Improved (Pseudo) Preimage Attack and Second Preimage Attack on Round-Reduced Grøstl Hash Function *

Transcription

1 JOURNAL OF INFORMATION SCIENCE AND ENGINEERING 30, (014) Improved (Pseudo) Preimage Attack and Second Preimage Attack on Round-Reduced Grøstl Hash Function * JIAN ZOU 1,, WENLING WU 1, SHUANG WU 1 AND LE DONG 1, 1 TCA Institute of Software Chinese Academy of Sciences Beijing, P.R. China Graduate University of Chinese Academy of Sciences Beijing, P.R. China {zoujian; wwl; wushuang; dongle}@is.iscas.ac.cn The Grøstl hash function is one of the five finalists in the third round of SHA-3 competition hosted by NIST. In this paper, we propose some improved (pseudo) preimage attacks on the Grøstl hash function by using some techniques, such as subspace preimage attack and the guess-and-determine technique. We present the improved pseudo preimage attacks on 5-round Grøstl-56 hash function and 8-round Grøstl-51 hash function, and the complexities of these attacks are ( 39.90, ) (in time and memory) and ( , 499 ), respectively. We also extend the pseudo preimage from 5 rounds to 6 rounds for Grøstl-56 hash function, besides the biclique attack. Furthermore, we propose the pseudo second preimage attack on 6-round Grøstl-56 hash function. The complexities of our 6-round (pseudo) preimage and second preimage attacks are ( 53.6, ) and ( 51.0, 5.0 ), respectively. As far as we know, these are the best known preimage attacks on round-reduced Grøstl hash function. Keywords: Grøstl, hash function, meet-in-the-middle, guess-and-determine, preimage attack, initial structure 1. INTRODUCTION Cryptographic hash function is an important primitive in modern cryptography, it is used in many applications, including MAC algorithms, digital signature schemes and so on. In general, hash function must satisfy three security requirements: preimage resistance, second preimage resistance and collision resistance. After the pioneering work of Wang et al., many new methods were proposed to attack hash functions. There is a strong need for a secure and efficient hash function since the cryptanalysis of hash functions has been significantly improved. In 007, NIST announced the SHA-3 competition [8] in order to select a secure hash function design. Grøstl [4] is one of the five finalists in the third round of SHA-3 competition, which is proposed by Gauravaram et al. Grøstl is an iterated hash function based on the Merkle- Damgård design. It adopts the wide-pipe compression function and follows the AES design strategy. Since the state is double-sized as the hash value, it is difficult to construct an attack on Grøstl hash function. In FSE 008, Leurent [7] proposed the first preimage attack on the full MD4 hash function. From then on, many preimage attacks were published and some novel tech- Received January 11, 013; revised April 1 & July 10 & October 18, 013; accepted November 3, 013. Communicated by Vincent Rijmen. * This work is supported by The National Basic Research Program of China 973 Program (013CB33800); The National Natural Science Foundation of China (617476, ). 1789

2 1790 JIAN ZOU, WENLING WU, SHUANG WU AND LE DONG niques were proposed. One of them was the meet-in-the-middle (MitM) preimage attack with the splice-and-cut technique. This method was first proposed by Aoki and Sasaki to attack MD4 []. The MitM preimage attack has been applied to many hash functions such as MD4 [, 7], MD5 [11], Tiger [5], HAVAL-3/4 [10], RIPEMD [15], SHA-0/1 [3], and SHA- [1, 5]. In CRYPTO 009, Aoki and Sasaki [3] combined the MitM attack with the guessing of carry bits technique to improve their preimage attacks on SHA-0 and SHA-1. In FSE 011, Sasaki [9] proposed the MitM preimage attack on AES hash mode for the first time. In FSE 01, Wu et al. [16] improved its complexity and proposed the pseudo preimage attack on Grøstl hash function. Firstly, the pseudo preimage attack of Wu et al. was converted into a three-sum problem. Then, utilizing the b-bit partial preimage technique, the authors made their complexity lower than the birthday bound. In this article, we found out that the attack of Wu et al. could be divided into twophase MitM attacks. It was only necessary to solve the subspace preimage instead of the b-bit partial preimage in the first phase of the MitM attack. Then the left relationships would be matched in the second time MitM attack. The detail of the subspace preimage was shown in the following sections. Compared with b-bit partial preimage, the subspace preimage could achieve some balance between the two-phase MitM attacks, and then reduce the overall complexity. Using the subspace preimage technique, we proposed an improved pseudo preimage attack on 5-round Grøstl-56 hash function. Then we combined the guess-and-determine technique with the MitM attack to improve the pseudo preimage attack on 8-round Grøstl-51 hash function. We also proposed a pseudo preimage attack and a pseudo second preimage attack on 6-round Grøstl-56 hash function by using a complicated initial structure. Our results are summarized in Table 1. Table 1. Comparison to previous works. Algorithm Target Attack Type Rounds Time Memory Source Hash Function Collision 3 64 [13] Compression Function Semi-Free-Start Collision [13] Permutation Distinguisher [1] [16] Grøstl-56 Output Transformation Preimage [6] Sect [16] Pseudo Sect.4 Preimage Hash Function Sect.6 Pseudo Second Preimage Sect.7 Hash Function Collision 3 19 [13] Compression Function Semi-Free-Start Collision [1] Grøstl [16] Output Transformation Preimage Sect.5.1 Hash Function Pseudo [16] Hash Function Preimage Sect.5

