
Cryptanalysis of hash functions based on blockciphers suitable for IoT service platform security

Published in: Multimedia Tools and Applications

Abstract

It is well known that blockcipher-based hash functions may be attacked when they adopt blockciphers having related-key differential properties. However, not every form of related-key differential is effective for attacking them. In this paper we provide general frameworks for collision and second-preimage attacks on hash functions that use related-key differential properties of the instantiated blockciphers, and show their various applications. In the literature there are several blockcipher-based hash functions that are provably secure in the ideal-cipher model, such as the 12 PGV schemes, MDC-2, MJH, Abreast-DM, Tandem-DM, and HIROSE. However, their security cannot be guaranteed once they are instantiated with specific blockciphers, because a real cipher with exploitable related-key behaviour violates the ideal-cipher assumption the proofs rely on. In this paper we first observe related-key differential properties of some blockciphers such as Even-Mansour (EM), Single-key Even-Mansour (SEM), XPX with a fixed tweak (XPX1111), the Chaskey cipher, and LOKI, all of which are suitable for IoT service platform security because of their low implementation cost. We then show how these properties undermine the security of the aforementioned blockcipher-based hash functions. In our analysis, the collision and second-preimage attacks apply to several PGV schemes, MDC-2 and MJH instantiated with SEM, XPX1111 or the Chaskey cipher, and to PGV no. 5, MJH, HIROSE, Abreast-DM and Tandem-DM instantiated with EM. Furthermore, LOKI-based MDC-2 is vulnerable to the collision attack. We also give the necessary conditions on the related-key differentials of a blockcipher for attacking each of the hash functions. To the best of our knowledge, this study is the first comprehensive analysis of hash functions based on blockciphers having related-key differential properties. Our cryptanalytic results support the well-known claim that blockcipher-based hash functions should avoid adopting blockciphers with related-key differential properties, such as the fixed-point property in compression functions. We believe that this study provides a better understanding of the security of blockcipher-based hash functions.


Notes

  1. Several generic second-preimage attacks on the MD construction have been presented that require less than \(2^{n}\) work [2, 3, 17].

  2. A permutation-based hash function construction has also been presented, in which a small set of permutations is used in place of a blockcipher in the hash function.

  3. Our cryptanalytic target hash functions are applicable to IoT service platform security, as their underlying blockciphers can be implemented with limited computing resources.

  4. This model assumes that both the key and the plaintext are accessible to the attacker. The property induced from such a model is sometimes called a known-key or chosen-key distinguisher [5, 19].

  5. In [17], Kelsey and Schneier proposed a method for constructing \((l, 2^{l} + l - 1)\)-expandable messages. In their method, \(|M_{i}^{a}|_{bl}\) and \(|M_{i}^{b}|_{bl}\) are set to 1 and \(2^{i-1} + 1\), while we use 2 and \(2^{i-1} + 2\) instead. We adopted such numbers (≥ 2) so that our rk-dps (related-key differential properties) can be used to construct the expandable messages.

  6. Our second-preimage attack on MDC-2-LOKI has a better attack complexity than the generic attack in [17]; however, it is inferior to the best generic attacks on MDC-2 [18].

  7. The rk-dps of blockciphers can also be combined with the second-preimage attack of Andreeva et al. presented in [2, 3]. However, in our analysis this requires more computation than the attacks in Section 5.

References

  1. Andreeva E, Bogdanov A, Dodis Y, Mennink B, Steinberger JP (2013) On the indifferentiability of key-alternating ciphers. In: Advances in Cryptology - Proceedings of CRYPTO '13, LNCS 8042. Springer, pp 531–550

  2. Andreeva E, Bouillaguet C, Dunkelman O, Fouque PA, Hoch J, Kelsey J, Shamir A, Zimmer S (2016) New second-preimage attacks on hash functions. J Cryptol 29(4):657–696

  3. Andreeva E, Bouillaguet C, Dunkelman O, Kelsey J (2009) Herding, second preimage and Trojan message attacks beyond Merkle-Damgård. In: Selected Areas in Cryptography - SAC '09, LNCS 5867. Springer, pp 393–414

  4. Biham E, Shamir A (1991) Differential cryptanalysis of Snefru, Khafre, REDOC-II, LOKI and Lucifer. In: Advances in Cryptology - Proceedings of CRYPTO '91, LNCS 576. Springer, pp 156–171

  5. Biryukov A, Khovratovich D, Nikolić I (2009) Distinguisher and related-key attack on the full AES-256. In: Advances in Cryptology - Proceedings of CRYPTO '09, LNCS 5677. Springer, pp 231–249

  6. Black J, Rogaway P, Shrimpton T (2002) Black-box analysis of the block-cipher-based hash-function constructions from PGV. In: Advances in Cryptology - Proceedings of CRYPTO '02, LNCS 2442. Springer, pp 320–335

  7. Black J, Cochran M, Shrimpton T (2005) On the impossibility of highly-efficient blockcipher-based hash functions. In: Advances in Cryptology - Proceedings of EUROCRYPT '05, LNCS 3494. Springer, pp 526–541

  8. Brachtl BO, Coppersmith D, Hyden MM, Matyas Jr SM, Meyer CH, Oseas J, Pilpel S, Schilling M (1990) Data authentication using modification detection codes based on a public one way encryption function. US Patent 4,908,861

  9. Brown L, Pieprzyk J, Seberry J (1990) LOKI - A cryptographic primitive for authentication and secrecy applications. In: Proceedings of AUSCRYPT '90, LNCS 453. Springer, pp 229–236

  10. Dunkelman O, Keller N, Shamir A (2012) Minimalism in cryptography: The Even-Mansour scheme revisited. In: Advances in Cryptology - Proceedings of EUROCRYPT '12, LNCS 7237. Springer, pp 336–354

  11. Even S, Mansour Y (1991) A construction of a cipher from a single pseudorandom permutation. In: Proceedings of ASIACRYPT '91, LNCS 739. Springer, pp 210–224

  12. Hirose S (2006) Some plausible constructions of double-block-length hash functions. In: FSE '06, LNCS 4047. Springer, pp 210–225

  13. Hong D, Koo B, Kim D (2012) Preimage and second-preimage attacks on PGV hashing modes of round-reduced ARIA, Camellia, and Serpent. IEICE Trans Fundam 95-A(1):372–380

  14. Hong D, Kwon D (2012) Cryptanalysis of double-block-length hash mode MJH. IACR Cryptol ePrint Archive 2012:634. http://eprint.iacr.org/2012/634

  15. Hong D, Kim D, Kwon D, Kim J (2016) Improved preimage attacks on hash modes of 8-round AES-256. vol 75, pp 14525–14539

  16. Chen J, Hirose S, Kuwakado H, Miyaji A (2016) A collision attack on a double-block-length compression function instantiated with 8-/9-round AES-256. IEICE Trans Fundam 99-A(1):14–21

  17. Kelsey J, Schneier B (2005) Second preimages on n-bit hash functions for much less than 2^n work. In: Advances in Cryptology - Proceedings of EUROCRYPT '05, LNCS 3494. Springer, pp 474–490

  18. Knudsen LR, Mendel F, Rechberger C, Thomsen SS (2009) Cryptanalysis of MDC-2. In: Advances in Cryptology - Proceedings of EUROCRYPT '09, LNCS 5479. Springer, pp 106–120

  19. Knudsen LR, Rijmen V (2007) Known-key distinguishers for some block ciphers. In: Advances in Cryptology - Proceedings of ASIACRYPT '07, LNCS 4833. Springer, pp 315–324

  20. Lai X, Massey JL (1992) Hash functions based on block ciphers. In: Advances in Cryptology - Proceedings of EUROCRYPT '92, LNCS 658. Springer, pp 55–70

  21. Lee J, Kwon D (2011) The security of Abreast-DM in the ideal cipher model. IEICE Trans Fundam 94-A(1):104–109

  22. Lee J, Stam M (2011) MJH: A faster alternative to MDC-2. In: Proceedings of CT-RSA '11, LNCS 6558. Springer, pp 213–236

  23. Lee J, Stam M, Steinberger JP (2011) The collision security of Tandem-DM in the ideal cipher model. In: Advances in Cryptology - Proceedings of CRYPTO '11, LNCS 6841. Springer, pp 561–577

  24. Mennink B (2016) XPX: Generalized tweakable Even-Mansour with improved security guarantees. In: Advances in Cryptology - Proceedings of CRYPTO '16, LNCS 9814. Springer, pp 64–94

  25. Mouha N, Mennink B, Van Herrewege A, Watanabe D, Preneel B, Verbauwhede I (2014) Chaskey: An efficient MAC algorithm for 32-bit microcontrollers. In: Selected Areas in Cryptography - SAC '14, LNCS 8781. Springer, pp 306–323

  26. Preneel B, Govaerts R, Vandewalle J (1993) Hash functions based on block ciphers: A synthetic approach. In: Advances in Cryptology - Proceedings of CRYPTO '93, LNCS 773. Springer, pp 368–378

  27. Rivest R (1992) The MD5 message-digest algorithm. RFC 1321

  28. Rogaway P, Steinberger JP (2008) Security/efficiency tradeoffs for permutation-based hashing. In: Advances in Cryptology - Proceedings of EUROCRYPT '08, LNCS 4965. Springer, pp 220–236

  29. Sasaki Y (2011) Meet-in-the-middle preimage attacks on AES hashing modes and an application to Whirlpool. In: FSE '11, LNCS 6733. Springer, pp 378–396

  30. National Institute of Standards and Technology (2012) Secure Hash Standard (SHS). FIPS PUB 180-4

  31. Stam M (2008) Beyond uniformity: Better security/efficiency tradeoffs for compression functions. In: Advances in Cryptology - Proceedings of CRYPTO '08, LNCS 5157. Springer, pp 397–412

  32. Steil M (2005) 17 mistakes Microsoft made in the Xbox security system. In: 22nd Chaos Communication Congress (22C3)

  33. Steinberger JP (2007) The collision intractability of MDC-2 in the ideal-cipher model. In: Advances in Cryptology - Proceedings of EUROCRYPT '07, LNCS 4515. Springer, pp 34–51

  34. Steinberger JP (2010) Stam's collision resistance conjecture. In: Advances in Cryptology - Proceedings of EUROCRYPT '10, LNCS 6110. Springer, pp 597–615

  35. Steinberger JP, Sun X, Yang Z (2012) Stam's conjecture and threshold phenomena in collision resistance. In: Advances in Cryptology - Proceedings of CRYPTO '12, LNCS 7417. Springer, pp 384–405

  36. Wei L, Peyrin T, Sokolowski P, Ling S, Pieprzyk J, Wang H (2012) On the (in)security of IDEA in various hashing modes. In: FSE '12, LNCS 7549. Springer, pp 163–179

  37. Winternitz RS (1984) A secure one-way hash function built from DES. In: Proceedings of the 1984 IEEE Symposium on Security and Privacy. IEEE Computer Society, pp 88–90


Acknowledgments

This work was supported by the Institute for Information & communications Technology Promotion (IITP) grant funded by the Korea government (MSIT) (No. 2017-0-00520, Development of SCR-Friendly Symmetric Key Cryptosystem and Its Application Modes).


Corresponding author

Correspondence to Jongsung Kim.

Appendix: Experimental Results: Colliding Message Pairs

We implemented our collision attacks on PGV no. 1 instantiated with SEM, the Chaskey cipher, and XPX1111. In our implementations, the underlying permutation f of SEM and of XPX1111 is AES-128 under the all-zero key 0x00000000 0x00000000 0x00000000 0x00000000, and the IV is fixed as 0x01234567 0x89abcdef 0xfedcba98 0x76543210. Table 8 shows examples produced by our simulations. Since the attack complexity is negligible, these colliding message pairs are found immediately.

Table 8 Example of our colliding message pairs
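The attack summarised above, as an added worked example; this is my code, not the authors' implementation and not the data of Table 8. It instantiates PGV no. 1, assumed here to be the Matyas-Meyer-Oseas scheme h_i = E_{h_{i-1}}(m_i) ⊕ m_i in the numbering of Black, Rogaway and Shrimpton [6], with SEM, E_K(x) = f(x ⊕ K) ⊕ K, where f is AES-128 under the all-zero key, and with the IV above (its four words concatenated in the order written, an assumption). The related-key differential it exploits is the one SEM satisfies with probability 1, E_{K⊕Δ}(x⊕Δ) = E_K(x) ⊕ Δ, so the compression function satisfies F(h⊕Δ, m⊕Δ) = F(h, m): any two distinct first blocks give chaining values h_1 and h_1' = h_1 ⊕ Δ, and second blocks m_2 and m_2 ⊕ Δ then compress to the same value. The pairs in Table 8 may have been derived by a different route; no padding is applied, and since the two messages have equal length, Merkle-Damgård strengthening would not separate them anyway.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/hex"
	"fmt"
)

const blockSize = 16

// IV from the appendix, assumed to be the four 32-bit words concatenated in the order written.
var IV = mustHex("0123456789abcdeffedcba9876543210")

func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

// xor returns the bytewise XOR of two 16-byte blocks.
func xor(a, b []byte) []byte {
	out := make([]byte, blockSize)
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// semEncrypt is the single-key Even-Mansour cipher E_K(x) = f(x XOR K) XOR K,
// with the public permutation f instantiated as AES-128 under the all-zero key.
func semEncrypt(key, x []byte) []byte {
	f, err := aes.NewCipher(make([]byte, 16)) // all-zero AES-128 key, as in the appendix
	if err != nil {
		panic(err)
	}
	out := make([]byte, blockSize)
	f.Encrypt(out, xor(x, key))
	return xor(out, key)
}

// relatedKeyHolds checks the SEM property E_{K^D}(x^D) == E_K(x) ^ D for one triple.
// For SEM it holds for every K, x and D, which is what the collision below relies on.
func relatedKeyHolds(key, x, delta []byte) bool {
	lhs := semEncrypt(xor(key, delta), xor(x, delta))
	rhs := xor(semEncrypt(key, x), delta)
	return bytes.Equal(lhs, rhs)
}

// pgv1Compress is PGV scheme no. 1 (Matyas-Meyer-Oseas, assumed numbering): h_i = E_{h_{i-1}}(m_i) XOR m_i.
func pgv1Compress(h, m []byte) []byte {
	return xor(semEncrypt(h, m), m)
}

// pgv1Hash iterates the compression function over 16-byte blocks starting from IV.
// No padding: the attack produces equal-length messages, so length strengthening changes nothing.
func pgv1Hash(msg []byte) []byte {
	if len(msg)%blockSize != 0 {
		panic("message must be a whole number of 16-byte blocks")
	}
	h := IV
	for i := 0; i < len(msg); i += blockSize {
		h = pgv1Compress(h, msg[i:i+blockSize])
	}
	return h
}

// findCollision turns any two distinct first blocks into a colliding pair of two-block messages.
// With D = h_1 XOR h_1', the pair (m_2, m_2 XOR D) satisfies F(h_1, m_2) == F(h_1', m_2 XOR D).
func findCollision(m1, m1p []byte) ([]byte, []byte) {
	if bytes.Equal(m1, m1p) {
		panic("first blocks must differ")
	}
	h1 := pgv1Compress(IV, m1)
	h1p := pgv1Compress(IV, m1p)
	delta := xor(h1, h1p)
	m2 := make([]byte, blockSize) // any second block works; all-zero for definiteness
	m2p := xor(m2, delta)
	msgA := append(append([]byte{}, m1...), m2...)
	msgB := append(append([]byte{}, m1p...), m2p...)
	return msgA, msgB
}

func main() {
	m1 := bytes.Repeat([]byte{0x41}, blockSize)  // constructed sample first block "AAAA..."
	m1p := bytes.Repeat([]byte{0x42}, blockSize) // constructed sample first block "BBBB..."
	a, b := findCollision(m1, m1p)
	fmt.Printf("M  = %x\nM' = %x\n", a, b)
	fmt.Printf("H(M)  = %x\nH(M') = %x\n", pgv1Hash(a), pgv1Hash(b))
	fmt.Println("collision:", bytes.Equal(pgv1Hash(a), pgv1Hash(b)))
}
```

The whole attack costs four compression-function calls, which is the "negligible complexity" of the appendix. Because the merge step only needs the chaining-value difference, any common suffix appended to both messages keeps them colliding, and the same two-block trick works for every chaining value, not just the IV.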


Cite this article

Kim, H., Kim, Dw., Yi, O. et al. Cryptanalysis of hash functions based on blockciphers suitable for IoT service platform security. Multimed Tools Appl 78, 3107–3130 (2019). https://doi.org/10.1007/s11042-018-5630-4
