Journal of Cryptology, Volume 28, Issue 2, pp. 257–296

The Rebound Attack and Subspace Distinguishers: Application to Whirlpool

  • Mario Lamberger
  • Florian Mendel
  • Martin Schläffer
  • Christian Rechberger
  • Vincent Rijmen

Abstract

We introduce the rebound attack as a variant of differential cryptanalysis on hash functions and apply it to the hash function Whirlpool, standardized by ISO/IEC. We give attacks on reduced variants of the 10-round Whirlpool hash function and compression function. Our results are collisions for 5.5 and near-collisions for 7.5 rounds on the hash function, as well as semi-free-start collisions for 7.5 and semi-free-start near-collisions for 9.5 rounds on the compression function. Additionally, we introduce the subspace problem as a generalization of near-collision resistance. Finally, we present the first distinguishers that apply to the full compression function and the full underlying block cipher W of Whirlpool.

Key words

Hash functions; Cryptanalysis; Near-collision; Distinguisher

Copyright information

© International Association for Cryptologic Research 2013

Authors and Affiliations

  • Mario Lamberger: NXP Semiconductors Austria, Gratkorn, Austria
  • Florian Mendel: IAIK, Graz University of Technology, Graz, Austria
  • Martin Schläffer: IAIK, Graz University of Technology, Graz, Austria
  • Christian Rechberger: DTU Compute, Lyngby, Denmark
  • Vincent Rijmen: Dept. of Electrical Engineering ESAT/COSIC, KU Leuven and iMinds, Heverlee, Belgium