Improved Rebound Attack on the Finalist Grøstl
Jérémy Jean1 María Naya-Plasencia2 Thomas Peyrin3
1École Normale Supérieure, France
2University of Versailles, France
3Nanyang Technological University, Singapore
RAIM’2012 – June 21, 2012
(published in FSE’2012) Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Hash Functions
H: hash function (e.g.: MD5, SHA-1,...)
H 50697fb42e88f27b0d19b625b18ae016
Security Notions Preimage resistance Collision resistance Second-Preimage resistance Distinguisher from Random Oracle
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 2/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion SHA-3 Competition
In 2007, the NIST announced a competition to select a new hash function standard. 64 submissions received; 51 entered first round (Dec. 9, 2008):
Abacus Dynamic SHA2 LANE SHAvite-3 ARIRANG ECHO Lesamnta SIMD AURORA ECOH Luffa Skein BLAKE EDON-R LUX Spectral Hash Blender EnRUPT MCSSHA-3 StreamHash BMW ESSENCE MD6 SWIFFTX BOOLE FSB MeshHash Tangle Cheetah Fugue NaSHA TIB3 CHI Grøstl SANDstorm CRUNCH Hamsi Sarmal Twister CubeHash JH Sgail Vortex DCH Keccak Shabal WaMM Dynamic SHA Khichidi-1 SHAMATA Waterfall
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 3/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion SHA-3 Competition
In 2007, the NIST announced a competition to select a new hash function standard. 14 entered second round (July 24, 2009):
Abacus Dynamic SHA2 LANE SHAvite-3 ARIRANG ECHO Lesamnta SIMD AURORA ECOH Luffa Skein BLAKE EDON-R LUX Spectral Hash Blender EnRUPT MCSSHA-3 StreamHash BMW ESSENCE MD6 SWIFFTX BOOLE FSB MeshHash Tangle Cheetah Fugue NaSHA TIB3 CHI Grøstl SANDstorm CRUNCH Hamsi Sarmal Twister CubeHash JH Sgail Vortex DCH Keccak Shabal WaMM Dynamic SHA Khichidi-1 SHAMATA Waterfall
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 3/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion SHA-3 Competition
In 2007, the NIST announced a competition to select a new hash function standard. 5 entered the final (Dec. 9, 2010):
Abacus Dynamic SHA2 LANE SHAvite-3 ARIRANG ECHO Lesamnta SIMD AURORA ECOH Luffa Skein BLAKE EDON-R LUX Spectral Hash Blender EnRUPT MCSSHA-3 StreamHash BMW ESSENCE MD6 SWIFFTX BOOLE FSB MeshHash Tangle Cheetah Fugue NaSHA TIB3 CHI Grøstl SANDstorm CRUNCH Hamsi Sarmal Twister CubeHash JH Sgail Vortex DCH Keccak Shabal WaMM Dynamic SHA Khichidi-1 SHAMATA Waterfall
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 3/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion SHA-3 Competition
In 2007, the NIST announced a competition to select a new hash function standard. In 2012: the winner will be chosen.
Abacus Dynamic SHA2 LANE SHAvite-3 ARIRANG ECHO Lesamnta SIMD AURORA ECOH Luffa Skein BLAKE EDON-R LUX Spectral Hash Blender EnRUPT MCSSHA-3 StreamHash BMW ESSENCE MD6 SWIFFTX BOOLE FSB MeshHash Tangle Cheetah Fugue NaSHA TIB3 CHI Grøstl SANDstorm CRUNCH Hamsi Sarmal Twister CubeHash JH Sgail Vortex DCH Keccak Shabal WaMM Dynamic SHA Khichidi-1 SHAMATA Waterfall
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 3/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Grøstl hash function H
I H takes input m of any length Compression Function f
I Difficult to handle mn h Use fixed-size input f function f n I hn−1
I Split m into chunks m = m1||m2|| · · ·
Mode of Operation
m = m1 m2 m3 m4
f f f f Ω h0 = IV H(m) h1 h2 h3 h4
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 4/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Grøstl Compression Function (CF): f
Grøstl-v0 [Knudsen et al. 08] has been tweaked for the final: I Grøstl-256: |h| = |m|=512 bits. I Grøstl-512: |h| = |m|=1024 bits.
h P h0
m Q
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 5/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Grøstl Internal Permutations
Permutations P and Q apply the wide-trail strategy from the AES. I Grøstl-256: 10 rounds on state a 8 × 8. I Grøstl-512: 14 rounds on state a 8 × 16.
