A Collision Attack on a Double-Block-Length Compression Function Instantiated with 8-/9-Round AES-256

Abstract

This paper presents the first non-trivial collision attack on the double-block-length compression function presented at FSE 2006 instantiated with round-reduced AES-256: f₀(h₀||h₁,M)||f₁(h₀||h₁,M) such that   f₀(h₀||h₁, M) = E_h1||M(h₀)⊕h₀ ,   f₁(h₀||h₁,M) = E_h1||M(h₀⊕c)⊕h₀⊕c ,   where || represents concatenation, E is AES-256 and c is a 16-byte non-zero constant. The proposed attack is a free-start collision attack using the rebound attack proposed by Mendel et al. The success of the proposed attack largely depends on the configuration of the constant c: the number of its non-zero bytes and their positions. For the instantiation with AES-256 reduced from 14 rounds to 8 rounds, it is effective if the constant c has at most four non-zero bytes at some specific positions, and the time complexity is 2⁶⁴ or 2⁹⁶. For the instantiation with AES-256 reduced to 9 rounds, it is effective if the constant c has four non-zero bytes at some specific positions, and the time complexity is 2¹²⁰. The space complexity is negligible in both cases.