Whirlpool 512-bit collisions?
Available news archives: comp.lang.tcl - comp.lang.python - comp.security.firewalls - sci.crypt - comp.lang.php - comp.lang.javascript
Google
 
Web news.hping.org


sci.crypt archive

Whirlpool 512-bit collisions?

From: Alan <a__l__a__n@hotmail.com>
Date: Tue Jun 14 2005 - 20:39:06 CEST



Does Whirlpool have any collisions among 512-bit input blocks?



Bear with me while I attempt to describe Whirlpool in the limited 512-bit


message scenario, so I can state my question more specifically.



I'm willing to accept that the Whirlpool cipher function W does not have


collisions (based on its similarity to Rijndael-512).  A required property


of any *encryption* function F is that for a given key K, every message


block M must encrypt to a distinct ciphertext C.  (Otherwise you could not


unambiguously decrypt C to get M).   (However, this would need to be proven


somehow for W. Since it is presumably known to be true for Rijndael I


presume it can be proven for W).



In the limited case of 512 bit blocks M, padding is identical for every


value of M.  A second 512 bit block M2 is added, consisting of a 1 bit


followed by 255 0 bits, followed by the length of the message (always the


value 512 in our case) expressed as a 256-bit integer.



Also, by definition Whirlpool always encrypts the first message block using


a known constant key K0 consisting of 512 zero bits.  For 2^512 diferent


input blocks, there are presumed to be 2^512 different ciphertexts C=W(K0,M)


based on my assumption about W.



HOWEVER, Whirlpool will XOR C with M and K0 to get the intermediate hash


value H1.  Of course XOR with 512 zero bits will leave the original value


unchanged, so effectively we just XOR the ciphertext with the message


itself.  I don't know whether this introduces collisions or not, but I


suspect that it does.



The result H1 (maybe already with collisions?) is used as the encryption key


for the second block M2 (which, as we noted, is a known constant for all 512


bit blocks).   We take the resulting ciphertext and XOR with H1 and M2.



Back to the original question, are there collisions in the 512-bit message


space?  In order for the answer to be NO, it seems that the following must


be true:



1) There must be no collisions in H1 (ie, no collisions in W(K0,M) XOR M for


all 512 bit values of M)  But how can we know that???



2) There must not exist two keys K1 and K2 such that W(K1,M) = W(K2,M), at


least for our known constant M2.



Am I understanding this correctly?  And is it possible to prove that there


are no Whirlpool collisions in the 512-bit message space (other than by


brute


force which doesn't qualify as possible!)?  Is there any way to know how


large the result set of all Whirlpool hashes of 512 bit inputs would be?



I hope that makes sense...



Thanks for any comments / enlightenment etc



Alan


Received on Thu Sep 29 21:43:49 2005