Open AccessChosen-Key Distinguishers on 12-Round Feistel-SP and 11-Round Collision Attacks on Its Hashing Modes
Author(s) -
Xiaoyang Dong,
Xiaoyun Wang
Publication year - 2016
Publication title -
iacr transaction on symmetric cryptology
Language(s) - English
Resource type - Journals
ISSN - 2519-173X
DOI - 10.46586/tosc.v2016.i1.13-32
Subject(s) - block cipher , collision attack , hash function , slide attack , computer science , key (lock) , collision , block cipher mode of operation , block (permutation group theory) , cryptography , theoretical computer science , algorithm , mathematics , computer security , cryptographic hash function , stream cipher attack , double hashing , combinatorics
Since Knudsen and Rijmen proposed the known-key attacks in ASIACRYPT 2007, the open-key model becomes more and more popular. As the other component of the open-key model, chosen-key model was applied to the full attacks on AES-256 by Biryukov et al. in CRYPTO 2009. In this paper, we explore how practically the chosen-key model affect the real-world cryptography and show that 11-round generic Feistel-SP block cipher is no longer safe in its hashing modes (MMO and MP mode) as there exist collision attacks. This work improves Sasaki and Yasuda’s collision attacks by 2 rounds with two interesting techniques. First, we for the first time use the available degrees of freedom in the key to reduce the complexity of the inbound phase, which extends the previous 5-round inbound differential to a 7-round one. This results in a 12-round chosen-key distinguisher of Feistel-SP block cipher. Second, inspired by the idea of Wang et al., we construct collisions using two blocks. The rebound attack is used in the second compression function. We carefully balance the freedom of the first block and the complexity of the rebound attack, and extend the chosen-key attack to a 11-round collision attack on its hashing modes (MMO and MP mode).