Gröstl

Gröstl
developer	Praveen Gauravaram, Lars R. Knudsen, Krystian Matusiewicz, Florian Mendel, Christian Rechberger, Martin Schläffer, Søren S. Thomsen
Released	2008
Derived from	AES
Certification	Finalist in the SHA-3 selection process
Length of the hash value (bit)	224, 256, 384, 512
construction	wide-pipe Merkle Damgård construction
Round	10 (Grøstl-224, Grøstl-256) ; 14 (Grøstl-384, Grøstl-512)
Best known cryptanalysis
	M. Schläffer: Updated Differential Analysis of Grøstl. January 2011. ; Collision on 3 rounds of Grøstl-224 and Grøstl-256 with a time complexity of 2 64 and on 3 rounds of Grøstl-512 with a time complexity of 2 192

Grøstl is a cryptographic hash function . It was developed by a team of Danish and Austrian scientists led by the cryptographer Lars Knudsen . Grøstl was one of the candidates in the competition for the future SHA-3 standard . He was selected as one of five finalists in December 2010.

It was named after the Austrian dish Gröstl , which is similar to the US hash .

construction

The message is expanded and divided into blocks of bits each , which are processed one after the other. A block is entered into a compression function together with a concatenation value, which is also bits, which supplies the next concatenation value. The last concatenation value is entered into a finalization function that calculates the hash value: ${\ displaystyle m_ {1} \ dots m_ {n}}$ ${\ displaystyle l}$ ${\ displaystyle v_ {i}}$ ${\ displaystyle l}$

{\ displaystyle v_ {i + 1} = f (v_ {i}, m_ {i}); \; i = 1,2, \ dots, n}

{\ displaystyle h = g (v_ {n + 1})}

.

${\ displaystyle v_ {1}}$ is a constant initialization vector. Grøstl can calculate hash values from to bits, in whole byte steps. The variant with bit hash length is called Grøstl-n . depends on the hash length; it is for and for greater hash lengths. ${\ displaystyle n = 8}$ ${\ displaystyle n = 512}$ ${\ displaystyle n}$ ${\ displaystyle l}$ ${\ displaystyle l = 512}$ ${\ displaystyle n \ leq 256}$ ${\ displaystyle l = 1024}$

The compression and finalization functions are based on two permutations , each of which bijectively map a bit input to an output of the same length : ${\ displaystyle P, Q}$ ${\ displaystyle l}$

{\ displaystyle f (v, m) = P (v \ oplus m) \ oplus Q (m) \ oplus v}

{\ displaystyle g (v) = \ operatorname {trunc} (P (v) \ oplus v, n)}

${\ displaystyle \ oplus}$ stands for the bit-by-bit XOR operation . The output of is created by omitting the bits that go beyond this ( truncation ). ${\ displaystyle g}$ ${\ displaystyle n}$

${\ displaystyle P}$ and are very similar to the AES block encryption , among other things, the same S-Box is used for this. You apply a round function 10 times ( ) or 14 times ( ) to the data block in order to permute its values. ${\ displaystyle Q}$ ${\ displaystyle l = 512}$ ${\ displaystyle l = 1024}$

safety

In the SHA-3 selection process, the low security margin - compared to other finalists - was criticized, as well as possible cache-time attacks , which, however, depend on the implementation. The advantages were the intensive cryptanalysis and the good understanding based on the AES block cipher.

Individual evidence

^ M. Schläffer: Updated Differential Analysis of Grøstl . January 2011.
↑ Derivation of the name
^ National Institute of Standards and Technology: Third-Round Report of the SHA-3 Cryptographic Hash Algorithm Competition . November 2010. p. 33 doi : 10.6028 / NIST.IR.7896

Web links

Official website

[1] M. Schläffer: Updated Differential Analysis of Grøstl . January 2011.

[2] Derivation of the name

[3] National Institute of Standards and Technology: Third-Round Report of the SHA-3 Cryptographic Hash Algorithm Competition . November 2010. p. 33 doi : 10.6028 / NIST.IR.7896