Meet-in-the-Middle Attacks Revisited: Key-Recovery, Collision, and Preimage Attacks

DOI: 10.1007/978-3-030-84252-9_10

Published: 16 August 2021

Abstract

At EUROCRYPT 2021, Bao et al. proposed an automatic method for systematically exploring the configuration space of meet-in-the-middle (MITM) preimage attacks. We further extend it into a constraint-based framework for finding exploitable MITM characteristics in the context of key-recovery and collision attacks by taking the subtle peculiarities of both scenarios into account. Moreover, to perform attacks based on MITM characteristics with nonlinear constrained neutral words, which have not been seen before, we present a procedure for deriving the solution spaces of neutral words without solving the corresponding nonlinear equations or increasing the overall time complexities of the attack. We apply our method to concrete symmetric-key primitives, including SKINNY, ForkSkinny, Romulus-H, Saturnin, Grøstl, WHIRLPOOL, and hashing modes with AES-256. As a result, we identify the first 23-round key-recovery attack on SKINNY-n-3n and the first 24-round key-recovery attack on ForkSkinny-n-3n in the single-key model. Moreover, improved (pseudo) preimage or collision attacks on round-reduced WHIRLPOOL, Grøstl, and hashing modes with AES-256 are obtained. In particular, employing the new representation of the AES key schedule due to Leurent and Pernot (EUROCRYPT 2021), we identify the first preimage attack on 10-round AES-256 hashing.

