Proceedings Article

Grøstl - a SHA-3 candidate

TL;DR: Grøstl is a SHA-3 candidate whose compression function is built from two fixed, large, distinct permutations; the wide trail design of these permutations allows strong statements about the resistance of Grøstl to large classes of cryptanalytic attacks.
Abstract: Grøstl is a SHA-3 candidate proposal. Grøstl is an iterated hash function with a compression function built from two fixed, large, distinct permutations. The design of Grøstl is transparent and based on principles very different from those used in the SHA-family. The two permutations are constructed using the wide trail design strategy, which makes it possible to give strong statements about the resistance of Grøstl against large classes of cryptanalytic attacks. Moreover, if these permutations are assumed to be ideal, there is a proof for the security of the hash function. Grøstl is a byte-oriented SP-network which borrows components from the AES. The S-box used is identical to the one used in the block cipher AES and the diffusion layers are constructed in a similar manner to those of the AES. As a consequence there is a very strong confusion and diffusion in Grøstl.
Citations
Book ChapterDOI
13 Jul 2009
TL;DR: The rebound attack uses the available degrees of freedom in a collision attack to efficiently bypass the low-probability parts of a differential trail; it consists of an inbound phase with a match-in-the-middle part that exploits those degrees of freedom, followed by a probabilistic outbound phase.
Abstract: In this work, we propose the rebound attack, a new tool for the cryptanalysis of hash functions. The idea of the rebound attack is to use the available degrees of freedom in a collision attack to efficiently bypass the low probability parts of a differential trail. The rebound attack consists of an inbound phase with a match-in-the-middle part to exploit the available degrees of freedom, and a subsequent probabilistic outbound phase. Especially on AES based hash functions, the rebound attack leads to new attacks for a surprisingly high number of rounds. We use the rebound attack to construct collisions for 4.5 rounds of the 512-bit hash function Whirlpool with a complexity of 2^120 compression function evaluations and negligible memory requirements. The attack can be extended to a near-collision on 7.5 rounds of the compression function of Whirlpool and 8.5 rounds of the similar hash function Maelstrom. Additionally, we apply the rebound attack to the SHA-3 submission Grøstl, which leads to an attack on 6 rounds of the Grøstl-256 compression function with a complexity of 2^120 and memory requirements of about 2^64.

282 citations

Book ChapterDOI
Henri Gilbert, Thomas Peyrin
07 Feb 2010
TL;DR: The Super-Sbox technique uses the fact that two rounds of an AES-like permutation can be viewed as a layer of big Sboxes preceded and followed by simple affine transformations; applying it to Grøstl and ECHO yields improvements over the previous cryptanalysis results for these two schemes.
Abstract: In this paper, we improve the recent rebound and start-from-the-middle attacks on AES-like permutations. Our new cryptanalysis technique uses the fact that one can view two rounds of such permutations as a layer of big Sboxes preceded and followed by simple affine transformations. The big Sboxes encountered in this alternative representation are named Super-Sboxes. We apply this method to two second-round SHA-3 candidates Grøstl and ECHO, and obtain improvements over the previous cryptanalysis results for these two schemes. Moreover, we improve the best distinguisher for the AES block cipher in the known-key setting, reaching 8 rounds for the 128-bit version.

201 citations

Book ChapterDOI
04 Nov 2009
TL;DR: Two new ways to mount attacks on the SHA-3 candidates Grøstl and ECHO are proposed and also applied to the AES; the paper presents the first attack on 7 rounds of the Grøstl-256 output transformation and an improved known-key distinguisher for 7 rounds of the AES block cipher and of the internal permutation used in ECHO.
Abstract: In this paper, we propose two new ways to mount attacks on the SHA-3 candidates Grøstl, and ECHO, and apply these attacks also to the AES. Our results improve upon and extend the rebound attack. Using the new techniques, we are able to extend the number of rounds in which available degrees of freedom can be used. As a result, we present the first attack on 7 rounds for the Grøstl-256 output transformation and improve the semi-free-start collision attack on 6 rounds. Further, we present an improved known-key distinguisher for 7 rounds of the AES block cipher and the internal permutation used in ECHO.

97 citations

Journal ArticleDOI
TL;DR: This article explores the design space of lightweight hash functions based on the sponge construction instantiated with PRESENT-type permutations; the resulting family of hash functions is called spongent.
Abstract: The design of secure yet efficiently implementable cryptographic algorithms is a fundamental problem of cryptography. Lately, lightweight cryptography, optimizing the algorithms to fit the most constrained environments, has received a great deal of attention, the recent research being mainly focused on building block ciphers. As opposed to that, the design of lightweight hash functions is still far from being well investigated with only few proposals in the public domain. In this paper, we aim to address this gap by exploring the design space of lightweight hash functions based on the sponge construction instantiated with present-type permutations. The resulting family of hash functions is called spongent. We propose 13 spongent variants, for different levels of collision and (second) preimage resistance as well as for various implementation constraints. For each of them, we provide several ASIC hardware implementations, ranging from the lowest area to the highest throughput. We make efforts to address the fairness of comparison with other designs in the field by providing an exhaustive hardware evaluation on various technologies, including an open core library. We also prove essential differential properties of spongent permutations, give a security analysis in terms of collision and preimage resistance, as well as study in detail dedicated linear distinguishers.

87 citations

ReportDOI
23 Sep 2009
TL;DR: This NIST report summarizes the evaluation and selection of the five SHA-3 finalists, BLAKE, Grøstl, JH, Keccak and Skein, from the fourteen second-round candidates.
Abstract: The National Institute of Standards and Technology (NIST) opened a public competition on November 2, 2007 to develop a new cryptographic hash algorithm – SHA-3, which will augment the hash algorithms currently specified in the Federal Information Processing Standard (FIPS) 180-3, Secure Hash Standard. The competition was NIST's response to advances in the cryptanalysis of hash algorithms. NIST received sixty-four submissions in October 2008, and selected fifty-one candidate algorithms as the first-round candidates on December 10, 2008, and fourteen as the second-round candidates on July 24, 2009. One year was allocated for the public review of the second-round candidates. On December 9, 2010, NIST announced five SHA-3 finalists to advance to the third (and final) round of the competition. This report summarizes the evaluation and selection of the five finalists – BLAKE, Grøstl, JH, Keccak and Skein.

86 citations