A Collision Attack on a Double-Block-Length Compression Function Instantiated with 8-/9-Round AES-256
- CHEN Jiageng
- Computer School, Central China Normal University
- HIROSE Shoichi
- Graduate School of Engineering, University of Fukui
- KUWAKADO Hidenori
- Faculty of Informatics, Kansai University
- MIYAJI Atsuko
- Graduate School of Engineering, Osaka University; School of Information Science, Japan Advanced Institute of Science and Technology; CREST, JST
Abstract
This paper presents the first non-trivial collision attack on the double-block-length compression function presented at FSE 2006 instantiated with round-reduced AES-256: f0(h0||h1, M) || f1(h0||h1, M) such that f0(h0||h1, M) = E_{h1||M}(h0) ⊕ h0 and f1(h0||h1, M) = E_{h1||M}(h0 ⊕ c) ⊕ h0 ⊕ c, where || represents concatenation, E is AES-256 and c is a 16-byte non-zero constant. The proposed attack is a free-start collision attack using the rebound attack proposed by Mendel et al. The success of the proposed attack largely depends on the configuration of the constant c: the number of its non-zero bytes and their positions. For the instantiation with AES-256 reduced from 14 rounds to 8 rounds, it is effective if the constant c has at most four non-zero bytes at some specific positions, and the time complexity is 2^64 or 2^96. For the instantiation with AES-256 reduced to 9 rounds, it is effective if the constant c has four non-zero bytes at some specific positions, and the time complexity is 2^120. The space complexity is negligible in both cases.
Journal
- IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences
IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences E99.A (1), 14-21, 2016
The Institute of Electronics, Information and Communication Engineers
Details
- CRID
- 1390282681287796992
- NII Article ID
- 130005115228
- ISSN
- 17451337
- 09168508
- Language code of text
- en
- Data source type
- JaLC
- Crossref
- CiNii Articles
- KAKEN
- Abstract license flag
- Not available