Cryptology ePrint Archive: Report 2015/568

Cryptanalysis of Reduced-Round Whirlwind (Full Version)

Bingke Ma and Bao Li and Ronglin Hao and Xiaoqian Li

Abstract: The \texttt{Whirlwind} hash function, which outputs a 512-bit digest, was designed by Barreto $et\ al.$ and published by \textit{Design, Codes and Cryptography} in 2010. In this paper, we provide a thorough cryptanalysis on \texttt{Whirlwind}. Firstly, we focus on security properties at the hash function level by presenting (second) preimage, collision and distinguishing attacks on reduced-round \texttt{Whirlwind}. In order to launch the preimage attack, we have to slightly tweak the original Meet-in-the-Middle preimage attack framework on \texttt{AES}-like compression functions by partially fixing the values of the state. Based on this slightly tweaked framework, we are able to construct several new and interesting preimage attacks on reduced-round \texttt{Whirlpool} and \texttt{AES} hashing modes as well. Secondly, we investigate security properties of the reduced-round components of \texttt{Whirlwind}, including semi-free-start and free-start (near) collision attacks on the compression function, and a limited-birthday distinguisher on the inner permutation. As far as we know, our results are currently the best cryptanalysis on \texttt{Whirlwind}.

Category / Keywords: secret-key cryptography / cryptanalysis, hash function, Whirlwind, Whirlpool, AES, PGV

Original Publication (with major differences): ACISP 2015

Date: received 9 Jun 2015

Contact author: bkma at is ac cn

Available format(s): PDF | BibTeX Citation

Note: This article is the full version of the paper published at ACISP 2015.

Version: 20150617:002450 (All versions of this report)

Short URL:

Discussion forum: Show discussion | Start new discussion

[ Cryptology ePrint archive ]