Gröstl
Gröstl | |
---|---|
developer | Praveen Gauravaram, Lars R. Knudsen, Krystian Matusiewicz, Florian Mendel, Christian Rechberger, Martin Schläffer, Søren S. Thomsen |
Released | 2008 |
Derived from | AES |
Certification | Finalist in the SHA-3 selection process |
Length of the hash value (bit) | 224, 256, 384, 512 |
construction | wide-pipe Merkle Damgård construction |
Round | 10 (Grøstl-224, Grøstl-256) 14 (Grøstl-384, Grøstl-512) |
Best known cryptanalysis | |
M. Schläffer: Updated Differential Analysis of Grøstl. January 2011. Collision on 3 rounds of Grøstl-224 and Grøstl-256 with a time complexity of 2 64 and on 3 rounds of Grøstl-512 with a time complexity of 2 192 |
Grøstl is a cryptographic hash function . It was developed by a team of Danish and Austrian scientists led by the cryptographer Lars Knudsen . Grøstl was one of the candidates in the competition for the future SHA-3 standard . He was selected as one of five finalists in December 2010.
It was named after the Austrian dish Gröstl , which is similar to the US hash .
construction
The message is expanded and divided into blocks of bits each , which are processed one after the other. A block is entered into a compression function together with a concatenation value, which is also bits, which supplies the next concatenation value. The last concatenation value is entered into a finalization function that calculates the hash value:
- .
is a constant initialization vector. Grøstl can calculate hash values from to bits, in whole byte steps. The variant with bit hash length is called Grøstl-n . depends on the hash length; it is for and for greater hash lengths.
The compression and finalization functions are based on two permutations , each of which bijectively map a bit input to an output of the same length :
stands for the bit-by-bit XOR operation . The output of is created by omitting the bits that go beyond this ( truncation ).
and are very similar to the AES block encryption , among other things, the same S-Box is used for this. You apply a round function 10 times ( ) or 14 times ( ) to the data block in order to permute its values.
safety
In the SHA-3 selection process, the low security margin - compared to other finalists - was criticized, as well as possible cache-time attacks , which, however, depend on the implementation. The advantages were the intensive cryptanalysis and the good understanding based on the AES block cipher.
Individual evidence
- ^ M. Schläffer: Updated Differential Analysis of Grøstl . January 2011.
- ↑ Derivation of the name
- ^ National Institute of Standards and Technology: Third-Round Report of the SHA-3 Cryptographic Hash Algorithm Competition . November 2010. p. 33 doi : 10.6028 / NIST.IR.7896