The Rebound Attack and Subspace Distinguishers: Application to Whirlpool
Abstract
We introduce the rebound attack as a variant of differential cryptanalysis on hash functions and apply it to the hash function Whirlpool, standardized by ISO/IEC. We give attacks on reduced variants of the 10-round Whirlpool hash function and compression function. Our results are collisions for 5.5 and near-collisions for 7.5 rounds on the hash function, as well as semi-free-start collisions for 7.5 and semi-free-start near-collisions for 9.5 rounds on the compression function. Additionally, we introduce the subspace problem as a generalization of near-collision resistance. Finally, we present the first distinguishers that apply to the full compression function and the full underlying block cipher W of Whirlpool.
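The abstract speaks of near-collisions (two outputs that differ in only a few bits) and of the subspace problem as a generalization of near-collision resistance. The Python below is an added illustration and not code from the paper or from Whirlpool: it measures the Hamming distance between two digests and computes the GF(2) dimension spanned by a set of output differences, which is the quantity a subspace distinguisher would examine. The digests and difference patterns are constructed 8-byte sample values (real Whirlpool digests are 64 bytes), and all function names are chosen here rather than taken from the paper.

```python
"""Added illustration: near-collision distance and difference-subspace dimension.
Sample digests below are constructed values, not real Whirlpool outputs."""
from typing import Iterable, List, Sequence, Tuple


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings (the output difference)."""
    if len(a) != len(b):
        raise ValueError("digests must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def hamming_weight(d: bytes) -> int:
    """Number of set bits in d, i.e. how many output bits differ."""
    return sum(bin(byte).count("1") for byte in d)


def is_near_collision(h1: bytes, h2: bytes, max_diff_bits: int) -> bool:
    """Near-collision: the two outputs differ in at most max_diff_bits bits."""
    return hamming_weight(xor_bytes(h1, h2)) <= max_diff_bits


def gf2_rank(vectors: Iterable[int]) -> int:
    """Dimension of the GF(2)-span of the given bit vectors.

    Gaussian elimination keyed by leading bit: each vector is reduced by the
    stored pivot with the same leading bit until it is zero or introduces a
    new leading bit.  The number of pivots is the rank.
    """
    pivots = {}  # leading bit position -> basis vector with that leading bit
    for v in vectors:
        while v:
            lead = v.bit_length() - 1
            if lead not in pivots:
                pivots[lead] = v
                break
            v ^= pivots[lead]
    return len(pivots)


def difference_dimension(pairs: Sequence[Tuple[bytes, bytes]]) -> int:
    """Dimension of the subspace spanned by the output differences of pairs.

    A set of output pairs whose differences span a subspace of low dimension
    is the kind of structure a subspace distinguisher looks for.
    """
    diffs = [int.from_bytes(xor_bytes(h1, h2), "big") for h1, h2 in pairs]
    return gf2_rank(diffs)


# Constructed 8-byte sample "digests" (assumption: shortened for readability).
BASE = bytes.fromhex("0123456789abcdef")
NEAR = bytes.fromhex("0123456789abcdee")   # differs from BASE in 1 bit
FAR = bytes.fromhex("fedcba9876543210")    # differs from BASE in all 64 bits

# Constructed pairs whose differences are 0x01, 0x02, 0x03 and 0x80.
# 0x03 = 0x01 ^ 0x02 is linearly dependent, so the span has dimension 3.
_DIFF_PATTERNS: List[bytes] = [
    bytes(7) + b"\x01",
    bytes(7) + b"\x02",
    bytes(7) + b"\x03",
    bytes(7) + b"\x80",
]
SAMPLE_PAIRS = [(BASE, xor_bytes(BASE, d)) for d in _DIFF_PATTERNS]

if __name__ == "__main__":
    print("BASE vs NEAR differs in", hamming_weight(xor_bytes(BASE, NEAR)), "bits")
    print("BASE vs FAR  differs in", hamming_weight(xor_bytes(BASE, FAR)), "bits")
    print("difference subspace dimension:", difference_dimension(SAMPLE_PAIRS))
```

For a digest of n bits, a set of difference vectors of dimension well below n produced at a cost below the generic bound is what the abstract calls a subspace distinguisher; the rank routine above is the check one would run on candidate outputs, independent of how they were found.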
Key words
Hash functions, Cryptanalysis, Near-collision, Distinguisher
Acknowledgements
We thank Willi Meier and the anonymous referees for their comments on this paper. The work in this paper has been supported in part by the Secure Information Technology Center—Austria (A-SIT), by the Austrian Science Fund (FWF), project P21936-N23 and by the KU Leuven Research Fund (OT/13/071).