Improved Differential Attacks for ECHO and Grøstl

  • Thomas Peyrin
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6223)


We present improved cryptanalysis of two second-round SHA-3 candidates: the AES-based hash functions ECHO and Grøstl. We explain methods for building better differential trails for ECHO by increasing the granularity of the truncated differential paths previously considered. In the case of Grøstl, we describe a new technique, the internal differential attack, which shows that when using parallel computations designers should also consider the differential security between the parallel branches. Then, we exploit the recently introduced start-from-the-middle or Super-Sbox attacks, that proved to be very efficient when attacking AES-like permutations, to achieve a very efficient utilization of the available freedom degrees. Finally, we obtain the best known attacks so far for both ECHO and Grøstl. In particular, we are able to mount a distinguishing attack for the full Grøstl-256 compression function.


hash function cryptanalysis ECHO Grøstl AES internal differential attack 


  1. 1.
    Barreto, P.S.L.M.: An observation on Grøstl. Comment submitted to the NIST hash function mailing list,,
  2. 2.
    Bellare, M., Rogaway, P.: Random Oracles are Practical: A Paradigm for Designing Efficient Protocols. In: ACM Conference on Computer and Communications Security, pp. 62–73 (1993)Google Scholar
  3. 3.
    Benadjila, R., Billet, O., Gilbert, H., Macario-Rat, G., Peyrin, T., Robshaw, M., Seurin, Y.: SHA-3 Proposal: ECHO. Submission to NIST (2008),
  4. 4.
    Biham, E., Dunkelman, O.: A Framework for Iterative Hash Functions: HAIFA. In: Second NIST Cryptographic Hash Workshop (2006)Google Scholar
  5. 5.
    Biham, E., Dunkelman, O.: The SHAvite-3 Hash Function. Submission to NIST (2008)Google Scholar
  6. 6.
    Biryukov, A. (ed.): FSE 2007. LNCS, vol. 4593. Springer, Heidelberg (2007) (revised selected papers)Google Scholar
  7. 7.
    Biryukov, A., Khovratovich, D., Nikolic, I.: Distinguisher and Related-Key Attack on the Full AES-256. In: Halevi (ed.) [16], pp. 231–249Google Scholar
  8. 8.
    Brassard, G. (ed.): CRYPTO 1989. LNCS, vol. 435. Springer, Heidelberg (1990)zbMATHGoogle Scholar
  9. 9.
    Cramer, R. (ed.): EUROCRYPT 2005. LNCS, vol. 3494. Springer, Heidelberg (2005)zbMATHGoogle Scholar
  10. 10.
    Daemen, J., Rijmen, V.: The Design of Rijndael. In: Information Security and Cryptography. Springer, Heidelberg (2002), ISBN 3-540-42580-2Google Scholar
  11. 11.
    Damgård, I.: A Design Principle for Hash Functions. In: Brassard (ed.) [8], pp. 416–427Google Scholar
  12. 12.
    Dobbertin, H., Bosselaers, A., Preneel, B.: RIPEMD-160: A Strengthened Version of RIPEMD. In: Gollmann, D. (ed.) FSE 1996. LNCS, vol. 1039, pp. 71–82. Springer, Heidelberg (1996)Google Scholar
  13. 13.
    Dunkelman, O. (ed.): FSE 2009. LNCS, vol. 5665. Springer, Heidelberg (2009)zbMATHGoogle Scholar
  14. 14.
    Gauravaram, P., Knudsen, L.R., Matusiewicz, K., Mendel, F., Rechberger, C., Schläffer, M., Thomsen, S.S.: Grøstl – a SHA-3 candidate. Submission to NIST (2008),
  15. 15.
    Gilbert, H., Peyrin, T.: Super-Sbox Cryptanalysis: Improved Attacks for AES-like Permutations. In: FSE 2010. LNCS. Springer, Heidelberg (to appear 2010), Google Scholar
  16. 16.
    Halevi, S. (ed.): CRYPTO 2009. LNCS, vol. 5677. Springer, Heidelberg (2009)zbMATHGoogle Scholar
  17. 17.
    Jacobson Jr., M.J., Rijmen, V., Safavi-Naini, R. (eds.): SAC 2009. LNCS, vol. 5867. Springer, Heidelberg (2009)zbMATHGoogle Scholar
  18. 18.
    Kelsey, J.: Some notes on Grøstl. Comment submitted to the NIST hash function mailing list,,
  19. 19.
    Khovratovich, D.: Cryptanalysis of Hash Functions with Structures. In: Jocobson Jr., M.J., et al. (eds.) [17], pp. 108–125Google Scholar
  20. 20.
    Knudsen, L.R., Rechberger, C., Thomsen, S.S.: The Grindahl Hash Functions. In: Biryukov (ed.) [6], pp. 39–57Google Scholar
  21. 21.
