Biclique Cryptanalysis of Full Round AES-128 Based Hashing Modes

Abstract

In this work, we revisit the security analysis of hashing modes instantiated with AES-128. We use biclique cryptanalysis as the basis for our evaluation. In Asiacrypt’11, Bogdanov et al. had proposed biclique technique for key recovery attacks on full AES-128. Further, they had shown application of this technique to find preimage for compression function instantiated with AES-128 with a complexity of \(2^{125.56}\). However, this preimage attack on compression function cannot be directly converted to preimage attack on hash function. This is due to the fact that the initialization vector (IV) is a publically known constant in the hash function settings and the attacker is not allowed to change it, whereas the compression function attack using bicliques introduced differences in the chaining variable. We extend the application of biclique technique to the domain of hash functions and demonstrate second preimage attack on all 12 PGV modes.

The complexities of finding second preimages in our analysis differ based on the PGV construction chosen - the lowest being \(2^{126.3}\) and the highest requiring \(2^{126.6}\) compression function calls. We implement C programs to find the best biclique trails (that guarantee the lowest time complexity possible) and calculate the above mentioned values accordingly. Our security analysis requires only 2 message blocks and works on full 10 rounds of AES-128 for all 12 PGV modes. This improves upon the previous best result on AES-128 based hash functions by Sasaki at FSE’11 where the maximum number of rounds attacked is 7. Though our results do not significantly decrease the attack complexity factor as compared to brute force but they highlight the actual security margin provided by these constructions against second preimage attack.

A Proofs

In this section, we will prove how the base structure which we chose for bicliques in Sect. 5.1 produce non-overlapping keys/messages within a same group and between groups.

1.1 A.1 Biclique Structure When IV Is Known and Acts as the Message Input to Block Cipher E

For the base message (shown in Fig. 10) that is used for the biclique structure in Fig. 9(a), our aim is to prove that when \(\varDelta _i\) and \(\nabla _j\) differences are injected in this base message (as shown in Fig. 19), we are able to partition the message space into \(2^{112}\) groups with \(2^{16}\) messages in each and the inter and intra group messages generated are non-overlapping. The \(\nabla {j_1}\), \(\nabla {j_2}\), \(\nabla {j_3}\) and \(\nabla {j_4}\) are differences produced from \(\nabla j\) as shown in Fig. 20.

Here, \(b_{i,j}\) and \(c_{i,j}\) (0 \(\le \) i,j \(\le \) 3) represent the base values of corresponding bytes in the intermediate states #B and #C respectively as shown in Fig. 21. #B and #C are #3 and #4 states in Fig. 9(a).

Aim: Given any two base messages B, \(B'\), any two \(\varDelta _i\) differences i, \(i'\), any two \(\nabla _j\) differences j, \(j'\) (0 \(\le \) i,j \(\le 2^8\)), we want to prove that B[i,j] \(\ne \) \(B[i',j']\) i.e., messages generated are non-overlapping. We will prove this statement case-by-case. Cases (1–4) cover inter group messages whereas Cases (5–7) cover within group messages. For all the proofs discussed below, we will refer to Figs. 22, 23 and 24 for better understanding.

Case 1. Given \(B \ne B'\), \(i=i', j=j'\), \(b_{00}\)=\(b_{10}\)=\(b'_{00}\)=\(b'_{10}\)=0, to show: \(B[i,j] \ne B'[i',j']\)

Fig. 19.

\(\varDelta _i\) and \(\nabla _j\) differences in base message

Fig. 20.

Relation between \(\nabla j, \nabla {j_1}, \nabla {j_2}, \nabla {j_3}, \nabla {j_4}\)

Fig. 21.

Relation between #B and #C states

Proof: We will prove this setting by ‘proof by contraposition’, i.e., if \(B[i,j] = B'[i',j']\), \(i=i', j=j'\), \(b_{00}\)=\(b_{10}\)=\(b'_{00}\)=\(b'_{10}\)=0, \(\implies B = B'\)

In Fig. 24, if \(B[i,j] = B'[i',j'] \implies C[i,j] = C'[i',j'] \implies \) \(c_{0,2}\) = \(c'_{0,2}\), \(c_{0,3}\) = \(c'_{0,3}\), \(c_{1,1}\) = \(c'_{1,1}\), \(c_{1,2}\) = \(c'_{1,2}\), \(c_{1,3}\) = \(c'_{1,3}\), \(c_{2,1}\) = \(c'_{2,1}\), \(c_{2,2}\) = \(c'_{2,2}\),\(c_{2,3}\) = \(c'_{2,3}\), \(c_{3,1}\) = \(c'_{3,1}\), \(c_{3,2}\) = \(c'_{3,2}\) and \(c_{3,3}\) = \(c'_{3,3}\). Since \(C[i,j] = C'[i',j'] \implies \) \(c_{0,1} \oplus j\) = \(c'_{0,1} \oplus j' \). As \(j = j' \implies \) \(c_{0,1}\) = \(c'_{0,1}\). Hence, \(\mathbf {12}\) bytes in state C and corresponding bytes in state \(C'\) share equal values. This relation automatically transcends to related byte positions in B and \(B'\) after application of InvMixColumns, InvShiftRows and InvSubBytes (as shown in Fig. 22), i.e., \(b_{0,1}\) = \(b'_{0,1}\), \(b_{0,2}\) = \(b'_{0,2}\), \(b_{0,3}\) = \(b'_{0,3}\), \(b_{1,0}\) = \(b'_{1,0}\), \(b_{1,2}\) = \(b'_{1,2}\), \(b_{1,3}\) = \(b'_{1,3}\), \(b_{2,0}\) = \(b'_{2,0}\), \(b_{2,1}\) = \(b'_{2,1}\), \(b_{2,3}\) = \(b'_{2,3}\), \(b_{3,0}\) = \(b'_{3,0}\), \(b_{3,1}\) = \(b'_{3,1}\) and \(b_{3,2}\) = \(b'_{3,2}\), 12 bytes in B and \(B'\) respectively also have same base values). As we have assumed \(B[i,j] = B'[i',j'] \implies \) \(b_{1,1}\) = \(b'_{1,1}\), \(b_{2,2}\) = \(b'_{2,2}\) and \(b_{3,3}\) = \(b'_{3,3}\) as these base values are not affected by \(\varDelta _i\) and \(\nabla _j\) differences (as seen in Fig. 24). Since in states B and \(B'\), \(b_{0,0}\) = \(b'_{0,0}\) = 0, hence all \(\mathbf {16}\) byte positions in B and corresponding byte positions in \(B'\) share same base values. Hence \(B = B'\). This proves that our initial proposition is correct.

