generic attacks against mac algorithms
play

Generic Attacks against MAC algorithms G. Leurent (Inria) Generic - PowerPoint PPT Presentation

Dec 31, 2022 •662 likes •1.71k views

Introduction Hash-based MACs State recovery Universal forgery Key-recovery Conclusion Generic Attacks against MAC algorithms G. Leurent (Inria) Generic Attacks against MAC algorithms ASK 2015 1 / 59 Gatan Leurent Inria Rocquencourt,

  1. Introduction A 2 ASK 2015 Generic Attacks against MAC algorithms G. Leurent (Inria) A 3 A 3 A 2 A 1 8 J 10 J 9 J Hash-based MACs A 3 11 / 59 A 1 AEZ State recovery Universal forgery Key-recovery 11 J Conclusion 10 J 9 J pad E E E E E E E E ▶ AEZ uses a variant of PMAC [Hoang, Krovetz & Rogaway ’15] ▶ A collision gives J : [ x ] ⊕ 9 J = pad ([ y ]) ⊕ 8 J ▶ Key derivation (AEZ v2) J = E 0 ( k ) ▶ Collisions reveal the master key! [FLS, AC’15]

  2. Introduction Proofs ASK 2015 Generic Attacks against MAC algorithms G. Leurent (Inria) Hash-based MACs Attacks Security of block cipher based MACs Conclusion Key-recovery Universal forgery State recovery 12 / 59 CBC-MAC, PMAC, and AEZ have security proofs up to the birthday bound Efgect of collision attacks with 2 n / 2 queries ▶ CBC-MAC: almost universal forgeries [Jia & al ’09] ▶ PMAC: universal forgeries ▶ AEZ: key recovery

  3. Introduction Hash-based MACs ASK 2015 Generic Attacks against MAC algorithms G. Leurent (Inria) Key-recovery attacks Universal forgery attacks Hash-based MACs State recovery attacks Introduction Outline Conclusion Key-recovery Universal forgery State recovery 13 / 59 MACs Security Proofs Hash-based MACs Using multi-collisions Using the cycle structure Short messages attacks using chains Using cycles Using chains HMAC-GOST

  4. Introduction x 1 ASK 2015 Generic Attacks against MAC algorithms G. Leurent (Inria) g k I k n x 3 Hash-based MACs m 2 h x 2 m 1 h State recovery Universal forgery Key-recovery Hash-based MACs Conclusion 14 / 59 x 0 m 0 h | M | ℓ ℓ ℓ ℓ MAC k ( M ) ▶ ℓ -bit chaining value ▶ n -bit output ▶ k -bit key we focus on ℓ = n = k ▶ Key-dependant initial value I k ▶ Unkeyed compression function h ▶ Key-dependant finalization, with message length g k

  5. Introduction Hash-based MACs ASK 2015 Generic Attacks against MAC algorithms G. Leurent (Inria) 15 / 59 HMAC Conclusion Key-recovery Universal forgery State recovery ▶ HMAC has been designed by Bellare, Canetti, and Krawczyk in 1996 ▶ Standardized by ANSI, IETF, ISO, NIST. ▶ Used in many applications: ▶ To provide authentication: ▶ SSL, IPSEC, ... ▶ To provide identification: ▶ Challenge-response protocols ▶ CRAM-MD5 authentication in SASL, POP3, IMAP, SMTP, ... ▶ For key-derivation: ▶ HMAC as a PRF in IPsec ▶ HMAC-based PRF in TLS

  6. Introduction Hash-based MACs ASK 2015 Generic Attacks against MAC algorithms G. Leurent (Inria) 16 / 59 Security of hash-based MACS Conclusion Key-recovery Universal forgery State recovery ▶ Security proofs up to the birthday bound ▶ Generic attacks based on collisions ▶ Proof is tight for some security notions ▶ Existential forgery ▶ Distinguishing-R ▶ What is the remaining security above the birthday bound? ▶ Generic distinguishing-H attack? ▶ Generic state-recovery attack? ▶ Generic universal forgery attack? ▶ Generic key-recovery attack?

  7. Introduction Hash-based MACs ASK 2015 Generic Attacks against MAC algorithms G. Leurent (Inria) Key-recovery attacks Universal forgery attacks Hash-based MACs State recovery attacks Introduction Outline Conclusion Key-recovery Universal forgery State recovery 17 / 59 MACs Security Proofs Hash-based MACs Using multi-collisions Using the cycle structure Short messages attacks using chains Using cycles Using chains HMAC-GOST

  8. Introduction Hash-based MACs ASK 2015 Generic Attacks against MAC algorithms G. Leurent (Inria) 18 / 59 Bibliography Conclusion Key-recovery Universal forgery State recovery Y. Naito, Y. Sasaki, L. Wang, K. Yasuda Generic State-Recovery and Forgery Attacks on ChopMD-MAC and on NMAC/HMAC IWSEC 2013 G. Leurent, T. Peyrin, L. Wang New Generic Attacks against Hash-Based MACs ASIACRYPT 2013 I. Dinur, G. Leurent Improved Generic Attacks against Hash-Based MACs and HAIFA CRYPTO 2014

  9. Introduction m 1 ASK 2015 Generic Attacks against MAC algorithms G. Leurent (Inria) g K I K n x 3 Hash-based MACs 0 h x 1 x 2 19 / 59 [Naito, Sasaki, Wang & Yasuda ’13] State recovery Universal forgery Key-recovery h Multi-collision based attack Conclusion m 0 h x 0 | M | ℓ ℓ ℓ ℓ MAC K ( M ) ▶ Using a fixed message block, we apply a fixed function ▶ Starting point and ending point unknown because of the key Can we detect properties of the function h 0 ∶ x ↦ h ( x , 0 ) ? ▶ Use bias in the output of the compression function ▶ Some outputs are more likely than others ▶ With 2 ℓ−𝜁 work, find a value x ∗ with ℓ preimages (offmine) ▶ How to detect when this state is reached?

  10. Introduction m 1 ASK 2015 Generic Attacks against MAC algorithms G. Leurent (Inria) g K I K n x 3 Hash-based MACs 0 h x 1 x 2 19 / 59 [Naito, Sasaki, Wang & Yasuda ’13] State recovery Universal forgery Key-recovery h Multi-collision based attack Conclusion m 0 h x 0 | M | ℓ ℓ ℓ ℓ MAC K ( M ) ▶ Using a fixed message block, we apply a fixed function ▶ Starting point and ending point unknown because of the key Can we detect properties of the function h 0 ∶ x ↦ h ( x , 0 ) ? ▶ Use bias in the output of the compression function ▶ Some outputs are more likely than others ▶ With 2 ℓ−𝜁 work, find a value x ∗ with ℓ preimages (offmine) ▶ How to detect when this state is reached?

  11. Introduction c ASK 2015 Generic Attacks against MAC algorithms G. Leurent (Inria) Online Structure g k c h 1 h 1 M h 0 I k Hash-based MACs Offmine Structure h 1 h 1 State recovery Universal forgery Key-recovery Conclusion Building fjlters Filters to compare online and online states 20 / 59 x Test whether the state reached after processing M is equal to x ▶ Collisions are preserved by the finalization (for same-length messages) ? 1 Find a collision: = MAC ( M ‖ c ′ ) 2 MAC ( M ‖ c ) h ( x , c ) = h ( x , c ′ ) x ? c ′ c ′

  12. Introduction c ASK 2015 Generic Attacks against MAC algorithms G. Leurent (Inria) Online Structure g k c h 1 h 1 M h 0 I k Hash-based MACs Offmine Structure h 1 h 1 State recovery Universal forgery Key-recovery Conclusion Building fjlters Filters to compare online and online states 20 / 59 x Test whether the state reached after processing M is equal to x ▶ Collisions are preserved by the finalization (for same-length messages) ? 1 Find a collision: = MAC ( M ‖ c ′ ) 2 MAC ( M ‖ c ) h ( x , c ) = h ( x , c ′ ) x ? c ′ c ′

  13. Introduction c ASK 2015 Generic Attacks against MAC algorithms G. Leurent (Inria) Online Structure g k c h 1 h 1 M h 0 I k Hash-based MACs Offmine Structure h 1 h 1 State recovery Universal forgery Key-recovery Conclusion Building fjlters Filters to compare online and online states 20 / 59 x Test whether the state reached after processing M is equal to x ▶ Collisions are preserved by the finalization (for same-length messages) ? 1 Find a collision: = MAC ( M ‖ c ′ ) 2 MAC ( M ‖ c ) h ( x , c ) = h ( x , c ′ ) x ? c ′ c ′