AddRoundConstant
SubBytes
ShiftBytes
MixBytes
Tweak: constants in ARC and ShB changed to introduce asymmetry between P and Q
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 6/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Grøstl Finalization Round Ω
Once all blocks of message have been treated: truncation.
hi−1 P h
h is the hash value the input message
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 7/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Grøstl: Best Analysis After the Tweak
I Grøstl-256: • [Sasaki et al A10]: 8-round permutation distinguisher.
• [Gilbert et al. FSE10]: 8-round CF distinguisher.
• [Boura et al. FSE11]: 10-round zero-sum.
I Grøstl-512 • [Schläffer 2011]: 6-round collision on the CF.
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 8/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Our New Results 1/2 [Jean et al. FSE12]
I Based on the rebound technique [Mendel et al. FSE09].
I Based on a way of finding solutions for three consecutive full active rounds: new.
I They apply both to 256 and 512 versions.
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 9/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Our New Results 2/2 [Jean et al. FSE12]
I On Grøstl-256, we provide distinguishers for 9 rounds of the permutation (total: 10).
I On Grøstl-512, we provide distinguishers for 8, 9 and 10 rounds of the permutation (total: 14).
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 10/30 Outbound Inbound Outbound
Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Rebound Attack
Mb Mb Mb Mb Mb Mb Mb Mb
Sh Sh Sh Sh Sh Sh Sh Sh
SB SB SB SB SB SB SB SB
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 11/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Rebound Attack
Mb Mb Mb Mb Mb Mb Mb Mb
Sh Sh Sh Sh Sh Sh Sh Sh
SB SB SB SB SB SB SB SB
Outbound Inbound Outbound
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 11/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion SuperSBox
Mb Mb Mb Mb Mb Mb Mb Mb
Sh Sh Sh Sh Sh Sh Sh Sh
SB SB SB SB SB SB SB SB
SuperSBox = SB ◦ MC ◦ SB
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 12/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Limited Birthday Distinguisher [Gilbert et Peyrin FSE2010]
Limited Birthday What is the generic complexity for mapping i fixed-difference bits to j fixed-difference bits with a random n-bit permutation π?
WLOG, we assume: i ≤ j. n
n − i π
n − j j Time complexity if j ≤ 2(n − i), then time complexity is 2j/2. if j > 2(n − i), then time complexity is 2i+j−n.
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 13/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion
Grøstl-256 Permutation
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 14/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Differential Characteristic for 9 rounds
Mb Mb Mb Mb Mb Mb Mb Mb Mb
Sh Sh Sh Sh Sh Sh Sh Sh Sh
SB SB SB SB SB SB SB SB SB
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 15/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Inbound for 3 Full-Active Rounds
S0 S1 S2 S3
SB Sh Mb
S3 S4 S5 S6
SB Sh Mb
S6 S7 S8 S9
SB Sh Mb
S9 S10 S11 S12
SB Sh Mb
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 16/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Inbound for 3 Full-Active Rounds
S0 S1 S2 S3
SB Sh Mb
S3 S4 S5 S6
SB Sh Mb
S6 S7 S8 S9
SB Sh Mb
S9 S10 S11 S12
SB Sh Mb
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 16/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Inbound for 3 Full-Active Rounds
S0 S1 S2 S3
SB Sh Mb
S3 S4 S5 S6
SB Sh Mb
S6 S7 S8 S9
SB Sh Mb
S9 S10 S11 S12
SB Sh Mb
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 16/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Inbound for 3 Full-Active Rounds
S0 S1 S2 S3
SB Sh Mb
S3 S4 S5 S6
SB Sh Mb
S6 S7 S8 S9
SB Sh Mb
S9 S10 S11 S12
SB Sh Mb
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 16/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Inbound for 3 Full-Active Rounds: Analysis
Counting 64 8 forward SuperSBox sets of 2 values and differences 64 8 backward SuperSBox sets of 2 values and differences Overlapping on 512 bits of values + 512 bits of differences
Number of Solutions Expected 28×64 28×64 2−512−512 = 2512+512−512−512 = 1
Limited Birthday Our Algorithm 2384 operations 2256 operations, memory 264
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 17/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Solving the 3 Active Rounds: Context
0 The 8 forward Li overlaps the 8 backwards Li like this:
L1 L2 L3 L4 L5 L6 L7 L8
0 0 0 0 0 0 0 0 L1 L2 L3 L4 L5 L6 L7 L8
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 18/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Solving the 3 Active Rounds: Step 1
0 We start by choosing one element in each of the four first Li .
L8
0 0 0 0 L1 L2 L3 L4
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 19/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Solving the 3 Active Rounds: Step 2
This determines a single element in each Li .
