Improved Rebound Attack on the Finalist Grøstl - raim 2012

Jun 21, 2012 - 64 submissions received; 51 entered first round (Dec. 9, 2008):. Abacus. ARIRANG. AURORA. BLAKE. Blender. BMW. BOOLE. Cheetah. CHI.
Télécharger le PDF
2MB taille 1 téléchargements 51 vues
commentaire
Report
Improved Rebound Attack on the Finalist Grøstl Jérémy Jean1

María Naya-Plasencia2 1 École

Normale Supérieure, France

2 University 3 Nanyang

Thomas Peyrin3

of Versailles, France

Technological University, Singapore

RAIM’2012 – June 21, 2012 (published in FSE’2012)

Hash Functions

Grøstl & SHA-3

Cryptanalysis

Techniques

Grøstl-256

Grøstl-512

Conclusion

Hash Functions H: hash function (e.g.: MD5, SHA-1, . . . )

H

50697fb42e88f27b0d19b625b18ae016

Security Notions Preimage resistance Collision resistance Second-Preimage resistance Distinguisher from Random Oracle

RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl

2/30

Hash Functions

Grøstl & SHA-3

Cryptanalysis

Techniques

Grøstl-256

Grøstl-512

Conclusion

SHA-3 Competition In 2007, the NIST announced a competition to select a new hash function standard. 64 submissions received; 51 entered first round (Dec. 9, 2008): Abacus ARIRANG AURORA BLAKE Blender BMW BOOLE Cheetah CHI CRUNCH CubeHash DCH Dynamic SHA

Dynamic SHA2 ECHO ECOH EDON-R EnRUPT ESSENCE FSB Fugue Grøstl Hamsi JH Keccak Khichidi-1

LANE Lesamnta Luffa LUX MCSSHA-3 MD6 MeshHash NaSHA SANDstorm Sarmal Sgail Shabal SHAMATA

SHAvite-3 SIMD Skein Spectral Hash StreamHash SWIFFTX Tangle TIB3 Twister Vortex WaMM Waterfall

RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl

3/30

Hash Functions

Grøstl & SHA-3

Cryptanalysis

Techniques

Grøstl-256

Grøstl-512

Conclusion

SHA-3 Competition In 2007, the NIST announced a competition to select a new hash function standard. 14 entered second round (July 24, 2009): Abacus ARIRANG AURORA BLAKE Blender BMW BOOLE Cheetah CHI CRUNCH CubeHash DCH Dynamic SHA

Dynamic SHA2 ECHO ECOH EDON-R EnRUPT ESSENCE FSB Fugue Grøstl Hamsi JH Keccak Khichidi-1

LANE Lesamnta Luffa LUX MCSSHA-3 MD6 MeshHash NaSHA SANDstorm Sarmal Sgail Shabal SHAMATA

SHAvite-3 SIMD Skein Spectral Hash StreamHash SWIFFTX Tangle TIB3 Twister Vortex WaMM Waterfall

RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl

3/30

Hash Functions

Grøstl & SHA-3

Cryptanalysis

Techniques

Grøstl-256

Grøstl-512

Conclusion

SHA-3 Competition In 2007, the NIST announced a competition to select a new hash function standard. 5 entered the final (Dec. 9, 2010): Abacus ARIRANG AURORA BLAKE Blender BMW BOOLE Cheetah CHI CRUNCH CubeHash DCH Dynamic SHA

Dynamic SHA2 ECHO ECOH EDON-R EnRUPT ESSENCE FSB Fugue Grøstl Hamsi JH Keccak Khichidi-1

LANE Lesamnta Luffa LUX MCSSHA-3 MD6 MeshHash NaSHA SANDstorm Sarmal Sgail Shabal SHAMATA

SHAvite-3 SIMD Skein Spectral Hash StreamHash SWIFFTX Tangle TIB3 Twister Vortex WaMM Waterfall

RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl

3/30

Hash Functions

Grøstl & SHA-3

Cryptanalysis

Techniques

Grøstl-256

Grøstl-512

Conclusion

SHA-3 Competition In 2007, the NIST announced a competition to select a new hash function standard. In 2012: the winner will be chosen. Abacus ARIRANG AURORA BLAKE Blender BMW BOOLE Cheetah CHI CRUNCH CubeHash DCH Dynamic SHA

Dynamic SHA2 ECHO ECOH EDON-R EnRUPT ESSENCE FSB Fugue Grøstl Hamsi JH Keccak Khichidi-1

LANE Lesamnta Luffa LUX MCSSHA-3 MD6 MeshHash NaSHA SANDstorm Sarmal Sgail Shabal SHAMATA

SHAvite-3 SIMD Skein Spectral Hash StreamHash SWIFFTX Tangle TIB3 Twister Vortex WaMM Waterfall

RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl

3/30

Hash Functions

Grøstl & SHA-3

Cryptanalysis

Grøstl-256

Techniques

Grøstl-512

Conclusion

Grøstl hash function H

I

H takes input m of any length

I

Difficult to handle

I

Use fixed-size input f function

I

Split m into chunks m = m1 ||m2 || · · ·

Compression Function f mn hn−1

f

hn



H(m)

Mode of Operation m=

h0 = IV

m1

m2

f

m3

f h1

m4

f

f h2

h3

h4

RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl

4/30

Hash Functions

Grøstl & SHA-3

Cryptanalysis

Techniques

Grøstl-256

Grøstl-512

Conclusion

Grøstl Compression Function (CF): f Grøstl-v0 [Knudsen et al. 08] has been tweaked for the final: I

Grøstl-256: |h| = |m|=512 bits.

I

Grøstl-512: |h| = |m|=1024 bits.

h

P

m

Q

h0

RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl

5/30

Hash Functions

Grøstl & SHA-3

Cryptanalysis

Techniques

Grøstl-256

Grøstl-512

Conclusion

Grøstl Internal Permutations Permutations P and Q apply the wide-trail strategy from the AES. I

Grøstl-256: 10 rounds on state a 8 × 8.

I

Grøstl-512: 14 rounds on state a 8 × 16.

