
A Collision Attack on a Double-Block-Length Compression Function Instantiated with Round-Reduced AES-256
Chen, Jiageng,
Hirose, Shoichi,
Kuwakado, Hidenori,
Miyaji, Atsuko
8949, pp. 271-285, 2015-03-17, Springer
ISSN: 0302-9743
Description
This paper presents the first non-trivial collision attack on the double-block-length compression function presented at FSE 2006 instantiated with round-reduced AES-256: f_0(h_0∥h_1, M) ∥ f_1(h_0∥h_1, M) such that

f_0(h_0∥h_1, M) = E_{h_1∥M}(h_0) ⊕ h_0,
f_1(h_0∥h_1, M) = E_{h_1∥M}(h_0 ⊕ c) ⊕ h_0 ⊕ c,

where ∥ represents concatenation, E is AES-256 and c is a non-zero constant. The proposed attack is a free-start collision attack. It uses the rebound attack proposed by Mendel et al. It finds a collision with time complexity 2^8, 2^64 and 2^120 for the instantiation with 6-round, 8-round and 9-round AES-256, respectively. The space complexity is negligible. The attack is effective against the instantiation with 6/8-round AES-256 if the 16-byte constant c has a single non-zero byte. It is effective against the instantiation with 9-round AES-256 if the constant c has four non-zero bytes at some specific positions.
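The construction defined in the abstract, as an added Go example (not code from the paper or its authors). It uses the full-round AES-256 of Go's `crypto/aes`, not the round-reduced variants the attack applies to; the constant c and the inputs are constructed, and `Input`, `HalvesSwap` and `IsFreeStartCollision` are hypothetical helper names. It goes one step beyond the abstract by checking a property that follows directly from the two formulas: replacing h_0 with h_0 ⊕ c swaps the two output halves, which is not itself a collision.

```go
package main

import (
	"crypto/aes"
	"fmt"
)

// Block is one 128-bit value; Input is a free-start input (h0, h1, M all chosen).
type Block [16]byte
type Input struct{ H0, H1, M Block }

func xor(a, b Block) (out Block) {
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// Compress returns (f0, f1); both halves share the AES-256 key h1 || M.
func Compress(in Input, c Block) (f0, f1 Block) {
	key := append(append([]byte{}, in.H1[:]...), in.M[:]...)
	blk, _ := aes.NewCipher(key) // key is always 32 bytes, so this cannot fail
	half := func(x Block) Block { // E_key(x) XOR x (feed-forward)
		var y Block
		blk.Encrypt(y[:], x[:])
		return xor(y, x)
	}
	return half(in.H0), half(xor(in.H0, c))
}

// IsFreeStartCollision: two distinct inputs with identical 256-bit output.
func IsFreeStartCollision(a, b Input, c Block) bool {
	a0, a1 := Compress(a, c)
	b0, b1 := Compress(b, c)
	return a != b && a0 == b0 && a1 == b1
}

// HalvesSwap checks that replacing h0 by h0 XOR c swaps f0 and f1.
func HalvesSwap(in Input, c Block) bool {
	f0, f1 := Compress(in, c)
	g0, g1 := Compress(Input{xor(in.H0, c), in.H1, in.M}, c)
	return g0 == f1 && g1 == f0
}

func main() {
	c := Block{15: 0x01}                      // constructed: single non-zero byte
	in := Input{Block{1}, Block{2}, Block{3}} // constructed input
	swapped := Input{xor(in.H0, c), in.H1, in.M}
	fmt.Println(HalvesSwap(in, c), IsFreeStartCollision(in, swapped, c))
}
```

Run stand-alone it prints `true false`: the halves swap, but the swapped pair is not a collision because the 256-bit outputs differ in order.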
17th International Conference, Seoul, South Korea, December 3-5, 2014, Revised Selected Papers
FullText
https://dspace.jaist.ac.jp/dspace/bitstream/10119/13465/1/21386.pdf