Fast Software Encryption

Volume 6733 of the series Lecture Notes in Computer Science pp 378-396

Meet-in-the-Middle Preimage Attacks on AES Hashing Modes and an Application to Whirlpool

  • Yu SasakiAffiliated withNTT Information Sharing Platform Laboratories, NTT Corporation


We study the security of AES in the open-key setting by showing an analysis on hash function modes instantiating AES including Davies-Meyer, Matyas-Meyer-Oseas, and Miyaguchi-Preneel modes. In particular, we propose preimage attacks on these constructions, while most of previous work focused their attention on collision attacks or distinguishers using non-ideal differential properties. This research is based on the motivation that we should evaluate classical and important security notions for hash functions and avoid complicated attack models that seem to have little relevance in practice. We apply a recently developed meet-in-the-middle preimage approach. As a result, we obtain a preimage attack on 7 rounds of Davies-Meyer AES and a second preimage attack on 7 rounds of Matyas-Meyer-Oseas and Miyaguchi-Preneel AES. Considering that the previous best collision attack only can work up to 6 rounds, the number of attacked rounds reaches the best in terms of the classical security notions. In our attacks, the key is regarded as a known constant, and the attacks thus can work for any key length in common.


AES hash function Davies-Meyer Matyas-Meyer-Oseas Miyaguchi-Preneel PGV preimage meet-in-the-middle Whirlpool