Difference between revisions of "Whirlpool"

From The ECRYPT Hash Function Website
m (Specification)
m (added results for Whirlpool)
Line 4: Line 4:
 
* max. message length: < 2<sup>64</sup> bits
 
* max. message length: < 2<sup>64</sup> bits
 
* compression function: 512-bit message block, 512-bit chaining variable
 
* compression function: 512-bit message block, 512-bit chaining variable
* Specification: [http://paginas.terra.com.br/informatica/paulobarreto/WhirlpoolPage.html The Whirlpool Homepage]
+
* Specification: [http://www.larc.usp.br/~pbarreto/WhirlpoolPage.html The Whirlpool Homepage]
  
 
== Cryptanalysis ==
 
== Cryptanalysis ==
Line 19: Line 19:
  
 
=== Collision Attacks ===
 
=== Collision Attacks ===
 
+
<bibtex>
 +
@misc{fseMRST09,
 +
  author    = {Florian Mendel and Christian Rechberger and Martin Schläffer and Søren S. Thomsen},
 +
  title    = {The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grøstl},
 +
  url = {http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=99359},
 +
  howpublished = {In Proceedings of FSE, Springer, To appear},
 +
  year = {2009},
 +
  abstract = {In this work, we propose the rebound attack, a new tool for the cryptanalysis of
 +
hash functions. The idea of the rebound attack is to use the available degrees
 +
of freedom in a collision attack to efficiently bypass the low probability parts
 +
of a differential trail. The rebound attack consists of an inbound phase with a
 +
match-in-the-middle part to exploit the available degrees of freedom, and a
 +
subsequent probabilistic outbound phase. Especially on AES based hash
 +
functions, the rebound attack leads to new attacks for a surprisingly high
 +
number of rounds.
 +
We use the rebound attack to construct collisions for 4.5 rounds of the 512-bit
 +
hash function Whirlpool with a complexity of $2^{120}$ compression function
 +
evaluations and negligible memory requirements. The attack can be extended to
 +
a near-collision on 7.5 rounds of the compression function of Whirlpool and 8.5
 +
rounds of the similar hash function Maelstrom. Additionally, we apply the
 +
rebound attack to the SHA-3 submission Grøstl, which leads to an attack on
 +
6 rounds of the Grøstl-256 compression function with a complexity of $2^{120}$
 +
and memory requirements of about $2^{64}$.}
 +
</bibtex>
 
----
 
----
  

Revision as of 14:04, 8 April 2009

1 Specification

  • digest size: 512 bits
  • max. message length: < 264 bits
  • compression function: 512-bit message block, 512-bit chaining variable
  • Specification: The Whirlpool Homepage

2 Cryptanalysis

2.1 Best Known Results


2.2 Generic Attacks


2.3 Collision Attacks

Florian Mendel, Christian Rechberger, Martin Schläffer, Søren S. Thomsen - The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grøstl

,2009
http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=99359
Bibtex
Author : Florian Mendel, Christian Rechberger, Martin Schläffer, Søren S. Thomsen
Title : The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grøstl
In : -
Address :
Date : 2009

2.4 Second Preimage Attacks


2.5 Preimage Attacks


2.6 Others