L1 L2 L3 L4 L5 L6 L7 L8
0 L1
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 20/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Solving the 3 Active Rounds: Step 3
0 Each determined element in the remaining Li exists with p = 2−8×8.
L8
0 0 0 0 L5 L6 L7 L8
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 21/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Summing Up
Inbound Phase 256 0 0 0 0 In total we try2 combinations of (L1, L2, L3, L4) and each gives a solution with probability: 2−4×8×8 = 2−256.
Outbound Phase Probability2 −2×56 to pass two 8 → 1 transitions in the MixBytes.
Distinguisher We distinguish the 9-round permutation in 2256+112 = 2367 operations and2 64 in memory.
Note: This compares to a generic complexity of 2384 operations.
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 22/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion
Grøstl-512 Permutation
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 23/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Differential Characteristic for 10 rounds
Mb Mb Mb Mb Mb Mb Mb Mb Mb Mb
Sh Sh Sh Sh Sh Sh Sh Sh Sh Sh
SB SB SB SB SB SB SB SB SB SB
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 24/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Inbound Phase
S0 S1 S2 S3 SB Sh Mb
S3 S4 S5 S6 SB Sh Mb
S6 S7 S8 S9 SB Sh Mb
S9 S10 S11 S12 SB Sh Mb
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 25/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Inbound Phase
S0 S1 S2 S3 SB Sh Mb
S3 S4 S5 S6 SB Sh Mb
S6 S7 S8 S9 SB Sh Mb
S9 S10 S11 S12 SB Sh Mb
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 25/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Inbound Phase
S0 S1 S2 S3 SB Sh Mb
S3 S4 S5 S6 SB Sh Mb
S6 S7 S8 S9 SB Sh Mb
S9 S10 S11 S12 SB Sh Mb
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 25/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Inbound Phase
S0 S1 S2 S3 SB Sh Mb
S3 S4 S5 S6 SB Sh Mb
S6 S7 S8 S9 SB Sh Mb
S9 S10 S11 S12 SB Sh Mb
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 25/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Observations
Counting 64 16 forward SuperSBox sets of 2 values and differences 64 16 backward SuperSBox sets of 2 values and differences Overlapping on 1024 bits of values + 1024 bits of differences
Number of Solutions Expected 216×64 216×64 2−1024−1024 = 21024+1024−1024−1024 = 1
Limited Birthday Our Algorithm 2896 operations 2280 operations, memory 264
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 26/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Algorithm: Guess-and-Determine Approach
Constraints The differences around the MixBytes layer are restricted since the right state is not fully active.
Mb
Notations Forward SuperSBoxes: L1,..., L16. 0 0 Backward SuperSBoxes: L1,..., L16.
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 27/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Algorithm: Guess-and-Determine Approach
Li
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
1
2
3
4
5
6
7
8 Li0 9
10
11
12
13
14
15
16
3 4 3 4 5 6 8 6 5 4 3 4 3 2 2 2
Number of different differences in each Li RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 27/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Guess-and-Determine Algorithm
Li
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 Current Complexity 1 2 F 2256 3 F F 4 F F F 5 F F F F Current Probability 6 F F F F 7 F F F F 1 8 F F F F Li0 9 F F F 10 F F L40 11 F 12 Legend 13 F 14 F X Known value and difference 15 F Known difference 16 F Guessed value and difference 3 4 3 4 5 6 8 6 5 4 3 4 3 2 2 2 F Highlight current step
Number of different differences in each Li
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 28/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Guess-and-Determine Algorithm
Li
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 Current Complexity 1 2 X 2256 3 X X 4 X X X 5 X X X X Current Probability 6 X X X X 7 X X X X 1 8 X X X X Li0 9 X X X 10 X X Next step: L50 , L60 , L70 , L80 .L40 11 X 12 Legend 13 X 14 X X Known value and difference 15 X Known difference 16 X Guessed value and difference 3 4 3 4 5 6 8 6 5 4 3 4 3 2 2 2 F Highlight current step
Number of different differences in each Li
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 28/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Guess-and-Determine Algorithm
