Investigating Fundamental Security Requirements on Whirlpool: Improved Preimage and Collision Attacks

In this paper, improved cryptanalyses of the ISO standard hash function Whirlpool are presented with respect to the fundamental security notions. While a subspace distinguisher was presented on the full version (10 rounds) of the compression function, its impact on the security of the hash function seems limited. In this paper, we discuss the (second) preimage and collision attacks for the hash function and the compression function of Whirlpool. Regarding the preimage attack, 6 rounds of the hash function are attacked with 2^481 computations, while the previous best attack is for 5 rounds with 2^481.5 computations. Regarding the collision attack, 8 rounds of the compression function are attacked with 2^120 computations, while the previous best attack is for 7 rounds with 2^184 computations. To verify the correctness, especially for the rebound attack on the Sbox with an unbalanced Differential Distribution Table (DDT), the attack is partially implemented, and the differences from attacking an Sbox with a balanced DDT are reported.
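The abstract's distinction between a "balanced" and an "unbalanced" DDT is the property a designer checks when evaluating an S-box, and it is what changes the bookkeeping in the inbound phase of a rebound attack (how many input differences map to a given output difference). The following added example, which is not code from the paper, builds the Whirlpool S-box from the three 4-bit mini-boxes E, E^-1 and R of the Whirlpool specification, builds the AES S-box from its GF(2^8) inverse and affine map for comparison, and computes and summarises both DDTs. The function names (`whirlpool_sbox`, `aes_sbox`, `ddt`, `ddt_profile`, `solutions`) are this example's own.

```python
"""Differential Distribution Tables of the Whirlpool and AES S-boxes (added example)."""
from collections import Counter

# Whirlpool mini-boxes from the specification: E, its inverse, and R (4-bit each).
E_BOX = [0x1, 0xB, 0x9, 0xC, 0xD, 0x6, 0xF, 0x3, 0xE, 0x8, 0x7, 0x4, 0xA, 0x2, 0x5, 0x0]
R_BOX = [0x7, 0xC, 0xB, 0xD, 0xE, 0x4, 0x9, 0xF, 0x6, 0x3, 0x8, 0xA, 0x2, 0x5, 0x1, 0x0]
E_INV = [E_BOX.index(i) for i in range(16)]


def whirlpool_sbox():
    """8-bit Whirlpool S-box: E / E^-1 on the nibbles, R on their XOR, then E / E^-1 again."""
    table = []
    for x in range(256):
        h, l = x >> 4, x & 0xF
        h, l = E_BOX[h], E_INV[l]
        r = R_BOX[h ^ l]
        h, l = E_BOX[h ^ r], E_INV[l ^ r]
        table.append((h << 4) | l)
    return table


def gf_mul(a, b):
    """Multiplication in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return p


def aes_sbox():
    """AES S-box: multiplicative inverse (0 -> 0) followed by the affine transform."""
    inv = [0] * 256
    for x in range(1, 256):
        inv[x] = next(y for y in range(1, 256) if gf_mul(x, y) == 1)
    table = []
    for x in range(256):
        b = inv[x]
        s = b
        for i in range(1, 5):  # b ^ rotl(b,1) ^ rotl(b,2) ^ rotl(b,3) ^ rotl(b,4)
            s ^= ((b << i) | (b >> (8 - i))) & 0xFF
        table.append(s ^ 0x63)
    return table


def ddt(sbox):
    """DDT[dx][dy] = number of x with S(x) ^ S(x ^ dx) == dy."""
    n = len(sbox)
    table = [[0] * n for _ in range(n)]
    for x in range(n):
        for dx in range(n):
            table[dx][sbox[x] ^ sbox[x ^ dx]] += 1
    return table


def solutions(sbox, dx, dy):
    """All inputs x realising the transition dx -> dy (what a rebound inbound phase enumerates)."""
    return [x for x in range(len(sbox)) if sbox[x] ^ sbox[x ^ dx] == dy]


def ddt_profile(sbox):
    """Summary over the non-trivial rows (dx != 0): entry histogram, maximum entry,
    fraction of (dx, dy) pairs that admit a solution, and the mean number of
    solutions per admissible pair. A 'balanced' (AES-style) DDT has only 0/2/4 entries."""
    n = len(sbox)
    t = ddt(sbox)
    hist = Counter(v for dx in range(1, n) for v in t[dx])
    admissible = sum(c for v, c in hist.items() if v)
    return {
        "histogram": dict(sorted(hist.items())),
        "max": max(hist),
        "admissible_fraction": admissible / ((n - 1) * n),
        "mean_solutions_per_admissible": (n - 1) * n / admissible,
    }


if __name__ == "__main__":
    for name, box in (("AES", aes_sbox()), ("Whirlpool", whirlpool_sbox())):
        print(name, ddt_profile(box))
```

The AES row profile is uniform: every non-zero input difference reaches exactly 127 output differences, with 2 solutions each except for one difference with 4. Running the script shows that the Whirlpool DDT contains larger entries and a more varied histogram, so the number of solutions obtained from a fixed inbound differential varies with the concrete differences chosen; this is the effect the abstract says the implementation was used to measure.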
