The art of computer programming, volume 2 (3rd ed.): seminumerical algorithms
The art of computer programming, volume 2 (3rd ed.): seminumerical algorithms
The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grøstl
Fast Software Encryption
Selected Areas in Cryptography
Rebound Distinguishers: Results on the Full Whirlpool Compression Function
ASIACRYPT '09 Proceedings of the 15th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology
ASIACRYPT'07 Proceedings of the Advances in Crypotology 13th international conference on Theory and application of cryptology and information security
Super-Sbox cryptanalysis: improved attacks for AES-like permutations
FSE'10 Proceedings of the 17th international conference on Fast software encryption
Improved differential attacks for ECHO and Grøstl
CRYPTO'10 Proceedings of the 30th annual conference on Advances in cryptology
Finding SHA-1 characteristics: general results and applications
ASIACRYPT'06 Proceedings of the 12th international conference on Theory and Application of Cryptology and Information Security
Finding collisions in the full SHA-1
CRYPTO'05 Proceedings of the 25th annual international conference on Advances in Cryptology
Understanding two-round differentials in AES
SCN'06 Proceedings of the 5th international conference on Security and Cryptography for Networks
Rebound attacks on the reduced grøstl hash function
CT-RSA'10 Proceedings of the 2010 international conference on Topics in Cryptology
ASIACRYPT'11 Proceedings of the 17th international conference on The Theory and Application of Cryptology and Information Security
Internal differential collision attacks on the reduced-round GrØstl-0 hash function
Designs, Codes and Cryptography
Hi-index | 0.00 |
We analyze the Grøstl hash function, which is a 2nd-round candidate of the SHA-3 competition. Using the start-from-the-middle variant of the rebound technique, we show collision attacks on the Grøstl-256 hash function reduced to 5 and 6 out of 10 rounds with time complexities 248 and 2112, respectively. Furthermore, we demonstrate semi-free-start collision attacks on the Grøstl-224 and -256 hash functions reduced to 7 rounds and the Grøstl-224 and -256 compression functions reduced to 8 rounds. Our attacks are based on differential paths between the two permutations P and Q of Grøstl, a strategy introduced by Peyrin to construct distinguishers for the compression function. In this paper, we extend this approach to construct collision and semi-freestart collision attacks for both the hash and the compression function. Finally, we present improved distinguishers for reduced-round versions of the Grøstl-224 and -256 permutations.