3 PSEUDO (SECOND) PREIMAGE ATTACK ON GRØSTL 1791 This paper is organized as follows. We describe Grøstl hash function in Section. In Section 3, we make a brief introduction to the previous work and our improvement work on Grøstl. Then we give our attacks on Grøstl in Sections 4-7. Section 8 concludes this paper..1 Specification of Grøstl. SPECIFICATIONS AND NOTATIONS Grøstl adopts a wide-pipe design. The chaining values are 51-bit and 104-bit for Grøstl-56 and Grøstl-51, respectively. The padding rule is omitted here, since it is not involved in our attacks. Assume a message is padded and divided into message blocks M 0, M 1,, M k-1. The hash value h is generated as follows: CV 0 IV, CV i+1 CF(CV i, M i ) for i = 0, 1,, k 1, h = Trunc n (P(CV k )CV k ). Here IV is the initial value, and CF(CV i, M i ) is the compression function of Grøstl. P(CV k ) is a permutation that is a component of the compression function and will be defined later. Trunc n ( ) is the truncation function. The compression function uses two permutations P( ) and Q( ), and computes as follows (also in Fig. 1): CF(CV i, M i ) = P(CV i M i ) Q(M i ) CV i. Fig. 1. Compression function and Output transformation. Fig.. Byte positions for Grøstl-56. Here, byte positions in a state S for Grøstl-56 hash function are denoted by integer numbers N, N {0, 1,,, 63}, as shown in Fig.. We often denote several bytes of state S by S[a, b, ], e.g. 8 bytes in the rightmost column are denoted by S[56, 57,, 63]. Here CV i is the chaining value and M i is the message block. P( ) and Q( ) are AESlike permutations with 8 8 and 8 16 sized states for Grøstl-56 and Grøstl-51, respectively. Grøstl-56 adopts 10-round P( ) and Q( ). Grøstl-51 uses 14-round P( ) and Q( ). The round function of the permutations consists of the following four operations: AddConstant: The AddConstant operation xors a round constant to the state. SubBytes: The SubBytes transformation applies an S-box to each cell of the state. ShiftRows: The ShiftRows transformation cyclically rotates the cells of the ith row leftward by a shift vector (define later). MixColumns: In the MixColumns operation, each column of the matrix is multiplied by an MDS matrix.

4 179 JIAN ZOU, WENLING WU, SHUANG WU AND LE DONG We use AC, SB, SR and MC to denote these transformations for short. The shift vectors used in P( ) and Q( ) are different. P( ) in Grøstl-56 uses (0, 1,, 3, 4, 5, 6, 7) and in Grøstl-51 uses (0, 1,, 3, 4, 5, 6, 11). Q( ) in Grøstl-56 uses (1, 3, 5, 7, 0,, 4, 6) and in Grøstl-51 uses (1, 3, 5, 11, 0,, 4, 6). For a detailed explanation, we refer to the original paper [4]. As shown in the submission document of Grøstl [4], if we make CV i = CV i M i, then the compression function can be rewritten as CF( CV, M ) P( CV ') CV ' Q( M ) M. i i i i i i This important property will be used in our attacks.. Definition of Attacks Suppose that the range of the target function H is {0, 1} n. Several attacks are defined as follows: Definition 1 (Preimage Attack): Given IV and t, find M such that H (IV, M) = t. Definition (Pseudo Preimage Attack): Given t, find (IV, M) such that H (IV, M) = t. Definition 3 (Partial Preimage Attack): Given IV and t 0, find M such that H (IV, M) = t 0 * (or Trunc s (H (IV, M)) = t 0 ), where t 0 is an s-bit value and Trunc s ( ) is the truncation function. Definition 4 (Subspace Preimage Attack): Given IV and t, find M such that L(H(IV, M)) = t, where L( ) is a function with a range of {0,1} s and s n. Definition 5 (Pseudo Second Preimage Attack): Given H(IV 1, M 1 ) = t, find (IV, M ) such that H(IV, M ) = H(IV 1, M 1 ) = t. The partial preimage attack is used by Wu et al. [16] for the intermediate step of the pseudo preimage attack on Grøstl hash function. In this paper, our 5-round and 8-round pseudo preimage attacks on Grøstl hash function are based on subspace preimage attack. Specifically, by finding preimages in a linear subspace (with a linear function L( )), we can reduce the overall complexity of the previous attack. The details will be described in the following sections. 3.1 Previous Works 3. PREVIOUS WORKS AND OUR IMPROVEMENT In FSE 01, Wu et al. [16] proposed the pseudo preimage attacks on Grøstl hash function. Their ideas can be summarized as below. Suppose the length of the hash output is n-bit and the state size is n-bit. To find a pseudo preimage (CV, M) of Grøstl, it is desirable to invert the output transformation of Grøstl. Let X = CF (CV, M), then X is the

