Rebound attachs on GRφSTL

Abstract

Cryptographic hash Functions are widely used for a wide range of applications such as au- thentication of information, digital signatures and protection of pass-phrases. In the last few years, the cryptanalysis of hash functions has gained much importance within the cryp- tographic community. In 2004 a series of attacks by Wang et al. [19, 20] have exposed security vulnerabilities in the design of the most widely deployed SHA-1 hash function. As a result, the US National Institute for Standards and Technology (NIST) recommended the replacement of SHA-1 by the SHA-2 hash function family and in 2008, they announced a call for the design of a new SHA-3 hashing algorithm. On October 31, 2008, the “SHA-3 competition”, organised by the National Institute of Standards and Technology (NIST), was launched [17]. 64 algorithms were submitted, out of which, 51 were accepted for the first round of the competition. On July 24, 2009, 14 candidates were chosen by NIST to advance to the second round of the competition. One of the candidates accepted for the second round is called Grφstl [11], developed by Praveen Gauravaram, Lars R. Knudsen and Krystian Matusiewicz. Grφstl further advanced to the final round along with BLAKE [2], JH, Keccak [3], Skein [10] and became one of the top 5 proposals for SHA-3. The report breifly specifies the Grφstl family of cryptographic hash algorithms, one of the top 5 finalists of the SHA-3 hash function competition and a well known attack named Rebound Attack on Grφstl. The rebound attack is a freedom degrees utilization technique that was first proposed by Mendel et al. in [15] as an analysis of round-reduced Grφstl and Whirlpool [18]. The main idea of the rebound attack is to use the available degrees of freedom in a collision attack to effeciently bypass the low probability parts of a truncated differential trail. The rebound attack consists of an inbound phase with a match-in-the-middle part to exploit the available degrees of freedom, followed by a subsequent probabilistic outbound phase. Report discusses available rebound attacks on reduced rounds of Grφstl-256. The report first describes a simple method to utilize the available freedom degrees. The original idea of rebound is then applied to reduced rounds of Grφstl- 256. Report describes attack on 4 rounds of Grφstl-256. It further explains same rebound technique applied on 5 and 6 rounds Grφstl-256. The new technique Super Sbox Cryptanalysis [12] introduced by Thomas Peyrin and Henri Gilbert is explained in the report alongwith its application on 7 rounds of Grφstl-256.