Abstract
Hashing modes are ways to convert a block cipher into a hash function, and those with AES as the underlying block cipher are referred to as AES hashing modes. In 2011, Sasaki introduced the first preimage attack against AES hashing modes with the AES block cipher reduced to 7 rounds, using the meet-in-the-middle method. His attack does not take the key schedules into account; hence, the same attack applies to all three versions of AES. In this paper, by introducing neutral bits from the key, extra degrees of freedom are gained, which are utilized in two ways: to reduce the time complexity and to extend the attack to more rounds. As an immediate result, the complexities of 7-round pseudo-preimage attacks are reduced from $2^{120}$ to $2^{104}$, $2^{96}$, and $2^{96}$ for AES-128, AES-192, and AES-256, respectively. By carefully choosing the neutral bits from the key to cancel those from the state, the attack is extended to 8 rounds for AES-192 and AES-256 with complexities $2^{112}$ and $2^{96}$. Similar results are obtained for Kiasu-BC, a tweakable block cipher based on AES-128, and interestingly the additional input tweak helps reduce the complexity and extend the attack to one more round. To the best of our knowledge, these are the first preimage attacks against 8-round AES hashing modes.
Highlights
In the two sections, we first present our 7-round pseudo-preimage attacks on Advanced Encryption Standard (AES)-128, AES-192, and Kiasu-BC hashing mode, improved in terms of the attack complexity, and then present our 8-round attacks on AES-192, AES-256, and Kiasu-BC hashing mode, improved in terms of the number of attacked rounds. All of these are enabled by introducing neutral bytes in the key.
In the scenario where a tweakable block cipher is used in the PGV hashing mode and the tweaks can accept chosen inputs, freedom from this additional input might be exploited in attacks similar to the above ones.
Under the general framework of the meet-in-the-middle preimage attack against AES hashing modes introduced by Sasaki in 2011 and improved by Wu et al. in 2012, we made two observations: the key bits are not used, and the neutral bits in the two chunks are not balanced in Wu et al.’s improvement.
Summary
Sasaki and Aoki introduced the Meet-in-the-Middle (MITM) preimage attack in 2008 [SA08], and the technique was extended and used to break the theoretical preimage security claims of MD4 [GLRW10a], MD5 [SA09], Tiger [WS10, GLRW10a], HAVAL [SA08, GSY15] and round-reduced variants of many other hash functions such as SHA-0 and SHA-1 [AS09a, KK12, EFK15], SHA-2 [AGM+09], BLAKE [EFK15], HAS-160 [HKS10], RIPEMD and RIPEMD-160 [WSK+11],
[Footnote 1] Corresponding open-source libraries are released, and one can find the implementation of the hash function built using AES MMO-mode via https://gitlab.com/sse/crypto/blob/master/src/block_hash.
Larger key sizes allow more degrees of freedom for the choices of neutral bits, and AES with a larger key size comes with a slower key diffusion. These factors lead us to a higher number of attacked rounds and lower time complexities for AES-192 and AES-256, compared with the previous attacks against AES-128 in [Sas, WFW+12].