Li
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 Current Complexity 1 2 X 2256 3 X X 4 X X X 5 X X X X Current Probability 6 X X X X 7 X X X X 1 8 X X X X Li0 9 X X X 10 X X L40 11 X 12 Legend 13 X 14 X X Known value and difference 15 X Known difference 16 X Guessed value and difference 3 4 3 4 5 6 8 6 5 4 3 4 3 2 2 2 F Highlight current step
Number of different differences in each Li
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 28/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Guess-and-Determine Algorithm
Li
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 Current Complexity 1 2 X 2256 3 X X 4 X X X 5 X X X X X X X X Current Probability 6 X X X X X X X X 7 X X X X X X X X 1 8 X X X X X X X X Li0 9 X X X 10 X X Next step: L1, L16.L40 11 X 12 Legend 13 X 14 X X Known value and difference 15 X Known difference 16 X Guessed value and difference 3 4 3 4 5 6 8 6 5 4 3 4 3 2 2 2 F Highlight current step
Number of different differences in each Li
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 28/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Guess-and-Determine Algorithm
Li
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 Current Complexity 1
2 X 2256
3 X X
4 X X X
5 X X X X X X X X Current Probability 6 X X X X X X X X 7 X X X X X X X X 1 8 X X X X X X X X Li0 9 X X X 10 X X Next step: L40 . 11 X 12 Legend 13 X 14 X X Known value and difference 15 X Known difference 16 X Guessed value and difference 3 4 3 4 5 6 8 6 5 4 3 4 3 2 2 2 F Highlight current step
Number of different differences in each Li
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 28/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Guess-and-Determine Algorithm
Li
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 Current Complexity 1
2 X 2256
3 X X
4 X X X 5 X X X X X X X X Current Probability 6 X X X X X X X X 7 X X X X X X X X 1 8 X X X X X X X X Li0 9 X X X 10 X X L40 11 X 12 Legend 13 X 14 X X Known value and difference 15 X Known difference 16 X Guessed value and difference 3 4 3 4 5 6 8 6 5 4 3 4 3 2 2 2 F Highlight current step
Number of different differences in each Li
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 28/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Guess-and-Determine Algorithm
Li
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 Current Complexity 1
2 X 2256
3 X X
4 X X X X X X X X 5 X X X X X X X X Current Probability 6 X X X X X X X X 7 X X X X X X X X 1 8 X X X X X X X X Li0 9 X X X 10 X X Next step: L15.L40 11 X 12 Legend 13 X 14 X X Known value and difference 15 X Known difference 16 X Guessed value and difference 3 4 3 4 5 6 8 6 5 4 3 4 3 2 2 2 F Highlight current step
Number of different differences in each Li
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 28/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Guess-and-Determine Algorithm
Li
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 Current Complexity 1
2 X 2256
3 X X
4 X X X X X X X X 5 X X X X X X X X Current Probability 6 X X X X X X X X 7 X X X X X X X X 1 8 X X X X X X X X Li0 9 X X X 10 X X Next step: L6.L40
11 X 12 Legend 13 X 14 X X Known value and difference 15 X Known difference 16 X Guessed value and difference 3 4 3 4 5 6 8 6 5 4 3 4 3 2 2 2 F Highlight current step
Number of different differences in each Li
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 28/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Guess-and-Determine Algorithm
Li
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 Current Complexity 1 F
2 X 2256+16
3 X X
4 X X X X X X X X 5 X X X X X X X X Current Probability 6 X X X X X X X X 7 X X X X X X X X 1 8 X X X X X X X X Li0 9 X X X F 10 X X F L40
11 X F
12 F Legend 13 X 14 X X Known value and difference 15 X Known difference 16 X Guessed value and difference 3 4 3 4 5 6 8 6 5 4 3 4 3 2 2 2 F Highlight current step
Number of different differences in each Li
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 28/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Guess-and-Determine Algorithm
Li
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 Current Complexity 1 X
2 X 2256+16
3 X X
4 X X X X X X X X 5 X X X X X X X X Current Probability 6 X X X X X X X X 7 X X X X X X X X 1 8 X X X X X X X X Li0 9 X X X X 10 X X X Next step: L90 .
