Difference between revisions of "Whirlpool"
From The ECRYPT Hash Function Website
Mschlaeffer (talk | contribs) |
m (fixed bibtex entry) |
(2 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
== Specification == | == Specification == | ||
− | + | * digest size: 512 bits | |
− | * digest size: | ||
* max. message length: < 2<sup>64</sup> bits | * max. message length: < 2<sup>64</sup> bits | ||
− | * compression function: 512-bit message block, | + | * compression function: 512-bit message block, 512-bit chaining variable |
− | + | * Specification: [http://www.larc.usp.br/~pbarreto/WhirlpoolPage.html The Whirlpool Homepage] | |
− | * Specification: [http:// | ||
== Cryptanalysis == | == Cryptanalysis == | ||
Line 21: | Line 19: | ||
=== Collision Attacks === | === Collision Attacks === | ||
+ | |||
+ | <bibtex> | ||
+ | @inproceedings{fseMRST09, | ||
+ | author = {Florian Mendel and Christian Rechberger and Martin Schläffer and Søren S. Thomsen}, | ||
+ | title = {The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grøstl}, | ||
+ | url = {http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=99359}, | ||
+ | booktitle = {FSE}, | ||
+ | editor = {Orr Dunkelman}, | ||
+ | year = {2009}, | ||
+ | publisher = {Springer}, | ||
+ | series = {LNCS}, | ||
+ | volume = {5665}, | ||
+ | pages = {260-276}, | ||
+ | note = {To appear} | ||
+ | abstract = {In this work, we propose the rebound attack, a new tool for the cryptanalysis of | ||
+ | hash functions. The idea of the rebound attack is to use the available degrees | ||
+ | of freedom in a collision attack to efficiently bypass the low probability parts | ||
+ | of a differential trail. The rebound attack consists of an inbound phase with a | ||
+ | match-in-the-middle part to exploit the available degrees of freedom, and a | ||
+ | subsequent probabilistic outbound phase. Especially on AES based hash | ||
+ | functions, the rebound attack leads to new attacks for a surprisingly high | ||
+ | number of rounds. | ||
+ | We use the rebound attack to construct collisions for 4.5 rounds of the 512-bit | ||
+ | hash function Whirlpool with a complexity of $2^{120}$ compression function | ||
+ | evaluations and negligible memory requirements. The attack can be extended to | ||
+ | a near-collision on 7.5 rounds of the compression function of Whirlpool and 8.5 | ||
+ | rounds of the similar hash function Maelstrom. Additionally, we apply the | ||
+ | rebound attack to the SHA-3 submission Grøstl, which leads to an attack on | ||
+ | 6 rounds of the Grøstl-256 compression function with a complexity of $2^{120}$ | ||
+ | and memory requirements of about $2^{64}$.} | ||
+ | </bibtex> | ||
---- | ---- |
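Review bot: the `note = {To appear}` field near the end of the added entry has no trailing comma before `abstract = {`, so the fields run together and a BibTeX parser will reject the entry or lose the abstract; add the comma after `note = {To appear}`. Since `volume = {5665}` and `pages = {260-276}` are filled in on the lines just above it, the `To appear` note also reads as stale and could be dropped in the same edit.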
Latest revision as of 13:30, 9 July 2009
Contents
1 Specification
- digest size: 512 bits
- max. message length: < 2<sup>64</sup> bits
- compression function: 512-bit message block, 512-bit chaining variable
- Specification: The Whirlpool Homepage
2 Cryptanalysis
2.1 Best Known Results
2.2 Generic Attacks
2.3 Collision Attacks
Florian Mendel, Christian Rechberger, Martin Schläffer, Søren S. Thomsen - The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grøstl
- FSE 5665:260-276, 2009
- http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=99359