
Investigating Fundamental Security Requirements on Whirlpool: Improved Preimage and Collision Attacks

Yu Sasaki, Lei Wang, Shuang Wu*, Wenling Wu

December 13, 2012

*: supported by the National Natural Science Foundation of China under Grant No. 61202421.

Outline

- Whirlpool
- Improved Preimage Attacks
- Improved Collision Attacks
- Conclusion

The Whirlpool hash function

- Designed by Rijmen and Barreto in 2000
- ISO standard and recommended by NESSIE
- The only standardized AES-like hash function
- Secure?
  - Full-round distinguisher on the compression function
  - Impact seems limited
  - Still secure under fundamental security notions
    - Preimage resistance
    - Second preimage resistance
    - Collision resistance

Specification of Whirlpool

- 512-bit chaining value and hash size
- 512-bit message block
- Use the block cipher W in Miyaguchi-Preneel (MP) mode

Specification of Whirlpool

- Round function and compression function
- 10 rounds in total

Previous Preimage Attack on Whirlpool

- Meet-in-the-Middle
- Application of previous techniques
  - Splice-and-cut
  - Initial structure
  - Partial-matching
- Fixed- and work on AES-based permutation

Our Idea (1)

- Application of Guess-and-Determine
- The attackable number of rounds is increased: attack one more round

Our Idea (2)

- Adopting the fact that is almost identical with the data processing
- More free bits from key (doubled)

Summary of Our Preimage Attacks

- Main result
  - 6-round preimage attack on the hash function

Round  Time     Memory  Source
5      2^481.5  2^64    Wu et al.
5      2^448    2^96    Ours
5      2^465    O(1)    Ours
6      2^481    2^256   Ours
6      2^504    O(1)    Ours

Previous Attack

- No difference in the key
- The same input and output differences

(figure: key schedule (Key, 1st R to 4th R) and data processing (Data, 1st R to 4th R), with no key difference)

Our Approach

- Introduce differences to the key schedule
- The input and output differences can be different

(figure: key schedule (Key, 1st R to 4th R) and data processing (Data, 1st R to 4th R), with differences in the key schedule)

Message pair finding tool

- The rebound attack
- Proposed by Mendel et al. in FSE 2009
- A powerful tool for the analysis of hash functions with an AES-like structure

(figure: rebound attack on an AES-like structure: outbound steps, inbound steps (choose differences on both sides and match through the S-box), outbound steps)

The 4-Round Differential Path

- Key: 64-8-1-8-64
- Data: 0-8-1-8-0

The 8-Round Differential Path

- Key: 64-8-1-8-64-8-1-8-64
- Data: 0-8-1-8-0-8-1-8-0

(figure: the differential paths, annotated with the transition probabilities 2^-56 and 2^-64)

Summary of Our Collision Attacks

- Main results
  - 8-round on the compression function
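The active-byte counts 64, 8 and 1 in these paths follow from how Whirlpool's ShiftColumns and MixRows move and spread byte differences through the 8x8 state. The Python model below is an added example, not code from the slides or from the Whirlpool reference implementation: it tracks only which bytes are active, reproduces the 1 -> 8 -> 64 spreading of a single-byte difference, and shows how a 2^-56 step arises as the cost of an 8-to-1 MixRows transition. It assumes the usual truncated-differential heuristic that each inactive output byte of an active MixRows row costs 2^-8.

```python
"""Truncated-differential bookkeeping for Whirlpool-style rounds (added
example, not from the slides or the Whirlpool reference code).  The 8x8
state is tracked as the set of active byte positions: SubBytes and
AddRoundKey (no key difference) keep it, ShiftColumns rotates column c
down by c, MixRows multiplies rows by an MDS matrix of branch number 9.
Assumption: each inactive output byte of an active MixRows row costs 2^-8
(the usual truncated-differential heuristic)."""
from typing import FrozenSet, List, Tuple

Pattern = FrozenSet[Tuple[int, int]]  # active (row, col) positions
N = 8                                  # Whirlpool state is 8 x 8 bytes

def single_byte(r: int, c: int) -> Pattern:
    return frozenset({(r, c)})

def shift_columns(p: Pattern) -> Pattern:
    # cyclic downward shift of column c by c positions
    return frozenset(((r + c) % N, c) for r, c in p)

def mix_rows_forward(p: Pattern) -> Pattern:
    # with probability 1 every active row becomes fully active
    rows = {r for r, _ in p}
    return frozenset((r, c) for r in rows for c in range(N))

def mix_rows_cost(inp: Pattern, out: Pattern) -> int:
    """log2 of the probability that MixRows maps pattern inp to exactly out
    (0 = certain); raises if the branch number forbids the transition."""
    cost = 0
    for r in range(N):
        k_in = sum(1 for rr, _ in inp if rr == r)
        k_out = sum(1 for rr, _ in out if rr == r)
        if k_in == 0 and k_out == 0:
            continue
        if k_in == 0 or k_out == 0 or k_in + k_out < N + 1:
            raise ValueError(f"row {r}: {k_in}->{k_out} violates branch number 9")
        cost -= 8 * (N - k_out)  # each inactive output byte: 2^-8
    return cost

def forward_counts(start: Pattern, rounds: int) -> List[int]:
    """Active-byte count after each round when differences spread freely."""
    counts, p = [len(start)], start
    for _ in range(rounds):
        p = mix_rows_forward(shift_columns(p))  # SubBytes changes nothing
        counts.append(len(p))
    return counts

if __name__ == "__main__":
    print(forward_counts(single_byte(0, 0), 2))    # [1, 8, 64]
    row = mix_rows_forward(single_byte(0, 0))       # 8 active bytes in row 0
    print(mix_rows_cost(row, single_byte(0, 0)))    # -56: the 8 -> 1 step
```

Running the 8-to-1 step backwards through the inverse MixRows has the same cost, since the inverse of an MDS matrix is also MDS with branch number 9.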

Targets               Round  Time    Memory  Source
Hash Function         4      2^64    2^8     Mendel et al.
                      5      2^120   2^64    Gilbert et al.
                      7      2^184   2^8     Lamberger et al.
Compression Function  7      2^128   2^128   Lamberger et al.
                      7      2^64    2^8     Ours
                      8      2^120   2^8     Ours

Experimental Results

- Practical results
  - 4-Round Collision
    - Complexity: (Time, Memory) = (2^8, 2^8)
  - 7-Round Near-Collision (320-bit collision)
    - Complexity: (Time, Memory) = (2^40, 2^8)

Conclusion

- We proposed:
  - Preimage attack on Whirlpool
    - Guess-and-Determine
    - Freedom degrees in the key
    - 6-round preimage attack on the hash function
      - One more round than the previous attack
  - Collision attack on Whirlpool
    - Differences in the key schedule
    - Local collision
    - 8-round collision attack on the compression function (free-start collision)
      - One more round than the previous attack

Questions?