  14. Introduction x 1 ASK 2015 Generic Attacks against MAC algorithms G. Leurent (Inria) g k I k n l x 3 x 2 Hash-based MACs h m 2 m 1 h State recovery Universal forgery Key-recovery Conclusion [Naito, Sasaki, Wang & Yasuda ’13] First state-recovery attack x 0 m 0 h 21 / 59 | M | ℓ ℓ ℓ MAC k ( M ) 1 Fix a message block m 1 = [ 0 ] . With 2 ℓ−𝜁 work, find a value x ∗ with ℓ preimages 2 Find a collision h ( x ∗ , c ) = h ( x ∗ , c ′ ) 3 For random m 0 , compare MAC ( m 0 ‖ [ 0 ] ‖ c ) and MAC ( m 0 ‖ [ 0 ] ‖ c ′ ) If they are equal, x 2 = x ∗

  15. Introduction x 1 ASK 2015 Generic Attacks against MAC algorithms G. Leurent (Inria) g k I k n l x 3 x 2 Hash-based MACs h m 2 0 h State recovery Universal forgery Key-recovery Conclusion [Naito, Sasaki, Wang & Yasuda ’13] First state-recovery attack x 0 m 0 h 21 / 59 | M | ℓ ℓ ℓ MAC k ( M ) 1 Fix a message block m 1 = [ 0 ] . With 2 ℓ−𝜁 work, find a value x ∗ with ℓ preimages 2 Find a collision h ( x ∗ , c ) = h ( x ∗ , c ′ ) 3 For random m 0 , compare MAC ( m 0 ‖ [ 0 ] ‖ c ) and MAC ( m 0 ‖ [ 0 ] ‖ c ′ ) If they are equal, x 2 = x ∗

  16. Introduction x 1 ASK 2015 Generic Attacks against MAC algorithms G. Leurent (Inria) g k I k n l x 3 x 2 Hash-based MACs h m 2 0 h State recovery Universal forgery Key-recovery Conclusion [Naito, Sasaki, Wang & Yasuda ’13] First state-recovery attack x 0 m 0 h 21 / 59 | M | ℓ ℓ ℓ MAC k ( M ) 1 Fix a message block m 1 = [ 0 ] . With 2 ℓ−𝜁 work, find a value x ∗ with ℓ preimages 2 Find a collision h ( x ∗ , c ) = h ( x ∗ , c ′ ) 3 For random m 0 , compare MAC ( m 0 ‖ [ 0 ] ‖ c ) and MAC ( m 0 ‖ [ 0 ] ‖ c ′ ) If they are equal, x 2 = x ∗

  17. Introduction x 1 ASK 2015 Generic Attacks against MAC algorithms G. Leurent (Inria) g k I k n l x 3 x 2 Hash-based MACs h 21 / 59 0 h State recovery Universal forgery Key-recovery Conclusion [Naito, Sasaki, Wang & Yasuda ’13] First state-recovery attack x 0 m 0 h c / c ′ | M | ℓ ℓ ℓ MAC k ( M ) 1 Fix a message block m 1 = [ 0 ] . With 2 ℓ−𝜁 work, find a value x ∗ with ℓ preimages 2 Find a collision h ( x ∗ , c ) = h ( x ∗ , c ′ ) 3 For random m 0 , compare MAC ( m 0 ‖ [ 0 ] ‖ c ) and MAC ( m 0 ‖ [ 0 ] ‖ c ′ ) If they are equal, x 2 = x ∗

  18. Introduction x 1 ASK 2015 Generic Attacks against MAC algorithms G. Leurent (Inria) g k I k n l x 3 x 2 Hash-based MACs h 21 / 59 0 h State recovery Universal forgery Key-recovery Conclusion [Naito, Sasaki, Wang & Yasuda ’13] First state-recovery attack x 0 m 0 h c / c ′ | M | ℓ ℓ ℓ MAC k ( M ) 1 Fix a message block m 1 = [ 0 ] . With 2 ℓ−𝜁 work, find a value x ∗ with ℓ preimages 2 Find a collision h ( x ∗ , c ) = h ( x ∗ , c ′ ) 3 For random m 0 , compare MAC ( m 0 ‖ [ 0 ] ‖ c ) and MAC ( m 0 ‖ [ 0 ] ‖ c ′ ) If they are equal, x 2 = x ∗

  19. Introduction Hash-based MACs State recovery Universal forgery Key-recovery Conclusion Structure of state-recovery attacks G. Leurent (Inria) Generic Attacks against MAC algorithms ASK 2015 22 / 59 1 Identify special states easier to reach 2 Build filter for special states 3 Build messages to reach special states Test if special state reached using filters ▶ In this attack, steps 1 & 2 offmine, step 3 online.

  20. Introduction x 1 ASK 2015 Generic Attacks against MAC algorithms G. Leurent (Inria) g K I K n x 3 Hash-based MACs 0 h x 2 0 h State recovery Universal forgery Key-recovery Conclusion Cycle based attack x 0 0 h 23 / 59 | M | ℓ ℓ ℓ ℓ MAC K ( M ) ▶ Using a fixed message block, we iterate a fixed function ▶ Starting point and ending point unknown because of the key Can we detect properties of the function h 0 ∶ x ↦ h ( x , 0 ) ? ▶ Study the cycle structure of random mappings ▶ Used to attack HMAC in related-key setting [Peyrin, Sasaki & Wang, Asiacrypt 12]

  21. Introduction x 1 ASK 2015 Generic Attacks against MAC algorithms G. Leurent (Inria) g K I K n x 3 Hash-based MACs 0 h x 2 0 h State recovery Universal forgery Key-recovery Conclusion Cycle based attack x 0 0 h 23 / 59 | M | ℓ ℓ ℓ ℓ MAC K ( M ) ▶ Using a fixed message block, we iterate a fixed function ▶ Starting point and ending point unknown because of the key Can we detect properties of the function h 0 ∶ x ↦ h ( x , 0 ) ? ▶ Study the cycle structure of random mappings ▶ Used to attack HMAC in related-key setting [Peyrin, Sasaki & Wang, Asiacrypt 12]

  22. Introduction x 3 ASK 2015 Generic Attacks against MAC algorithms G. Leurent (Inria) x 7 Hash-based MACs x 5 x 4 x 6 x 2 x 1 x 0 Random Mappings Conclusion Key-recovery Universal forgery State recovery 24 / 59 ▶ Functional graph of a random mapping x → f ( x ) ▶ Iterate f : x i = f ( x i − 1 ) ▶ Collision after ≈ 2 ℓ/ 2 iterations ▶ Cycles ▶ Trees rooted in the cycle ▶ Several components

  23. Introduction Hash-based MACs ASK 2015 Generic Attacks against MAC algorithms G. Leurent (Inria) 24 / 59 Random Mappings Conclusion Key-recovery Universal forgery State recovery ▶ Functional graph of a random mapping x → f ( x ) ▶ Iterate f : x i = f ( x i − 1 ) ▶ Collision after ≈ 2 ℓ/ 2 iterations ▶ Cycles ▶ Trees rooted in the cycle ▶ Several components

  24. Introduction Hash-based MACs ASK 2015 Generic Attacks against MAC algorithms G. Leurent (Inria) 24 / 59 Random Mappings Conclusion Key-recovery Universal forgery State recovery ▶ Functional graph of a random mapping x → f ( x ) ▶ Iterate f : x i = f ( x i − 1 ) ▶ Collision after ≈ 2 ℓ/ 2 iterations ▶ Cycles ▶ Trees rooted in the cycle ▶ Several components

  25. Introduction Hash-based MACs ASK 2015 Generic Attacks against MAC algorithms G. Leurent (Inria) 25 / 59 Cycle structure Conclusion Key-recovery Universal forgery State recovery Expected properties of a random mapping over N points: ▶ # Components: 1 2 log N ▶ # Cyclic nodes: √𝜌 N / 2 ▶ Tail length: √𝜌 N / 8 ▶ Rho length: √𝜌 N / 2 ▶ Largest tree: 0 . 48 N ▶ Largest component: 0 . 76 N

  26. Introduction Hash-based MACs ASK 2015 Generic Attacks against MAC algorithms G. Leurent (Inria) 25 / 59 Cycle structure Conclusion Key-recovery Universal forgery State recovery Expected properties of a random mapping over N points: ▶ # Components: 1 2 log N ▶ # Cyclic nodes: √𝜌 N / 2 ▶ Tail length: √𝜌 N / 8 ▶ Rho length: √𝜌 N / 2 ▶ Largest tree: 0 . 48 N ▶ Largest component: 0 . 76 N

  27. Introduction Hash-based MACs ASK 2015 Generic Attacks against MAC algorithms G. Leurent (Inria) Success if Using the cycle length Conclusion Key-recovery Universal forgery State recovery 26 / 59 1 Offmine: find the cycle length L of the main component of h 0 2 Online: query t = MAC ( r ‖ [ 0 ] 2 ℓ/ 2 ) and t ′ = MAC ( r ‖ [ 0 ] 2 ℓ/ 2 + L ) ▶ The starting point is in the main component p = 0 . 76 ▶ The cycle is reached with less than 2 ℓ/ 2 iterations p ≥ 0 . 5 Randomize starting point

