Non-full-active Super-Sbox Analysis: Applications to ECHO and Grøstl

  • Yu Sasaki
  • Yang Li
  • Lei Wang
  • Kazuo Sakiyama
  • Kazuo Ohta
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6477)

Abstract

In this paper, we present non-full-active Super-Sbox analysis which can detect non-ideal properties of a class of AES-based permutations with a low complexity. We apply this framework to SHA-3 round-2 candidates ECHO and Grøstl. The first application is for the full-round (8-round) ECHO permutation, which is a building block for 256-bit and 224-bit output sizes. By combining several observations specific to ECHO, our attack detects a non-ideal property with a time complexity of 2^182 and 2^37 memory. The complexity, especially in terms of the product of time and memory, is drastically reduced from the previous best attack, which required 2^512 × 2^512. Note that this result does not impact the security of the ECHO compression function nor the overall hash function. We also show that our method can detect non-ideal properties of the 8-round Grøstl-256 permutation with a practical complexity, and finally show that our approach improves a semi-free-start collision attack on the 7-round Grøstl-512 compression function. Our approach is based on a series of attacks on AES-based hash functions such as the rebound attack and Super-Sbox analysis. The core idea is using a new differential path consisting of only non-full-active states.
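The abstract builds on the Super-Sbox view of AES-like rounds and on rebound-style matching, and its core idea is that restricting the differential path to non-full-active states makes that matching cheap. The following Python block is an added example written for this page; it is not code from the paper or from the ECHO/Grøstl submissions, and it does not reproduce the paper's paths or complexities. It implements the generic Super-Sbox of one AES column (SubBytes, MixColumns, a constant addition, SubBytes) and a rebound-style inbound phase that finds every input pair following a given (input difference, output difference) pair through it. The enumeration cost is the product of the DDT rows of the active bytes of the input difference, so a column with one active byte costs 127 candidates while a full-active column would cost about 2^28; the round constant and the planted value are constructed for the demonstration.

```python
"""Super-Sbox differential matching on one AES column (added example, not the paper's code)."""
import itertools


def gf_mul(a, b):
    """Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (the AES polynomial)."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def _rotl8(v, n):
    return ((v << n) | (v >> (8 - n))) & 0xFF


def _build_sbox():
    """AES S-box from field inversion followed by the affine map (no typed-in table)."""
    inv = [0] * 256
    for x in range(1, 256):
        if not inv[x]:
            y = next(y for y in range(1, 256) if gf_mul(x, y) == 1)
            inv[x], inv[y] = y, x
    return [v ^ _rotl8(v, 1) ^ _rotl8(v, 2) ^ _rotl8(v, 3) ^ _rotl8(v, 4) ^ 0x63 for v in inv]


SBOX = _build_sbox()
SBOX_INV = [0] * 256
for _i, _v in enumerate(SBOX):
    SBOX_INV[_v] = _i

# DSOL[a][b] lists every x with S(x) ^ S(x ^ a) == b (a DDT that keeps the solutions).
DSOL = [[[] for _ in range(256)] for _ in range(256)]
for _a in range(256):
    for _x in range(256):
        DSOL[_a][SBOX[_x] ^ SBOX[_x ^ _a]].append(_x)


def mix_column(c):
    """AES MixColumns on one column; being linear it maps differences the same way."""
    return [gf_mul(2, c[0]) ^ gf_mul(3, c[1]) ^ c[2] ^ c[3],
            c[0] ^ gf_mul(2, c[1]) ^ gf_mul(3, c[2]) ^ c[3],
            c[0] ^ c[1] ^ gf_mul(2, c[2]) ^ gf_mul(3, c[3]),
            gf_mul(3, c[0]) ^ c[1] ^ c[2] ^ gf_mul(2, c[3])]


def inv_mix_column(c):
    m = [[14, 11, 13, 9], [9, 14, 11, 13], [13, 9, 14, 11], [11, 13, 9, 14]]
    return [gf_mul(m[r][0], c[0]) ^ gf_mul(m[r][1], c[1]) ^ gf_mul(m[r][2], c[2]) ^ gf_mul(m[r][3], c[3])
            for r in range(4)]


def super_sbox(col, key):
    """Super-Sbox of one column: SB, MC, constant addition, SB.  ShiftRows commutes with the
    byte-wise SB, so two AES-like rounds split into four independent 32-bit maps of this form."""
    s = [SBOX[v] for v in col]
    y = [m ^ k for m, k in zip(mix_column(s), key)]
    return [SBOX[v] for v in y]


def solve_super_sbox(din, dout, key):
    """Inbound phase: return (solutions, work) with every 4-byte x such that
    super_sbox(x) ^ super_sbox(x ^ din) == dout.  work counts the first-layer output
    differences d enumerated; inactive bytes of din contribute only d_i = 0."""
    per_byte = [[b for b in range(256) if DSOL[a][b]] for a in din]
    solutions, work = [], 0
    for d in itertools.product(*per_byte):
        work += 1
        m = mix_column(d)                                  # difference entering the second SB layer
        ysets = [DSOL[m[i]][dout[i]] for i in range(4)]
        if not all(ysets):
            continue                                       # (m, dout) impossible for some S-box
        for y in itertools.product(*ysets):                # values before the second SB layer
            s = inv_mix_column([yi ^ ki for yi, ki in zip(y, key)])
            x = [SBOX_INV[v] for v in s]                   # invert back to the column input
            if all(SBOX[x[i] ^ din[i]] == s[i] ^ d[i] for i in range(4)):
                solutions.append(x)                        # first SB layer also follows d
    return solutions, work


def demo(din, key=(0x0F, 0x1E, 0x2D, 0x3C), x0=(0x01, 0x23, 0x45, 0x67)):
    """Plant the pair (x0, x0 ^ din) with constructed key and value bytes, derive its
    output difference, and recover the pair (and any others) by inbound matching."""
    key, x0 = list(key), list(x0)
    x1 = [v ^ e for v, e in zip(x0, din)]
    dout = [a ^ b for a, b in zip(super_sbox(x0, key), super_sbox(x1, key))]
    sols, work = solve_super_sbox(din, dout, key)
    return sols, work, x0, key, dout


if __name__ == "__main__":
    for din in ([0x80, 0, 0, 0], [0x80, 0x01, 0, 0]):
        sols, work, x0, _, _ = demo(din)
        print(f"active input bytes={sum(1 for v in din if v)}: {work} first-layer differences "
              f"enumerated, {len(sols)} solutions, planted value recovered={x0 in sols}")
```

Running the script shows the cost jump from one to two active input bytes (127 versus 127^2 enumerated differences); the full-active case is left out because, at 127^4 candidates, it is exactly the case the paper's non-full-active paths are designed to avoid.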

Keywords

AES-based permutation, ECHO, Grøstl, SHA-3, Super-Sbox


Copyright information

© International Association for Cryptologic Research 2010

Authors and Affiliations

  • Yu Sasaki (1)
  • Yang Li (2)
  • Lei Wang (2)
  • Kazuo Sakiyama (2)
  • Kazuo Ohta (2)
  1. NTT Information Sharing Platform Laboratories, NTT Corporation, Musashino-shi, Japan
  2. The University of Electro-Communications, Choufu-shi, Japan