Journal of Cryptology

, Volume 28, Issue 2, pp 257–296 | Cite as

The Rebound Attack and Subspace Distinguishers: Application to Whirlpool

  • Mario Lamberger
  • Florian Mendel
  • Martin Schläffer
  • Christian Rechberger
  • Vincent Rijmen
Article
First Online:
Received:

Abstract

We introduce the rebound attack as a variant of differential cryptanalysis on hash functions and apply it to the hash function Whirlpool, standardized by ISO/IEC. We give attacks on reduced variants of the 10-round Whirlpool hash function and compression function. Our results are collisions for 5.5 and near-collisions for 7.5 rounds on the hash function, as well as semi-free-start collisions for 7.5 and semi-free-start near-collisions for 9.5 rounds on the compression function. Additionally, we introduce the subspace problem as a generalization of near-collision resistance. Finally, we present the first distinguishers that apply to the full compression function and the full underlying block cipher W of Whirlpool.

Key words

Hash functions Cryptanalysis Near-collision Distinguisher 
This is a preview of subscription content, log in to check access

Notes

Acknowledgements

We thank Willi Meier and the anonymous referees for their comments on this paper. The work in this paper has been supported in part by the Secure Information Technology Center—Austria (A-SIT), by the Austrian Science Fund (FWF), project P21936-N23 and by the KU Leuven Research Fund (OT/13/071).