  28. Introduction Hash-based MACs ASK 2015 Generic Attacks against MAC algorithms G. Leurent (Inria) 26 / 59 Cycle structure Conclusion Key-recovery Universal forgery State recovery Expected properties of a random mapping over N points: ▶ # Components: 1 2 log N ▶ # Cyclic nodes: √𝜌 N / 2 ▶ Tail length: √𝜌 N / 8 ▶ Rho length: √𝜌 N / 2 ▶ Largest tree: 0 . 48 N ▶ Largest component: 0 . 76 N

  29. Introduction Hash-based MACs ASK 2015 Generic Attacks against MAC algorithms G. Leurent (Inria) Success if Using the cycle length Conclusion Key-recovery Universal forgery State recovery 26 / 59 1 Offmine: find the cycle length L of the main component of h 0 2 Online: query t = MAC ( r ‖ [ 0 ] 2 ℓ/ 2 ) and t ′ = MAC ( r ‖ [ 0 ] 2 ℓ/ 2 + L ) ▶ The starting point is in the main component p = 0 . 76 ▶ The cycle is reached with less than 2 ℓ/ 2 iterations p ≥ 0 . 5 Randomize starting point

  30. Introduction 0 ASK 2015 Generic Attacks against MAC algorithms G. Leurent (Inria) g k I k n x 3 x 2 0 h Hash-based MACs x 1 27 / 59 Key-recovery x 0 State recovery 0 h Universal forgery h Dealing with the message length Conclusion Problem: most MACs use the message length. | M | ℓ ℓ ℓ ℓ MAC k ( M )

  31. Introduction Hash-based MACs State recovery Universal forgery Key-recovery Conclusion Dealing with the message length G. Leurent (Inria) Generic Attacks against MAC algorithms ASK 2015 27 / 59 Solution: reach the cycle twice M = r ‖ [ 0 ] 2 ℓ/ 2 ‖ [ 1 ] ‖ [ 0 ] 2 ℓ/ 2

  32. Introduction Hash-based MACs State recovery Universal forgery Key-recovery Conclusion Dealing with the message length G. Leurent (Inria) Generic Attacks against MAC algorithms ASK 2015 27 / 59 Solution: reach the cycle twice M 2 = r ‖ [ 0 ] 2 ℓ/ 2 ‖ [ 1 ] ‖ [ 0 ] 2 ℓ/ 2 + L M 1 = r ‖ [ 0 ] 2 ℓ/ 2 + L ‖ [ 1 ] ‖ [ 0 ] 2 ℓ/ 2

  33. Introduction Hash-based MACs ASK 2015 Generic Attacks against MAC algorithms G. Leurent (Inria) Analysis 28 / 59 Key-recovery Distinguishing-H attack Conclusion State recovery Universal forgery 1 Offmine: find the cycle length L of the main component of h 0 t = MAC ( r ‖ [ 0 ] 2 ℓ/ 2 ‖ [ 1 ] ‖ [ 0 ] 2 ℓ/ 2 + L ) 2 Online: query t ′ = MAC ( r ‖ [ 0 ] 2 ℓ/ 2 + L ‖ [ 1 ] ‖ [ 0 ] 2 ℓ/ 2 ) 3 If t = t ′ , then h is the compression function in the oracle ▶ Complexity: 2 ℓ/ 2 compression function calls ▶ Success probability: p ≃ 0 . 14 ▶ Both starting point are in the main component p = 0 . 76 2 ▶ Both cycles are reached with less than 2 ℓ/ 2 iterations p ≥ 0 . 5 2

  34. Introduction Hash-based MACs ASK 2015 Generic Attacks against MAC algorithms G. Leurent (Inria) Analysis 29 / 59 Conclusion State recovery attack Key-recovery Universal forgery State recovery ▶ Consider the first cyclic point ▶ With high pr., root of the giant tree 1 Offmine: find cycle length L , and root of giant tree 𝛽 2 Online: Binary search for smallest z with collisions: ‖ [ x ] ‖ [ 0 ] 2 ℓ/ 2 + L ) , MAC ( r ‖ [ 0 ] z MAC ( r ‖ [ 0 ] z + L ‖ [ x ] ‖ [ 0 ] 2 ℓ/ 2 ) 3 State after r ‖ [ 0 ] z is 𝛽 (with high pr.) ▶ Complexity 2 ℓ/ 2 × ℓ × log (ℓ)

  35. Introduction Hash-based MACs ASK 2015 Generic Attacks against MAC algorithms G. Leurent (Inria) 29 / 59 Cycle structure Conclusion Key-recovery Universal forgery State recovery Expected properties of a random mapping over N points: ▶ # Components: 1 2 log N ▶ # Cyclic nodes: √𝜌 N / 2 ▶ Tail length: √𝜌 N / 8 ▶ Rho length: √𝜌 N / 2 ▶ Largest tree: 0 . 48 N ▶ Largest component: 0 . 76 N

  36. Introduction Hash-based MACs ASK 2015 Generic Attacks against MAC algorithms G. Leurent (Inria) Analysis 29 / 59 Conclusion State recovery attack Key-recovery Universal forgery State recovery ▶ Consider the first cyclic point ▶ With high pr., root of the giant tree 1 Offmine: find cycle length L , and root of giant tree 𝛽 2 Online: Binary search for smallest z with collisions: ‖ [ x ] ‖ [ 0 ] 2 ℓ/ 2 + L ) , MAC ( r ‖ [ 0 ] z MAC ( r ‖ [ 0 ] z + L ‖ [ x ] ‖ [ 0 ] 2 ℓ/ 2 ) 3 State after r ‖ [ 0 ] z is 𝛽 (with high pr.) ▶ Complexity 2 ℓ/ 2 × ℓ × log (ℓ)

  37. Introduction Hash-based MACs ASK 2015 Generic Attacks against MAC algorithms G. Leurent (Inria) Compare with collision fjnding algorithms 30 / 59 Limitations of cycle-based attacks Short message attacks Conclusion Key-recovery Universal forgery State recovery ▶ Messages of length 2 ℓ/ 2 are not very practical... ▶ SHA-1 and HAVAL limit the message length to 2 64 bits ▶ Cycle detection impossible with messages shorter than L ≈ 2 ℓ/ 2 ▶ Shorter cycles have a small component ▶ Not applicable to HAIFA hash functions ▶ Pollard’s rho algorithm use cycle detection ▶ Parallel collision search for van Oorschot and Wiener uses shorter chains

  38. Introduction x 1 ASK 2015 Generic Attacks against MAC algorithms G. Leurent (Inria) Can we detect properties of the iteration of fjxed functions? g K I K n x 3 x 2 Hash-based MACs h 2 C B Chain-based attack State recovery Universal forgery Key-recovery Conclusion h 0 x 0 A h 1 31 / 59 | M | ℓ ℓ ℓ ℓ MAC K ( M ) ▶ Using a fixed message, we iterate a fixed sequence of function ▶ Starting point and ending point unknown because of the key ▶ Study the entropy loss skip details

  39. Introduction x 1 ASK 2015 Generic Attacks against MAC algorithms G. Leurent (Inria) Can we detect properties of the iteration of fjxed functions? g K I K n x 3 x 2 Hash-based MACs h 2 C B Chain-based attack State recovery Universal forgery Key-recovery Conclusion h 0 x 0 A h 1 31 / 59 | M | ℓ ℓ ℓ ℓ MAC K ( M ) ▶ Using a fixed message, we iterate a fixed sequence of function ▶ Starting point and ending point unknown because of the key ▶ Study the entropy loss skip details

  40. Introduction x 2 ASK 2015 Generic Attacks against MAC algorithms G. Leurent (Inria) Theorem (Entropy loss) x 4 y 3 Hash-based MACs y 2 x 3 y 1 x 1 y 0 x 0 Collision fjnding with short chains Conclusion Key-recovery Universal forgery State recovery 32 / 59 1 Compute chains x � y Stop when y distinguished 2 If y ∈ { y i } , collision found Let f 1 , f 2 , … , f 2 s be a fixed sequence of random functions; the image of g 2 s ≜ f 2 s ∘ … ∘ f 2 ∘ f 1 contains about 2 ℓ− s points. ▶ Use these state as special states (instead of cycle entry point)

  41. Introduction h 0 h 0 Hash-based MACs h 2 g k M i Online Structure h 0 h 1 h 2 h 0 h 1 h 2 h 1 g k h 2 h 0 h 1 h 2 h 0 h 1 h 2 M i Offmine Structure G. Leurent (Inria) Generic Attacks against MAC algorithms ASK 2015 I k h 1 h 2 h 2 State recovery Universal forgery Key-recovery Conclusion State-recovery attacks I k h 0 h 1 h 2 g k I k h 1 h 0 h 1 33 / 59 I k h 0 I k h 0 h 1 g k g k h 2 ▶ Send messages to the oracle ▶ Do some computations offmine with the compression function MAC ( M 0 ) $ MAC ( M 1 ) $ MAC ( M 2 ) $ MAC ( M 3 ) $ MAC ( M 4 ) $ ▶ Match the sets of points? ▶ How to test equality? Online chaining values unknown ▶ How many equality test do we need?

