Key-Recovery Attacks Against the MAC Algorithm Chaskey

Abstract

Chaskey is a Message Authentication Code (MAC) for 32-bit microcontrollers proposed by Mouha et al. at SAC 2014. Its underlying blockcipher uses an Even-Mansour construction with a permutation based on the ARX methodology. In this paper, we present key-recovery attacks against Chaskey in the single and multi-user setting. These attacks are based on recent work by Fouque, Joux and Mavromati presented at Asiacrypt 2014 on Even-Mansour based constructions. We first show a simple attack on the classical single-user setting which confirms the security properties of Chaskey. Then, we describe an attack in the multi-user setting and we recover all keys of \(2^{43}\) users by doing \(2^{43}\) queries per user. Finally, we show a variant of this attack where we are able to recover keys of two users in a smaller group of \(2^{32}\) users.

1 Introduction

A Message Authentication Code (MAC) algorithm is a basic component in many cryptographic systems and its goal is to provide integrity and data authentication. For this, it takes as input a message M and a n-bit secret key K, and outputs a tag \(\tau \) which is usually appended to M. In general, MAC algorithms are built from universal hash functions, hash functions or block ciphers. The first security property of a MAC is that it should be impossible to recover the key K faster than \(2^{n}\) operations (key recovery attack). It should also be impossible for an attacker to forge a tag for any unseen message without knowing the key (MAC forgery). Here, the attacker selects a message and simply guesses the correct MAC value without any knowledge of the key. The probability that the guess will be correct is \(2^{-t}\) where t is the size of the tag \(\tau \). However, such attacks can be avoided by making the tag sufficiently large. MACs based on universal hash functions compute the universal hash of the message to authenticate and then encrypt this value. MAC algorithms based on block ciphers are usually given as a mode of operation for the block cipher. Typically, CBC-MAC is very similar to the CBC encryption mode of operation and is one of the most commonly used MACs.

The implementation of a MAC algorithm on a typical microcontroller is a challenging issue as many problems may appear. More precisely, the use of a MAC based on a hash function or a block cipher might have a negative impact on the speed of the microcontroller due to the computational cost of the operations required by the underlying functions.

Recently, at SAC 2014, a new MAC algorithm named Chaskey has been introduced by Mouha et al. [8]. It is a permutation-based MAC algorithm and its underlying permutation relies on the ARX design. The designers claim that Chaskey is a lightweight algorithm which overcomes the implementation issues of a MAC on a microcontroller. The construction of Chaskey is based on some simple variants of the CBC-MAC proposed by Black et al. [3]. As CBC-MAC is not secure when used with messages of variable length, these variants were designed to authenticate arbitrary length messages. Alternatively, Chaskey can also be seen as an iterated Even-Mansour construction where the same subkey is xored in the input and output of the last permutation round.

In Asiacrypt 2014, Fouque et al. [6] presented new techniques to attack the Even-Mansour scheme in the multi-user setting. Based on this work, we present here some key-recovery attacks against the MAC algorithm Chaskey in the single and multi-user setting.

The paper is organized as follows: in Sect. 2 we recall the necessary background, present the multi-user setting, the Even-Mansour scheme and the general principle of collision-based attacks using the distinguished points method, in Sect. 3 we present the main specifications of the Chaskey MAC algorithm and finally, in Sect. 4, we describe new attacks against Chaskey.

2 Preliminaries

2.1 The Multi-user Setting

The security of most schemes in cryptography is usually studied when we have a single recipient of encrypted data: the single-user model. However, this setting ignores an important dimension of the real world where there are many users, who are all using the same algorithms, but each one has its own key. In this setting, the attacker tries to recover all or fraction of keys more efficiently than the complexity of the attack in the single-user model times the number of users. This can be done by amortizing the cost of the attack among the users.

