Difference between revisions of "Whirlpool"
From The ECRYPT Hash Function Website
m (→Specification) |
m (added results for Whirlpool) |
||
| Line 4: | Line 4: | ||
* max. message length: < 2<sup>64</sup> bits | * max. message length: < 2<sup>64</sup> bits | ||
* compression function: 512-bit message block, 512-bit chaining variable | * compression function: 512-bit message block, 512-bit chaining variable | ||
| − | * Specification: [http:// | + | * Specification: [http://www.larc.usp.br/~pbarreto/WhirlpoolPage.html The Whirlpool Homepage] |
== Cryptanalysis == | == Cryptanalysis == | ||
| Line 19: | Line 19: | ||
=== Collision Attacks === | === Collision Attacks === | ||
| − | + | <bibtex> | |
| + | @misc{fseMRST09, | ||
| + | author = {Florian Mendel and Christian Rechberger and Martin Schläffer and Søren S. Thomsen}, | ||
| + | title = {The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grøstl}, | ||
| + | url = {http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=99359}, | ||
| + | howpublished = {In Proceedings of FSE, Springer, To appear}, | ||
| + | year = {2009}, | ||
| + | abstract = {In this work, we propose the rebound attack, a new tool for the cryptanalysis of | ||
| + | hash functions. The idea of the rebound attack is to use the available degrees | ||
| + | of freedom in a collision attack to efficiently bypass the low probability parts | ||
| + | of a differential trail. The rebound attack consists of an inbound phase with a | ||
| + | match-in-the-middle part to exploit the available degrees of freedom, and a | ||
| + | subsequent probabilistic outbound phase. Especially on AES based hash | ||
| + | functions, the rebound attack leads to new attacks for a surprisingly high | ||
| + | number of rounds. | ||
| + | We use the rebound attack to construct collisions for 4.5 rounds of the 512-bit | ||
| + | hash function Whirlpool with a complexity of $2^{120}$ compression function | ||
| + | evaluations and negligible memory requirements. The attack can be extended to | ||
| + | a near-collision on 7.5 rounds of the compression function of Whirlpool and 8.5 | ||
| + | rounds of the similar hash function Maelstrom. Additionally, we apply the | ||
| + | rebound attack to the SHA-3 submission Grøstl, which leads to an attack on | ||
| + | 6 rounds of the Grøstl-256 compression function with a complexity of $2^{120}$ | ||
| + | and memory requirements of about $2^{64}$.} | ||
| + | </bibtex> | ||
---- | ---- | ||
Revision as of 15:04, 8 April 2009
Contents
1 Specification
- digest size: 512 bits
- max. message length: < 264 bits
- compression function: 512-bit message block, 512-bit chaining variable
- Specification: The Whirlpool Homepage
2 Cryptanalysis
2.1 Best Known Results
2.2 Generic Attacks
2.3 Collision Attacks
Florian Mendel, Christian Rechberger, Martin Schläffer, Søren S. Thomsen - The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grøstl
- ,2009
- http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=99359
BibtexAuthor : Florian Mendel, Christian Rechberger, Martin Schläffer, Søren S. Thomsen
Title : The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grøstl
In : -
Address :
Date : 2009