5 PSEUDO (SECOND) PREIMAGE ATTACK ON GRØSTL 1793 preimage of the output transformation. With H = CV M, we get (P(H) H) (Q(M) M) X = 0. Then the pseudo preimage attack turns into a three-sum problem. Using four parameters x 1, x, x 3 and b, the attack process can be described as follows (also in Fig. 3): Step 1: Find x1 preimages X of the output transformation and store them in a lookup table L 1. 3 Step : Find x H such that the leftmost b bits of P(H) H are zero. This step is considered to find partial zero preimages on P(H) H. Then store P(H) H in a lookup table L. Step 3: Find x random M with the correct padding and calculate Q(M) M. Check if there exists an entry in L 1 that matches the leftmost b bits of Q(M) M. Then x x b partial matches Q(M) M X, whose leftmost b bits are all zero, are expected to remain Step 4: For each of the x x b Q(M) M X remained in Step 3, check if there exists an entry in L that matches the remaining (n b) bits. Once a full match is found, a pseudo preimage of Grøstl hash function is found. Fig. 3. Outline for Wu s attack on Grøstl. Fig. 4. Outline for our attack on Grøstl. 1 Suppose for Grøstl with n-bit state, it needs C ( n, n) computations to find a fixed position n-bit partial preimage of X and it needs C ( n, b) computations to find a chosen position b-bit partial preimage of P(H) H. Then the complexity for each step can be 1+ 1(, ) calculated as follows: In Step 1, building the lookup table L 1 takes x C n n computations and x1 3+ (, ) memory. In Step, building the lookup table L takes x C n b computations and x3 memory. In Step 3, it takes x Q calls to calculate Q(M) M in order to check the partial match in lookup table L 1. The complexity is equivalent to x -1 compression function calls. In Step 4, checking the final match for x x b candidates needs 1+ - x x b 1+ - table lookup, which can be equivalently regarded as x x b C TL compression function calls. C TL is the complexity of one table lookup, where unit one is one compression function call. C TL is chosen as 1/640 and 1/048 for 6-round Grøstl-56 and 8-round

6 1794 JIAN ZOU, WENLING WU, SHUANG WU AND LE DONG Grøstl-51, respectively. And the overall complexity to compute the pseudo preimage of x1+ C1( n, n) x3+ C( n, b) x-1 x1+ x-b 1 3 Grøstl is: C TL, with memory requirement of x + x. x Note that the condition of 1 + x + x 3 - n 1should be satisfied in order to find one final match. 3. Outline for Our Pseudo Preimage Attack on the Grøstl Hash Function Since the attack of Wu et al. can be divided into two-phase MitM attack, we just need the state to satisfy some linear relationships instead of finding a b-bit partial pre- image in the first phase of the MitM attack. We can reduce the complexity of C ( n, b) in this way. Since the overall complexity of Wu et al. is calculated by x 1, x, x 3, C 1 (n, n) and C (n, b), if we can reduce the complexity of C ( n, b) and find the balance between other parameters, the overall complexity can be reduced. We will show how to find the balance in the following sections. As a result, we propose the subspace preimage attack to improve the b-bit partial preimage attack. Subspace preimage attack can be defined by a linear subspace (with a linear function L( )). In subspace preimage attack process, we store the L(A) in the lookup table L Sub, and check if there exists an entry in L Sub that L(A) is equal to L(B). If we find one, L(A B) is equal to 0, which means A B is in the linear subspace. In other words, we just match the linear relationship in subspace preimage attack. In this way, we can decrease the load for the partial matching. An example of the subspace preimage attack is shown in Fig. 5. We should compute the 16-bit state value (red) in partial preimage attack, however we just need to find the value of the two states (red) to satisfy a given 8-bit linear relationship (decided by the blue states) in the subspace preimage attack. Note that the subspace preimage attack is valid when the whole attack process can be divided into two-phase MitM attack (also in Fig. 4). Fig. 5. An example of subspace preimage attack. In [16], the notation (, ) C n b stands for the complexity to find a b-bit chosen position partial preimage of P(H) H. We adopt the same notation for the subspace preimage. Here, b denotes the bit size of the output of the linear function L( ). The linear subspace defined by the equation L(x) = t 0 whose dimension is n b. Note that a b-bit partial preimage is a special kind of subspace preimage, where the linear function for the subspace is L(x) = Trun b (x). As shown in Fig. 4, the attack can be described as follows: we adopt the subspace preimage attack in the first stage of MitM attack. Then we match the left bytes in the second time MitM attack. Using the same four parameters x 1, x, x 3 and b, our attack process can be described as follows:

