Improved Rebound Attack on the Finalist Grøstl Jérémy Jean1
María Naya-Plasencia2 1 École
Normale Supérieure, France
2 University 3 Nanyang
Thomas Peyrin3
of Versailles, France
Technological University, Singapore
RAIM’2012 – June 21, 2012 (published in FSE’2012)
Hash Functions
Grøstl & SHA-3
Cryptanalysis
Techniques
Grøstl-256
Grøstl-512
Conclusion
Hash Functions H: hash function (e.g.: MD5, SHA-1, . . . )
H
50697fb42e88f27b0d19b625b18ae016
Security Notions Preimage resistance Collision resistance Second-Preimage resistance Distinguisher from Random Oracle
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl
2/30
Hash Functions
Grøstl & SHA-3
Cryptanalysis
Techniques
Grøstl-256
Grøstl-512
Conclusion
SHA-3 Competition In 2007, the NIST announced a competition to select a new hash function standard. 64 submissions received; 51 entered first round (Dec. 9, 2008): Abacus ARIRANG AURORA BLAKE Blender BMW BOOLE Cheetah CHI CRUNCH CubeHash DCH Dynamic SHA
Dynamic SHA2 ECHO ECOH EDON-R EnRUPT ESSENCE FSB Fugue Grøstl Hamsi JH Keccak Khichidi-1
LANE Lesamnta Luffa LUX MCSSHA-3 MD6 MeshHash NaSHA SANDstorm Sarmal Sgail Shabal SHAMATA
SHAvite-3 SIMD Skein Spectral Hash StreamHash SWIFFTX Tangle TIB3 Twister Vortex WaMM Waterfall
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl
3/30
Hash Functions
Grøstl & SHA-3
Cryptanalysis
Techniques
Grøstl-256
Grøstl-512
Conclusion
SHA-3 Competition In 2007, the NIST announced a competition to select a new hash function standard. 14 entered second round (July 24, 2009): Abacus ARIRANG AURORA BLAKE Blender BMW BOOLE Cheetah CHI CRUNCH CubeHash DCH Dynamic SHA
Dynamic SHA2 ECHO ECOH EDON-R EnRUPT ESSENCE FSB Fugue Grøstl Hamsi JH Keccak Khichidi-1
LANE Lesamnta Luffa LUX MCSSHA-3 MD6 MeshHash NaSHA SANDstorm Sarmal Sgail Shabal SHAMATA
SHAvite-3 SIMD Skein Spectral Hash StreamHash SWIFFTX Tangle TIB3 Twister Vortex WaMM Waterfall
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl
3/30
Hash Functions
Grøstl & SHA-3
Cryptanalysis
Techniques
Grøstl-256
Grøstl-512
Conclusion
SHA-3 Competition In 2007, the NIST announced a competition to select a new hash function standard. 5 entered the final (Dec. 9, 2010): Abacus ARIRANG AURORA BLAKE Blender BMW BOOLE Cheetah CHI CRUNCH CubeHash DCH Dynamic SHA
Dynamic SHA2 ECHO ECOH EDON-R EnRUPT ESSENCE FSB Fugue Grøstl Hamsi JH Keccak Khichidi-1
LANE Lesamnta Luffa LUX MCSSHA-3 MD6 MeshHash NaSHA SANDstorm Sarmal Sgail Shabal SHAMATA
SHAvite-3 SIMD Skein Spectral Hash StreamHash SWIFFTX Tangle TIB3 Twister Vortex WaMM Waterfall
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl
3/30
Hash Functions
Grøstl & SHA-3
Cryptanalysis
Techniques
Grøstl-256
Grøstl-512
Conclusion
SHA-3 Competition In 2007, the NIST announced a competition to select a new hash function standard. In 2012: the winner will be chosen. Abacus ARIRANG AURORA BLAKE Blender BMW BOOLE Cheetah CHI CRUNCH CubeHash DCH Dynamic SHA
Dynamic SHA2 ECHO ECOH EDON-R EnRUPT ESSENCE FSB Fugue Grøstl Hamsi JH Keccak Khichidi-1
LANE Lesamnta Luffa LUX MCSSHA-3 MD6 MeshHash NaSHA SANDstorm Sarmal Sgail Shabal SHAMATA
SHAvite-3 SIMD Skein Spectral Hash StreamHash SWIFFTX Tangle TIB3 Twister Vortex WaMM Waterfall
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl
3/30
Hash Functions
Grøstl & SHA-3
Cryptanalysis
Grøstl-256
Techniques
Grøstl-512
Conclusion
Grøstl hash function H
I
H takes input m of any length
I
Difficult to handle
I
Use fixed-size input f function
I
Split m into chunks m = m1 ||m2 || · · ·
Compression Function f mn hn−1
f
hn
Ω
H(m)
Mode of Operation m=
h0 = IV
m1
m2
f
m3
f h1
m4
f
f h2
h3
h4
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl
4/30
Hash Functions
Grøstl & SHA-3
Cryptanalysis
Techniques
Grøstl-256
Grøstl-512
Conclusion
Grøstl Compression Function (CF): f Grøstl-v0 [Knudsen et al. 08] has been tweaked for the final: I
Grøstl-256: |h| = |m|=512 bits.
I
Grøstl-512: |h| = |m|=1024 bits.
h
P
m
Q
h0
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl
5/30
Hash Functions
Grøstl & SHA-3
Cryptanalysis
Techniques
Grøstl-256
Grøstl-512
Conclusion
Grøstl Internal Permutations Permutations P and Q apply the wide-trail strategy from the AES. I
Grøstl-256: 10 rounds on state a 8 × 8.
I
Grøstl-512: 14 rounds on state a 8 × 16.
AddRoundConstant SubBytes ShiftBytes MixBytes
Tweak: constants in ARC and ShB changed to introduce asymmetry between P and Q RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl
6/30
Hash Functions
Grøstl & SHA-3
Cryptanalysis
Techniques
Grøstl-256
Grøstl-512
Conclusion
Grøstl Finalization Round Ω
Once all blocks of message have been treated: truncation.
hi−1
P
h
h is the hash value the input message
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl
7/30
Hash Functions
Grøstl & SHA-3
Cryptanalysis
Techniques
Grøstl-256
Grøstl-512
Conclusion
Grøstl: Best Analysis After the Tweak
I
I
Grøstl-256: • [Sasaki et al A10]: 8-round permutation distinguisher. •
[Gilbert et al. FSE10]: 8-round CF distinguisher.