References

[1] AlTawy, R., Youssef, A.M.: Preimage attacks on reduced-round Stribog. In: Pointcheval, D., Vergnaud, D. (eds.) Progress in Cryptology – AFRICACRYPT 2014, pp. 109–125. Springer, Cham (2014)
[2] Aoki, K., Guo, J., Matusiewicz, K., Sasaki, Y., Wang, L.: Preimages for step-reduced SHA-2. In: Matsui, M. (ed.) Advances in Cryptology – ASIACRYPT 2009, pp. 578–597. Springer, Heidelberg (2009)
[3] Aoki, K., Sasaki, Y.: Preimage attacks on one-block MD4, 63-step MD5 and more. In: Avanzi, R.M., Keliher, L., Sica, F. (eds.) Selected Areas in Cryptography, pp. 103–119. Springer, Heidelberg (2009)
[4] Aoki, K., Sasaki, Y.: Meet-in-the-middle preimage attacks against reduced SHA-0 and SHA-1. In: Halevi, S. (ed.) Advances in Cryptology – CRYPTO 2009, pp. 70–89. Springer, Heidelberg (2009)
[5] Banik, S., Pandey, S.K., Peyrin, T., Sasaki, Y., Sim, S.M., Todo, Y.: GIFT: a small PRESENT – towards reaching the limit of lightweight encryption. In: Fischer, W., Homma, N. (eds.) Cryptographic Hardware and Embedded Systems – CHES 2017, pp. 321–345. Springer, Cham (2017)
[6] Bao, Z., et al.: Automatic search of meet-in-the-middle preimage attacks on AES-like hashing. Cryptology ePrint Archive, Report 2020/467 (2020)
[7] Bariant, A., David, N., Leurent, G.: Cryptanalysis of forkciphers. IACR Trans. Symmetric Cryptol. 2020(1), 233–265 (2020)
[8] Barreto, P.S.L.M., Rijmen, V.: The WHIRLPOOL hashing function (2000). Revised in 2003
[9] Beierle, C., et al.: The SKINNY family of block ciphers and its low-latency variant MANTIS. In: Robshaw, M., Katz, J. (eds.) Advances in Cryptology – CRYPTO 2016, pp. 123–153. Springer, Heidelberg (2016)
[10] Biham, E., Dunkelman, O., Keller, N., Shamir, A.: New attacks on IDEA with at least 6 rounds. J. Cryptol. 28(2), 209–239 (2015)
[11] Bogdanov, A., Khovratovich, D., Rechberger, C.: Biclique cryptanalysis of the full AES. In: Lee, D.H., Wang, X. (eds.) Advances in Cryptology – ASIACRYPT 2011, pp. 344–371. Springer, Heidelberg (2011)
[12] Bogdanov, A., Rechberger, C.: A 3-subset meet-in-the-middle attack: cryptanalysis of the lightweight block cipher KTANTAN. In: Biryukov, A., Gong, G., Stinson, D.R. (eds.) Selected Areas in Cryptography, pp. 229–240. Springer, Heidelberg (2011)
[13] Boura, C., Canteaut, A., De Cannière, C.: Higher-order differential properties of Keccak and Luffa. In: Joux, A. (ed.) Fast Software Encryption, pp. 252–269. Springer, Heidelberg (2011)
[14] Canteaut, A., et al.: Saturnin: a suite of lightweight symmetric algorithms for post-quantum security. IACR Trans. Symmetric Cryptol. 2020(S1), 160–207 (2020)
[15] Canteaut, A., Naya-Plasencia, M., Vayssière, B.: Sieve-in-the-middle: improved MITM attacks. In: Canetti, R., Garay, J.A. (eds.) Advances in Cryptology – CRYPTO 2013, pp. 222–240. Springer, Heidelberg (2013)
[16] Demirci, H., Selçuk, A.A.: A meet-in-the-middle attack on 8-round AES. In: Nyberg, K. (ed.) Fast Software Encryption, pp. 116–126. Springer, Heidelberg (2008)
[17] Derbez, P., Fouque, P.-A., Jean, J.: Improved key recovery attacks on reduced-round, in the single-key setting. In: Johansson, T., Nguyen, P.Q. (eds.) Advances in Cryptology – EUROCRYPT 2013, pp. 371–387. Springer, Heidelberg (2013)
[18] Diffie, W., Hellman, M.E.: Special feature exhaustive cryptanalysis of the NBS Data Encryption Standard. Computer 10(6), 74–84 (1977)
[19] Dinur, I., Dunkelman, O., Keller, N., Shamir, A.: Key recovery attacks on 3-round Even-Mansour, 8-step LED-128, and full AES2. In: Sako, K., Sarkar, P. (eds.) Advances in Cryptology – ASIACRYPT 2013, pp. 337–356. Springer, Heidelberg (2013)
[20] Dinur, I., Dunkelman, O., Keller, N., Shamir, A.: Cryptanalysis of iterated Even-Mansour schemes with two keys. In: Sarkar, P., Iwata, T. (eds.) Advances in Cryptology – ASIACRYPT 2014, pp. 439–457. Springer, Heidelberg (2014)
