A copy of this work was available on the public web and has been preserved in the Wayback Machine. The capture dates from 2019; you can also visit the original URL.
The file type is
This paper presents the first non-trivial collision attack on the double-block-length compression function presented at FSE 2006 instantiated with round-reduced AES-256: where ∥ represents concatenation, E is AES-256 and c is a 16-byte nonzero constant. The proposed attack is a free-start collision attack using the rebound attack proposed by Mendel et al. The success of the proposed attack largely depends on the configuration of the constant c: the number of its non-zero bytes and theirdoi:10.1587/transfun.e99.a.14 fatcat:z2hucpb3dnhotai2ubqs5kcepe