•
[Boura et al. FSE11]: 10-round zero-sum.
Grøstl-512 • [Schläffer 2011]: 6-round collision on the CF.
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl
8/30
Hash Functions
Grøstl & SHA-3
Cryptanalysis
Techniques
Grøstl-256
Grøstl-512
Conclusion
Our New Results 1/2 [Jean et al. FSE12]
I
Based on the rebound technique [Mendel et al. FSE09].
I
Based on a way of finding solutions for three consecutive full active rounds: new.
I
They apply both to 256 and 512 versions.
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl
9/30
Hash Functions
Grøstl & SHA-3
Cryptanalysis
Techniques
Grøstl-256
Grøstl-512
Conclusion
Our New Results 2/2 [Jean et al. FSE12]
I
On Grøstl-256, we provide distinguishers for 9 rounds of the permutation (total: 10).
I
On Grøstl-512, we provide distinguishers for 8, 9 and 10 rounds of the permutation (total: 14).
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl
10/30
Hash Functions
Grøstl & SHA-3
Cryptanalysis
Techniques
Grøstl-256
Grøstl-512
Conclusion
Rebound Attack
Mb
Mb
Mb
Mb
Mb
Mb
Mb
Mb
Sh
Sh
Sh
Sh
Sh
Sh
Sh
Sh
SB
SB
SB
SB
SB
SB
SB
SB
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl
11/30
Hash Functions
Grøstl & SHA-3
Cryptanalysis
Techniques
Grøstl-256
Grøstl-512
Conclusion
Rebound Attack
Mb
Mb
Mb
Mb
Mb
Mb
Mb
Mb
Sh
Sh
Sh
Sh
Sh
Sh
Sh
Sh
SB
SB
SB
SB
SB
SB
SB
SB
Outbound
Inbound
Outbound
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl
11/30
Hash Functions
Grøstl & SHA-3
Cryptanalysis
Techniques
Grøstl-256
Grøstl-512
Conclusion
SuperSBox
Mb
Mb
Mb
Mb
Mb
Mb
Mb
Mb
Sh
Sh
Sh
Sh
Sh
Sh
Sh
Sh
SB
SB
SB
SB
SB
SB
SB
SB
SuperSBox = SB ◦ MC ◦ SB
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl
12/30
Hash Functions
Grøstl & SHA-3
Cryptanalysis
Techniques
Grøstl-256
Grøstl-512
Conclusion
Limited Birthday Distinguisher [Gilbert et Peyrin FSE2010] Limited Birthday What is the generic complexity for mapping i fixed-difference bits to j fixed-difference bits with a random n-bit permutation π? WLOG, we assume: i ≤ j.
n−i
n−j
n
π
j
Time complexity if j ≤ 2(n − i), then time complexity is 2j/2 . if j > 2(n − i), then time complexity is 2i+j−n . RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl
13/30
Hash Functions
Grøstl & SHA-3
Cryptanalysis
Techniques
Grøstl-256
Grøstl-512
Conclusion
Grøstl-256 Permutation
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl
14/30
Hash Functions
Grøstl & SHA-3
Cryptanalysis
Techniques
Grøstl-256
Grøstl-512
Conclusion
Differential Characteristic for 9 rounds
Mb
Mb
Mb
Mb
Mb
Mb
Mb
Mb
Mb
Sh
Sh
Sh
Sh
Sh
Sh
Sh
Sh
Sh
SB
SB
SB
SB
SB
SB
SB
SB
SB
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl
15/30
Grøstl-512
Conclusion
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl
16/30
Hash Functions
Grøstl & SHA-3
Cryptanalysis
Techniques
Grøstl-256
Inbound for 3 Full-Active Rounds S0
S1 SB
S3
S2 Sh
Sh
S7
S6 SB
S9
S6 Mb
S8 Sh
S10 SB
Mb
S5
S4 SB
S3
S9 Mb
S11 Sh
S12 Mb
Grøstl-512
Conclusion
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl
16/30
Hash Functions
Grøstl & SHA-3
Cryptanalysis
Techniques
Grøstl-256
Inbound for 3 Full-Active Rounds S0
S1 SB
S3
S2 Sh
Sh
S7
S6 SB
S9
S6 Mb
S8 Sh
S10 SB
Mb
S5
S4 SB
S3
S9 Mb
S11 Sh
S12 Mb
Grøstl-512
Conclusion
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl
16/30
Hash Functions
Grøstl & SHA-3
Cryptanalysis
Techniques
Grøstl-256
Inbound for 3 Full-Active Rounds S0
S1 SB
S3
S2 Sh
Sh
S7
S6 SB
S9
S6 Mb
S8 Sh
S10 SB
Mb
S5
S4 SB
S3
S9 Mb
S11 Sh
S12 Mb
Grøstl-512
Conclusion
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl
16/30
Hash Functions
Grøstl & SHA-3
Cryptanalysis
Techniques
Grøstl-256
Inbound for 3 Full-Active Rounds S0
S1 SB
S3
S2 Sh
Sh
S7
S6 SB
S9
S6 Mb
S8 Sh
S10 SB
Mb
S5
S4 SB
S3
S9 Mb
S11 Sh
S12 Mb
Hash Functions
Grøstl & SHA-3
Cryptanalysis
Techniques
Grøstl-256
Grøstl-512
Conclusion
Inbound for 3 Full-Active Rounds: Analysis
Counting 8 forward SuperSBox sets of 264 values and differences 8 backward SuperSBox sets of
264
values and differences
Overlapping on 512 bits of values + 512 bits of differences
Number of Solutions Expected 28×64 28×64 2−512−512 = 2512+512−512−512 = 1
Limited Birthday 2384 operations
Our Algorithm 2256 operations, memory 264
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl
17/30
Hash Functions
Grøstl & SHA-3
Cryptanalysis
Techniques
Grøstl-256
Grøstl-512
Conclusion
Solving the 3 Active Rounds: Context
The 8 forward Li overlaps the 8 backwards L0i like this: L1 L2 L3 L4 L5 L6 L7 L8
L01 L02 L03 L04 L05 L06 L07 L08
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl
18/30
Hash Functions
Grøstl & SHA-3
Cryptanalysis
Techniques
Grøstl-256
Grøstl-512
Conclusion
Solving the 3 Active Rounds: Step 1
We start by choosing one element in each of the four first L0i . L8
L01 L02 L03 L04
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl
19/30
Hash Functions
Grøstl & SHA-3
Cryptanalysis
Techniques
Grøstl-256
Grøstl-512
Conclusion
Solving the 3 Active Rounds: Step 2
This determines a single element in each Li . L1 L2 L3 L4 L5 L6 L7 L8
L01
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl
20/30
Hash Functions
Grøstl & SHA-3
Cryptanalysis
Techniques
Grøstl-256
Grøstl-512
Conclusion
Solving the 3 Active Rounds: Step 3
Each determined element in the remaining L0i exists with p = 2−8×8 . L8
L05 L06 L07 L08
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl
21/30
Hash Functions
Grøstl & SHA-3
Cryptanalysis
Techniques
Grøstl-256
Grøstl-512
Conclusion
Summing Up
Inbound Phase In total we try 2256 combinations of (L01 , L02 , L03 , L04 ) and each gives a solution with probability: 2−4×8×8 = 2−256 .