[21] Dinur, I., Dunkelman, O., Keller, N., Shamir, A.: New attacks on Feistel structures with improved memory complexities. In: Gennaro, R., Robshaw, M. (eds.) Advances in Cryptology – CRYPTO 2015, pp. 433–454. Springer, Heidelberg (2015)
[22] Dong, X., Hua, J., Sun, S., Li, Z., Wang, X., Hu, L.: Meet-in-the-middle attacks revisited: key-recovery, collision, and preimage attacks. Cryptology ePrint Archive, Report 2021/427 (2021). https://eprint.iacr.org/2021/427
[23] Dong, X., Sun, S., Shi, D., Gao, F., Wang, X., Hu, L.: Quantum collision attacks on AES-like hashing with low quantum random access memories. In: Moriai, S., Wang, H. (eds.) Advances in Cryptology – ASIACRYPT 2020, pp. 727–757. Springer, Cham (2020)
[24] Dunkelman, O., Keller, N., Shamir, A.: Improved single-key attacks on 8-round AES-192 and AES-256. In: Abe, M. (ed.) Advances in Cryptology – ASIACRYPT 2010, pp. 158–176. Springer, Heidelberg (2010)
[25] Dunkelman, O., Sekar, G., Preneel, B.: Improved meet-in-the-middle attacks on reduced-round DES. In: Srinathan, K., Rangan, C.P., Yung, M. (eds.) Progress in Cryptology – INDOCRYPT 2007, pp. 86–100. Springer, Heidelberg (2007)
[26] Espitau, T., Fouque, P.-A., Karpman, P.: Higher-order differential meet-in-the-middle preimage attacks on SHA-1 and BLAKE. In: Gennaro, R., Robshaw, M. (eds.) Advances in Cryptology – CRYPTO 2015, pp. 683–701. Springer, Heidelberg (2015)
[27] Fuhr, T., Minaud, B.: Match box meet-in-the-middle attack against KATAN. In: FSE 2014, pp. 61–81 (2014)
[28] Gauravaram, P., et al.: Grøstl – a SHA-3 candidate. In: Symmetric Cryptography (2009)
[29] Gilbert, H., Peyrin, T.: Super-Sbox cryptanalysis: improved attacks for AES-like permutations. In: FSE 2010, pp. 365–383 (2010)
[30] Guo, J., Ling, S., Rechberger, C., Wang, H.: Advanced meet-in-the-middle preimage attacks: first results on full Tiger, and improved results on MD4 and SHA-2. In: Abe, M. (ed.) Advances in Cryptology – ASIACRYPT 2010, pp. 56–75. Springer, Heidelberg (2010)
[31] Hong, D., Koo, B., Sasaki, Y.: Improved preimage attack for 68-step HAS-160. In: Lee, D., Hong, S. (eds.) Information, Security and Cryptology – ICISC 2009, pp. 332–348. Springer, Heidelberg (2010)
[32] Hosoyamada, A., Sasaki, Y.: Finding hash collisions with quantum computers by using differential trails with smaller probability than birthday bound. In: Canteaut, A., Ishai, Y. (eds.) Advances in Cryptology – EUROCRYPT 2020, pp. 249–279. Springer, Cham (2020)
[33] Isobe, T.: A single-key attack on the full GOST block cipher. J. Cryptol. 26(1), 172–189 (2013)
[34] Isobe, T., Shibutani, K.: Security analysis of the lightweight block ciphers XTEA, LED and Piccolo. In: Susilo, W., Mu, Y., Seberry, J. (eds.) Information Security and Privacy, pp. 71–86. Springer, Heidelberg (2012)
[35] Isobe, T., Shibutani, K.: Generic key recovery attack on Feistel scheme. In: Sako, K., Sarkar, P. (eds.) Advances in Cryptology – ASIACRYPT 2013, pp. 464–485. Springer, Heidelberg (2013)
[36] Iwata, T., Khairallah, M., Minematsu, K., Peyrin, T.: Romulus for Round 3. NIST Lightweight Crypto Standardization process (Round 2) (2020)
[37] Jean, J., Naya-Plasencia, M., Peyrin, T.: Improved rebound attack on the finalist Grøstl. In: Canteaut, A. (ed.) Fast Software Encryption, pp. 110–126. Springer, Heidelberg (2012)
[38] Jean, J., Nikolić, I., Peyrin, T.: Tweaks and keys for block ciphers: the TWEAKEY framework. In: Sarkar, P., Iwata, T. (eds.) Advances in Cryptology – ASIACRYPT 2014, pp. 274–288. Springer, Heidelberg (2014)
[39] Khovratovich, D., Rechberger, C., Savelieva, A.: Bicliques for preimages: attacks on Skein-512 and the SHA-2 family. IACR Cryptol. ePrint Arch. 2011, 286 (2011)
[40] Knellwolf, S., Khovratovich, D.: New preimage attacks against reduced SHA-1. In: Safavi-Naini, R., Canetti, R. (eds.) Advances in Cryptology – CRYPTO 2012, pp. 367–383. Springer, Heidelberg (2012)