In [7], Menezes studies the security of MAC algorithms in the multi-user setting. He shows that the security degrades when we pass from one to many users. The scenario attack against MAC algorithms in the multi-user setting can be seen as follows. Let \(H_{K} : \{0,1\}^{*} \rightarrow \{0,1\}^{t}\) be a family of MACs where \(K \in \{0,1\}^{k}\). In the single-user model, it should be hard for an attacker who has access to an oracle \(H_{K}\) to generate a valid message-tag pair \((m, \tau )\) without knowing the key K. In the multi-user setting, we suppose that we have L users with keys \(K^{(i)} \in \{0,1\}^k\) where \(0 \le i \le (L-1)\). Then for an attacker who has access to oracles for \(H_{K^{(i)}}\), it should be difficult to produce a triplet \((i,m,\tau )\).

2.2 Collision-Based Attacks Using the Distinguished Point Technique Against the Even-Mansour Scheme

The Distinguished Point Technique. The distinguished point technique allows to find collisions in a very efficient way. For this, we first have to define a function f on a set S of size N and then define a distinguished subset \(S_{0}\) of S with \(\mathcal {D}\) distinguished points. The distinguished points should be easy to recognize and generate. For example, we can choose our distinguished points to be n-bits values with d zeros at the end. So, in a set of cardinality \(N=2^n\) our distinguished subset contains \(\mathcal {D}=2^{n-d}\) elements. Starting from a random point \(x_{0} \in S\) we build chains by evaluating the function f:

$$\begin{aligned} x_{i+1} = f(x_{i}). \end{aligned}$$

When a distinguished point is detected, i.e. \(x_{\ell } \in S_{0}\), the construction of the chain stops. To be able to recover the chain we need to store the starting point \(x_{0}\), the distinguished point \(x_{\ell }\) and the length of the chain \(\ell \) which corresponds to the number of iterations of the function f. Two chains that pass through the same point necessarily end at the same distinguished point. To detect a collision we use the inverse result: two chains that end at the same distinguished point necessarily merge at some point unless one chain is a subchain of the other. Once a collision in the distinguished points set is detected, the real collision can easily be recovered. We assume that we have two colliding chains of length \(\ell \) and \(\ell ^{'}\) and that \(\ell \ge \ell ^{'}\). Then, starting from the longer chain, we rebuild the chain by taking exactly \(\ell - \ell ^{'}\) steps. From that point, it now suffices to build both chains in parallel until a collision is reached.

Collision-Based Attacks Against Even-Mansour. The Even-Mansour scheme is a minimalistic very efficient design of a block cipher proposed at Asiacrypt 91 [5]. The main idea is the construction of a keyed permutation family \(\varPi _{K_{1}, K_{2}}\) by a public permutation \(\pi \) that operates on n-bit values (\(N = 2^n\)):

$$\begin{aligned} \varPi _{K_1,K_2} = \pi (m \oplus K_1) \oplus K_2, \end{aligned}$$

where m is the plaintext and \(K_{1}\) and \(K_{2}\) are the two whitening keys. There is also a simpler version presented by Dunkelman et al. [4], the Single-key Even-Mansour, where \(K_1 = K_2\). Even and Mansour showed that this simple block-cipher is secure up to \(\mathcal {O}(2^{n/2})\) queries of the adversary to the keyed permutation \(\varPi \) and to the public permutation \(\pi \). It has also been proved [4] that the Single-key Even-Mansour has the same security bound as the original version.

In [6], Fouque et al. describe a new technique for collision-based attacks using the distinguished point technique. They use this method to form attacks against the Even-Mansour scheme in the multi-user setting. The main idea is to find a collision between two chains, one constructed from the public permutation \(\pi \) and one from the keyed permutation \(\varPi \). For this, as we cannot use permutations to detect collisions, we have to construct two functions F and f, one based on \(\varPi \) and one based on \(\pi \). In previous attacks on Even-Mansour [2, 4], these functions have been constructed by using the Davies-Meyer construction: \(F(m) = \varPi (m) \oplus \varPi (m \oplus \delta ) \ \ \text {and} \ \ f(m) = \pi (m) \oplus \pi (m \oplus \delta ).\) However, these functions cannot be used with the distinguished point technique as chains built by F and f defined as previously can eventually cross but they cannot merge as they consist of evaluations of two different functions. As a consequence, they use a different definition of F and f to solve this problem:

$$\begin{aligned} F(m) = m \oplus \varPi (m) \oplus \varPi (m \oplus \delta ) \ \ \text {and} \ \ f(m) = m \oplus \pi (m) \oplus \pi (m \oplus \delta ). \end{aligned}$$