    Knudsen, L.R., Rijmen, V.: Known-Key Distinguishers for Some Block Ciphers. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 315–324. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  22. 22.
    Knudsen, L.R.: Truncated and Higher Order Differentials. In: Preneel, B. (ed.) FSE 1994. LNCS, vol. 1008, pp. 196–211. Springer, Heidelberg (1995)Google Scholar
  23. 23.
    Lamberger, M., Mendel, F., Rechberger, C., Rijmen, V., Schläffer, M.: Rebound Distinguishers: Results on the Full Whirlpool Compression Function. In: Matsui (ed.) [24], pp. 126–143Google Scholar
  24. 24.
    Matsui, M. (ed.): ASIACRYPT 2009. LNCS, vol. 5912. Springer, Heidelberg (2009)zbMATHGoogle Scholar
  25. 25.
    Matusiewicz, K., Naya-Plasencia, M., Nikolic, I., Sasaki, Y., Schläffer, M.: Rebound Attack on the Full Lane Compression Function. In: Matsui (ed.) [24], pp. 106–125Google Scholar
  26. 26.
    Mendel, F., Peyrin, T., Rechberger, C., Schläffer, M.: Improved Cryptanalysis of the Reduced Grøstl Compression Function, ECHO Permutation and AES Block Cipher. In: Jocobson Jr., M.J., et al. (eds.) [17], pp. 16–35Google Scholar
  27. 27.
    Mendel, F., Rechberger, C., Schläffer, M., Thomsen, S.S.: The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grøstl. In: Dunkelman (ed.) [13], pp. 260–276Google Scholar
  28. 28.
    Mendel, F., Rechberger, C., Schläffer, M., Thomsen, S.S.: Rebound Attacks on the Reduced Grøstl Hash Function. In: Pieprzyk (ed.) [37], pp. 350–365 Google Scholar
  29. 29.
    Merkle, R.C.: One Way Hash Functions and DES. In: Brassard (ed.) [8], pp. 428–446Google Scholar
  30. 30.
    Minier, M., Phan, R.C.-W., Pousse, B.: Distinguishers for Ciphers and Known Key Attack against Rijndael with Large Blocks. In: Preneel (ed.) [38], pp. 60–76Google Scholar
  31. 31.
    National Institute of Standards and Technology. FIPS 180-1: Secure Hash Standard (April 1995),
  32. 32.
    National Institute of Standards and Technology. FIPS PUB 197, Advanced Encryption Standard (AES). Federal Information Processing Standards Publication 197, U.S. Department of Commerce (November 2001)Google Scholar
  33. 33.
    National Institute of Standards and Technology. Announcing Request for Candidate Algorithm Nominations for a New Cryptographic Hash Algorithm (SHA-3) Family. Federal Register 27(212), 62212–62220 (November 2007), (2008/10/17)
  34. 34.
    Nguyên, P.Q. (ed.): VIETCRYPT 2006. LNCS, vol. 4341. Springer, Heidelberg (2006)Google Scholar
  35. 35.
    Peyrin, T.: Cryptanalysis of Grindahl. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 551–567. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  36. 36.
    Peyrin, T.: Improved Differential Attacks for ECHO and Grostl. Cryptology ePrint Archive, Report 2010/223 (2010),
  37. 37.
    Pieprzyk, J. (ed.): CT-RSA 2010. LNCS, vol. 5985. Springer, Heidelberg (2010)zbMATHGoogle Scholar
  38. 38.
    Preneel, B. (ed.): AFRICACRYPT 2009. LNCS, vol. 5580. Springer, Heidelberg (2009)zbMATHGoogle Scholar
  39. 39.
    RIPE. Integrity Primitives for Secure Information Systems. In: Bosselaers, A., Preneel, B. (eds.) RIPE 1992. LNCS, vol. 1007. Springer, Heidelberg (1995)Google Scholar
  40. 40.
    Rogaway, P.: Formalizing Human Ignorance. In: Nguyen (ed.) [34], pp. 211–228Google Scholar
  41. 41.
    Rivest, R.L.: RFC 1321: The MD5 Message-Digest Algorithm (April 1992),
  42. 42.
    Shoup, V. (ed.): CRYPTO 2005. LNCS, vol. 3621. Springer, Heidelberg (2005)zbMATHGoogle Scholar
  43. 43.
    Wagner, D.: A Generalized Birthday Problem. In: Yung (ed.) [46], pp. 288–303Google Scholar
  44. 44.
    Wang, X., Yin, Y.L., Yu, H.: Finding Collisions in the Full SHA-1. In: Shoup (ed.) [42], pp. 17–36Google Scholar
  45. 45.
    Wang, X., Yu, H.: How to Break MD5 and Other Hash Functions. In: Cramer (ed.) [9], pp. 19–35Google Scholar
  46. 46.
    Yung, M. (ed.): CRYPTO 2002. LNCS, vol. 2442. Springer, Heidelberg (2002)zbMATHGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Thomas Peyrin
    • 1
  1. 1.IngenicoFrance

Personalised recommendations