Investigating Fundamental Security Requirements on Whirlpool: Improved Preimage and Collision Attacks

In this paper, improved cryptanalyses for the ISO standard hash function Whirlpool are presented with respect to the fundamental security notions. While a subspace distinguisher was presented on full version (10 rounds) of the compression function, its impact to the security of the hash function seems limited. In this paper, we discuss the (second) preimage and collision attacks for the hash function and the compression function of Whirlpool. Regarding the preimage attack, 6 rounds of the hash function are attacked with 2 computations while the previous best attack is for 5 rounds with 2 computations. Regarding the collision attack, 8 rounds of the compression function are attacked with 2 computations, while the previous best attack is for 7 rounds with 2 computations. To verify the correctness, especially for the rebound attack on the Sbox with an unbalanced Differential Distribution Table (DDT), the attack is partially implemented, and the differences from attacking the Sbox with balanced DDT are reported.