For two messages m and \(m^{'}\) such as \(m^{'} = m \oplus K_1\), they remark that \(F(m^{'}) = f(m) \oplus K_{1}\) and so they get two parallel chains, i.e. two chains that have a constant difference between them.

They also remark that, for two different users i and j, two chains constructed by using \(F_\varPi ^{(i)}\) and \(F_{\varPi }^{(j)}\), where \(F_\varPi ^{(i)}(m) = m \oplus \varPi ^{(i)}(m) \oplus \varPi ^{(i)}(m \oplus \delta )\) and \(F_\varPi ^{(j)}(m) = m \oplus \varPi ^{(j)}(m) \oplus \varPi ^{(j)}(m \oplus \delta )\), can also become parallel and their constant difference would be equal to the XOR of the users keys, i.e. \(K_{1}^{(i)} \oplus K_{1}^{(j)}\).

To attack Even-Mansour using the distinguished point technique in the multi-user setting, they build a set of chains for the public user using the function f and a small number of chains for every user by using the keyed permutation F. Whenever a collision \(F^{(i)}(x) = F^{(j)}(y)\) for two points x and y, where \(x = y \oplus K_1\), is detected between two users \(U_{i}\) and \(U_{j}\), it yields \(K_{1}^{(i)} \oplus K_{1}^{(j)}\). From these collisions it is possible to construct a graph whose vertices are the users and the edges represent the xor of the first keys of the users with two colliding chains, i.e. \(K_{1}^{(i)} \oplus K_{1}^{(j)}\). When enough edges are present a giant component appears in the graph. Then, it suffices to find a single collision \(F^{(i)}(x) = f(y)\) between a user and the public user to reveal all keys of the users in the giant component.

One of the main ideas of their technique is to detect parallel chains by simply testing if \(\pi (y) \oplus \pi (y \oplus \delta ) = \varPi (x) \oplus \varPi (x \oplus \delta )\) for two distinguished point x and y where \(x = y \oplus K_1\). This does not add any extra cost, as values of \(\pi (y) \oplus \pi (y \oplus \delta )\) and \(\varPi (x) \oplus \varPi (x \oplus \delta )\) are needed to calculate the next element of the chain. Also, it does not require to go back and recompute the chains to detect the merging points.

3 The MAC Algorithm Chaskey

Chaskey was proposed at SAC 2014 by Mouha et al. It is a permutation-based MAC algorithm and its underlying permutation is based on the ARX design. Its design is similar to the permutation of the MAC algorithm SipHash [1]. However, in Chaskey, a state of 128-bits (instead of 256-bits in SipHash) is used which is decomposed in 4 words of 32-bits (instead of 64-bits in SipHash). Also, different rotation constants are used.

Chaskey takes as input a message M of arbitrary size and a 128-bit key K. The message M is split into \(\ell \) blocks \(m_{1}, m_{2}, \ldots , m_{\ell }\) of 128 bits each. If the last block is incomplete, a padding is applied. It outputs the t-bit tag \(\tau \) (where \(t \le n\)) that authenticates the message M. The underlying function is a permutation constructed using the ARX design.

