The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grøstl

Authors:
Florian Mendel;Christian Rechberger;Martin Schläffer;Søren S. Thomsen
Affiliations:
Institute for Applied Information Processing and Communications (IAIK), Graz University of Technology, Graz, Austria A-8010;Institute for Applied Information Processing and Communications (IAIK), Graz University of Technology, Graz, Austria A-8010;Institute for Applied Information Processing and Communications (IAIK), Graz University of Technology, Graz, Austria A-8010;Department of Mathematics, Technical University of Denmark, Kgs. Lyngby, Denmark DK-2800
Venue:
Fast Software Encryption
Year:
2009

Citing 0
Cited 47

Cryptanalysis of Twister

ACNS '09 Proceedings of the 7th International Conference on Applied Cryptography and Network Security
Rebound Attack on the Full Lane Compression Function

ASIACRYPT '09 Proceedings of the 15th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology
Rebound Distinguishers: Results on the Full Whirlpool Compression Function

ASIACRYPT '09 Proceedings of the 15th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology
Improved Cryptanalysis of Skein

ASIACRYPT '09 Proceedings of the 15th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology
Whirlwind: a new cryptographic hash function

Designs, Codes and Cryptography
Cryptanalysis of ESSENCE

FSE'10 Proceedings of the 17th international conference on Fast software encryption
Rebound attack on reduced-round versions of JH

FSE'10 Proceedings of the 17th international conference on Fast software encryption
Super-Sbox cryptanalysis: improved attacks for AES-like permutations

FSE'10 Proceedings of the 17th international conference on Fast software encryption
Improved differential attacks for ECHO and Grøstl

CRYPTO'10 Proceedings of the 30th annual conference on Advances in cryptology
Practical rebound attack on 12-round cheetah-256

ICISC'09 Proceedings of the 12th international conference on Information security and cryptology
Known-key attacks on Rijndael with large blocks and strengthening shiftrow parameter

IWSEC'10 Proceedings of the 5th international conference on Advances in information and computer security
Improved collision attacks on the reduced-round Grøstl hash function

ISC'10 Proceedings of the 13th international conference on Information security
Subspace distinguisher for 5/8 rounds of the ECHO-256 hash function

SAC'10 Proceedings of the 17th international conference on Selected areas in cryptography
Cryptanalysis of Luffa v2 components

SAC'10 Proceedings of the 17th international conference on Selected areas in cryptography
Analysis of reduced-SHAvite-3-256 v2

FSE'11 Proceedings of the 18th international conference on Fast software encryption
Practical near-collisions and collisions on round-reduced ECHO-256 compression function

FSE'11 Proceedings of the 18th international conference on Fast software encryption
Meet-in-the-middle preimage attacks on AES hashing modes and an application to whirlpool

FSE'11 Proceedings of the 18th international conference on Fast software encryption
Known-key distinguishers on 11-round Feistel and collision attacks on its hashing modes

FSE'11 Proceedings of the 18th international conference on Fast software encryption
Practical attacks on the maelstrom-0 compression function

ACNS'11 Proceedings of the 9th international conference on Applied cryptography and network security
Collisions of MMO-MD5 and their impact on original MD5

AFRICACRYPT'11 Proceedings of the 4th international conference on Progress in cryptology in Africa
Hyper-Sbox view of AES-like permutations: a generalized distinguisher

Inscrypt'10 Proceedings of the 6th international conference on Information security and cryptology
How to improve rebound attacks

CRYPTO'11 Proceedings of the 31st annual conference on Advances in cryptology
Known and chosen key differential distinguishers for block ciphers

ICISC'10 Proceedings of the 13th international conference on Information security and cryptology
SPONGENT: a lightweight hash function

CHES'11 Proceedings of the 13th international conference on Cryptographic hardware and embedded systems
The LED block cipher

CHES'11 Proceedings of the 13th international conference on Cryptographic hardware and embedded systems
Experimental verification of super-sbox analysis: confirmation of detailed attack complexity

IWSEC'11 Proceedings of the 6th International conference on Advances in information and computer security
Automatic search for related-key differential characteristics in byte-oriented block ciphers: application to AES, Camellia, Khazad and others

