Second Preimage Analysis of Whirlwind

Whirlwind is a keyless AES-like hash function that adopts the sponge model. According to its designers, it is built to resist most of the recent cryptanalytic attacks. In this paper we evaluate the second preimage resistance of the Whirlwind hash function. More precisely, we apply a meet-in-the-middle preimage attack to the compression function, which yields a 5-round pseudo preimage for a given compression function output with time complexity \(2^{385}\) and memory complexity \(2^{128}\). We also employ a guess-and-determine approach to extend the attack to 6 rounds, with time and memory complexities of \(2^{496}\) and \(2^{112}\), respectively. Finally, by adopting another meet-in-the-middle attack, we generate n-block message second preimages for the 5- and 6-round reduced hash function with time complexities of \(2^{449}\) and \(2^{505}\) and memory complexities of \(2^{128}\) and \(2^{112}\), respectively. All of these results concern round-reduced variants of Whirlwind; the complexities sit below the generic \(2^{512}\) bound for its 512-bit digest but remain far beyond any feasible computation, so they are certificational rather than practical.
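A worked illustration of the meet-in-the-middle principle behind such pseudo-preimage attacks, added here as an example and not taken from the paper or from the Whirlwind designers: the toy 16-bit Davies-Meyer compression function, its seeded S-box and its two-round structure are assumptions chosen so that the search runs in milliseconds. The real attack applies the same idea to a 1024-bit AES-like state with far more elaborate chunk separation and partial matching, none of which is modelled here.

```python
"""Toy meet-in-the-middle (MITM) pseudo-preimage attack on a Davies-Meyer
compression function. Added example; the function below is constructed for
illustration and is not Whirlwind or any real primitive."""
import random

# Constructed 8-bit S-box: a fixed-seed random permutation (assumption), plus
# its inverse, which the backward chunk of the attack needs.
_rng = random.Random(2014)
SBOX = list(range(256))
_rng.shuffle(SBOX)
SBOX_INV = [0] * 256
for _i, _v in enumerate(SBOX):
    SBOX_INV[_v] = _i


def _rot(key):
    """Rotate an 8-bit subkey left by one bit (toy key schedule)."""
    return ((key << 1) | (key >> 7)) & 0xFF


def _round(state, key):
    """One toy AES-like round on a 16-bit state: key add, S-box, linear mix."""
    s0, s1 = state >> 8, state & 0xFF
    s0, s1 = SBOX[s0 ^ key], SBOX[s1 ^ _rot(key)]
    # invertible linear layer: (s0, s1) -> (s0 ^ s1, s0)
    return ((s0 ^ s1) << 8) | s0


def _round_inv(state, key):
    """Exact inverse of _round, used to compute the backward chunk."""
    t0, t1 = state >> 8, state & 0xFF
    s0, s1 = t1, t0 ^ t1                      # undo the linear layer
    s0 = SBOX_INV[s0] ^ key                   # undo S-box and key add
    s1 = SBOX_INV[s1] ^ _rot(key)
    return (s0 << 8) | s1


def compress(h, m):
    """CF(h, m) = E_m(h) XOR h. E_m is two rounds; round 1 is keyed only by
    message byte a = m >> 8 and round 2 only by b = m & 0xFF, which is what
    makes a and b 'neutral' for the opposite chunk."""
    a, b = m >> 8, m & 0xFF
    return _round(_round(h, a), b) ^ h


def mitm_pseudo_preimage(target, max_trials=1 << 16):
    """Return (h, m) with compress(h, m) == target, or None.

    For a fixed chaining value h we need E_m(h) == target ^ h. The forward
    chunk (round 1) depends only on a and the backward chunk (round 2 run
    backwards from target ^ h) only on b, so each is enumerated once (2^8 +
    2^8 work) and matched on the 16-bit middle state, instead of 2^16 trials
    of the full function. Because h is chosen by the attacker rather than
    fixed to the IV, the result is a pseudo preimage.
    """
    for h in range(max_trials):
        y = target ^ h
        forward = {}
        for a in range(256):                  # forward chunk: h -> middle
            forward.setdefault(_round(h, a), a)
        for b in range(256):                  # backward chunk: y -> middle
            mid = _round_inv(y, b)
            if mid in forward:
                return h, (forward[mid] << 8) | b
    return None


if __name__ == "__main__":
    tgt = 0xBEEF
    h, m = mitm_pseudo_preimage(tgt)
    print(f"h={h:#06x} m={m:#06x} CF={compress(h, m):#06x} target={tgt:#06x}")
```

For each candidate h roughly one match is expected (2^16 candidate pairs against a 16-bit filter), so the loop rarely needs more than a handful of chaining values; the cost per h is about 2^9 round evaluations versus 2^16 for exhaustive search of the message.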
