Biclique Cryptanalysis of Full Round AES-128 Based Hashing Modes

In this work, we revisit the security analysis of AES-128 instantiated hash modes. We use biclique cryptanalysis technique as our basis for the attack. The traditional biclique approach used for key recovery in AES (and preimage search in AES based compression function) cannot be applied directly to hash function settings due to restrictions imposed on message input due to padding. Under this criteria, we show how to translate biclique technique to hash domain and demonstrate preimage and second preimage attack on all 12 PGV modes. Our preimage attack complexity for all PGV modes stands at 2127.4. The second preimage attack complexities differ based on the PGV construction chosen the lowest being 2126.3 and the highest being 2126.67 complexity. We also show how to model our attacks under different settings, e.g., when message is padded/ not padded, when chaining variable is known/not known, when full message or key space is available/ not available to the attacker etc. Our attacks require only 2 message blocks with padding included and works on full 10 rounds of AES-128 for all 12 PGV modes. In our attacks, the IV is assumed to be a known constant which is a practical assumption but knowledge of other chaining variables is not required for the attacker. Considering these, our results can be termed as the best so far in literature. Though our attack results do not significantly decrease the attack complexity factor as compared to brute force but they highlight the actual security margin provided by these constructions.