

A Collision Attack on a Double-Block-Length Compression Function Instantiated with 8-/9-Round AES-256
Jiageng CHEN Shoichi HIROSE Hidenori KUWAKADO Atsuko MIYAJI
Publication
IEICE TRANSACTIONS on Fundamentals of Electronics, Communications and Computer Sciences
Vol.E99-A
No.1
pp.14-21
Publication Date: 2016/01/01
Online ISSN: 1745-1337
DOI: 10.1587/transfun.E99.A.14
Type of Manuscript: Special Section PAPER (Special Section on Cryptography and Information Security)
Category:
Keyword: double-block-length compression function, free-start collision attack, rebound attack, AES-256
Summary:
This paper presents the first nontrivial collision attack on the double-block-length compression function presented at FSE 2006 instantiated with round-reduced AES-256: $f_0(h_0 \| h_1, M) \| f_1(h_0 \| h_1, M)$ such that $f_0(h_0 \| h_1, M) = E_{h_1 \| M}(h_0) \oplus h_0$, $f_1(h_0 \| h_1, M) = E_{h_1 \| M}(h_0 \oplus c) \oplus h_0 \oplus c$, where $\|$ represents concatenation, $E$ is AES-256 and $c$ is a 16-byte nonzero constant. The proposed attack is a free-start collision attack using the rebound attack proposed by Mendel et al. The success of the proposed attack largely depends on the configuration of the constant $c$: the number of its nonzero bytes and their positions. For the instantiation with AES-256 reduced from 14 rounds to 8 rounds, it is effective if the constant $c$ has at most four nonzero bytes at some specific positions, and the time complexity is $2^{64}$ or $2^{96}$. For the instantiation with AES-256 reduced to 9 rounds, it is effective if the constant $c$ has four nonzero bytes at some specific positions, and the time complexity is $2^{120}$. The space complexity is negligible in both cases.
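The compression function defined in the summary, written out as an added example (not code from the paper or its authors). It uses Go's standard `crypto/aes`, which is the full 14-round AES-256 rather than the 8- or 9-round reductions the attack applies to; the names `Block`, `Compress` and `NonzeroBytes` and the sample input are assumptions made here for illustration.

```go
package main

import (
	"crypto/aes"
	"encoding/hex"
	"fmt"
)

// Block is one 16-byte AES block; h0, h1, M and c all have this size.
type Block [16]byte
func (b Block) String() string { return hex.EncodeToString(b[:]) }

func xor(a, b Block) (out Block) {
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// NonzeroBytes counts the nonzero bytes of c (the summary's key parameter).
func NonzeroBytes(c Block) (n int) {
	for _, v := range c {
		if v != 0 {
			n++
		}
	}
	return n
}

// Compress returns f0 and f1 for chaining value h0||h1 and message block m.
func Compress(h0, h1, m, c Block) (f0, f1 Block, err error) {
	if NonzeroBytes(c) == 0 {
		return f0, f1, fmt.Errorf("constant c must be nonzero")
	}
	key := append(append(make([]byte, 0, 32), h1[:]...), m[:]...)
	e, err := aes.NewCipher(key) // 32-byte key h1||M selects AES-256
	if err != nil {
		return f0, f1, err
	}
	x := xor(h0, c)
	e.Encrypt(f0[:], h0[:]) // E_{h1||M}(h0)
	e.Encrypt(f1[:], x[:])  // E_{h1||M}(h0 xor c)
	return xor(f0, h0), xor(f1, x), nil
}

func main() { // constructed sample input, not values from the paper
	f0, f1, err := Compress(Block{}, Block{}, Block{}, Block{0: 1})
	fmt.Println(f0, f1, err)
}
```

Both halves share one key schedule, and by the definitions above replacing h0 with h0 ⊕ c swaps f0 and f1.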