7 PSEUDO (SECOND) PREIMAGE ATTACK ON GRØSTL 1795 Step 1: Find x1 preimages X of the output transformation and store them in a lookup table L 1. Step : Find x3 subspace preimages of P(H) H. Then store P(H) H in a lookup table L. Step 3: Find x random M with the correct padding and calculate Q(M) M. Check if there exists an entry in L 1 that Q(M) M X is in the same subspace of P(H) H Then x x b partial matches Q(M) M X are expected to remain Step 4: For each of the x x b QM ( ) M Xremained in Step 3, check whether there exists an entry in L that matches the remaining (n b) bits. Once a full match is found, a pseudo preimage of Grøstl hash function is found. Then the overall complexity to compute the pseudo preimage of Grøstl is similar to Wu et al. [16] and can be written as: x1+ C1( n, n) x3+ C( n, b) x-1 x1+ x-b C TL, (1) 1 3 with the memory requirement of x + x. Note that our subspace preimage attack just improve the complexity of C ( n, b ). 4. IMPROVED PSEUDO PREIMAGE ATTACK ON 5-ROUND GRØSTL-56 HASH FUNCTION According to Eq. (1), the overall complexity to compute the pseudo preimage of Grøstl depends on parameters: x 1, x, x 3, C 1 (n, n) and C (n, b). 1 Since Wu et al. [16] have proved that their method to compute C (51,56) = 06 for 1 5-round Grøstl-56 is optimal, it seems impossible to improve the C (51,56). However we find that C (51, b) can be optimized by the subspace preimage attack. We will show our techniques in this section. As a result, we can improve the overall complexity of pseudo preimage attack on 5-round Grøstl Subspace Preimage Attack on P(H) H We show the chunk separation for the subspace preimage attack in Fig. 6. As shown in Fig. 6, we adopt the MitM attack here and there are five colors shown in it. The red/ blue color bytes mean neutral bytes. They are independent from each other. The white color bytes stand for the bytes whose values are affected by both red and blue bytes, and we cannot determine their values until a partial match is found. The gray bytes are constants, which we can choose randomly in the initial structure. The yellow (principal diagonal) bytes are truncated bytes. For convenience, some parameters for the MitM attack should be presented: the matching point size m, the freedom degrees D r (corresponding to red bytes) and D b (corresponding to blue bytes). Without loss of generality, we assume that D b D r. We use

8 1796 JIAN ZOU, WENLING WU, SHUANG WU AND LE DONG AC SB SR MC AC SB SR MC AC SB SR MC Initial structure AC SB SR MC AC SB SR MC Matching point Fig. 6. Chunk separation of 5-round chosen position subspace preimage attack on P(H) H for Grøstl-56. (d r, d b ) to indicate the actually used freedom degrees. The MitM preimage attack can be described in the following steps: Step 1: Set random values to constants in the initial structure. Step : For all possible dr values of red bytes, compute backward from the initial structure and obtain the values at the matching point. Store the values in a lookup table L r. Step 3: For all possible db values of blue bytes, compute forward from the initial structure and obtain the results at the matching point. Check if there exists an entry in L r that matches the result at the matching point. Step 4: If no full match has been found, repeat the above 3 steps. In Fig. 6, freedom degrees for the red and blue bytes are D r (= 48 bits) and D b (= 64 bits). Besides, the matching point size is m max (= 64 bits), since we can construct 64 bits linear relationship for the last four columns. If we just set d r = d b = 48 bits and m best = 48 bits, we can find 48 (= / 48 ) 48-bit subspace preimages with the complexity of 48. It means that a 48-bit subspace preimage is found with the complexity of 0 (= 48 / 48 ). Here the complexity is measured by compression function calls. It takes about half P ( ) calls in the MitM attack, i.e. 1/4 compression function calls to evaluate the matching point for each direction. Therefore the complexity has a fraction C (51,48) - 0 : =. We will multiply the same coefficient in the following of this paper. The complexity of C( 51,48) in our attack is smaller than the complexity of C ( 51,31) 14 in Wu s attack. 1 With C ( 51,56) 06 C( 51,48) and, we can compute the best overall complexity of the pseudo preimage attack for 5-round Grøstl-56. When b = 48, x 1 = 3.4, x = 39.4 and x 3 = 40.4, we can improve the overall complexity to about Memory requirement is about 40.4.