Outbound Phase Probability 2−2×56 to pass two 8 → 1 transitions in the MixBytes.
Distinguisher We distinguish the 9-round permutation in 2256+112 = 2367 operations and 264 in memory. Note: This compares to a generic complexity of 2384 operations. RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl
22/30
Hash Functions
Grøstl & SHA-3
Cryptanalysis
Techniques
Grøstl-256
Grøstl-512
Conclusion
Grøstl-512 Permutation
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl
23/30
Hash Functions
Grøstl & SHA-3
Cryptanalysis
Techniques
Grøstl-256
Grøstl-512
Conclusion
Differential Characteristic for 10 rounds
Mb
Mb
Mb
Mb
Mb
Mb
Mb
Mb
Mb
Mb
Sh
Sh
Sh
Sh
Sh
Sh
Sh
Sh
Sh
Sh
SB
SB
SB
SB
SB
SB
SB
SB
SB
SB
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl
24/30
Grøstl & SHA-3
Hash Functions
Cryptanalysis
Techniques
Grøstl-256
Grøstl-512
Conclusion
Inbound Phase S0
S1
SB
S3
S2
Sh
Sh
S7
S6
SB
S9
S6
Mb
S8
Sh
S10
SB
Mb
S5
S4
SB
S3
S9
Mb
S11
Sh
S12
Mb
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl
25/30
Grøstl & SHA-3
Hash Functions
Cryptanalysis
Techniques
Grøstl-256
Grøstl-512
Conclusion
Inbound Phase S0
S1
SB
S3
S2
Sh
Sh
S7
S6
SB
S9
S6
Mb
S8
Sh
S10
SB
Mb
S5
S4
SB
S3
S9
Mb
S11
Sh
S12
Mb
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl
25/30
Grøstl & SHA-3
Hash Functions
Cryptanalysis
Techniques
Grøstl-256
Grøstl-512
Conclusion
Inbound Phase S0
S1
SB
S3
S2
Sh
Sh
S7
S6
SB
S9
S6
Mb
S8
Sh
S10
SB
Mb
S5
S4
SB
S3
S9
Mb
S11
Sh
S12
Mb
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl
25/30
Grøstl & SHA-3
Hash Functions
Cryptanalysis
Techniques
Grøstl-256
Grøstl-512
Conclusion
Inbound Phase S0
S1
SB
S3
S2
Sh
Sh
S7
S6
SB
S9
S6
Mb
S8
Sh
S10
SB
Mb
S5
S4
SB
S3
S9
Mb
S11
Sh
S12
Mb
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl
25/30
Hash Functions
Grøstl & SHA-3
Cryptanalysis
Techniques
Grøstl-256
Grøstl-512
Conclusion
Observations
Counting 16 forward SuperSBox sets of 264 values and differences 16 backward SuperSBox sets of
264
values and differences
Overlapping on 1024 bits of values + 1024 bits of differences
Number of Solutions Expected 216×64 216×64 2−1024−1024 = 21024+1024−1024−1024 = 1
Limited Birthday 2896 operations
Our Algorithm 2280 operations, memory 264
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl
26/30
Hash Functions
Grøstl & SHA-3
Cryptanalysis
Techniques
Grøstl-256
Grøstl-512
Conclusion
Algorithm: Guess-and-Determine Approach Constraints The differences around the MixBytes layer are restricted since the right state is not fully active.
Mb
Notations Forward SuperSBoxes: L1 , . . . , L16 . Backward SuperSBoxes: L01 , . . . , L016 . RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl
27/30
Hash Functions
Grøstl & SHA-3
Cryptanalysis
Grøstl-256
Techniques
Grøstl-512
Conclusion
Algorithm: Guess-and-Determine Approach Li
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
3
4
3
4
5
6
8
6
5
4
3
4
3
2
2
2
1 2 3 4 5 6 7 L0i
8 9 10 11 12 13 14 15 16
Number of different differences in each Li
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl
27/30
Grøstl & SHA-3
Hash Functions
Cryptanalysis
Techniques
Grøstl-256
Grøstl-512
Conclusion
Guess-and-Determine Algorithm Li
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
Current Complexity 1
L0i
2
F
3
F F
4
F F F
5
F F F F
6
F F F F
7
F F F F
8
F F F F
2256
9
F F F
10
F F
11
F
Current Probability 1 L04
12
Legend
F
13
X Known value and difference
F
14
F
15
Known difference
F
16 3
4
3
4
5
6
8
6
5
4
3
4
3
2
2
2
F Guessed value and difference Highlight current step
Number of different differences in each Li
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl
28/30
Grøstl & SHA-3
Hash Functions
Cryptanalysis
Techniques
Grøstl-256
Grøstl-512
Conclusion
Guess-and-Determine Algorithm Li
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
Current Complexity 1
L0i
2
X
3
X X
4
X X X
5
X X X X
6
X X X X
7
X X X X
8
X X X X
2256
9
X X X
10
X X
11
X
Current Probability 1 Next step: L05 , L06 , L07 , L08 .L04
12
Legend
X
13
X Known value and difference
X
14
X
15
Known difference
X
16 3
4
3
4
5
6
8
6
5
4
3
4
3
2
2
2
F Guessed value and difference Highlight current step
Number of different differences in each Li
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl
28/30
Grøstl & SHA-3
Hash Functions
Cryptanalysis
Techniques
Grøstl-256
Grøstl-512
Conclusion
Guess-and-Determine Algorithm Li
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
Current Complexity 1
L0i
2
X
3
X X
2256
4
X X X
5
X X X X
6
X X X X
7
X X X X
9
X X X
10
X X
11
X
1
X X X X
8
L04
12
Legend
X
13
X Known value and difference
X
14
X
15
Known difference
X
16 3
4
Current Probability
3
4
5
6
8
6
5
4
3
4
3
2
2
2
F Guessed value and difference Highlight current step
Number of different differences in each Li
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl
28/30
Grøstl & SHA-3
Hash Functions
Cryptanalysis
Techniques
Grøstl-256
Grøstl-512
Conclusion
Guess-and-Determine Algorithm Li
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
Current Complexity 1
L0i
2
X
3
X X
2256
4
X X X
5
X X X X X
6
X X X X X X
7
X X X X X X X
X
X X X
9
X X X
10
X X
11
X
1
X
X X X X X X X
8
X
Next step: L1 , L16 .L04
12
Legend
X
13
X Known value and difference
X
14
X
15
Known difference
X
16 3
4
Current Probability
X
3
4
5
6
8
6
5
4
3
4
3
2
2
2
F Guessed value and difference Highlight current step
Number of different differences in each Li
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl
28/30
Grøstl & SHA-3
Hash Functions
Cryptanalysis
Techniques
Grøstl-256
Grøstl-512
Conclusion
Guess-and-Determine Algorithm Li
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
Current Complexity 1
L0i
2
X
3
X X
2256
4
X X X
5
X X X X X
6
X X X X X X
7
X X X X X X X
X
X X X
9
X X X
10
X X
11
X
1
X
X X X X X X X
8
X
Next step: L04 .