  42. Introduction h 2 g k C Hash-based MACs 2 u Online Structure h 1 h 2 h S h 1 h 2 h S h 1 h S h 2 h 1 h 2 h S h 1 h 2 h S C 2 t Offmine Structure G. Leurent (Inria) Generic Attacks against MAC algorithms ASK 2015 h S 34 / 59 h 1 Key-recovery First attempt Universal forgery I k h 0 h 1 State recovery h 2 h S g k h 0 h 0 h 1 h 2 h S g k h 0 g k h S h 2 h 1 g k h S h 2 h 1 h 0 Conclusion ▶ Chains of length 2 s , with a fixed message C [ i ] $ $ $ $ $ S = 2 s S = 2 s 1 Evaluate 2 t chains offmine s + t + u = ℓ Build filters for endpoints 2 Query 2 u message M i = [ i ] ‖ C Test endpoints with filters Cplx: 2 s + t + u

  43. Introduction M ASK 2015 Generic Attacks against MAC algorithms G. Leurent (Inria) Offmine Structure p h 1 h 1 x Online Structure g k p h 1 Hash-based MACs h 1 h 0 Filters to compare online and online states State recovery Universal forgery Key-recovery Conclusion Building fjlters 35 / 59 I k Test whether the state reached after processing M is equal to x ▶ Collisions are preserved by the finalization (for same-length messages) ? 1 Find a collision: = MAC ( M || p ′ ) 2 MAC ( M || p ) h ( x , p ) = h ( x , p ′ ) x ? p ′ p ′

  44. Introduction M ASK 2015 Generic Attacks against MAC algorithms G. Leurent (Inria) Offmine Structure p h 1 h 1 x Online Structure g k p h 1 Hash-based MACs h 1 h 0 Filters to compare online and online states State recovery Universal forgery Key-recovery Conclusion Building fjlters 35 / 59 I k Test whether the state reached after processing M is equal to x ▶ Collisions are preserved by the finalization (for same-length messages) ? 1 Find a collision: = MAC ( M || p ′ ) 2 MAC ( M || p ) h ( x , p ) = h ( x , p ′ ) x ? p ′ p ′

  45. Introduction M ASK 2015 Generic Attacks against MAC algorithms G. Leurent (Inria) Offmine Structure p h 1 h 1 x Online Structure g k p h 1 Hash-based MACs h 1 h 0 Filters to compare online and online states State recovery Universal forgery Key-recovery Conclusion Building fjlters 35 / 59 I k Test whether the state reached after processing M is equal to x ▶ Collisions are preserved by the finalization (for same-length messages) ? 1 Find a collision: = MAC ( M || p ′ ) 2 MAC ( M || p ) h ( x , p ) = h ( x , p ′ ) x ? p ′ p ′

  46. Introduction h 2 g k C Hash-based MACs 2 u Online Structure h 1 h 2 h S h 1 h 2 h S h 1 h S h 2 h 1 h 2 h S h 1 h 2 h S C 2 t Offmine Structure G. Leurent (Inria) Generic Attacks against MAC algorithms ASK 2015 h S 36 / 59 h 1 Key-recovery First attempt Universal forgery I k h 0 h 1 State recovery h 2 h S g k h 0 h 0 h 1 h 2 h S g k h 0 g k h S h 2 h 1 g k h S h 2 h 1 h 0 Conclusion ▶ Chains of length 2 s , with a fixed message C [ i ] $ $ $ $ $ S = 2 s S = 2 s 1 Evaluate 2 t chains offmine s + t + u = ℓ Build filters for endpoints 2 Query 2 u message M i = [ i ] ‖ C Test endpoints with filters Cplx: 2 s + t + u

  47. Introduction h 1 ASK 2015 Generic Attacks against MAC algorithms G. Leurent (Inria) 2 s Offmine Structure p h 1 h 1 x Hash-based MACs Online Structure g k p 37 / 59 h 1 M State recovery Universal forgery Key-recovery Conclusion Online fjlters I k h 0 ▶ Using the filters is too expensive. ▶ If we build filters online, using them is cheap. 1 Find p , p ′ s.t. ? = h ( x , m ′ ) 2 h ( x , m ) MAC ( M || p ) = MAC ( M || p ′ ) x ? p ′ p ′ Cost Build Test Offmine filter 2 ℓ/ 2 Online filter 1 2 ℓ/ 2 + s

  48. Introduction h 2 h S g k C Hash-based MACs Online Structure h 1 h 2 h S h 1 h 2 h S h 1 h S h 1 h 1 h 2 h S h 1 h 2 h S C 2 t Offmine Structure G. Leurent (Inria) Generic Attacks against MAC algorithms ASK 2015 h 2 2 u h 0 h 2 State recovery Universal forgery Key-recovery Conclusion First attack on HMAC-HAIFA I k h 0 h 1 h 2 h S g k h 0 h 1 g k h S h S h S h 2 h 1 h 0 g k 38 / 59 h 2 h 1 g k h 0 ▶ Chains of length 2 s , with a fixed message C [ i ] $ $ $ $ $ S = 2 s S = 2 s 1 Query 2 u message M i = [ i ] ‖ C s + t + u = ℓ Build filters for M i Cplx: 2 s + u +ℓ/ 2 2 Evaluate 2 t chains offmine Cplx: 2 t + s Test endpoints with filters Cplx: 2 t + u

  49. Introduction h 2 g k C 2 u Online Structure Hash-based MACs h 1 h 2 h S h 1 h 2 h S h 1 h S h 2 h 1 h 2 h S h 1 h 2 h S C 2 t Offmine Structure Optimal complexity G. Leurent (Inria) Generic Attacks against MAC algorithms ASK 2015 h S 38 / 59 h 1 Key-recovery I k h 0 h 1 h 2 h 0 h S g k h 0 Conclusion h 1 h 2 h S g k h 0 h 1 Universal forgery h 2 h S g k h 0 h 1 h 2 State recovery h S g k First attack on HMAC-HAIFA ▶ Chains of length 2 s , with a fixed message C [ i ] $ $ $ $ $ S = 2 s S = 2 s 1 Query 2 u message M i = [ i ] ‖ C s + t + u = ℓ Build filters for M i Cplx: 2 s + u +ℓ/ 2 2 ℓ− s , for s ≤ ℓ/ 6 2 Evaluate 2 t chains offmine Cplx: 2 t + s (using u = s ) Test endpoints with filters Cplx: 2 t + u Minimum: 2 5 ℓ/ 6

  50. Introduction Diamond structure ASK 2015 Generic Attacks against MAC algorithms G. Leurent (Inria) Hash-based MACs [Kelsey & Kohno, EC’06] Diamond fjlters Conclusion Key-recovery Universal forgery State recovery 39 / 59 ▶ Building filers is a bottleneck. ▶ Can we amortize the cost of building many filters? Herd N initial states to a common state ▶ Try ≈ 2 ℓ/ 2 /√ N msg from each state. ▶ Whp, the initial states can be paired ▶ Repeat... Total ≈ √ N ⋅ 2 ℓ/ 2

  51. Introduction Diamond structure ASK 2015 Generic Attacks against MAC algorithms G. Leurent (Inria) Hash-based MACs [Kelsey & Kohno, EC’06] Diamond fjlters Conclusion Key-recovery Universal forgery State recovery 39 / 59 ▶ Building filers is a bottleneck. ▶ Can we amortize the cost of building many filters? Herd N initial states to a common state ▶ Try ≈ 2 ℓ/ 2 /√ N msg from each state. ▶ Whp, the initial states can be paired ▶ Repeat... Total ≈ √ N ⋅ 2 ℓ/ 2

  52. Introduction Diamond fjlter ASK 2015 Generic Attacks against MAC algorithms G. Leurent (Inria) Hash-based MACs 39 / 59 Diamond fjlters Conclusion Key-recovery Universal forgery State recovery ▶ Building filers is a bottleneck. ▶ Can we amortize the cost of building many filters? 1 Build a diamond structure 2 Build a collision filter for the final state ▶ Can also be built online ▶ Building N offmine filters: √ N ⋅ 2 ℓ/ 2 rather than N ⋅ 2 ℓ/ 2 ▶ Building N online filters: √ N ⋅ 2 ℓ/ 2 + s rather than N ⋅ 2 ℓ/ 2 + s