Two subkeys \(K_1\) and \(K_2\) are generated from K as follows: \(K_1\) is equal to the result of the multiplication by 2 (binary notation) of K and \(K_2\) is equal to the multiplication by 2 of \(K_1\). In general, we define \(K_1 = \alpha K\) and \(K_2 = \alpha ^{2} K\). To define multiplication in \(GF(2^n)\), we need to specify the irreducible polynomial f(x) of degree n that defines the representation of the field. The designers of Chaskey choose their irreductible polynomial to be \(f(x) = x^{128} + x^{7} + x^{2} + x + 1\).

Chaskey operates in \(\ell +3\) steps. On the first step, we xor the first block \(m_{1}\) with the key K. On the next step, we process the previous result through the permutation \(\pi \) and we xor the output with the next block. This procedure is repeated \(\ell - 1\) times until all blocks are being processed. If the last block \(m_{\ell }\), which has been xored at the end of the \(\ell -1\) step, is a complete block, then, on the \(\ell \)-th step, we simply xor the key \(K_1\). If it is an incomplete block, it should be padded with \(10^{n - |m_{\ell }| -1}\) before being used. Then, on the \(\ell \)-th step, the key \(K_2\) will be used instead of \(K_1\). Then, the state will pass through the permutation \(\pi \) and will be xored with \(K_1\) if \(m_{\ell }\) is complete or with \(K_2\) if incomplete. Finally, the t least significant bits are selected to be used as the tag \(\tau \). The whole procedure can be seen on Fig. 1.

Fig. 1.

The Chaskey MAC algorithm. First line when \(|m_{\ell }| = n\) and second line when \(0 \le |m_{\ell }| \le n\) where \(pad = 10^{n-|m_{\ell }|-1}\).

There is also a variant of Chaskey, called Chaskey-B, where Chaskey can be seen as a MAC algorithm based on the Even-Mansour [5] block cipher. The authors define the block cipher E as \(E_{X||Y}(m) = \pi (m \oplus X) \oplus Y\) and so it suffices to evaluate recursively the function \(h_{i+1} = E_{K||K}(h_{i} \oplus m_{i})\) for \(i=1,...,l-1\) and \(h_{1} = 0^{n}\). If the last block is complete, we calculate \(h_{\ell } = E_{K \oplus K_1||K_1}(h_{\ell } \oplus m_{\ell })\). If not, we calculate \(h_{\ell } = E_{K \oplus K_2||K_2}(h_{\ell } \oplus m_{\ell }||10^{n-|m_{\ell }|-1})\). Finally, the tag \(\tau \) is equal to the t least significant bits. However, in this case, we can easily see that the key K, which is XORed after the application of the permutation \(\pi \), vanishes at each iteration of the block cipher E. As a result, the key K intervenes only on the first block and the keys \(K_1\) or \(K_2\) on the last block:

$$\begin{aligned} \tau = \pi (\pi (\pi (\pi (m_1 \oplus K) \oplus m_2) \oplus \ldots ) \oplus m_{l} \oplus K_{1}) \oplus K_{1}.\end{aligned}$$

The permutation \(\pi \) consists of 8 rounds of a function that follows the ARX design: addition modulo \(2^{32}\), bit rotations and XOR. For constructing this round function, the authors use the same structure as SipHash [1] but instead of 64-bit words they are using words of 32 bits and different rotation constants. They consider that 8 applications of the round function is secure but they suggest that the 16 rounds version (Chaskey-LTS: long term security) should also be implemented in case of security issues.

The authors prove that Chaskey is secure up to \(D = 2^{n/2}\) chosen plaintexts and \(T = 2^{n}/D\) queries to \(\pi \) or \(\pi ^{-1}\).

4 Collision-Based Attacks Against Chaskey

In this section, we show that the collision-based attack described in [6] can be applied on Chaskey. Furthermore, we show that variants of this attack can be applied in the case of Chaskey. All attacks can be performed when we use single-block messages. Chaskey then becomes an Even-Mansour cipher:

Fig. 2.

Single-block messages in Chaskey

The main idea of all attacks is to build chains by using a function based on Chaskey and then search for collisions between them. For this, a function that can be used to build chains should be defined. However, in the case of Chaskey, for every user we can build two different chains depending on the subkey that we are using (Fig. 2).