11 X X
12 X Legend 13 X 14 X X Known value and difference 15 X Known difference 16 X Guessed value and difference 3 4 3 4 5 6 8 6 5 4 3 4 3 2 2 2 F Highlight current step
Number of different differences in each Li
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 28/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Guess-and-Determine Algorithm
Li
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 Current Complexity 1 X
2 X 2256+16
3 X X
4 X X X X X X X X 5 X X X X X X X X Current Probability 6 X X X X X X X X 7 X X X X X X X X 1 8 X X X X X X X X Li0 9 X X X X 10 X X X L40
11 X X
12 X Legend 13 X 14 X X Known value and difference 15 X Known difference 16 X Guessed value and difference 3 4 3 4 5 6 8 6 5 4 3 4 3 2 2 2 F Highlight current step
Number of different differences in each Li
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 28/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Guess-and-Determine Algorithm
Li
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 Current Complexity 1 X
2 X 2256+16
3 X X
4 X X X X X X X X 5 X X X X X X X X Current Probability 6 X X X X X X X X 7 X X X X X X X X 1 8 X X X X X X X X Li0 9 X X X X X X X X 10 X X X Next step: L14.L40
11 X X
12 X Legend 13 X 14 X X Known value and difference 15 X Known difference 16 X Guessed value and difference 3 4 3 4 5 6 8 6 5 4 3 4 3 2 2 2 F Highlight current step
Number of different differences in each Li
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 28/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Guess-and-Determine Algorithm
Li
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 Current Complexity 1 X
2 X 2256+16
3 X X
4 X X X X X X X X 5 X X X X X X X X Current Probability 6 X X X X X X X X 7 X X X X X X X X 1 8 X X X X X X X X Li0 9 X X X X X X X X 10 X X X Next step: L30 .L40
11 X X
12 X Legend 13 X 14 X Known value and difference X 15 X Known difference 16 X Guessed value and difference 3 4 3 4 5 6 8 6 5 4 3 4 3 2 2 2 F Highlight current step
Number of different differences in each Li
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 28/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Guess-and-Determine Algorithm
Li
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 Current Complexity 1 X
2 X 2256+16
3 X X 4 X X X X X X X X 5 X X X X X X X X Current Probability 6 X X X X X X X X 7 X X X X X X X X 1 8 X X X X X X X X Li0 9 X X X X X X X X 10 X X X L40
11 X X
12 X Legend 13 X 14 X Known value and difference X 15 X Known difference 16 X Guessed value and difference 3 4 3 4 5 6 8 6 5 4 3 4 3 2 2 2 F Highlight current step
Number of different differences in each Li
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 28/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Guess-and-Determine Algorithm
Li
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 Current Complexity 1 X
2 X 2256+16
3 X X X X X X X X 4 X X X X X X X X 5 X X X X X X X X Current Probability 6 X X X X X X X X 7 X X X X X X X X 1 8 X X X X X X X X Li0 9 X X X X X X X X 10 X X X Next step: L1.L40
11 X X
12 X Legend 13 X 14 X Known value and difference X 15 X Known difference 16 X Guessed value and difference 3 4 3 4 5 6 8 6 5 4 3 4 3 2 2 2 F Highlight current step
Number of different differences in each Li
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 28/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Guess-and-Determine Algorithm
Li
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 Current Complexity 1 X
2 X 2256+16
3 X X X X X X X X 4 X X X X X X X X 5 X X X X X X X X Current Probability 6 X X X X X X X X 7 X X X X X X X X 1 8 X X X X X X X X Li0 9 X X X X X X X X 10 X X X L40
11 X X 12 X Legend 13 X 14 X Known value and difference X 15 X Known difference 16 X Guessed value and difference 3 4 3 4 5 6 8 6 5 4 3 4 3 2 2 2 F Highlight current step
Number of different differences in each Li
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 28/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Guess-and-Determine Algorithm
Li
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 Current Complexity 1 X X
2 X X 2256+16
3 X X X X X X X X 4 X X X X X X X X 5 X X X X X X X X Current Probability 6 X X X X X X X X 7 X X X X X X X X 1 8 X X X X X X X X Li0 9 X X X X X X X X 10 X X X Next step: L10 .L40
11 X X 12 X X Legend 13 X 14 X Known value and difference X 15 X Known difference 16 X Guessed value and difference 3 4 3 4 5 6 8 6 5 4 3 4 3 2 2 2 F Highlight current step
Number of different differences in each Li
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 28/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Guess-and-Determine Algorithm
Li
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 Current Complexity 1 X X F F F
2 X X 2256+16+8
3 X X X X X X X X 4 X X X X X X X X 5 X X X X X X X X Current Probability 6 X X X X X X X X 7 X X X X X X X X 1 8 X X X X X X X X Li0 9 X X X X X X X X 10 X X X L40
