Internet Archive Scholar

A Collision Attack on a Double-Block-Length Compression Function Instantiated with 8-/9-Round AES-256

Jiageng CHEN, Shoichi HIROSE, Hidenori KUWAKADO, Atsuko MIYAJI
2016 IEICE Transactions on Fundamentals of Electronics Communications and Computer Sciences  

Preserved Fulltext

fulltext thumbnail
Web Archive Capture PDF (1.2 MB)
https://web.archive.org/web/20190321004400/https://core.ac.uk/download/pdf/61372423.pdf

A copy of this work was available on the public web and has been preserved in the Wayback Machine. The capture dates from 2019; you can also visit the original URL. The file type is application/pdf.

This paper presents the first non-trivial collision attack on the double-block-length compression function presented at FSE 2006 instantiated with round-reduced AES-256: where ∥ represents concatenation, E is AES-256 and c is a 16-byte nonzero constant. The proposed attack is a free-start collision attack using the rebound attack proposed by Mendel et al. The success of the proposed attack largely depends on the configuration of the constant c: the number of its non-zero bytes and their
more » ... s. For the instantiation with AES-256 reduced from 14 rounds to 8 rounds, it is effective if the constant c has at most four non-zero bytes at some specific positions, and the time complexity is 2 64 or 2 96 . For the instantiation with AES-256 reduced to 9 rounds, it is effective if the constant c has four non-zero bytes at some specific positions, and the time complexity is 2 120 . The space complexity is negligible in both cases. key words: double-block-length compression function, free-start collision attack, rebound attack,
doi:10.1587/transfun.e99.a.14 fatcat:z2hucpb3dnhotai2ubqs5kcepe
Citation

Jiageng CHEN, Shoichi HIROSE, Hidenori KUWAKADO, Atsuko MIYAJI. "A Collision Attack on a Double-Block-Length Compression Function Instantiated with 8-/9-Round AES-256." IEICE Transactions on Fundamentals of Electronics Communications and Computer Sciences E99.A.1 (2016) 14-21