A Collision Attack on a Double-Block-Length Compression Function Instantiated with Round-Reduced AES-256

  • Jiageng Chen
  • Shoichi Hirose
  • Hidenori Kuwakado
  • Atsuko Miyaji
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8949)


This paper presents the first non-trivial collision attack on the double-block-length compression function presented at FSE 2006 instantiated with round-reduced AES-256: \(f_0(h_0\Vert h_1,M)\Vert f_1(h_0\Vert h_1,M)\) such that
$$\begin{aligned} f_0(h_0 \Vert h_1,M)&=E_{h_1\Vert M}(h_0)\oplus h_0 ,\\ f_1(h_0 \Vert h_1,M)&=E_{h_1\Vert M}(h_0\oplus c)\oplus h_0\oplus c , \end{aligned}$$
where \(\Vert \) represents concatenation, \(E\) is AES-256 and \(c\) is a non-zero constant. The proposed attack is a free-start collision attack. It uses the rebound attack proposed by Mendel et al. It finds a collision with time complexity \(2^{8}\), \(2^{64}\) and \(2^{120}\) for the instantiation with 6-round, 8-round and 9-round AES-256, respectively. The space complexity is negligible. The attack is effective against the instantiation with 6-/8-round AES-256 if the \(16\)-byte constant \(c\) has a single non-zero byte. It is effective against the instantiation with 9-round AES-256 if the constant \(c\) has four non-zero bytes at some specific positions.
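The construction above written out as runnable code, as an added example that is not taken from the paper: a compact AES-256 with a `rounds` parameter feeds the two halves \(f_0\) and \(f_1\). The function names and the reduced-round convention (the first `rounds` rounds, with MixColumns omitted in the last one) are assumptions of this example; the page does not state the paper's reduced-round definition.

```python
# Added example; reduced-round convention (last round without MixColumns) is an assumption.
def xt(a):  # multiply by x in GF(2^8) modulo the AES polynomial 0x11B
    return ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1

def gmul(a, b):  # GF(2^8) product, used only to build the S-box
    r = 0
    while b:
        r, a, b = r ^ (a if b & 1 else 0), xt(a), b >> 1
    return r

def make_sbox():  # field inversion followed by the AES affine map
    box = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if gmul(x, y) == 1), 0)
        rot = [((inv << i) | (inv >> (8 - i))) & 0xFF for i in range(5)]
        box.append(rot[0] ^ rot[1] ^ rot[2] ^ rot[3] ^ rot[4] ^ 0x63)
    return box

SBOX = make_sbox()

def round_keys(key, rounds):  # AES-256 key schedule (Nk = 8), rounds + 1 keys
    w, rc = [list(key[4 * i:4 * i + 4]) for i in range(8)], 1
    for i in range(8, 4 * (rounds + 1)):
        t = w[i - 1]
        if i % 8 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0], rc = t[0] ^ rc, xt(rc)
        elif i % 8 == 4:
            t = [SBOX[b] for b in t]
        w.append([a ^ b for a, b in zip(w[i - 8], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(rounds + 1)]

def aes256(key, block, rounds=14):
    rk = round_keys(key, rounds)
    s = [a ^ b for a, b in zip(block, rk[0])]
    for r in range(1, rounds + 1):
        s = [SBOX[s[(i + 4 * (i % 4)) % 16]] for i in range(16)]  # SubBytes + ShiftRows
        if r < rounds:  # MixColumns, skipped in the last round
            s = [xt(c[j]) ^ xt(c[(j + 1) % 4]) ^ c[(j + 1) % 4] ^ c[(j + 2) % 4] ^ c[(j + 3) % 4]
                 for c in (s[k:k + 4] for k in range(0, 16, 4)) for j in range(4)]
        s = [a ^ b for a, b in zip(s, rk[r])]
    return bytes(s)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def dbl_compress(h0, h1, m, c, rounds=14):  # returns (f0, f1) from the page's formula
    key, g0 = h1 + m, xor(h0, c)            # key is h1 || M, second input is h0 xor c
    return xor(aes256(key, h0, rounds), h0), xor(aes256(key, g0, rounds), g0)
```

For any `c` and any round count, `dbl_compress(xor(h0, c), h1, m, c)` returns the two halves of `dbl_compress(h0, h1, m, c)` in swapped order, because both calls encrypt the same two blocks under the same key.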


Keywords: Double-block-length compression function, Free-start collision attack, Rebound attack, AES-256



The authors would like to thank the anonymous reviewers for their valuable comments. This work was supported by JSPS KAKENHI Grant Numbers 21240001 and 25330150.



Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Jiageng Chen (1)
  • Shoichi Hirose (2)
  • Hidenori Kuwakado (3)
  • Atsuko Miyaji (1)

  1. School of Information Science, Japan Advanced Institute of Science and Technology, Nomi, Japan
  2. Graduate School of Engineering, University of Fukui, Fukui, Japan
  3. Faculty of Informatics, Kansai University, Suita, Japan
