Blockcipher-Based Hash Functions Research Articles

Weaknesses of some lightweight blockciphers suitable for IoT systems and their applications in hash modes

Twelve PGV models, MDC-2, and HIROSE, which are blockcipher-based hash functions, have been proven to be secure as hash functions when they are instantiated with ideal blockciphers. However, their security cannot be guaranteed when the base blockciphers use weak key-schedules. In this paper, we propose various related-key or chosen-key differential paths of Fantomas, Midori-128, GOST, and 12-round reduced AES-256 using key-schedules with weak diffusion effects. We then describe how these differential paths undermine the security of PGV models, MDC-2, or HIROSE. In addition, we show that the invariant subspace attacks on PRINT and Midori-64 can be transferred to collision attacks on their some hash modes.

Cryptanalysis of hash functions based on blockciphers suitable for IoT service platform security

It is well-known that blockcipher-based hash functions may be attacked when adopting blockciphers having related-key differential properties. However, all forms of related-key differentials are not always effective to attack them. In this paper we provide the general frameworks for collision and second-preimage attacks on hash functions by using related-key differential properties of instantiated blockciphers, and show their various applications. In the literature, there have been several provably secure blockcipher-based hash functions such as 12 PGV schemes, MDC-2, MJH, Abreast-DM, Tandem-DM, and HIROSE. However, their security cannot be guaranteed when they are instantiated with specific blockciphers. In this paper, we first observe related-key differential properties of some blockciphers such as Even-Mansour (EM), Single-key Even-Mansour (SEM), XPX with a fixed tweak (XPX1111), Chaskey cipher, and LOKI, which are suitable for IoT service platform security. We then present how these properties undermine the security of the aforementioned blockcipher-based hash functions. In our analysis, the collision and second-preimage attacks can be applied to several PGV schemes, MDC-2, MJH instantiated with SEM, XPX1111, Chaskey cipher, to PGV no.5, MJH, HIROSE, Abreast-DM, Tandem-DM instantiated with EM. Furthermore, LOKI-based MDC-2 is vulnerable to the collision attack. We also provide the necessary conditions for related-key differentials of blockciphers in order to attack each of the hash functions. To the best of our knowledge, this study is the first comprehensive analysis of hash functions based on blockciphers having related-key differential properties. Our cryptanalytic results support the well-known claim that blockcipher-based hash functions should avoid adopting blockciphers with related-key differential properties, such as the fixed point property in compression functions. We believe that this study provides a better understanding of the security of blockcipher-based hash functions.

Fixed Point Attack in PGV-5 Scheme Using SIMON Algorithm

Abstract Block cipher-based hash function is a hash function that is constructed by applying a block cipher algorithm on a scheme to form a hash algorithm. So that the strength of the block cipher-based hash function depends on the strength of a block cipher algorithm which is used. In this research, fixed point attack is done to determine the application of SIMON lightweight block cipher scheme PGV-5 hash function in accordance with the characteristics of the fixed point attack. SIMON is a lightweight block cipher algorithm which uses Feistel network as its structure and is recommended as an alternative algorithm beside AES. Fixed-point attack is applied to generate all possible 232 plaintext with some random and extreme IV. The result of this research is plaintext that meets the characteristics of fixed point that does not affect the plaintext hash value because the resulting output is the used IV value itself. Plaintext is used to construct collision. Apparently the result of the application of the PGV-5 scheme is not resistant to collision attack because there is a collision with probability of fixed point 0.00000000093 in the thirty-two IV samples which are used.

Attacks on a double length blockcipher-based hash proposal

In this paper we attack a 2n-bit double length hash function proposed by Lee et al. This proposal is a blockcipher-based hash function with hash rate 2/3. The designers claimed that it could achieve ideal collision resistance and gave a security proof. However, we find a collision attack with complexity of O(23n/4) and a preimage attack with complexity of O(2 n ). Our result shows this construction is much worse than an ideal 2n-bit hash function.

최신 경량 블록 암호 PRINCE에 대한 향상된 연관키 공격

The related-key attack is regarded as one of the important cryptanalytic tools for the security evaluation of block ciphers. This is due to the fact that this attack can be effectively applied to schemes like block-cipher based hash functions whose block-cipher keys can be controlled as their messages. In this paper, we improve the related-key attack on lightweight block cipher PRINCE proposed in FSE 2013. Our improved related-key attack on PRINCE reduces data complexity from  [4] to 2.

An Analysis of the Blockcipher-Based Hash Functions from PGV

Preneel, Govaerts, and Vandewalle (1993) considered the 64 most basic ways to construct a hash function $H{:\;\:}\{0,1\}^{*}\rightarrow \{0,1\}^{n}$ from a blockcipher $E{:\;\:}\{0,1\}^{n}\times \{0,1\}^{n}\rightarrow \{0,1\}^{n}$ . They regarded 12 of these 64 schemes as secure, though no proofs or formal claims were given. Here we provide a proof-based treatment of the PGV schemes. We show that, in the ideal-cipher model, the 12 schemes considered secure by PGV really are secure: we give tight upper and lower bounds on their collision resistance. Furthermore, by stepping outside of the Merkle–Damgård approach to analysis, we show that an additional 8 of the PGV schemes are just as collision resistant (up to a constant). Nonetheless, we are able to differentiate among the 20 collision-resistant schemes by considering their preimage resistance: only the 12 initial schemes enjoy optimal preimage resistance. Our work demonstrates that proving ideal-cipher-model bounds is a feasible and useful step for understanding the security of blockcipher-based hash-function constructions.

On the Impossibility of Highly-Efficient Blockcipher-Based Hash Functions

Fix a small nonempty set of blockcipher keys . We say a blockcipher-based hash function is highly-efficient if it makes exactly one blockcipher call for each message block hashed, and all blockcipher calls use a key from . Although a few highly-efficient constructions have been proposed, no one has been able to prove their security. In this paper we prove, in the ideal-cipher model, that it is impossible to construct a highly-efficient iterated blockcipher-based hash function that is provably secure. Our result implies, in particular, that the Tweakable Chain Hash (TCH) construction suggested by Liskov, Rivest, and Wagner (Advances in CryptologyCRYPTO 02, Lecture Notes in Computer Science, vol. 2442, pp. 3146, Springer, Berlin, 2002) is not correct under an instantiation suggested for this construction, nor can TCH be correctly instantiated by any other efficient means.

Analysis of hash function of Yi and Lam

A block cipher based hash function of Yi and Lam is analysed and shown to be significantly weaker than originally intended.