Confirmation that some hash functions are not collision free
EUROCRYPT '90 Proceedings of the workshop on the theory and application of cryptographic techniques on Advances in cryptology
Random oracles are practical: a paradigm for designing efficient protocols
CCS '93 Proceedings of the 1st ACM conference on Computer and communications security
Hash functions based on block ciphers: a synthetic approach
CRYPTO '93 Proceedings of the 13th annual international cryptology conference on Advances in cryptology
A Design Principle for Hash Functions
CRYPTO '89 Proceedings of the 9th Annual International Cryptology Conference on Advances in Cryptology
One Way Hash Functions and DES
CRYPTO '89 Proceedings of the 9th Annual International Cryptology Conference on Advances in Cryptology
Improved Indifferentiability Security Analysis of chopMD Hash Function
Fast Software Encryption
Salvaging Merkle-Damgård for Practical Applications
EUROCRYPT '09 Proceedings of the 28th Annual International Conference on Advances in Cryptology: the Theory and Applications of Cryptographic Techniques
Seven-property-preserving iterated hashing: ROX
ASIACRYPT'07 Proceedings of the Advances in Crypotology 13th international conference on Theory and application of cryptology and information security
On the indifferentiability of the sponge construction
EUROCRYPT'08 Proceedings of the theory and applications of cryptographic techniques 27th annual international conference on Advances in cryptology
Security analysis of the mode of JH hash function
FSE'10 Proceedings of the 17th international conference on Fast software encryption
Indifferentiable security analysis of popular hash functions with prefix-free padding
ASIACRYPT'06 Proceedings of the 12th international conference on Theory and Application of Cryptology and Information Security
Multi-property-preserving hash domain extension and the EMD transform
ASIACRYPT'06 Proceedings of the 12th international conference on Theory and Application of Cryptology and Information Security
A failure-friendly design principle for hash functions
ASIACRYPT'05 Proceedings of the 11th international conference on Theory and Application of Cryptology and Information Security
Finding collisions in the full SHA-1
CRYPTO'05 Proceedings of the 25th annual international conference on Advances in Cryptology
Merkle-Damgård revisited: how to construct a hash function
CRYPTO'05 Proceedings of the 25th annual international conference on Advances in Cryptology
How to break MD5 and other hash functions
EUROCRYPT'05 Proceedings of the 24th annual international conference on Theory and Applications of Cryptographic Techniques
Security reductions of the second round SHA-3 candidates
ISC'10 Proceedings of the 13th international conference on Information security
Careful with composition: limitations of the indifferentiability framework
EUROCRYPT'11 Proceedings of the 30th Annual international conference on Theory and applications of cryptographic techniques: advances in cryptology
On the security of hash functions employing blockcipher postprocessing
FSE'11 Proceedings of the 18th international conference on Fast software encryption
On the indifferentiability of fugue and luffa
ACNS'11 Proceedings of the 9th international conference on Applied cryptography and network security
Security analysis and comparison of the SHA-3 finalists BLAKE, grøstl, JH, keccak, and skein
AFRICACRYPT'12 Proceedings of the 5th international conference on Cryptology in Africa
Cryptophia's short combiner for collision-resistant hash functions
ACNS'13 Proceedings of the 11th international conference on Applied Cryptography and Network Security
| Hi-index | 0.00 |
The notion of indifferentiability, introduced by Maurer et al., is an important criterion for the security of hash functions. Concretely, it ensures that a hash function has no structural design flaws and thus guarantees security against generic attacks up to the proven bounds. In this work we prove the indifferentiability of Grøstl, a second round SHA-3 hash function candidate. Grøstl combines characteristics of the wide-pipe and chop-Merkle-Damgård iterations and uses two distinct permutations P and Q internally. Under the assumption that P and Q are random l-bit permutations, where l is the iterated state size of Grøstl, we prove that the advantage of a distinguisher to differentiate Grøstl from a random oracle is upper bounded by O((Kq)4/2l), where the distinguisher makes at most q queries of length at most K blocks. This result implies that Grøstl behaves like a random oracle up to q = O(2n/2) queries, where n is the output size. Furthermore, we show that the output transformation of Grøstl, as well as 'Grøstail' (the composition of the final compression function and the output transformation), are clearly differentiable from a random oracle. This rules out indifferentiability proofs which rely on the idealness of the final state transformation.