11 X X 12 X X Legend 13 X 14 X Known value and difference X 15 X Known difference 16 X Guessed value and difference 3 4 3 4 5 6 8 6 5 4 3 4 3 2 2 2 F Highlight current step
Number of different differences in each Li
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 28/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Guess-and-Determine Algorithm
Li
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 Current Complexity 1 X X X X X X X X 2 X X 2256+16+8
3 X X X X X X X X 4 X X X X X X X X 5 X X X X X X X X Current Probability 6 X X X X X X X X 7 X X X X X X X X 1 8 X X X X X X X X Li0 9 X X X X X X X X 10 X X X Next step: L13.L40
11 X X 12 X X Legend 13 X 14 X Known value and difference X 15 X Known difference 16 X Guessed value and difference 3 4 3 4 5 6 8 6 5 4 3 4 3 2 2 2 F Highlight current step
Number of different differences in each Li
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 28/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Guess-and-Determine Algorithm
Li
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 Current Complexity 1 X X X X X X X X 2 X X 2256+16+8
3 X X X X X X X X 4 X X X X X X X X 5 X X X X X X X X Current Probability 6 X X X X X X X X 7 X X X X X X X X 1 8 X X X X X X X X Li0 9 X X X X X X X X 10 X X X Next step: L20 .L40
11 X X 12 X X Legend 13 X
14 X Known value and difference X 15 X Known difference 16 X Guessed value and difference 3 4 3 4 5 6 8 6 5 4 3 4 3 2 2 2 F Highlight current step
Number of different differences in each Li
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 28/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Guess-and-Determine Algorithm
Li
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 Current Complexity 1 X X X X X X X X 2 X X 2256+16+8 3 X X X X X X X X 4 X X X X X X X X 5 X X X X X X X X Current Probability 6 X X X X X X X X 7 X X X X X X X X 1 8 X X X X X X X X Li0 9 X X X X X X X X 10 X X X L40
11 X X 12 X X Legend 13 X
14 X Known value and difference X 15 X Known difference 16 X Guessed value and difference 3 4 3 4 5 6 8 6 5 4 3 4 3 2 2 2 F Highlight current step
Number of different differences in each Li
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 28/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Guess-and-Determine Algorithm
Li
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 Current Complexity 1 X X X X X X X X 2 X X X X X X X X 2256+16+8 3 X X X X X X X X 4 X X X X X X X X 5 X X X X X X X X Current Probability 6 X X X X X X X X 7 X X X X X X X X 1 8 X X X X X X X X Li0 9 X X X X X X X X 10 X X X Next step: L7, L16.L40
11 X X 12 X X Legend 13 X
14 X Known value and difference X 15 X Known difference 16 X Guessed value and difference 3 4 3 4 5 6 8 6 5 4 3 4 3 2 2 2 F Highlight current step
Number of different differences in each Li
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 28/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Guess-and-Determine Algorithm
Li
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 Current Complexity 1 X X X X X X X X 2 X X X X X X X X 2256+16+8 3 X X X X X X X X 4 X X X X X X X X 5 X X X X X X X X Current Probability 6 X X X X X X X X 7 X X X X X X X X 1 8 X X X X X X X X Li0 9 X X X X X X X X 10 X X X L40
11 X X 12 X X Legend 13 X
14 X Known value and difference X 15 X Known difference 16 X Guessed value and difference 3 4 3 4 5 6 8 6 5 4 3 4 3 2 2 2 F Highlight current step
Number of different differences in each Li
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 28/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Guess-and-Determine Algorithm
Li
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 Current Complexity 1 X X X X X X X X 2 X X X X X X X X 2256+16+8 3 X X X X X X X X 4 X X X X X X X X 5 X X X X X X X X Current Probability 6 X X X X X X X X 7 X X X X X X X X 1 8 X X X X X X X X Li0 9 X X X X X X X X 10 X X X X Next step: L100 , L110 .L40
11 X X X X 12 X X X Legend 13 X X
14 X Known value and difference X 15 X Known difference 16 X X Guessed value and difference 3 4 3 4 5 6 8 6 5 4 3 4 3 2 2 2 F Highlight current step
Number of different differences in each Li
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 28/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Guess-and-Determine Algorithm
Li
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 Current Complexity 1 X X X X X X X X 2 X X X X X X X X 2256+16+8 3 X X X X X X X X 4 X X X X X X X X 5 X X X X X X X X Current Probability 6 X X X X X X X X 8 (1) 7 X X X X X X X X 2− · 8 X X X X X X X X Li0 9 X X X X X X X X 10 X X X X L40 11 X X X X 12 X X X Legend 13 X X
14 X Known value and difference X 15 X Known difference 16 X X Guessed value and difference 3 4 3 4 5 6 8 6 5 4 3 4 3 2 2 2 F Highlight current step
Number of different differences in each Li
