Difference between revisions of "Whirlpool"
From The ECRYPT Hash Function Website
Mschlaeffer (talk | contribs) |
m (fixed bibtex entry) |
||
| (2 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
== Specification == | == Specification == | ||
| − | + | * digest size: 512 bits | |
| − | * digest size: | ||
* max. message length: < 2<sup>64</sup> bits | * max. message length: < 2<sup>64</sup> bits | ||
| − | * compression function: 512-bit message block, | + | * compression function: 512-bit message block, 512-bit chaining variable |
| − | + | * Specification: [http://www.larc.usp.br/~pbarreto/WhirlpoolPage.html The Whirlpool Homepage] | |
| − | * Specification: [http:// | ||
== Cryptanalysis == | == Cryptanalysis == | ||
| Line 21: | Line 19: | ||
=== Collision Attacks === | === Collision Attacks === | ||
| + | |||
| + | <bibtex> | ||
| + | @inproceedings{fseMRST09, | ||
| + | author = {Florian Mendel and Christian Rechberger and Martin Schläffer and Søren S. Thomsen}, | ||
| + | title = {The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grøstl}, | ||
| + | url = {http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=99359}, | ||
| + | booktitle = {FSE}, | ||
| + | editor = {Orr Dunkelman}, | ||
| + | year = {2009}, | ||
| + | publisher = {Springer}, | ||
| + | series = {LNCS}, | ||
| + | volume = {5665}, | ||
| + | pages = {260-276}, | ||
| + | note = {To appear} | ||
| + | abstract = {In this work, we propose the rebound attack, a new tool for the cryptanalysis of | ||
| + | hash functions. The idea of the rebound attack is to use the available degrees | ||
| + | of freedom in a collision attack to efficiently bypass the low probability parts | ||
| + | of a differential trail. The rebound attack consists of an inbound phase with a | ||
| + | match-in-the-middle part to exploit the available degrees of freedom, and a | ||
| + | subsequent probabilistic outbound phase. Especially on AES based hash | ||
| + | functions, the rebound attack leads to new attacks for a surprisingly high | ||
| + | number of rounds. | ||
| + | We use the rebound attack to construct collisions for 4.5 rounds of the 512-bit | ||
| + | hash function Whirlpool with a complexity of $2^{120}$ compression function | ||
| + | evaluations and negligible memory requirements. The attack can be extended to | ||
| + | a near-collision on 7.5 rounds of the compression function of Whirlpool and 8.5 | ||
| + | rounds of the similar hash function Maelstrom. Additionally, we apply the | ||
| + | rebound attack to the SHA-3 submission Grøstl, which leads to an attack on | ||
| + | 6 rounds of the Grøstl-256 compression function with a complexity of $2^{120}$ | ||
| + | and memory requirements of about $2^{64}$.} | ||
| + | </bibtex> | ||
---- | ---- | ||
Latest revision as of 13:30, 9 July 2009
Contents
1 Specification
- digest size: 512 bits
- max. message length: < 264 bits
- compression function: 512-bit message block, 512-bit chaining variable
- Specification: The Whirlpool Homepage
2 Cryptanalysis
2.1 Best Known Results
2.2 Generic Attacks
2.3 Collision Attacks
Florian Mendel, Christian Rechberger, Martin Schläffer, Søren S. Thomsen - The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grøstl
- FSE 5665:260-276,2009
- http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=99359
BibtexAuthor : Florian Mendel, Christian Rechberger, Martin Schläffer, Søren S. Thomsen
Title : The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grøstl
In : FSE -
Address :
Date : 2009