12
Legend
X
13
X Known value and difference
X
14
X
15
Known difference
X
16 3
4
Current Probability
X
3
4
5
6
8
6
5
4
3
4
3
2
2
2
F Guessed value and difference Highlight current step
Number of different differences in each Li
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl
28/30
Grøstl & SHA-3
Hash Functions
Cryptanalysis
Techniques
Grøstl-256
Grøstl-512
Conclusion
Guess-and-Determine Algorithm Li
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
Current Complexity 1
L0i
2
X
3
X X
2256
4
X X X
5
X X X X X
6
X X X X X X
7
X X X X X X X
X
X X X
9
X X X
10
X X
11
X
1
X
X X X X X X X
8
X
L04
12
Legend
X
13
X Known value and difference
X
14
X
15
Known difference
X
16 3
4
Current Probability
X
3
4
5
6
8
6
5
4
3
4
3
2
2
2
F Guessed value and difference Highlight current step
Number of different differences in each Li
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl
28/30
Grøstl & SHA-3
Hash Functions
Cryptanalysis
Techniques
Grøstl-256
Grøstl-512
Conclusion
Guess-and-Determine Algorithm Li
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
Current Complexity 1
L0i
2
X
3
X X
4
X X X X
5
X X X X X
6
X X X X X X
7
X X X X X X X
2256 X
X X X X
X X X
9
X X X
10
X X
11
X
1
X
X X X X X X X
8
X
Next step: L15 .L04
12
Legend
X
13
X Known value and difference
X
14
X
15
Known difference
X
16 3
4
Current Probability
X
3
4
5
6
8
6
5
4
3
4
3
2
2
2
F Guessed value and difference Highlight current step
Number of different differences in each Li
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl
28/30
Grøstl & SHA-3
Hash Functions
Cryptanalysis
Techniques
Grøstl-256
Grøstl-512
Conclusion
Guess-and-Determine Algorithm Li
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
Current Complexity 1
L0i
2
X
3
X X
4
X X X X
5
X X X X X
6
X X X X X X
7
X X X X X X X
2256 X
X X X X
X X X
9
X X X
10
X X
11
X
1
X
X X X X X X X
8
X
Next step: L6 .L04
12
Legend
X
13
X Known value and difference
X
14
X
15
Known difference
X
16 3
4
Current Probability
X
3
4
5
6
8
6
5
4
3
4
3
2
2
2
F Guessed value and difference Highlight current step
Number of different differences in each Li
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl
28/30
Grøstl & SHA-3
Hash Functions
Cryptanalysis
Techniques
Grøstl-256
Grøstl-512
Conclusion
Guess-and-Determine Algorithm Li
1
2
3
4
5
7
8
9
10
11
12
13
14
15
16
Current Complexity
F
1
L0i
6
2
X
3
X X
4
X X X X
5
X X X X X
6
X X X X X X
7
X X X X X X X
2256+16 X
X X X X
X X X
9
X X X F
10
X X F
11
X F
1
X
X X X X X X X
8
X
L04
F
12
Legend
X
13
X Known value and difference
X
14
X
15
Known difference
X
16 3
4
3
4
Current Probability
X
5
6
8
6
5
4
3
4
3
2
2
2
F Guessed value and difference Highlight current step
Number of different differences in each Li
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl
28/30
Grøstl & SHA-3
Hash Functions
Cryptanalysis
Techniques
Grøstl-256
Grøstl-512
Conclusion
Guess-and-Determine Algorithm Li
1
2
3
4
5
7
8
9
10
11
12
13
14
15
16
Current Complexity
X
1
L0i
6
2
X
3
X X
4
X X X X
5
X X X X X
6
X X X X X X
7
X X X X X X X
2256+16 X
X X X X
X X X
9
X X X X
10
X X X
11
X X
1
X
X X X X X X X
8
X
Next step: L09 .
