
Sums of Permutations in the Grøstl Hash Function

Liljana Babinkostova¹, Dmitriy Sergeyevich Khripkov², Nicholas Lacasse³, Bai Lin⁴, and Michelle Mastrianni⁵

¹Boise State University, ²University of California - Berkeley, ³University of Maine at Farmington, ⁴University of Rochester, ⁵Carleton College

Introduction

A hash function is any function that can be used to map digital data of arbitrary size to digital data of fixed size. Hash functions are a basic building block in cryptography. An established practice in the design of hash functions is to first construct a fixed input length compression function, and then iterate it to allow the processing of arbitrarily long strings. In the last few years the cryptanalysis of hash functions, especially collision attacks, has become an important topic within the cryptographic community.

Grøstl is a cryptographic hash function submitted to the NIST hash function competition for SHA-3 during 2007-2012, and it was one of the five finalists in this competition. Grøstl is an iterated hash function over $\mathrm{GF}(2^8)$ with a compression function that is built using a sum of two fixed, distinct permutations, shown in Figure 1. The sum of the permutations $P$ and $Q$ on $\mathrm{GF}(2^8)$ is crucial for preserving the security of Grøstl (see, e.g., [3]).

[Diagram with labels $h_1$, $h_2$, $m_1$, $m_2$]

Figure 1: The Grøstl Compression Function

Although these permutations are constructed using the wide trail design strategy, it is not known yet whether they are "ideal" permutations, in which case there is a proof for the security of this hash function.

Moreover, the question about the existence and the number of permutations on $\mathrm{GF}(p^r)$ whose sum is a permutation itself is still open.

Objectives

• Determine when the sum of two permutations on a finite group G is a permutation or a near permutation.

• If the sum of two permutations on G is not a permutation, determine its nearness to being a permutation.

• If they exist, determine the number of permutations (or near permutations) on a finite group G that can be expressed as a sum of two permutations on G.

Sum of Permutations On Groups

We will denote permutations on a set $G$ as $n$-tuples $(\alpha_1, \cdots, \alpha_n)$ where $\alpha_i \in G$, and all $\alpha_i$ are distinct.

Sum of Permutations

Let $G$ be a finite group of order $n$, the group operation being addition. The sum of two permutations $\alpha = (\alpha_1, \cdots, \alpha_n)$ and $\beta = (\beta_1, \cdots, \beta_n)$ on $G$, denoted by $\alpha + \beta$, is the $n$-tuple $(\alpha_1 + \beta_1, \alpha_2 + \beta_2, \cdots, \alpha_n + \beta_n)$.

Permutations On Z/nZ

In many cases, it is difficult to construct secure cryptographic hash functions which utilize "ideal" permutations. The best that can be done is to use approximate permutations. Such functions are called near permutations.

k-Near Permutations

Let $G$ be a finite group of order $n$ and $\alpha$, $\beta$ two permutations on $G$. The sum $f = \alpha + \beta$ is called a $k$-near permutation over $G$ if $|\mathrm{Range}(f)| = n - k$.

Example: A 3-near permutation which is a sum of two permutations over Z/8Z.

$$(1\ 2\ 3\ 4\ 5\ 6\ 7\ 8) + (3\ 5\ 6\ 4\ 1\ 1\ 2\ 8) = (4\ 7\ 1\ 8\ 6\ 7\ 1\ 8)$$

Sum of Permutations on Z/nZ

Let $f$ be a sum of two permutations on Z/nZ. Then

• For $n$ odd there exist permutations $\alpha$ and $\beta$ over Z/nZ such that $\alpha + \beta$ is a permutation on Z/nZ.

• For $n$ even there exist permutations $\alpha = (\alpha_1, \cdots, \alpha_n)$ and $\beta = (\beta_1, \cdots, \beta_n)$ on Z/nZ such that $\alpha + \beta$ is a 1-near permutation on Z/nZ.

Terminal Size of Near Permutations

Let $f$ be an $(n-k)$-near permutation which is a sum of two permutations on a finite group $G$ of order $n$. We say that $f$ has a terminal size $m$ if $|\mathrm{Range}(f^{k-1})| = m$.

$(6\ 1\ 7\ 6\ 5\ 1\ 1)$ and $(2\ 3\ 4\ 5\ 6\ 7\ 7)$ [each accompanied by a diagram on the nodes 1 to 7]

Figure 2: An illustrative example of a terminal size of permutations

Periodic Near Permutations

Let $f = \alpha + \theta$ where $\alpha$ is any permutation on Z/nZ and $\theta$ is the identity permutation on Z/nZ. If $f$ is an $(n-2)$-near permutation on Z/nZ, then $f$ is a periodic $(n-2)$-near permutation.

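Counting $(n-2)$-Near Permutations

The number of $(n-2)$-near permutations over Z/nZ is at most

$$n \cdot n! \cdot \sum_{\substack{i \in \{4 \cdots n\} \\ \gcd(i-2,\,n) \neq 1}} 2^{\frac{n}{|\langle i-2 \rangle|} - 2} + \sum_{\substack{l \mid n \\ l > 2}} \left(2^{\frac{n}{l} - 2} - 1\right) \varphi\!\left(\frac{n}{l}\right)$$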

Counting 1-Near Permutations

The number of 1-near permutations on Z/nZ that are a sum of two permutations is equal to $\binom{n}{2}\, n!$. The number of 1-near permutations on Z/nZ with terminal size $n-1$ that are a sum of two permutations is equal to $n!$.

Permutations On $\mathrm{GF}(p^r)$

Finding pairs of permutations on a group G whose sum is a permutation is equivalent to determining transversals (see, e.g., [2]) of the Latin square of G.

$$(3\ 6\ 8\ 5\ 2\ 9\ 7\ 4\ 1) + (1\ 2\ 3\ 4\ 5\ 6\ 7\ 8\ 9) = (4\ 8\ 2\ 9\ 7\ 6\ 5\ 3\ 1)$$

Figure 3: A transversal of a Latin square and its permutations sum

Using the theory of Latin squares and partial transversals we were able to obtain some results for $k$-near permutations on the additive group of $\mathrm{GF}(p^r)$.
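Added example (not part of the poster): a Python check of the k-near definition, the Z/nZ existence statement and the transversal equivalence, run on the poster's own Z/8Z and Figure 3 tuples. It assumes Z/nZ is written 1..n with n standing for 0, as in those tuples; the function names are chosen here for illustration.

```python
from itertools import permutations

# Tuples copied from the poster; Z/nZ is written 1..n, with n standing for 0.
Z8_ALPHA = (1, 2, 3, 4, 5, 6, 7, 8)
Z8_BETA = (3, 5, 6, 4, 1, 1, 2, 8)
FIG3_ALPHA = (3, 6, 8, 5, 2, 9, 7, 4, 1)
FIG3_BETA = (1, 2, 3, 4, 5, 6, 7, 8, 9)


def perm_sum(alpha, beta, n):
    """Componentwise sum alpha + beta in Z/nZ, reported with representatives 1..n."""
    return tuple((a + b - 1) % n + 1 for a, b in zip(alpha, beta))


def nearness(f, n):
    """Return k such that |Range(f)| = n - k (k = 0 means f is a permutation)."""
    return n - len(set(f))


def min_nearness(n):
    """Smallest k over all pairs of permutations on Z/nZ, by exhaustive search.

    Reordering positions leaves the range unchanged, so beta is fixed to the
    identity and only alpha varies (n! candidates: keep n small).
    """
    identity = tuple(range(1, n + 1))
    return min(nearness(perm_sum(a, identity, n), n) for a in permutations(identity))


def is_transversal(alpha, beta, n):
    """True when the cells (row alpha_i, column beta_i) of the addition table of
    Z/nZ use every row, every column and every entry alpha_i + beta_i once."""
    total = perm_sum(alpha, beta, n)
    return len(set(alpha)) == len(set(beta)) == len(set(total)) == n


if __name__ == "__main__":
    print(perm_sum(Z8_ALPHA, Z8_BETA, 8), nearness(perm_sum(Z8_ALPHA, Z8_BETA, 8), 8))
    print(perm_sum(FIG3_ALPHA, FIG3_BETA, 9), is_transversal(FIG3_ALPHA, FIG3_BETA, 9))
    for n in range(3, 8):
        print(n, min_nearness(n))  # odd n reach k = 0, even n stop at k = 1
```

For even n no sum can reach k = 0: the entries of a permutation of Z/nZ add up to n/2 modulo n, while the entries of α + β add up to 0.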

Counting Permutations on $\mathrm{GF}(p^r)$

Let $p$ be a prime and $r$ a positive integer. Then the number of $(p^r - 2)$-near permutations on the additive group of $\mathrm{GF}(p^r)$ is

$$\left(2^{p^{r-1}} - 2\right) \binom{p^r}{2}.$$

Future Work

• Generalize the results for the number of permutations and $k$-near permutations, in particular in the case of $\mathrm{GF}(p^r)$.

• Generalize the Grøstl Hash Function and study its security based on the number of collisions of its compression function.

References

[1] L. Euler, Recherches sur une nouvelle espèce de quarrés magiques, Opera Omnia, Ser. I, Vol. 7: 291–392, (1782).

[2] P. Hatami and P.W. Shor, A lower bound for the length of a partial transversal in a Latin square, J. Combin. Theory Ser. A 115, 1103–1113, (2008).

[3] F. Mendel et al., Collision Attack on 5 Rounds of Grøstl, IACR Cryptology ePrint Archive 2014: 305, (2014).

Acknowledgments

This research was supported by the National Science Foundation under the Grant No. DMS 1359425 and Boise State University. We thank Samuel Simon, REU alumnus and PhD candidate at Simon Fraser University, for his valuable comments.