AddRoundConstant SubBytes ShiftBytes MixBytes

Tweak: constants in ARC and ShB changed to introduce asymmetry between P and Q RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl

6/30

Hash Functions

Grøstl & SHA-3

Cryptanalysis

Techniques

Grøstl-256

Grøstl-512

Conclusion

Grøstl Finalization Round Ω

Once all blocks of message have been treated: truncation.

hi−1

P

h

h is the hash value the input message

RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl

7/30

Hash Functions

Grøstl & SHA-3

Cryptanalysis

Techniques

Grøstl-256

Grøstl-512

Conclusion

Grøstl: Best Analysis After the Tweak

I

I

Grøstl-256: • [Sasaki et al A10]: 8-round permutation distinguisher. •

[Gilbert et al. FSE10]: 8-round CF distinguisher.



[Boura et al. FSE11]: 10-round zero-sum.

Grøstl-512 • [Schläffer 2011]: 6-round collision on the CF.

RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl

8/30

Hash Functions

Grøstl & SHA-3

Cryptanalysis

Techniques

Grøstl-256

Grøstl-512

Conclusion

Our New Results 1/2 [Jean et al. FSE12]

I

Based on the rebound technique [Mendel et al. FSE09].

I

Based on a way of finding solutions for three consecutive full active rounds: new.

I

They apply both to 256 and 512 versions.

RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl

9/30

Hash Functions

Grøstl & SHA-3

Cryptanalysis

Techniques

Grøstl-256

Grøstl-512

Conclusion

Our New Results 2/2 [Jean et al. FSE12]

I

On Grøstl-256, we provide distinguishers for 9 rounds of the permutation (total: 10).

I

On Grøstl-512, we provide distinguishers for 8, 9 and 10 rounds of the permutation (total: 14).

RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl

10/30

Hash Functions

Grøstl & SHA-3

Cryptanalysis

Techniques

Grøstl-256

Grøstl-512

Conclusion

Rebound Attack

Mb

Mb

Mb

Mb

Mb

Mb

Mb

Mb

Sh

Sh

Sh

Sh

Sh

Sh

Sh

Sh

SB

SB

SB

SB

SB

SB

SB

SB

RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl

11/30

Hash Functions

Grøstl & SHA-3

Cryptanalysis

Techniques

Grøstl-256

Grøstl-512

Conclusion

Rebound Attack

Mb

Mb

Mb

Mb

Mb

Mb

Mb

Mb

Sh

Sh

Sh

Sh

Sh

Sh

Sh

Sh

SB

SB

SB

SB

SB

SB

SB

SB

Outbound

Inbound

Outbound

RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl

11/30

Hash Functions

Grøstl & SHA-3

Cryptanalysis

Techniques

Grøstl-256

Grøstl-512

Conclusion

SuperSBox

Mb

Mb

Mb

Mb

Mb

Mb

Mb

Mb

Sh

Sh

Sh

Sh

Sh

Sh

Sh

Sh

SB

SB

SB

SB

SB

SB

SB

SB

SuperSBox = SB ◦ MC ◦ SB

RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl

12/30

Hash Functions

Grøstl & SHA-3

Cryptanalysis

Techniques

Grøstl-256

Grøstl-512

Conclusion

Limited Birthday Distinguisher [Gilbert et Peyrin FSE2010] Limited Birthday What is the generic complexity for mapping i fixed-difference bits to j fixed-difference bits with a random n-bit permutation π? WLOG, we assume: i ≤ j.

n−i

n−j

n

π

j

Time complexity if j ≤ 2(n − i), then time complexity is 2j/2 . if j > 2(n − i), then time complexity is 2i+j−n . RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl

13/30

Hash Functions

Grøstl & SHA-3

Cryptanalysis

Techniques

Grøstl-256

Grøstl-512

Conclusion

Grøstl-256 Permutation

RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl

14/30

Hash Functions

Grøstl & SHA-3

Cryptanalysis

Techniques

Grøstl-256

Grøstl-512

Conclusion

Differential Characteristic for 9 rounds

Mb

Mb

Mb

Mb

Mb

Mb

Mb

Mb

Mb

Sh

Sh

Sh

Sh

Sh

Sh

Sh

Sh

Sh

SB

SB

SB

SB

SB

SB

SB

SB

SB

RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl

15/30

Grøstl-512

Conclusion

RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl

16/30

Hash Functions

Grøstl & SHA-3

Cryptanalysis

Techniques

Grøstl-256

Inbound for 3 Full-Active Rounds S0

S1 SB

S3

S2 Sh

Sh

S7

S6 SB

S9

S6 Mb

S8 Sh

S10 SB

Mb

S5

S4 SB

S3

S9 Mb

S11 Sh

S12 Mb

Grøstl-512

Conclusion

RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl

16/30

Hash Functions

Grøstl & SHA-3

Cryptanalysis

Techniques

Grøstl-256

Inbound for 3 Full-Active Rounds S0

S1 SB

S3

S2 Sh

Sh

S7

S6 SB

S9

S6 Mb

S8 Sh

S10 SB

Mb

S5

S4 SB

S3

S9 Mb

S11 Sh

S12 Mb

Grøstl-512

Conclusion

RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl

16/30

Hash Functions

Grøstl & SHA-3

Cryptanalysis

Techniques

Grøstl-256

Inbound for 3 Full-Active Rounds S0

S1 SB

S3

S2 Sh

Sh

S7

S6 SB

S9

S6 Mb

S8 Sh

S10 SB

Mb

S5

S4 SB

S3

S9 Mb

S11 Sh

S12 Mb

Grøstl-512

Conclusion

RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl

16/30

Hash Functions

Grøstl & SHA-3

Cryptanalysis

Techniques

Grøstl-256

Inbound for 3 Full-Active Rounds S0

S1 SB

S3

S2 Sh

Sh

S7

S6 SB

S9

S6 Mb

S8 Sh

S10 SB

Mb

S5

S4 SB

S3

S9 Mb

S11 Sh

S12 Mb

Hash Functions

Grøstl & SHA-3

Cryptanalysis

Techniques

Grøstl-256

Grøstl-512

Conclusion

Inbound for 3 Full-Active Rounds: Analysis

Counting 8 forward SuperSBox sets of 264 values and differences 8 backward SuperSBox sets of

264

values and differences

 