X
12
Legend
X
13
X Known value and difference
X
14
X
15
Known difference
X
16 3
4
3
4
Current Probability
X
5
6
8
6
5
4
3
4
3
2
2
2
F Guessed value and difference Highlight current step
Number of different differences in each Li
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl
28/30
Grøstl & SHA-3
Hash Functions
Cryptanalysis
Techniques
Grøstl-256
Grøstl-512
Conclusion
Guess-and-Determine Algorithm Li
1
2
3
4
5
7
8
9
10
11
12
13
14
15
16
Current Complexity
X
1
L0i
6
2
X
3
X X
4
X X X X
5
X X X X X
6
X X X X X X
7
X X X X X X X
2256+16 X
X X X X
X X X
1
X
X X X X X X X
8
X
X X X X
9 10
X X X
11
X X
L04
X
12
Legend
X
13
X Known value and difference
X
14
X
15
Known difference
X
16 3
4
3
4
Current Probability
X
5
6
8
6
5
4
3
4
3
2
2
2
F Guessed value and difference Highlight current step
Number of different differences in each Li
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl
28/30
Grøstl & SHA-3
Hash Functions
Cryptanalysis
Techniques
Grøstl-256
Grøstl-512
Conclusion
Guess-and-Determine Algorithm Li
1
2
3
4
5
7
8
9
10
11
12
13
14
15
16
Current Complexity
X
1
L0i
6
2
X
3
X X
4
X X X X
5
X X X X X
6
X X X X X X
7
X X X X X X X
2256+16 X
X X X X
X X X
1
X
X X X X X X X
8
X
X X X X X X X
9 10
X X X
11
X X
X
Next step: L14 .L04
X
12
Legend
X
13
X Known value and difference
X
14
X
15
Known difference
X
16 3
4
3
4
Current Probability
X
5
6
8
6
5
4
3
4
3
2
2
2
F Guessed value and difference Highlight current step
Number of different differences in each Li
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl
28/30
Grøstl & SHA-3
Hash Functions
Cryptanalysis
Techniques
Grøstl-256
Grøstl-512
Conclusion
Guess-and-Determine Algorithm Li
1
2
3
4
5
7
8
9
10
11
12
13
14
15
16
Current Complexity
X
1
L0i
6
2
X
3
X X
4
X X X X
5
X X X X X
6
X X X X X X
7
X X X X X X X
2256+16 X
X X X X
X X X
1
X
X X X X X X X
8
X
X X X X X X X
9 10
X X X
11
X X
X
Next step: L03 .L04
X
12
Legend
X
13
X Known value and difference
X
14
X
15
Known difference
X
16 3
4
3
4
Current Probability
X
5
6
8
6
5
4
3
4
3
2
2
2
F Guessed value and difference Highlight current step
Number of different differences in each Li
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl
28/30
Grøstl & SHA-3
Hash Functions
Cryptanalysis
Techniques
Grøstl-256
Grøstl-512
Conclusion
Guess-and-Determine Algorithm Li
1
2
3
4
5
7
8
9
10
11
12
13
14
15
16
Current Complexity
X
1
L0i
6
2
X
3
X X
4
X X X X
5
X X X X X
6
X X X X X X
7
X X X X X X X
X
X X X X
X X X
1
X X
X X X X X X X
9 10
X X X
11
X X
X
L04
X
12
Legend
X
13
X Known value and difference
X
14
X
15
Known difference
X
16 3
4
3
4
Current Probability
X
X X X X X X X
8
2256+16
5
6
8
6
5
4
3
4
3
2
2
2
F Guessed value and difference Highlight current step
Number of different differences in each Li
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl
28/30
Grøstl & SHA-3
Hash Functions
Cryptanalysis
Techniques
Grøstl-256
Grøstl-512
Conclusion
Guess-and-Determine Algorithm Li
1
2
3
4
5
7
8
9
10
11
12
13
14
15
16
Current Complexity
X
1
L0i
6
2
X
3
X X X
4
X X X X
5
X X X X X
6
X X X X X X
7
X X X X X X X
X X
X X X X
X X X
1
X X
X X X X X X X
9 10
X X X
11
X X
X
Next step: L1 .L04
X
12
Legend
X
13
X Known value and difference
X
14
X
15
Known difference
X
16 3
4
3
4
Current Probability
X
X X X X X X X
8
2256+16
X X X X
5
6
8
6
5
4
3
4
3
2
2
2
F Guessed value and difference Highlight current step
Number of different differences in each Li
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl
28/30
Grøstl & SHA-3
Hash Functions
Cryptanalysis
Techniques
Grøstl-256
Grøstl-512
Conclusion
Guess-and-Determine Algorithm Li
1 1
L0i
2
3
4
5
6
7
9
10
11
12
14
15
16
Current Complexity
X
3
X X X
4
X X X X
5
X X X X X
6
X X X X X X
7
X X X X X X X
X X
X X X X
X X X
X X X
11
X X
1
X X X
L04
X
Legend
X
13
X Known value and difference
X
14
X
15
Known difference
X
16 3
4
3
4
Current Probability
X
X X X X X X X
9 10
2256+16
X X X X
X X X X X X X
8
13
X
2
12
8
5
6
8
6
5
4
3
4
3
2
2
2
F Guessed value and difference Highlight current step
Number of different differences in each Li
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl
28/30
Grøstl & SHA-3
Hash Functions
Cryptanalysis
Techniques
Grøstl-256
Grøstl-512
Conclusion
Guess-and-Determine Algorithm Li
1
L0i
2
3
4
5
6
7
9
10
11
12
X
2
X X
3
X X X
4
X X X X
5
X X X X X
6
X X X X X X
7
X X X X X X X
14
15
16
X X X
X X X X
X X X
X X X
11
X X X
1
X X X
Next step: L01 .L04
X
Legend
X
13
X Known value and difference
X
14
X
15
Known difference
X
16 3
4
3
4
Current Probability
X
X X X X X X X
9 10
2256+16
X X X X
X X X X X X X
8
13
Current Complexity
1
12
8
5
6
8
6
5
4
3
4
3
2
2
2
F Guessed value and difference Highlight current step
Number of different differences in each Li
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl
28/30
Grøstl & SHA-3
Hash Functions
Cryptanalysis
Techniques
Grøstl-256
Grøstl-512
Conclusion
Guess-and-Determine Algorithm Li
1
L0i
2
3
4
5
6
7
9
10
11
12
X
2
X X
3
X X X
4
X X X X
5
X X X X X
6
X X X X X X
7
X X X X X X X
X X X
10
X X X
11
X X X
15
16
Current Complexity
X X X
