Cryptanalysis of hash functions based on blockciphers suitable for IoT service platform security

It is well known that blockcipher-based hash functions may be attacked when they adopt blockciphers with related-key differential properties. However, not all forms of related-key differentials are effective for attacking them. In this paper we provide general frameworks for collision and second-preimage attacks on hash functions that use the related-key differential properties of the instantiated blockciphers, and show their various applications. In the literature there are several provably secure blockcipher-based hash functions, such as the 12 PGV schemes, MDC-2, MJH, Abreast-DM, Tandem-DM, and HIROSE. However, their security cannot be guaranteed when they are instantiated with specific blockciphers. In this paper, we first observe related-key differential properties of some blockciphers that are suitable for IoT service platform security, namely Even-Mansour (EM), Single-key Even-Mansour (SEM), XPX with a fixed tweak (XPX1111), the Chaskey cipher, and LOKI. We then present how these properties undermine the security of the aforementioned blockcipher-based hash functions. In our analysis, the collision and second-preimage attacks apply to several PGV schemes, MDC-2, and MJH instantiated with SEM, XPX1111, or the Chaskey cipher, and to PGV no.5, MJH, HIROSE, Abreast-DM, and Tandem-DM instantiated with EM. Furthermore, LOKI-based MDC-2 is vulnerable to the collision attack. We also provide the necessary conditions on the related-key differentials of blockciphers for attacking each of the hash functions. To the best of our knowledge, this study is the first comprehensive analysis of hash functions based on blockciphers having related-key differential properties. Our cryptanalytic results support the well-known claim that blockcipher-based hash functions should avoid adopting blockciphers with related-key differential properties, such as the fixed-point property in compression functions. We believe that this study provides a better understanding of the security of blockcipher-based hash functions.
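As an added illustration (not code from the paper), the Python below shows the related-key differential of Single-key Even-Mansour, E_{k xor d}(x xor d) = E_k(x) xor d, over a toy 16-bit permutation, and how it yields free-start collisions on the PGV Davies-Meyer and Matyas-Meyer-Oseas compression functions with probability 1. The permutation P, the bit width, and all sample values are constructed for this example; the paper's full hash-function attacks and the other ciphers it analyses are not reproduced here.

```python
import random

# Toy 16-bit public permutation P, constructed from a fixed seed for this example.
# It stands in for the public permutation of Even-Mansour; any bijection works.
WIDTH = 16
MASK = (1 << WIDTH) - 1
_table = list(range(1 << WIDTH))
random.Random(2024).shuffle(_table)

def P(x):
    """Public permutation (table lookup)."""
    return _table[x & MASK]

def sem_encrypt(k, x):
    """Single-key Even-Mansour: E_k(x) = P(x xor k) xor k."""
    return P(x ^ k) ^ k

def related_key_differential(k, x, delta):
    """SEM satisfies E_{k xor d}(x xor d) = E_k(x) xor d for every d: the key
    difference cancels against the input difference inside P and reappears
    only in the output whitening."""
    return sem_encrypt(k ^ delta, x ^ delta) == sem_encrypt(k, x) ^ delta

def davies_meyer(h, m):
    """PGV Davies-Meyer compression: f(h, m) = E_m(h) xor h."""
    return sem_encrypt(m, h) ^ h

def matyas_meyer_oseas(h, m):
    """PGV Matyas-Meyer-Oseas compression: f(h, m) = E_h(m) xor m."""
    return sem_encrypt(h, m) ^ m

def free_start_collision(f, h, m, delta):
    """Return (h', m') != (h, m) with f(h', m') == f(h, m) for any nonzero delta.
    The differential leaves a delta on the cipher output, and the feed-forward
    xor with the (also delta-shifted) input removes it, so the outputs coincide."""
    if delta == 0:
        raise ValueError("delta must be nonzero")
    h2, m2 = h ^ delta, m ^ delta
    if f(h2, m2) != f(h, m):  # cannot happen for SEM; guards against a wrong f
        raise RuntimeError("differential did not hold")
    return h2, m2

def count_free_start_collisions(f, h, m):
    """Every nonzero delta gives a distinct colliding input: 2^WIDTH - 1 in total."""
    return sum(1 for d in range(1, 1 << WIDTH) if f(h ^ d, m ^ d) == f(h, m))
```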
