Shabal

Last updated August 17, 2023

Shabal is a cryptographic hash function submitted by the France-funded research project Saphir to NIST's international competition on hash functions.

Saphir partners

The research partners of Saphir (with the exception of LIENS) initiated the conception of Shabal and were later joined by partners of the research project Saphir2 who actively contributed to the final design of Shabal. Saphir (Security and Analysis of Hash Primitives) is an ANR funded project on hash functions. Saphir has started in March 2006 for a duration of three years and brought five partners together: Cryptolog International, DCSSI, France Telecom (leader), Gemalto and LIENS. Partners of Saphir2 come from both industry and academia; in addition to partners of Saphir, 4 new partners: EADS SN, INRIA, Sagem Sécurité and UVSQ joined and contributed to the project.^[1]

History

Shabal was an entry in the NIST hash function competition, where it passed to the second round, but failed to enter the final round. Shabal was not selected as a finalist mainly due to security concerns. Although the security of the full hash algorithm was not compromised, the discovery of non-randomness properties with low time complexities raised concerns among NIST's cryptographers about the possibility of more powerful attacks in the future.^[2]

The name of the algorithm was chosen as a tribute to Sébastien Chabal.^[1]

Description

Shabal uses a mode of operation that can be considered as a variant of a wide-pipe, Merkle–Damgård hash construction. The internal state of Shabal consists of three parts, denoted as A, B and C. The keyed permutation of Shabal updates A and B using nonlinear feedback shift registers that interact with each other. The main loop of the permutation uses modular multiplication by three and five, modular addition, XOR, complementation, and AND operations.

Shabal function mode of operation Shabal.png — Shabal function mode of operation

The chaining mode of Shabal works as follows: (A, B) ← PM,C

(A, B, C) ← (A, C – M, B),

(A ⊕ W, B + M),

where M is the message block, and W is the counter. After processing all message blocks, three finalization rounds are applied in which the message block and the counter values are fixed. Two tunable parameters (p, r) are defined for Shabal, where p is the number of loops performed within the key permutation, and r is the size of A. The default value of (p, r) is (3, 12). Additionally, p and r should satisfy 16p ≡ 0 mod r. The same internal function is used for all output sizes of Shabal.^[2]

Output sizes of Shabal

Output sizes of Shabal, based on length of the digest are:

Shabal-192
Shabal-224
Shabal-256
Shabal-384
Shabal-512^[1]

Outputs of Shabal

Example Shabal hashes:

Shabal-192: CB6E700F CE4DCF97 D2BBBF00 0C5364FB B40C8732 0D733948
Shabal-224: 14A6DD99 E8D207F9 F7187681 326F6930 8BCAAE00 25F4855F 3120BA43
Shabal-256: C0088FDA 9ABA672A 79D0BD56 07AE488E 095E2114 06855B3B 1877A349 A2543F99
Shabal-384: 3312DE9D DA850D91 03785C3A C611B112 5D1BCAFC 033755D2 3B8EE05E 15251E4E 636A724F F0A8E584 4AABEAAF 122FC0C4
Shabal-512: C6168015 0A3F1FC8 688DD952 8E9E2FED 23EF9578 BCE2A7CB A5D80961 E6C9E632 9701A5A6 F037B89F 20C6C44E DC7931E7 2BB5AB82 B3ADCD32 9CE25056 22305E98^[1]

Security

Various distinguishers have been proposed for the permutation of Shabal. Using cube testers, a statistical non-randomness property of Shabal's key permutation was described with time complexity 2³⁰⁰.^[3]
A rotational distinguisher to the keyed permutation of Shabal using 2¹⁷¹ calls was presented. The distinguisher is based on the observation that most of the operations in P preserve rotational relationships between inputs. However, the attack cannot be extended to the hash algorithm, due to the non-symmetric IV, the addition of the block counter and the existence of the finalization rounds.^[4]^[5]
Another distinguisher was presented, based on the observation that multiplication by three preserves the difference in the most significant bit with probability one. Using this observation, the authors presented a method to find semi-equivalent keys for the keyed permutation. Under the related-key model, the authors also presented a method that distinguishes P from a random permutation using a single query. The method can be generalized to any security parameter. The authors also presented a method to find pseudo-collisions and pseudosecond-preimages for a variant of Shabal in which the number of iterations in the finalization is 24N (N ≥ 2), instead of 36. However, this attack does not work for the original Shabal, since it is not possible to cancel out the differences when the number of iterations is 36.^[6]
Some non-randomness properties were shown for the keyed permutation P that are easy to verify. The authors proposed a simple method to find fixed points in P. The inputs to the permutation were selected so that they are not affected by the loops in the permutation. The method is independent of the number of words in A and the number of rounds; therefore, the method works for any choice of the tunable security parameters. The authors also showed a way to construct many, large multi-collisions, where the only difference is in the key input.^[2]
A distinguisher was presented over some of the biased output bits using differential analysis with 2²³ data complexity.^[7]
A low weight (45-bit) pseudo-collision attack on the Shabal compression function with time complexity 2⁸⁴ was presented. A preimage attack with 2⁴⁹⁷ time and 2⁴⁰⁰ memory complexity for Shabal 512 using security parameters (2, 12).^[8]
None of the distinguishers directly threatens the claimed security of the hash algorithm. Moreover, the designers have modified the indifferentiability security proof of their chaining mode to require weaker assumptions than ideal ciphers.^[2]

Implementations

Related Research Articles

<span class="mw-page-title-main">HMAC</span> Computer communications hash algorithm

In cryptography, an HMAC is a specific type of message authentication code (MAC) involving a cryptographic hash function and a secret cryptographic key. As with any MAC, it may be used to simultaneously verify both the data integrity and authenticity of a message.

