1 Department of Applied Mathematics and Computer Science, Technical University of Denmark2 Cryptology, Department of Applied Mathematics and Computer Science, Technical University of Denmark3 NXP Semiconductors Austria4 Graz University of Technology5 Katholieke Universiteit6 Graz University of Technology
We introduce the rebound attack as a variant of differential cryptanalysis on hash functions and apply it to the hash function Whirlpool, standardized by ISO/IEC. We give attacks on reduced variants of the 10-round Whirlpool hash function and compression function. Our results are collisions for 5.5 and near-collisions for 7.5 rounds on the hash function, as well as semi-free-start collisions for 7.5 and semi-free-start near-collisions for 9.5 rounds on the compression function. Additionally, we introduce the subspace problem as a generalization of near-collision resistance. Finally, we present the first distinguishers that apply to the full compression function and the full underlying block cipher W of Whirlpool.
Journal of Cryptology, 2015, Vol 28, Issue 2, p. 257-296