Higher-Order Differential Meet-in-The-Middle Preimage Attacks on SHA-1 and BLAKE

At CRYPTO 2012, Knellwolf and Khovratovich presented a differential formulation of advanced meet-in-the-middle techniques for preimage attacks on hash functions. They demonstrated the usefulness of their approach by significantly improving the previously best known attacks on SHA-1 from CRYPTO 2009, increasing the number of attacked rounds from a 48-round one-block pseudo-preimage without padding and a 48-round two-block preimage without padding to a 57-round one-block preimage without padding and a 57-round two-block preimage with padding, out of 80 rounds for the full function. In this work, we further exploit the differential view of meet-in-the-middle techniques and generalize it to higher-order differentials. Despite being an important technique dating from the mid-90s, this is the first time higher-order differentials have been applied to meet-in-the-middle preimages. We show that doing so may lead to significant improvements to preimage attacks on hash functions with a simple linear message expansion. We extend the number of attacked rounds on SHA-1 to give a 62-round one-block preimage without padding, a 56-round one-block preimage with padding, and a 62-round two-block preimage with padding. We also apply our framework to the more recent SHA-3 finalist BLAKE and its newer variant BLAKE2, and give an attack for a 2.75-round preimage with padding, and a 7.5-round pseudo-preimage on the compression function.