To build the chains needed, we define the functions:

$$\begin{aligned} f_{s}(M) = K_{s} \oplus \pi (M \oplus (K_{s} \oplus K)) \end{aligned}$$

$$\begin{aligned} F_{f_{s}}(M) = f_{s}(M) \oplus f_{s}(M \oplus \delta ) \oplus M \end{aligned}$$

where K is the users key, \(K_s\) with \(s \in \{1,2\}\) represents the two subkeys generated as mentioned in Sect. 3 and \(\delta \) is an arbitrary but fixed non zero constant.

In the multi-user setting we assume that L different users are all using the Chaskey MAC algorithm based on the same public permutation \(\pi \). Each user \(U_{i}\), with \(0 \le i \le L\), chooses its own key \(K^{(i)}\) at random and independently from all the other users and generates \(K_s\) with \(s \in \{1,2\}\). We define the functions \(f_{s}(M)\) and \(F_{f_{s}}(M)\) as above and we also define the function \(F_{\pi }(M)\) for the public user as follows:

$$\begin{aligned} F_{\pi }(M) = M \oplus \pi (M) \oplus \pi (M \oplus \delta ). \end{aligned}$$

We remark that for two plaintexts M and \(M^{'}\) where \(M^{'} = M \oplus K_{s} \oplus K\), we have \(F_{f_{s}}(M \oplus K_{s} \oplus K) = F_{\pi }(M) \oplus (K_{s} \oplus K)\). So, two chains based on functions \(F_{f_{s}}\) and \(F_{\pi }\) may become parallel.

4.1 Key-Recovery Attack in the Single-User Setting

In this section, we show that an attack with complexity \(2^{64}\) can be applied in the classical single-user scenario. This attack does not contradict the security bound showed in the original paper of Chaskey and has similar complexity with possible slide attacks based on [2]. However, with this attack we show a simple application on Chaskey of the parallel chains detection technique.

The attack is described below:

1. 1.

   Create two chains constructed by using both:

   $$\begin{aligned} F_{f_{1}}(M) = f_{1}(M) \oplus f_{1}(M \oplus \delta ) \oplus M \ \ \text {and} \ \ F_{f_{2}}(M^{'}) = f_{2}(M^{'}) \oplus f_{2}(M^{'} \oplus \delta ) \oplus M^{'} \end{aligned}$$

   until \(f_{1}(M) \oplus f_{1}(M \oplus \delta )\) and \(f_{2}(M^{'}) \oplus f_{2}(M^{'} \oplus \delta )\) reach a distinguished point.

2. 2.

   Store all endpoints of the constructed chains and search for collisions between the two different types of chains, i.e. for two plaintexts M and \(M^{'}\) search for \((F_{f_{1}}(M))^{a} = (F_{f_{2}}(M^{'}))^{b}\) where \(a,b \ge 1\) is the number of iterations of the respective functions. (For the rest of this paper, to facilitate the reading, the use of a and b will be omitted from equations that represent collisions between chains.)

3. 3.

   If a collision is found, recover the XOR of the two inputs \(M \oplus M^{'}\) which is expected to be equal to:

   $$\begin{aligned} K_{1} \oplus K \oplus K_{2} \oplus K = (\alpha + \alpha ^{2})K \end{aligned}$$

   and thus recover the key K.

Analysis of the Attack. To find a collision between the two sets of endpoints, one constructed by using the function \(F_{f_{1}}\) and one constructed by using \(F_{f_{2}}\), we need to construct two chains each of length \(2^{64}\). So, the total cost of the attack is \(2^{64}\). As said previously, this attack does not contradict the security claim of Chaskey. It is just an example which shows how to use the distinguished point technique to attack Chaskey in the single-user setting.

4.2 Key-Recovery Attack in the Multi-user Setting

To apply the attack of Fouque et al. we use the iteration functions \(f_{s}, F_{f_{s}}\) and \(F_{\pi }\) defined previously. The attack is described below:

1. 1.

