Shabal Explained

Shabal is a cryptographic hash function submitted by the France-funded research project Saphir to NIST's international competition on hash functions.

Saphir partners

The research partners of Saphir (with the exception of LIENS) initiated the conception of Shabal and were later joined by partners of the research project Saphir2, who actively contributed to the final design of Shabal. Saphir (Security and Analysis of Hash Primitives) is an ANR-funded project on hash functions. Saphir started in March 2006 for a duration of three years and brought five partners together: Cryptolog International, DCSSI, France Telecom (leader), Gemalto and LIENS. Partners of Saphir2 come from both industry and academia; in addition to the partners of Saphir, four new partners (EADS SN, INRIA, Sagem Sécurité and UVSQ) joined and contributed to the project.[1]

History

Shabal was an entry in the NIST hash function competition, where it passed to the second round, but failed to enter the final round. Shabal was not selected as a finalist mainly due to security concerns. Although the security of the full hash algorithm was not compromised, the discovery of non-randomness properties with low time complexities raised concerns among NIST's cryptographers about the possibility of more powerful attacks in the future.[2]

The name of the algorithm was chosen as a tribute to Sébastien Chabal.

Description

Shabal uses a mode of operation that can be considered as a variant of a wide-pipe, Merkle–Damgård hash construction. The internal state of Shabal consists of three parts, denoted as A, B and C. The keyed permutation of Shabal updates A and B using nonlinear feedback shift registers that interact with each other. The main loop of the permutation uses modular multiplication by three and five, modular addition, XOR, complementation, and AND operations.

The chaining mode of Shabal works as follows:

(A, B) ← P_{M,C}(A ⊕ W, B + M),

(A, B, C) ← (A, C – M, B),

where M is the message block, and W is the counter. After processing all message blocks, three finalization rounds are applied in which the message block and the counter values are fixed. Two tunable parameters (p, r) are defined for Shabal, where p is the number of loops performed within the keyed permutation, and r is the size of A. The default value of (p, r) is (3, 12). Additionally, p and r should satisfy 16p ≡ 0 mod r. The same internal function is used for all output sizes of Shabal.
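The chaining mode and keyed permutation described above, as an added Python example (not code from this page or from the Shabal designers). The rotation amounts (17, 15, 1), the index offsets, the 36 final additions, the two prefix blocks derived from the digest length, the 0x80 padding, the little-endian word encoding and reading the digest from the last words of C are not stated on this page; they are assumptions based on the Shabal submission document.

```python
import struct

MASK = 0xFFFFFFFF  # Shabal works on 32-bit words

def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def permute(A, B, C, M, p):
    """Keyed permutation P_{M,C}: updates A and B in place, keyed by M and C."""
    r = len(A)
    B[:] = [rotl(b, 17) for b in B]
    for j in range(p):
        for i in range(16):
            k = (i + 16 * j) % r
            # multiplication by 5, then by 3, both modulo 2^32
            x = A[k] ^ (rotl(A[k - 1], 15) * 5 & MASK) ^ C[(8 - i) % 16]
            A[k] = ((x * 3 & MASK) ^ B[(i + 13) % 16]
                    ^ (B[(i + 9) % 16] & ~B[(i + 6) % 16]) ^ M[i])
            B[i] = rotl(B[i], 1) ^ A[k] ^ MASK  # XOR with the complement of A[k]
    for j in range(36):  # final modular additions of C words into A
        A[j % r] = (A[j % r] + C[(j + 3) % 16]) & MASK

def shabal(data, bits=256, p=3, r=12):
    """Hash `data` with the default parameters (p, r) = (3, 12)."""
    if (16 * p) % r:
        raise ValueError("parameters must satisfy 16p = 0 mod r")
    A, B, C = [0] * r, [0] * 16, [0] * 16
    padded = data + b"\x80" + bytes(63 - len(data) % 64)
    # two prefix blocks (assumption from the specification), then the message
    blocks = [[bits + i for i in range(16)], [bits + 16 + i for i in range(16)]]
    blocks += [list(struct.unpack_from("<16I", padded, o))
               for o in range(0, len(padded), 64)]
    last = len(blocks) - 1
    for n in range(last + 4):  # every block, then three finalization rounds
        idx = min(n, last)     # block and counter stay fixed during finalization
        M, W = blocks[idx], idx - 1
        B = [(b + m) & MASK for b, m in zip(B, M)]        # B + M
        A[0] ^= W & MASK                                  # A xor W (64-bit counter)
        A[1] ^= (W >> 32) & MASK
        permute(A, B, C, M, p)                            # (A, B) <- P_{M,C}(...)
        B, C = [(c - m) & MASK for c, m in zip(C, M)], B  # (A, B, C) <- (A, C - M, B)
    words = bits // 32
    return struct.pack("<%dI" % words, *C[16 - words:])

if __name__ == "__main__":
    print(shabal(b"").hex())
```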

Output sizes of Shabal

The output sizes of Shabal, based on the length of the digest, are:

Outputs of Shabal

Example Shabal hashes:

Security

Implementations

Notes and References

  1. Bresson, Emmanuel; Clavier, Christophe; Fuhr, Thomas; Icart, Thomas; Misarsky, Jean-Francois; Naya-Plasencia, Maria; Reinhard, Jean-Rene; Thuillet, Celine; Videau, Marion. 2008-10-28. Shabal, a Submission to NIST's Cryptographic Hash Algorithm Competition. 2–3, 20, 22, 32–35.
  2. NIST Interagency Report 7764. February 2011. Status Report on the Second Round of the SHA-3 Cryptographic Hash Algorithm Competition. 20–21.
  3. Aumasson, Jean-Philippe. On the pseudorandomness of Shabal's keyed permutation. 14 November 2018.
  4. Van Assche, Gilles. A rotational distinguisher on Shabal's keyed permutation and its impact on the security proofs. 24 March 2010.
  5. Aerts, Nieke. Cryptanalysis of Hash Functions In particular the SHA-3 contenders Shabal and Blake. August 2011. 56–57.
  6. Aumasson, Jean-Philippe; Mashatan, Atefeh; Meier, Willi. More on Shabal's permutation. 14 November 2018.
  7. Novotney, Peter. Distinguisher for Shabal's Permutation Function. 20 July 2010.
  8. Isobe, Takanori; Shirai, Taizo. Low-weight Pseudo Collision Attack on Shabal and Preimage Attack on Reduced Shabal-512. 14 November 2018.