[41] Kölbl, S., Lauridsen, M.M., Mendel, F., Rechberger, C.: Haraka v2 – efficient short-input hashing for post-quantum applications. IACR Trans. Symmetric Cryptol. 2016(2), 1–29 (2016)
[42] Lamberger, M., Mendel, F., Rechberger, C., Rijmen, V., Schläffer, M.: Rebound distinguishers: results on the full Whirlpool compression function. In: Matsui, M. (ed.) Advances in Cryptology – ASIACRYPT 2009, pp. 126–143. Springer, Heidelberg (2009)
[43] Li, J., Isobe, T., Shibutani, K.: Converting meet-in-the-middle preimage attack into pseudo collision attack: application to SHA-2. In: Canteaut, A. (ed.) Fast Software Encryption, pp. 264–286. Springer, Heidelberg (2012)
[44] Mendel, F., Rechberger, C., Schläffer, M., Thomsen, S.S.: The rebound attack: cryptanalysis of reduced Whirlpool and Grøstl. In: FSE 2009, pp. 260–276 (2009)
[45] Mendel, F., Rijmen, V., Schläffer, M.: Collision attack on 5 rounds of Grøstl. In: FSE 2014, pp. 509–521 (2014)
[46] Sasaki, Y.: Meet-in-the-middle preimage attacks on AES hashing modes and an application to Whirlpool. In: Joux, A. (ed.) Fast Software Encryption, pp. 378–396. Springer, Heidelberg (2011)
[47] Sasaki, Y.: Integer linear programming for three-subset meet-in-the-middle attacks: application to GIFT. In: Inomata, A., Yasuda, K. (eds.) Advances in Information and Computer Security, pp. 227–243. Springer, Cham (2018)
[48] Sasaki, Y., Aoki, K.: Preimage attacks on 3, 4, and 5-pass HAVAL. In: Pieprzyk, J. (ed.) Advances in Cryptology – ASIACRYPT 2008, pp. 253–271. Springer, Heidelberg (2008)
[49] Sasaki, Y., Aoki, K.: Finding preimages in full MD5 faster than exhaustive search. In: Joux, A. (ed.) Advances in Cryptology – EUROCRYPT 2009, pp. 134–152. Springer, Heidelberg (2009)
[50] Sasaki, Y., Li, Y., Wang, L., Sakiyama, K., Ohta, K.: Non-full-active Super-Sbox analysis: applications to ECHO and Grøstl. In: ASIACRYPT 2010, Proceedings, pp. 38–55 (2010)
[51] Sasaki, Y., Wang, L., Sakai, Y., Sakiyama, K., Ohta, K.: Three-subset meet-in-the-middle attack on reduced XTEA. In: Mitrokotsa, A., Vaudenay, S. (eds.) Progress in Cryptology – AFRICACRYPT 2012, pp. 138–154. Springer, Heidelberg (2012)
[52] Sasaki, Y., Wang, L., Wu, S., Wu, W.: Investigating fundamental security requirements on Whirlpool: improved preimage and collision attacks. In: Wang, X., Sako, K. (eds.) Advances in Cryptology – ASIACRYPT 2012, pp. 562–579. Springer, Heidelberg (2012)
[53] Schläffer, M.: Updated differential analysis of Grøstl. In: Grøstl Website (2011)
[54] Shi, D., Sun, S., Derbez, P., Todo, Y., Sun, B., Hu, L.: Programming the Demirci-Selçuk meet-in-the-middle attack with constraints. In: Peyrin, T., Galbraith, S. (eds.) Advances in Cryptology – ASIACRYPT 2018, pp. 3–34. Springer, Cham (2018)
[55] Tolba, M., Abdelkhalek, A., Youssef, A.M.: Impossible differential cryptanalysis of reduced-round SKINNY. In: AFRICACRYPT 2017, Proceedings, vol. 10239, pp. 117–134 (2017)
[56] Wang, L., Sasaki, Y.: Finding preimages of Tiger up to 23 steps. In: Hong, S., Iwata, T. (eds.) Fast Software Encryption, pp. 116–133. Springer, Heidelberg (2010)
[57] Wang, L., Sasaki, Y., Komatsubara, W., Ohta, K., Sakiyama, K.: (Second) preimage attacks on step-reduced RIPEMD/RIPEMD-128 with a new local-collision approach. In: Kiayias, A. (ed.) Topics in Cryptology – CT-RSA 2011, pp. 197–212. Springer, Heidelberg (2011)
[58] Wei, L., Rechberger, C., Guo, J., Wu, H., Wang, H., Ling, S.: Improved meet-in-the-middle cryptanalysis of KTANTAN (poster). In: Parampalli, U., Hawkes, P. (eds.) Information Security and Privacy, pp. 433–438. Springer, Heidelberg (2011)
[59] Wu, S., Feng, D., Wu, W., Guo, J., Dong, L., Zou, J.: (Pseudo) preimage attack on round-reduced Grøstl hash function and others. In: FSE 2012, pp. 127–145 (2012)

