Abstract. In this article, we provide the first third-party security analysis of the PRINCE lightweight block cipher, and the underlying PRINCEcore. First, while no claim was made by the authors regarding related-key attacks, we show that one can attack the full cipher with only a single pair of related keys, and then reuse the same idea to derive an attack in the single-key model for the full PRINCEcore for several instances of the α parameter (yet not the one randomly chosen by the designers). We also show how to exploit the structural linear relations that exist for PRINCE in order to obtain a key recovery attack that slightly breaks the security claims for the full cipher. We analyze the application of integral attacks to get the best known key-recovery attack on a reduced version of the PRINCE cipher. Finally, we provide time-memory-data tradeoffs, that require only known plaintext-ciphertext data, and that can be applied to full PRINCE.
The Grøstl hash function is one of the 5 final round candidates of the SHA-3 competition hosted by NIST. In this paper, we study the preimage resistance of the Grøstl hash function. We propose pseudo preimage attacks on Grøstl hash function for both 256-bit and 512-bit versions, i.e., we need to choose the initial value in order to invert the hash function. Pseudo preimage attack on 5(out of 10)-round Grøstl-256 has a complexity of (2 244.85 , 2 230.13 ) (in time and memory) and pseudo preimage attack on 8(out of 14)-round Grøstl-512 has a complexity of (2 507.32 , 2 507.00 ). To the best of our knowledge, our attacks are the first (pseudo) preimage attacks on round-reduced Grøstl hash function, including its compression function and output transformation. These results are obtained by a variant of meet-in-the-middle preimage attack framework by Aoki and Sasaki. We also improve the time complexities of the preimage attacks against 5-round Whirlpool and 7-round AES hashes by Sasaki in FSE 2011.Grøstl is a double-pipe design, i.e., the size of the chaining value (2n-bit) is twice as the hash size (n-bit). Message length should be less than 2 73 − 577 bits. The padding rule is not introduced here, since it's not important in our attack.The compression function of Grøstl is written as:Where H is the chaining value and M is the message block, both are of 2n bits. After all message blocks are processed, the last chaining value X is used as input of the output transformation, which is written as Ω(X) = T runc n (P (X) ⊕ X)The right half of P (X) ⊕ X is used as the hash value. The compression function and output transformation are illustrated in Fig. 2.
scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.