Overlapping on 512 bits of values + 512 bits of differences

Number of Solutions Expected 28×64 28×64 2−512−512 = 2512+512−512−512 = 1

Limited Birthday 2384 operations

Our Algorithm 2256 operations, memory 264

RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl

17/30

Hash Functions

Grøstl & SHA-3

Cryptanalysis

Techniques

Grøstl-256

Grøstl-512

Conclusion

Solving the 3 Active Rounds: Context

The 8 forward Li overlaps the 8 backwards L0i like this: L1 L2 L3 L4 L5 L6 L7 L8

L01 L02 L03 L04 L05 L06 L07 L08

RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl

18/30

Hash Functions

Grøstl & SHA-3

Cryptanalysis

Techniques

Grøstl-256

Grøstl-512

Conclusion

Solving the 3 Active Rounds: Step 1

We start by choosing one element in each of the four first L0i . L8

L01 L02 L03 L04

RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl

19/30

Hash Functions

Grøstl & SHA-3

Cryptanalysis

Techniques

Grøstl-256

Grøstl-512

Conclusion

Solving the 3 Active Rounds: Step 2

This determines a single element in each Li . L1 L2 L3 L4 L5 L6 L7 L8

L01

RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl

20/30

Hash Functions

Grøstl & SHA-3

Cryptanalysis

Techniques

Grøstl-256

Grøstl-512

Conclusion

Solving the 3 Active Rounds: Step 3

Each determined element in the remaining L0i exists with p = 2−8×8 . L8

L05 L06 L07 L08

RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl

21/30

Hash Functions

Grøstl & SHA-3

Cryptanalysis

Techniques

Grøstl-256

Grøstl-512

Conclusion

Summing Up

Inbound Phase In total we try 2256 combinations of (L01 , L02 , L03 , L04 ) and each gives a solution with probability: 2−4×8×8 = 2−256 .

Outbound Phase Probability 2−2×56 to pass two 8 → 1 transitions in the MixBytes.

Distinguisher We distinguish the 9-round permutation in 2256+112 = 2367 operations and 264 in memory. Note: This compares to a generic complexity of 2384 operations. RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl

22/30

Hash Functions

Grøstl & SHA-3

Cryptanalysis

Techniques

Grøstl-256

Grøstl-512

Conclusion

Grøstl-512 Permutation

RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl

23/30

Hash Functions

Grøstl & SHA-3

Cryptanalysis

Techniques

Grøstl-256

Grøstl-512

Conclusion

Differential Characteristic for 10 rounds

Mb

Mb

Mb

Mb

Mb

Mb

Mb

Mb

Mb

Mb

Sh

Sh

Sh

Sh

Sh

Sh

Sh

Sh

Sh

Sh

SB

SB

SB

SB

SB

SB

SB

SB

SB

SB

RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl

24/30

Grøstl & SHA-3

Hash Functions

Cryptanalysis

Techniques

Grøstl-256

Grøstl-512

Conclusion

Inbound Phase S0

S1

SB

S3

S2

Sh

Sh

S7

S6

SB

S9

S6

Mb

S8

Sh

S10

SB

Mb

S5

S4

SB

S3

S9

Mb

S11

Sh

S12

Mb

RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl

25/30

Grøstl & SHA-3

Hash Functions

Cryptanalysis

Techniques

Grøstl-256

Grøstl-512

Conclusion

Inbound Phase S0

S1

SB

S3

S2

Sh

Sh

S7

S6

SB

S9

S6

Mb

S8

Sh

S10

SB

Mb

S5

S4

SB

S3

S9

Mb

S11

Sh

S12

Mb

RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl

25/30

Grøstl & SHA-3

Hash Functions

Cryptanalysis

Techniques

Grøstl-256

Grøstl-512

Conclusion

Inbound Phase S0

S1

SB

S3

S2

Sh

Sh

S7

S6

SB

S9

S6

Mb

S8

Sh

S10

SB

Mb

S5

S4

SB

S3

S9

Mb

S11

Sh

S12

Mb

RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl

25/30

Grøstl & SHA-3

Hash Functions

Cryptanalysis

Techniques

Grøstl-256

Grøstl-512

Conclusion

Inbound Phase S0

S1

SB

S3

S2

Sh

Sh

S7

S6

SB

S9

S6

Mb

S8

Sh

S10

SB

Mb

S5

S4

SB

S3

S9

Mb

S11

Sh

S12

Mb

RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl

25/30

Hash Functions

Grøstl & SHA-3

Cryptanalysis

Techniques

Grøstl-256

Grøstl-512

Conclusion

Observations

Counting 16 forward SuperSBox sets of 264 values and differences 16 backward SuperSBox sets of

264

values and differences

 

Overlapping on 1024 bits of values + 1024 bits of differences

Number of Solutions Expected 216×64 216×64 2−1024−1024 = 21024+1024−1024−1024 = 1

Limited Birthday 2896 operations

Our Algorithm 2280 operations, memory 264

RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl

26/30

Hash Functions

Grøstl & SHA-3

Cryptanalysis

Techniques

Grøstl-256

Grøstl-512

Conclusion

Algorithm: Guess-and-Determine Approach Constraints The differences around the MixBytes layer are restricted since the right state is not fully active.

Mb

Notations Forward SuperSBoxes: L1 , . . . , L16 . Backward SuperSBoxes: L01 , . . . , L016 . RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl

  27/30

Hash Functions

Grøstl & SHA-3

Cryptanalysis

Grøstl-256

Techniques

Grøstl-512

Conclusion

Algorithm: Guess-and-Determine Approach Li

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

3

4

3

4

5

6

8

6

5

4

3

4

3

2

2

2

1 2 3 4 5 6 7 L0i

8 9 10 11 12 13 14 15 16

Number of different differences in each Li

RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl

27/30

Grøstl & SHA-3

Hash Functions

Cryptanalysis

Techniques

Grøstl-256

Grøstl-512

Conclusion

Guess-and-Determine Algorithm Li

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

Current Complexity 1

L0i

2

F

3

F F

4

F F F

5

F F F F

6

F F F F

7

F F F F

8

F F F F

2256

9

F F F

10

F F

11

F

Current Probability 1 L04

12

Legend

F

13

X Known value and difference

F

14

F

15

Known difference

F

16 3

4

3

4

5

6

8

6

5

4

3

4

3

2

2

2

F Guessed value and difference  Highlight current step

Number of different differences in each Li

RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl

28/30

Grøstl & SHA-3

Hash Functions

Cryptanalysis

Techniques

Grøstl-256

Grøstl-512

Conclusion

Guess-and-Determine Algorithm Li

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

Current Complexity 1

L0i

2

X

3

X X

4

X X X

5

X X X X

6

X X X X

7

X X X X

8

X X X X

2256

9

X X X

10

X X

11

X

Current Probability 1 Next step: L05 , L06 , L07 , L08 .L04

12

Legend

X

13

X Known value and difference

X

14

X

15

Known difference

X

16 3

4

3

4

5

6

8

6

5

4

3

4

3

2

2

2

F Guessed value and difference  Highlight current step

Number of different differences in each Li

RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl

28/30

Grøstl & SHA-3

Hash Functions

Cryptanalysis

Techniques

Grøstl-256

Grøstl-512

Conclusion

Guess-and-Determine Algorithm Li

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

Current Complexity 1

L0i

2

X

3

X X

2256

4

X X X

5

 X X X X

6

 X X X X 

7

 X X X X  



  

