Abstract
We analyze the Grøstl-0 hash function, that is, the version of Grøstl submitted to the SHA-3 competition. This paper extends Peyrin’s internal differential strategy, which uses differential paths between the permutations P and Q of Grøstl-0 to construct distinguishers of the compression function. This results in collision attacks and semi-free-start collision attacks on the Grøstl-0 hash function and compression function with reduced rounds. Specifically, we show collision attacks on the Grøstl-0-256 hash function reduced to 5 and 6 out of 10 rounds with time complexities $2^{48}$ and $2^{112}$, and on the Grøstl-0-512 hash function reduced to 6 out of 14 rounds with time complexity $2^{183}$. Furthermore, we demonstrate semi-free-start collision attacks on the Grøstl-0-256 compression function reduced to 8 rounds and the Grøstl-0-512 compression function reduced to 9 rounds. Finally, we show improved distinguishers for the Grøstl-0-256 permutations with reduced rounds.
Additional information
Communicated by L. R. Knudsen.
Cite this article
Ideguchi, K., Tischhauser, E. & Preneel, B. Internal differential collision attacks on the reduced-round Grøstl-0 hash function. Des. Codes Cryptogr. 70, 251–271 (2014). https://doi.org/10.1007/s10623-012-9674-6
DOI: https://doi.org/10.1007/s10623-012-9674-6