ECHO
1 The algorithm
- Author(s): Ryad Benadjila, Olivier Billet, Henri Gilbert, Gilles Macario-Rat, Thomas Peyrin, Matt Robshaw, Yannick Seurin
- Website: http://crypto.rd.francetelecom.com/echo/
- NIST submission package:
- round 1/2: ECHO_Round2.zip (old version ECHO.zip)
Ryad Benadjila, Olivier Billet, Henri Gilbert, Gilles Macario-Rat, Thomas Peyrin, Matt Robshaw, Yannick Seurin - SHA-3 Proposal: ECHO
- ,2009
- http://crypto.rd.francetelecom.com/echo/doc/echo_description_1-5.pdf
BibtexAuthor : Ryad Benadjila, Olivier Billet, Henri Gilbert, Gilles Macario-Rat, Thomas Peyrin, Matt Robshaw, Yannick Seurin
Title : SHA-3 Proposal: ECHO
In : -
Address :
Date : 2009
Ryad Benadjila, Olivier Billet, Henri Gilbert, Gilles Macario-Rat, Thomas Peyrin, Matt Robshaw, Yannick Seurin - SHA-3 Proposal: ECHO
- ,2008
- http://crypto.rd.francetelecom.com/echo/doc/echo_description.pdf
BibtexAuthor : Ryad Benadjila, Olivier Billet, Henri Gilbert, Gilles Macario-Rat, Thomas Peyrin, Matt Robshaw, Yannick Seurin
Title : SHA-3 Proposal: ECHO
In : -
Address :
Date : 2008
2 Cryptanalysis
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.
A description of the tables is given here.
Recommended security parameter: 8 rounds (n=224,256); 10 rounds (n=384,512)
2.1 Hash function
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.
Type of Analysis | Hash Size (n) | Parameters | Compression Function Calls | Memory Requirements | Reference |
collision(1) | 256 | 5 rounds | 2112 | 285.3 | Schläffer |
(1) In this attack some problems in the previous attacks (pointed out by Jean,Fouque) have been corrected.
2.2 Building blocks
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks).
Type of Analysis | Hash Function Part | Hash Size (n) | Parameters/Variants | Compression Function Calls | Memory Requirements | Reference |
distinguisher | permutation | 256 | 8 rounds | 2151 | 267 | Naya-Plasencia |
distinguisher | permutation | 224,256 | 8 rounds | 2182 | 237 | Sasaki,Li,Wang,Sakayima,Ohta |
distinguisher(1) (chosen salt) | compression function | 256 | 7 rounds | 2160 | 2128 | Schläffer |
free-start collision(1) (chosen salt) | compression function | 256 | 6 rounds | 2160 | 2128 | Schläffer |
semi-free-start collision | compression function | 256 | 4 rounds | 252 | 216 | Jean,Fouque |
semi-free-start collision | compression function | 256 | 3 rounds | 264 | 264 | Peyrin |
distinguisher | compression function | 256 | 4 rounds | 264 | 264 | Peyrin |
semi-free-start collision | compression function | 512 | 3 rounds | 296 | 264 | Peyrin |
distinguisher | compression function | 512 | 6 rounds | 296 | 264 | Peyrin |
distinguisher | permutation | all | 8 rounds | 2768 | 2512 | Gilbert,Peyrin |
distinguisher | permutation | all | 7 rounds | 2384 | 264 | Mendel,Peyrin,Rechberger,Schläffer |
distinguisher | permutation | all | 7 rounds | 2896 | - | submission document |
(1) In this attack some problems in the previous attacks (pointed out by Jean,Fouque) have been corrected.
María Naya-Plasencia - Scrutinizing rebound attacks: new algorithms for improving the complexities
- ,2010
- http://eprint.iacr.org/2010/607.pdf
BibtexAuthor : María Naya-Plasencia
Title : Scrutinizing rebound attacks: new algorithms for improving the complexities
In : -
Address :
Date : 2010
Yu Sasaki, Yang Li, Lei Wang, Kazuo Sakiyama, Kazuo Ohta - New Non-Ideal Properties of AES-Based Permutations: Applications to ECHO and Grøstl
- ,2010
- http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SASAKI_ECHOanalysisFinal.pdf
BibtexAuthor : Yu Sasaki, Yang Li, Lei Wang, Kazuo Sakiyama, Kazuo Ohta
Title : New Non-Ideal Properties of AES-Based Permutations: Applications to ECHO and Grøstl
In : -
Address :
Date : 2010
Martin Schläffer - Improved Collisions for Reduced ECHO-256
- ,2010
- http://eprint.iacr.org/2010/588.pdf
BibtexAuthor : Martin Schläffer
Title : Improved Collisions for Reduced ECHO-256
In : -
Address :
Date : 2010
Jérémy Jean, Pierre-Alain Fouque - Practical Near-Collisions and Collisions on Round-Reduced ECHO-256 Compression Function
- ,2010
- http://eprint.iacr.org/2010/569.pdf
BibtexAuthor : Jérémy Jean, Pierre-Alain Fouque
Title : Practical Near-Collisions and Collisions on Round-Reduced ECHO-256 Compression Function
In : -
Address :
Date : 2010
Martin Schläffer - Subspace Distinguisher for 5/8 Rounds of the ECHO-256 Hash Function
- ,2010
- http://eprint.iacr.org/2010/321.pdf
BibtexAuthor : Martin Schläffer
Title : Subspace Distinguisher for 5/8 Rounds of the ECHO-256 Hash Function
In : -
Address :
Date : 2010
Thomas Peyrin - Improved Differential Attacks for ECHO and Grostl
Henri Gilbert, Thomas Peyrin - Super-Sbox Cryptanalysis: Improved Attacks for AES-like permutations
- FSE ,2010
- http://eprint.iacr.org/2009/531.pdf
BibtexAuthor : Henri Gilbert, Thomas Peyrin
Title : Super-Sbox Cryptanalysis: Improved Attacks for AES-like permutations
In : FSE -
Address :
Date : 2010
Florian Mendel, Thomas Peyrin, Christian Rechberger, Martin Schläffer - Improved Cryptanalysis of the Reduced Grøstl
Compression Function, ECHO Permutation and AES Block Cipher
- SAC 5867:16-35,2009
- http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124407&pCurrPk=44420
BibtexAuthor : Florian Mendel, Thomas Peyrin, ChristianRechberger, Martin Schläffer
Compression Function, ECHO Permutation and AES Block Cipher
Title : Improved Cryptanalysis of the Reduced Grøstl
In : SAC -
Address :
Date : 2009