9 PSEUDO (SECOND) PREIMAGE ATTACK ON GRØSTL IMPROVED PSEUDO PREIMAGE ATTACK ON 8-ROUND GRØSTL-51 HASH FUNCTION In this section, we will discuss how to reduce the overall complexity of the 8-round pseudo preimage attack on Grøstl-51 hash function by improving the complexity of 1 C (104,51) and C (104, b ). 5.1 Preimage Attack on 8-round Grøstl-51 Output Transformation Our 8-round preimage attack on the output transformation of Grøstl-51 combines the guess-and-determine technique with the MitM attack. The guess-and-determine technique was firstly used in the preimage attack on SHA-0/SHA-1 by Aoki and Sasaki [3]. By guessing some unknown bytes, all the possible values of the guessed bytes are used as extra freedom degrees in the MitM attack. As a result, we can obtain enough matching points. Note that the guessed bytes are extra constraints after finding a partial match, and we should check the guessed value to produce a valid preimage. We will show more details about the guessing technique in the following attack algorithm. The chunk separation of the 8-round attack (combine the guess-and-determine technique with the MitM attack) is shown in Fig. 7. Since Grøstl-51 compression function has slow diffusion, we can construct a -round initial structure easily. As shown in Fig. 7, we use the purple bytes (counter-diagonal) as the guessed bytes and other colors are the same meanings as described in the MitM attack. In order to evaluate the complexity for this attack, we should define these parameters: freedom degrees in red and blue bits (D r, D b ), the guessed red and blue bits (D gr, D gb ), the bits of the matching point m and the bits of the partial preimage size b. Here we also use (d r, d b ) to denote the actually used freedom degrees. The attack procedure is similar to the MitM attack which can be described as follows: Step 1: Set the constants in the initial structure randomly. Step : For all possible values dr of the red bytes and Dgr of the guessed red bytes, compute backward from the initial structure and obtain the value at the matching point. Store the values in a lookup table L. Step 3: For all possible value d D b of the blue bytes and gb of the guessed blue bytes, compute forward from the initial structure and obtain the value at the matching point. Check if there exists an entry in L that matches the result at the matching point. The expected number of the partial matches is dr dbdgr Dgb m. Step 4: Once a partial match is found; compute and check if the guessed value is right. Dgr Dgb d The probability of the validity is. There are r d b m valid partial matches left. Then we continue the computation and check the full match. The probability that a partial match is a full match is n ( ) m. Step 5: The success probability for the above 4 steps (from Step 1 to Step 4) is ( ) ( ) d r d b D gr D gb m gr gb r b D D nm d d n. Then we should repeat the above four steps

10 1798 JIAN ZOU, WENLING WU, SHUANG WU AND LE DONG ndr db times to find a full match. The complexity for each step can be calculated as follows: In Step, building the d lookup table L takes r D gr d computations and memory. In Step 3, it takes b D gb computations to find the partial matches. The expected number of the partial matches is dr dbdgr Dgb m dr dbdgr Dgb m. In Step 4, testing all the partial matches needs computations. The probability of the validity is, and there are r d b m valid partial ( Dgr Dgb ) d + ndr db matches left. In Step 5, we should repeat the above four steps times. Then the complexity of the above attack algorithm is: nd r + b + r + b + + r d d D b gr d Dgb d d Dgr Dgb m ( ). () In Fig. 7, the parameters for the attack on the output transformation of 8-round Grøstl are as follows: d r = d b = 80 bits, D gr = D gb = 40 bits, m = 144 bits and n = 51 bits. According to Eq. (), the complexity of our attack can be calculated as C 1(104,51) = - 51 ( ) 470 compression function calls. The memory requirement is = 10. Then the complexity of C 1(104,51) 470 in our attack is smaller than the complexity of C 1(104,51) 495 in Wu s attack. Note that the guess-and-determine technique is especially useful for the slow diffusion target. Fig. 7. Chunk separation of preimage attack on 8-round Grøstl-51 output transformation.

11 PSEUDO (SECOND) PREIMAGE ATTACK ON GRØSTL Subspace Preimage Attack on P(H)H We show the chunk separation of subspace preimage attack on P(H)H in Fig. 8. Note that we do not adopt the guess-and-determine technique here, because we cannot find a good guess-and-determine way to make the complexity better than the simple MitM attack. We find out the guess-and-determine method is not fit for the b-bit subspace preimage attack when b is small. The parameters for the MitM attack: the freedom degrees D r = 16 bits, D b = 16 bits. The size of matching point b max is 3 bits. We set d r = d b = b best = 16 bits, and then we can find 16 (= / 16 ) 16-bit subspace preimages with the complexity of 16. It means that a 16-bit subspace preimage is found with the complexity of 0 (= 16 / 16 ). The complexity is C (104,16) 0. C According to Eq. (1) and 1 (104,51) 470 C, (104,16), we can rewrite the overx all complexity as 1470 x3 x1 x1x16 C TL. When b = 16, x 1 = 7, x = 498 and x 3 = 499, it has the minimum complexity The memory requirement is 499. Note that we can use the memoryless MitM attack in our pseudo preimage attack, but the memoryless MitM attack leads to a higher complexity. Moreover, the memory requirement of our attack is mainly on the generalized birthday attack [14], which is much bigger than the requirement in the MitM preimage attacks. As a result, we do not use the memoryless MitM technique. Fig. 8. Chunk separation of 8-round chosen position subspace preimage attack on P(H) H for Grøstl-51.