9

X X X

10

X X

11

X

1



X X X X   

8



L04

12

Legend

X

13

X Known value and difference

X

14

X

15

Known difference

X

16 3

4

Current Probability



3

4

5

6

8

6

5

4

3

4

3

2

2

2

F Guessed value and difference  Highlight current step

Number of different differences in each Li

RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl

28/30

Grøstl & SHA-3

Hash Functions

Cryptanalysis

Techniques

Grøstl-256

Grøstl-512

Conclusion

Guess-and-Determine Algorithm Li

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

Current Complexity 1

L0i

2

X

3

X X

2256

4

X X X

5

X X X X X

6

X X X X X X

7

X X X X X X X

X

X X X

9

X X X

10

X X

11

X

1

X

X X X X X X X

8

X

Next step: L1 , L16 .L04

12

Legend

X

13

X Known value and difference

X

14

X

15

Known difference

X

16 3

4

Current Probability

X

3

4

5

6

8

6

5

4

3

4

3

2

2

2

F Guessed value and difference  Highlight current step

Number of different differences in each Li

RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl

28/30

Grøstl & SHA-3

Hash Functions

Cryptanalysis

Techniques

Grøstl-256

Grøstl-512

Conclusion

Guess-and-Determine Algorithm Li

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

Current Complexity 1

L0i

2

X

3

X X

2256

4

X X X

5

X X X X X

6

X X X X X X

7

X X X X X X X

X

X X X

9

X X X

10

X X

11

X

1

X

X X X X X X X

8

X

Next step: L04 .

12

Legend

X

13

X Known value and difference

X

14

X

15

Known difference

X

16 3

4

Current Probability

X

3

4

5

6

8

6

5

4

3

4

3

2

2

2

F Guessed value and difference  Highlight current step

Number of different differences in each Li

RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl

28/30

Grøstl & SHA-3

Hash Functions

Cryptanalysis

Techniques

Grøstl-256

Grøstl-512

Conclusion

Guess-and-Determine Algorithm Li

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

Current Complexity 1

L0i

2

X

3

X X

2256

4

 X X X

5

X X X X X



6

X X X X X X

7

X X X X X X X

   X

X X X

9

X X X

10

X X

11

X

1

X

X X X X X X X

8

X

L04

12

Legend

X

13

X Known value and difference

X

14

X

15

Known difference

X

16 3

4

Current Probability

X

3

4

5

6

8

6

5

4

3

4

3

2

2

2

F Guessed value and difference  Highlight current step

Number of different differences in each Li

RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl

28/30

Grøstl & SHA-3

Hash Functions

Cryptanalysis

Techniques

Grøstl-256

Grøstl-512

Conclusion

Guess-and-Determine Algorithm Li

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

Current Complexity 1

L0i

2

X

3

X X

4

X X X X

5

X X X X X

6

X X X X X X

7

X X X X X X X

2256 X

X X X X

X X X

9

X X X

10

X X

11

X

1

X

X X X X X X X

8

X

Next step: L15 .L04

12

Legend

X

13

X Known value and difference

X

14

X

15

Known difference

X

16 3

4

Current Probability

X

3

4

5

6

8

6

5

4

3

4

3

2

2

2

F Guessed value and difference  Highlight current step

Number of different differences in each Li

RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl

28/30

Grøstl & SHA-3

Hash Functions

Cryptanalysis

Techniques

Grøstl-256

Grøstl-512

Conclusion

Guess-and-Determine Algorithm Li

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

Current Complexity 1

L0i

2

X

3

X X

4

X X X X

5

X X X X X

6

X X X X X X

7

X X X X X X X

2256 X

X X X X

X X X

9

X X X

10

X X

11

X

1

X

X X X X X X X

8

X

Next step: L6 .L04

12

Legend

X

13

X Known value and difference

X

14

X

15

Known difference

X

16 3

4

Current Probability

X

3

4

5

6

8

6

5

4

3

4

3

2

2

2

F Guessed value and difference  Highlight current step

Number of different differences in each Li

RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl

28/30

Grøstl & SHA-3

Hash Functions

Cryptanalysis

Techniques

Grøstl-256

Grøstl-512

Conclusion

Guess-and-Determine Algorithm Li

1

2

3

4

5

7

8

9

10

11

12

13

14

15

16

Current Complexity

F

1

L0i

6

2

X

3

X X

4

X X X X

5

X X X X X

6

X X X X X X

7

X X X X X X X

2256+16 X

X X X X

X X X

9

X X X F

10

X X F

11

X F

1

X

X X X X X X X

8

X

L04

F

12

Legend

X

13

X Known value and difference

X

14

X

15

Known difference

X

16 3

4

3

4

Current Probability

X

5

6

8

6

5

4

3

4

3

2

2

2

F Guessed value and difference  Highlight current step

Number of different differences in each Li

RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl

28/30

Grøstl & SHA-3

Hash Functions

Cryptanalysis

Techniques

Grøstl-256

Grøstl-512

Conclusion

Guess-and-Determine Algorithm Li

1

2

3

4

5

7

8

9

10

11

12

13

14

15

16

Current Complexity

X

1

L0i

6

2

X

3

X X

4

X X X X

5

X X X X X

6

X X X X X X

7

X X X X X X X

2256+16 X

X X X X

X X X

9

X X X X

10

X X X

11

X X

1

X

X X X X X X X

8

X

Next step: L09 .

