Keccak&diff=3642Keccak2010-12-06T15:39:20Z<p>Mschlaeffer: Cryptanalysis updated</p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche<br />
* Website: [http://keccak.noekeon.org/ http://keccak.noekeon.org/] <br />
* NIST submission package: <br />
** round 1: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/Keccak.zip Keccak.zip]<br />
** round 2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/Keccak_Round2.zip Keccak_Round2.zip]<br />
<br />
<br />
<bibtex><br />
@misc{KeccakSpecs2,<br />
author = {G. Bertoni and J. Daemen and M. Peeters and G. Van Assche},<br />
title = {Keccak specifications},<br />
url = {http://keccak.noekeon.org/Keccak-specifications-2.pdf},<br />
howpublished = {Submission to NIST (Round 2)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{KeccakMain2,<br />
author = {G. Bertoni and J. Daemen and M. Peeters and G. Van Assche},<br />
title = {Keccak sponge function family main document},<br />
url = {http://keccak.noekeon.org/Keccak-main-2.0.pdf},<br />
howpublished = {Submission to NIST (Round 2)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{KeccakSpecs,<br />
author = {G. Bertoni and J. Daemen and M. Peeters and G. Van Assche},<br />
title = {Keccak specifications},<br />
url = {http://keccak.noekeon.org/Keccak-specifications.pdf},<br />
howpublished = {Submission to NIST (Round 1)},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{KeccakMain,<br />
author = {G. Bertoni and J. Daemen and M. Peeters and G. Van Assche},<br />
title = {Keccak sponge function family main document},<br />
url = {http://keccak.noekeon.org/Keccak-main-1.0.pdf},<br />
howpublished = {Submission to NIST (Round 1)},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
Recommended security parameter: '''24''' rounds (Keccak-''f'' [1600])<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| 2nd preimage || 512 || 6 rounds || 2<sup>506</sup> || 2<sup>176</sup> || [http://ehash.iaik.tugraz.at/uploads/6/65/NIST-mailing-list_Bernstein-Daemen.txt Bernstein]<br />
|- <br />
| 2nd preimage || 512 || 7 rounds || 2<sup>507</sup> || 2<sup>320</sup> || [http://ehash.iaik.tugraz.at/uploads/6/65/NIST-mailing-list_Bernstein-Daemen.txt Bernstein]<br />
|- <br />
| 2nd preimage || 512 || 8 rounds || 2<sup>511.5</sup> || 2<sup>508</sup> || [http://ehash.iaik.tugraz.at/uploads/6/65/NIST-mailing-list_Bernstein-Daemen.txt Bernstein]<br />
|- <br />
|}<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks). <br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| distinguisher || permutation || all || 24 rounds || 2<sup>1590</sup> || || [http://eprint.iacr.org/2010/589.pdf Boura,Canteaut,DeCanniere]<br />
|- <br />
| distinguisher || permutation || all || 20 rounds || 2<sup>1586</sup> || || [http://www-rocq.inria.fr/secret/Christina.Boura/data/sac.pdf Boura,Canteaut]<br />
|- <br />
| preimage<sup>(2)</sup> || hash || 1024 || 3 rounds, 40 bit message || 1852 seconds (2<sup>34.11</sup>) || ? || [http://eprint.iacr.org/2010/285.pdf Morawiecki,Srebrny]<br />
|- <br />
| distinguisher<sup>(1)</sup> || permutation || all || 18 rounds || 2<sup>1370</sup> || || [http://www-roc.inria.fr/secret/Anne.Canteaut/Publications/zero_sum.pdf Boura,Canteaut]<br />
|- <br />
| distinguisher<sup>(1)</sup> || permutation || all || 16 rounds || 2<sup>1023.88</sup> || || [http://www.131002.net/data/papers/AM09.pdf Aumasson,Meier]<br />
|- <br />
| key recovery || secret-prefix MAC || 224 || 4 rounds || 2<sup>19</sup> || ? || [http://www.cs.rit.edu/~jal6806/thesis/thesis.pdf Lathrop]<br />
|- <br />
| observations || permutation || all || || || || [http://131002.net/data/papers/AK09.pdf Aumasson,Khovratovich]<br />
|- <br />
|}<br />
<br />
<sup>(1)</sup> The Keccak team commented on these distinguishers and provided generic constructions in [http://keccak.noekeon.org/NoteZeroSum.pdf this note].<br />
<br />
<sup>(2)</sup> The Keccak team estimated the complexity of this attack as 2<sup>34.11</sup> evaluations of 3 rounds of Keccak-f[1600] in [http://ehash.iaik.tugraz.at/uploads/5/5b/Note_SAT-basedPreimageAnalysis.txt this note] (exhaustive search: 2<sup>40</sup>).<br />
<br />
<br />
<bibtex><br />
@misc{KeccakBernstein10,<br />
author = {Daniel J. Bernstein},<br />
title = {Second preimages for 6 (7? (8??)) rounds of Keccak?},<br />
url = {http://ehash.iaik.tugraz.at/uploads/6/65/NIST-mailing-list_Bernstein-Daemen.txt},<br />
howpublished = {NIST mailing list},<br />
year = {2010},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cryptoeprint:2010:589,<br />
author = {Christina Boura and Anne Canteaut and Christophe De Canniere},<br />
title = {Higher-order differential properties of Keccak and Luffa},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/589},<br />
year = {2010},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/2010/589.pdf},<br />
abstract = {In this paper, we identify higher-order differential and zero-sum properties in the full Keccak-f permutation, in the Luffa v1 hash function, and in components of the Luffa v2 algorithm. These structural properties rely on a new bound on the degree of iterated permutations with a nonlinear layer composed of parallel applications of smaller balanced Sboxes. These techniques yield zero-sum partitions of size $2^{1590}$ for the full Keccak-f permutation and several observations on the Luffa hash family. We first show that Luffa v1 applied to one-block messages is a function of 255 variables with degree at most 251. This observation leads to the construction of a higher-order differential distinguisher for the full Luffa v1 hash function, similar to the one presented by Watanabe et al. on a reduced version. We show that similar techniques can be used to find all-zero higher-order differentials in the Luffa v2 compression function, but the additional blank round destroys this property in the hash function.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{sacBC10,<br />
author = {Christina Boura and Anne Canteaut},<br />
title = {Zero-Sum Distinguishers for Iterated Permutations and Application to Keccak-f and Hamsi-256},<br />
url = {http://www-rocq.inria.fr/secret/Christina.Boura/data/sac.pdf},<br />
booktitle = {SAC},<br />
year = {2010},<br />
series = {LNCS},<br />
publisher = {Springer},<br />
note = {To appear},<br />
abstract = {The zero-sum distinguishers introduced by Aumasson and Meier are investigated. First, the minimal size of a zero-sum is established. Then, we analyze the impacts of the linear and the nonlinear layers in an iterated permutation on the construction of zero-sum partitions. Finally, these techniques are applied to the Keccak-f permutation and to Hamsi-256. We exhibit several zero-sum partitions for 20 rounds (out of 24) of Keccak-f and some zero-sum partitions of size $2^{19}$ and $2^{10}$ for the finalization permutation in Hamsi-256.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{keccakMS10,<br />
author = {Pawel Morawiecki and Marian Srebrny},<br />
title = {A SAT-based preimage analysis of reduced KECCAK hash functions},<br />
url = {http://eprint.iacr.org/2010/285.pdf},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/285},<br />
year = {2010},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{KeccakNoteZeroSum,<br />
author = {G. Bertoni and J. Daemen and M. Peeters and G. Van Assche},<br />
title = {Note on zero-sum distinguishers of Keccak-f},<br />
url = {http://keccak.noekeon.org/NoteZeroSum.pdf},<br />
howpublished = {NIST mailing list},<br />
year = {2010},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{keccakBC10,<br />
author = {Christina Boura and Anne Canteaut},<br />
title = {A Zero-Sum property for the Keccak-f Permutation with 18 Rounds},<br />
url = {http://www-roc.inria.fr/secret/Anne.Canteaut/Publications/zero_sum.pdf},<br />
howpublished = {NIST mailing list},<br />
year = {2010},<br />
abstract = {A new type of distinguishing property, named the zero-sum property<br />
has been recently presented by Aumasson and Meier [1]. It has<br />
been applied to the inner permutation of the hash function Keccak<br />
and it has led to a distinguishing property for the Keccak-f permutation<br />
up to 16 rounds, out of 24 in total. Here, we additionally exploit<br />
some spectral properties of the Keccak-f permutation and we improve<br />
the previously known upper bounds on the degree of the inverse<br />
permutation after a certain number of rounds. This result enables us<br />
to extend the zero-sum property to 18 rounds of the Keccak-f permutation,<br />
which was the number of rounds in the previous version of<br />
Keccak submitted to the SHA-3 competition.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{keccakAM09,<br />
author = {Jean-Philippe Aumasson and Willi Meier},<br />
title = {Zero-sum distinguishers for reduced Keccak-f and for the core functions of Luffa and Hamsi},<br />
url = {http://www.131002.net/data/papers/AM09.pdf},<br />
howpublished = {NIST mailing list},<br />
year = {2009},<br />
abstract = {We present a new type of distinguisher, called zero-sum distinguisher, and apply it to reduced versions of the Keccak-f permutation. We obtain practical and deterministic distinguishers on up to 9 rounds, and shortcut distinguishers on up to 16 rounds, out of 18 in total. These observations do not seem to affect the security of Keccak. We also briefly describe application of zero-sum distinguishers to the core permutations of Luffa and Hamsi.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{keccakLathrop09,<br />
author = {Joel Lathrop},<br />
title = {Cube Attacks on Cryptographic Hash Functions},<br />
url = {http://www.cs.rit.edu/~jal6806/thesis/thesis.pdf},<br />
howpublished = {Available online},<br />
year = {2009},<br />
abstract = {The thesis includes a successful cube attack against 4-round Keccak complete with a table of maxterms, analysis of the attack, and the estimated limits of its extension to higher numbers of rounds.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{keccakAK09,<br />
author = {Jean-Philippe Aumasson and Dmitry Khovratovich},<br />
title = {First Analysis of Keccak},<br />
url = {http://131002.net/data/papers/AK09.pdf},<br />
howpublished = {Available online},<br />
year = {2009},<br />
abstract = {We apply known automated cryptanalytic tools to the Keccak-f[1600] permutation, using<br />
a triangulation tool to solve the CICO problem, and cube testers to detect some structure in the<br />
algebraic description of the reduced Keccak-f[1600]. The applicability of our tools was notably limited<br />
by the strength of the inverse permutation.},<br />
}<br />
</bibtex></div>Mschlaefferhttps://ehash.iaik.tugraz.at/index.php?title=File:NIST-mailing-list_Bernstein-Daemen.txt&diff=3641File:NIST-mailing-list Bernstein-Daemen.txt2010-12-06T15:34:11Z<p>Mschlaeffer: </p>
<hr />
<div></div>Mschlaefferhttps://ehash.iaik.tugraz.at/index.php?title=Keccak&diff=3640Keccak2010-12-06T15:15:26Z<p>Mschlaeffer: Cryptanalysis updated</p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche<br />
* Website: [http://keccak.noekeon.org/ http://keccak.noekeon.org/] <br />
* NIST submission package: <br />
** round 1: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/Keccak.zip Keccak.zip]<br />
** round 2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/Keccak_Round2.zip Keccak_Round2.zip]<br />
<br />
<br />
<bibtex><br />
@misc{KeccakSpecs2,<br />
author = {G. Bertoni and J. Daemen and M. Peeters and G. Van Assche},<br />
title = {Keccak specifications},<br />
url = {http://keccak.noekeon.org/Keccak-specifications-2.pdf},<br />
howpublished = {Submission to NIST (Round 2)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{KeccakMain2,<br />
author = {G. Bertoni and J. Daemen and M. Peeters and G. Van Assche},<br />
title = {Keccak sponge function family main document},<br />
url = {http://keccak.noekeon.org/Keccak-main-2.0.pdf},<br />
howpublished = {Submission to NIST (Round 2)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{KeccakSpecs,<br />
author = {G. Bertoni and J. Daemen and M. Peeters and G. Van Assche},<br />
title = {Keccak specifications},<br />
url = {http://keccak.noekeon.org/Keccak-specifications.pdf},<br />
howpublished = {Submission to NIST (Round 1)},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{KeccakMain,<br />
author = {G. Bertoni and J. Daemen and M. Peeters and G. Van Assche},<br />
title = {Keccak sponge function family main document},<br />
url = {http://keccak.noekeon.org/Keccak-main-1.0.pdf},<br />
howpublished = {Submission to NIST (Round 1)},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
Recommended security parameter: '''24''' rounds (Keccak-''f'' [1600])<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| || || || || ||<br />
|- <br />
|}<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control or access over some internal variables (a.k.a. free-start, pseudo, compression function, block cipher or permutation attacks). <br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| distinguisher || permutation || all || || 2<sup>1590</sup> || || [http://eprint.iacr.org/2010/589.pdf Boura,Canteaut,DeCanniere]<br />
|- <br />
| distinguisher || permutation || all || 20 rounds || 2<sup>1586</sup> || || [http://www-rocq.inria.fr/secret/Christina.Boura/data/sac.pdf Boura,Canteaut]<br />
|- <br />
| preimage<sup>(2)</sup> || hash || 1024 || 3 rounds, 40 bit message || 1852 seconds (2<sup>34.11</sup>) || ? || [http://eprint.iacr.org/2010/285.pdf Morawiecki,Srebrny]<br />
|- <br />
| distinguisher<sup>(1)</sup> || permutation || all || 18 rounds || 2<sup>1370</sup> || || [http://www-roc.inria.fr/secret/Anne.Canteaut/Publications/zero_sum.pdf Boura,Canteaut]<br />
|- <br />
| distinguisher<sup>(1)</sup> || permutation || all || 16 rounds || 2<sup>1023.88</sup> || || [http://www.131002.net/data/papers/AM09.pdf Aumasson,Meier]<br />
|- <br />
| key recovery || secret-prefix MAC || 224 || 4 rounds || 2<sup>19</sup> || ? || [http://www.cs.rit.edu/~jal6806/thesis/thesis.pdf Lathrop]<br />
|- <br />
| observations || permutation || all || || || || [http://131002.net/data/papers/AK09.pdf Aumasson,Khovratovich]<br />
|- <br />
|}<br />
<br />
<sup>(1)</sup>The Keccak team commented on these distinguishers and provides generic constructions in [http://keccak.noekeon.org/NoteZeroSum.pdf this note].<br />
<br />
<sup>(2)</sup>The Keccak team estimated the complexity of this attack at 2<sup>34.11</sup> evaluations of 3 rounds of Keccak-f[1600] in [http://ehash.iaik.tugraz.at/uploads/5/5b/Note_SAT-basedPreimageAnalysis.txt this note] (exhaustive search: 2<sup>40</sup>).<br />
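The forward zero-sum property underlying the Aumasson-Meier and Boura-Canteaut rows above, as an added example that is not code from the Keccak team or from the cited papers: Keccak-f[1600] with a configurable number of rounds, cross-checked against the standard library's SHA3-256 so that the constants and the sponge are validated, followed by a higher-order differential check. Since chi has algebraic degree 2, r rounds have degree at most 2<sup>r</sup>, so XORing the outputs over any affine subspace of dimension 2<sup>r</sup> + 1 must give the all-zero state. The helper names (<code>keccak_f</code>, <code>zero_sum</code>, <code>is_zero_sum</code>, <code>sample_subspace</code>) and the random choice of base state and single-bit directions are this example's own assumptions; the zero-sum partitions in the cited papers go further by also exploiting the inverse permutation and tighter degree bounds, which is how they reach 16, 18 and 20 rounds.<br />

```python
"""Reduced-round Keccak-f[1600] plus a forward zero-sum (higher-order differential) check.
Added example, not the Keccak team's reference code; constants follow the Keccak specification."""
import hashlib
import random

MASK = (1 << 64) - 1
# Keccak-f[1600] round constants (iota) and rotation offsets ROT[x][y] (rho), from the spec.
RC = [
    0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
    0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
    0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
    0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
    0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
    0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008,
]
ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],
       [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]


def rol(v, n):
    """Rotate a 64-bit lane left by n bits."""
    n %= 64
    return ((v << n) | (v >> (64 - n))) & MASK


def keccak_f(lanes, rounds=24):
    """Apply the first `rounds` rounds of Keccak-f[1600] to 25 lanes indexed x + 5*y."""
    A = list(lanes)
    for rnd in range(rounds):
        # theta: column parities, each lane gets C[x-1] ^ rot(C[x+1], 1)
        C = [A[x] ^ A[x + 5] ^ A[x + 10] ^ A[x + 15] ^ A[x + 20] for x in range(5)]
        D = [C[(x - 1) % 5] ^ rol(C[(x + 1) % 5], 1) for x in range(5)]
        A = [A[i] ^ D[i % 5] for i in range(25)]
        # rho (lane rotations) and pi (lane permutation (x, y) -> (y, 2x + 3y))
        B = [0] * 25
        for x in range(5):
            for y in range(5):
                B[y + 5 * ((2 * x + 3 * y) % 5)] = rol(A[x + 5 * y], ROT[x][y])
        # chi: the only nonlinear step, degree 2 per row
        A = [B[i] ^ (~B[5 * (i // 5) + (i + 1) % 5] & B[5 * (i // 5) + (i + 2) % 5]) for i in range(25)]
        # iota: round constant into lane (0, 0)
        A[0] ^= RC[rnd]
    return A


def sha3_256(msg, rounds=24):
    """SHA3-256 sponge (rate 1088 bits, pad10*1 with domain bits 0b01) over round-reduced Keccak-f."""
    rate = 136
    buf = bytearray(msg) + b"\x06"
    buf += b"\x00" * (-len(buf) % rate)
    buf[-1] |= 0x80
    state = [0] * 25
    for off in range(0, len(buf), rate):
        for i in range(rate // 8):
            state[i] ^= int.from_bytes(buf[off + 8 * i: off + 8 * i + 8], "little")
        state = keccak_f(state, rounds)
    return b"".join(state[i].to_bytes(8, "little") for i in range(4))


def matches_hashlib(msg):
    """Cross-check the full 24-round implementation against the standard library."""
    return sha3_256(msg) == hashlib.sha3_256(msg).digest()


def sample_subspace(dim, seed=1):
    """Random base state plus `dim` distinct single-bit directions (lane, bit); assumption of this example."""
    rng = random.Random(seed)
    base = [rng.getrandbits(64) for _ in range(25)]
    positions = rng.sample(range(1600), dim)
    return base, [(p // 64, p % 64) for p in positions]


def zero_sum(base, basis, rounds):
    """XOR of keccak_f over every point base ^ span(basis); zero whenever dim > algebraic degree."""
    acc = [0] * 25
    for mask in range(1 << len(basis)):
        x = list(base)
        for k, (lane, bit) in enumerate(basis):
            if mask >> k & 1:
                x[lane] ^= 1 << bit
        acc = [a ^ o for a, o in zip(acc, keccak_f(x, rounds))]
    return acc


def is_zero_sum(rounds, dim, seed=1):
    """True if the forward sum over a random affine subspace of dimension `dim` vanishes."""
    base, basis = sample_subspace(dim, seed)
    return not any(zero_sum(base, basis, rounds))


if __name__ == "__main__":
    print("SHA3-256 matches hashlib:", matches_hashlib(b"") and matches_hashlib(b"abc"))
    for r in (1, 2, 3):
        # chi has degree 2, so r rounds have degree <= 2**r: dimension 2**r + 1 forces a zero sum
        print(f"{r} round(s), dim {2 ** r + 1}: zero-sum = {is_zero_sum(r, 2 ** r + 1)}")
```

Run it as a script. The three-round check costs 2<sup>9</sup> = 512 permutation calls; the dimension needed by this naive forward bound doubles with every round (2<sup>17</sup> calls for 4 rounds, 2<sup>33</sup> for 5), which is why the 16-, 18- and 20-round results in the table rely on the inverse direction and on sharper degree bounds rather than on the trivial 2<sup>r</sup> estimate.<br />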
<br />
<br />
<bibtex><br />
@misc{cryptoeprint:2010:589,<br />
author = {Christina Boura and Anne Canteaut and Christophe De Canniere},<br />
title = {Higher-order differential properties of Keccak and Luffa},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/589},<br />
year = {2010},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/2010/589.pdf},<br />
abstract = {In this paper, we identify higher-order differential and zero-sum properties in the full Keccak-f permutation, in the Luffa v1 hash function, and in components of the Luffa v2 algorithm. These structural properties rely on a new bound on the degree of iterated permutations with a nonlinear layer composed of parallel applications of smaller balanced Sboxes. These techniques yield zero-sum partitions of size $2^{1590}$ for the full Keccak-f permutation and several observations on the Luffa hash family. We first show that Luffa v1 applied to one-block messages is a function of 255 variables with degree at most 251. This observation leads to the construction of a higher-order differential distinguisher for the full Luffa v1 hash function, similar to the one presented by Watanabe et al. on a reduced version. We show that similar techniques can be used to find all-zero higher-order differentials in the Luffa v2 compression function, but the additional blank round destroys this property in the hash function.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{sacBC10,<br />
author = {Christina Boura and Anne Canteaut},<br />
title = {Zero-Sum Distinguishers for Iterated Permutations and Application to Keccak-f and Hamsi-256},<br />
url = {http://www-rocq.inria.fr/secret/Christina.Boura/data/sac.pdf},<br />
booktitle = {SAC},<br />
year = {2010},<br />
series = {LNCS},<br />
publisher = {Springer},<br />
note = {To appear},<br />
abstract = {The zero-sum distinguishers introduced by Aumasson and Meier are investigated. First, the minimal size of a zero-sum is established. Then, we analyze the impacts of the linear and the nonlinear layers in an iterated permutation on the construction of zero-sum partitions. Finally, these techniques are applied to the Keccak-f permutation and to Hamsi-256. We exhibit several zero-sum partitions for 20 rounds (out of 24) of Keccak-f and some zero-sum partitions of size $2^{19}$ and $2^{10}$ for the finalization permutation in Hamsi-256.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{keccakMS10,<br />
author = {Pawel Morawiecki and Marian Srebrny},<br />
title = {A SAT-based preimage analysis of reduced KECCAK hash functions},<br />
url = {http://eprint.iacr.org/2010/285.pdf},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/285},<br />
year = {2010},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{KeccakNoteZeroSum,<br />
author = {G. Bertoni and J. Daemen and M. Peeters and G. Van Assche},<br />
title = {Note on zero-sum distinguishers of Keccak-f},<br />
url = {http://keccak.noekeon.org/NoteZeroSum.pdf},<br />
howpublished = {NIST mailing list},<br />
year = {2010},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{keccakBC10,<br />
author = {Christina Boura and Anne Canteaut},<br />
title = {A Zero-Sum property for the Keccak-f Permutation with 18 Rounds},<br />
url = {http://www-roc.inria.fr/secret/Anne.Canteaut/Publications/zero_sum.pdf},<br />
howpublished = {NIST mailing list},<br />
year = {2010},<br />
abstract = {A new type of distinguishing property, named the zero-sum property<br />
has been recently presented by Aumasson and Meier [1]. It has<br />
been applied to the inner permutation of the hash function Keccak<br />
and it has led to a distinguishing property for the Keccak-f permutation<br />
up to 16 rounds, out of 24 in total. Here, we additionally exploit<br />
some spectral properties of the Keccak-f permutation and we improve<br />
the previously known upper bounds on the degree of the inverse<br />
permutation after a certain number of rounds. This result enables us<br />
to extend the zero-sum property to 18 rounds of the Keccak-f permutation,<br />
which was the number of rounds in the previous version of<br />
Keccak submitted to the SHA-3 competition.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{keccakAM09,<br />
author = {Jean-Philippe Aumasson and Willi Meier},<br />
title = {Zero-sum distinguishers for reduced Keccak-f and for the core functions of Luffa and Hamsi},<br />
url = {http://www.131002.net/data/papers/AM09.pdf},<br />
howpublished = {NIST mailing list},<br />
year = {2009},<br />
abstract = {We present a new type of distinguisher, called zero-sum distinguisher, and apply it to reduced versions of the Keccak-f permutation. We obtain practical and deterministic distinguishers on up to 9 rounds, and shortcut distinguishers on up to 16 rounds, out of 18 in total. These observations do not seem to affect the security of Keccak. We also briefly describe application of zero-sum distinguishers to the core permutations of Luffa and Hamsi.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{keccakL09,<br />
author = {Joel Lathrop},<br />
title = {Cube Attacks on Cryptographic Hash Functions},<br />
url = {http://www.cs.rit.edu/~jal6806/thesis/thesis.pdf},<br />
howpublished = {Available online},<br />
year = {2009},<br />
abstract = {The thesis includes a successful cube attack against 4-round Keccak complete with a table of maxterms, analysis of the attack, and the estimated limits of its extension to higher numbers of rounds.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{keccakAK09,<br />
author = {Jean-Philippe Aumasson and Dmitry Khovratovich},<br />
title = {First Analysis of Keccak},<br />
url = {http://131002.net/data/papers/AK09.pdf},<br />
howpublished = {Available online},<br />
year = {2009},<br />
abstract = {We apply known automated cryptanalytic tools to the Keccak-f[1600] permutation, using<br />
a triangulation tool to solve the CICO problem, and cube testers to detect some structure in the<br />
algebraic description of the reduced Keccak-f[1600]. The applicability of our tools was notably limited<br />
by the strength of the inverse permutation.},<br />
}<br />
</bibtex></div>Mschlaefferhttps://ehash.iaik.tugraz.at/index.php?title=Luffa&diff=3639Luffa2010-12-06T14:08:12Z<p>Mschlaeffer: Cryptanalysis updated</p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Christophe De Canniere, Hisayoshi Sato, Dai Watanabe<br />
* Website: [http://www.sdl.hitachi.co.jp/crypto/luffa/ http://www.sdl.hitachi.co.jp/crypto/luffa/]<br />
* NIST submission package: <br />
** round 1: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/LuffaUpdate.zip LuffaUpdate.zip] (old version: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/Luffa.zip Luffa.zip])<br />
** round 2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/Luffa_Round2_Update.zip Luffa_Round2_Update.zip] (old version: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/Luffa_Round2.zip Luffa_Round2.zip])<br />
<br />
<br />
<bibtex><br />
@misc{sha3CHSW09,<br />
author = {Christophe De Canniere and Hisayoshi Sato and Dai Watanabe},<br />
title = {Hash Function Luffa: Specification},<br />
url = {http://www.sdl.hitachi.co.jp/crypto/luffa/Luffa_v2_Specification_20091002.pdf},<br />
howpublished = {Submission to NIST (Round 2)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3CHSW09a,<br />
author = {Christophe De Canniere and Hisayoshi Sato and Dai Watanabe},<br />
title = {Hash Function Luffa: Supporting Document},<br />
url = {http://www.sdl.hitachi.co.jp/crypto/luffa/Luffa_v2_SupportingDocument_20090915.pdf},<br />
howpublished = {Submission to NIST (Round 2)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3CHSW08,<br />
author = {Christophe De Canniere and Hisayoshi Sato and Dai Watanabe},<br />
title = {Hash Function Luffa: Specification},<br />
url = {http://ehash.iaik.tugraz.at/uploads/e/ea/Luffa_Specification.pdf},<br />
howpublished = {Submission to NIST (Round 1)},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3CHSW08a,<br />
author = {Christophe De Canniere and Hisayoshi Sato and Dai Watanabe},<br />
title = {Hash Function Luffa: Supporting Document},<br />
url = {http://ehash.iaik.tugraz.at/uploads/f/fe/Luffa_SupportingDocument.pdf},<br />
howpublished = {Submission to NIST (Round 1)},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
Recommended security parameter: '''8''' rounds<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| collision || 256 || 4 rounds || 2<sup>90</sup> || - || [http://www.sdl.hitachi.co.jp/crypto/luffa/FindingCollisionsForReducedLuffa-256v2_20101108.pdf Preneel,Yoshida,Watanabe]<br />
|- <br />
|} <br />
<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control or access over some internal variables (a.k.a. free-start, pseudo, compression function, block cipher or permutation attacks). <br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| distinguisher || hash || 256 || Round 1 || 2<sup>251</sup> || - || [http://eprint.iacr.org/2010/589.pdf Boura,Canteaut,DeCanniere]<br />
|-<br />
| distinguisher || permutation || || 8 rounds || 2<sup>252</sup> || - || [http://eprint.iacr.org/2010/589.pdf Boura,Canteaut,DeCanniere]<br />
|-<br />
| semi-free-start collision || hash || 256 || 7 rounds || 2<sup>104</sup> || 2<sup>102</sup> || [http://online.tugraz.at/tug_online/voe_main2.getVollText?pDocumentNr=163671&pCurrPk=52053 Khovratovich,Naya-Plasencia,Röck,Schläffer]<br />
|-<br />
| distinguisher || round function || 256 || 8 rounds || 2<sup>104</sup> || 2<sup>102</sup> || [http://online.tugraz.at/tug_online/voe_main2.getVollText?pDocumentNr=163671&pCurrPk=52053 Khovratovich,Naya-Plasencia,Röck,Schläffer]<br />
|-<br />
| distinguisher || permutation || || 8 rounds || 2<sup>116.3</sup> || ? || [http://online.tugraz.at/tug_online/voe_main2.getVollText?pDocumentNr=163671&pCurrPk=52053 Khovratovich,Naya-Plasencia,Röck,Schläffer]<br />
|-<br />
| distinguisher || permutation || || 8 rounds || 2<sup>82</sup> || - || [http://www.131002.net/data/papers/AM09.pdf Aumasson,Meier]<br />
|-<br />
| free-start 2nd preimage || hash || all || || 1 || - || [http://eprint.iacr.org/2009/224.pdf Jia]<br />
|-<br />
| free-start preimage || hash || 224/256 || || 2 || - || [http://eprint.iacr.org/2009/224.pdf Jia]<br />
|-<br />
| free-start preimage || hash || 384 || || 2<sup>127</sup> || - || [http://eprint.iacr.org/2009/224.pdf Jia]<br />
|-<br />
| free-start preimage || hash || 512 || || 2<sup>171</sup> || - || [http://eprint.iacr.org/2009/224.pdf Jia]<br />
|-<br />
| semi-free-start collision || hash || all || any || 2<sup>256*(w-1)/w</sup> || - || [http://www.sdl.hitachi.co.jp/crypto/luffa/Luffa_v2_SupportingDocument_20090915.pdf submission document]<br />
|-<br />
| semi-free-start collision || hash || 512 || any || 2<sup>204.8</sup> || - || [http://www.sdl.hitachi.co.jp/crypto/luffa/Luffa_v2_SupportingDocument_20090915.pdf submission document]<br />
|-<br />
| non-randomness || permutation || || 8 rounds || 2<sup>224</sup> || - || [http://www.sdl.hitachi.co.jp/crypto/luffa/Luffa_v2_SupportingDocument_20090915.pdf submission document]<br />
|-<br />
|} <br />
<br />
<br />
<bibtex><br />
@misc{cryptoeprint:2010:589,<br />
author = {Christina Boura and Anne Canteaut and Christophe De Canni\`ere},<br />
title = {Higher-order differential properties of Keccak and Luffa},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/589},<br />
year = {2010},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/2010/589.pdf},<br />
abstract = {In this paper, we identify higher-order differential and zero-sum properties in the full Keccak-f permutation, in the Luffa v1 hash function, and in components of the Luffa v2 algorithm. These structural properties rely on a new bound on the degree of iterated permutations with a nonlinear layer composed of parallel applications of smaller balanced Sboxes. These techniques yield zero-sum partitions of size $2^{1590}$ for the full Keccak-f permutation and several observations on the Luffa hash family. We first show that Luffa v1 applied to one-block messages is a function of 255 variables with degree at most 251. This observation leads to the construction of a higher-order differential distinguisher for the full Luffa v1 hash function, similar to the one presented by Watanabe et al. on a reduced version. We show that similar techniques can be used to find all-zero higher-order differentials in the Luffa v2 compression function, but the additional blank round destroys this property in the hash function.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{luffaPYW10,<br />
author = {Bart Preneel and Hirotaka Yoshida and Dai Watanabe},<br />
title = {Finding Collisions for Reduced Luffa-256 v2},<br />
url = {http://www.sdl.hitachi.co.jp/crypto/luffa/FindingCollisionsForReducedLuffa-256v2_20101108.pdf},<br />
howpublished = {NIST mailing list},<br />
year = {2010},<br />
abstract = {Luffa is a family of cryptographic hash functions that has been selected as a second round SHA-3 candidate. This paper presents the first collision finding analysis of Luffa-256 v2 which is the 256-bit hash function in the Luffa family. We show that collisions for 4 out of 8 steps of Luffa can be found with complexity $2^{90}$ using sophisticated message modification techniques. Furthermore, we present a security analysis which shows how difficult it is to apply the same approach to Luffa-256 v2 reduced to 5 steps: the resulting attack would require a complexity of $2^{224}$. This analysis can be seen as an indication that the full 8 steps of the Luffa-256 v2 hash function has a large security margin against differential collision search with message modification technique.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{sacKNRS10,<br />
author = {Dmitry Khovratovich and Maria Naya-Plasencia and Andrea Röck and Martin Schläffer},<br />
title = {Cryptanalysis of Luffa v2 Components},<br />
url = {http://online.tugraz.at/tug_online/voe_main2.getVollText?pDocumentNr=163671&pCurrPk=52053},<br />
booktitle = {SAC},<br />
year = {2010},<br />
series = {LNCS},<br />
publisher = {Springer},<br />
note = {To appear},<br />
abstract = {We develop a number of techniques for the cryptanalysis of the SHA-3 candidate Luffa, and apply them to various Luffa components. These techniques include a new variant of the rebound approach taking into account the specifics of Luffa. The main improvements include the construction of good truncated differential paths, the search for differences using multiple inbound phases and a fast final solution search via linear systems. Using these techniques, we are able to construct non-trivial semi-free-start collisions for 7 (out of 8 rounds) of Luffa-256 with a complexity of $2^{104}$ in time and $2^{102}$ in memory. This is the first analysis of a Luffa component other than the permutation of Luffa v1. Additionally, we provide new and more efficient distinguishers also for the full permutation of Luffa v2. For this permutation distinguisher, we use a new model which applies first a short test on all samples and then a longer test on a smaller subset of the inputs. We demonstrate that a set of right pairs for the given differential path can be found significantly faster than for a random permutation.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{hamsiAM9,<br />
author = {Jean-Philippe Aumasson and Willi Meier},<br />
title = {Zero-sum distinguishers for reduced Keccak-f and for the core functions of Luffa and Hamsi},<br />
url = {http://www.131002.net/data/papers/AM09.pdf},<br />
howpublished = {NIST mailing list},<br />
year = {2009},<br />
abstract = {We present a new type of distinguisher, called zero-sum distinguisher, and apply it to reduced versions of the Keccak-f permutation. We obtain practical and deterministic distinguishers on up to 9 rounds, and shortcut distinguishers on up to 16 rounds, out of 18 in total. These observations do not seem to affect the security of Keccak. We also briefly describe application of zero-sum distinguishers to the core permutations of Luffa and Hamsi.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cryptoeprint:2009:224,<br />
author = {Keting Jia},<br />
title = {Pseudo-Collision, Pseudo-Preimage and Pseudo-Second-Preimage Attacks on Luffa},<br />
howpublished = {Cryptology ePrint Archive, Report 2009/224},<br />
year = {2009},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/2009/224.pdf},<br />
abstract = {In this paper, we show some pseudo-collision and pseudo-second-preimage examples for the SHA-3 candidate algorithm Luffa. The pseudo-collision and pseudo-second-preimage can be obtained easily by the message injection function. At the same time, the pseudo-preimage attacks are shown in this paper. For Luffa-224/256, only two iteration functions are needed to get the pseudo-preimage. We need $2^{127}$ and $2^{171}$ to get the pseudo-preimage for Luffa-384 and Luffa-512 respectively.},<br />
}<br />
</bibtex></div>Mschlaeffer