12 1800 JIAN ZOU, WENLING WU, SHUANG WU AND LE DONG 6. PSEUDO PREIMAGE ATTACK ON 6-ROUND GRØSTL-56 HASH FUNCTION Since Grøstl-56 compression function achieves full diffusion in two rounds, the previous techniques only can attack 5-round Grøstl-56. Using so-called biclique technique, Khovratovich [6] has proposed a 6-round attack on Grøstl-56 output transformation function. 6.1 Preimage Attack on 6-round Grøstl-56 Output Transformation Our 6-round preimage attack is obtained by combining the MitM attack with a complicated initial structure. The detail of the initial structure is shown as follows (also in Fig. 9): Fig. 9. Chunk separation of preimage attack on 6-round Grøstl-56 output transformation. Step 1: Randomly set the State value #6[1,3,5,7,8,10,1,14,17,19,1,3,4,6,8,30] (gray). Step : Set the value of the State #4[0,5,6,7,8,9,14,15,16,17,18,3,4,5,6,7] (blue) so that the chosen 4 bytes at State #3[7,14,1,8] (red) can be achieved through the Inverse- MixColumns operation. Step 3: For each value of the State #4[0,5,6,7,8,9,14,15,16,17,18,3,4,5,6,7] (blue), we can calculate through the SubBytes and ShiftRows operations and get the corresponding values of the State #5[0,1,,3,8,9,10,15,16,17,,3,4,9,30,31] (blue). Step 4: With the known values of State #5 (blue) and State #6 (gray), we calculate the rest blue bytes of State #5 and State #6 through the MixColumns operation. Step 5: With the calculated bytes #5[4,5,6,7,11,1,13,14,18,19,0,1,5,6,7,8], we compute the values of #4[33,34,35,36,4,43,44,45,51,5,53,54,60,61,6,63] through the Inverse-ShiftRows and Inverse-SubBytes operations. We check whether the values of the

13 PSEUDO (SECOND) PREIMAGE ATTACK ON GRØSTL 1801 State #4[33,34,35,36,4,43,44,45,51,5,53,54,60,61,6,63] satisfy the linear relationship so that the chosen 4 bytes at #3[35,4,49,56] can be achieved through the Inverse-Mix- Columns operation. For Grøstl-56 compression function, we suppose that it needs C r computations to find a suitable initial structure for the forward direction (from #6 to #8) and it needs C b computations to find a suitable initial structure for the backward direction (from #6 to #4). Then the complexity to find a suitable initial structure can be written as follows: ndbdr d ( r Cr dbcb dbdr m n Cr db Cbdr m ) ( ). (3) Note that the initial structure is from State #4 to State #8, the above steps just shows the process from State #6 to State #4 (backward direction). The process form State #6 to State #8 (forward direction) is similar to the process from State #6 to State #4, and we omit the details. The state values of #4[33,34,35,36,4,43,44,45,51,5,53,54,60,61,6,63] in Step 5 should satisfy an 8-bit linear relationship in each column, so we should repeat the above 5 steps 3 times to get an initial structure that satisfies our requirements. Compared with the guess-and-determine MitM attack, our new attack has two advantages: 1. We do not require the matching points m > D b +D r. It only requires d r > C b and d b > C r.. There are no guessed bytes; we do not have to check if the guessed values are right. Therefore this attack is suitable for the partial preimage attack. The parameters for this attack are as follows: C r = C b = 3 bits, d r = d b = 40 bits, m = 8 bits and n = 56 bits. According to Eq. (3), the complexity is C 1 (51,56) = - 56 ( ) 46 compression function calls. Note that the complexity of ( 46, 8 ) (time, memory) in our attack is smaller than ( 51, 51 ) in Khovratovich attack [6]. 6. Preimage Attack on P(H) H Since the guess-and-determine MitM attack is not suitable for the partial preimage attack, our new 6-round preimage attack is suitable to achieve a better C 1(n,b). As shown in Fig. 9, the parameters for our attack are as follows: C r = C b = 3 bits, m = 8 bits. We set d r = d b = 40 bits, then 8 (= / 8 ) 8-bit subspace preimages can be found with a complexity of 8. It means that an 8-bit subspace preimage can be found with a complexity of 0 (= 8 / 8 ). Then the complexity is C (51,8) = According to Eq. (1) and C 1(51,56) 46, C (51,8) -, we can rewrite the overall complexity as x x x -1 + x 1 +x -8 C TL. When x 1 = 5.67, x = 5.67, b = 8 and x 3 = 53.67, the minimum complexity is The memory requirement is PSEUDO SECOND PREIMAGE ATTACK ON 6-ROUND GRØSTL-56 HASH FUNCTION Given Grøstl (CV 0, M 0, M 1 ) = h, we want to find another (CV 0, M 0, M 1 ) such that