X

12

Legend

X

13

X Known value and difference

X

14

X

15

Known difference

X

16 3

4

3

4

Current Probability

X

5

6

8

6

5

4

3

4

3

2

2

2

F Guessed value and difference  Highlight current step

Number of different differences in each Li

RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl

28/30

Grøstl & SHA-3

Hash Functions

Cryptanalysis

Techniques

Grøstl-256

Grøstl-512

Conclusion

Guess-and-Determine Algorithm Li

1

2

3

4

5

7

8

9

10

11

12

13

14

15

16

Current Complexity

X

1

L0i

6

2

X

3

X X

4

X X X X

5

X X X X X

6

X X X X X X

7

X X X X X X X

2256+16 X

X X X X

X X X

1

X

X X X X X X X

8

X

X X X X   

9 10

X X X

11

X X



L04

X

12

Legend

X

13

X Known value and difference

X

14

X

15

Known difference

X

16 3

4

3

4

Current Probability

X

5

6

8

6

5

4

3

4

3

2

2

2

F Guessed value and difference  Highlight current step

Number of different differences in each Li

RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl

28/30

Grøstl & SHA-3

Hash Functions

Cryptanalysis

Techniques

Grøstl-256

Grøstl-512

Conclusion

Guess-and-Determine Algorithm Li

1

2

3

4

5

7

8

9

10

11

12

13

14

15

16

Current Complexity

X

1

L0i

6

2

X

3

X X

4

X X X X

5

X X X X X

6

X X X X X X

7

X X X X X X X

2256+16 X

X X X X

X X X

1

X

X X X X X X X

8

X

X X X X X X X

9 10

X X X

11

X X

X

Next step: L14 .L04

X

12

Legend

X

13

X Known value and difference

X

14

X

15

Known difference

X

16 3

4

3

4

Current Probability

X

5

6

8

6

5

4

3

4

3

2

2

2

F Guessed value and difference  Highlight current step

Number of different differences in each Li

RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl

28/30

Grøstl & SHA-3

Hash Functions

Cryptanalysis

Techniques

Grøstl-256

Grøstl-512

Conclusion

Guess-and-Determine Algorithm Li

1

2

3

4

5

7

8

9

10

11

12

13

14

15

16

Current Complexity

X

1

L0i

6

2

X

3

X X

4

X X X X

5

X X X X X

6

X X X X X X

7

X X X X X X X

2256+16 X

X X X X

X X X

1

X

X X X X X X X

8

X

X X X X X X X

9 10

X X X

11

X X

X

Next step: L03 .L04

X

12

Legend

X

13

X Known value and difference

X

14

X

15

Known difference

X

16 3

4

3

4

Current Probability

X

5

6

8

6

5

4

3

4

3

2

2

2

F Guessed value and difference  Highlight current step

Number of different differences in each Li

RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl

28/30

Grøstl & SHA-3

Hash Functions

Cryptanalysis

Techniques

Grøstl-256

Grøstl-512

Conclusion

Guess-and-Determine Algorithm Li

1

2

3

4

5

7

8

9

10

11

12

13

14

15

16

Current Complexity

X

1

L0i

6

2

X

3

 X X

4

X X X X

5

X X X X X

6

X X X X X X

7

X X X X X X X

 X

X X X X

X X X

1

X X

X X X X X X X

9 10

X X X

11

X X

X

L04

X

12

Legend

X

13

X Known value and difference

X

14

X

15

Known difference

X

16 3

4

3

4

Current Probability

X

X X X X X X X

8

2256+16

   

