Improved Collision Attacks on the Reduced-Round Grøstl Hash Function

We analyze the Grostl hash function, which is a 2nd-round candidate of the SHA-3 competition. Using the start-from-the-middle variant of the rebound technique, we show collision attacks on the Grostl-256 hash function reduced to 5 and 6 out of 10 rounds with time complexities 248 and 2112, respectively. Furthermore, we demonstrate semi-free-start collision attacks on the Grostl-224 and -256 hash functions reduced to 7 rounds and the Grostl-224 and -256 compression functions reduced to 8 rounds. Our attacks are based on differential paths between the two permutations P and Q of Grostl, a strategy introduced by Peyrin to construct distinguishers for the compression function. In this paper, we extend this approach to construct collision and semi-freestart collision attacks for both the hash and the compression function. Finally, we present improved distinguishers for reduced-round versions of the Grostl-224 and -256 permutations.

[1]  Lars R. Knudsen,et al.  Truncated and Higher Order Differentials , 1994, FSE.

[2]  Vincent Rijmen,et al.  Plateau Characteristics and AES , 2007 .

[3]  Xiaoyun Wang,et al.  Finding Collisions in the Full SHA-1 , 2005, CRYPTO.

[4]  Thomas Peyrin,et al.  Improved Differential Attacks for ECHO and Grostl , 2010, IACR Cryptol. ePrint Arch..

[5]  Florian Mendel,et al.  Symmetric Cryptography , 2009 .

[6]  Thomas Peyrin,et al.  Improved Cryptanalysis of the Reduced Grøstl Compression Function, ECHO Permutation and AES Block Cipher , 2009, Selected Areas in Cryptography.

[7]  Vincent Rijmen,et al.  Rebound Distinguishers: Results on the Full Whirlpool Compression Function , 2009, ASIACRYPT.

[8]  Thomas Peyrin Cryptanalysis of Grindahl , 2007, ASIACRYPT.

[9]  Donald E. Knuth The Art of Computer Programming 2 / Seminumerical Algorithms , 1971 .

[10]  Florian Mendel,et al.  The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grøstl , 2009, FSE.

[11]  Florian Mendel,et al.  Rebound Attacks on the Reduced Grøstl Hash Function , 2010, CT-RSA.

[12]  Thomas Peyrin,et al.  Super-Sbox Cryptanalysis: Improved Attacks for AES-Like Permutations , 2010, FSE.

[13]  Christophe De Cannière,et al.  Finding SHA-1 Characteristics: General Results and Applications , 2006, ASIACRYPT.

[14]  Vincent Rijmen,et al.  Understanding Two-Round Differentials in AES , 2006, SCN.

[15]  Donald E. Knuth,et al.  The art of computer programming. Vol.2: Seminumerical algorithms , 1981 .

[16]  Donald Ervin Knuth,et al.  The Art of Computer Programming , 1968 .