International Association for Cryptologic Research

CryptoDB

Grøstl Distinguishing Attack: A New Rebound Attack of an AES-like Permutation

Authors:
Victor Cauchois, DGA MI, Boîte Postale 7, 35998 Rennes Cedex 9; IRMAR, Université de Rennes 1, Campus de Beaulieu, 35042 Rennes
Clément Gomez, DGA MI, Boîte Postale 7, 35998 Rennes Cedex 9
Reynald Lercier, DGA MI, Boîte Postale 7, 35998 Rennes Cedex 9; IRMAR, Université de Rennes 1, Campus de Beaulieu, 35042 Rennes
Download:
DOI: 10.13154/tosc.v2017.i3.1-23
URL: https://tosc.iacr.org/index.php/ToSC/article/view/763
Abstract: We consider highly structured truncated differential paths to mount a new rebound attack on Grøstl-512, a hash function based on two AES-like permutations, P1024 and Q1024, with non-square input and output registers. We explain how such differential paths can be computed using a Mixed-Integer Linear Programming approach. Together with a SuperSBox description, this allows us to build a rebound attack with a 6-round inbound phase whereas classical rebound attacks have 4-round inbound phases. This yields the first distinguishing attack on an 11-round version of P1024 and Q1024 with about 2^72 computations and a memory complexity of about 2^56 bytes, to be compared with the 2^96 computations required by the corresponding generic attack. Previous best results on this permutation reached 10 rounds with a computational complexity of about 2^392 operations, to be compared with the 2^448 computations required by the corresponding generic attack.
BibTeX
@article{tosc-2017-28489,
  title={Grøstl Distinguishing Attack: A New Rebound Attack of an AES-like Permutation},
  journal={IACR Trans. Symmetric Cryptol.},
  publisher={Ruhr-Universität Bochum},
  volume={2017, Issue 3},
  pages={1-23},
  url={https://tosc.iacr.org/index.php/ToSC/article/view/763},
  doi={10.13154/tosc.v2017.i3.1-23},
  author={Victor Cauchois and Clément Gomez and Reynald Lercier},
  year=2017
}