5

6

8

6

5

4

3

4

3

2

2

2

F Guessed value and difference  Highlight current step

Number of different differences in each Li

RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl

28/30

Grøstl & SHA-3

Hash Functions

Cryptanalysis

Techniques

Grøstl-256

Grøstl-512

Conclusion

Guess-and-Determine Algorithm Li

1

2

3

4

5

7

8

9

10

11

12

13

14

15

16

Current Complexity

X

1

L0i

6

2

X

3

X X X

4

X X X X

5

X X X X X

6

X X X X X X

7

X X X X X X X

X X

X X X X

X X X

1

X X

X X X X X X X

9 10

X X X

11

X X

X

Next step: L1 .L04

X

12

Legend

X

13

X Known value and difference

X

14

X

15

Known difference

X

16 3

4

3

4

Current Probability

X

X X X X X X X

8

2256+16

X X X X

5

6

8

6

5

4

3

4

3

2

2

2

F Guessed value and difference  Highlight current step

Number of different differences in each Li

RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl

28/30

Grøstl & SHA-3

Hash Functions

Cryptanalysis

Techniques

Grøstl-256

Grøstl-512

Conclusion

Guess-and-Determine Algorithm Li

1 1

L0i

2

3

4

5



6

7

9

10

11

12

14

15

16

Current Complexity

 X

3

X X X

4

X X X X

5

X X X X X

6

X X X X X X

7

X X X X X X X

X X

X X X X

X X X

X X X

11

X X 

1

X X X

L04

X

Legend

X

13

X Known value and difference

X

14

X

15

Known difference

X

16 3

4

3

4

Current Probability

X

X X X X X X X

9 10

2256+16

X X X X

X X X X X X X

8

13

X

2

12

8

5

6

8

6

5

4

3

4

3

2

2

2

F Guessed value and difference  Highlight current step

Number of different differences in each Li

RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl

28/30

Grøstl & SHA-3

Hash Functions

Cryptanalysis

Techniques

Grøstl-256

Grøstl-512

Conclusion

Guess-and-Determine Algorithm Li

1

L0i

2

3

4

5

6

7

9

10

11

12

X

2

X X

3

X X X

4

X X X X

5

X X X X X

6

X X X X X X

7

X X X X X X X

14

15

16

X X X

X X X X

X X X

X X X

11

X X X

1

X X X

Next step: L01 .L04

X

Legend

X

13

X Known value and difference

X

14

X

15

Known difference

X

16 3

4

3

4

Current Probability

X

X X X X X X X

9 10

2256+16

X X X X

X X X X X X X

8

13

Current Complexity

1

12

8

5

6

8

6

5

4

3

4

3

2

2

2

F Guessed value and difference  Highlight current step

Number of different differences in each Li

RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl

28/30

Grøstl & SHA-3

Hash Functions

Cryptanalysis

Techniques

Grøstl-256

Grøstl-512

Conclusion

Guess-and-Determine Algorithm Li

1

L0i

2

3

4

5

6

7

9

10

11

12

X

2

X X

3

X X X

4

X X X X

5

X X X X X

6

X X X X X X

7

X X X X X X X

X X X

10

X X X

11

X X X

15

16

Current Complexity

X X X

1

X X X

L04

X

Legend X Known value and difference

X

14

X

15

Known difference

X

16 3

4

3

4

Current Probability

X

X

13

2256+16+8

X X X X

X X X X X X X

9

14

X X X X

X X X X X X X

8

13

F F F

1

12

8

5

6

8

6

5

4

3

4

3

2

2

2

F Guessed value and difference  Highlight current step

Number of different differences in each Li

RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl

28/30

Grøstl & SHA-3

Hash Functions

Cryptanalysis

Techniques

Grøstl-256

Grøstl-512

Conclusion

Guess-and-Determine Algorithm Li

1

L0i

2

3

4

5

6

7

1

X

2

X X

3

X X X

4

X X X X

5

X X X X X

6

X X X X X X

7

X X X X X X X

9

10

X

11

12

13

X X

X X X

11

X X X

16

X X X

1 X X

Next step: L13 .L04 Legend X Known value and difference

X X

15

Known difference

X

16 3

4

3

4

Current Probability

X

X

14

2256+16+8

X

X

13

Current Complexity

X X X X

10

15

X X X X

X X X X X X X

9

14

X X X X X X

X X X X X X X

8

12

8

5

6

8

6

5

4

3

4

3

2

2

2

F Guessed value and difference  Highlight current step

Number of different differences in each Li

RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl

28/30

Grøstl & SHA-3

Hash Functions

Cryptanalysis

Techniques

Grøstl-256

Grøstl-512

Conclusion

Guess-and-Determine Algorithm Li

1

L0i

2

3

4

5

6

7

1

X

2

X X

3

X X X

4

X X X X

5

X X X X X

6

X X X X X X

7

X X X X X X X

9

10

X

11

12

13

X X

X X X

11

X X X

16

X X X

1 X X

Next step: L02 .L04 Legend X Known value and difference

X X

15

Known difference

X

16 3

4

3

4

Current Probability

X

X

14

2256+16+8

X

X

13

Current Complexity

X X X X

10

15

X X X X

X X X X X X X

9

14

X X X X X X

X X X X X X X

8

12

8

5

6

8

6

5

4

3

4

3

2

2

2

F Guessed value and difference  Highlight current step

Number of different differences in each Li

RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl

28/30

Grøstl & SHA-3

Hash Functions

Cryptanalysis

Techniques

Grøstl-256

Grøstl-512

Conclusion

Guess-and-Determine Algorithm Li

1

L0i

2

3

4

5

6

7

1

X

2

X X

3

X X X

4

X X X X

5

X X X X X

6

X X X X X X

7

X X X X X X X

9

10

X

11

12

13



11

X X X

X X X

1 X X

L04 Legend X Known value and difference

X X

15

Known difference

X

16 3

4

3

4

Current Probability

X

X

14

2256+16+8

X

X

13

Current Complexity

X X X X

X X X

16

X X X X X

10

15

     X

X X X X X X X

9

14

X X X X X X

X X X X X X X

8

12

8

5

6

8

6

5

4

3

4

3

2

2

2

F Guessed value and difference  Highlight current step

Number of different differences in each Li

RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl

28/30

Grøstl & SHA-3

Hash Functions

Cryptanalysis

Techniques

Grøstl-256

Grøstl-512

Conclusion

Guess-and-Determine Algorithm Li

1

L0i

2

3

4

5

6

7

1

X

2

X X

3

X X X

4

X X X X

5

X X X X X

6

X X X X X X

7

X X X X X X X

9

10

X

11

12

13

X

11

X X X

X X X

1 X X

Next step: L7 , L16 .L04 Legend X Known value and difference

X X

15

Known difference

X

16 3

4

3

4

Current Probability

X

X

14

2256+16+8

X

X

13

Current Complexity

X X X X

X X X

16

X X X X X

10

15

X X X X X X

X X X X X X X

9

14

X X X X X X

X X X X X X X

8

12

8

5

6

8

6

5

4

3

4

3

2

2

2

F Guessed value and difference  Highlight current step

Number of different differences in each Li

RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl

28/30

Grøstl & SHA-3

Hash Functions

Cryptanalysis

Techniques

Grøstl-256

Grøstl-512

Conclusion

Guess-and-Determine Algorithm Li

1

L0i

2

3

4

5

6

7

1

X

2

X X

3

X X X

4

X X X X

5

X X X X X

6

X X X X X X

7

X X X X X X X

9

10

X

11

12

13

X

16

X X X

11

X X 

1

X X X

L04 

Legend



X

X Known value and difference

X

14

X

15



X

16 3

4

3

4

Current Probability

X

X 

X

2256+16+8

X X X X

X X X 

Current Complexity

X X X X X

10

13

15

X X X X X X

X X X X X X X

9

14

X X X X X X

X X X X X X X

8

12

8

5

6

8

6

5

4

3

4

3

2

2

2

Known difference F Guessed value and difference  Highlight current step

Number of different differences in each Li

RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl

28/30

Grøstl & SHA-3

Hash Functions

Cryptanalysis

Techniques

Grøstl-256

Grøstl-512

Conclusion

Guess-and-Determine Algorithm Li

1

L0i

2

3

4

5

6

7

1

X

2

X X

3

X X X

4

X X X X

5

X X X X X

6

X X X X X X

7

X X X X X X X

9

10

X

11

12

13

X

X X X

11

X X X

1 X X

Next step: L010 , L011 .L04 X

Legend

X

X Known value and difference

X

15

X

16 3

4

3

4

Current Probability

X

X

14

2256+16+8

X

X X X

Current Complexity

X X X X

X X X X X

16

X X X X X

10

13

15

X X X X X X

X X X X X X X

9

14

X X X X X X

X X X X X X X

8

12

8

5

X 6

8

6

5

4

3

4

3

2

2

2

Known difference F Guessed value and difference  Highlight current step

Number of different differences in each Li

RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl

28/30

Grøstl & SHA-3

Hash Functions

Cryptanalysis

Techniques

Grøstl-256

Grøstl-512

Conclusion

Guess-and-Determine Algorithm Li

1

L0i

2

3

4

5

6

7

1

X

2

X X

3

X X X

4

X X X X

5

X X X X X

6

X X X X X X

7

X X X X X X X

9

10

X

11

12

13

X X

X

X X X

X

L04

 X

Legend X Known value and difference

X X

16 3

4

3

4

2−8·(1)