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 28/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Guess-and-Determine Algorithm
Li
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 Current Complexity 1 X X X X X X X X 2 X X X X X X X X 2256+16+8 3 X X X X X X X X 4 X X X X X X X X 5 X X X X X X X X Current Probability 6 X X X X X X X X 8 (1) 7 X X X X X X X X 2− · 8 X X X X X X X X Li0 9 X X X X X X X X 10 X X X X X X X X Next step: L8, L9, L11, L15.L40 11 X X X X X X X X 12 X X X Legend 13 X X
14 X Known value and difference X 15 X Known difference 16 X X Guessed value and difference 3 4 3 4 5 6 8 6 5 4 3 4 3 2 2 2 F Highlight current step
Number of different differences in each Li
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 28/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Guess-and-Determine Algorithm
Li
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 Current Complexity 1 X X X X X X X X 2 X X X X X X X X 2256+16+8 3 X X X X X X X X 4 X X X X X X X X 5 X X X X X X X X Current Probability 6 X X X X X X X X 8 (1+2) 7 X X X X X X X X 2− · 8 X X X X X X X X Li0 9 X X X X X X X X 10 X X X X X X X X L40 11 X X X X X X X X 12 X X X Legend 13 X X
14 X Known value and difference X 15 X Known difference 16 X X Guessed value and difference 3 4 3 4 5 6 8 6 5 4 3 4 3 2 2 2 F Highlight current step
Number of different differences in each Li
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 28/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Guess-and-Determine Algorithm
Li
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 Current Complexity 1 X X X X X X X X 2 X X X X X X X X 2256+16+8 3 X X X X X X X X 4 X X X X X X X X 5 X X X X X X X X Current Probability 6 X X X X X X X X 8 (1+2) 7 X X X X X X X X 2− · 8 X X X X X X X X Li0 9 X X X X X X X X 10 X X X X X X X X Next step: L120 .L40 11 X X X X X X X X 12 X X X X X Legend 13 X X X X
14 X X X Known value and difference X 15 X X X Known difference 16 X X X Guessed value and difference 3 4 3 4 5 6 8 6 5 4 3 4 3 2 2 2 F Highlight current step
Number of different differences in each Li
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 28/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Guess-and-Determine Algorithm
Li
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 Current Complexity 1 X X X X X X X X 2 X X X X X X X X 2256+16+8 3 X X X X X X X X 4 X X X X X X X X 5 X X X X X X X X Current Probability 6 X X X X X X X X 8 (1+2+3) 7 X X X X X X X X 2− · 8 X X X X X X X X Li0 9 X X X X X X X X 10 X X X X X X X X L40 11 X X X X X X X X 12 X X X X X Legend 13 X X X X
14 X X X Known value and difference X 15 X X X Known difference 16 X X X Guessed value and difference 3 4 3 4 5 6 8 6 5 4 3 4 3 2 2 2 F Highlight current step
Number of different differences in each Li
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 28/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Guess-and-Determine Algorithm
Li
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 Current Complexity 1 X X X X X X X X 2 X X X X X X X X 2256+16+8 3 X X X X X X X X 4 X X X X X X X X 5 X X X X X X X X Current Probability 6 X X X X X X X X 8 (1+2+3) 7 X X X X X X X X 2− · 8 X X X X X X X X Li0 9 X X X X X X X X 10 X X X X X X X X Next step: L10, L12.L40 11 X X X X X X X X 12 X X X X X X X X Legend 13 X X X X
14 X X X Known value and difference X 15 X X X Known difference 16 X X X Guessed value and difference 3 4 3 4 5 6 8 6 5 4 3 4 3 2 2 2 F Highlight current step
Number of different differences in each Li
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 28/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Guess-and-Determine Algorithm
Li
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 Current Complexity 1 X X X X X X X X 2 X X X X X X X X 2256+16+8 3 X X X X X X X X 4 X X X X X X X X 5 X X X X X X X X Current Probability 6 X X X X X X X X 8 (1+2+3) 7 X X X X X X X X 2− · 8 X X X X X X X X Li0 9 X X X X X X X X 10 X X X X X X X X L40 11 X X X X X X X X 12 X X X X X X X X Legend 13 X X X X
14 X X X Known value and difference X 15 X X X Known difference 16 X X X Guessed value and difference 3 4 3 4 5 6 8 6 5 4 3 4 3 2 2 2 F Highlight current step
Number of different differences in each Li
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 28/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Guess-and-Determine Algorithm
Li
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 Current Complexity 1 X X X X X X X X 2 X X X X X X X X 2256+16+8 3 X X X X X X X X 4 X X X X X X X X 5 X X X X X X X X Current Probability 6 X X X X X X X X 8 (1+2+3) 7 X X X X X X X X 2− · 8 X X X X X X X X Li0 9 X X X X X X X X 10 X X X X X X X X Next step: L20 .L160 11 X X X X X X X X 12 X X X X X X X X Legend 13 X X X X X X
