Weaknesses of some lightweight blockciphers suitable for IoT systems and their applications in hash modes

Abstract

Twelve PGV models, MDC-2, and HIROSE, which are blockcipher-based hash functions, have been proven to be secure as hash functions when they are instantiated with ideal blockciphers. However, their security cannot be guaranteed when the base blockciphers use weak key-schedules. In this paper, we propose various related-key or chosen-key differential paths of Fantomas, Midori-128, GOST, and 12-round reduced AES-256 using key-schedules with weak diffusion effects. We then describe how these differential paths undermine the security of PGV models, MDC-2, or HIROSE. In addition, we show that the invariant subspace attacks on PRINT and Midori-64 can be transferred to collision attacks on their some hash modes.

This is a preview of subscription content, log in to check access.

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7
Fig. 8
Fig. 9
Fig. 10
Fig. 11

Notes

  1. 1.

    If we fix a value in a certain byte of M2 such that the 1st-round differential is satisfied, then the differential probability will be increased to 2− 44, and thus the number of trials for M2 is down to 246.

  2. 2.

    The involution function σ is sufficient for toggling a single bit in the security proof of HIROSE [17]. Indeed, the role of the σ in HIROSE makes to insert different inputs to the two blockciphers in a compression function.

  3. 3.

    If σ flips one of the bits 32 ∼ 63, in addition to (i), (ii), and \((iii) ((S(\sigma ({G_{1}^{i}}[1])\boxplus {H_{1}^{i}}[0])^{<<<1}\oplus {G_{1}^{i}}[0])_{w},H_{1,w}^{i}[1])\) must be (1, 0) or (0, 1). This increases the attack complexity.

References

  1. 1.

    CryptoLUX Lightweight block ciphers. www.cryptolux.org/index.php/LightweightBlockCiphers. Accessed: 2017-12-15

  2. 2.

    (2012) Zigbee specification document 053474r20

  3. 3.

    (2015) Hash-functions using the lightweight block cipher LEA. IoTFS-0078

  4. 4.

    Albrecht MR, Driessen B, Kavun EB, Leander G, Paar C, Yalçin T (2014) Block ciphers - focus on the linear layer (feat. PRIDE). In: CRYPTO 2014, Lecture notes in computer science, vol 8616. Springer, pp 57–76

  5. 5.

    Banik S, Bogdanov A, Isobe T, Shibutani K, Hiwatari H, Akishita T, Regazzoni F (2015) Midori: a block cipher for low energy. In: ASIACRYPT 2015, Lecture notes in computer science, vol 9453, pp 411–436

    Google Scholar 

  6. 6.

    Banik S, Pandey SK, Peyrin T, Sasaki Y, Sim SM, Todo Y (2017) GIFT: a small present - towards reaching the limit of lightweight encryption. In: CHES 2017, Lecture notes in computer science, vol 10529. Springer, pp 321–345

  7. 7.

    Biryukov A, Khovratovich D, Nikolic I (2009) Distinguisher and related-key attack on the full AES-256 (extended version). IACR Cryptology ePrint Archive 2009:241

    MATH  Google Scholar 

  8. 8.

    Biryukov A, Nikolic I (2013) Complementing feistel ciphers. In: FSE 2013, Lecture notes in computer science, vol 8424. Springer, pp 3–18

  9. 9.

    Black J, Rogaway P, Shrimpton T (2002) Black-box analysis of the block-cipher-based hash-function constructions from PGV. In: CRYPTO 2002, Lecture notes in computer science, vol 2442. Springer, pp 320–335

  10. 10.

    Bogdanov A, Knudsen LR, Leander G, Paar C, Poschmann A, Robshaw MJB, Seurin Y, Vikkelsoe C (2007) PRESENT: an ultra-lightweight block cipher. In: CHES 2007, Lecture notes in computer science, vol 4727. Springer, pp 450–466

  11. 11.

    Brachtl BO, Coppersmith D, Hyden MM, Matyas SM Jr, Meyer CH, Oseas J, Pilpel S, Schilling M (1990) Data authentication using modification detection codes based on a public one way encryption function. US Patent 4,908,861

  12. 12.

    Dolmatov V (2010) Gost 28147-89: encryption, decryption, and message authentication code (mac) algorithms. Tech rep

  13. 13.

    Gérault D, Lafourcade P (2016) Related-key cryptanalysis of midori. In: INDOCRYPT 2016, Lecture notes in computer science, vol 10095, pp 287–304

    Google Scholar 

  14. 14.

    Grosso V, Leurent G, Standaert F, Varici K (2014) Ls-designs: Bitslice encryption for efficient masked software implementations. In: FSE 2014, Lecture notes in computer science, vol 8540. Springer, pp 18–37

  15. 15.

    Guo J, Jean J, Nikolic I, Qiao K, Sasaki Y, Sim SM (2015) Invariant subspace attack against full midori64. IACR Cryptology ePrint Archive 2015:1189

    Google Scholar 

  16. 16.

    Guo J, Peyrin T, Poschmann A, Robshaw MJB (2011) The LED block cipher. In: CHES 2011, Lecture notes in computer science, vol 6917. Springer, pp 326–341

  17. 17.

    Hirose S (2006) Some plausible constructions of double-block-length hash functions. In: FSE 2006, Lecture notes in computer science, vol 4047. Springer, pp 210–225

  18. 18.

    Hong D, Kim D, Kwon D, Kim J (2016) Improved preimage attacks on hash modes of 8-round AES-256. Multimed Tools Appl 75(22):14,525–14,539

    Article  Google Scholar 

  19. 19.