References

  1. [1]
    P.S.L.M. Barreto, V. Rijmen, The Whirlpool Hashing Function. Submitted to NESSIE (2000). Available online: http://www.larc.usp.br/~pbarreto/WhirlpoolPage.html
  2. [2]
    E. Biham, A. Shamir, Differential cryptanalysis of DES-like cryptosystems. J. Cryptol. 4(1), 3–72 (1991) CrossRefMATHMathSciNetGoogle Scholar
  3. [3]
    A. Biryukov, D. Khovratovich, I. Nikolić, Distinguisher and related-key attack on the full AES-256, in CRYPTO, ed. by S. Halevi. LNCS, vol. 5677 (Springer, Berlin, 2009), pp. 231–249 Google Scholar
  4. [4]
    A. Bogdanov, D. Khovratovich, C. Rechberger, Biclique cryptanalysis of the full AES, in ASIACRYPT, ed. by D.H. Lee, X. Wang. LNCS, vol. 7073 (Springer, Berlin, 2011), pp. 344–371 Google Scholar
  5. [5]
    C. Bouillaguet, P. Derbez, P.A. Fouque, Automatic search of attacks on round-reduced AES and applications, in CRYPTO, ed. by P. Rogaway. LNCS, vol. 6841 (Springer, Berlin, 2011), pp. 169–187 Google Scholar
  6. [6]
    F. Chabaud, A. Joux, Differential collisions in SHA-0, in CRYPTO, ed. by H. Krawczyk. LNCS, vol. 1462 (Springer, Berlin, 1998), pp. 56–71 Google Scholar
  7. [7]
    J. Daemen, V. Rijmen, The wide trail design strategy, in IMA Int. Conf., ed. by B. Honary. LNCS, vol. 2260 (Springer, Berlin, 2001), pp. 222–238 Google Scholar
  8. [8]
    J. Daemen, V. Rijmen, The Design of Rijndael: AES—The Advanced Encryption Standard (Springer, Berlin, 2002) CrossRefGoogle Scholar
  9. [9]
    I. Damgård, A design principle for hash functions, in CRYPTO, ed. by G. Brassard. LNCS, vol. 435 (Springer, Berlin, 1989), pp. 416–427 Google Scholar
  10. [10]
    C. De Cannière, F. Mendel, C. Rechberger, Collisions for 70-step SHA-1: on the full cost of collision search, in Selected Areas in Cryptography, ed. by C.M. Adams, A. Miri, M.J. Wiener. LNCS, vol. 4876 (Springer, Berlin, 2007), pp. 56–73 CrossRefGoogle Scholar
  11. [11]
    C. De Cannière, C. Rechberger, Finding SHA-1 characteristics: general results and applications, in ASIACRYPT, ed. by X. Lai, K. Chen. LNCS, vol. 4284 (Springer, Berlin, 2006), pp. 1–20 Google Scholar
  12. [12]
    P. Derbez, P.A. Fouque, J. Jean, Faster chosen-key distinguishers on reduced-round AES, in INDOCRYPT, ed. by S.D. Galbraith, M. Nandi. LNCS, vol. 7668 (Springer, Berlin, 2012), pp. 225–243 Google Scholar
  13. [13]
    I. Dinur, O. Dunkelman, N. Keller, A. Shamir, Efficient dissection of composite problems, with applications to cryptanalysis, knapsacks, and combinatorial search problems, in CRYPTO, ed. by R. Safavi-Naini, R. Canetti. LNCS, vol. 7417 (Springer, Berlin, 2012), pp. 719–740 Google Scholar
  14. [14]
    H. Dobbertin, The status of MD5 after a recent attack. CryptoBytes 2(2), 1–6 (1996) MathSciNetGoogle Scholar
  15. [15]
    H. Dobbertin, Cryptanalysis of MD4. J. Cryptol. 11(4), 253–271 (1998) CrossRefMATHGoogle Scholar
  16. [16]
    A. Duc, J. Guo, T. Peyrin, L. Wei, Unaligned rebound attack: application to Keccak, in FSE, ed. by A. Canteaut. LNCS, vol. 7549 (Springer, Berlin, 2012), pp. 402–421 Google Scholar
  17. [17]
    S. Fisher, Classroom notes: matrices over a finite field. Am. Math. Mon. 73(6), 639–641 (1966) CrossRefMATHGoogle Scholar
  18. [18]
    P.A. Fouque, J. Jean, T. Peyrin, Structural evaluation of AES and chosen-key distinguisher of 9-round AES-128, in CRYPTO (1), ed. by R. Canetti, J.A. Garay. LNCS, vol. 8042 (Springer, Berlin, 2013), pp. 183–203 Google Scholar