1
X X X
L04
X
Legend X Known value and difference
X
14
X
15
Known difference
X
16 3
4
3
4
Current Probability
X
X
13
2256+16+8
X X X X
X X X X X X X
9
14
X X X X
X X X X X X X
8
13
F F F
1
12
8
5
6
8
6
5
4
3
4
3
2
2
2
F Guessed value and difference Highlight current step
Number of different differences in each Li
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl
28/30
Grøstl & SHA-3
Hash Functions
Cryptanalysis
Techniques
Grøstl-256
Grøstl-512
Conclusion
Guess-and-Determine Algorithm Li
1
L0i
2
3
4
5
6
7
1
X
2
X X
3
X X X
4
X X X X
5
X X X X X
6
X X X X X X
7
X X X X X X X
9
10
X
11
12
13
X X
X X X
11
X X X
16
X X X
1 X X
Next step: L13 .L04 Legend X Known value and difference
X X
15
Known difference
X
16 3
4
3
4
Current Probability
X
X
14
2256+16+8
X
X
13
Current Complexity
X X X X
10
15
X X X X
X X X X X X X
9
14
X X X X X X
X X X X X X X
8
12
8
5
6
8
6
5
4
3
4
3
2
2
2
F Guessed value and difference Highlight current step
Number of different differences in each Li
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl
28/30
Grøstl & SHA-3
Hash Functions
Cryptanalysis
Techniques
Grøstl-256
Grøstl-512
Conclusion
Guess-and-Determine Algorithm Li
1
L0i
2
3
4
5
6
7
1
X
2
X X
3
X X X
4
X X X X
5
X X X X X
6
X X X X X X
7
X X X X X X X
9
10
X
11
12
13
X X
X X X
11
X X X
16
X X X
1 X X
Next step: L02 .L04 Legend X Known value and difference
X X
15
Known difference
X
16 3
4
3
4
Current Probability
X
X
14
2256+16+8
X
X
13
Current Complexity
X X X X
10
15
X X X X
X X X X X X X
9
14
X X X X X X
X X X X X X X
8
12
8
5
6
8
6
5
4
3
4
3
2
2
2
F Guessed value and difference Highlight current step
Number of different differences in each Li
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl
28/30
Grøstl & SHA-3
Hash Functions
Cryptanalysis
Techniques
Grøstl-256
Grøstl-512
Conclusion
Guess-and-Determine Algorithm Li
1
L0i
2
3
4
5
6
7
1
X
2
X X
3
X X X
4
X X X X
5
X X X X X
6
X X X X X X
7
X X X X X X X
9
10
X
11
12
13
11
X X X
X X X
1 X X
L04 Legend X Known value and difference
X X
15
Known difference
X
16 3
4
3
4
Current Probability
X
X
14
2256+16+8
X
X
13
Current Complexity
X X X X
X X X
16
X X X X X
10
15
X
X X X X X X X
9
14
X X X X X X
X X X X X X X
8
12
8
5
6
8
6
5
4
3
4
3
2
2
2
F Guessed value and difference Highlight current step
Number of different differences in each Li
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl
28/30
Grøstl & SHA-3
Hash Functions
Cryptanalysis
Techniques
Grøstl-256
Grøstl-512
Conclusion
Guess-and-Determine Algorithm Li
1
L0i
2
3
4
5
6
7
1
X
2
X X
3
X X X
4
X X X X
5
X X X X X
6
X X X X X X
7
X X X X X X X
9
10
X
11
12
13
X
11
X X X
X X X
1 X X
Next step: L7 , L16 .L04 Legend X Known value and difference
X X
15
Known difference
X
16 3
4
3
4
Current Probability
X
X
14
2256+16+8
X
X
13
Current Complexity
X X X X
X X X
16
X X X X X
10
15
X X X X X X
X X X X X X X
9
14
X X X X X X
X X X X X X X
8
12
8
5
6
8
6
5
4
3
4
3
2
2
2
F Guessed value and difference Highlight current step
Number of different differences in each Li
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl
28/30
Grøstl & SHA-3
Hash Functions
Cryptanalysis
Techniques
Grøstl-256
Grøstl-512
Conclusion
Guess-and-Determine Algorithm Li
1
L0i
2
3
4
5
6
7
1
X
2
X X
3
X X X
4
X X X X
5
X X X X X
6
X X X X X X
7
X X X X X X X
9
10
X
11
12
13
X
16
X X X
11
X X
1
X X X
L04
Legend
X
X Known value and difference
X
14
X
15
X
16 3
4
3
4
Current Probability
X
X
X
2256+16+8
X X X X
X X X
Current Complexity
X X X X X
10
13
15
X X X X X X
X X X X X X X
9
14
X X X X X X
X X X X X X X
8
12
8
5
6
8
6
5
4
3
4
3
2
2
2
Known difference F Guessed value and difference Highlight current step
Number of different differences in each Li
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl
28/30
Grøstl & SHA-3
Hash Functions
Cryptanalysis
Techniques
Grøstl-256
Grøstl-512
Conclusion
Guess-and-Determine Algorithm Li
1
L0i
2
3
4
5
6
7
1
X
2
X X
3
X X X
4
X X X X
5
X X X X X
6
X X X X X X
7
X X X X X X X
9
10
X
11
12
13
X
X X X
11
X X X
1 X X
Next step: L010 , L011 .L04 X
Legend
X
X Known value and difference
X
15
X
16 3
4
3
4
Current Probability
X
X
14
2256+16+8
X
X X X
Current Complexity
X X X X
X X X X X
16
X X X X X
10
13
15
X X X X X X
X X X X X X X
9
14
X X X X X X
X X X X X X X
8
12
8
5
X 6
8
6
5
4
3
4
3
2
2
2
Known difference F Guessed value and difference Highlight current step
Number of different differences in each Li
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl
28/30
Grøstl & SHA-3
Hash Functions
Cryptanalysis
Techniques
Grøstl-256
Grøstl-512
Conclusion
Guess-and-Determine Algorithm Li
1
L0i
2
3
4
5
6
7
1
X
2
X X
3
X X X
4
X X X X
5
X X X X X
6
X X X X X X
7
X X X X X X X
9
10
X
11
12
13
X X
X
X X X
X
L04
X
Legend X Known value and difference
X X
16 3
4
3
4
2−8·(1)
X
X
15
Current Probability
X
X
14
2256+16+8
X
X X X
13
Current Complexity
X X X X
X X X
11
16
X X X X
X X X X
10
15
X X X X X X
X X X X X X X
9
14
X X X X X X
X X X X X X X
8
12
8
5
X 6
8
6
5
4
3
4
3
2
2
2
Known difference F Guessed value and difference Highlight current step