The MD5 message-digest algorithm is a widely used hash function producing a 128-bit hash value. MD5 was designed by Ronald Rivest in 1991 to replace an earlier hash function MD4, and was specified in 1992 as RFC 1321.

In cryptography, SHA-1 is a hash function which takes an input and produces a 160-bit (20-byte) hash value known as a message digest – typically rendered as 40 hexadecimal digits. It was designed by the United States National Security Agency, and is a U.S. Federal Information Processing Standard. The algorithm has been cryptographically broken but is still widely used.

A cryptographic hash function (CHF) is a hash algorithm that has special properties desirable for a cryptographic application:

In cryptography, a random oracle is an oracle that responds to every unique query with a (truly) random response chosen uniformly from its output domain. If a query is repeated, it responds the same way every time that query is submitted.

<span class="mw-page-title-main">MD4</span> Cryptographic hash function

The MD4 Message-Digest Algorithm is a cryptographic hash function developed by Ronald Rivest in 1990. The digest length is 128 bits. The algorithm has influenced later designs, such as the MD5, SHA-1 and RIPEMD algorithms. The initialism "MD" stands for "Message Digest".

In cryptography, a preimage attack on cryptographic hash functions tries to find a message that has a specific hash value. A cryptographic hash function should resist attacks on its preimage.

In cryptography, a collision attack on a cryptographic hash tries to find two inputs producing the same hash value, i.e. a hash collision. This is in contrast to a preimage attack where a specific target hash value is specified.

SHA-2 is a set of cryptographic hash functions designed by the United States National Security Agency (NSA) and first published in 2001. They are built using the Merkle–Damgård construction, from a one-way compression function itself built using the Davies–Meyer structure from a specialized block cipher.

RadioGatún is a cryptographic hash primitive created by Guido Bertoni, Joan Daemen, Michaël Peeters, and Gilles Van Assche. It was first publicly presented at the NIST Second Cryptographic Hash Workshop, held in Santa Barbara, California, on August 24–25, 2006, as part of the NIST hash function competition. The same team that developed RadioGatún went on to make considerable revisions to this cryptographic primitive, leading to the Keccak SHA-3 algorithm.

Skein is a cryptographic hash function and one of five finalists in the NIST hash function competition. Entered as a candidate to become the SHA-3 standard, the successor of SHA-1 and SHA-2, it ultimately lost to NIST hash candidate Keccak.

Threefish is a symmetric-key tweakable block cipher designed as part of the Skein hash function, an entry in the NIST hash function competition. Threefish uses no S-boxes or other table lookups in order to avoid cache timing attacks; its nonlinearity comes from alternating additions with exclusive ORs. In that respect, it is similar to Salsa20, TEA, and the SHA-3 candidates CubeHash and BLAKE.

SHA-3 is the latest member of the Secure Hash Algorithm family of standards, released by NIST on August 5, 2015. Although part of the same series of standards, SHA-3 is internally different from the MD5-like structure of SHA-1 and SHA-2.

The SANDstorm hash is a cryptographic hash function designed in 2008 by Mark Torgerson, Richard Schroeppel, Tim Draelos, Nathan Dautenhahn, Sean Malone, Andrea Walker, Michael Collins, and Hilarie Orman for the NIST SHA-3 competition.

The elliptic curve only hash (ECOH) algorithm was submitted as a candidate for SHA-3 in the NIST hash function competition. However, it was rejected in the beginning of the competition since a second pre-image attack was found.

This article summarizes publicly known attacks against cryptographic hash functions. Note that not all entries may be up to date. For a summary of other hash function parameters, see comparison of cryptographic hash functions.

Streebog is a cryptographic hash function defined in the Russian national standard GOST R 34.11-2012 Information Technology – Cryptographic Information Security – Hash Function. It was created to replace an obsolete GOST hash function defined in the old standard GOST R 34.11-94, and as an asymmetric reply to SHA-3 competition by the US National Institute of Standards and Technology. The function is also described in RFC 6986 and one out of hash functions in ISO/IEC 10118-3:2018.

Kupyna is a cryptographic hash function defined in the Ukrainian national standard DSTU 7564:2014. It was created to replace an obsolete GOST hash function defined in the old standard GOST 34.11-95, similar to Streebog hash function standardized in Russia.