X

X

15

Current Probability

X

X

14

2256+16+8

X

X X X

13

Current Complexity

X X X X

X X X    

11

16

X X X X

X X X X   

10

15

X X X X X X

X X X X X X X

9

14

X X X X X X

X X X X X X X

8

12

8

5

X 6

8

6

5

4

3

4

3

2

2

2

Known difference F Guessed value and difference  Highlight current step

Number of different differences in each Li

RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl

28/30

Grøstl & SHA-3

Hash Functions

Cryptanalysis

Techniques

Grøstl-256

Grøstl-512

Conclusion

Guess-and-Determine Algorithm Li

1

L0i

2

3

4

5

6

7

1

X

2

X X

3

X X X

4

X X X X

5

X X X X X

6

X X X X X X

7

X X X X X X X

9

10

X

11

12

13

X X

X

X X X

X

Next step: L8 , L9 , L11 , L15 .L04

X X

Legend X Known value and difference

X X

16 3

4

3

4

2−8·(1)

X

X

15

Current Probability

X

X

14

2256+16+8

X

X X X

13

Current Complexity

X X X X

X X X X X X X

11

16

X X X X

X X X X X X X

10

15

X X X X X X

X X X X X X X

9

14

X X X X X X

X X X X X X X

8

12

8

5

X 6

8

6

5

4

3

4

3

2

2

2

Known difference F Guessed value and difference  Highlight current step

Number of different differences in each Li

RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl

28/30

Grøstl & SHA-3

Hash Functions

Cryptanalysis

Techniques

Grøstl-256

Grøstl-512

Conclusion

Guess-and-Determine Algorithm Li

1

L0i

2

3

4

5

6

7

1

X

2

X X

3

X X X

4

X X X X

5

X X X X X

6

X X X X X X

7

X X X X X X X

9

10

X

11

12

13

X X

X X X

X X

Legend

4

3

X Known value and difference

  X

X

16 3

L04

X



X

15

4

5

6

8

2−8·(1+2)

X

 

X

14

Current Probability

X

X  

X

2256+16+8

X

X X  

X

13

Current Complexity

X X X X

X X X X X X X

11

16

X X X X

X X X X X X X

10

15

X X X X X X

X X X X X X X

9

14

X X X X X X

X X X X X X X

8

12

8

6

5

4

3

4

3

2

2

2

Known difference F Guessed value and difference  Highlight current step

Number of different differences in each Li

RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl

28/30

Grøstl & SHA-3

Hash Functions

Cryptanalysis

Techniques

Grøstl-256

Grøstl-512

Conclusion

Guess-and-Determine Algorithm Li

1

L0i

2

3

4

5

6

7

1

X

2

X X

3

X X X

4

X X X X

5

X X X X X

6

X X X X X X

7

X X X X X X X

9

10

X

11

12

13

X X

X

X X X

X

3

Next step: L012 .L04

X X

Legend

X

4

3

X Known value and difference

X

X

16 4

5

X X 6

8

2−8·(1+2)

X

X X X

15

Current Probability

X

X X X X

14

2256+16+8

X

X X X X X

13

Current Complexity

X X X X

X X X X X X X

11

16

X X X X

X X X X X X X

10

15

X X X X X X

X X X X X X X

9

14

X X X X X X

X X X X X X X

8

12

8

6

5

4

3

4

3

2

2

2

Known difference F Guessed value and difference  Highlight current step

Number of different differences in each Li

RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl

28/30

Grøstl & SHA-3

Hash Functions

Cryptanalysis

Techniques

Grøstl-256

Grøstl-512

Conclusion

Guess-and-Determine Algorithm Li

1

L0i

2

3

4

5

6

7

1

X

2

X X

3

X X X

4

X X X X

5

X X X X X

6

X X X X X X

7

X X X X X X X

9

10

X

11

12

13

X X

X X X

X

X

3

L04

X X

Legend

X

4

3

X Known value and difference

X

X

16 4

5

X X 6

8

2−8·(1+2+3)

X

X X X

15

Current Probability

X

X X X X

14

2256+16+8

X

X X X X   

X

13

Current Complexity

X X X X

X X X X X X X

11

16

X X X X

X X X X X X X

10

15

X X X X X X

X X X X X X X

9

14

X X X X X X

X X X X X X X

8

12

8

6

5

4

3

4

3

2

2

2

Known difference F Guessed value and difference  Highlight current step

Number of different differences in each Li

RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl

28/30

Grøstl & SHA-3

Hash Functions

Cryptanalysis

Techniques

Grøstl-256

Grøstl-512

Conclusion

Guess-and-Determine Algorithm Li

1

L0i

2

3

4

5

6

7

1

X

2

X X

3

X X X

4

X X X X

5

X X X X X

6

X X X X X X

7

X X X X X X X

9

10

X

11

12

13

X X

X

X X X

X

3

Next step: L10 , L12 .L04

X X

Legend

X

4

3

X Known value and difference

X

X

16 4

5

X X 6

8

2−8·(1+2+3)

X

X X X

15

Current Probability

X

X X X X

14

2256+16+8

X

X X X X X X X X

13

Current Complexity

X X X X

X X X X X X X

11

16

X X X X

X X X X X X X

10

15

X X X X X X

X X X X X X X

9

14

X X X X X X

X X X X X X X

8

12

8

6

5

4

3

4

3

2

2

2

Known difference F Guessed value and difference  Highlight current step

Number of different differences in each Li

RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl

28/30

Grøstl & SHA-3

Hash Functions

Cryptanalysis

Techniques

Grøstl-256

Grøstl-512

Conclusion

Guess-and-Determine Algorithm Li

1

L0i

2

3

4

5

6

7

1

X

2

X X

3

X X X

4

X X X X

5

X X X X X

6

X X X X X X

7

X X X X X X X

9

10

X

11

12

13

X X

X

X X X

X

3

L04

X X

4

3

4

5

6

Legend

 

X 



X





X X

X

16

8

2−8·(1+2+3)

X

X X  X

15

Current Probability

X

X X X  X

14

2256+16+8

X

X X X X X X X X

13

Current Complexity

X X X X

X X X X X X X

11

16

X X X X

X X X X X X X

10

15

X X X X X X

X X X X X X X

9

14

X X X X X X

X X X X X X X

8

12

8

6

5

4

3

4

3

2

2

X Known value and difference

2

Known difference F Guessed value and difference  Highlight current step

Number of different differences in each Li

RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl

28/30

Grøstl & SHA-3

Hash Functions

Cryptanalysis

Techniques

Grøstl-256

Grøstl-512

Conclusion

Guess-and-Determine Algorithm Li

1

L0i

2

3

4

5

6

7

1

X

2

X X

3

X X X

4

X X X X

5

X X X X X

6

X X X X X X

7

X X X X X X X

9

10

X

11

12

13

X X

X

X X X

X

3

Next step: L02 .L016

X X

4

3

4

5

6

Legend

X X

X X

X

X

X

X

X X

X

16

8

2−8·(1+2+3)