  53. Introduction h S 2 u Online Structure Hash-based MACs h 1 h 2 h S h 1 h 2 h S h 1 h 2 h 1 g k h 2 h S h 1 h 2 h S C 2 t Offmine Structure G. Leurent (Inria) Generic Attacks against MAC algorithms ASK 2015 C 40 / 59 h S h S State recovery Universal forgery Key-recovery Conclusion Improved attack on HMAC-HAIFA I k h 0 h 1 h 2 h 2 h 0 h 1 h 2 h S h S h 0 h 1 h 2 h 1 h S h 0 h 0 h 1 h 2 ▶ Chains of length 2 s , with a fixed message C [ i ] $ $ $ $ $ S = 2 s S = 2 s 1 Query 2 u message M i = [ i ] ‖ C s + t + u = ℓ Build diamond filter for M i Cplx: 2 s + u / 2 +ℓ/ 2 2 Evaluate 2 t chains offmine Cplx: 2 t + s Test endpoints with filters Cplx: 2 t + u

  54. Introduction h 1 2 u Online Structure h 1 Hash-based MACs h S h 1 h 2 h S h 1 h 2 h S h 2 g k h S h 1 h 2 h S C 2 t Offmine Structure Optimal complexity G. Leurent (Inria) Generic Attacks against MAC algorithms ASK 2015 C h 2 h S h S State recovery Universal forgery Key-recovery Conclusion Improved attack on HMAC-HAIFA I k h 0 h 1 h 2 h 2 h S h 0 h 1 h 2 40 / 59 h 0 h 0 h 1 h 2 h S h 0 h 1 h 2 h S h 1 ▶ Chains of length 2 s , with a fixed message C [ i ] $ $ $ $ $ S = 2 s S = 2 s 1 Query 2 u message M i = [ i ] ‖ C s + t + u = ℓ Build diamond filter for M i Cplx: 2 s + u / 2 +ℓ/ 2 2 ℓ− s , for s ≤ ℓ/ 5 2 Evaluate 2 t chains offmine Cplx: 2 t + s (using u = s ) Test endpoints with filters Cplx: 2 t + u Minimum: 2 4 ℓ/ 5

  55. Introduction y 2 ASK 2015 Generic Attacks against MAC algorithms G. Leurent (Inria) Theorem (Entropy loss for collisions) Hash-based MACs x 4 y 3 x 3 41 / 59 x 2 y 1 x 1 y 0 x 0 Improvement using collisions (fjxed function) State recovery Universal forgery Conclusion Key-recovery 1 Compute chains x � y Stop when y distinguished 2 If y ∈ { y i } , collision found Let ̂ x and ̂ y be two collisions found using chains of length 2 s , with a fixed ℓ -bit random function f . Then Pr 􏿯 ̂ y 􏿲 = 𝛪( 2 2 s −ℓ ) . x = ̂ ▶ Use the collisions as special states (instead of cycle entry point)

  56. Introduction Hash-based MACs ASK 2015 Generic Attacks against MAC algorithms G. Leurent (Inria) 42 / 59 Trade-ofgs for state-recovery attacks State recovery Universal forgery Key-recovery Conclusion Merkle-Damgård mode HAIFA mode 2 ℓ 2 ℓ Complexity 2 3 ℓ/ 4 2 3 ℓ/ 4 2 ℓ/ 2 2 ℓ/ 2 1 1 2 ℓ/ 4 2 ℓ/ 2 2 ℓ/ 4 2 ℓ/ 2 Length of the messages Length of the messages

  57. Introduction Hash-based MACs ASK 2015 Generic Attacks against MAC algorithms G. Leurent (Inria) Key-recovery attacks Universal forgery attacks Hash-based MACs State recovery attacks Introduction Outline Conclusion Key-recovery Universal forgery State recovery 43 / 59 MACs Security Proofs Hash-based MACs Using multi-collisions Using the cycle structure Short messages attacks using chains Using cycles Using chains HMAC-GOST

  58. Introduction Hash-based MACs ASK 2015 Generic Attacks against MAC algorithms G. Leurent (Inria) 44 / 59 Bibliography Conclusion Key-recovery Universal forgery State recovery T. Peyrin, L. Wang Generic Universal Forgery Attack on Iterative Hash-Based MACs EUROCRYPT 2014 J. Guo, T. Peyrin, Y. Sasaki, L. Wang Updates on Generic Attacks against HMAC and NMAC CRYPTO 2014 I. Dinur, G. Leurent Improved Generic Attacks against Hash-Based MACs and HAIFA CRYPTO 2014

  59. Introduction h h h h h h h h h h h h g k G. Leurent (Inria) Generic Attacks against MAC algorithms ASK 2015 h h Hash-based MACs h State recovery Universal forgery Key-recovery Conclusion Universal forgery attack 45 / 59 I k I k ▶ Given a challenge message C , compute MAC ( C ) ▶ len ( C ) = 2 s ▶ Oracle access to the MAC , can’t ask MAC ( C ) ▶ Study internal states for the computation of MAC ( C ) ▶ Unknown because of initial key and final key 1 Build a difgerent message reaching same states 2 Query MAC ( M ′ ) , use as forgery M ′ MAC ( C )

  60. Introduction h h h h h h h h h h h h g k G. Leurent (Inria) Generic Attacks against MAC algorithms ASK 2015 h h Hash-based MACs h State recovery Universal forgery Key-recovery Conclusion Universal forgery attack 45 / 59 I k I k ▶ Given a challenge message C , compute MAC ( C ) ▶ len ( C ) = 2 s ▶ Oracle access to the MAC , can’t ask MAC ( C ) ▶ Study internal states for the computation of MAC ( C ) ▶ Unknown because of initial key and final key 1 Build a difgerent message reaching same states 2 Query MAC ( M ′ ) , use as forgery M ′ MAC ( C )

  61. Introduction h h h h h h h h h h h h h h g k G. Leurent (Inria) Generic Attacks against MAC algorithms ASK 2015 h 46 / 59 Hash-based MACs State recovery IV Universal forgery Key-recovery Conclusion UF against secret-suffjx MAC IV ▶ Secret-suffjx has no key at the beginning ▶ All internal states for challenge message are known! ▶ Long-message second-preimage attack [Kelsey & Schneier ’05] ▶ H ( M ) = H ( C ) ⟹ MAC ( M ) = H ( M ‖ k ) = H ( C ‖ k ) = MAC ( C ) 1 Build a expandable message Cplx: 2 ℓ/ 2 2 Find a connexion from the IV to the target states Cplx: 2 ℓ− s 3 Select expandable message M ′ MAC ( C )

  62. Introduction h 3 2 IV h h h h h h h h 4 h h h h h h g k G. Leurent (Inria) Generic Attacks against MAC algorithms ASK 2015 Hash-based MACs 46 / 59 5 6 State recovery Universal forgery Key-recovery Conclusion UF against secret-suffjx MAC 7 ▶ Secret-suffjx has no key at the beginning ▶ All internal states for challenge message are known! ▶ Long-message second-preimage attack [Kelsey & Schneier ’05] ▶ H ( M ) = H ( C ) ⟹ MAC ( M ) = H ( M ‖ k ) = H ( C ‖ k ) = MAC ( C ) 1 Build a expandable message Cplx: 2 ℓ/ 2 2 7 + 1 bl. 2 6 + 1 bl. 2 5 + 1 bl. 2 4 + 1 bl. 2 3 + 1 bl. 2 2 + 1 bl. m 7 / m ′ m 6 / m ′ m 5 / m ′ m 4 / m ′ m 3 / m ′ m 2 / m ′ IV h ∗ 1 bl. 1 bl. 1 bl. 1 bl. 1 bl. 1 bl. MAC ( C )

  63. Introduction h h h h h h h h h h Hash-based MACs h h h h g k G. Leurent (Inria) Generic Attacks against MAC algorithms ASK 2015 h IV 46 / 59 State recovery Universal forgery Key-recovery IV Conclusion UF against secret-suffjx MAC ▶ Secret-suffjx has no key at the beginning ▶ All internal states for challenge message are known! ▶ Long-message second-preimage attack [Kelsey & Schneier ’05] ▶ H ( M ) = H ( C ) ⟹ MAC ( M ) = H ( M ‖ k ) = H ( C ‖ k ) = MAC ( C ) 1 Build a expandable message Cplx: 2 ℓ/ 2 2 Find a connexion from x ⋆ to the target states Cplx: 2 ℓ− s 3 Select expandable message h ⋆ m ⋆ h ′ ⋆ MAC ( C )