Number of different differences in each Li
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl
28/30
Grøstl & SHA-3
Hash Functions
Cryptanalysis
Techniques
Grøstl-256
Grøstl-512
Conclusion
Guess-and-Determine Algorithm Li
1
L0i
2
3
4
5
6
7
1
X
2
X X
3
X X X
4
X X X X
5
X X X X X
6
X X X X X X
7
X X X X X X X
9
10
X
11
12
13
X X
X
X X X
X
Next step: L8 , L9 , L11 , L15 .L04
X X
Legend X Known value and difference
X X
16 3
4
3
4
2−8·(1)
X
X
15
Current Probability
X
X
14
2256+16+8
X
X X X
13
Current Complexity
X X X X
X X X X X X X
11
16
X X X X
X X X X X X X
10
15
X X X X X X
X X X X X X X
9
14
X X X X X X
X X X X X X X
8
12
8
5
X 6
8
6
5
4
3
4
3
2
2
2
Known difference F Guessed value and difference Highlight current step
Number of different differences in each Li
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl
28/30
Grøstl & SHA-3
Hash Functions
Cryptanalysis
Techniques
Grøstl-256
Grøstl-512
Conclusion
Guess-and-Determine Algorithm Li
1
L0i
2
3
4
5
6
7
1
X
2
X X
3
X X X
4
X X X X
5
X X X X X
6
X X X X X X
7
X X X X X X X
9
10
X
11
12
13
X X
X X X
X X
Legend
4
3
X Known value and difference
X
X
16 3
L04
X
X
15
4
5
6
8
2−8·(1+2)
X
X
14
Current Probability
X
X
X
2256+16+8
X
X X
X
13
Current Complexity
X X X X
X X X X X X X
11
16
X X X X
X X X X X X X
10
15
X X X X X X
X X X X X X X
9
14
X X X X X X
X X X X X X X
8
12
8
6
5
4
3
4
3
2
2
2
Known difference F Guessed value and difference Highlight current step
Number of different differences in each Li
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl
28/30
Grøstl & SHA-3
Hash Functions
Cryptanalysis
Techniques
Grøstl-256
Grøstl-512
Conclusion
Guess-and-Determine Algorithm Li
1
L0i
2
3
4
5
6
7
1
X
2
X X
3
X X X
4
X X X X
5
X X X X X
6
X X X X X X
7
X X X X X X X
9
10
X
11
12
13
X X
X
X X X
X
3
Next step: L012 .L04
X X
Legend
X
4
3
X Known value and difference
X
X
16 4
5
X X 6
8
2−8·(1+2)
X
X X X
15
Current Probability
X
X X X X
14
2256+16+8
X
X X X X X
13
Current Complexity
X X X X
X X X X X X X
11
16
X X X X
X X X X X X X
10
15
X X X X X X
X X X X X X X
9
14
X X X X X X
X X X X X X X
8
12
8
6
5
4
3
4
3
2
2
2
Known difference F Guessed value and difference Highlight current step
Number of different differences in each Li
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl
28/30
Grøstl & SHA-3
Hash Functions
Cryptanalysis
Techniques
Grøstl-256
Grøstl-512
Conclusion
Guess-and-Determine Algorithm Li
1
L0i
2
3
4
5
6
7
1
X
2
X X
3
X X X
4
X X X X
5
X X X X X
6
X X X X X X
7
X X X X X X X
9
10
X
11
12
13
X X
X X X
X
X
3
L04
X X
Legend
X
4
3
X Known value and difference
X
X
16 4
5
X X 6
8
2−8·(1+2+3)
X
X X X
15
Current Probability
X
X X X X
14
2256+16+8
X
X X X X
X
13
Current Complexity
X X X X
X X X X X X X
11
16
X X X X
X X X X X X X
10
15
X X X X X X
X X X X X X X
9
14
X X X X X X
X X X X X X X
8
12
8
6
5
4
3
4
3
2
2
2
Known difference F Guessed value and difference Highlight current step
Number of different differences in each Li
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl
28/30
Grøstl & SHA-3
Hash Functions
Cryptanalysis
Techniques
Grøstl-256
Grøstl-512
Conclusion
Guess-and-Determine Algorithm Li
1
L0i
2
3
4
5
6
7
1
X
2
X X
3
X X X
4
X X X X
5
X X X X X
6
X X X X X X
7
X X X X X X X
9
10
X
11
12
13
X X
X
X X X
X
3
Next step: L10 , L12 .L04
X X
Legend
X
4
3
X Known value and difference
X
X
16 4
5
X X 6
8
2−8·(1+2+3)
X
X X X
15
Current Probability
X
X X X X
14
2256+16+8
X
X X X X X X X X
13
Current Complexity
X X X X
X X X X X X X
11
16
X X X X
X X X X X X X
10
15
X X X X X X
X X X X X X X
9
14
X X X X X X
X X X X X X X
8
12
8
6
5
4
3
4
3
2
2
2
Known difference F Guessed value and difference Highlight current step
Number of different differences in each Li
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl
28/30
Grøstl & SHA-3
Hash Functions
Cryptanalysis
Techniques
Grøstl-256
Grøstl-512
Conclusion
Guess-and-Determine Algorithm Li
1
L0i
2
3
4
5
6
7
1
X
2
X X
3
X X X
4
X X X X
5
X X X X X
6
X X X X X X
7
X X X X X X X
9
10
X
11
12
13
X X
X
X X X
X
3
L04
X X
4
3
4
5
6
Legend
X
X
X X
X
16
8
2−8·(1+2+3)
X
X X X
15
Current Probability
X
X X X X
14
2256+16+8
X
X X X X X X X X
13
Current Complexity
X X X X
X X X X X X X
11
16
X X X X
X X X X X X X
10
15
X X X X X X
X X X X X X X
9
14
X X X X X X
X X X X X X X
8
12
8
6
5
4
3
4
3
2
2
X Known value and difference
2
Known difference F Guessed value and difference Highlight current step
Number of different differences in each Li
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl
28/30
Grøstl & SHA-3
Hash Functions
Cryptanalysis
Techniques
Grøstl-256
Grøstl-512
Conclusion
Guess-and-Determine Algorithm Li
1
L0i
2
3
4
5
6
7
1
X
2
X X
3
X X X
4
X X X X
5
X X X X X
6
X X X X X X
7
X X X X X X X
9
10
X
11
12
13
X X
X
X X X
X
3
Next step: L02 .L016
X X
4
3
4
5
6
Legend
X X
X X
X
X
X
X
X X
X
16
8
2−8·(1+2+3)
X
X X X X
15
Current Probability
X
X X X X X
14
2256+16+8
X
X X X X X X X X
13
Current Complexity
X X X X
X X X X X X X
11
16
X X X X
X X X X X X X
10
15
X X X X X X
X X X X X X X
9
14
X X X X X X
X X X X X X X
8
12
8
6
5
4
