A Collision Attack on a Double-Block-Length Compression Function Instantiated with Round-Reduced AES-256

  • Conference paper

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 8949))

Abstract

This paper presents the first non-trivial collision attack on the double-block-length compression function presented at FSE 2006 instantiated with round-reduced AES-256: \(f_0(h_0\Vert h_1,M)\Vert f_1(h_0\Vert h_1,M)\) such that

$$\begin{aligned} f_0(h_0 \Vert h_1,M)&=E_{h_1\Vert M}(h_0)\oplus h_0 ,\\ f_1(h_0 \Vert h_1,M)&=E_{h_1\Vert M}(h_0\oplus c)\oplus h_0\oplus c , \end{aligned}$$

where \(\Vert \) represents concatenation, \(E\) is AES-256 and \(c\) is a non-zero constant. The proposed attack is a free-start collision attack. It uses the rebound attack proposed by Mendel et al. It finds a collision with time complexity \(2^{8}\), \(2^{64}\) and \(2^{120}\) for the instantiation with 6-round, 8-round and 9-round AES-256, respectively. The space complexity is negligible. The attack is effective against the instantiation with 6-/8-round AES-256 if the \(16\)-byte constant \(c\) has a single non-zero byte. It is effective against the instantiation with 9-round AES-256 if the constant \(c\) has four non-zero bytes at some specific positions.
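As an added illustration, not code from the paper, the following Go program evaluates the double-block-length compression function exactly as defined above, with \(E\) taken from the standard library. The standard library only exposes the full 14-round AES-256, so this is an assumption that differs from the paper: it computes the unbroken instantiation, not the 6-, 8- or 9-round variants the attack targets. The input blocks are constructed for the example; the helper names (`Compress`, `SingleByteConstant`, `IsFreeStartCollision`) are the example's own. It also makes concrete two points a practitioner should keep in mind: a free-start collision lets the attacker choose the chaining value \(h_0\Vert h_1\) as well as \(M\), and with \(c = 0\) the two halves coincide, so the construction degenerates to single-block-length output.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/hex"
	"fmt"
)

// AES block length; the chaining value h0||h1 is two blocks, the message
// block M is one block, and the AES-256 key h1||M is 32 bytes.
const blockLen = 16

// Input is one compression-function input (h0 || h1, M). In the free-start
// setting of the paper the attacker chooses all three blocks.
type Input struct {
	H0, H1, M [blockLen]byte
}

// Output is the 32-byte result f0 || f1.
type Output struct {
	F0, F1 [blockLen]byte
}

// Compress evaluates f0 || f1 with E = full AES-256 (assumption: the Go
// standard library only offers the full 14-round cipher, so this is the
// unbroken instantiation, not the round-reduced variants the paper attacks):
//   f0 = E_{h1||M}(h0) xor h0
//   f1 = E_{h1||M}(h0 xor c) xor h0 xor c
func Compress(in Input, c [blockLen]byte) (Output, error) {
	var out Output
	key := make([]byte, 0, 2*blockLen)
	key = append(key, in.H1[:]...) // h1 || M: a 32-byte key selects AES-256
	key = append(key, in.M[:]...)
	blk, err := aes.NewCipher(key)
	if err != nil {
		return out, err
	}
	// Both halves reuse one key schedule; f1 costs one extra block encryption.
	blk.Encrypt(out.F0[:], in.H0[:])
	xorInto(out.F0[:], in.H0[:])

	var p1 [blockLen]byte
	for i := range p1 {
		p1[i] = in.H0[i] ^ c[i]
	}
	blk.Encrypt(out.F1[:], p1[:])
	xorInto(out.F1[:], p1[:])
	return out, nil
}

func xorInto(dst, src []byte) {
	for i := range dst {
		dst[i] ^= src[i]
	}
}

// SingleByteConstant builds a 16-byte c with exactly one non-zero byte, the
// shape of c under which the paper's 6- and 8-round attacks apply.
func SingleByteConstant(pos int, v byte) [blockLen]byte {
	var c [blockLen]byte
	c[pos] = v
	return c
}

// IsFreeStartCollision reports whether two distinct inputs (chaining value
// and/or message may differ) map to the same 32-byte output under constant c.
func IsFreeStartCollision(a, b Input, c [blockLen]byte) (bool, error) {
	if a == b {
		return false, nil // the same input twice is not a collision
	}
	oa, err := Compress(a, c)
	if err != nil {
		return false, err
	}
	ob, err := Compress(b, c)
	if err != nil {
		return false, err
	}
	return oa == ob, nil
}

func main() {
	var in Input // constructed sample blocks, 16 bytes each
	copy(in.H0[:], []byte("constructed-h0!!"))
	copy(in.H1[:], []byte("constructed-h1!!"))
	copy(in.M[:], []byte("constructed-msg!"))
	c := SingleByteConstant(0, 0x80)
	out, err := Compress(in, c)
	if err != nil {
		panic(err)
	}
	fmt.Println("f0 =", hex.EncodeToString(out.F0[:]))
	fmt.Println("f1 =", hex.EncodeToString(out.F1[:]))
	// With c = 0 the two halves coincide, so the output degenerates to a
	// single-block-length value: c must be non-zero for any DBL security.
	zero, _ := Compress(in, [blockLen]byte{})
	fmt.Println("halves equal with c=0:", bytes.Equal(zero.F0[:], zero.F1[:]))
}
```

The paper's attack itself is not reproduced here; `IsFreeStartCollision` only verifies a candidate pair, which is how one would check an input pair such as the one listed in the paper's Table 2 against a round-reduced implementation.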


Notes

  1. The complexity to compute admissible inputs of the AES S-box is omitted.

References

  1. Armknecht, F., Fleischmann, E., Krause, M., Lee, J., Stam, M., Steinberger, J.: The preimage security of double-block-length compression functions. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 233–251. Springer, Heidelberg (2011)

  2. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: The Keccak sponge function family (2008). http://keccak.noekeon.org

  3. Biryukov, A., Khovratovich, D., Nikolić, I.: Distinguisher and related-key attack on the full AES-256. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 231–249. Springer, Heidelberg (2009). An extended version is “Cryptology ePrint Archive: Report 2009/241” at http://eprint.iacr.org/

  4. Black, J., Rogaway, P., Shrimpton, T., Stam, M.: An analysis of the blockcipher-based hash functions from PGV. J. Cryptol. 23(4), 519–545 (2010)

  5. Bogdanov, A., Leander, G., Paar, C., Poschmann, A., Robshaw, M.J.B., Seurin, Y.: Hash functions and RFID tags: mind the gap. In: Oswald, E., Rohatgi, P. (eds.) CHES 2008. LNCS, vol. 5154, pp. 283–299. Springer, Heidelberg (2008)

  6. Brachtl, B.O., Coppersmith, D., Hyden, M.M., Matyas Jr., S.M., Meyer, C.H.W., Oseas, J., Pilpel, S., Schilling, M.: Data authentication using modification detection codes based on a public one-way encryption function, March 1990. US Patent # 4,908,861

  7. Canteaut, A. (ed.): FSE 2012. LNCS, vol. 7549. Springer, Heidelberg (2012)

  8. Daemen, J., Rijmen, V.: The Design of Rijndael. Springer, Heidelberg (2002)

  9. Duc, A., Guo, J., Peyrin, T., Wei, L.: Unaligned rebound attack: application to Keccak. In: Canteaut [7], pp. 402–421

  10. Ferguson, N.: Observations on H-PRESENT-128. CRYPTO 2011 Rump Session (2011). http://www.iacr.org/cryptodb/archive/2011/CRYPTO/video/rump/

  11. FIPS PUB 180–4. Secure hash standard (SHS), March 2012

  12. FIPS PUB 197. Advanced encryption standard (AES) (2001)

  13. Fleischmann, E., Gorski, M., Lucks, S.: Security of cyclic double block length hash functions. In: Parker [28], pp. 153–175

  14. Hirose, S.: Provably secure double-block-length hash functions in a black-box model. In: Park, C., Chee, S. (eds.) ICISC 2004. LNCS, vol. 3506, pp. 330–342. Springer, Heidelberg (2005)

  15. Hirose, S.: Some plausible constructions of double-block-length hash functions. In: Robshaw, M. (ed.) FSE 2006. LNCS, vol. 4047, pp. 210–225. Springer, Heidelberg (2006)

  16. Jean, J., Naya-Plasencia, M., Peyrin, T.: Multiple limited-birthday distinguishers and applications. In: Lange, T., Lauter, K., Lisoněk, P. (eds.) SAC 2013. LNCS, vol. 8282, pp. 533–550. Springer, Heidelberg (2014)

  17. Khovratovich, D., Nikolić, I., Rechberger, C.: Rotational rebound attacks on reduced skein. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 1–19. Springer, Heidelberg (2010)

  18. Knudsen, L.R., Gauravaram, P., Matusiewicz, K., Mendel, F., Rechberger, C., Schläffer, M., Thomsen, S.S.: Grøstl - a SHA-3 candidate (2008). http://www.groestl.info

  19. Lai, X., Massey, J.L.: A proposal for a new block encryption standard. In: Damgård, I.B. (ed.) EUROCRYPT 1990. LNCS, vol. 473, pp. 389–404. Springer, Heidelberg (1991)

  20. Lai, X., Massey, J.L.: Hash functions based on block ciphers. In: Rueppel, R.A. (ed.) EUROCRYPT 1992. LNCS, vol. 658, pp. 55–70. Springer, Heidelberg (1993)

  21. Lamberger, M., Mendel, F., Rechberger, C., Rijmen, V., Schläffer, M.: The rebound attack and subspace distinguishers: application to Whirlpool. Cryptology ePrint Archive, Report 2010/198 (2010). http://eprint.iacr.org/

  22. Lee, J., Kwon, D.: The security of Abreast-DM in the ideal cipher model. IEICE Trans. 94–A(1), 104–109 (2011)

  23. Lee, J., Stam, M.: MJH: a faster alternative to MDC-2. In: Kiayias, A. (ed.) CT-RSA 2011. LNCS, vol. 6558, pp. 213–236. Springer, Heidelberg (2011)

  24. Lee, J., Stam, M., Steinberger, J.: The collision security of Tandem-DM in the ideal cipher model. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 561–577. Springer, Heidelberg (2011)

  25. Mendel, F., Peyrin, T., Rechberger, C., Schläffer, M.: Improved cryptanalysis of the reduced Grøstl compression function, ECHO permutation and AES block cipher. In: Jacobson Jr, M.J., Rijmen, V., Safavi-Naini, R. (eds.) SAC 2009. LNCS, vol. 5867, pp. 16–35. Springer, Heidelberg (2009)

  26. Mendel, F., Rechberger, C., Schläffer, M., Thomsen, S.S.: The rebound attack: cryptanalysis of reduced Whirlpool and Grøstl. In: Dunkelman, O. (ed.) FSE 2009. LNCS, vol. 5665, pp. 260–276. Springer, Heidelberg (2009)

  27. Özen, O., Stam, M.: Another glance at double-length hashing. In: Parker [28], pp. 176–201

  28. Parker, M.G. (ed.): Cryptography and Coding 2009. LNCS, vol. 5921. Springer, Heidelberg (2009)

  29. Peyrin, T., Gilbert, H., Muller, F., Robshaw, M.J.B.: Combining compression functions and block cipher-based hash functions. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 315–331. Springer, Heidelberg (2006)

  30. Preneel, B., Govaerts, R., Vandewalle, J.: Hash functions based on block ciphers: a synthetic approach. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 368–378. Springer, Heidelberg (1994)

  31. Rijmen, V., Barreto, P.S.L.M.: The Whirlpool hash function (2000). http://www.larc.usp.br/pbarreto/WhirlpoolPage.html

  32. Rijmen, V., Toz, D., Varıcı, K.: Rebound attack on reduced-round versions of JH. In: Hong, S., Iwata, T. (eds.) FSE 2010. LNCS, vol. 6147, pp. 286–303. Springer, Heidelberg (2010)

  33. Rivest, R.: The MD5 message-digest algorithm. Request for Comments 1321 (RFC 1321), The Internet Engineering Task Force (1992)

  34. Sasaki, Y.: Meet-in-the-middle preimage attacks on AES hashing modes and an application to Whirlpool. IEICE Trans. Fundam. E96–A(1), 121–130 (2013)

  35. Wei, L., Peyrin, T., Sokołowski, P., Ling, S., Pieprzyk, J., Wang, H.: On the (in)security of IDEA in various hashing modes. In: Canteaut [7], pp. 163–179. The full version is “Cryptology ePrint Archive: Report 2012/264” at http://eprint.iacr.org/

Acknowledgments

The authors would like to thank the anonymous reviewers for their valuable comments. This work was supported by JSPS KAKENHI Grant Numbers 21240001 and 25330150.

Author information

Correspondence to Shoichi Hirose.

An Example of Collision for \(f_0\) Instantiated with 6-Round AES-256

Table 2 gives an example of a collision for \(f_0\) instantiated with 6-round AES-256.

Table 2. An example of a collision for \(f_0\) instantiated with 6-round AES-256

Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Chen, J., Hirose, S., Kuwakado, H., Miyaji, A. (2015). A Collision Attack on a Double-Block-Length Compression Function Instantiated with Round-Reduced AES-256. In: Lee, J., Kim, J. (eds) Information Security and Cryptology - ICISC 2014. ICISC 2014. Lecture Notes in Computer Science(), vol 8949. Springer, Cham. https://doi.org/10.1007/978-3-319-15943-0_17

  • DOI: https://doi.org/10.1007/978-3-319-15943-0_17

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-15942-3

  • Online ISBN: 978-3-319-15943-0