
Exploring Formal Methods for Cryptographic Hash Function Implementations

  • Conference paper
  • In: Information Security and Privacy (ACISP 2023)
  • Part of the book series: Lecture Notes in Computer Science (LNCS, volume 13915)

Abstract

Cryptographic hash functions are used inside many applications that critically rely on their resistance against cryptanalysis attacks and the correctness of their implementations. Nevertheless, vulnerabilities in cryptographic hash function implementations can remain unnoticed for more than a decade, as shown by the recent discovery of a buffer overflow in the implementation of SHA-3 in the eXtended Keccak Code Package (XKCP), impacting Python, PHP, and several other software projects. This paper explains how this buffer overflow vulnerability in XKCP was found. More generally, we explore the application of formal methods to the five finalist submission packages to the NIST SHA-3 competition, allowing us to (re-)discover vulnerabilities in the implementations of Keccak and BLAKE, and also discover a previously undisclosed vulnerability in the implementation of Grøstl. We also show how the same approach rediscovers a vulnerability affecting 11 out of the 12 implemented cryptographic hash functions in Apple’s CoreCrypto library. Our approach consists of removing certain lines of code and then using KLEE as a tool to prove functional equivalence. We discuss the advantages and limitations of our approach and hope that our attempt to consolidate some earlier approaches can lead to new insights.



Author information

Correspondence to Nicky Mouha.


Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Cite this paper

Mouha, N. (2023). Exploring Formal Methods for Cryptographic Hash Function Implementations. In: Simpson, L., Rezazadeh Baee, M.A. (eds) Information Security and Privacy. ACISP 2023. Lecture Notes in Computer Science, vol 13915. Springer, Cham. https://doi.org/10.1007/978-3-031-35486-1_9

  • DOI: https://doi.org/10.1007/978-3-031-35486-1_9

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-35485-4

  • Online ISBN: 978-3-031-35486-1
