A Collision Attack on a Double-Block-Length Compression Function Instantiated with 8-/9-Round AES-256

Jiageng CHEN  Shoichi HIROSE  Hidenori KUWAKADO  Atsuko MIYAJI  

Publication
IEICE TRANSACTIONS on Fundamentals of Electronics, Communications and Computer Sciences   Vol.E99-A   No.1   pp.14-21
Publication Date: 2016/01/01
Online ISSN: 1745-1337
DOI: 10.1587/transfun.E99.A.14
Type of Manuscript: Special Section PAPER (Special Section on Cryptography and Information Security)
Category: 
Keyword: 
double-block-length compression function,  free-start collision attack,  rebound attack,  AES-256,  

Full Text: PDF(1.3MB)>>
Buy this Article




Summary: 
This paper presents the first non-trivial collision attack on the double-block-length compression function presented at FSE 2006 instantiated with round-reduced AES-256: f0(h0||h1,M)||f1(h0||h1,M) such that
f0(h0||h1, M) = Eh1||M(h0)⊕h0 ,
f1(h0||h1,M) = Eh1||M(h0c)⊕h0c ,
where || represents concatenation, E is AES-256 and c is a 16-byte non-zero constant. The proposed attack is a free-start collision attack using the rebound attack proposed by Mendel et al. The success of the proposed attack largely depends on the configuration of the constant c: the number of its non-zero bytes and their positions. For the instantiation with AES-256 reduced from 14 rounds to 8 rounds, it is effective if the constant c has at most four non-zero bytes at some specific positions, and the time complexity is 264 or 296. For the instantiation with AES-256 reduced to 9 rounds, it is effective if the constant c has four non-zero bytes at some specific positions, and the time complexity is 2120. The space complexity is negligible in both cases.