Abstract
In this work, we revisit the security analysis of hashing modes instantiated with AES-128. We use biclique cryptanalysis as the basis for our evaluation. In Asiacrypt’11, Bogdanov et al. proposed the biclique technique for key recovery attacks on full AES-128. They further showed how to apply this technique to find a preimage for a compression function instantiated with AES-128 with a complexity of \(2^{125.56}\). However, this preimage attack on the compression function cannot be directly converted into a preimage attack on the hash function. This is because the initialization vector (IV) is a publicly known constant in the hash function setting and the attacker is not allowed to change it, whereas the compression function attack using bicliques introduces differences in the chaining variable. We extend the application of the biclique technique to the domain of hash functions and demonstrate a second preimage attack on all 12 PGV modes.
The complexities of finding second preimages in our analysis differ based on the PGV construction chosen, the lowest being \(2^{126.3}\) and the highest requiring \(2^{126.6}\) compression function calls. We implement C programs to find the best biclique trails (those that guarantee the lowest possible time complexity) and calculate the above values accordingly. Our security analysis requires only 2 message blocks and works on the full 10 rounds of AES-128 for all 12 PGV modes. This improves upon the previous best result on AES-128 based hash functions by Sasaki at FSE’11, where the maximum number of rounds attacked is 7. Although our results do not significantly decrease the attack complexity compared to brute force, they highlight the actual security margin provided by these constructions against second preimage attacks.
Notes
1. Under hash function settings the decryption oracle is replaced by the feed-forward operation.
2. \(C_{recomp}\) in turn is measured as \(2^{128} \cdot\) (#S-boxes recomputed in the MITM phase / #total S-boxes required in one full AES encryption) \(\implies\) \(2^{128} \cdot\) (#S-boxes recomputed in the MITM phase / 200).
3. Here, bicliques of dimension d = 8 are constructed. In our attacks, we also construct bicliques of dimension 8.
References
Abed, F., Forler, C., List, E., Lucks, S., Wenzel, J.: Biclique cryptanalysis of the PRESENT and LED lightweight ciphers. IACR Cryptology ePrint Archive, 2012:591 (2012)
Abed, F., Forler, C., List, E., Lucks, S., Wenzel, J.: A framework for automated independent-biclique cryptanalysis. In: Moriai, S. (ed.) FSE 2013. LNCS, vol. 8424, pp. 561–582. Springer, Heidelberg (2014)
Barreto, P.S.L.M., Rijmen, V.: Whirlpool. In: van Tilborg, H.C.A., Jajodia, S. (eds.) Encyclopedia of Cryptography and Security, 2nd edn, pp. 1384–1385. Springer US, New York (2011)
Benadjila, R., Billet, O., Gilbert, H., Macario-Rat, G., Peyrin, T., Robshaw, M., Seurin, Y.: SHA-3 proposal: ECHO. Submission to NIST (2008)
Black, J., Rogaway, P., Shrimpton, T., Stam, M.: An analysis of the blockcipher-based hash functions from PGV. J. Cryptology 23(4), 519–545 (2010)
Bogdanov, A., Chang, D., Ghosh, M., Sanadhya, S.K.: Bicliques with minimal data and time complexity for AES. In: Lee, J., Kim, J. (eds.) ICISC 2014. LNCS, vol. 8949, pp. 160–174. Springer, Heidelberg (2011)
Bogdanov, A., Khovratovich, D., Rechberger, C.: Biclique cryptanalysis of the full AES. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 344–371. Springer, Heidelberg (2011)
Daemen, J., Rijmen, V.: The Design of Rijndael: AES - The Advanced Encryption Standard. Information Security and Cryptography. Springer, Heidelberg (2002)
Gauravaram, P., Knudsen, L.R., Matusiewicz, K., Mendel, F., Rechberger, C., Schläffer, M., Thomsen, S.S.: Grøstl - a SHA-3 candidate. In: Symmetric Cryptography, Dagstuhl Seminar Proceedings, Dagstuhl, Germany (2009)
Hong, D., Koo, B., Kwon, D.: Biclique attack on the full HIGHT. In: Kim, H. (ed.) ICISC 2011. LNCS, vol. 7259, pp. 365–374. Springer, Heidelberg (2012)
Indesteege, S.: The LANE Hash Function. Submission to NIST (2008)
Jean, J., Naya-Plasencia, M., Schläffer, M.: Improved analysis of ECHO-256. In: Miri, A., Vaudenay, S. (eds.) SAC 2011. LNCS, vol. 7118, pp. 19–36. Springer, Heidelberg (2011)
Khovratovich, D., Rechberger, C., Savelieva, A.: Bicliques for preimages: attacks on skein-512 and the SHA-2 family. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 244–263. Springer, Heidelberg (2012)
Lamberger, M., Mendel, F., Rechberger, C., Rijmen, V., Schläffer, M.: The rebound attack and subspace distinguishers: application to whirlpool. IACR Cryptology ePrint Archive, 2010:198 (2010)
Matusiewicz, K., Naya-Plasencia, M., Nikolić, I., Sasaki, Y., Schläffer, M.: Rebound attack on the full Lane compression function. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 106–125. Springer, Heidelberg (2009)
Mendel, F., Rechberger, C., Schläffer, M., Thomsen, S.S.: Rebound attacks on the reduced Grøstl hash function. In: Pieprzyk, J. (ed.) CT-RSA 2010. LNCS, vol. 5985, pp. 350–365. Springer, Heidelberg (2010)
Preneel, B., Govaerts, R., Vandewalle, J.: Hash functions based on block ciphers: a synthetic approach. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 368–378. Springer, Heidelberg (1994)
Sasaki, Y., Yasuda, K.: Known-key distinguishers on 11-round feistel and collision attacks on its hashing modes. In: Joux, A. (ed.) FSE 2011. LNCS, vol. 6733, pp. 397–415. Springer, Heidelberg (2011)
Schläffer, M.: Subspace distinguisher for 5/8 rounds of the ECHO-256 hash function. In: Biryukov, A., Gong, G., Stinson, D.R. (eds.) SAC 2010. LNCS, vol. 6544, pp. 369–387. Springer, Heidelberg (2011)
Tao, B., Wu, H.: Improving the biclique cryptanalysis of AES. In: Foo, E., Stebila, D. (eds.) ACISP 2015. LNCS, vol. 9144, pp. 39–56. Springer, Heidelberg (2015)
Wu, S., Feng, D., Wu, W.: Cryptanalysis of the LANE hash function. In: Jacobson Jr., M.J., Rijmen, V., Safavi-Naini, R. (eds.) SAC 2009. LNCS, vol. 5867, pp. 126–140. Springer, Heidelberg (2009)
Chen, S.Z., Xu, T.M.: Biclique attack of the full ARIA-256. IACR Cryptology ePrint Archive, 2012:11 (2012)
A Proofs
In this section, we prove that the base structure chosen for the bicliques in Sect. 5.1 produces non-overlapping keys/messages both within the same group and between groups.
A.1 Biclique Structure When IV Is Known and Acts as the Message Input to Block Cipher E
For the base message (shown in Fig. 10) that is used for the biclique structure in Fig. 9(a), our aim is to prove that when \(\varDelta _i\) and \(\nabla _j\) differences are injected into this base message (as shown in Fig. 19), we are able to partition the message space into \(2^{112}\) groups with \(2^{16}\) messages in each, and that the messages generated, both within a group and between groups, are non-overlapping. The differences \(\nabla _{j_1}\), \(\nabla _{j_2}\), \(\nabla _{j_3}\) and \(\nabla _{j_4}\) are produced from \(\nabla _j\) as shown in Fig. 20.
Here, \(b_{i,j}\) and \(c_{i,j}\) (0 \(\le \) i,j \(\le \) 3) represent the base values of corresponding bytes in the intermediate states #B and #C respectively as shown in Fig. 21. #B and #C are #3 and #4 states in Fig. 9(a).
Aim: Given any two base messages B, \(B'\), any two \(\varDelta _i\) differences i, \(i'\), and any two \(\nabla _j\) differences j, \(j'\) (0 \(\le \) i,j \(\le 2^8\)), we want to prove that \(B[i,j] \ne B'[i',j']\), i.e., that the messages generated are non-overlapping. We prove this statement case by case. Cases (1–4) cover inter-group messages, whereas Cases (5–7) cover intra-group messages. For all the proofs below, we refer to Figs. 22, 23 and 24 for better understanding.
Case 1. Given \(B \ne B'\), \(i=i', j=j'\), \(b_{00}\)=\(b_{10}\)=\(b'_{00}\)=\(b'_{10}\)=0, to show: \(B[i,j] \ne B'[i',j']\)
Proof: We prove this setting by contraposition, i.e., if \(B[i,j] = B'[i',j']\), \(i=i', j=j'\), \(b_{00}\)=\(b_{10}\)=\(b'_{00}\)=\(b'_{10}\)=0, then \(B = B'\).
In Fig. 24, \(B[i,j] = B'[i',j'] \implies C[i,j] = C'[i',j'] \implies \) \(c_{0,2}\) = \(c'_{0,2}\), \(c_{0,3}\) = \(c'_{0,3}\), \(c_{1,1}\) = \(c'_{1,1}\), \(c_{1,2}\) = \(c'_{1,2}\), \(c_{1,3}\) = \(c'_{1,3}\), \(c_{2,1}\) = \(c'_{2,1}\), \(c_{2,2}\) = \(c'_{2,2}\), \(c_{2,3}\) = \(c'_{2,3}\), \(c_{3,1}\) = \(c'_{3,1}\), \(c_{3,2}\) = \(c'_{3,2}\) and \(c_{3,3}\) = \(c'_{3,3}\). Since \(C[i,j] = C'[i',j'] \implies \) \(c_{0,1} \oplus j\) = \(c'_{0,1} \oplus j' \), and \(j = j'\), we get \(c_{0,1}\) = \(c'_{0,1}\). Hence \(\mathbf {12}\) bytes in state C and the corresponding bytes in state \(C'\) share equal values. This relation carries over to the related byte positions in B and \(B'\) after application of InvMixColumns, InvShiftRows and InvSubBytes (as shown in Fig. 22), i.e., \(b_{0,1}\) = \(b'_{0,1}\), \(b_{0,2}\) = \(b'_{0,2}\), \(b_{0,3}\) = \(b'_{0,3}\), \(b_{1,0}\) = \(b'_{1,0}\), \(b_{1,2}\) = \(b'_{1,2}\), \(b_{1,3}\) = \(b'_{1,3}\), \(b_{2,0}\) = \(b'_{2,0}\), \(b_{2,1}\) = \(b'_{2,1}\), \(b_{2,3}\) = \(b'_{2,3}\), \(b_{3,0}\) = \(b'_{3,0}\), \(b_{3,1}\) = \(b'_{3,1}\) and \(b_{3,2}\) = \(b'_{3,2}\); that is, these 12 bytes in B and \(B'\) also share the same base values. As we have assumed \(B[i,j] = B'[i',j']\), we also have \(b_{1,1}\) = \(b'_{1,1}\), \(b_{2,2}\) = \(b'_{2,2}\) and \(b_{3,3}\) = \(b'_{3,3}\), as these base values are not affected by the \(\varDelta _i\) and \(\nabla _j\) differences (as seen in Fig. 24). Since in states B and \(B'\), \(b_{0,0}\) = \(b'_{0,0}\) = 0, all \(\mathbf {16}\) byte positions in B and the corresponding byte positions in \(B'\) share the same base values. Hence \(B = B'\). This proves that our initial proposition is correct.
Case 2. Given \(B \ne B'\), \(i=i'\), \(j \ne j'\), \(b_{00}\)=\(b_{01}\)=\(b'_{00}\)=\(b'_{01}\)=0, to show: \(B[i,j] \ne B'[i',j']\)
Proof: We prove this setting by contradiction, i.e., let us assume that \(B \ne B'\), \(i=i'\), \(j \ne j'\), \(b_{00}\)=\(b_{01}\)=\(b'_{00}\)=\(b'_{01}\)=0 and yet \(B[i,j] = B'[i',j']\).
In Fig. 24, \(B[i,j] = B'[i',j'] \implies \) \(C[i,j] = C'[i',j']\) \(\implies \) \(c_{0,1} \oplus j\) = \(c'_{0,1} \oplus j' \). Since \(j \ne j'\), we get \(c_{0,1} \ne c'_{0,1}\). As a result, after applying InvMixColumns and InvSubBytes, the bytes generated, i.e., \(b_{0,1}\) and \(b'_{0,1}\), must also satisfy \(b_{0,1} \ne b'_{0,1}\). But \(b_{0,1}\) = \(b'_{0,1}\) = 0 (as seen in Fig. 21). Hence a contradiction arises, implying that our assumed proposition is wrong. Therefore, our initial proposition is correct.
Case 3. Given \(B \ne B'\), \(i\ne i'\), \(j = j'\), \(b_{00}\)=\(b_{01}\)=\(b'_{00}\)=\(b'_{01}\)=0, to show: \(B[i,j] \ne B'[i',j']\)
Proof: In this setting, since \(i \ne i'\), \(B[i,j] \ne B'[i',j']\) always holds, as the two messages always differ at the zeroth byte position (Fig. 24).
Case 4. Given \(B \ne B'\), \(i \ne i'\), \(j \ne j'\), \(b_{00}\)=\(b_{01}\)=\(b'_{00}\)=\(b'_{01}\)=0, to show: \(B[i,j] \ne B'[i',j']\)
Proof: Similar to Case 3.
Case 5. Given \(B = B'\), \(i \ne i'\), \(j \ne j'\), \(b_{00}\)=\(b_{01}\)=\(b'_{00}\)=\(b'_{01}\)=0, to show: \(B[i,j] \ne B'[i',j']\)
Proof: Similar to Case 3.
Case 6. Given \(B = B'\), \(i \ne i'\), \(j = j'\), \(b_{00}\)=\(b_{01}\)=\(b'_{00}\)=\(b'_{01}\)=0, to show: \(B[i,j] \ne B'[i',j']\)
Proof: Similar to Case 3.
Case 7. Given \(B = B',~i = i',~j \ne j'\), \(b_{00}\)=\(b_{01}\)=\(b'_{00}\)=\(b'_{01}\)=0, to show: \(B[i,j] \ne B'[i',j']\)
Proof: Since \(B = B' \implies \) \(C = C' \implies \) \(c_{0,1}\) = \(c'_{0,1}\). As \(j \ne j'\) \(\implies \) \(c_{0,1} \oplus j \ne c'_{0,1} \oplus j'\) \(\implies \) \(C[i,j] \ne C'[i',j']\) always, as they differ every time at the fourth byte position (Fig. 24). As a result, \(B[i,j] \ne B'[i',j']\) always, due to the bijective relation between states B and C.
Hence we have proved that in all cases the messages M[i, j] so generated are non-overlapping.
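The following is an added example, not code from the paper: a one-round AES model of the B-to-C transition used in Appendix A.1. It builds the messages B[i,j] from a base state and checks, on constructed base states, that they never overlap within or across groups (Cases 1 to 7), that Δ_i stays visible at byte 0 (Case 3) and that ∇_j reaches exactly four bytes of B (the ∇_{j1..j4} of Fig. 20). Assumed, since the trail itself is not reproduced here: Δ_i is XORed into b_{0,0}, ∇_j into c_{0,1}, the round key between B and C is a constant that is omitted, and the sample base state is constructed.

```python
from functools import reduce
from operator import xor
# Added example (not the paper's code): one AES round (SubBytes, ShiftRows, MixColumns;
# the round-key XOR is a constant here and omitted) between the proof's states B and C.
# Assumed from the proof: Delta_i enters b_{0,0}, Nabla_j enters c_{0,1}, base states have
# b_{0,0} = b_{0,1} = 0. Byte index = row + 4*column, so b_{0,1}/c_{0,1} is index 4.
def _gf_mul(a, b):  # GF(2^8) multiplication with the AES polynomial x^8+x^4+x^3+x+1
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a, b = ((a << 1) ^ 0x11B) & 0xFF if a & 0x80 else a << 1, b >> 1
    return r
def _make_sbox():  # S-box = affine map of the GF(2^8) inverse (with 0 -> 0)
    sbox = []
    for x in range(256):
        v = s = next((y for y in range(256) if _gf_mul(x, y) == 1), 0)
        for _ in range(4):  # s = v ^ rotl(v,1) ^ rotl(v,2) ^ rotl(v,3) ^ rotl(v,4)
            v = ((v << 1) | (v >> 7)) & 0xFF
            s ^= v
        sbox.append(s ^ 0x63)
    return sbox
SBOX = _make_sbox()
INV_SBOX = [SBOX.index(v) for v in range(256)]
MIX, INV_MIX = [2, 3, 1, 1], [14, 11, 13, 9]  # first row of the (inverse) circulant matrix
SAMPLE_BASE = [0, 0x11, 0x22, 0x33, 0, 0x55, 0x66, 0x77,  # constructed; b_{0,0} = b_{0,1} = 0
               0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF]
def shift_rows(s, inv=False):  # row r rotates left by r (right when inverting)
    return [s[r + 4 * ((c - r if inv else c + r) % 4)] for c in range(4) for r in range(4)]
def mix_columns(s, coef=MIX):  # out[r] = XOR over k of coef[(k - r) % 4] * col[k]
    return [reduce(xor, (_gf_mul(coef[(k - r) % 4], s[4 * c + k]) for k in range(4)))
            for c in range(4) for r in range(4)]
def round_fwd(b):  # state B -> state C
    return mix_columns(shift_rows([SBOX[x] for x in b]))
def round_inv(c):  # state C -> state B
    return [INV_SBOX[x] for x in shift_rows(mix_columns(c, INV_MIX), inv=True)]
def message(base, i, j):  # B[i,j]: Delta_i = i into b_{0,0}, Nabla_j = j into c_{0,1}
    b = list(base); b[0] ^= i
    c = round_fwd(b); c[4] ^= j
    return bytes(round_inv(c))
def nabla_positions(base, j):  # bytes of B changed by Nabla_j alone: nabla_{j1..j4}
    m0, mj = message(base, 0, 0), message(base, 0, j)
    return [k for k in range(16) if m0[k] != mj[k]]
def all_distinct(bases, n=256):
    """True iff B[i,j], 0 <= i,j < n, never repeats within or across the given base states."""
    seen = set()
    for base in bases:  # n = 256 is one full group of 2^16 messages (slow in pure Python)
        group = {message(base, i, j) for i in range(n) for j in range(n)}
        if len(group) < n * n or seen & group:  # collision inside or between groups
            return False
        seen |= group
    return True
```

Running `all_distinct([SAMPLE_BASE, SAMPLE_BASE[:15] + [1]], n=32)` exercises both intra-group and inter-group cases on two base states that differ only in byte 15.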
© 2016 Springer International Publishing Switzerland
Cite this paper
Chang, D., Ghosh, M., Sanadhya, S.K. (2016). Biclique Cryptanalysis of Full Round AES-128 Based Hashing Modes. In: Lin, D., Wang, X., Yung, M. (eds) Information Security and Cryptology. Inscrypt 2015. Lecture Notes in Computer Science, vol 9589. Springer, Cham. https://doi.org/10.1007/978-3-319-38898-4_1
DOI: https://doi.org/10.1007/978-3-319-38898-4_1
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-38897-7
Online ISBN: 978-3-319-38898-4