EUROCRYPT'10 Proceedings of the 29th Annual international conference on Theory and Applications of Cryptographic Techniques
Rebound attacks on the reduced grøstl hash function

CT-RSA'10 Proceedings of the 2010 international conference on Topics in Cryptology
Rebound attack on JH42

ASIACRYPT'11 Proceedings of the 17th international conference on The Theory and Application of Cryptology and Information Security
Second-Order differential collisions for reduced SHA-256

ASIACRYPT'11 Proceedings of the 17th international conference on The Theory and Application of Cryptology and Information Security
Biclique cryptanalysis of the full AES

ASIACRYPT'11 Proceedings of the 17th international conference on The Theory and Application of Cryptology and Information Security
Known-Key distinguisher on round-reduced 3d block cipher

WISA'11 Proceedings of the 12th international conference on Information Security Applications
Improved analysis of ECHO-256

SAC'11 Proceedings of the 18th international conference on Selected Areas in Cryptography
Boomerang distinguisher for the SIMD-512 compression function

INDOCRYPT'11 Proceedings of the 12th international conference on Cryptology in India
Distinguishers beyond three rounds of the RIPEMD-128/-160 compression functions

ACNS'12 Proceedings of the 10th international conference on Applied Cryptography and Network Security
Improved known-key distinguishers on Feistel-SP ciphers and application to camellia

ACISP'12 Proceedings of the 17th Australasian conference on Information Security and Privacy
Improved rebound attack on the finalist grøstl

FSE'12 Proceedings of the 19th international conference on Fast Software Encryption
Bicliques for preimages: attacks on skein-512 and the SHA-2 family

FSE'12 Proceedings of the 19th international conference on Fast Software Encryption
Unaligned rebound attack: application to keccak

FSE'12 Proceedings of the 19th international conference on Fast Software Encryption
New attacks on keccak-224 and keccak-256

FSE'12 Proceedings of the 19th international conference on Fast Software Encryption
Differential analysis of the LED block cipher

ASIACRYPT'12 Proceedings of the 18th international conference on The Theory and Application of Cryptology and Information Security
Analysis of differential attacks in ARX constructions

ASIACRYPT'12 Proceedings of the 18th international conference on The Theory and Application of Cryptology and Information Security
Bicliques for permutations: collision and preimage attacks in stronger settings

ASIACRYPT'12 Proceedings of the 18th international conference on The Theory and Application of Cryptology and Information Security
Investigating fundamental security requirements on whirlpool: improved preimage and collision attacks

ASIACRYPT'12 Proceedings of the 18th international conference on The Theory and Application of Cryptology and Information Security
On bruteforce-like cryptanalysis: new meet-in-the-middle attacks in symmetric cryptanalysis

ICISC'12 Proceedings of the 15th international conference on Information Security and Cryptology
Multi-differential cryptanalysis on reduced DM-PRESENT-80: collisions and other differential properties

ICISC'12 Proceedings of the 15th international conference on Information Security and Cryptology
Internal differential collision attacks on the reduced-round GrØstl-0 hash function

Designs, Codes and Cryptography

Quantified Score

Hi-index	0.01

Visualization

Abstract

In this work, we propose the rebound attack, a new tool for the cryptanalysis of hash functions. The idea of the rebound attack is to use the available degrees of freedom in a collision attack to efficiently bypass the low probability parts of a differential trail. The rebound attack consists of an inbound phase with a match-in-the-middle part to exploit the available degrees of freedom, and a subsequent probabilistic outbound phase. Especially on AES based hash functions, the rebound attack leads to new attacks for a surprisingly high number of rounds.We use the rebound attack to construct collisions for 4.5 rounds of the 512-bit hash function Whirlpool with a complexity of 2120 compression function evaluations and negligible memory requirements. The attack can be extended to a near-collision on 7.5 rounds of the compression function of Whirlpool and 8.5 rounds of the similar hash function Maelstrom. Additionally, we apply the rebound attack to the SHA-3 submission Grøstl, which leads to an attack on 6 rounds of the Grøstl-256 compression function with a complexity of 2120 and memory requirements of about 264.