14 180 JIAN ZOU, WENLING WU, SHUANG WU AND LE DONG Grøstl(CV 0, M 0, M 1 ) = h. Let CV 1 = CF (CV 0, M 0 ), then CV 1 is the input to the last block of compression function. If we want to find the pseudo second preimage of Grøstl, then h, CV 1 and M 1 are known to us. Note that M 1 obeys the right padding rule. If we can use some techniques to find (CV 0, M 0 ) that satisfies P(CV 0, M 0 ) Q(M 0 ) CV 0 = CV 1, (4) then we find a pseudo second preimage of Grøstl. In the following, we will show how to find a (CV 0, M 0 ) that satisfies Eq. (4). As shown in Fig. 10, the attack turns into a two-phase MitM attack. With parameters y 1, y, y 3 and b, the attack process can be described as follows: Step 1: Find y1 1 b-bit partial preimages of P(H) H. We should store the y P(H)H and H in the lookup table L ps. Step : Find y the same b-bit partial preimages of Q(M 0 )M 0 as P(H) H in L ps. Check whether the remaining n-b bits are the same to CV 1. Once a full match is found, we find a (CV 0, M 0 ) such that it satisfies P(CV 0, M 0 ) Q(M 0 )CV 0 = CV 1. Then (CV 0, M 0, M 1 ) is a pseudo second preimage of Grøstl. Suppose that for Grøstl with n-bit state, it needs 3 C ( n, b) and 4 C ( n, b) computations to find a b-bit partial preimage of P(H) H and Q(M 0 )M 0, respectively. Fig. 10. Outline for our pseudo second preimage attack on Grøstl. Then we can calculate the complexity for each step of the attack algorithm. In Step 1, it takes 1 3 y C ( n, b) computations and y1 memory to build the lookup table L ps. In Step, it takes 4 y C ( n, b) computations to calculate y the given b-bit partial preimage of Q(M 0 ) M 0 and check whether the remaining n-b bits are the same to CV 1. y As a result, the overall complexity is 1C3( n, b) yc4( n, b), with memory requirement of 1 y y. Note that we need 1+ y- n 1 in order to find a full match.

15 PSEUDO (SECOND) PREIMAGE ATTACK ON GRØSTL Preimage Attack on P(H) H and Q(M 0 ) M 0 of Grøstl-56 The chunk separations for P(H) H and Q(M 0 ) M 0 are shown in Figs. 9 and 11, respectively. As shown in Fig. 9, the freedom degrees for the partial preimage attack on P(H) H are D r = 18 bits, D b = 18 bits. The sizes of the matching point are b = 8 bits and n = 56 bits. The cost to construct the complicated initial structure is C r = C b = 3 bits. We set d r = d b = b = 40 bits, then we can find 8 (= / 8 ) 8-bit partial preimages with a complexity of 8. The average complexity to compute an 8-bit partial preimage is 0 ( 8 / 8 ). So we can calculate the complexity of an 8-bit partial preimage C attack on P(H) H: 3 (51,8) = =. This means we just need - computation to get an 8-bit partial preimage on P(H) H. As shown in Fig. 11, it also takes - computation to get the same 8-bit partial preimage on Q(M 0 ) M 0 as P(H) H. If we choose y 1 = y = (518)/ = 5, the complexity to calculate the pair (CV 0, M 0 ) is = 51 and the memory is 5. Then we can find a pseudo second preimage of Grøstl-56. Since the guess-and-determine technique is not suitable for the b-bit partial preimage attack (when b is small), we cannot find a pseudo second preimage attack on 8-round Grøstl-51 whose complexity is better than the pseudo preimage attack on 8-round Grøstl-51. Fig. 11. Chunk separation of 6-round preimage attack on Q(M 0 ) M 0 of Grøstl CONCLUSION In this paper, we improved the pseudo preimage attack on 5-round Grøstl-56 hash function. In addition, we improved the pseudo preimage attack on 8-round Grøstl-51 hash function by combining the guess-and-determine technique with the MitM attack. At last we constructed a 6-round pseudo preimage attack and a 6-round pseudo second preimage attack on Grøstl-56 hash function by using a complicated initial structure. We found out that the guess-and-determine MitM attack was useful to solve the full preimage attack instead of the partial preimage attack. We should check whether the guessed bits were correct, which was not suitable to solve the partial preimage problem. Since the choices of numbers and positions for the guessed bits were too many, it seemed impossible to do an exhaustive search. So it remains to be an open problem to find the op-

