This paper presents the first non-trivial collision attack on the double-block-length compression function presented at FSE 2006 instantiated with round-reduced AES-256: f0(h0║h1,M)║f1(h0║h1,M) such that where ║ represents concatenation, E is AES-256 and c is a non-zero constant. The proposed attack is a free-start collision attack. It uses the rebound attack proposed by Mendel et al. It finds a collision with time complexity 2^8, 2^64 and 2^120 for the instantiation with 6-round, 8-round and 9-round AES-256, respectively. The space complexity is negligible. The attack is effective against the instantiation with 6-/8-round AES-256 if the 16-byte constant c has a single non-zero byte. It is effective against the instantiation with 9-round AES-256 if the constant c has four non-zero bytes at some specific positions.
CITATION STYLE
Chen, J., Hirose, S., Kuwakado, H., & Miyaji, A. (2014). A collision attack on a double-block-length compression function instantiated with round-reduced AES-256. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 8949, pp. 271–285). Springer Verlag. https://doi.org/10.1007/978-3-319-15943-0_17