   In a set of L users, for every user \(U_{i}\) where \(0 \le i \le (L-1)\), build a constant number of chains, starting from an arbitrary plaintext, using the function \(F_{f_{s}}\). For every user, create some chains using the function \(F_{f_{1}}(M) = f_{1}(M) \oplus f_{1}(M \oplus \delta ) \oplus M\) until \(f_{1}(M) \oplus f_{1}(M \oplus \delta )\) reaches a distinguished point and some chains using the function \(F_{f_{2}}(M) = f_{2}(M) \oplus f_{2}(M \oplus \delta ) \oplus M\) until \(f_{2}(M) \oplus f_{2}(M \oplus \delta )\) reaches a distinguished poit.

2. 2.

   Construct some chains for the unkeyed user starting from an arbitrary plaintext, by iterating the function \(F_{\pi }\).

3. 3.

   Store the endpoints and search for collisions between the users. In the case of Chaskey, we can have three types of collisions between the keyed users:

   • A collision between the two chains \(F_{f_{1}}(M)\) and \(F_{f_{2}}(M^{'})\) of the same user i and, in this case, we recover \(K_{1}^{(i)} \oplus K^{(i)} \oplus K_{2}^{(i)} \oplus K^{(i)}\). As \(K_{1}^{(i)} = \alpha K^{(i)}\) and \(K_{2}^{(i)} = \alpha ^{2} K^{(i)}\), we have that \(M \oplus M^{'} = (\alpha + \alpha ^{2})K^{(i)}\).

   • A collision between two similar chains of two different users i and j: \(F_{f_{1}}^{(i)}(M) = F_{f_{1}}^{(j)}(M^{'})\) or \(F_{f_{2}}^{(i)}(M) = F_{f_{2}}^{(j)}(M^{'})\). Then, we recover \(K_{1}^{(i)} \oplus K^{(i)} \oplus K_{1}^{(j)} \oplus K^{(j)} = (1 + \alpha ) (K^{(i)} \oplus K^{(j)})\) or \(K_{2}^{(i)} \oplus K^{(i)} \oplus K_{2}^{(j)} \oplus K^{(j)} = (1 + \alpha ^{2}) (K^{(i)} \oplus K^{(j)})\).

   • A collision between two different type of chains between two different users i and j (cross collision): \(F_{f_{1}}^{(i)}(M) = F_{f_{2}}^{(j)}(M^{'})\). Then, we learn \(K_{1}^{(i)} \oplus K^{(i)} \oplus K_{2}^{(j)} \oplus K^{(j)} = (1 + \alpha )K^{(i)} \oplus (1 + \alpha ^{2})K^{(j)}\).

   Also search for collisions between a chain of a keyed user i and the unkeyed user for whom we build chains by using the function \(F_{\pi }\). A collision of this type may occur by using both \(F_{f_{1}}\) or \(F_{f_{2}}\). From the first function, we learn \(K_{1}^{(i)} \oplus K^{(i)}\) and from the second function \(K_{2}^{(i)} \oplus K^{(i)}\). As a consequence, in both cases, we are able to recover \(K^{(i)}\).

4. 4.

   Build a graph where vertices represent the keyed and unkeyed users. More precisely, each user is represented by two vertices as for each user we use two different functions to build chains. Whenever a collision is obtained between two chains, add an edge between the corresponding vertices. This edge is labelled by the relation between the keys as explained in the previous step. An example of the graph can be seen in Fig. 3.

5. 5.

   From the key relations found before, resolve the system and recover the users keys. With only a single collision for the unkeyed user, we learn almost all keys of the giant component. If we also find a collision for the unkeyed user, then we are able to learn all keys of our giant component.

Fig. 3.

