## Cryptanalysis of GRINDAHL

Citations: | 9 - 4 self |

### BibTeX

@MISC{Peyrin_cryptanalysisof,

author = {Thomas Peyrin},

title = {Cryptanalysis of GRINDAHL},

year = {}

}

### OpenURL

### Abstract

Abstract. Due to recent breakthroughs in hash functions cryptanalysis, some new hash schemes have been proposed. GRINDAHL is a novel hash function, designed by Knudsen, Rechberger and Thomsen and published at FSE 2007. It has the particularity that it follows the RIJNDAEL design strategy, with an efficiency comparable to SHA-256. This paper provides the first cryptanalytic work on this new scheme. We show that the 256-bit version of GRINDAHL is not collision resistant. With a work effort of approximatively 2 112 hash computations, one can generate a collision. Key words: GRINDAHL, hash functions, RIJNDAEL. 1

### Citations

2577 | Handbook of Applied Cryptography
- Menezes, Oorschot, et al.
- 1996
(Show Context)
Citation Context ...reimage resistance and collision resistance. For an ideal hash function with an n-bit output, one expects that compromising these properties should require 2 n , 2 n and 2 n/2 operations respectively =-=[12]-=-. A possible way of building a hash function has been introduced by the pioneering work of Merkle and Damgård [22,10], using an iterative process: at each iteration, a fixed-length input function h (t... |

299 |
A design principle for hash functions
- Damg̊ard
- 1989
(Show Context)
Citation Context ...promising these properties should require 2 n , 2 n and 2 n/2 operations respectively [12]. A possible way of building a hash function has been introduced by the pioneering work of Merkle and Damgård =-=[22,10]-=-, using an iterative process: at each iteration, a fixed-length input function h (the compression function) updates an internal state called chaining variable with some part of the message. With some ... |

218 |
The Design of Rijndael
- Daemen, Rijmen
- 2002
(Show Context)
Citation Context ... 2 Description of GRINDAHL GRINDAHL is a family of hash functions based on the so-called Concatenate-PermuteTruncate strategy, where in our case the permutation uses the design principles of RIJNDAEL =-=[11]-=-, well known for being the winning candidate of the Advanced Encryption Standard (AES) process [23]. Two algorithms are defined, a version with a 256-bit output and a 512-bit one. Also, a compression ... |

107 | Black-Box Analysis of the Block-Cipher-Based Hash-Function Constructions from
- Black, Rogaway, et al.
- 2002
(Show Context)
Citation Context ...omain is the construction of secure compression functions based on block ciphers. The problem of building a secure n-bit compression function from an ideal n-bit block cipher is more or less resolved =-=[28,29,7]-=- and due to a need of bigger output size the cryptographic community is now concentrated on the problem of building a secure (k × n)-bit compression function from an ideal n-bit block cipher [13,26,31... |

61 | Multi-property-preserving hash domain extension and the EMD transform
- Bellare, Ristenpart
- 2006
(Show Context)
Citation Context ...to the problem of building a collision-resistant compression function h. However, due to recent attacks [16,18,17,14] against this iterative process, other hash domain extensions have been introduced =-=[2,5]-=-. Almost all the proposed hash functions define a compression function to be used with any hash domain extension algorithm. There are basically three different ways of building a compression function.... |

44 | C.: Finding SHA-1 characteristics: General results and applications
- Cannière, Rechberger
- 2006
(Show Context)
Citation Context ...ession function is from scratch, for example the well known and standardized SHA-1 [25] or MD5 [30]. However, almost all of this type of hash functions have been broken by novel cryptanalysis results =-=[32,33,34,35,8]-=-. To anticipate further improvements of the attacks, the NIST is initiating an effort [24] to develop one or more additional hash algorithms through a public competition, similar to the development pr... |

38 | Some Plausible Constructions of Double-Block-Length Hash Functions
- Hirose
- 2006
(Show Context)
Citation Context ...[28,29,7] and due to a need of bigger output size the cryptographic community is now concentrated on the problem of building a secure (k × n)-bit compression function from an ideal n-bit block cipher =-=[13,26,31]-=-. Finally, the most common and efficient way of building a compression function is from scratch, for example the well known and standardized SHA-1 [25] or MD5 [30]. However, almost all of this type of... |

28 | N.: Improved fast syndrome based cryptographic hash functions
- Finiasz, Gaborit, et al.
- 2007
(Show Context)
Citation Context ...ed in K. Kurosawa (Ed.): ASIACRYPT 2007, LNCS 4833, pp. 551–567. c○ Springer-Verlag Berlin Heidelberg 2007sproblem, such as factorisation [9], finding small vectors in lattices [3], syndrome decoding =-=[1]-=- or solving multivariate quadratic equations [6]. The usually bad efficiency of these schemes is compensated by the proofs of security they provide. Another very active domain is the construction of s... |

17 |
RadioGatún, a belt-and-mill hash function
- Bertoni, Daemen, et al.
(Show Context)
Citation Context ...on, similar to the development process for the Advanced Encryption Standard [23]. In parallel, new hash functions have been published very recently, such as FORK256 [15] (broken in [21]), RADIO-GATÙN =-=[4]-=- or GRINDAHL [20]. We show here that for the GRINDAHL hash function one can find a collision (resp. a second preimage) with a work effort of 2 112 (resp. 2 224 ) hash computations approximatively, whe... |

15 | O.: A framework for iterative hash functions - HAIFA. Cryptology ePrint Archive, Report 2007/278
- Biham, Dunkelman
- 2007
(Show Context)
Citation Context ...to the problem of building a collision-resistant compression function h. However, due to recent attacks [16,18,17,14] against this iterative process, other hash domain extensions have been introduced =-=[2,5]-=-. Almost all the proposed hash functions define a compression function to be used with any hash domain extension algorithm. There are basically three different ways of building a compression function.... |

13 | VSH, an efficient and provable collision-resistant hash function
- Contini, Lenstra, et al.
(Show Context)
Citation Context ...French RNRT SAPHIR project (http://www.crypto-hash.fr). Appeared in K. Kurosawa (Ed.): ASIACRYPT 2007, LNCS 4833, pp. 551–567. c○ Springer-Verlag Berlin Heidelberg 2007sproblem, such as factorisation =-=[9]-=-, finding small vectors in lattices [3], syndrome decoding [1] or solving multivariate quadratic equations [6]. The usually bad efficiency of these schemes is compensated by the proofs of security the... |

8 | T.: On building hash functions from multivariate quadratic equations
- Billet, Robshaw, et al.
- 2007
(Show Context)
Citation Context ...33, pp. 551–567. c○ Springer-Verlag Berlin Heidelberg 2007sproblem, such as factorisation [9], finding small vectors in lattices [3], syndrome decoding [1] or solving multivariate quadratic equations =-=[6]-=-. The usually bad efficiency of these schemes is compensated by the proofs of security they provide. Another very active domain is the construction of secure compression functions based on block ciphe... |