DOI: 10.1007/978-3-319-38898-4_1
Biclique Cryptanalysis of Full Round AES-128 Based Hashing Modes

Published: 01 November 2015

Abstract

In this work, we revisit the security analysis of hashing modes instantiated with AES-128, using biclique cryptanalysis as the basis for our evaluation. At Asiacrypt'11, Bogdanov et al. proposed the biclique technique for key-recovery attacks on full AES-128, and further showed how to apply it to find a preimage for the compression function instantiated with AES-128 with a complexity of $2^{125.56}$. However, this preimage attack on the compression function cannot be converted directly into a preimage attack on the hash function: in the hash-function setting the initialization vector IV is a publicly known constant that the attacker is not allowed to change, whereas the compression-function attack using bicliques introduces differences in the chaining variable. We extend the biclique technique to the domain of hash functions and demonstrate second preimage attacks on all 12 PGV modes.
The complexities of finding second preimages in our analysis differ by the PGV construction chosen, the lowest being $2^{126.3}$ and the highest $2^{126.6}$ compression function calls. We implement C programs to find the best biclique trails, which guarantee the lowest time complexity possible, and calculate the values above accordingly. Our security analysis requires only 2 message blocks and works on the full 10 rounds of AES-128 for all 12 PGV modes. This improves on the previous best result on AES-128 based hash functions, by Sasaki at FSE'11, where the maximum number of rounds attacked is 7. Although our results do not significantly reduce the attack complexity compared to brute force, they highlight the actual security margin these constructions provide against second preimage attacks.
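The objects the abstract deals with, as an added example in Go that is not code from the paper: the twelve PGV compression functions built on AES-128 (Go's standard crypto/aes), the fixed-IV iteration over a two-block message, and the checks that distinguish a second preimage of the hash from a preimage of the compression function. The IV bytes, the message blocks and the mode numbering are this example's assumptions.

```go
package main

import (
	"crypto/aes"
	"fmt"
)

// Block is one 16-byte AES-128 value: chaining variable, message block or key.
type Block = [16]byte

// IV is the public, fixed initial chaining value of the hash function. The
// attacker may not change it; that is what separates an attack on the hash
// from one on the compression function. The bytes are an arbitrary choice.
var IV = Block{0x52, 0x09, 0x6a, 0xd5, 0x30, 0x36, 0xa5, 0x38,
	0xbf, 0x40, 0xa3, 0x9e, 0x81, 0xf3, 0xd7, 0xfb}

// pgvSpec lists the twelve PGV modes that are secure in the ideal-cipher
// model as (key, plaintext, feed-forward) choices among h (0), m (1) and
// w = h^m (2). The numbering is this example's own enumeration.
var pgvSpec = [12][3]int{
	{0, 1, 1}, {0, 2, 2}, {0, 1, 2}, {0, 2, 1}, // key h: 1 = Matyas-Meyer-Oseas, 3 = Miyaguchi-Preneel
	{1, 0, 0}, {1, 2, 2}, {1, 0, 2}, {1, 2, 0}, // key m: 5 = Davies-Meyer
	{2, 1, 1}, {2, 0, 0}, {2, 1, 0}, {2, 0, 1}, // key w = h^m
}

func xor(a, b Block) Block {
	var out Block
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// encrypt computes E_key(pt) with AES-128 from Go's standard library.
func encrypt(key, pt Block) Block {
	c, err := aes.NewCipher(key[:])
	if err != nil {
		panic(err) // not reachable with a 16-byte key
	}
	var ct Block
	c.Encrypt(ct[:], pt[:])
	return ct
}

// PGV evaluates compression function number mode (1..12) on chaining value h
// and message block m: E_key(plaintext) ^ feedforward.
func PGV(mode int, h, m Block) Block {
	if mode < 1 || mode > 12 {
		panic("PGV mode must be in 1..12")
	}
	v := [3]Block{h, m, xor(h, m)}
	s := pgvSpec[mode-1]
	return xor(encrypt(v[s[0]], v[s[1]]), v[s[2]])
}

// Hash iterates the chosen mode over msg from the fixed IV. No padding or
// length block is appended: this is the bare two-block setting of the
// abstract, in which the attacker controls the message blocks only.
func Hash(mode int, msg []Block) Block {
	h := IV
	for _, m := range msg {
		h = PGV(mode, h, m)
	}
	return h
}

// IsSecondPreimage reports whether candidate is a second preimage of msg: a
// different message that hashes to the same value from the same public IV.
func IsSecondPreimage(mode int, msg, candidate []Block) bool {
	same := len(msg) == len(candidate)
	for i := 0; same && i < len(msg); i++ {
		same = msg[i] == candidate[i]
	}
	return !same && Hash(mode, msg) == Hash(mode, candidate)
}

// LiftsToHashPreimage reports whether a compression-function preimage (h, m)
// of target is also a one-block hash preimage. A biclique attack on the
// compression function may return any chaining value h, but only h == IV is
// usable against the hash, which is the gap the abstract describes.
func LiftsToHashPreimage(mode int, h, m, target Block) bool {
	return PGV(mode, h, m) == target && h == IV
}

func main() {
	// Constructed two-block message for the demonstration; not from the paper.
	msg := []Block{
		{'t', 'w', 'o', '-', 'b', 'l', 'o', 'c', 'k', ' ', 'm', 's', 'g', ' ', '#', '1'},
		{'t', 'w', 'o', '-', 'b', 'l', 'o', 'c', 'k', ' ', 'm', 's', 'g', ' ', '#', '2'},
	}
	for mode := 1; mode <= 12; mode++ {
		fmt.Printf("PGV mode %2d: H = %x\n", mode, Hash(mode, msg))
	}
	h := IV
	h[0] ^= 0x80 // a chaining value a compression-function attack might return
	fmt.Println("h != IV lifts to hash preimage:", LiftsToHashPreimage(5, h, msg[0], PGV(5, h, msg[0])))
	fmt.Println("h == IV lifts to hash preimage:", LiftsToHashPreimage(5, IV, msg[0], PGV(5, IV, msg[0])))
}
```

Run with `go run`: it prints the two-block hash under each of the twelve modes and then shows that a compression-function preimage whose chaining value differs from IV is not a hash preimage, which is exactly why the $2^{125.56}$ compression-function result of Bogdanov et al. does not carry over to the hash function without the extension the abstract describes.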

References

[1] Abed, F., Forler, C., List, E., Lucks, S., Wenzel, J.: Biclique cryptanalysis of the PRESENT and LED lightweight ciphers. IACR Cryptology ePrint Archive, Report 2012/591 (2012)
[2] Abed, F., Forler, C., List, E., Lucks, S., Wenzel, J.: A framework for automated independent-biclique cryptanalysis. In: Moriai, S. (ed.) FSE 2013. LNCS, vol. 8424, pp. 561–582. Springer, Heidelberg (2014)
[3] Barreto, P.S.L.M., Rijmen, V.: Whirlpool. In: van Tilborg, H.C.A., Jajodia, S. (eds.) Encyclopedia of Cryptography and Security, 2nd edn., pp. 1384–1385. Springer US, New York (2011)
[4] Benadjila, R., Billet, O., Gilbert, H., Macario-Rat, G., Peyrin, T., Robshaw, M., Seurin, Y.: SHA-3 proposal: ECHO. Submission to NIST (2008)
[5] Black, J., Rogaway, P., Shrimpton, T., Stam, M.: An analysis of the blockcipher-based hash functions from PGV. J. Cryptology 23(4), 519–545 (2010)
[6] Bogdanov, A., Chang, D., Ghosh, M., Sanadhya, S.K.: Bicliques with minimal data and time complexity for AES. In: Lee, J., Kim, J. (eds.) ICISC 2014. LNCS, vol. 8949, pp. 160–174. Springer, Heidelberg (2015)
[7] Bogdanov, A., Khovratovich, D., Rechberger, C.: Biclique cryptanalysis of the full AES. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 344–371. Springer, Heidelberg (2011)
[8] Daemen, J., Rijmen, V.: The Design of Rijndael: AES - The Advanced Encryption Standard. Information Security and Cryptography. Springer, Heidelberg (2002)
[9] Gauravaram, P., Knudsen, L.R., Matusiewicz, K., Mendel, F., Rechberger, C., Schläffer, M., Thomsen, S.S.: Grøstl - a SHA-3 candidate. In: Symmetric Cryptography, Dagstuhl Seminar Proceedings, Dagstuhl, Germany (2009)
[10] Hong, D., Koo, B., Kwon, D.: Biclique attack on the full HIGHT. In: Kim, H. (ed.) ICISC 2011. LNCS, vol. 7259, pp. 365–374. Springer, Heidelberg (2012)
[11] Indesteege, S.: The LANE hash function. Submission to NIST (2008)
[12] Jean, J., Naya-Plasencia, M., Schläffer, M.: Improved analysis of ECHO-256. In: Miri, A., Vaudenay, S. (eds.) SAC 2011. LNCS, vol. 7118, pp. 19–36. Springer, Heidelberg (2011)
[13] Khovratovich, D., Rechberger, C., Savelieva, A.: Bicliques for preimages: attacks on Skein-512 and the SHA-2 family. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 244–263. Springer, Heidelberg (2012)
[14] Lamberger, M., Mendel, F., Rechberger, C., Rijmen, V., Schläffer, M.: The rebound attack and subspace distinguishers: application to Whirlpool. IACR Cryptology ePrint Archive, Report 2010/198 (2010)
[15] Matusiewicz, K., Naya-Plasencia, M., Nikolić, I., Sasaki, Y., Schläffer, M.: Rebound attack on the full LANE compression function. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 106–125. Springer, Heidelberg (2009)
[16] Mendel, F., Rechberger, C., Schläffer, M., Thomsen, S.S.: Rebound attacks on the reduced Grøstl hash function. In: Pieprzyk, J. (ed.) CT-RSA 2010. LNCS, vol. 5985, pp. 350–365. Springer, Heidelberg (2010)
[17] Preneel, B., Govaerts, R., Vandewalle, J.: Hash functions based on block ciphers: a synthetic approach. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 368–378. Springer, Heidelberg (1994)
[18] Sasaki, Y., Yasuda, K.: Known-key distinguishers on 11-round Feistel and collision attacks on its hashing modes. In: Joux, A. (ed.) FSE 2011. LNCS, vol. 6733, pp. 397–415. Springer, Heidelberg (2011)
[19] Schläffer, M.: Subspace distinguisher for 5/8 rounds of the ECHO-256 hash function. In: Biryukov, A., Gong, G., Stinson, D.R. (eds.) SAC 2010. LNCS, vol. 6544, pp. 369–387. Springer, Heidelberg (2011)
[20] Tao, B., Wu, H.: Improving the biclique cryptanalysis of AES. In: Foo, E., Stebila, D. (eds.) ACISP 2015. LNCS, vol. 9144, pp. 39–56. Springer, Heidelberg (2015)
[21] Wu, S., Feng, D., Wu, W.: Cryptanalysis of the LANE hash function. In: Jacobson Jr., M.J., Rijmen, V., Safavi-Naini, R. (eds.) SAC 2009. LNCS, vol. 5867, pp. 126–140. Springer, Heidelberg (2009)
[22] Chen, S.Z., Xu, T.M.: Biclique attack of the full ARIA-256. IACR Cryptology ePrint Archive, Report 2012/011 (2012)


Published In

Inscrypt 2015: Revised Selected Papers of the 11th International Conference on Information Security and Cryptology - Volume 9589
November 2015
464 pages
ISBN:9783319388977
Editors: Dongdai Lin, Xiaofeng Wang, Moti Yung

Publisher

Springer-Verlag

Berlin, Heidelberg

Author Tags

  1. AES
  2. Biclique
  3. Block ciphers
  4. Cryptanalysis
  5. Hash functions
  6. Second preimage attack