X

X X X X

15

Current Probability

X

X X X X X

14

2256+16+8

X

X X X X X X X X

13

Current Complexity

X X X X

X X X X X X X

11

16

X X X X

X X X X X X X

10

15

X X X X X X

X X X X X X X

9

14

X X X X X X

X X X X X X X

8

12

8

6

5

4

3

4

3

2

2

X Known value and difference

2

Known difference F Guessed value and difference  Highlight current step

Number of different differences in each Li

RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl

28/30

Grøstl & SHA-3

Hash Functions

Cryptanalysis

Techniques

Grøstl-256

Grøstl-512

Conclusion

Guess-and-Determine Algorithm Li

1

L0i

2

3

4

5

6

7

1

X

2

X X

3

X X X

4

X X X X

5

X X X X X

6

X X X X X X

7

X X X X X X X

9

10

X

11

12

13

X X

X

X X X

X

3

L04

X X X X

X X

X

4

3

4

5

Legend X Known value and difference

X

X  X   X X

X

16

6

8

2−8·(1+2+3+5)

X

X X X X

15

Current Probability

X

X X X X X

14

2256+16+8

X

X X X X X X X X

13

Current Complexity

X X X X

X X X X X X X

11

16

X X X X

X X X X X X X

10

15

X X X X X X

X X X X X X X

9

14

X X X X X X

X X X X X X X

8

12

8

6

5

4

3

4

3

2

2

2

Known difference F Guessed value and difference  Highlight current step

Number of different differences in each Li

RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl

28/30

Grøstl & SHA-3

Hash Functions

Cryptanalysis

Techniques

Grøstl-256

Grøstl-512

Conclusion

Guess-and-Determine Algorithm Li

1

L0i

2

3

4

5

6

7

1

X

2

X X

3

X X X

4

X X X X

5

X X X X X

6

X X X X X X

7

X X X X X X X

9

10

X

11

12

13

X X

X

X X X

X

3

Next step: L013 , L014 , L015 .L016

X X X X

X X

X

X

16 4

3

4

5

Legend X Known value and difference

X

X X X X X X X 6

8

2−8·(1+2+3+5)

X

X X X X

15

Current Probability

X

X X X X X

14

2256+16+8

X

X X X X X X X X

13

Current Complexity

X X X X

X X X X X X X

11

16

X X X X

X X X X X X X

10

15

X X X X X X

X X X X X X X

9

14

X X X X X X

X X X X X X X

8

12

8

6

5

4

3

4

3

2

2

2

Known difference F Guessed value and difference  Highlight current step

Number of different differences in each Li

RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl

28/30

Grøstl & SHA-3

Hash Functions

Cryptanalysis

Techniques

Grøstl-256

Grøstl-512

Conclusion

Guess-and-Determine Algorithm Li

1

L0i

2

3

4

5

6

7

1

X

2

X X

3

X X X

4

X X X X

5

X X X X X

6

X X X X X X

7

X X X X X X X

9

10

X

11

12

13

X X

X

X X X

X

3

L04

X X

4

Legend

3

X Known value and difference

X X  X   X X

16 4

5

X X X X X X X 6

8

2−8·(1+2+3+5+8+8+8)

X

X X X  X   X

15

Current Probability

X

X X X X  X  X

14

2256+16+8

X

X X X X X X X X

13

Current Complexity

X X X X

X X X X X X X

11

16

X X X X

X X X X X X X

10

15

X X X X X X

X X X X X X X

9

14

X X X X X X

X X X X X X X

8

12

8

6

5

4

3

4

3

2

2

2

Known difference F Guessed value and difference  Highlight current step

Number of different differences in each Li

RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl

28/30

Grøstl & SHA-3

Hash Functions

Cryptanalysis

Techniques

Grøstl-256

Grøstl-512

Conclusion

Guess-and-Determine Algorithm Li

1

L0i

2

3

4

5

6

7

1

X

2

X X

3

X X X

4

X X X X

5

X X X X X

6

X X X X X X

7

X X X X X X X

9

10

X

11

12

13

X X

X

X X X

X X X

3

4

Legend

3

X Known value and difference

X X X X X X X X

16 4

5

X X X X X X X 6

8

6

2−8·(1+2+3+5+8+8+8) = 2−280

X

X X X X X X X X

15

Final Probability

The End.L04

X

X X X X X X X X

14

2256+16+8 = 2280

X

X X X X X X X X

13

Final Complexity

X X X X

X X X X X X X

11

16

X X X X

X X X X X X X

10

15

X X X X X X

X X X X X X X

9

14

X X X X X X

X X X X X X X

8

12

8

5

4

3

4

3

2

2

2

Known difference F Guessed value and difference  Highlight current step

Number of different differences in each Li

RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl

28/30

Hash Functions

Grøstl & SHA-3

Cryptanalysis

Techniques

Grøstl-256

Grøstl-512

Conclusion

Summing Up Inbound Phase In total we try: 2256+16+8 = 2280 possibilities, and each gives a solution with probability 2−8×(1+2+3+5+8+8+8) = 2−280 . Outbound Phase Again: P(outbound) = 2−2×56 = 2−112 . Distinguisher Finally, we distinguish the 10-round permutation in 2280+112 = 2392 operations and 264 in memory. This compares to a generic complexity of 2448 operations. RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl

29/30

Hash Functions

Grøstl & SHA-3

Cryptanalysis

Techniques

Grøstl-256

Grøstl-512

Conclusion

Conclusion I

We have provided new rebound results on building blocks of both versions of Grøstl that improve the previous number of analysed rounds.

I

We propose a way to solve 3 fully active states in the middle.

I

The results do not threaten the security of Grøstl, but we believe they will help better understanding AES-based constructions and their bounds regarding rebound techniques.

I

More infos in the paper: http://www.di.ens.fr/~jean/

RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl

30/30

Hash Functions

Grøstl & SHA-3

Cryptanalysis

Techniques

Grøstl-256

Grøstl-512

Conclusion

Conclusion I

We have provided new rebound results on building blocks of both versions of Grøstl that improve the previous number of analysed rounds.

I

We propose a way to solve 3 fully active states in the middle.

I

The results do not threaten the security of Grøstl, but we believe they will help better understanding AES-based constructions and their bounds regarding rebound techniques.

I

More infos in the paper: http://www.di.ens.fr/~jean/

Thank you! RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl

30/30