  19. [19]
    H. Gilbert, M. Minier, A collision attack on 7 rounds of Rijndael, in AES Candidate Conference, (2000), pp. 230–241 Google Scholar
  20. [20]
    H. Gilbert, T. Peyrin, Super-Sbox cryptanalysis: improved attacks for AES-like permutations, in FSE, ed. by S. Hong, T. Iwata. LNCS, vol. 6147 (Springer, Berlin, 2010), pp. 365–383 Google Scholar
  21. [21]
    N. Haller, The S/KEY One-Time Password System. IETF Request for Comments (RFC) 1760 (1995). Available online: http://www.faqs.org/rfcs/rfc1760.html
  22. [22]
    N. Haller, C. Metz, P. Nesser, M. Straw, A One-Time Password System. IETF Request for Comments (RFC) 2289 (1998). Available online: http://www.faqs.org/rfcs/rfc2289.html
  23. [23]
    K. Ideguchi, E. Tischhauser, B. Preneel, Improved collision attacks on the reduced-round Grøstl hash function, in ISC, ed. by M. Burmester, G. Tsudik, S.S. Magliveras, I. Ilic. LNCS, vol. 6531 (Springer, Berlin, 2010), pp. 1–16 Google Scholar
  24. [24]
    International Organization for Standardization: Information Technology—Security Techniques—Hash-Functions. Part 3: Dedicated Hash-Functions. ISO/IEC 10118-3:2004 (2004) Google Scholar
  25. [25]
    J. Jean, P.A. Fouque, Practical near-collisions and collisions on round-reduced ECHO-256 compression function, in FSE, ed. by A. Joux. LNCS, vol. 6733 (Springer, Berlin, 2011), pp. 107–127 Google Scholar
  26. [26]
    J. Jean, M. Naya-Plasencia, T. Peyrin, Improved rebound attack on the finalist Grøstl, in FSE, ed. by A. Canteaut. LNCS, vol. 7549 (Springer, Berlin, 2012), pp. 110–126 Google Scholar
  27. [27]
    J. Jean, M. Naya-Plasencia, M. Schläffer, Improved analysis of ECHO-256, in Selected Areas in Cryptography, ed. by A. Miri, S. Vaudenay. LNCS, vol. 7118 (Springer, Berlin, 2011), pp. 19–36 CrossRefGoogle Scholar
  28. [28]
    J. Kelsey, S. Lucks, Collisions and near-collisions for reduced-round Tiger, in FSE, ed. by M.J.B. Robshaw. LNCS, vol. 4047 (Springer, Berlin, 2006), pp. 111–125 Google Scholar
  29. [29]
    D. Khovratovich, M. Naya-Plasencia, A. Röck, M. Schläffer, Cryptanalysis of Luffa v2 components, in Selected Areas in Cryptography, ed. by A. Biryukov, G. Gong, D.R. Stinson. LNCS, vol. 6544 (Springer, Berlin, 2010), pp. 388–409 CrossRefGoogle Scholar
  30. [30]
    D. Khovratovich, I. Nikolić, C. Rechberger, Rotational rebound attacks on reduced Skein, in ASIACRYPT, ed. by M. Abe. LNCS, vol. 6477 (Springer, Berlin, 2010), pp. 1–19 Google Scholar
  31. [31]
    L.R. Knudsen, Truncated and higher order differentials, in FSE, ed. by B. Preneel. LNCS, vol. 1008 (Springer, Berlin, 1994), pp. 196–211 Google Scholar
  32. [32]
    L.R. Knudsen, Non-random properties of reduced-round Whirlpool. NESSIE public report, NES/DOC/UIB/WP5/017/1 (2002) Google Scholar
  33. [33]
    L.R. Knudsen, V. Rijmen, Known-key distinguishers for some block ciphers, in ASIACRYPT, ed. by K. Kurosawa. LNCS, vol. 4833 (Springer, Berlin, 2007), pp. 315–324 Google Scholar
  34. [34]
    S. Kölbl, F. Mendel, Practical attacks on the Maelstrom-0 compression function, in ACNS, ed. by J. Lopez, G. Tsudik. LNCS, vol. 6715, (2011), pp. 449–461 Google Scholar
  35. [35]
    M. Lamberger, F. Mendel, C. Rechberger, V. Rijmen, M. Schläffer, Rebound distinguishers: results on the full whirlpool compression function, in ASIACRYPT, ed. by M. Matsui. LNCS, vol. 5912 (Springer, Berlin, 2009), pp. 126–143 Google Scholar
  36. [36]