Example of a giant component

Analysis of the Attack. From [6] we know that in a group of \(N^{1/3}\) users we expect to recover almost all keys by doing \(c \cdot N^{1/3}\) queries per user (where c is a small arbitrary constant) and \(N^{1/3}\) unkeyed queries. So, for Chaskey, we are able to recover almost all keys of a group of \(2^{43}\) users by doing \(2^{43}\) queries to the unkeyed user and \(2^{43}\) queries per user.

Improvement. We show here that in the case of Chaskey, the use of \(\delta \) can be eliminated. This technique can be used when we search for a collision between two similar chains of two different users.

If we use a full-block message x and its corresponding ciphertext y we observe that:

where \(x, x^{'}, y \ \ \text {and} \ \ y^{'}\) are represented in Fig. 4.

Fig. 4.

The MAC algorithm Chaskey when single-block full messages are used (the subkey \(K_{1} = \alpha K\) is used).

As previously, our goal is to define a function and build chains by using this function. Here, we define the function \(F_{f_1}(x)\) as follows:

$$\begin{aligned} F_{f_1}(x) = x \oplus \alpha x \oplus (1+\alpha )f_1(x) = (1+\alpha )(x \oplus f_1(x)) \end{aligned}$$

where \(f_1(x) = K_1 \oplus \pi (x \oplus (K_1 \oplus K))\). We also assume that two plaintexts \(x_{1}\) and \(x_{2}\) satisfy \(x_{1} \oplus x_{2} = (1+\alpha )(K^{(i)} \oplus K^{(j)})\).

Thus, for two users i and j for whom we detect a collision, we have that:

$$\begin{aligned} f_{1}^{(i)}(x_{1}) \oplus f_{1}^{(j)}(x_2)&= \alpha (K^{(i)} \oplus K^{(j)})\\ x_{1} \oplus x_{2} \oplus f_{1}^{(i)}(x_{1}) \oplus f_{1}^{(j)}(x_2)&= x_1 \oplus x_2 \oplus \alpha (K^{(i)} \oplus K^{(j)})\\ (x_{1} \oplus f_{1}^{(i)}(x_{1})) \oplus (x_{2} \oplus f_{1}^{(j)}(x_2))&= K^{(i)} \oplus K^{(j)}\\ (1+\alpha )(x_{1} \oplus f_{1}^{(i)}(x_{1})) \oplus (1+\alpha )(x_{2} \oplus f_{1}^{(j)}(x_2))&= (1+\alpha )(K^{(i)} \oplus K^{(j)})\\ F_{f_{1}}^{(i)} \oplus F_{f_{1}}^{(j)}&= (1 + \alpha )(K^{(i)} \oplus K^{(j)}) \end{aligned}$$

and so we observe that chains constructed by \(F_{f_{1}}\) can become parallel and their constant difference would be equal to \((1 + \alpha )(K^{(i)} \oplus K^{(j)})\).

A similar technique can be used when the last block is incomplete and so the key \(K_2\) is used. Here, we observe that:

Thus, in this case, we define the function \(F_{f_{2}}\) as follows:

$$\begin{aligned} F_{f_2}(x) = x \oplus \alpha ^{2} x \oplus (1+\alpha ^{2})f_2(x) = (1+\alpha ^{2})(x \oplus f_2(x)) \end{aligned}$$

where \(f_2(x) = K_2 \oplus \pi (x \oplus (K_2 \oplus K))\). We also assume that two plaintexts \(x_{1}\) and \(x_{2}\) satisfy \(x_{1} \oplus x_{2} = (1+\alpha ^{2})(K^{(i)} \oplus K^{(j)})\).

Equivalently, for two users i and j, we observe that:

$$\begin{aligned} F_{f_2}^{(i)} \oplus F_{f_2}^{(i)} = (1 + \alpha ^{2})(K^{(i)} \oplus K^{(j)}). \end{aligned}$$

So, chains constructed by \(F_{f_{2}}\) can also become parallel and their constant difference would be equal to \((1 + \alpha ^{2})(K^{(i)} \oplus K^{(j)})\).

