Investigating Fundamental Security Requirements on Whirlpool: Improved Preimage and Collision Attacks
Yu Sasaki, Lei Wang, Shuang Wu*, Wenling Wu
December 13, 2012
*: supported by the National Natural Science Foundation of China under Grant No. 61202421.

Outline
  - Whirlpool
  - Improved Preimage Attacks
  - Improved Collision Attacks
  - Conclusion

The Whirlpool hash function
  - Designed by Rijmen and Barreto in 2000
  - ISO standard and recommended by NESSIE
  - The only standardized AES-like hash function
  - Secure?
    - A full-round distinguisher on the compression function is known, but its impact seems limited
    - Still secure under the fundamental security notions: preimage resistance, second-preimage resistance, collision resistance

Specification of Whirlpool
  - 512-bit chaining value and hash size
  - 512-bit message block
  - Uses the block cipher W in Miyaguchi-Preneel (MP) mode: h_i = W_{h_{i-1}}(m_i) XOR m_i XOR h_{i-1}, i.e. the chaining value is the key and the message block is the plaintext

Specification of Whirlpool: round function and compression function
  - 10 rounds in total
Improved Preimage Attacks

Previous preimage attack on Whirlpool (Wu et al.)
  - Meet-in-the-middle (MITM) preimage attack
  - Applies the earlier MITM techniques: splice-and-cut, initial structure, partial matching
  - Fixes the key and works on the AES-based permutation, so only the data-processing part supplies freedom degrees

Our idea (1): application of guess-and-determine
  - The attackable number of rounds is increased: one more round is attacked

Our idea (2): exploit the fact that the key schedule is almost identical to the data processing
  - The key (chaining value) also supplies free bits to the MITM, so the number of free bits is doubled

Summary of our preimage attacks
  - Main result: 6-round preimage attack on the hash function
  Rounds  Time     Memory  Source
  5       2^481.5  2^64    Wu et al.
  5       2^448    2^96    Ours
  5       2^465    O(1)    Ours
  6       2^481    2^256   Ours
  6       2^504    O(1)    Ours

Improved Collision Attacks

Previous attack
  - No difference in the key (chaining value)
  - The input and output differences of the data must be the same, so that they cancel in the MP feed-forward (the message block is XORed to the cipher output)
[Figure: differences in the key schedule (none) and in the data processing over rounds 1 to 4]

Our approach
  - Introduce differences into the key schedule
  - The input and output differences of the data can then be different: the key difference is XORed into the data by the round-key additions and by the feed-forward, so it can introduce and later cancel the data difference (a local collision)

[Figure: differences in the key schedule and in the data processing over rounds 1 to 4]

Message pair finding tool: the rebound attack
  - Proposed by Mendel et al. at FSE 2009
  - A powerful tool for the analysis of hash functions with an AES-like structure
[Figure: the rebound attack on an AES-like structure: outbound steps, inbound steps (choose the differences on both sides of the S-box layer and match them through the S-box), outbound steps]
The 4-round differential path (number of active bytes per state)
  - Key:  64-8-1-8-64
  - Data: 0-8-1-8-0

The 8-round differential path
  - Key:  64-8-1-8-64-8-1-8-64
  - Data: 0-8-1-8-0-8-1-8-0

[Figure: the differential paths, annotated with the transition probabilities 2^-56 and 2^-64]

Summary of our collision attacks
  - Main result: 8-round collision attack on the compression function
  Target                Rounds  Time   Memory  Source
  Hash function         4       2^64   2^8     Mendel et al.
  Hash function         5       2^120  2^64    Gilbert et al.
  Hash function         7       2^184  2^8     Lamberger et al.
  Compression function  7       2^128  2^128   Lamberger et al.
  Compression function  7       2^64   2^8     Ours
  Compression function  8       2^120  2^8     Ours

Experimental results
Practical results
  - 4-round collision: (time, memory) = (2^8, 2^8)
  - 7-round near-collision (320-bit collision): (time, memory) = (2^40, 2^8)
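The active-byte counts on the differential-path slide (key: 64-8-1-8-64) follow from the geometry of the Whirlpool round alone. The following Python model is an added example, not code from the paper or its authors: it tracks only the positions of non-zero byte differences in the 8x8 state, applies ShiftColumns exactly and MixRows in the usual probability-1 truncated model (an MDS row mapping turns any active row fully active), and reproduces the 4-round key path by placing a single active byte in the middle and propagating two rounds backwards and two rounds forwards. It also computes the two costs a practitioner would attach to such a path: the 8-to-1 MixRows transition (2^-56) and the cancellation of an 8-byte key difference against an 8-byte data difference in AddRoundKey (2^-64). That these are the events annotated 2^-56 and 2^-64 on the slide is an assumption; the extracted slide does not say which transition each label belongs to. The uniform-byte and MDS assumptions are stated in the code.

```python
"""Truncated (active-byte) differential propagation in a Whirlpool-like round.

Added example, not code from the paper or its authors. Only the positions of
non-zero byte differences in the 8x8 state are tracked, under the usual
truncated-differential assumptions (assumptions of this example, not taken
from the slides):
  - SubBytes changes values but not positions.
  - ShiftColumns rotates column j downwards by j positions.
  - MixRows is an MDS mapping on each row, so a row with at least one active
    input byte is fully active with probability 1; forcing a row with 8
    active inputs down to 1 chosen active output costs 2^-56 (7 bytes must
    vanish, 2^-8 each).
"""
from __future__ import annotations

N = 8  # the Whirlpool state is 8 x 8 bytes


def shift_columns(active: frozenset, inverse: bool = False) -> frozenset:
    """Column j is rotated down by j (up by j for the inverse)."""
    step = -1 if inverse else 1
    return frozenset(((r + step * c) % N, c) for r, c in active)


def mix_rows(active: frozenset) -> frozenset:
    """Probability-1 truncated model of MixRows (and of its inverse, which is
    also MDS): every row holding an active byte becomes fully active."""
    rows = {r for r, _ in active}
    return frozenset((r, c) for r in rows for c in range(N))


def round_forward(active: frozenset) -> frozenset:
    """SubBytes (position-preserving, omitted), ShiftColumns, MixRows."""
    return mix_rows(shift_columns(active))


def round_backward(active: frozenset) -> frozenset:
    """Inverse round: MixRows^-1, ShiftColumns^-1 (SubBytes^-1 omitted)."""
    return shift_columns(mix_rows(active), inverse=True)


def truncated_path(start: frozenset = frozenset({(0, 0)}),
                   back: int = 2, fwd: int = 2) -> list[int]:
    """Active-byte counts of the path obtained by placing `start` in the
    middle and propagating `back` rounds backwards and `fwd` rounds forwards
    with probability 1. The sparse middle state is where a rebound-style
    inbound phase would be placed."""
    backward = []
    s = start
    for _ in range(back):
        s = round_backward(s)
        backward.append(s)
    forward = []
    s = start
    for _ in range(fwd):
        s = round_forward(s)
        forward.append(s)
    return ([len(s) for s in reversed(backward)] + [len(start)]
            + [len(s) for s in forward])


def mds_row_transition_log2prob(n_in: int, n_out: int) -> float:
    """log2 of the probability that MixRows maps a row with n_in active bytes
    to a fixed pattern with exactly n_out active bytes. Output bytes are
    modelled as uniform, so each of the 8 - n_out bytes that must be zero
    costs 2^-8; patterns below the MDS branch number 9 are impossible."""
    if n_in == 0 or n_out == 0:
        return 0.0 if n_in == n_out else float("-inf")
    if n_in + n_out < N + 1:
        return float("-inf")
    return float(-8 * (N - n_out))


def cancel_log2prob(n_active: int) -> float:
    """log2 of the probability that a round-key difference and a data
    difference active in the same n_active positions cancel in AddRoundKey,
    modelling the byte differences as independent and uniform."""
    return float(-8 * n_active)


if __name__ == "__main__":
    print("4-round truncated path from one active byte:", truncated_path())
    print("MixRows 8 -> 1 transition: 2^%d" % mds_row_transition_log2prob(8, 1))
    print("cancellation of 8 active bytes: 2^%d" % cancel_log2prob(8))
```

`truncated_path()` returns the key pattern of the 4-round slide regardless of where the single active byte is placed; the 8-round key path on the slide is two copies of that pattern joined at the fully active (64) state. The data path (0-8-1-8-0) is not reproduced here: its zero states come from cancellations against the key difference, which a probability-1 model does not place, so only the cost of such a cancellation is computed.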
Conclusion

We proposed:
  - Preimage attack on Whirlpool
    - Guess-and-determine
    - Freedom degrees in the key
    - 6-round preimage attack on the hash function: one more round than the previous attack
  - Collision attack on Whirlpool
    - Differences in the key schedule
    - Local collision
    - 8-round collision attack on the compression function (free-start collision): one more round than the previous attack

Questions?