In cryptography, security level is a measure of the strength that a cryptographic primitive — such as a cipher or hash function — achieves. Security level is usually expressed as a number of "bits of security", where n-bit security means that the attacker would have to perform 2ⁿ operations to break it, but other methods have been proposed that more closely model the costs for an attacker. This allows for convenient comparison between algorithms and is useful when combining multiple primitives in a hybrid cryptosystem, so there is no clear weakest link. For example, AES-128 is designed to offer a 128-bit security level, which is considered roughly equivalent to a RSA using 3072-bit key.

Dmitry Khovratovich is a cryptographer, currently a Lead Cryptographer for the Dusk Network, researcher for the Ethereum Foundation, and member of the International Association for Cryptologic Research. He developed, together with Alex Biryukov, the Equihash proof-of-work algorithm which is currently being used as consensus mechanism for the Zcash cryptocurrency, and the Argon2 key derivation function, which won the Password Hashing Competition in July 2015.

References

1 2 3 4 Bresson, Emmanuel; Clavier, Christophe; Fuhr, Thomas; Icart, Thomas; Misarsky, Jean-Francois; Naya-Plasencia, Maria; Reinhard, Jean-Rene; Thuillet, Celine; Videau, Marion (2008-10-28). "Shabal, a Submission to NIST's Cryptographic Hash Algorithm Competition" (PDF): 2–3, 20, 22, 32–35.{{cite journal}}: Cite journal requires |journal= (help)
1 2 3 4 NIST Interagency Report 7764 (February 2011). "Status Report on the Second Round of the SHA-3 Cryptographic Hash Algorithm Competition" (PDF): 20–21.{{cite journal}}: Cite journal requires |journal= (help)
↑ Aumasson, Jean-Philippe. "On the pseudorandomness of Shabal's keyed permutation" (PDF). Retrieved 14 November 2018.{{cite journal}}: Cite journal requires |journal= (help)
↑ Van Assche, Gilles (24 March 2010). "A rotational distinguisher on Shabal's keyed permutation and its impact on the security proofs" (PDF).{{cite journal}}: Cite journal requires |journal= (help)
↑ Aerts, Nieke (August 2011). "Cryptanalysis of Hash Functions In particular the SHA-3 contenders Shabal and Blake" (PDF): 56–57.{{cite journal}}: Cite journal requires |journal= (help)
↑ Aumasson, Jean-Philippe; Mashatan, Atefeh; Meier, Willi. "More on Shabal's permutation" (PDF). Retrieved 14 November 2018.{{cite journal}}: Cite journal requires |journal= (help)
↑ Novotney, Peter (20 July 2010). "Distinguisher for Shabal's Permutation Function" (PDF).{{cite journal}}: Cite journal requires |journal= (help)
↑ Isobe, Takanori; Shirai, Taizo. "Low-weight Pseudo Collision Attack on Shabal and Preimage Attack on Reduced Shabal-512" (PDF). Retrieved 14 November 2018.{{cite journal}}: Cite journal requires |journal= (help)

External links

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[:1-1] 1 2 3 4 Bresson, Emmanuel; Clavier, Christophe; Fuhr, Thomas; Icart, Thomas; Misarsky, Jean-Francois; Naya-Plasencia, Maria; Reinhard, Jean-Rene; Thuillet, Celine; Videau, Marion (2008-10-28). "Shabal, a Submission to NIST's Cryptographic Hash Algorithm Competition" (PDF): 2–3, 20, 22, 32–35.{{cite journal}}: Cite journal requires |journal= (help)

[:0-2] 1 2 3 4 NIST Interagency Report 7764 (February 2011). "Status Report on the Second Round of the SHA-3 Cryptographic Hash Algorithm Competition" (PDF): 20–21.{{cite journal}}: Cite journal requires |journal= (help)

[3] Aumasson, Jean-Philippe. "On the pseudorandomness of Shabal's keyed permutation" (PDF). Retrieved 14 November 2018.{{cite journal}}: Cite journal requires |journal= (help)

[4] Van Assche, Gilles (24 March 2010). "A rotational distinguisher on Shabal's keyed permutation and its impact on the security proofs" (PDF).{{cite journal}}: Cite journal requires |journal= (help)

[5] Aerts, Nieke (August 2011). "Cryptanalysis of Hash Functions In particular the SHA-3 contenders Shabal and Blake" (PDF): 56–57.{{cite journal}}: Cite journal requires |journal= (help)

[6] Aumasson, Jean-Philippe; Mashatan, Atefeh; Meier, Willi. "More on Shabal's permutation" (PDF). Retrieved 14 November 2018.{{cite journal}}: Cite journal requires |journal= (help)

[7] Novotney, Peter (20 July 2010). "Distinguisher for Shabal's Permutation Function" (PDF).{{cite journal}}: Cite journal requires |journal= (help)

[8] Isobe, Takanori; Shirai, Taizo. "Low-weight Pseudo Collision Attack on Shabal and Preimage Attack on Reduced Shabal-512" (PDF). Retrieved 14 November 2018.{{cite journal}}: Cite journal requires |journal= (help)

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]