Biclique Cryptanalysis of Full Round AES-128 Based Hashing Modes

نویسندگان

  • Donghoon Chang
  • Mohona Ghosh
  • Somitra Kumar Sanadhya
چکیده

In this work, we revisit the security analysis of AES-128 instantiated hash modes. We use biclique cryptanalysis technique as our basis for the attack. The traditional biclique approach used for key recovery in AES (and preimage search in AES based compression function) cannot be applied directly to hash function settings due to restrictions imposed on message input due to padding. Under this criteria, we show how to translate biclique technique to hash domain and demonstrate preimage and second preimage attack on all 12 PGV modes. Our preimage attack complexity for all PGV modes stands at 2127.4. The second preimage attack complexities differ based on the PGV construction chosen the lowest being 2126.3 and the highest being 2126.67 complexity. We also show how to model our attacks under different settings, e.g., when message is padded/ not padded, when chaining variable is known/not known, when full message or key space is available/ not available to the attacker etc. Our attacks require only 2 message blocks with padding included and works on full 10 rounds of AES-128 for all 12 PGV modes. In our attacks, the IV is assumed to be a known constant which is a practical assumption but knowledge of other chaining variables is not required for the attacker. Considering these, our results can be termed as the best so far in literature. Though our attack results do not significantly decrease the attack complexity factor as compared to brute force but they highlight the actual security margin provided by these constructions.

برای دانلود متن کامل این مقاله و بیش از 32 میلیون مقاله دیگر ابتدا ثبت نام کنید

ثبت نام

اگر عضو سایت هستید لطفا وارد حساب کاربری خود شوید

منابع مشابه

Biclique Cryptanalysis of Full Round AES with Reduced Data Complexity

Abstract. Biclique cryptanalysis was proposed by Bogdanov et al. in Asiacrypt 2011 as a new tool for cryptanalysis of block ciphers. A major hurdle in carrying out biclique cryptanalysis is that it has a very high query complexity (of the order of 2 for AES-128, 2 for AES-192 and 2 for AES-256). This naturally puts a big question mark over the practical feasibility of implementing biclique atta...

متن کامل

Bicliques with Minimal Data and Time Complexity for AES

Abstract. Biclique cryptanalysis is a recent technique that has been successfully applied to AES resulting in key recovery faster than brute force. However, a major hurdle in carrying out biclique cryptanalysis on AES is that it requires very high data complexity. This naturally warrants questions over the practical feasibility of implementing biclique attack in the real world. In Crypto’13, Ca...

متن کامل

Biclique Cryptanalysis of the Full AES

Since Rijndael was chosen as the Advanced Encryption Standard (AES), improving upon 7-round attacks on the 128-bit key variant (out of 10 rounds) or upon 8-round attacks on the 192/256-bit key variants (out of 12/14 rounds) has been one of the most difficult challenges in the cryptanalysis of block ciphers for more than a decade. In this paper, we present the novel technique of block cipher cry...

متن کامل

Non-isomorphic Biclique Cryptanalysis and Its Application to Full-Round mCrypton

Biclique attack, is a new cryptanalytic technique which brings new tools from the area of hash functions to the area of block cipher cryptanalysis. Till now, this technique is the only one able to analyze the full-round AES cipher in a single key scenario. In this paper, we introduce non-isomorphic biclique attack, a modified version of the original biclique attack. In this attack we obtain iso...

متن کامل

Biclique Cryptanalysis of the Block Cipher SQUARE

SQUARE, an 8-round substitution-permutation block cipher, is considered as the predecessor of the AES. In this paper, inspired from the recent biclique attack on the AES [5], we present the first single-key attack on full SQUARE. First, we introduce a biclique for 3 rounds of SQUARE using the independent related-key differentials. Then, we present an attack on the full round of this cipher with...

متن کامل

ذخیره در منابع من


  با ذخیره ی این منبع در منابع من، دسترسی به آن را برای استفاده های بعدی آسان تر کنید

برای دانلود متن کامل این مقاله و بیش از 32 میلیون مقاله دیگر ابتدا ثبت نام کنید

ثبت نام

اگر عضو سایت هستید لطفا وارد حساب کاربری خود شوید

عنوان ژورنال:

دوره   شماره 

صفحات  -

تاریخ انتشار 2015