Cryptanalysis of Twister

Authors

  • Florian Mendel
  • Christian Rechberger
  • Martin Schläffer
Abstract

In this paper, we present a pseudo-collision attack on the compression function of all Twister variants (224, 256, 384, 512) with complexity of about 2 compression function evaluations. Furthermore, we show how the compression function attack can be extended to construct collisions for Twister-512 with complexity of about 2.

1 Description of Twister

The hash function Twister is an iterated hash function based on the Merkle-Damgård design principle. It processes message blocks of 512 bits and produces a hash value of 224, 256, 384, or 512 bits. If the message length is not a multiple of 512, an unambiguous padding method is applied. For the description of the padding method we refer to [1]. Let $m = m_1 \| m_2 \| \cdots \| m_t$ be a $t$-block message (after padding). The hash value $h = H(m)$ is computed as follows:

$H_0 = IV$
$H_i = f(H_{i-1}, M_i)$ for $0 < i \le t$
$H_{t+1} = f(H_t, C) = h$,

where $IV$ is a predefined initial value and $C$ is the value of the checksum. It is computed from the intermediate values of the internal state after each Mini-Round. Note that while for Twister-224/256 the checksum is optional, it is mandatory for Twister-384/512.

The compression function of Twister basically consists of 3 Maxi-Rounds. Each Maxi-Round consists of 3 or 4 Mini-Rounds (depending on the output size of Twister) and is followed by a feed-forward XOR operation.

[Fig. 1. The compression function of Twister-224/256: Mini-Rounds r1 to r9 in three Maxi-Rounds, message words M1 to M8 injected, a feed-forward XOR after each Maxi-Round, mapping Ht-1 to Ht.]

[Fig. 2. The compression function of Twister-384/512: Mini-Rounds r1 to r10 in three Maxi-Rounds, message words M1 to M8 injected, a feed-forward XOR after each Maxi-Round, mapping Ht-1 to Ht.]

The Mini-Round of Twister is very similar to the Advanced Encryption Standard (AES) [4]. It updates an $8 \times 8$ state $S$ of 64 bytes as follows:

  • MessageInjection: an 8-byte message block $M$ is inserted (via XOR) into the last row of the $8 \times 8$ state $S$.
  • AddTwistCounter: an 8-byte block counter is XORed into the second column of the state $S$.
  • SubBytes is identical to the SubBytes operation of AES. It applies an S-Box to each byte of the state independently.
  • ShiftRows is a cyclic left shift similar to the ShiftRows operation of AES. It rotates row $j$ by $(j - 1) \bmod 8$ bytes to the left.
  • MixColumns is similar to the MixColumns operation of AES. It applies an $8 \times 8$ MDS matrix $A$ to each column of the state $S$.

After the last message block and/or the checksum has been processed, the final hash value is generated from the last chaining value by an output transformation. For a detailed description of Twister we refer to [1].

2 Pseudo-collision for the compression function

In this section, we present a pseudo-collision attack on the compression function of Twister for all output sizes. The attack has a complexity of about $2^{26.5}$ compression function evaluations. In the attack we use the characteristic of Figure 3 for the first Maxi-Round (3 Mini-Rounds) of Twister. The 3 Mini-Rounds are denoted by $r_1$, $r_2$ and $r_3$, and the state after Mini-Round $r_i$ is denoted by $S_i$. The initial state or chaining value is denoted by $S_0$. In the attack we add a difference in message word $M_1$ (8 active bytes) to the state $S_0$, which results in a full active state $S_1$ after the first Mini-Round $r_1$. After the MixColumns transformation of the second Mini-Round $r_2$, the differences result in 8 active bytes in the last row of state $S_2$, which can be canceled by the message word $M_3$ in the third Mini-Round $r_3$.

[Fig. 3. Characteristic to construct a pseudo-collision in the first Maxi-Round: states $S_0$ to $S_3$, Mini-Rounds $r_1$ to $r_3$ (each consisting of MI, ATC, SB, SR, MC), message words $M_1$, $M_2 = 0$, $M_3$, and the feed-forward with $H_{t-1}$.]

The message differences and values for the state are found using a meet-in-the-middle approach, and Figure 4 shows the characteristic in detail. We start with message word differences in $M_1$ and $M_3$ at states $S'_1$ and $S_2$. The differences can be propagated backward and forward through the MixColumns transformation with a probability of one (Step 1). Then, we simply need to find a match for the resulting input and output differences of the SubBytes layer of round $r_2$ (Step 2).

Step 1. We start the attack with 8 active bytes in states $S'_1$ and $S_2$ (injected by message words $M_1$ and $M_3$) and compute backward and forward to two full active states $S''_2$ and $S'''_2$. This happens with a probability of one due to the properties of the ShiftRows and MixColumns transformations. We repeat the computation $2^{28}$ times for message word $M_1$ and $2^{28}$ times for message word $M_3$. Hence, we get $2^{56}$ pairs of input/output differences for the S-boxes of round $r_2$.
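The probability-one propagation claimed in Step 1 depends only on which bytes are active, so it can be checked on activity patterns without the S-box or the matrix $A$. The following Python model is an added example, not code from the paper or from the Twister designers; it assumes 0-based row indices with the page's ShiftRows rule applied literally, and models MixColumns only through the MDS property of $A$.

```python
# Truncated-differential model of a Twister Mini-Round on the 8x8 byte state:
# only activity is tracked (1 = the byte carries a difference, 0 = it does not).
# Added example, not the paper's or the Twister designers' code. Assumptions:
# rows/columns are indexed 0..7 and the page's ShiftRows rule "rotate row j by
# (j-1) mod 8" is applied literally; MixColumns is modelled only through the
# MDS property of A (branch number 9), so no S-box or matrix values are needed.
N = 8

def inject_last_row(state, msg):
    """MI: message difference XORed into the last row. Two active flags give 0,
    modelling a message difference chosen to cancel the state difference (M3)."""
    out = [row[:] for row in state]
    out[N - 1] = [a ^ b for a, b in zip(out[N - 1], msg)]
    return out

def shift_rows(state, inverse=False):
    """SR: row j rotated left by (j-1) mod 8 bytes (right for the inverse). ATC
    and SB are omitted: neither changes an activity pattern (SB is a bijection)."""
    out = []
    for j, row in enumerate(state):
        s = (j - 1) % N
        s = -s if inverse else s
        out.append(row[s:] + row[:s])
    return out

def mix_columns(state):
    """MC and its inverse: one active byte in a column makes all eight outputs
    active with probability one (MDS); none stays none; two or more is not
    a probability-one pattern and is rejected."""
    out = [[0] * N for _ in range(N)]
    for c in range(N):
        k = sum(state[r][c] for r in range(N))
        if k > 1:
            raise ValueError("column %d has %d active inputs" % (c, k))
        for r in range(N):
            out[r][c] = 1 if k == 1 else 0
    return out

def step1_patterns():
    """Figure 4, Step 1: forward from the M1 difference to the S-box input of r2,
    backward from S2 to the S-box output of r2, then the M3 cancellation.
    Returns the active-byte counts of S''_2, S'''_2 and the state after M3."""
    zero = [[0] * N for _ in range(N)]
    eight = [1] * N                                  # 8 active message bytes
    s1 = mix_columns(shift_rows(inject_last_row(zero, eight)))  # r1, M1 active
    sbox_in_r2 = inject_last_row(s1, [0] * N)        # r2 injects M2 = 0: S''_2
    s2 = inject_last_row(zero, eight)                # S2: 8 active bytes, last row
    sbox_out_r2 = shift_rows(mix_columns(s2), inverse=True)     # MC^-1, SR^-1: S'''_2
    after_m3 = inject_last_row(s2, eight)            # r3: M3 cancels the last row
    return tuple(sum(map(sum, s)) for s in (sbox_in_r2, sbox_out_r2, after_m3))
```

Both S-box-side states come out with all 64 bytes active and the state after the M3 injection is difference-free, which is exactly the pattern the match in Step 2 is performed on.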


Publication date: 2009