    G. Leurent, Construction of differential characteristics in ARX designs application to Skein, in CRYPTO (1), ed. by R. Canetti, J.A. Garay. LNCS, vol. 8042 (Springer, Berlin, 2013), pp. 241–258 Google Scholar
  37. [37]
    R. Lidl, H. Niederreiter, Finite fields, in Encyclopedia of Mathematics and Its Applications, vol. 20, 2nd edn. (Cambridge University Press, Cambridge, 1997). With a foreword by P.M. Cohn Google Scholar
  38. [38]
    K. Matusiewicz, M. Naya-Plasencia, I. Nikolić, Y. Sasaki, M. Schläffer, Rebound attack on the full lane compression function, in ASIACRYPT, ed. by M. Matsui. LNCS, vol. 5912 (Springer, Berlin, 2009), pp. 106–125 Google Scholar
  39. [39]
    F. Mendel, T. Peyrin, C. Rechberger, M. Schläffer, Improved cryptanalysis of the reduced Grøstl compression function, ECHO permutation and AES block cipher, in Selected Areas in Cryptography, ed. by M.J. Jacobson Jr., V. Rijmen, R. Safavi-Naini. LNCS, vol. 5867 (Springer, Berlin, 2009), pp. 16–35 CrossRefGoogle Scholar
  40. [40]
    F. Mendel, B. Preneel, V. Rijmen, H. Yoshida, D. Watanabe, Update on Tiger, in INDOCRYPT, ed. by R. Barua, T. Lange. LNCS, vol. 4329 (Springer, Berlin, 2006), pp. 63–79 Google Scholar
  41. [41]
    F. Mendel, C. Rechberger, M. Schläffer, Cryptanalysis of Twister, in ACNS, ed. by M. Abdalla, D. Pointcheval, P.A. Fouque, D. Vergnaud. LNCS, vol. 5536, (2009), pp. 342–353 Google Scholar
  42. [42]
    F. Mendel, C. Rechberger, M. Schläffer, S.S. Thomsen, The rebound attack: cryptanalysis of reduced whirlpool and Grøstl, in FSE, ed. by O. Dunkelman. LNCS, vol. 5665 (Springer, Berlin, 2009), pp. 260–276 Google Scholar
  43. [43]
    F. Mendel, C. Rechberger, M. Schläffer, S.S. Thomsen, Rebound attacks on the reduced Grøstl hash function, in CT-RSA, ed. by J. Pieprzyk. LNCS, vol. 5985 (Springer, Berlin, 2010), pp. 350–365 Google Scholar
  44. [44]
    F. Mendel, V. Rijmen, Cryptanalysis of the Tiger hash function, in ASIACRYPT, ed. by K. Kurosawa. LNCS, vol. 4833 (Springer, Berlin, 2007), pp. 536–550 Google Scholar
  45. [45]
    R.C. Merkle, One way hash functions and DES, in CRYPTO, ed. by G. Brassard. LNCS, vol. 435 (Springer, Berlin, 1989), pp. 428–446 Google Scholar
  46. [46]
    M. Minier, M. Naya-Plasencia, T. Peyrin, Analysis of Reduced-SHAvite-3-256 v2, in FSE, ed. by A. Joux. LNCS, vol. 6733 (Springer, Berlin, 2011), pp. 68–87 Google Scholar
  47. [47]
    National Institute of Standards and Technology: Announcing request for candidate algorithm nominations for a new cryptographic hash algorithm (SHA-3) family. Federal Register 27(212), 62212–62220 (November 2007). Available online: http://csrc.nist.gov/groups/ST/hash/documents/FR_Notice_Nov07.pdf
  48. [48]
    M. Naya-Plasencia, How to improve rebound attacks, in CRYPTO, ed. by P. Rogaway. LNCS, vol. 6841 (Springer, Berlin, 2011), pp. 188–205 Google Scholar
  49. [49]
    M. Naya-Plasencia, D. Toz, K. Varici, Rebound attack on JH42, in ASIACRYPT, ed. by D.H. Lee, X. Wang. LNCS, vol. 7073 (Springer, Berlin, 2011), pp. 252–269 Google Scholar
  50. [50]
    NESSIE, New European Schemes for Signatures, Integrity, and Encryption. IST-1999-12324. Available online: http://cryptonessie.org/
  51. [51]
    T. Peyrin, Cryptanalysis of Grindahl, in ASIACRYPT, ed. by K. Kurosawa. LNCS, vol. 4833 (Springer, Berlin, 2007), pp. 551–567 Google Scholar
  52. [52]
    T. Peyrin, Improved differential attacks for ECHO and Grøstl, in CRYPTO, ed. by T. Rabin. LNCS, vol. 6223 (Springer, Berlin, 2010), pp. 370–392 Google Scholar