Published In

Advances in Cryptology – CRYPTO 2021: 41st Annual International Cryptology Conference, CRYPTO 2021, Virtual Event, August 16–20, 2021, Proceedings, Part III
Aug 2021, 819 pages
ISBN: 978-3-030-84251-2
DOI: 10.1007/978-3-030-84252-9
Editors: Tal Malkin, Chris Peikert

Publisher

Springer-Verlag, Berlin, Heidelberg


Author Tags

  1. Meet-in-the-Middle
  2. Three-subset MITM
  3. Preimage attack
  4. Collision attack
  5. AES-256
  6. MILP


Cited By

  • (2024) Generic MitM Attack Frameworks on Sponge Constructions. Advances in Cryptology – CRYPTO 2024, pp. 3–37. DOI: 10.1007/978-3-031-68385-5_1. Online publication date: 18-Aug-2024
  • (2024) Diving Deep into the Preimage Security of AES-Like Hashing. Advances in Cryptology – EUROCRYPT 2024, pp. 398–426. DOI: 10.1007/978-3-031-58716-0_14. Online publication date: 26-May-2024
  • (2024) Improved Differential Meet-in-the-Middle Cryptanalysis. Advances in Cryptology – EUROCRYPT 2024, pp. 280–309. DOI: 10.1007/978-3-031-58716-0_10. Online publication date: 26-May-2024
  • (2023) Automated Meet-in-the-Middle Attack Goes to Feistel. Advances in Cryptology – ASIACRYPT 2023, pp. 370–404. DOI: 10.1007/978-981-99-8727-6_13. Online publication date: 4-Dec-2023
  • (2023) Automatic Search of Linear Structure: Applications to Keccak and Ascon. Information Security and Cryptology, pp. 172–192. DOI: 10.1007/978-981-97-0945-8_10. Online publication date: 9-Dec-2023
  • (2023) An Improved BKW Algorithm for Solving LWE with Small Secrets. Information Security, pp. 578–595. DOI: 10.1007/978-3-031-49187-0_29. Online publication date: 15-Nov-2023
  • (2023) Comprehensive Preimage Security Evaluations on Rijndael-Based Hashing. Applied Cryptography and Network Security Workshops, pp. 23–42. DOI: 10.1007/978-3-031-41181-6_2. Online publication date: 19-Jun-2023
  • (2023) Differential Meet-In-The-Middle Cryptanalysis. Advances in Cryptology – CRYPTO 2023, pp. 240–272. DOI: 10.1007/978-3-031-38548-3_9. Online publication date: 20-Aug-2023
  • (2023) Meet-in-the-Middle Preimage Attacks on Sponge-Based Hashing. Advances in Cryptology – EUROCRYPT 2023, pp. 158–188. DOI: 10.1007/978-3-031-30634-1_6. Online publication date: 23-Apr-2023
  • (2023) Exploiting Non-full Key Additions: Full-Fledged Automatic Demirci-Selçuk Meet-in-the-Middle Cryptanalysis of SKINNY. Advances in Cryptology – EUROCRYPT 2023, pp. 67–97. DOI: 10.1007/978-3-031-30634-1_3. Online publication date: 23-Apr-2023