Non-full-active Super-Sbox Analysis: Applications to ECHO and Grøstl

In this paper, we present non-full-active Super-Sbox analysis, which can detect non-ideal properties of a class of AES-based permutations with low complexity. We apply this framework to the SHA-3 round-2 candidates ECHO and Grøstl. The first application is to the full-round (8-round) ECHO permutation, which is the building block for the 256-bit and 224-bit output sizes. By combining several observations specific to ECHO, our attack detects a non-ideal property with a time complexity of 2^182 and 2^37 memory. The complexity, especially in terms of the product of time and memory, is drastically reduced from the previous best attack, which required 2^512 time × 2^512 memory. Note that this result does not affect the security of the ECHO compression function or the overall hash function. We also show that our method detects non-ideal properties of the 8-round Grøstl-256 permutation with practical complexity, and finally that our approach improves the semi-free-start collision attack on the 7-round Grøstl-512 compression function. Our approach builds on a series of attacks on AES-based hash functions, namely the rebound attack and Super-Sbox analysis. The core idea is a new differential path consisting only of non-full-active states.
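The following is an added example, not code from the paper or from the ECHO or Grøstl submissions. It implements the standard AES components that the Super-Sbox technique is built on (the FIPS-197 S-box and MixColumns, assumed here) and the Daemen-Rijmen Super-Sbox SB → MC → AK → SB on one 32-bit column, then counts active bytes through MixColumns to show where full-active and non-full-active column patterns come from: the MDS branch number 5 forces a column with one active byte to become full-active (4 active bytes), while a column with two active bytes can map to a non-full-active column with only three. The sample columns, key bytes and differences are constructed inputs.

```python
from itertools import combinations, product

# Added example (not the paper's code). Assumes standard AES: GF(2^8) reduced by
# x^8+x^4+x^3+x+1, the FIPS-197 S-box, MixColumns with circulant matrix (2,3,1,1),
# and the Daemen-Rijmen Super-Sbox SB -> MC -> AK -> SB on one column.

def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p

def _gf_inv(a: int) -> int:
    """Multiplicative inverse as a^254 (a^255 = 1 for a != 0); inv(0) := 0."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r if a else 0

def _affine(x: int) -> int:
    """AES S-box affine layer: x ^ rotl(x,1) ^ ... ^ rotl(x,4) ^ 0x63."""
    y = x
    for i in range(1, 5):
        y ^= ((x << i) | (x >> (8 - i))) & 0xFF
    return y ^ 0x63

SBOX = [_affine(_gf_inv(a)) for a in range(256)]
MUL2 = [gf_mul(a, 2) for a in range(256)]   # lookup tables for MixColumns
MUL3 = [gf_mul(a, 3) for a in range(256)]

def mix_column(c):
    """AES MixColumns on one column (a0, a1, a2, a3)."""
    a0, a1, a2, a3 = c
    return (MUL2[a0] ^ MUL3[a1] ^ a2 ^ a3,
            a0 ^ MUL2[a1] ^ MUL3[a2] ^ a3,
            a0 ^ a1 ^ MUL2[a2] ^ MUL3[a3],
            MUL3[a0] ^ a1 ^ a2 ^ MUL2[a3])

def super_sbox(col, key):
    """Super-Sbox of one column: SubBytes, MixColumns, AddRoundKey, SubBytes.
    ShiftRows of the two surrounding AES rounds only moves bytes between
    columns, so it is pushed outside and each column is handled on its own."""
    x = mix_column([SBOX[b] for b in col])
    return tuple(SBOX[a ^ k] for a, k in zip(x, key))

def active_bytes(diff) -> int:
    """Number of non-zero (active) bytes in a difference."""
    return sum(1 for d in diff if d)

def super_sbox_output_diff(col, diff, key):
    """Output difference of the Super-Sbox for the pair (col, col ^ diff)."""
    y0 = super_sbox(col, key)
    y1 = super_sbox(tuple(a ^ d for a, d in zip(col, diff)), key)
    return tuple(a ^ b for a, b in zip(y0, y1))

def mc_transition_counts(positions):
    """Histogram {output weight: count} over every input difference that is
    non-zero exactly at `positions`. MixColumns is linear, so the output
    difference is MixColumns of the input difference. Exhaustive over
    255**len(positions) inputs, so keep len(positions) <= 2."""
    counts = {}
    for vals in product(range(1, 256), repeat=len(positions)):
        d = [0, 0, 0, 0]
        for pos, v in zip(positions, vals):
            d[pos] = v
        w = active_bytes(mix_column(d))
        counts[w] = counts.get(w, 0) + 1
    return counts

def min_branch_sum(max_in_weight: int = 2) -> int:
    """Minimum of (input weight + output weight) over all non-zero input
    patterns of weight 1..max_in_weight. MixColumns is MDS, so this is 5."""
    best = 8
    for w in range(1, max_in_weight + 1):
        for positions in combinations(range(4), w):
            best = min(best, w + min(mc_transition_counts(positions)))
    return best

if __name__ == "__main__":
    print("1 active byte in ->", mc_transition_counts((0,)))     # full-active only
    print("2 active bytes in ->", mc_transition_counts((0, 1)))  # 3-active possible
    print("branch number =", min_branch_sum())
    d = super_sbox_output_diff((0x01, 0x02, 0x03, 0x04), (0x80, 0, 0, 0), (9, 8, 7, 6))
    print("Super-Sbox output difference", d, "active bytes:", active_bytes(d))
```

`mc_transition_counts((0,))` reports that all 255 single-byte differences become four active bytes, which is why a rebound-style inbound phase through such a column always faces a full-active Super-Sbox. `mc_transition_counts((0, 1))` shows that 1020 of the 65025 two-byte differences map to exactly three active bytes; a path built from such non-full-active transitions is the kind of structure the abstract refers to, and it costs a factor of about 2^6 in probability per column relative to the 4-active case.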
