Weaknesses of some lightweight blockciphers suitable for IoT systems and their applications in hash modes

  • Hangi Kim
  • Myungseo Park
  • Jaehyung Cho
  • Jihun Kim
  • Jongsung Kim (corresponding author)
Part of the following topical collections:
  1. Special Issue on IoT System Technologies based on Quality of Experience


Abstract

The twelve PGV models, MDC-2, and HIROSE, which are blockcipher-based hash functions, have been proven secure as hash functions when they are instantiated with ideal blockciphers. However, their security cannot be guaranteed when the underlying blockciphers use weak key schedules. In this paper, we propose various related-key or chosen-key differential paths for Fantomas, Midori-128, GOST, and 12-round reduced AES-256, all of which have key schedules with weak diffusion. We then describe how these differential paths undermine the security of the PGV models, MDC-2, or HIROSE. In addition, we show that the invariant subspace attacks on PRINT and Midori-64 can be transferred to collision attacks on some of their hash modes.
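The abstract's central point, that an ideal-cipher proof for a hash mode says nothing about a concrete cipher whose key schedule diffuses poorly, is easiest to see on a toy. The following is an added illustration and not code from the paper or from any of the ciphers it analyses: the 64-bit Feistel cipher, both key schedules, the initial value and the key difference are all constructed assumptions. The weak schedule lets a key difference of the form (d, d) cancel before it reaches any round, a related-key differential through the schedule with probability 1, which is the extreme case of the weak-diffusion schedules the paper exploits (the paper's real paths hold with probability below 1 and need far more work). In the Davies-Meyer PGV mode the message block is the cipher key, so that cancelled difference becomes a genuine collision; in Matyas-Meyer-Oseas the chaining value is the key, so the same property gives a free-start collision (two different IVs, same message, same digest). A schedule with real diffusion stops both.

```python
# Constructed toy example for this page. It is not the paper's code and not any
# of the ciphers the paper analyses; the cipher, both key schedules, the IV and
# the key difference used below are assumptions made for illustration.

MASK32 = 0xFFFFFFFF
ROUNDS = 16
IV = 0x0123456789ABCDEF  # arbitrary constructed initial value


def rotl32(x, r):
    return ((x << r) | (x >> (32 - r))) & MASK32


def weak_key_schedule(key):
    """Constructed weak schedule: every round key depends only on hi XOR lo of
    the 64-bit key, so a key difference (d, d) cancels before it reaches any
    round (a related-key differential through the schedule with probability 1)."""
    base = (key >> 32) ^ (key & MASK32)
    return [rotl32(base, (5 * i) % 32) ^ ((0x9E3779B9 * (i + 1)) & MASK32)
            for i in range(ROUNDS)]


def strong_key_schedule(key):
    """Constructed schedule with real diffusion: both key halves feed every
    round key through modular addition and rotations, so no difference cancels."""
    hi, lo = key >> 32, key & MASK32
    round_keys = []
    for i in range(ROUNDS):
        hi, lo = lo, (hi + rotl32(lo, 7) + ((0x9E3779B9 * (i + 1)) & MASK32)) & MASK32
        round_keys.append(hi ^ rotl32(lo, 11))
    return round_keys


def round_function(r, rk):
    x = (r + rk) & MASK32  # key mixing with carries (nonlinear)
    return rotl32(x, 3) ^ rotl32(x, 14) ^ ((x * 0x45D9F3B) & MASK32)


def encrypt(block, key, key_schedule):
    """64-bit Feistel cipher parameterised by the key schedule in use."""
    left, right = block >> 32, block & MASK32
    for rk in key_schedule(key):
        left, right = right, left ^ round_function(right, rk)
    return (left << 32) | right


def davies_meyer(blocks, key_schedule, iv=IV):
    """PGV Davies-Meyer: H_i = E_{M_i}(H_{i-1}) xor H_{i-1}; the message block is the key."""
    h = iv
    for m in blocks:
        h = encrypt(h, m, key_schedule) ^ h
    return h


def matyas_meyer_oseas(blocks, key_schedule, iv=IV):
    """PGV Matyas-Meyer-Oseas: H_i = E_{H_{i-1}}(M_i) xor M_i; the chaining value is the key."""
    h = iv
    for m in blocks:
        h = encrypt(m, h, key_schedule) ^ m
    return h


def related_key(key, d):
    """Apply the key difference (d, d) that the weak schedule cannot see."""
    return key ^ ((d << 32) | d)


def collision_demo(key_schedule):
    """Return (hashes_collide, messages_differ) for Davies-Meyer under a schedule.
    Under the weak schedule, two messages whose middle blocks differ only by a
    cancelled key difference hash to the same value: a real collision."""
    k = 0xDEADBEEF0BADF00D  # constructed message block (and thus cipher key)
    m1 = [0x1111111111111111, k, 0x2222222222222222]
    m2 = [0x1111111111111111, related_key(k, 0x13579BDF), 0x2222222222222222]
    return (davies_meyer(m1, key_schedule) == davies_meyer(m2, key_schedule), m1 != m2)


def free_start_demo(key_schedule):
    """Matyas-Meyer-Oseas keys the cipher with the chaining value, so the same
    weakness yields a free-start collision: two different IVs, same message,
    same digest. Returns (hashes_collide, ivs_differ)."""
    iv2 = related_key(IV, 0x2468ACE0)
    msg = [0x3333333333333333, 0x4444444444444444]
    return (matyas_meyer_oseas(msg, key_schedule) == matyas_meyer_oseas(msg, key_schedule, iv2),
            IV != iv2)


if __name__ == "__main__":
    print("weak schedule, Davies-Meyer collision:", collision_demo(weak_key_schedule))
    print("strong schedule, same message pair:", collision_demo(strong_key_schedule))
    print("weak schedule, MMO free-start collision:", free_start_demo(weak_key_schedule))
    print("strong schedule, same IV pair:", free_start_demo(strong_key_schedule))
```

The practical reading for anyone choosing a blockcipher for a hash mode is the one the paper draws: the PGV, MDC-2 and HIROSE proofs assume an ideal cipher, but in Davies-Meyer style modes the attacker picks the key, so key-schedule diffusion (related-key and chosen-key resistance) has to be evaluated explicitly rather than inherited from the single-key security of the cipher.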


Keywords: Blockcipher-based hash functions · Related-key differential paths · Chosen-key differential paths · Invariant subspace property · Collision attacks · IoT systems



This work was supported as part of Military Crypto Research Center (UD170109ED) funded by Defense Acquisition Program Administration (DAPA) and Agency for Defense Development (ADD).



Copyright information

© Springer Science+Business Media, LLC, part of Springer Nature 2019

Authors and Affiliations

  • Hangi Kim (1)
  • Myungseo Park (1)
  • Jaehyung Cho (1)
  • Jihun Kim (1)
  • Jongsung Kim (1, 2; corresponding author)

  1. Department of Financial Information Security, Kookmin University, Seoul, Korea
  2. Department of Information Security, Cryptology and Mathematics, Kookmin University, Seoul, Korea