16 1804 JIAN ZOU, WENLING WU, SHUANG WU AND LE DONG timal guess-and-determine strategy for Grøstl. If we could divide the attack process into several phases of MitM attack, we could use the subspace technique to improve the overall complexity. In our attack, it was hard to attack more rounds of Grøstl because the difference Shift- Row operations between P ( ) and Q ( ). These results showed that it was good to adopt difference ShiftRow operations between P ( ) and Q ( ). Our attacks do not threat any security claims of Grøstl. ACKNOWLEDGEMENT The authors would like to thank Lei Wang and Jian Guo for their inspiring suggestions. The authors would like to thank anonymous referees for their helpful comments and suggestions. This work is supported by the National Basic Research Program of China 973 Program (013CB33800), and the National Natural Science Foundation of China (617476, ). REFERENCES 1. K. Aoki, J. Guo, K. Matusiewicz, Y. Sasaki, and L. Wang, Preimages for step-reduced SHA-, in Proceedings of ASIACRYPT, LNCS, Vol. 591, 009, pp K. Aoki and Y. Sasaki, Preimage attacks on one-block MD4, 63-step MD5 and more, in Proceedings of the 15th International Workshop on Selected Areas in Cryptography, LNCS, Vol. 5381, 008, pp K. Aoki and Y. Sasaki, Meet-in-the-middle preimage attacks against reduced SHA- 0 and SHA-1, in Proceedings of CRYPTO, LNCS, Vol. 5677, 009, pp P. Gauravaram, L. R. Knudsen, K. Matusiewicz, F. Mendel, C. Rechberger, M. Schläffer, and S. S. Thomsen, Grøstl a SHA-3 candidate, Submission to NIST (Round 3), J. Guo, S. Ling, C. Rechberger, and H. X. Wang, Advanced meet-in-the-middle preimage attacks: First results on full tiger, and improved results on MD4 and SHA-, in Proceedings of ASIACRYPT, LNCS, Vol. 6477, 010, pp D. Khovratovich, Bicliques for permutations: Collision and preimage attacks in stronger settings, in Proceedings of ASIACRYPT, LNCS, Vol. 7658, 01, pp G. Leurent, MD4 is not one-way, in Proceedings of FSE, LNCS, Vol. 5086, 008, pp National Institute of Standards and Technology, Announcing Request for Candidate Algorithm Nominations for a New Cryptographic Hash Algorithm (SHA-3) Family, Federal Register, 7(1):61-60, 007, documents/fr_notice_nov07.pdf. 9. Y. Sasaki, Meet-in-the-middle preimage attacks on AES hashing modes and an application to whirlpool, in Proceedings of FSE, LNCS, Vol. 6733, 011, pp Y. Sasaki and K. Aoki, Preimage attacks on 3, 4, and 5-pass HAVAL, in Pro-

17 PSEUDO (SECOND) PREIMAGE ATTACK ON GRØSTL 1805 ceedings of ASIACRYPT, LNCS, Vol. 5350, 008, pp Y. Sasaki and K. Aoki, Finding preimages in full MD5 faster than exhaustive search, in Proceedings of EUROCRYPT, LNCS, Vol. 5479, 009, pp Y. Sasaki, Y. Li, L. Wang, K. Sakiyama, and K. Ohta, New non-ideal properties of AES-based permutations: Applications to ECHO and Grøstl, in Proceedings of ASIACRYPT, LNCS, Vol. 6477, 010, pp M. Schläffer, Updated differential analysis of Grøstl, Grøstl website, January D. Wagner, A Generalized Birthday Problem in Proceedings of CRYPTO, LNCS, Vol. 44, 00, pp L. Wang, Y. Sasaki, W. Komatsubara, K. Ohta, and K. Sakiyama, Preimage attacks on step-reduced RIPEMD/RIPEMD-18 with a new local-collision approach, in Proceedings of CT-RSA, LNCS, Vol. 6558, 011, pp S. Wu, D. G. Feng, W. L. Wu, J. Guo, L. Dong, and J. Zou, Preimage attack on round-reduced Grøstl hash function and others, in Proceedings of FSE, LNCS, Vol. 7549, 01, pp Jian Zou () is currently a Ph.D. student in Graduate School of Chinese Academy of Sciences and Institute of Software, Chinese Academy of Sciences. His current research area includes cryptanalysis on hash functions and block ciphers. Wen-Ling Wu () is now a Professor at the TCA, Institute of Software, Chinese Academy of Sciences. She received her B.S. and M.S. degrees in Mathematics from Northwest University in 1987 and 1990, respectively. She received her Ph.D. degree in Cryptography from Xidian University in Her current research interests include theory of cryptography, modes of operation, block ciphers and hash functions. Shuang Wu () is now a Lecturer at the TCA, Institute of Software, Chinese Academy of Sciences. He received his Ph.D. degree from Graduate School of Chinese Academy of Sciences and Institute of Software, Chinese Academy of Sciences in 011. His current research area includes provable security and cryptanalysis on hash functions and block ciphers.

18 1806 JIAN ZOU, WENLING WU, SHUANG WU AND LE DONG Le Dong () is currently a Ph.D. student in Graduate School of Chinese Academy of Sciences and Institute of Software, Chinese Academy of Sciences. His current research area includes cryptanalysis on hash functions and block ciphers.