Case 2. Given \(B \ne B'\), \(i=i'\), \(j \ne j'\), \(b_{00}\)=\(b_{01}\)=\(b'_{00}\)=\(b'_{01}\)=0, to show: \(B[i,j] \ne B'[i',j']\)

Proof: We will prove this setting by ‘proof by contradiction’, i.e., let us assume if \(B \ne B'\), \(i=i'\), \(j=j'\), \(b_{00}\)=\(b_{10}\)=\(b'_{00}\)=\(b'_{10}\)=0, \(\implies \) \(B[i,j] = B'[i',j']\)

In Fig. 24, if \(B[i,j] = B'[i',j'] \implies \) \(C[i,j] = C'[i',j']\) \(\implies \) \(c_{0,1} \oplus j\) = \(c'_{0,1} \oplus j' \). Since j \(\ne \) j’ \(\implies \) \(c_{0,1} \ne c'_{0,1}\). As a result after applying InvMixColumns and InvSubBytes on them the bytes generated i.e., \(b_{0,1}\) and \(b'_{0,1}\) should also satisfy the relation - \(b_{0,1} \ne b'_{0,1}\). But \(b_{0,1}\) = \(b'_{0,1}\) = 0 (as seen in Fig. 21). Hence, a contradiction arises implying our assumed proposition is wrong. Therefore, our initial proposition is correct.

Case 3. Given \(B \ne B'\), \(i\ne i'\), \(j = j'\), \(b_{00}\)=\(b_{01}\)=\(b'_{00}\)=\(b'_{01}\)=0, to show: \(B[i,j] \ne B'[i',j']\)

Proof: In this setting since \(i \ne i'\), hence \(B[i,j] \ne B'[i',j']\) always as they will always differ at zeroth byte position (Fig. 24).

Fig. 22.

Relation between base states B and C. The labels inside each box denote the base values of the corresponding byte positions

Fig. 23.

Modification of state \(\#B\) after applying \(\varDelta _i\) and \(\nabla _j\) differences. Same relation exists between \(\#B'\) and \(\#B'[i,j]\)

Fig. 24.

Relation between states \(\#B [i,j ]\), \(\#C [i,j ]\) and \(\#B' [i,j ]\), \(\#C' [i,j ]\)

Case 4. Given \(B \ne B'\), \(i \ne i'\), \(j \ne j'\), \(b_{00}\)=\(b_{01}\)=\(b'_{00}\)=\(b'_{01}\)=0, to show: \(B[i,j] \ne B'[i',j']\)

Proof: Proof similar to as discussed in Case 3.

Case 5. Given \(B = B'\), \(i \ne i'\), \(j \ne j'\), \(b_{00}\)=\(b_{01}\)=\(b'_{00}\)=\(b'_{01}\)=0, to show: \(B[i,j] \ne B'[i',j']\)

Proof: Proof similar to as discussed in Case 3.

Case 6. Given \(B = B'\), \(i \ne i'\), \(j = j'\), \(b_{00}\)=\(b_{01}\)=\(b'_{00}\)=\(b'_{01}\)=0, to show: \(B[i,j] \ne B'[i',j']\)

Proof: Proof similar to as discussed in Case 3.

Case 7. Given \(B = B',~i = i',~j \ne j'\), \(b_{00}\)=\(b_{01}\)=\(b'_{00}\)=\(b'_{01}\)=0, to show: \(B[i,j] \ne B'[i',j']\)

Proof: Since \(B = B' \implies \) \(C = C' \implies \) \(c_{0,1}\) = \(c'_{0,1}\). As \(j \ne j'\) \(\implies \) \(c_{0,1} \oplus j \ne c'_{0,1} \oplus j'\) \(\implies \) C[i, j] \(\ne \) \(C'[i',j']\) always as they will everytime differ at fourth byte position (Fig. 24). As a result \(B[i,j] \ne B'[i',j']\) always due to bijection relation between states B and C.

Hence we proved that in all cases M[i, j]’s so generated are non-overlapping.