
Improved Rebound Attack on the Finalist Grøstl

Jérémy Jean¹, María Naya-Plasencia², Thomas Peyrin³

¹ École Normale Supérieure, France

² University of Versailles, France

³ Nanyang Technological University, Singapore

RAIM’2012 – June 21, 2012

(published in FSE’2012)

Hash Functions · Grøstl & SHA-3 · Techniques · Grøstl-256 · Grøstl-512 · Conclusion

Hash Functions

H: hash function (e.g. MD5, SHA-1, ...)

[Figure: an input is fed to H, which outputs 50697fb42e88f27b0d19b625b18ae016]

Security Notions: Preimage resistance, Collision resistance, Second-Preimage resistance, Distinguisher from Random Oracle

RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 2/30

SHA-3 Competition

In 2007, the NIST announced a competition to select a new hash function standard.

▸ 64 submissions received; 51 entered first round (Dec. 9, 2008)
▸ 14 entered second round (July 24, 2009)
▸ 5 entered the final (Dec. 9, 2010)
▸ In 2012: the winner will be chosen.

Candidates listed on the slide: Abacus, Dynamic SHA2, LANE, SHAvite-3, ARIRANG, ECHO, Lesamnta, SIMD, AURORA, ECOH, Luffa, Skein, BLAKE, EDON-R, LUX, Spectral Hash, Blender, EnRUPT, MCSSHA-3, StreamHash, BMW, ESSENCE, MD6, SWIFFTX, BOOLE, FSB, MeshHash, Tangle, Cheetah, Fugue, NaSHA, TIB3, CHI, Grøstl, SANDstorm, CRUNCH, Hamsi, Sarmal, Twister, CubeHash, JH, Sgail, Vortex, DCH, Keccak, Shabal, WaMM, Dynamic SHA, Khichidi-1, SHAMATA, Waterfall

Grøstl hash function H

▸ H takes input m of any length
▸ Difficult to handle: use fixed-size input function f
▸ Split m into chunks $m = m_1 \| m_2 \| \cdots$

Compression Function f

[Figure: f takes $h_{n-1}$ and $m_n$ and outputs $h_n$]

Mode of Operation

[Figure: $m = m_1\, m_2\, m_3\, m_4$; starting from $h_0 = IV$, four calls to f produce $h_1, h_2, h_3, h_4$, and Ω gives $H(m)$]

Grøstl Compression Function (CF): f

Grøstl-v0 [Knudsen et al. 08] has been tweaked for the final:
▸ Grøstl-256: |h| = |m| = 512 bits.
▸ Grøstl-512: |h| = |m| = 1024 bits.

[Figure: compression function built from the permutations P and Q, with inputs h and m and output h']

Grøstl Internal Permutations

Permutations P and Q apply the wide-trail strategy from the AES.
▸ Grøstl-256: 10 rounds on an 8 × 8 state.
▸ Grøstl-512: 14 rounds on an 8 × 16 state.

[Figure: one round = AddRoundConstant, SubBytes, ShiftBytes, MixBytes]

Tweak: constants in ARC and ShB changed to introduce asymmetry between P and Q

Grøstl Finalization Round Ω

Once all blocks of message have been treated: truncation.

[Figure: $h_{i-1}$ goes through P to give h]

h is the hash value of the input message

Grøstl: Best Analysis After the Tweak

▸ Grøstl-256:
  • [Sasaki et al. A10]: 8-round permutation distinguisher.
  • [Gilbert et al. FSE10]: 8-round CF distinguisher.
  • [Boura et al. FSE11]: 10-round zero-sum.
▸ Grøstl-512:
  • [Schläffer 2011]: 6-round collision on the CF.

Our New Results 1/2 [Jean et al. FSE12]

▸ Based on the rebound technique [Mendel et al. FSE09].
▸ Based on a way of finding solutions for three consecutive full active rounds: new.
▸ They apply both to 256 and 512 versions.

Our New Results 2/2 [Jean et al. FSE12]

▸ On Grøstl-256, we provide distinguishers for 9 rounds of the permutation (total: 10).
▸ On Grøstl-512, we provide distinguishers for 8, 9 and 10 rounds of the permutation (total: 14).

Rebound Attack

[Figure: the round sequence (SB, Sh, Mb) split into three phases: Outbound, Inbound, Outbound]

SuperSBox

[Figure: the same round sequence (SB, Sh, Mb)]

SuperSBox = SB ◦ MC ◦ SB

Limited Birthday Distinguisher [Gilbert et Peyrin FSE2010]

Limited Birthday
What is the generic complexity for mapping i fixed-difference bits to j fixed-difference bits with a random n-bit permutation π?

WLOG, we assume: i ≤ j.

[Figure: n-bit permutation π; labels n and n − i on the input side, n − j and j on the output side]

Time complexity
▸ if $j \le 2(n-i)$, then time complexity is $2^{j/2}$.
▸ if $j > 2(n-i)$, then time complexity is $2^{i+j-n}$.


Grøstl-256 Permutation

Differential Characteristic for 9 rounds

[Figure: differential characteristic over 9 rounds of SB, Sh, Mb]

Inbound for 3 Full-Active Rounds

[Figure: states S0 to S12 over four rounds; each round applies SB, Sh, Mb, taking S0 to S3, S3 to S6, S6 to S9 and S9 to S12]

Inbound for 3 Full-Active Rounds: Analysis

Counting
▸ 8 forward SuperSBox sets of $2^{64}$ values and differences
▸ 8 backward SuperSBox sets of $2^{64}$ values and differences
▸ Overlapping on 512 bits of values + 512 bits of differences

Number of Solutions Expected
$2^{8 \times 64} \cdot 2^{8 \times 64} \cdot 2^{-512-512} = 2^{512+512-512-512} = 1$

Limited Birthday: $2^{384}$ operations
Our Algorithm: $2^{256}$ operations, memory $2^{64}$

Solving the 3 Active Rounds: Context

The 8 forward $L_i$ overlap the 8 backward $L'_i$ like this:

[Figure: the lists $L_1, \dots, L_8$ overlapping the lists $L'_1, \dots, L'_8$]

Solving the 3 Active Rounds: Step 1

We start by choosing one element in each of the four first $L'_i$.

[Figure: $L_8$ and the lists $L'_1, L'_2, L'_3, L'_4$]

Solving the 3 Active Rounds: Step 2

This determines a single element in each $L_i$.

[Figure: the lists $L_1, \dots, L_8$ and $L'_1$]

Solving the 3 Active Rounds: Step 3

Each determined element in the remaining $L'_i$ exists with $p = 2^{-8 \times 8}$.

[Figure: $L_8$ and the lists $L'_5, L'_6, L'_7, L'_8$]

Summing Up

Inbound Phase
In total we try $2^{256}$ combinations of $(L'_1, L'_2, L'_3, L'_4)$ and each gives a solution with probability $2^{-4 \times 8 \times 8} = 2^{-256}$.

Outbound Phase
Probability $2^{-2 \times 56}$ to pass two 8 → 1 transitions in the MixBytes.

Distinguisher
We distinguish the 9-round permutation in $2^{256+112} = 2^{367}$ operations and $2^{64}$ in memory.

Note: This compares to a generic complexity of $2^{384}$ operations.
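Where the per-transition $2^{-56}$ of the outbound phase and the generic bound from the Limited Birthday slide come from, as an added Python example (not code from the slides or from the Grøstl designers). Assumptions: the MixBytes matrix circ(02, 02, 03, 04, 05, 03, 05, 07) and the AES field polynomial are taken from the Grøstl specification, and the limited-birthday call assumes 8 active bytes at both ends of the permutation (i = j = 448 fixed-difference bits).

```python
import math

POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, the AES field polynomial
# First row of the circulant MixBytes matrix. Assumption: taken from the
# Grøstl specification; the slides only name the layer.
FIRST_ROW = [0x02, 0x02, 0x03, 0x04, 0x05, 0x03, 0x05, 0x07]
MIXBYTES = [FIRST_ROW[-r:] + FIRST_ROW[:-r] for r in range(8)]


def gmul(a, b):
    """Multiply two bytes in GF(2^8) modulo POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= POLY
        b >>= 1
    return r


def ginv(a):
    """Inverse of a non-zero byte, computed as a^254."""
    r = 1
    for _ in range(254):
        r = gmul(r, a)
    return r


def mat_vec(m, v):
    """Matrix-vector product over GF(2^8)."""
    out = []
    for row in m:
        acc = 0
        for c, x in zip(row, v):
            acc ^= gmul(c, x)
        out.append(acc)
    return out


def mat_inv(m):
    """Gauss-Jordan inversion over GF(2^8)."""
    n = len(m)
    a = [list(row) + [int(r == c) for c in range(n)] for r, row in enumerate(m)]
    for col in range(n):
        piv = next(r for r in range(col, n) if a[r][col])
        a[col], a[piv] = a[piv], a[col]
        scale = ginv(a[col][col])
        a[col] = [gmul(scale, x) for x in a[col]]
        for r in range(n):
            if r != col and a[r][col]:
                f = a[r][col]
                a[r] = [x ^ gmul(f, y) for x, y in zip(a[r], a[col])]
    return [row[n:] for row in a]


def fully_active_preimages(pos):
    """MixBytes is linear, so differences propagate as M * delta. For each of
    the 255 output differences active only in byte `pos`, recover the input
    difference and count those with all 8 bytes active."""
    inv = mat_inv(MIXBYTES)
    count = 0
    for val in range(1, 256):
        out_diff = [0] * 8
        out_diff[pos] = val
        if all(mat_vec(inv, out_diff)):
            count += 1
    return count


def transition_log2(pos=0):
    """log2 Pr[random fully active column -> one active byte at `pos`]."""
    return math.log2(fully_active_preimages(pos)) - 8 * math.log2(255)


def limited_birthday_log2(i, j, n):
    """log2 of the generic cost on the Limited Birthday slide."""
    if i > j:
        i, j = j, i  # WLOG i <= j
    return j / 2 if j <= 2 * (n - i) else i + j - n


def grostl256_summary():
    """Exponents for the 9-round case: inbound cost 2^256 per solution,
    two 8 -> 1 transitions to pass, compared with the generic bound."""
    attack = 256 - 2 * transition_log2()
    generic = limited_birthday_log2(448, 448, 512)  # assumed i = j = 448
    return {"attack": attack, "generic": generic}


if __name__ == "__main__":
    print("8 -> 1 transition: 2^%.2f" % transition_log2())
    print(grostl256_summary())
```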


Grøstl-512 Permutation

Differential Characteristic for 10 rounds

[Figure: differential characteristic over 10 rounds of SB, Sh, Mb]

Inbound Phase

[Figure: states S0 to S12 over four rounds; each round applies SB, Sh, Mb, taking S0 to S3, S3 to S6, S6 to S9 and S9 to S12]

Observations

Counting
▸ 16 forward SuperSBox sets of $2^{64}$ values and differences
▸ 16 backward SuperSBox sets of $2^{64}$ values and differences
▸ Overlapping on 1024 bits of values + 1024 bits of differences

Number of Solutions Expected
$2^{16 \times 64} \cdot 2^{16 \times 64} \cdot 2^{-1024-1024} = 2^{1024+1024-1024-1024} = 1$

Limited Birthday: $2^{896}$ operations
Our Algorithm: $2^{280}$ operations, memory $2^{64}$

Algorithm: Guess-and-Determine Approach

Constraints
The differences around the MixBytes layer are restricted since the right state is not fully active.

[Figure: the MixBytes layer (Mb) between the two states]

Notations
▸ Forward SuperSBoxes: $L_1, \dots, L_{16}$.
▸ Backward SuperSBoxes: $L'_1, \dots, L'_{16}$.

[Figure: 16 × 16 grid with columns $L_i$ and rows $L'_i$, for i = 1, ..., 16]

Number of different differences in each $L_i$ (i = 1, ..., 16): 3 4 3 4 5 6 8 6 5 4 3 4 3 2 2 2

Guess-and-Determine Algorithm

[Figure: animation filling the grid of columns $L_i$ and rows $L'_i$ (i = 1, ..., 16) step by step. Legend: Known value and difference; Known difference; Guessed value and difference; Highlight current step.]

Steps shown, in slide order:

Current complexity $2^{256}$, current probability 1:
▸ Next step: $L'_5, L'_6, L'_7, L'_8$.
▸ Next step: $L_1, L_{16}$.
▸ Next step: $L'_4$.
▸ Next step: $L_{15}$.
▸ Next step: $L_6$.

Current complexity $2^{256+16}$, current probability 1:
▸ Next step: $L'_9$.
▸ Next step: $L_{14}$.
▸ Next step: $L'_3$.
▸ Next step: $L_1$.
▸ Next step: $L'_1$.

Current complexity $2^{256+16+8}$, current probability 1:
▸ Next step: $L_{13}$.
▸ Next step: $L'_2$.
▸ Next step: $L_7, L_{16}$.
▸ Next step: $L'_{10}, L'_{11}$.

Current complexity $2^{256+16+8}$, current probability $2^{-8 \cdot (1)}$:
▸ Next step: $L_8, L_9, L_{11}, L_{15}$.

Current complexity $2^{256+16+8}$, current probability $2^{-8 \cdot (1+2)}$:
▸ Next step: $L'_{12}$.

14 X X X Known value and difference X 15 X X X Known difference 16 X X X Guessed value and difference 3 4 3 4 5 6 8 6 5 4 3 4 3 2 2 2 F  Highlight current step

Number of different differences in each Li

RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 28/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Guess-and-Determine Algorithm

Li

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 Current Complexity 1 X X X X X X X X 2 X X X X X X X X 2256+16+8 3 X X X X X X X X 4 X X X X X X X X 5 X X X X X X X X Current Probability 6 X X X X X X X X 8 (1+2+3) 7 X X X X X X X X 2− · 8 X X X X X X X X Li0 9 X X X X X X X X 10 X X X X X X X X L40 11 X X X X X X X X 12 X X X X X    Legend 13 X X X X

14 X X X Known value and difference X 15 X X X Known difference 16 X X X Guessed value and difference 3 4 3 4 5 6 8 6 5 4 3 4 3 2 2 2 F  Highlight current step

Number of different differences in each Li

RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 28/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Guess-and-Determine Algorithm

Li

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 Current Complexity 1 X X X X X X X X 2 X X X X X X X X 2256+16+8 3 X X X X X X X X 4 X X X X X X X X 5 X X X X X X X X Current Probability 6 X X X X X X X X 8 (1+2+3) 7 X X X X X X X X 2− · 8 X X X X X X X X Li0 9 X X X X X X X X 10 X X X X X X X X Next step: L10, L12.L40 11 X X X X X X X X 12 X X X X X X X X Legend 13 X X X X

14 X X X Known value and difference X 15 X X X Known difference 16 X X X Guessed value and difference 3 4 3 4 5 6 8 6 5 4 3 4 3 2 2 2 F  Highlight current step

Number of different differences in each Li

RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 28/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Guess-and-Determine Algorithm

Li

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 Current Complexity 1 X X X X X X X X 2 X X X X X X X X 2256+16+8 3 X X X X X X X X 4 X X X X X X X X 5 X X X X X X X X Current Probability 6 X X X X X X X X 8 (1+2+3) 7 X X X X X X X X 2− · 8 X X X X X X X X Li0 9 X X X X X X X X 10 X X X X X X X X L40 11 X X X X X X X X 12 X X X X X X X X Legend 13 X X X X  

14 X X X   Known value and difference X 15 X X   X Known difference 16 X   X X Guessed value and difference 3 4 3 4 5 6 8 6 5 4 3 4 3 2 2 2 F  Highlight current step

Number of different differences in each Li

RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 28/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Guess-and-Determine Algorithm

Li

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 Current Complexity 1 X X X X X X X X 2 X X X X X X X X 2256+16+8 3 X X X X X X X X 4 X X X X X X X X 5 X X X X X X X X Current Probability 6 X X X X X X X X 8 (1+2+3) 7 X X X X X X X X 2− · 8 X X X X X X X X Li0 9 X X X X X X X X 10 X X X X X X X X Next step: L20 .L160 11 X X X X X X X X 12 X X X X X X X X Legend 13 X X X X X X

14 X X X X X Known value and difference X 15 X X X X X Known difference 16 X X X X X Guessed value and difference 3 4 3 4 5 6 8 6 5 4 3 4 3 2 2 2 F  Highlight current step

Number of different differences in each Li

RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 28/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Guess-and-Determine Algorithm

Li

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 Current Complexity 1 X X X X X X X X 2 X X X X X X X X 2256+16+8 3 X X X X X X X X 4 X X X X X X X X 5 X X X X X X X X Current Probability 6 X X X X X X X X 8 (1+2+3+5) 7 X X X X X X X X 2− · 8 X X X X X X X X Li0 9 X X X X X X X X 10 X X X X X X X X L40 11 X X X X X X X X 12 X X X X X X X X Legend 13 X X X X X X

14 X X X X X Known value and difference X 15 X X X X X Known difference 16 X X  X   X X Guessed value and difference 3 4 3 4 5 6 8 6 5 4 3 4 3 2 2 2 F  Highlight current step

Number of different differences in each Li

RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 28/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Guess-and-Determine Algorithm

Li

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 Current Complexity 1 X X X X X X X X 2 X X X X X X X X 2256+16+8 3 X X X X X X X X 4 X X X X X X X X 5 X X X X X X X X Current Probability 6 X X X X X X X X 8 (1+2+3+5) 7 X X X X X X X X 2− · 8 X X X X X X X X Li0 9 X X X X X X X X 10 X X X X X X X X Next step: L130 , L140 , L150 .L160 11 X X X X X X X X 12 X X X X X X X X Legend 13 X X X X X X

14 X X X X X Known value and difference X 15 X X X X X Known difference 16 X X X X X X X X Guessed value and difference 3 4 3 4 5 6 8 6 5 4 3 4 3 2 2 2 F  Highlight current step

Number of different differences in each Li

RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 28/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Guess-and-Determine Algorithm

Li

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 Current Complexity 1 X X X X X X X X 2 X X X X X X X X 2256+16+8 3 X X X X X X X X 4 X X X X X X X X 5 X X X X X X X X Current Probability 6 X X X X X X X X 8 (1+2+3+5+8+8+8) 7 X X X X X X X X 2− · 8 X X X X X X X X Li0 9 X X X X X X X X 10 X X X X X X X X L40 11 X X X X X X X X 12 X X X X X X X X Legend 13 X X X X X  X  14 X X X X  X   X Known value and difference 15 X X X  X   X Known difference 16 X X X X X X X X Guessed value and difference 3 4 3 4 5 6 8 6 5 4 3 4 3 2 2 2 F  Highlight current step

Number of different differences in each Li

RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 28/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Guess-and-Determine Algorithm

Li

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 Final Complexity 1 X X X X X X X X 2 X X X X X X X X 2256+16+8 = 2280 3 X X X X X X X X 4 X X X X X X X X 5 X X X X X X X X Final Probability 6 X X X X X X X X 8 (1+2+3+5+8+8+8) 280 7 X X X X X X X X 2− · = 2− 8 X X X X X X X X Li0 9 X X X X X X X X 10 X X X X X X X X The End.L40 11 X X X X X X X X 12 X X X X X X X X Legend 13 X X X X X X X X 14 X X X X X X X X X Known value and difference 15 X X X X X X X X Known difference 16 X X X X X X X X Guessed value and difference 3 4 3 4 5 6 8 6 5 4 3 4 3 2 2 2 F  Highlight current step

Number of different differences in each Li

Summing Up

Inbound Phase
In total we try $2^{256+16+8} = 2^{280}$ possibilities, and each gives a solution with probability

$2^{-8 \times (1+2+3+5+8+8+8)} = 2^{-280}$.

Outbound Phase
Again: $P(\text{outbound}) = 2^{-2 \times 56} = 2^{-112}$.

Distinguisher
Finally, we distinguish the 10-round permutation in $2^{280+112} = 2^{392}$ operations and $2^{64}$ in memory.

This compares to a generic complexity of $2^{448}$ operations.

Conclusion

- We have provided new rebound results on building blocks of both versions of Grøstl that improve the previous number of analysed rounds.

- We propose a way to solve 3 fully active states in the middle.

- The results do not threaten the security of Grøstl, but we believe they will help in better understanding AES-based constructions and their bounds regarding rebound techniques.

- More information in the paper: http://www.di.ens.fr/~jean/

Thank you!
