Grøstl Distinguishing Attack: A New Rebound Attack of an AES-like Permutation

Authors

  • Victor Cauchois, Direction générale de l'armement - Maîtrise de l'information (DGA MI), Boîte Postale 7, 35998 Rennes Cedex 9, France; Institut de Recherche Mathématique de Rennes (IRMAR), Université de Rennes 1, Campus de Beaulieu, 35042 Rennes, France
  • Clément Gomez, Direction générale de l'armement - Maîtrise de l'information (DGA MI), Boîte Postale 7, 35998 Rennes Cedex 9, France
  • Reynald Lercier, Direction générale de l'armement - Maîtrise de l'information (DGA MI), Boîte Postale 7, 35998 Rennes Cedex 9, France; Institut de Recherche Mathématique de Rennes (IRMAR), Université de Rennes 1, Campus de Beaulieu, 35042 Rennes, France

DOI:

https://doi.org/10.13154/tosc.v2017.i3.1-23

Keywords:

Cryptanalysis, Hash function, Rebound attacks, AES-like, Grøstl

Abstract

We consider highly structured truncated differential paths to mount a new rebound attack on Grøstl-512, a hash function based on two AES-like permutations, P1024 and Q1024, with non-square input and output registers. We explain how such differential paths can be computed using a Mixed-Integer Linear Programming approach. Together with a SuperSBox description, this allows us to build a rebound attack with a 6-round inbound phase, whereas classical rebound attacks have 4-round inbound phases. This yields the first distinguishing attack on an 11-round version of P1024 and Q1024 with about 2^72 computations and a memory complexity of about 2^56 bytes, to be compared with the 2^96 computations required by the corresponding generic attack. Previous best results on this permutation reached 10 rounds with a computational complexity of about 2^392 operations, to be compared with the 2^448 computations required by the corresponding generic attack.

Published

2017-09-19

Issue

Section

Articles

How to Cite

Grøstl Distinguishing Attack: A New Rebound Attack of an AES-like Permutation. (2017). IACR Transactions on Symmetric Cryptology, 2017(3), 1-23. https://doi.org/10.13154/tosc.v2017.i3.1-23