A Collision Attack on a Double-Block-Length Compression Function Instantiated with 8-/9-Round AES-256
Authors
Abstract
f0(h0∥h1,M) = E_{h1∥M}(h0) ⊕ h0, f1(h0∥h1,M) = E_{h1∥M}(h0 ⊕ c) ⊕ h0 ⊕ c, where ∥ represents concatenation, E is AES-256 and c is a 16-byte nonzero constant. The proposed attack is a free-start collision attack using the rebound attack proposed by Mendel et al. The success of the proposed attack largely depends on the configuration of the constant c: the number of its non-zero bytes and their positions. For the instantiation with AES-256 reduced from 14 rounds to 8 rounds, it is effective if the constant c has at most four non-zero bytes at some specific positions, and the time complexity is 2^64 or 2^96. For the instantiation with AES-256 reduced to 9 rounds, it is effective if the constant c has four non-zero bytes at some specific positions, and the time complexity is 2^120. The space complexity is negligible in both cases.
Key words: double-block-length compression function, free-start collision attack, rebound attack, AES-256
Similar resources
A Collision Attack on a Double-Block-Length Compression Function Instantiated with Round-Reduced AES-256
This paper presents the first non-trivial collision attack on the double-block-length compression function presented at FSE 2006 instantiated with round-reduced AES-256: f0(h0∥h1,M)∥f1(h0∥h1,M) such that f0(h0∥h1,M) = E_{h1∥M}(h0) ⊕ h0, f1(h0∥h1,M) = E_{h1∥M}(h0 ⊕ c) ⊕ h0 ⊕ c, where ∥ represents concatenation, E is AES-256 and c is a non-zero constant. The proposed attack is a free-start collision ...
Security of Cyclic Double Block Length Hash Functions
We provide the first proof of security for Abreast-DM, one of the oldest and most well-known constructions for turning a block cipher with n-bit block length and 2n-bit key length into a 2n-bit cryptographic hash function. In particular, we prove that when Abreast-DM is instantiated with AES-256, i.e. a block cipher with 128-bit block length and 256-bit key length, any adversary that asks less t...
Collision Attack on 4-Branch, Type-2 GFN Based Hash Functions Using Sliced Biclique Cryptanalysis Technique
In this work, we apply the sliced biclique cryptanalysis technique to show 8-round collision attack on a hash function H based on 4-branch, Type-2 Generalized Feistel Network (Type-2 GFN). This attack is generic and works on 4-branch, Type-2 GFN with any parameters including the block size, type of round function, the number of S-boxes in each round and the number of SP layers inside the round ...
Cryptanalysis of Twister
In this paper, we present a pseudo-collision attack on the compression function of all Twister variants (224,256,384,512) with complexity of about 2 compression function evaluations. Furthermore, we show how the compression function attack can be extended to construct collisions for Twister-512 with complexity of about 2. 1 Description of Twister The hash function Twister is an iterated hash fu...
Non-full-active Super-Sbox Analysis: Applications to ECHO and Grøstl
In this paper, we present non-full-active Super-Sbox analysis which can detect non-ideal properties of a class of AES-based permutations with a low complexity. We apply this framework to SHA-3 round-2 candidates ECHO and Grøstl. The first application is for the full-round (8-round) ECHO permutation, which is a building block for 256-bit and 224-bit output sizes. By combining several observation...
Journal title:
- IEICE Transactions
Volume 99-A Issue
Pages -
Publication date 2016