14 X X X X X Known value and difference X 15 X X X X X Known difference 16 X X X X X Guessed value and difference 3 4 3 4 5 6 8 6 5 4 3 4 3 2 2 2 F Highlight current step
Number of different differences in each Li
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 28/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Guess-and-Determine Algorithm
Li
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 Current Complexity 1 X X X X X X X X 2 X X X X X X X X 2256+16+8 3 X X X X X X X X 4 X X X X X X X X 5 X X X X X X X X Current Probability 6 X X X X X X X X 8 (1+2+3+5) 7 X X X X X X X X 2− · 8 X X X X X X X X Li0 9 X X X X X X X X 10 X X X X X X X X L40 11 X X X X X X X X 12 X X X X X X X X Legend 13 X X X X X X
14 X X X X X Known value and difference X 15 X X X X X Known difference 16 X X X X X Guessed value and difference 3 4 3 4 5 6 8 6 5 4 3 4 3 2 2 2 F Highlight current step
Number of different differences in each Li
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 28/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Guess-and-Determine Algorithm
Li
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 Current Complexity 1 X X X X X X X X 2 X X X X X X X X 2256+16+8 3 X X X X X X X X 4 X X X X X X X X 5 X X X X X X X X Current Probability 6 X X X X X X X X 8 (1+2+3+5) 7 X X X X X X X X 2− · 8 X X X X X X X X Li0 9 X X X X X X X X 10 X X X X X X X X Next step: L130 , L140 , L150 .L160 11 X X X X X X X X 12 X X X X X X X X Legend 13 X X X X X X
14 X X X X X Known value and difference X 15 X X X X X Known difference 16 X X X X X X X X Guessed value and difference 3 4 3 4 5 6 8 6 5 4 3 4 3 2 2 2 F Highlight current step
Number of different differences in each Li
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 28/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Guess-and-Determine Algorithm
Li
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 Current Complexity 1 X X X X X X X X 2 X X X X X X X X 2256+16+8 3 X X X X X X X X 4 X X X X X X X X 5 X X X X X X X X Current Probability 6 X X X X X X X X 8 (1+2+3+5+8+8+8) 7 X X X X X X X X 2− · 8 X X X X X X X X Li0 9 X X X X X X X X 10 X X X X X X X X L40 11 X X X X X X X X 12 X X X X X X X X Legend 13 X X X X X X 14 X X X X X X Known value and difference 15 X X X X X Known difference 16 X X X X X X X X Guessed value and difference 3 4 3 4 5 6 8 6 5 4 3 4 3 2 2 2 F Highlight current step
Number of different differences in each Li
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 28/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Guess-and-Determine Algorithm
Li
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 Final Complexity 1 X X X X X X X X 2 X X X X X X X X 2256+16+8 = 2280 3 X X X X X X X X 4 X X X X X X X X 5 X X X X X X X X Final Probability 6 X X X X X X X X 8 (1+2+3+5+8+8+8) 280 7 X X X X X X X X 2− · = 2− 8 X X X X X X X X Li0 9 X X X X X X X X 10 X X X X X X X X The End.L40 11 X X X X X X X X 12 X X X X X X X X Legend 13 X X X X X X X X 14 X X X X X X X X X Known value and difference 15 X X X X X X X X Known difference 16 X X X X X X X X Guessed value and difference 3 4 3 4 5 6 8 6 5 4 3 4 3 2 2 2 F Highlight current step
Number of different differences in each Li
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 28/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Summing Up
Inbound Phase In total we try: 2256+16+8 = 2280possibilities, and each gives a solution with probability
2−8×(1+2+3+5+8+8+8) = 2−280.
Outbound Phase Again: P(outbound) = 2−2×56 = 2−112.
Distinguisher Finally, we distinguish the 10-round permutation in 2280+112 = 2392 operations and2 64 in memory.
This compares to a generic complexity of 2448 operations.
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 29/30 Thank you!
Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Conclusion
I We have provided new rebound results on building blocks of both versions of Grøstl that improve the previous number of analysed rounds.
I We propose a way to solve 3 fully active states in the middle.
I The results do not threaten the security of Grøstl, but we believe they will help better understanding AES-based constructions and their bounds regarding rebound techniques.
I More infos in the paper: http://www.di.ens.fr/~jean/
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 30/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Conclusion
I We have provided new rebound results on building blocks of both versions of Grøstl that improve the previous number of analysed rounds.
I We propose a way to solve 3 fully active states in the middle.
I The results do not threaten the security of Grøstl, but we believe they will help better understanding AES-based constructions and their bounds regarding rebound techniques.
I More infos in the paper: http://www.di.ens.fr/~jean/ Thank you!
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 30/30