Académique Documents
Professionnel Documents
Culture Documents
ABSTRACT
INTRODUCTION DESCRIPTION OF GRINDAHL HASH FUNCTION OVERALL ANALYSIS COLLISION
ATTACK
ON
GRINDAHL
HASH
ABSTRACT
Due to recent breakthroughs in hash functions
cryptanalysis, some new hash schemes have been proposed. GRINDAHL is a novel hash function. cryptanalytic work on 256-bit version of GRINDAHL is not collision resistant. With a work effort of approximately 2^112 hash computations, one can generate a collision
INTRODUCTION
HASH FUNCTION:
Basically, a hash function H is a function that maps
an input of variable size to a fixed length output value. A cryptographic hash function has to satisfy collision resistant property. Using 2^112 hash computations, one can generate a collision . so grindahl is not collision resistant for the purpose of providing security it requires 2^n , 2^n ,2^n/2 operations respectively.
strategy concatenate permute truncate. 2 versions are available , a 256 bit output, a 512 bit output. A compression mode is also available. Concatenate sk = Mk+1||sk Truncate Permute : probability can be defined as
OVERALL ANALYSIS
finding a good differential path for the 256-bit
version of GRINDAHL. A trail of k iterations starting from s0 and so that with two different messages M andM0 we have the same hash output. Thus, we only care about collision. Potential Attack Truncated Differences
PPOTENTIAL ATTACK
The attacker does not look at the actual values of
differences inserted in the bytes of the internal state, but only checks if there is a differen11ce or not.
TUNCATED DIFFERENCES
The number of truncated-differences in a column can
be reduced and their position changed by a clever use of the Mix Columns transformation
input and the output of Mix Columns is greater or equal to 5. let V = (A,B,C,D) be an input vector of four bytes A, B, C and D; and let W = (A0,B0,C0,D0) be an output vector of four bytes A0, B0, C0 and D0. We denote the function Mix Columns by MC : V 7! W or MC : (A,B,C,D) 7! (A0,B0,C0,D0).
if the i-th byte of the 4-byte vectors V1 and V2 are different, and 0 otherwise. Finally, ND(V1, V2) returns the number of differences. Our goal is to compute the probability that a fixed mask of input truncated-differences maps to a fixed mask of output truncated-differences
and V2 distinct on their 2 first bytes give two output words different on their 3 first bytes through MixColumns. Table : Approximate probability that two 4-byte input words with DI different bytes on predefined positions maps to two 4-byte output words with DO different bytes on predefined positions through Mix Columns. The values are base 2 logarithms
the internal state. Table: Influences on the columns of the extended internal states for a modification of a byte of the message block Mk = (Ak, Bk, Ck, Dk) incoming at iteration k. We denote by X if the column is affected (or active) and void if not. The first table shows influences on sk1, the second on sk and the third on sk+1.
the forward direction as quickly as in the backward direction. if we look for a collision at the end of iteration k, we try all the possible truncated difference masks for the message blocks inserted at itrations k, k 1, etc. th rough mix columns.
COLLISION ATTACK
Truncated-differential path in 8 iterations starting
from an all-difference pair of states. The dark cells mean that we have a non-zero difference for this byte, and the light cells stand for no difference. Each row represents an iteration. The first column gives the differences in the state just after its update with the 4-byte message word, and the second column gives the same state
COLLISION ATTACK
after application of the ShiftRows transformation.
Finally, the third column represents the internal state just after application of the Mix Columns function. Note that the Add Constant and Sub Bytes functions have no effect on the differential path, thus they are omitted here. Each first 4-byte column of the first column states represents the message words inserted at each iteration, that
COLLISION ATTACK
will later be used as control bytes. The first 4-byte
column of the state after every Mix Columns transition can have whatever difference mask since those bytes will be immediately truncated.
COLLISION ATTACK
STEP 1:
start with the predefined initial value and compute some iterations with lots of truncated-differences in the incoming message blocks in order to quickly come to an all-difference pair of states denoted A after a few iterations. Second step: from this pair of states A, generate 2148 = 2112 all-difference pairs of states A1, . . . ,A2112 . This step requires 2112 20,27 = 2112,27 iterations computations
COLLISION ATTACK
Third step: continue the attack by fixing the control
bytes iteration per iteration Fourth step: add a (k + 1)-th message block without truncated-difference in order to force a truncation after the last iteration k of the differential trail (the final blank rounds are done without truncation).
Table
Dependencies of the message blocks used as control
bytes and inserted during the truncated-differential path from Figure 1, for a collision at the end of iteration k.
CONCLUSION
We showed in this work that the 256-bit version of
GRINDAHL is not collision resistant. By introducing a non-intuitive technique in order to find a good differential path and with a careful use of the control bytes available, we presented an attack finding collisions with no more than 2112 hash computations. Finally, possible patches for the 256-bit version of GRINDAHL that may lead to new versions with stronger security arguments.
REFFERENCES
[1] Augot, D., Finiasz, M., Sendrier, N., A Family of Fast
Syndrome Based Cryptographic Hash Functions, Lecture Notes in Computer Science. vol. 3715, pp. 64 83. Springer, Heidelberg, 2005. [2] Bellare, M., Ristenpart, T., Multi-PropertyPreserving Hash Domain Extension and the EMD Transform, Lecture Notes in Computer Science. vol. 4284, pp. 299314. Springer, Heidelberg, 2006.
QUESTIONS ?
THAK YOU