Non-random properties of compression and hash functions using linear cryptanalysis

We report on linear analyses of block-cipher based compression and hash functions. Our aim is not to find collisions nor (second) preimages, but to detect non-random properties that may distinguish a compression or hash function from an ideal primitive (random oracle). We study single-block modes of operation such as Davies-Meyer (DM), Matyas-Meyer-Oseas (MMO) and Miyaguchi-Preneel (MP) and double-block modes such as Hirose's, Tandem-DM, Parallel-DM and Abreast-DM. This paper points out weaknesses coming from the feedforward operation used in these hash modes. We use an inside-out approach: we show how a weakness (linear relation) in the underlying block cipher can propagate to the compression function and eventually to the whole hash function. To demonstrate our ideas, we instantiate the block cipher underlying these modes with 21-round PRESENT, the full 16-round DES and 9-round Serpent. For instance, in DM-PRESENT-80 mode, we can distinguish the hash function from an ideal primitive with 2^64 hash computations.
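The inside-out step for the three single-block modes, as an added worked example (not code from the paper): a constructed 8-bit toy SPN (it reuses the PRESENT 4-bit S-box but is not PRESENT) stands in for the block cipher, and the code shows how a linear relation on (plaintext, ciphertext, key) becomes a relation on (chaining value, message block, output) with exactly the same bias once the feedforward is accounted for. All mask values are constructed for illustration.

```python
"""Propagation of a block-cipher linear approximation through the feedforward
of the DM, MMO and MP single-block hash modes.
Added worked example, not code from the paper. The 8-bit SPN is a constructed
toy cipher (it reuses the PRESENT 4-bit S-box but is not PRESENT); all mask
values passed in are constructed for illustration."""
from itertools import product

SBOX = [0xC, 5, 6, 0xB, 9, 0, 0xA, 0xD, 3, 0xE, 0xF, 8, 4, 7, 1, 2]
N = 8  # block and key length (bits) of the toy cipher

def parity(x):
    return bin(x).count("1") & 1

def toy_encrypt(key, pt, rounds=3):
    """Constructed toy SPN: round-key XOR, two S-boxes, bit rotation, whitening."""
    x = pt
    for r in range(rounds):
        x ^= (key + r) & 0xFF                  # toy key schedule
        x = (SBOX[x >> 4] << 4) | SBOX[x & 0xF]
        x = ((x << 3) | (x >> 5)) & 0xFF       # bit permutation (rotate left by 3)
    return x ^ key

def compress(mode, h, m, E=toy_encrypt):
    """Single-block compression f(h, m); h = chaining value, m = message block."""
    if mode == "DM":  return E(m, h) ^ h       # Davies-Meyer: key m, plaintext h
    if mode == "MMO": return E(h, m) ^ m       # Matyas-Meyer-Oseas: key h, plaintext m
    if mode == "MP":  return E(h, m) ^ m ^ h   # Miyaguchi-Preneel: MMO plus h feedforward
    raise ValueError(mode)

def induced_masks(mode, a, b, g):
    """Rewrite the cipher relation a.P ^ b.C ^ g.K = 0 (dot = GF(2) inner product)
    in terms of (h, m, f) with f = compress(mode, h, m); returns (mask_h, mask_m, mask_f).
    The feedforward folds the ciphertext mask b onto h (DM, MP) or m (MMO, MP)."""
    if mode == "DM":  return (a ^ b, g, b)     # C = f ^ h
    if mode == "MMO": return (g, a ^ b, b)     # C = f ^ m
    if mode == "MP":  return (g ^ b, a ^ b, b) # C = f ^ m ^ h
    raise ValueError(mode)

def cipher_count(a, b, g, E=toy_encrypt):
    """Number of (P, K) pairs, over the whole space, satisfying the cipher relation."""
    return sum(parity(a & p) ^ parity(b & E(k, p)) ^ parity(g & k) == 0
               for p, k in product(range(2 ** N), repeat=2))

def compression_count(mode, a, b, g):
    """Same count for the induced relation on (h, m, f); equal to cipher_count because
    (h, m) <-> (P, K) is a bijection, so the bias survives the feedforward unchanged."""
    mh, mm, mf = induced_masks(mode, a, b, g)
    return sum(parity(mh & h) ^ parity(mm & m) ^ parity(mf & compress(mode, h, m)) == 0
               for h, m in product(range(2 ** N), repeat=2))
```

When the plaintext and ciphertext masks coincide (a == b) in DM mode, the chaining-value mask cancels and the approximation relates the message block directly to the output whatever the chaining value is; the bias of any such relation equals count / 2^(2N) - 1/2.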