  64. Introduction h h h h h h h h h h Hash-based MACs h h h h g k G. Leurent (Inria) Generic Attacks against MAC algorithms ASK 2015 h IV 46 / 59 State recovery Universal forgery Key-recovery IV Conclusion UF against secret-suffjx MAC ▶ Secret-suffjx has no key at the beginning ▶ All internal states for challenge message are known! ▶ Long-message second-preimage attack [Kelsey & Schneier ’05] ▶ H ( M ) = H ( C ) ⟹ MAC ( M ) = H ( M ‖ k ) = H ( C ‖ k ) = MAC ( C ) 1 Build a expandable message Cplx: 2 ℓ/ 2 2 Find a connexion from x ⋆ to the target states Cplx: 2 ℓ− s 3 Select expandable message h ⋆ m ⋆ h ′ ⋆ MAC ( C )

  65. Introduction h h h h h h h h h h Hash-based MACs h h h h g k G. Leurent (Inria) Generic Attacks against MAC algorithms ASK 2015 h IV 46 / 59 State recovery Universal forgery Key-recovery IV Conclusion UF against secret-suffjx MAC ▶ Secret-suffjx has no key at the beginning ▶ All internal states for challenge message are known! ▶ Long-message second-preimage attack [Kelsey & Schneier ’05] ▶ H ( M ) = H ( C ) ⟹ MAC ( M ) = H ( M ‖ k ) = H ( C ‖ k ) = MAC ( C ) 1 Build a expandable message Cplx: 2 ℓ/ 2 2 Find a connexion from x ⋆ to the target states Cplx: 2 ℓ− s 3 Select expandable message h ⋆ m ⋆ h ′ ⋆ MAC ( C )

  66. Introduction h h h h h h h h h h h g G. Leurent (Inria) Generic Attacks against MAC algorithms ASK 2015 h h Hash-based MACs h State recovery Universal forgery Key-recovery Conclusion UF against secret-prefjx MAC 47 / 59 h I k ▶ Secret-suffjx has no key at the end ▶ Finalization function is known! 1 Query the MAC of C | i (truncated to i blocks) Cplx: 2 2 ⋅ s 2 Evaluate the finalization function on 2 ℓ− s states Cplx: 2 ℓ− s 3 Find a match, compute MAC MAC ( C )

  67. Introduction g g Hash-based MACs g h g h g h g Online Structure g g g g g g g Offmine Structure G. Leurent (Inria) Generic Attacks against MAC algorithms ASK 2015 h h h I k State recovery Universal forgery Key-recovery Conclusion UF against secret-prefjx MAC g 47 / 59 h h g g h h g ▶ Secret-suffjx has no key at the end ▶ Finalization function is known! 1 Query the MAC of C | i (truncated to i blocks) Cplx: 2 2 ⋅ s 2 Evaluate the finalization function on 2 ℓ− s states Cplx: 2 ℓ− s 3 Find a match, compute MAC MAC ( C ) $ $ $ 2 ℓ− s $ $ $

  68. Introduction h h h h h h h h h h h g k G. Leurent (Inria) Generic Attacks against MAC algorithms ASK 2015 h h Hash-based MACs h State recovery Universal forgery Key-recovery Conclusion UF attack against hash-based MAC 48 / 59 h I k ▶ Combine both techniques 1 Recover an internal state of the challenge 2 Use second-preimage attack with known state ▶ Hard part is to recover an internal state ▶ Extract information about the challenge state through g k ▶ Compute distance to cycle ▶ Use entropy loss of iterations MAC ( C )

  69. Introduction Hash-based MACs ASK 2015 Generic Attacks against MAC algorithms G. Leurent (Inria) Offmine Structure Online Structure 2 s I k Using cycles Main idea Conclusion Key-recovery Universal forgery State recovery 49 / 59 ▶ Measure the distance from challenge point to cycle in h [ 0 ] ▶ Add zero blocks after the challenge ▶ Match with offmine points with known distance 􏿻 2 ℓ− s points 􏿾 2 s C 2 ℓ/ 2

  70. Introduction Hash-based MACs ASK 2015 Generic Attacks against MAC algorithms G. Leurent (Inria) Offmine Structure Online Structure 2 s I k 49 / 59 Conclusion Using cycles Key-recovery Universal forgery State recovery 1 (online) For each challenge state, use binary search to find distance ? MAC ( C | i ‖ 0 d + L ‖ 1 ‖ 0 2 ℓ/ 2 ) = MAC ( C | i ‖ 0 d ‖ 1 ‖ 0 2 ℓ/ 2 + L ) 2 (offmine) Build a structure with 2 ℓ− s points with known distance. 3 (offmine) Match the challenge states and the offmine structure 4 (online) Test candidates at the right distance. 􏿻 2 ℓ− s points 􏿾 2 s C 2 ℓ/ 2

  71. Introduction 2 s ASK 2015 Generic Attacks against MAC algorithms G. Leurent (Inria) Offmine Structure 2 2 s 2 2 s Online Structure Hash-based MACs 50 / 59 I k Main idea Using chains Conclusion Key-recovery Universal forgery State recovery ▶ Add a sequence of fixed message blocks to reduce image space ▶ Match in the reduced space 􏿻 2 ℓ− s points 􏿾 􏿻 2 ℓ− 2 s images ( ) 􏿾 2 s C 2 2 s − 2 s

  72. Introduction Hash-based MACs ASK 2015 Generic Attacks against MAC algorithms G. Leurent (Inria) Offmine Structure 2 2 s 2 2 s Online Structure 2 s I k Using chains Conclusion Key-recovery Universal forgery State recovery 50 / 59 1 (online) Query messages M i = C | i ‖ [ 0 ] 2 2 s − i . Build diamond filter for endpoints Y 2 (offmine) Build a structure with 2 ℓ− s points. Consider 2 2 s -images X . | X | ≤ 2 ℓ− 2 s 3 (offmine) Match X and Y . 4 (offmine) For each match, find preimages as candidates. 􏿻 2 ℓ− s points 􏿾 􏿻 2 ℓ− 2 s images ( ) 􏿾 2 s C 2 2 s − 2 s

  73. Introduction Hash-based MACs ASK 2015 Generic Attacks against MAC algorithms G. Leurent (Inria) s 51 / 59 Universal forgery attacks Conclusion Universal forgery attacks: summary State recovery Universal forgery Key-recovery ▶ It is possible to perform a generic universal forgery attack ▶ Best attack so far: 2 ℓ− s , with s ≤ ℓ/ 4 ( 2 3 ℓ/ 4 with s = ℓ/ 4 ) ▶ Using distance to the cycle: query length 2 ℓ/ 2 ▶ Complexity 2 ℓ− s , s ≤ ℓ/ 6 [Peyrin & Wang, EC ’14] Optimal: 2 5 ℓ/ 6 , with s = 2 ℓ/ 6 ▶ Complexity 2 ℓ− s , s ≤ ℓ/ 4 [Guo, Peyrin, Sasaki & Wang, CR ’14] Optimal: 2 3 ℓ/ 4 , with s = 2 ℓ/ 4 ▶ Later attack using chains: shorter query length 2 t ▶ Complexity 2 ℓ− s , s ≤ ℓ/ 7 , t = 2 s [Dinur & L, CR ’14] Optimal: 2 6 ℓ/ 7 , with s = 2 ℓ/ 7 , t = 2 ℓ/ 7 ▶ Complexity 2 ℓ− s / 2 , s ≤ 2 ℓ/ 5 , t = [Dinur & L, CR ’14] Optimal: 2 4 ℓ/ 5 , with s = 2 2 ℓ/ 5 , t = 2 ℓ/ 5

  74. Introduction Hash-based MACs ASK 2015 Generic Attacks against MAC algorithms G. Leurent (Inria) Key-recovery attacks Universal forgery attacks Hash-based MACs State recovery attacks Introduction Outline Conclusion Key-recovery Universal forgery State recovery 52 / 59 MACs Security Proofs Hash-based MACs Using multi-collisions Using the cycle structure Short messages attacks using chains Using cycles Using chains HMAC-GOST

  75. Introduction M 2 ASK 2015 Generic Attacks against MAC algorithms G. Leurent (Inria) g h n x 3 x 2 Hash-based MACs h x 1 M 3 53 / 59 GOST hash functions State recovery Universal forgery Key-recovery h Conclusion M 0 M 1 x 0 h | M | ℓ ℓ ℓ ℓ IV ▶ Family of Russian standards ▶ GOST-1994: n = ℓ = 256 ▶ GOST-2012: n ≤ ℓ = 512 , HAIFA mode (aka Streebog) ▶ GOST and HMAC-GOST standardized by IETF ▶ Checksum (dashed lines) ▶ Larger state should increase the security

  76. Introduction x 1 ASK 2015 Generic Attacks against MAC algorithms G. Leurent (Inria) t n g h h g h x 2 Hash-based MACs h M 2 M 1 h State recovery Universal forgery Key-recovery Conclusion HMAC-GOST 54 / 59 M 0 x 0 h k ⊕ 𝚓𝚚𝚋𝚎 | M | ℓ ℓ ℓ ℓ IV x ∗ k ⊕ 𝚙𝚚𝚋𝚎 IV ▶ In HMAC, key-dependant value used after the message ▶ Related-key attacks on the last block