3
4
3
2
2
X Known value and difference
2
Known difference F Guessed value and difference Highlight current step
Number of different differences in each Li
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl
28/30
Grøstl & SHA-3
Hash Functions
Cryptanalysis
Techniques
Grøstl-256
Grøstl-512
Conclusion
Guess-and-Determine Algorithm Li
1
L0i
2
3
4
5
6
7
1
X
2
X X
3
X X X
4
X X X X
5
X X X X X
6
X X X X X X
7
X X X X X X X
9
10
X
11
12
13
X X
X
X X X
X
3
L04
X X X X
X X
X
4
3
4
5
Legend X Known value and difference
X
X X X X
X
16
6
8
2−8·(1+2+3+5)
X
X X X X
15
Current Probability
X
X X X X X
14
2256+16+8
X
X X X X X X X X
13
Current Complexity
X X X X
X X X X X X X
11
16
X X X X
X X X X X X X
10
15
X X X X X X
X X X X X X X
9
14
X X X X X X
X X X X X X X
8
12
8
6
5
4
3
4
3
2
2
2
Known difference F Guessed value and difference Highlight current step
Number of different differences in each Li
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl
28/30
Grøstl & SHA-3
Hash Functions
Cryptanalysis
Techniques
Grøstl-256
Grøstl-512
Conclusion
Guess-and-Determine Algorithm Li
1
L0i
2
3
4
5
6
7
1
X
2
X X
3
X X X
4
X X X X
5
X X X X X
6
X X X X X X
7
X X X X X X X
9
10
X
11
12
13
X X
X
X X X
X
3
Next step: L013 , L014 , L015 .L016
X X X X
X X
X
X
16 4
3
4
5
Legend X Known value and difference
X
X X X X X X X 6
8
2−8·(1+2+3+5)
X
X X X X
15
Current Probability
X
X X X X X
14
2256+16+8
X
X X X X X X X X
13
Current Complexity
X X X X
X X X X X X X
11
16
X X X X
X X X X X X X
10
15
X X X X X X
X X X X X X X
9
14
X X X X X X
X X X X X X X
8
12
8
6
5
4
3
4
3
2
2
2
Known difference F Guessed value and difference Highlight current step
Number of different differences in each Li
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl
28/30
Grøstl & SHA-3
Hash Functions
Cryptanalysis
Techniques
Grøstl-256
Grøstl-512
Conclusion
Guess-and-Determine Algorithm Li
1
L0i
2
3
4
5
6
7
1
X
2
X X
3
X X X
4
X X X X
5
X X X X X
6
X X X X X X
7
X X X X X X X
9
10
X
11
12
13
X X
X
X X X
X
3
L04
X X
4
Legend
3
X Known value and difference
X X X X X
16 4
5
X X X X X X X 6
8
2−8·(1+2+3+5+8+8+8)
X
X X X X X
15
Current Probability
X
X X X X X X
14
2256+16+8
X
X X X X X X X X
13
Current Complexity
X X X X
X X X X X X X
11
16
X X X X
X X X X X X X
10
15
X X X X X X
X X X X X X X
9
14
X X X X X X
X X X X X X X
8
12
8
6
5
4
3
4
3
2
2
2
Known difference F Guessed value and difference Highlight current step
Number of different differences in each Li
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl
28/30
Grøstl & SHA-3
Hash Functions
Cryptanalysis
Techniques
Grøstl-256
Grøstl-512
Conclusion
Guess-and-Determine Algorithm Li
1
L0i
2
3
4
5
6
7
1
X
2
X X
3
X X X
4
X X X X
5
X X X X X
6
X X X X X X
7
X X X X X X X
9
10
X
11
12
13
X X
X
X X X
X X X
3
4
Legend
3
X Known value and difference
X X X X X X X X
16 4
5
X X X X X X X 6
8
6
2−8·(1+2+3+5+8+8+8) = 2−280
X
X X X X X X X X
15
Final Probability
The End.L04
X
X X X X X X X X
14
2256+16+8 = 2280
X
X X X X X X X X
13
Final Complexity
X X X X
X X X X X X X
11
16
X X X X
X X X X X X X
10
15
X X X X X X
X X X X X X X
9
14
X X X X X X
X X X X X X X
8
12
8
5
4
3
4
3
2
2
2
Known difference F Guessed value and difference Highlight current step
Number of different differences in each Li
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl
28/30
Hash Functions
Grøstl & SHA-3
Cryptanalysis
Techniques
Grøstl-256
Grøstl-512
Conclusion
Summing Up Inbound Phase In total we try: 2256+16+8 = 2280 possibilities, and each gives a solution with probability 2−8×(1+2+3+5+8+8+8) = 2−280 . Outbound Phase Again: P(outbound) = 2−2×56 = 2−112 . Distinguisher Finally, we distinguish the 10-round permutation in 2280+112 = 2392 operations and 264 in memory. This compares to a generic complexity of 2448 operations. RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl
29/30
Hash Functions
Grøstl & SHA-3
Cryptanalysis
Techniques
Grøstl-256
Grøstl-512
Conclusion
Conclusion I
We have provided new rebound results on building blocks of both versions of Grøstl that improve the previous number of analysed rounds.
I
We propose a way to solve 3 fully active states in the middle.
I
The results do not threaten the security of Grøstl, but we believe they will help better understanding AES-based constructions and their bounds regarding rebound techniques.
I
More infos in the paper: http://www.di.ens.fr/~jean/
RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl
30/30
Hash Functions
Grøstl & SHA-3
Cryptanalysis
Techniques
Grøstl-256
Grøstl-512
Conclusion
Conclusion I
We have provided new rebound results on building blocks of both versions of Grøstl that improve the previous number of analysed rounds.
I
We propose a way to solve 3 fully active states in the middle.
I
The results do not threaten the security of Grøstl, but we believe they will help better understanding AES-based constructions and their bounds regarding rebound techniques.
I
More infos in the paper: http://www.di.ens.fr/~jean/
Thank you! RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl
30/30