Thus, if we build our chains in the way presented here, we are able to have a small improvement and gain a factor of \(\sqrt{2}\) on the calculation of our chains.

4.3 Variant of the Previous Attack with Cross Collisions

We show in this section that a variant of the previous attack is also possible. Indeed, we are able to apply a similar technique and we show that we can learn keys of two users when we detect one cross collision between them.

The attack works as follows:

1. 1.

   For two users \(U_{i}\) and \(U_{j}\) in a set of L users, build a constant number of chains, starting from an arbitrary plaintext, using the function \(F_{f_{s}}\), for \(s \in \{1,2\}\). For each user, create some chains using the function \(F_{f_{1}}(M) = f_{1}(M) \oplus f_{1}(M \oplus \delta ) \oplus M\) and some chains using the function \(F_{f_{2}}(M) = f_{2}(M) \oplus f_{2}(M \oplus \delta ) \oplus M\). The construction of the chains stops when \(f_{1}(M) \oplus f_{1}(M \oplus \delta )\) and \(f_{2}(M) \oplus f_{2}(M \oplus \delta )\) reach a distinguished point.

2. 2.

   For each chain, store the endpoints and search for a cross collision. A cross collision for users \(U_i\) and \(U_j\) and for two plaintexts M and \(M^{'}\) is detected when \(F_{f_{1}}^{(i)}(M) = F_{f_{2}}^{(j)}(M^{'})\). This indicates that the XOR of the two inputs \(M \oplus M^{'}\) is expected to be equal to:

   $$\begin{aligned} K_{1}^{(i)} \oplus K^{(i)} \oplus K_{2}^{(j)} \oplus K^{(j)} = (1 + \alpha )K^{(i)} \oplus (1 + \alpha ^{2})K^{(j)}. \end{aligned}$$
3. 3.

   If a cross collision is detected, recover also the XOR of the corresponding outputs, which is equal to:

   $$\begin{aligned} K_{1}^{(i)} \oplus K_{2}^{(j)} = \alpha K^{(i)} \oplus \alpha ^{2}K^{(j)}. \end{aligned}$$
4. 4.

   Solve the system:

   $$\begin{aligned} (1 + \alpha ) K^{(i)} \oplus (1 + \alpha ^{2}) K^{(j)}&= \varDelta _{1}\\ \alpha K^{(i)} \oplus \alpha ^{2} K^{(j)}&= \varDelta _{2} \end{aligned}$$

   and thus recover \(K^{(i)}\) and \(K^{(j)}\).

Analysis of the Attack. This attack uses similar techniques to the attack described before. However, the innovation here consists of the fact that we are able to recover keys of two users, in a smaller group than before, by finding only a cross collision between them. More specifically, to find a cross collision between two users, it suffices to have a group of \(\root 4 \of {N}\) users and perform \(\root 4 \of {N}\) queries per user. So, in the case of Chaskey, we are able to recover two keys in a group of \(2^{32}\) by doing \(2^{32}\) queries per user. However, if we want to recover the keys of all users, then we need a group of \(2^{43}\) users as previously.

5 Conclusion

In this paper, we presented key-recovery attacks against the MAC algorithm Chaskey. All attacks are using algorithmic ideas for collision based attacks of Fouque et al. presented in [6]. They all work when using single-block messages in the single or multi-user setting.

First, we show how to use these techniques to form an attack in the classical single-user setting. By applying this attack, we are able to recover the key of the user by doing \(2^{64}\) operations. However, this attack does not contradict the security claim of Chaskey. Next, we presented two attacks in the multi-user setting. The first one is able to recover almost all keys of a group of \(2^{43}\) users by doing \(2^{43}\) queries per user. We also show that we can improve this attack and gain a factor of \(\sqrt{2}\). Finally, the second attack in the multi-user setting, is able to recover the keys of 2 users in a smaller group of \(2^{32}\) by doing \(2^{32}\) queries per user. We are able to achieve this new result by exploiting the use of two different keys for the last block of Chaskey.