  53. [53]
    V. Rijmen, B. Preneel, Improved characteristics for differential cryptanalysis of hash functions based on block ciphers, in FSE, ed. by B. Preneel. LNCS, vol. 1008 (Springer, Berlin, 1994), pp. 242–248 Google Scholar
  54. [54]
    V. Rijmen, D. Toz, K. Varici, Rebound attack on reduced-round versions of JH, in FSE, ed. by S. Hong, T. Iwata. LNCS, vol. 6147 (Springer, Berlin, 2010), pp. 286–303 Google Scholar
  55. [55]
    H. Robbins, A remark on Stirling’s formula. Am. Math. Mon. 62, 26–29 (1955) CrossRefMATHGoogle Scholar
  56. [56]
    Y. Sasaki, Meet-in-the-middle preimage attacks on AES hashing modes and an application to whirlpool, in FSE, ed. by A. Joux. LNCS, vol. 6733 (Springer, Berlin, 2011), pp. 378–396 Google Scholar
  57. [57]
    Y. Sasaki, Y. Li, L. Wang, K. Sakiyama, K. Ohta, Non-full-active Super-Sbox analysis: applications to ECHO and Grøstl, in ASIACRYPT, ed. by M. Abe. LNCS, vol. 6477 (Springer, Berlin, 2010), pp. 38–55 Google Scholar
  58. [58]
    Y. Sasaki, N. Takayanagi, K. Sakiyama, K. Ohta, Experimental verification of Super-Sbox analysis—confirmation of detailed attack complexity, in IWSEC, ed. by T. Iwata, M. Nishigaki. LNCS, vol. 7038 (Springer, Berlin, 2011), pp. 178–192 Google Scholar
  59. [59]
    Y. Sasaki, L. Wang, S. Wu, W. Wu, Investigating fundamental security requirements on whirlpool: improved preimage and collision attacks, in ASIACRYPT, ed. by X. Wang, K. Sako. LNCS, vol. 7658 (Springer, Berlin, 2012), pp. 562–579 Google Scholar
  60. [60]
    M. Schläffer, Subspace distinguisher for 5/8 rounds of the ECHO-256 hash function, in Selected Areas in Cryptography, ed. by A. Biryukov, G. Gong, D.R. Stinson. LNCS, vol. 6544 (Springer, Berlin, 2010), pp. 369–387 CrossRefGoogle Scholar
  61. [61]
    D. Wagner, The boomerang attack, in FSE, ed. by L.R. Knudsen. LNCS, vol. 1636 (Springer, Berlin, 1999), pp. 156–170 Google Scholar
  62. [62]
    X. Wang, Y.L. Yin, H. Yu, Finding collisions in the full SHA-1, in CRYPTO, ed. by V. Shoup. LNCS, vol. 3621 (Springer, Berlin, 2005), pp. 17–36 Google Scholar
  63. [63]
    X. Wang, H. Yu, How to break MD5 and other hash functions, in EUROCRYPT, ed. by R. Cramer. LNCS, vol. 3494 (Springer, Berlin, 2005), pp. 19–35 Google Scholar
  64. [64]
    S. Wu, D. Feng, W. Wu, Cryptanalysis of the LANE hash function, in Selected Areas in Cryptography, ed. by M.J. Jacobson Jr., V. Rijmen, R. Safavi-Naini. LNCS, vol. 5867 (Springer, Berlin, 2009), pp. 126–140 CrossRefGoogle Scholar
  65. [65]
    S. Wu, D. Feng, W. Wu, Practical rebound attack on 12-round Cheetah-256, in ICISC, ed. by D. Lee, S. Hong. LNCS, vol. 5984 (Springer, Berlin, 2009), pp. 300–314 Google Scholar
  66. [66]
    H. Yu, J. Chen, X. Wang, Partial-collision attack on the round-reduced compression function of Skein-256, in FSE, ed. by S. Moriai. LNCS (Springer, Berlin, 2013, to appear) Google Scholar

Copyright information

© International Association for Cryptologic Research 2013

Authors and Affiliations

  • Mario Lamberger
    • 1
  • Florian Mendel
    • 2
  • Martin Schläffer
    • 2
  • Christian Rechberger
    • 3
  • Vincent Rijmen
    • 4
  1. 1.NXP Semiconductors AustriaGratkornAustria
  2. 2.IAIKGraz University of TechnologyGrazAustria
  3. 3.DTU ComputeLyngbyDenmark
  4. 4.Dept. of Electrical Engineering ESAT/COSICKU Leuven and iMindsHeverleeBelgium

Personalised recommendations