Improved Meet-in-the-Middle Preimage Attacks against AES Hashing Modes

被引：9

作者：

Bao, Zhenzhen ^{[1
,2
]}

Ding, Lin ^{[3
]}

Guo, Jian ^{[1
]}

Wang, Haoyang ^{[1
]}

Zhang, Wenying ^{[1
,4
]}

机构：

[1] Nanyang Technol Univ, Sch Phys & Math Sci, Div Math Sci, Singapore, Singapore

[2] Nanyang Technol Univ, Strateg Ctr Res Privacy Preserving Technol & Syst, Singapore, Singapore

[3] Shanghai Jiao Tong Univ, Dept Comp Sci & Engn, Shanghai, Peoples R China

[4] Shandong Normal Univ, Sch Informat Sci & Engn, Jinan, Peoples R China

来源：

IACR TRANSACTIONS ON SYMMETRIC CRYPTOLOGY | 2019年 / 2019卷 / 04期

基金：

新加坡国家研究基金会; 中国国家自然科学基金;

关键词：

AES; MITM; preimage; hashing mode; key-schedule; FINDING PREIMAGES; MD4; TIGER;

D O I：

10.13154/tosc.v2019.i4.318-347

中图分类号：

TP31 [计算机软件];

学科分类号：

081202 ; 0835 ;

摘要：

Hashing modes are ways to convert a block cipher into a hash function, and those with AES as the underlying block cipher are referred to as AES hashing modes. Sasaki in 2011, introduced the first preimage attack against AES hashing modes with the AES block cipher reduced to 7 rounds, by the method of meet-in-the-middle. In his attack, the key-schedules are not taken into account. Hence, the same attack applies to all three versions of AES. In this paper, by introducing neutral bits from the key, extra degree of freedom is gained, which is utilized in two ways, i.e., to reduce the time complexity and to extend the attack to more rounds. As an immediate result, the complexities of 7-round pseudo-preimage attacks are reduced from 2 120 to 2 104, 2 96, and 2 96 for AES-128, AES-192, and AES-256, respectively. By carefully choosing the neutral bits from the key to cancel those from the state, the attack is extended to 8 rounds for AES-192 and AES-256 with complexities 2 112 and 2 96. Similar results are obtained for Kiasu-BC, a tweakable block cipher based on AES-128, and interestingly the additional input tweak helps reduce the complexity and extend the attack to one more round. To the best of our knowledge, these are the first preimage attacks against 8-round AES hashing modes.

引用

页码：318 / 347

页数：30

共 33 条

[1]

Advanced Encryption Standard (AES), 2001, FIPS PUB 197

[2] Second Preimage Analysis of Whirlwind [J].

AlTawy, Riham ;

Youssef, Amr M. .

INFORMATION SECURITY AND CRYPTOLOGY (INSCRYPT 2014), 2015, 8957 :311-328

[3]

AlTawy R, 2014, LECT NOTES COMPUT SC, V8469, P109

[4]

[Anonymous], 2010, 1011822010 ISOIEC

[5]

Aoki K, 2009, LECT NOTES COMPUT SC, V5381, P103, DOI 10.1007/978-3-642-04159-4_7

[6]

Aoki K, 2009, LECT NOTES COMPUT SC, V5912, P578, DOI 10.1007/978-3-642-10366-7_34

[7]

Aoki K, 2009, LECT NOTES COMPUT SC, V5677, P70, DOI 10.1007/978-3-642-03356-8_5

[8]

Aumasson JP, 2009, LECT NOTES COMPUT SC, V5381, P120, DOI 10.1007/978-3-642-04159-4_8

[9] Forward and Backward Private Searchable Encryption from Constrained Cryptographic Primitives [J].

Bost, Raphael ;

Minaud, Brice ;

Ohrimenko, Olga .

CCS'17: PROCEEDINGS OF THE 2017 ACM SIGSAC CONFERENCE ON COMPUTER AND COMMUNICATIONS SECURITY, 2017, :1465-1482

[10] Σοφοζ - Forward Secure Searchable Encryption [J].

Bost, Raphael .

CCS'16: PROCEEDINGS OF THE 2016 ACM SIGSAC CONFERENCE ON COMPUTER AND COMMUNICATIONS SECURITY, 2016, :1143-1154

← 1 2 3 4 →