Abstract
Twelve PGV models, MDC-2, and HIROSE, which are blockcipher-based hash functions, have been proven secure as hash functions when they are instantiated with ideal blockciphers. However, their security cannot be guaranteed when the underlying blockciphers have weak key-schedules. In this paper, we propose various related-key or chosen-key differential paths for Fantomas, Midori-128, GOST, and 12-round reduced AES-256 that exploit key-schedules with weak diffusion. We then describe how these differential paths undermine the security of PGV models, MDC-2, or HIROSE. In addition, we show that the invariant subspace attacks on PRINT and Midori-64 can be transferred to collision attacks on some of their hash modes.
Notes
If we fix the value of a certain byte of \(M_2\) so that the 1st-round differential is satisfied, the differential probability increases to \(2^{-44}\), and thus the number of trials for \(M_2\) drops to \(2^{46}\).
In the security proof of HIROSE [17], it suffices that the involution σ toggles a single bit. Indeed, the role of σ in HIROSE is to ensure that the two blockciphers of a compression function receive different inputs.
If σ flips one of the bits 32 ∼ 63, then in addition to (i), (ii), and (iii), \(((S(\sigma(G_{1}^{i}[1]) \boxplus H_{1}^{i}[0])^{<<<1} \oplus G_{1}^{i}[0])_{w},\ H_{1,w}^{i}[1])\) must be (1, 0) or (0, 1). This increases the attack complexity.
References
CryptoLUX. Lightweight block ciphers. www.cryptolux.org/index.php/LightweightBlockCiphers. Accessed 15 Dec 2017
(2012) ZigBee specification. Document 053474r20
(2015) Hash functions using the lightweight block cipher LEA. IoTFS-0078
Albrecht MR, Driessen B, Kavun EB, Leander G, Paar C, Yalçin T (2014) Block ciphers - focus on the linear layer (feat. PRIDE). In: CRYPTO 2014, Lecture notes in computer science, vol 8616. Springer, pp 57–76
Banik S, Bogdanov A, Isobe T, Shibutani K, Hiwatari H, Akishita T, Regazzoni F (2015) Midori: a block cipher for low energy. In: ASIACRYPT 2015, Lecture notes in computer science, vol 9453. Springer, pp 411–436
Banik S, Pandey SK, Peyrin T, Sasaki Y, Sim SM, Todo Y (2017) GIFT: a small present - towards reaching the limit of lightweight encryption. In: CHES 2017, Lecture notes in computer science, vol 10529. Springer, pp 321–345
Biryukov A, Khovratovich D, Nikolic I (2009) Distinguisher and related-key attack on the full AES-256 (extended version). IACR Cryptology ePrint Archive 2009:241
Biryukov A, Nikolic I (2013) Complementing Feistel ciphers. In: FSE 2013, Lecture notes in computer science, vol 8424. Springer, pp 3–18
Black J, Rogaway P, Shrimpton T (2002) Black-box analysis of the block-cipher-based hash-function constructions from PGV. In: CRYPTO 2002, Lecture notes in computer science, vol 2442. Springer, pp 320–335
Bogdanov A, Knudsen LR, Leander G, Paar C, Poschmann A, Robshaw MJB, Seurin Y, Vikkelsoe C (2007) PRESENT: an ultra-lightweight block cipher. In: CHES 2007, Lecture notes in computer science, vol 4727. Springer, pp 450–466
Brachtl BO, Coppersmith D, Hyden MM, Matyas SM Jr, Meyer CH, Oseas J, Pilpel S, Schilling M (1990) Data authentication using modification detection codes based on a public one way encryption function. US Patent 4,908,861
Dolmatov V (2010) GOST 28147-89: encryption, decryption, and message authentication code (MAC) algorithms. Tech. rep.
Gérault D, Lafourcade P (2016) Related-key cryptanalysis of Midori. In: INDOCRYPT 2016, Lecture notes in computer science, vol 10095. Springer, pp 287–304
Grosso V, Leurent G, Standaert F, Varici K (2014) LS-designs: bitslice encryption for efficient masked software implementations. In: FSE 2014, Lecture notes in computer science, vol 8540. Springer, pp 18–37
Guo J, Jean J, Nikolic I, Qiao K, Sasaki Y, Sim SM (2015) Invariant subspace attack against full Midori64. IACR Cryptology ePrint Archive 2015:1189
Guo J, Peyrin T, Poschmann A, Robshaw MJB (2011) The LED block cipher. In: CHES 2011, Lecture notes in computer science, vol 6917. Springer, pp 326–341
Hirose S (2006) Some plausible constructions of double-block-length hash functions. In: FSE 2006, Lecture notes in computer science, vol 4047. Springer, pp 210–225
Hong D, Kim D, Kwon D, Kim J (2016) Improved preimage attacks on hash modes of 8-round AES-256. Multimed Tools Appl 75(22):14525–14539
Hong D, Sung J, Hong S, Lim J, Lee S, Koo B, Lee C, Chang D, Lee J, Jeong K, Kim H, Kim J, Chee S (2006) HIGHT: a new block cipher suitable for low-resource device. In: CHES 2006, Lecture notes in computer science, vol 4249. Springer, pp 46–59
Khovratovich D, Biryukov A, Nikolic I (2009) Speeding up collision search for byte-oriented hash functions. In: CT-RSA 2009, Lecture notes in computer science, vol 5473. Springer, pp 164–181
Kim H, Kim D, Yi O, Kim J (2018) Cryptanalysis of hash functions based on blockciphers suitable for IoT service platform security. Multimed Tools Appl (accepted)
Knudsen LR, Leander G, Poschmann A, Robshaw MJB (2010) PRINTcipher: a block cipher for IC-printing. In: CHES 2010, Lecture notes in computer science, vol 6225. Springer, pp 16–32
Knudsen LR, Mendel F, Rechberger C, Thomsen SS (2009) Cryptanalysis of MDC-2. In: EUROCRYPT 2009, Lecture notes in computer science, vol 5479. Springer, pp 106–120
Ko Y, Hong S, Lee W, Lee S, Kang J (2004) Related key differential attacks on 27 rounds of XTEA and full-round GOST. In: FSE 2004, Lecture notes in computer science, vol 3017. Springer, pp 299–316
Leander G, Abdelraheem MA, AlKhzaimi H, Zenner E (2011) A cryptanalysis of PRINTcipher: the invariant subspace attack. In: CRYPTO 2011, Lecture notes in computer science, vol 6841. Springer, pp 206–221
Lee Y, Jeong K, Lee C, Sung J, Hong S (2014) Related-key cryptanalysis on the full PRINTcipher suitable for IC-printing. Int J Distrib Sens Netw 10
McKay KA, Bassham L, Turan MS, Mouha N (2016) Report on lightweight cryptography. NIST
Preneel B, Govaerts R, Vandewalle J (1993) Hash functions based on block ciphers: a synthetic approach. In: CRYPTO 1993, Lecture notes in computer science, vol 773. Springer, pp 368–378
Shibutani K, Isobe T, Hiwatari H, Mitsuda A, Akishita T, Shirai T (2011) Piccolo: an ultra-lightweight blockcipher. In: CHES 2011, Lecture notes in computer science, vol 6917. Springer, pp 342–357
Stevens M, Bursztein E, Karpman P, Albertini A, Markov Y (2017) The first collision for full SHA-1. In: CRYPTO 2017, Lecture notes in computer science, vol 10401. Springer, pp 570–596
Wang X, Yin YL, Yu H (2005) Finding collisions in the full SHA-1. In: CRYPTO 2005, Lecture notes in computer science, vol 3621. Springer, pp 17–36
Wang X, Yu H (2005) How to break MD5 and other hash functions. In: EUROCRYPT 2005, Lecture notes in computer science, vol 3494. Springer, pp 19–35
Acknowledgements
This work was supported as part of Military Crypto Research Center (UD170109ED) funded by Defense Acquisition Program Administration (DAPA) and Agency for Defense Development (ADD).
Additional information
This article is part of the Topical Collection: Special Issue on IoT System Technologies based on Quality of Experience
Guest Editors: Cho Jaeik, Naveen Chilamkurti, and SJ Wang
Appendices
Appendix A: Conditions on \(\triangle\), \(\triangledown\), \(\alpha_n\), \(\beta_n\), and \(\gamma_n\) to conduct collision attacks
Table 15 presents the necessary conditions on several differences for applying the collision attack framework of Fig. 2 [21]. The column ‘Differential property of blockcipher’ lists \((\alpha_n, \beta_n, \gamma_n)\)-triples, representing the plaintext, key, and ciphertext differences respectively. For the DBL hash functions, two triples are given: the first for the upper blockcipher and the second for the lower blockcipher. Note that, according to Table 15, PGV nos. 1, 2, 5, 6, 9, 10, MDC-2 and HIROSE may be vulnerable whenever the base blockcipher has a differential property satisfying \(\alpha_n = \gamma_n\).
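The \(\alpha_n = \gamma_n\) condition can be checked mechanically. The following is an added example, not code from the paper: it encodes the twelve PGV modes in the Black–Rogaway–Shrimpton numbering (assumed here; it is consistent with the set of modes named above), derives for each mode which relation between \(\alpha_n\), \(\beta_n\) and \(\gamma_n\) yields a collision, and demonstrates the \(\alpha_n = \gamma_n\) case on a constructed toy Feistel cipher whose rotation-only key schedule gives it the complementation property, i.e. a related-key differential with \(\alpha = \beta = \gamma\) = all-ones holding with probability 1. That toy cipher stands in for the weak-diffusion key schedules the paper exploits and is not any of the ciphers analysed in it; the sample chaining value and message block are likewise constructed.

```python
"""Added example (not code from the paper): which PGV modes yield a collision under a
related-key differential (alpha, beta, gamma) of the base blockcipher, as in Appendix A.

The blockcipher is a constructed toy Feistel cipher whose key schedule only rotates the
master key, so E_{~K}(~P) = ~E_K(P) holds with probability 1: a related-key differential
with alpha = beta = gamma = all-ones. It is a stand-in for a weak-diffusion key schedule.
"""
from typing import Callable, Dict, Tuple

W, HALF = 32, 16                          # toy block/key size and half-block size, in bits
MASK32, MASK16 = (1 << W) - 1, (1 << HALF) - 1
ALL_ONES = MASK32


def toy_f(x: int) -> int:
    """Non-linear 16-bit round function (constructed; any fixed function would do)."""
    x &= MASK16
    y = (x * x + 0x9E37 * x + 1) & MASK16
    return ((y << 5) | (y >> (HALF - 5))) & MASK16


def toy_round_keys(key: int, rounds: int) -> list:
    """Weak key schedule: round key i is the low half of the master key rotated by 7*i bits.
    It is GF(2)-linear, so complementing the master key complements every round key."""
    ks = []
    for i in range(rounds):
        rot = (7 * i) % W
        ks.append((((key << rot) | (key >> (W - rot))) & MASK32) & MASK16)
    return ks


def toy_encrypt(key: int, pt: int, rounds: int = 8) -> int:
    """Feistel network L' = R, R' = L ^ f(R ^ k). Complementing L, R and k leaves R ^ k
    unchanged, so complemented inputs encrypt to the complemented output."""
    l, r = (pt >> HALF) & MASK16, pt & MASK16
    for k in toy_round_keys(key, rounds):
        l, r = r, l ^ toy_f(r ^ k)
    return (l << HALF) | r


# The twelve provably secure PGV modes h_i = E_key(pt) ^ ff in the Black-Rogaway-Shrimpton
# numbering (assumed). Slots are the chaining value h, the message block m, or h ^ m.
PGV: Dict[int, Tuple[str, str, str]] = {
    1: ("h", "m", "m"),    2: ("h", "hm", "hm"),  3: ("h", "m", "hm"),   4: ("h", "hm", "m"),
    5: ("m", "h", "h"),    6: ("m", "hm", "hm"),  7: ("m", "h", "hm"),   8: ("m", "hm", "h"),
    9: ("hm", "m", "m"),  10: ("hm", "h", "h"),  11: ("hm", "m", "h"),  12: ("hm", "h", "m"),
}


def pgv_compress(n: int, enc: Callable[[int, int], int], h: int, m: int) -> int:
    """One compression of PGV mode n with blockcipher enc(key, plaintext)."""
    slot = {"h": h, "m": m, "hm": h ^ m}
    key, pt, ff = PGV[n]
    return enc(slot[key], slot[pt]) ^ slot[ff]


def collision_condition(n: int) -> str:
    """Derive, over XOR differences, when an (alpha, beta, gamma) differential of E gives a
    free-start collision of mode n. Every slot difference is a GF(2) combination of the input
    differences (dh, dm); the output difference is gamma ^ (feed-forward difference), so a
    collision needs gamma to equal the feed-forward difference."""
    basis = {"h": 0b10, "m": 0b01, "hm": 0b11}       # coordinates over (dh, dm)
    key, pt, ff = PGV[n]
    beta, alpha, delta = basis[key], basis[pt], basis[ff]
    if delta == alpha:
        return "gamma == alpha"
    if delta == alpha ^ beta:
        return "gamma == alpha ^ beta"
    return "gamma == beta"                           # not reached for these twelve modes


def input_differences(n: int, alpha: int, beta: int) -> Tuple[int, int]:
    """Solve for (dh, dm) that put beta on the key slot and alpha on the plaintext slot."""
    key, pt, _ = PGV[n]
    d = {key: beta, pt: alpha}
    if "h" in d and "m" in d:
        return d["h"], d["m"]
    if "h" in d:
        return d["h"], d["h"] ^ d["hm"]
    return d["m"] ^ d["hm"], d["m"]


def free_start_collides(n: int, h: int = 0x12345678, m: int = 0x9ABCDEF0,
                        alpha: int = ALL_ONES, beta: int = ALL_ONES) -> bool:
    """Feed the toy cipher's complementation differential into mode n and check whether the
    two (h, m) inputs collide. Both h and m may differ, so this is a free-start collision."""
    dh, dm = input_differences(n, alpha, beta)
    return pgv_compress(n, toy_encrypt, h, m) == pgv_compress(n, toy_encrypt, h ^ dh, m ^ dm)


if __name__ == "__main__":
    for n in PGV:
        print(f"PGV {n:2d}: collision iff {collision_condition(n):22s} "
              f"-> complementation pair collides: {free_start_collides(n)}")
```

Running the block prints, for each mode, the derived condition and whether the complementation pair collides: modes 1, 2, 5, 6, 9 and 10 collide, while the other six (whose condition is \(\gamma = \alpha \oplus \beta\)) produce an all-ones output difference instead. The collisions are free-start, as in Table 18, because the differential places a difference on the chaining value; for a probabilistic differential the same functions apply unchanged to any conforming pair.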
Appendix B: A chosen-key differential path for 12-round reduced AES-256
We show one example among our 255 differential paths for 12-round reduced AES-256 in Table 16.
Appendix C: Two free-start colliding message pairs for Midori-64-based Davies-Meyer
Tables 17 and 18 both show free-start colliding message pairs for Midori-64-based Davies-Meyer. Table 17 shows a colliding message pair under the assumption that the same IV is used, and Table 18 shows a colliding message pair in the case of different IVs.
Cite this article
Kim, H., Park, M., Cho, J. et al. Weaknesses of some lightweight blockciphers suitable for IoT systems and their applications in hash modes. Peer-to-Peer Netw. Appl. 13, 489–513 (2020). https://doi.org/10.1007/s12083-019-00734-2