  77. Introduction h ASK 2015 Generic Attacks against MAC algorithms G. Leurent (Inria) g h Hash-based MACs M 2 h x 1 M 1 x 2 x 0 Key recovery attack on HMAC-GOST State recovery Universal forgery Key-recovery Conclusion 55 / 59 M 0 h k ⊕ 𝚓𝚚𝚋𝚎 | M | ℓ ℓ ℓ ℓ IV x ∗ 1 Recover the state of a short message 2 Build a multicollision: 2 3 l / 4 messages with the same x ∗ 3 Query messages, detect collisions g ( ̄ x , k ⊕ M ′ ) x , k ⊕ M ) = g ( ̄ Store ( M ⊕ M ′ , M ) for 2 ℓ/ 2 collisions 4 Find collisions g ( ̄ x , y ′ ) offmine x , y ) = g ( ̄ Store ( x ⊕ y ′ , y ) for 2 ℓ/ 2 collisions 5 Detect match M ⊕ M ′ = y ⊕ y ′ . With high probability M ⊕ k = y

  78. Introduction h ASK 2015 Generic Attacks against MAC algorithms G. Leurent (Inria) g h Hash-based MACs M 2 h x 1 M 1 x 2 x 0 Key recovery attack on HMAC-GOST State recovery Universal forgery Key-recovery Conclusion 55 / 59 M 0 h k ⊕ 𝚓𝚚𝚋𝚎 | M | ℓ ℓ ℓ ℓ IV x ∗ 1 Recover the state of a short message 2 Build a multicollision: 2 3 l / 4 messages with the same x ∗ 3 Query messages, detect collisions g ( ̄ x , k ⊕ M ′ ) x , k ⊕ M ) = g ( ̄ Store ( M ⊕ M ′ , M ) for 2 ℓ/ 2 collisions 4 Find collisions g ( ̄ x , y ′ ) offmine x , y ) = g ( ̄ Store ( x ⊕ y ′ , y ) for 2 ℓ/ 2 collisions 5 Detect match M ⊕ M ′ = y ⊕ y ′ . With high probability M ⊕ k = y

  79. Introduction M 1 ASK 2015 Generic Attacks against MAC algorithms G. Leurent (Inria) g h x Hash-based MACs x 2 M 2 h x 1 ̄ 55 / 59 h x 0 M 0 State recovery h Universal forgery Key-recovery Key recovery attack on HMAC-GOST Conclusion k ⊕ M k ⊕ 𝚓𝚚𝚋𝚎 | M | ℓ ℓ ℓ ℓ IV 1 Recover the state of a short message 2 Build a multicollision: 2 3 l / 4 messages with the same x ∗ 3 Query messages, detect collisions g ( ̄ x , k ⊕ M ′ ) x , k ⊕ M ) = g ( ̄ Store ( M ⊕ M ′ , M ) for 2 ℓ/ 2 collisions 4 Find collisions g ( ̄ x , y ′ ) offmine x , y ) = g ( ̄ Store ( x ⊕ y ′ , y ) for 2 ℓ/ 2 collisions 5 Detect match M ⊕ M ′ = y ⊕ y ′ . With high probability M ⊕ k = y

  80. Introduction M 1 ASK 2015 Generic Attacks against MAC algorithms G. Leurent (Inria) g h x Hash-based MACs x 2 M 2 h x 1 ̄ 55 / 59 h x 0 M 0 State recovery h Universal forgery Key-recovery Key recovery attack on HMAC-GOST Conclusion k ⊕ M k ⊕ 𝚓𝚚𝚋𝚎 | M | ℓ ℓ ℓ ℓ IV 1 Recover the state of a short message 2 Build a multicollision: 2 3 l / 4 messages with the same x ∗ 3 Query messages, detect collisions g ( ̄ x , k ⊕ M ′ ) x , k ⊕ M ) = g ( ̄ Store ( M ⊕ M ′ , M ) for 2 ℓ/ 2 collisions 4 Find collisions g ( ̄ x , y ′ ) offmine x , y ) = g ( ̄ Store ( x ⊕ y ′ , y ) for 2 ℓ/ 2 collisions 5 Detect match M ⊕ M ′ = y ⊕ y ′ . With high probability M ⊕ k = y

  81. Introduction M 1 ASK 2015 Generic Attacks against MAC algorithms G. Leurent (Inria) g h x Hash-based MACs x 2 M 2 h x 1 ̄ 55 / 59 h x 0 M 0 State recovery h Universal forgery Key-recovery Key recovery attack on HMAC-GOST Conclusion k ⊕ M k ⊕ 𝚓𝚚𝚋𝚎 | M | ℓ ℓ ℓ ℓ IV 1 Recover the state of a short message 2 Build a multicollision: 2 3 l / 4 messages with the same x ∗ 3 Query messages, detect collisions g ( ̄ x , k ⊕ M ′ ) x , k ⊕ M ) = g ( ̄ Store ( M ⊕ M ′ , M ) for 2 ℓ/ 2 collisions 4 Find collisions g ( ̄ x , y ′ ) offmine x , y ) = g ( ̄ Store ( x ⊕ y ′ , y ) for 2 ℓ/ 2 collisions 5 Detect match M ⊕ M ′ = y ⊕ y ′ . With high probability M ⊕ k = y

  82. Introduction Surprising result ASK 2015 Generic Attacks against MAC algorithms G. Leurent (Inria) Hash-based MACs 56 / 59 Complexity Conclusion Key-recovery Universal forgery State recovery The checksum actually make the hash function weaker! ▶ HMAC-GOST-1994 is weaker than HMAC-SHA256 ▶ HMAC-GOST-2012 is weaker than HMAC-SHA512 It is important to recover the state of a short message ▶ For GOST-1994, we can recover the state of a short message from a longer one using padding tricks Total complexity 2 3 ℓ/ 4 ▶ For GOST-2012, we use an advanced attack with message length 2 ℓ/ 10 Total complexity 2 4 ℓ/ 5

  83. Introduction 2 118 2 118 2 384 2 453 2 54 Hash-based MACs 2 229 2 247 2 283 2 446 2 55 2 213 2 419 2 192 2 90 2 419 2 128 2 192 2 192 2 419 2 419 2 419 G. Leurent (Inria) Generic Attacks against MAC algorithms ASK 2015 2 228 2 192 2 55 2 132 State recovery Universal forgery Key-recovery Conclusion Attack complexity s 2 55 2 107 57 / 59 2 192 2 55 Function Mode St. rec. Univ. F K. rec. ℓ SHA-1 MD 160 SHA-224 MD 256 SHA-256 MD 256 SHA-512 MD 512 HAVAL MD 256 WHIRLPOOL MD 512 BLAKE-256 HAIFA 256 BLAKE-512 HAIFA 512 Skein-512 HAIFA 512 GOST-94 MD+ 𝜏 256 ∞ Streebog HAIFA+ 𝜏 512 ∞

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22 Overview What is a stream cipher? Classification of attacks Different Attacks Exhaustive Key Search Time Memory Tradeoffs

656 views • 22 slides
New Generic Attacks on Hash-based MACs G. Leurent (Inria) New Generic Attacks on Hash-based MACs

New Generic Attacks on Hash-based MACs G. Leurent (Inria) New Generic Attacks on Hash-based MACs

Introduction New generic attacks HMAC-GOST key-recovery Conclusion New Generic Attacks on Hash-based MACs G. Leurent (Inria) New Generic Attacks on Hash-based MACs Asiacrypt 2013 1 / 22 . . . . . . . . . . . . . . . . . Gatan Leurent,

759 views • 52 slides
1 Definition of a simple generic class Why generic programming (cont.) class Pair <T> {

1 Definition of a simple generic class Why generic programming (cont.) class Pair <T> {

Topics background and goals of generic programming basics of generic classes = parameterized types generic methods for general algorithms inheritance rules for generic types Generic programming in Java bounded type parameters

261 views • 5 slides
Building Secure Block Ciphers on Generic Attacks Assumptions Jacques Patarin and Yannick Seurin

Building Secure Block Ciphers on Generic Attacks Assumptions Jacques Patarin and Yannick Seurin

Building Secure Block Ciphers on Generic Attacks Assumptions Jacques Patarin and Yannick Seurin University of Versailles and Orange Labs SAC 2008 August 14-15, 2008 intro the Russian Dolls construction generic attacks application to

539 views • 17 slides
Generic Related-key Attacks for HMAC Thomas Peyrin, Yu Sasaki and Lei Wang Nanyang Technological

