Symmetric Cryptography

Grøstl is a SHA-3 candidate proposal. Grøstl is an iterated hash function whose compression function is built from two fixed, large, distinct permutations. The design of Grøstl is transparent and based on principles very different from those used in the SHA family. The two permutations are constructed using the wide trail design strategy, which makes it possible to give strong statements about the resistance of Grøstl against large classes of cryptanalytic attacks. Moreover, if these permutations are assumed to be ideal, there is a proof of the security of the hash function. Grøstl is a byte-oriented SP-network which borrows components from the AES: the S-box is identical to the one used in the block cipher AES, and the diffusion layers are constructed in a similar manner to those of the AES. As a consequence, Grøstl has very strong confusion and diffusion. Grøstl is a so-called wide-pipe construction, in which the size of the internal state is significantly larger than the size of the output; this makes all known generic attacks on the hash function much more difficult. Grøstl has good performance on a wide range of platforms, and countermeasures against side-channel attacks are well understood from similar work on the AES.
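As an added illustration of the construction described above (example code, not code from the Grøstl submission): the wide-pipe iteration f(h, m) = P(h ⊕ m) ⊕ Q(m) ⊕ h with the output transformation trunc(P(h) ⊕ h), built on the real AES S-box. P and Q are simplified stand-ins here: their shift vectors, MixBytes matrix and round constants are assumed rather than Grøstl's own, so the digests do not match Grøstl test vectors.

```python
from functools import reduce

def gf_mul(a, b):  # multiply in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def aes_sbox(x):  # AES S-box: inverse in GF(2^8) (x^254), then the fixed affine map
    inv = 1 if x else 0
    for _ in range(254):
        inv = gf_mul(inv, x)
    rotl = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xFF
    return inv ^ rotl(inv, 1) ^ rotl(inv, 2) ^ rotl(inv, 3) ^ rotl(inv, 4) ^ 0x63

SBOX = [aes_sbox(x) for x in range(256)]   # identical to the AES S-box, as in Grostl
MIX = [2, 2, 3, 4, 5, 3, 5, 7]             # circulant MixBytes row: assumed stand-in
P_SHIFT, Q_SHIFT = (0, 1, 2, 3, 4, 5, 6, 7), (1, 3, 5, 7, 0, 2, 4, 6)  # assumed

def permute(s, is_q, rounds=10):
    """Stand-in for P (is_q=False) or Q (is_q=True) on an 8x8 byte state
    stored column-major (s[8*c + r]); round constants are assumed, not Grostl's."""
    shifts = Q_SHIFT if is_q else P_SHIFT
    for rc in range(rounds):
        s = [b ^ (0xFF if is_q else 0) for b in s]              # AddRoundConstant
        for c in range(8):
            s[8 * c + (7 if is_q else 0)] ^= rc ^ (c << 4)
        s = [SBOX[b] for b in s]                                  # SubBytes
        s = [s[8 * ((c + shifts[r]) % 8) + r] for c in range(8) for r in range(8)]  # ShiftBytes
        s = [reduce(lambda v, k: v ^ gf_mul(MIX[(k - r) % 8], s[8 * c + k]), range(8), 0)
             for c in range(8) for r in range(8)]                 # MixBytes
    return s

def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]

def compress(h, m):
    """Grostl compression function f(h, m) = P(h ^ m) ^ Q(m) ^ h on a 64-byte state."""
    return xor(xor(permute(xor(h, m), False), permute(m, True)), h)

def hash256(msg):
    """Pad (1 bit, zeros, 64-bit block count), iterate compress, then trunc(P(h) ^ h)."""
    data = msg + b"\x80" + b"\x00" * ((-len(msg) - 9) % 64)
    data += ((len(data) + 8) // 64).to_bytes(8, "big")
    h = [0] * 62 + [0x01, 0x00]                 # IV encodes the output size 256
    for i in range(0, len(data), 64):
        h = compress(h, list(data[i:i + 64]))   # 512-bit pipe for a 256-bit digest
    return bytes(xor(permute(h, False), h)[32:])
```

The wide pipe is visible in `compress`: the chaining value stays 64 bytes throughout and is only truncated to 32 bytes by the final output transformation.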