    Hong D, Sung J, Hong S, Lim J, Lee S, Koo B, Lee C, Chang D, Lee J, Jeong K, Kim H, Kim J, Chee S (2006) HIGHT: a new block cipher suitable for low-resource device. In: CHES 2006, Lecture notes in computer science, vol 4249. Springer, pp 46–59

  20. 20.

    Khovratovich D, Biryukov A, Nikolic I (2009) Speeding up collision search for byte-oriented hash functions. In: CT-RSA 2009, Lecture notes in computer science, vol 5473. Springer, pp 164–181

  21. 21.

    Kim H, Kim D, Yi O, Kim J (2018) Cryptanalysis of hash functions based on blockciphers suitable for iot service platform security. Accepted at Multimedia Tools Applications

  22. 22.

    Knudsen LR, Leander G, Poschmann A, Robshaw MJB (2010) Printcipher: a block cipher for ic-printing. In: CHES 2010, Lecture notes in computer science, vol 6225. Springer, pp 16–32

  23. 23.

    Knudsen LR, Mendel F, Rechberger C, Thomsen SS (2009) Cryptanalysis of MDC-2. In: EUROCRYPT 2009, Lecture notes in computer science, vol 5479. Springer, pp 106–120

  24. 24.

    Ko Y, Hong S, Lee W, Lee S, Kang J (2004) Related key differential attacks on 27 rounds of XTEA and full-round GOST. In: FSE 2004, Lecture notes in computer science, vol 3017. Springer, pp 299–316

  25. 25.

    Leander G, Abdelraheem MA, AlKhzaimi H, Zenner E (2011) A cryptanalysis of printcipher: The invariant subspace attack. In: CRYPTO 2011, Lecture notes in computer science, vol 6841. Springer, pp 206–221

  26. 26.

    Lee Y, Jeong K, Lee C, Sung J, Hong S (2014) Related-key cryptanalysis on the full printcipher suitable for ic-printing IJDSN 10

    Article  Google Scholar 

  27. 27.

    McKay KA, Bassham L, Turan MS, Mouha N (2016) Report on lightweight cryptography. NIST

  28. 28.

    Preneel B, Govaerts R, Vandewalle J (1993) Hash functions based on block ciphers: a synthetic approach. In: CRYPTO 1993, Lecture notes in computer science, vol 773. Springer, pp 368–378

  29. 29.

    Shibutani K, Isobe T, Hiwatari H, Mitsuda A, Akishita T, Shirai T (2011) Piccolo: an ultra-lightweight blockcipher. In: CHES 2011, Lecture notes in computer science, vol 6917. Springer, pp 342–357

  30. 30.

    Stevens M, Bursztein E, Karpman P, Albertini A, Markov Y (2017) The first collision for full SHA-1. In: CRYPTO 2017, Lecture notes in computer science, vol 10401. Springer, pp 570–596

  31. 31.

    Wang X, Yin YL, Yu H (2005) Finding collisions in the full SHA-1. In: CRYPTO 2005, Lecture notes in computer science, vol 3621. Springer, pp 17–36

  32. 32.

    Wang X, Yu H (2005) How to break MD5 and other hash functions. In: EUROCRYPT 2005, Lecture notes in computer science, vol 3494. Springer, pp 19–35

Download references

Acknowledgements

This work was supported as part of Military Crypto Research Center (UD170109ED) funded by Defense Acquisition Program Administration (DAPA) and Agency for Defense Development (ADD).

Author information

Affiliations

Authors

Corresponding author

Correspondence to Jongsung Kim.

Additional information

Publisher’s note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

This article is part of the Topical Collection: Special Issue on IoT System Technologies based on Quality of Experience

Guest Editors: Cho Jaeik, Naveen Chilamkurti, and SJ Wang

Appendices

Appendix A: Conditions on △,▽,αn, βn, and γn to conduct collision attacks

Table 15 presents the necessary conditions on several differences to apply the collision attack frame in Fig. 2 [21]. The column ‘Differential property of blockcipher’ shows (αn, βn, γn)-triples, representing plaintext, key, and ciphertext differences respectively. For the DBL hash functions, two triples are given, of which the first one is for the upper blockcipher and the second one is for the below blockcipher. Note that PGV nos. 1, 2, 5, 6, 9, 10, MDC-2 and HIROSE might be vulnerable when the base blockcipher has a differential property that satisfies αn = γn according to Table 15.

Table 15 The relation among related-key differential properties, △, and ▽ to yield two-block colliding messages on hash functions

Appendix B: A chosen-key differential path for 12-round reduced AES-256

We show one example among our 255 differential paths for 12-round reduced AES-256 in Table 16.

Table 16 Differential path for 12-round reduced AES-256

Appendix C: Two free-start colliding message pairs for Midori-64-based Davies-Meyer

Tables 17 and 18 both show the free-start colliding message pairs of Midori-64-based Davies-Meyer. Table 17 shows the collision message pair in the assumption using the same IV, and Table 18 shows the collision message pair in the case of using different IV s.

Table 17 A free-start colliding message pair for Midori-64-based Davies-Meyer with a same IV
Table 18 A free-start colliding message pair for Midori-64-based Davies-Meyer with different IV s

Rights and permissions

Reprints and Permissions

About this article

Verify currency and authenticity via CrossMark

Cite this article

Kim, H., Park, M., Cho, J. et al. Weaknesses of some lightweight blockciphers suitable for IoT systems and their applications in hash modes. Peer-to-Peer Netw. Appl. 13, 489–513 (2020). https://doi.org/10.1007/s12083-019-00734-2

Download citation

Keywords

  • Blockcipher-based hash functions
  • Related-key differential paths
  • Chosen-key differential paths
  • Invariant subspace property
  • Collision attacks
  • IoT systems