Generic Related-key Attacks for HMAC Thomas Peyrin, Yu Sasaki and Lei Wang Nanyang Technological

Introduction A generic related-key attack on HMAC Conclusion Generic Related-key Attacks for HMAC Thomas Peyrin, Yu Sasaki and Lei Wang Nanyang Technological University - Singapore NTT - Japan Asiacrypt 2012 Beijing, China - December 5, 2012

3.43k views • 42 slides
Generic attacks and index calculus D. J. Bernstein University of Illinois at Chicago The

Generic attacks and index calculus D. J. Bernstein University of Illinois at Chicago The

Generic attacks and index calculus D. J. Bernstein University of Illinois at Chicago The discrete-logarithm problem p = 1000003. Define p is prime. Easy to prove: Can we find an integer n 2 f 1 ; 2 ; 3 ; : : : ; p 1 g n mod p =

279 views • 26 slides
HOST Differential Power Attacks ECE 525 Side-Channel Attacks Cryptographic algorithms assume

HOST Differential Power Attacks ECE 525 Side-Channel Attacks Cryptographic algorithms assume

HOST Differential Power Attacks ECE 525 Side-Channel Attacks Cryptographic algorithms assume that secret keys are utilized by implementations of the algorithm in a secure fashion, with access only allowed through the I/Os Unfortunately,

363 views • 12 slides
Generic attacks The discrete-logarithm problem and index calculus Define = 1000003. D. J.

Generic attacks The discrete-logarithm problem and index calculus Define = 1000003. D. J.

Generic attacks The discrete-logarithm problem and index calculus Define = 1000003. D. J. Bernstein Easy to prove: is prime. University of Illinois at Chicago Can we find an integer 1 2 3

1.24k views • 97 slides
Towards Generic Countermeasures Against Fault Injection Attacks Gilles Barthe 2 , cois Dupressoir

Towards Generic Countermeasures Against Fault Injection Attacks Gilles Barthe 2 , cois Dupressoir

Towards Generic Countermeasures Against Fault Injection Attacks Gilles Barthe 2 , cois Dupressoir 2 , Sylvain Guilley 1 , Fran Pablo Rauzy 1 , Pierre-Yves Strub 2 1 Telecom ParisTech 2 IMDEA Software Institute Crypto Seminar Day @ IMDEA

101 views • 9 slides
A Generic Approach to Invariant Subspace Attacks Cryptanalysis of Robin, iSCREAM and Zorro Gregor

A Generic Approach to Invariant Subspace Attacks Cryptanalysis of Robin, iSCREAM and Zorro Gregor

A Generic Approach to Invariant Subspace Attacks Cryptanalysis of Robin, iSCREAM and Zorro Gregor Leander 1 , Brice Minaud 2 , Sondre Rnjom 3 1 Ruhr-Universitt Bochum, Germany 2 ANSSI and Universit Rennes 1, France 3 Nasjonal

590 views • 42 slides
Generic Attacks against Beyond-Birthday-Bound MACs Gatan Leurent 1 , Mridul Nandi 2 , Ferdinand

Generic Attacks against Beyond-Birthday-Bound MACs Gatan Leurent 1 , Mridul Nandi 2 , Ferdinand

Introduction Birthday Bound Attack Beyond Birthday Bound SUM-ECBC 1kf9 Conclusion Generic Attacks against Beyond-Birthday-Bound MACs Gatan Leurent 1 , Mridul Nandi 2 , Ferdinand Sibleyras 1 1 Inria quipe SECRET, Paris, France 2 Indian

1.05k views • 67 slides
Generic Attacks against Beyond-Birthday-Bound MACs Gatan Leurent 1 , Mridul Nandi 2 , Ferdinand

Generic Attacks against Beyond-Birthday-Bound MACs Gatan Leurent 1 , Mridul Nandi 2 , Ferdinand

Introduction Birthday Bound Attack Beyond Birthday Bound SUM-ECBC Conclusion Generic Attacks against Beyond-Birthday-Bound MACs Gatan Leurent 1 , Mridul Nandi 2 , Ferdinand Sibleyras 1 1 Inria quipe SECRET, Paris, France 2 Indian

771 views • 59 slides
Generic Attacks on Feistel Ciphers With Internal Permutations Joana Treger, Jacques Patarin

Generic Attacks on Feistel Ciphers With Internal Permutations Joana Treger, Jacques Patarin

Generic Attacks on Feistel Ciphers With Internal Permutations Joana Treger, Jacques Patarin PRiSM, Universit e de Versailles 2008-11-27 Joana Treger, Jacques Patarin (PRiSM, Universit Generic Attacks on Feistel Ciphers With Internal

1.04k views • 52 slides
Milena: Write Generic Morphological Algorithms Once, Run on Many Kinds of Images Roland Levillain

Milena: Write Generic Morphological Algorithms Once, Run on Many Kinds of Images Roland Levillain

Milena: Write Generic Morphological Algorithms Once, Run on Many Kinds of Images Roland Levillain 1 , 2 , Thierry G eraud 1 , 2 , Laurent Najman 2 1 EPITA Research and Development Laboratory (LRDE), Le Kremlin-Bic etre, France 2 Universit e

746 views • 47 slides
Combining Compression Functions and Block Cipher-Based Hash Functions Asiacrypt 2006 Thomas

Combining Compression Functions and Block Cipher-Based Hash Functions Asiacrypt 2006 Thomas

Introduction The Framework Known Generic Attacks Against Multiple Block Length Hashing How to Avoid Known Generic Attacks ? Conclusions Combining Compression Functions and Block Cipher-Based Hash Functions Asiacrypt 2006 Thomas Peyrin 1 ,

655 views • 44 slides
Generic Methods 36 What are Generic Methods? Generic methods = methods that introduce type

Generic Methods 36 What are Generic Methods? Generic methods = methods that introduce type

Generic Methods 36 What are Generic Methods? Generic methods = methods that introduce type parameters Similar to declaring a generic type but type parameter's scope is limited to method where it is declared The following are

584 views • 6 slides
Some Project Ideas Read & Write something Constructions not covered in class (e.g., McEliece

Some Project Ideas Read & Write something Constructions not covered in class (e.g., McEliece

Some Project Ideas Read & Write something Constructions not covered in class (e.g., McEliece PKE, lattice- based PKE), primitives not covered (e.g., Zero-Knowledge, Oblivious Transfer), proofs not covered (e.g., security of TLS),

411 views • 13 slides
Digital Signature And Hash Function

Digital Signature And Hash Function

Digital Signature And Hash Function 1 Electronic Signature Electronic Signature El Electronic Signature t i Si t Digital Signature Biometric Signature

894 views • 52 slides
Crypto Conclusion (maybe) Message Authentication Codes Key Management Fall 2018 CS 334:

Crypto Conclusion (maybe) Message Authentication Codes Key Management Fall 2018 CS 334:

Crypto Conclusion (maybe) Message Authentication Codes Key Management Fall 2018 CS 334: Computer Security 1 Message Authentication message authentication is concerned with: protecting the integrity of a message Confirming

512 views • 48 slides
General Terms Cryptography Cryptology Cryptanalysis

General Terms Cryptography Cryptology Cryptanalysis

159 views • 3 slides
Cryptography Engineering and Cryptocurrency Yongdae Kim Definition A

Cryptography Engineering and Cryptocurrency Yongdae Kim Definition A

EE817/IS 893 Cryptography Engineering and Cryptocurrency Yongdae Kim Definition A hash function is a function h compression h maps an input x of arbitrary finite bitlength, to an output h(x) of fixed bitlength

862 views • 70 slides
IS511 Introduction to Information Security Lecture 3 Cryptography 2 Yongdae Kim Recap

IS511 Introduction to Information Security Lecture 3 Cryptography 2 Yongdae Kim Recap

IS511 Introduction to Information Security Lecture 3 Cryptography 2 Yongdae Kim Recap http://syssec.kaist.ac.kr/~yongdaek/courses/is511/ E-mail policy 4 Include [is511] 4 Profs + TA: IS511_prof@gsis.kaist.ac.kr 4 Profs + TA +

1.1k views • 43 slides
Hash Functions, Message Authentication Codes Ahmet Burak Can Hacettepe University

Hash Functions, Message Authentication Codes Ahmet Burak Can Hacettepe University

Hash Functions, Message Authentication Codes Ahmet Burak Can Hacettepe University abc@hacettepe.edu.tr 1 Information Security Security Services Confidentiality : Symmetric encryption solves Integrity Authentication

272 views • 14 slides
13 - Computer Security Hashing 1 Solution : hash

13 - Computer Security Hashing 1 Solution : hash

13 - Computer Security Hashing 1 Solution : hash function 0 1 n - h x 0 1 - h x is the hash/digest of x Context Goal - Represent large/sensitive message by a smaller one - Numerous

1.14k views • 68 slides

More recommend