KeyRecovery Attacks Against the MAC Algorithm Chaskey
Abstract
Chaskey is a Message Authentication Code (MAC) for 32bit microcontrollers proposed by Mouha et al. at SAC 2014. Its underlying blockcipher uses an EvenMansour construction with a permutation based on the ARX methodology. In this paper, we present keyrecovery attacks against Chaskey in the single and multiuser setting. These attacks are based on recent work by Fouque, Joux and Mavromati presented at Asiacrypt 2014 on EvenMansour based constructions. We first show a simple attack on the classical singleuser setting which confirms the security properties of Chaskey. Then, we describe an attack in the multiuser setting and we recover all keys of \(2^{43}\) users by doing \(2^{43}\) queries per user. Finally, we show a variant of this attack where we are able to recover keys of two users in a smaller group of \(2^{32}\) users.
Keywords
Message Authentication Code Collisionbased cryptanalysis ARX EvenMansour Chaskey Multiuser setting1 Introduction
A Message Authentication Code (MAC) algorithm is a basic component in many cryptographic systems and its goal is to provide integrity and data authentication. For this, it takes as input a message M and a nbit secret key K, and outputs a tag \(\tau \) which is usually appended to M. In general, MAC algorithms are built from universal hash functions, hash functions or block ciphers. The first security property of a MAC is that it should be impossible to recover the key K faster than \(2^{n}\) operations (key recovery attack). It should also be impossible for an attacker to forge a tag for any unseen message without knowing the key (MAC forgery). Here, the attacker selects a message and simply guesses the correct MAC value without any knowledge of the key. The probability that the guess will be correct is \(2^{t}\) where t is the size of the tag \(\tau \). However, such attacks can be avoided by making the tag sufficiently large. MACs based on universal hash functions compute the universal hash of the message to authenticate and then encrypt this value. MAC algorithms based on block ciphers are usually given as a mode of operation for the block cipher. Typically, CBCMAC is very similar to the CBC encryption mode of operation and is one of the most commonly used MACs.
The implementation of a MAC algorithm on a typical microcontroller is a challenging issue as many problems may appear. More precisely, the use of a MAC based on a hash function or a block cipher might have a negative impact on the speed of the microcontroller due to the computational cost of the operations required by the underlying functions.
Recently, at SAC 2014, a new MAC algorithm named Chaskey has been introduced by Mouha et al. [8]. It is a permutationbased MAC algorithm and its underlying permutation relies on the ARX design. The designers claim that Chaskey is a lightweight algorithm which overcomes the implementation issues of a MAC on a microcontroller. The construction of Chaskey is based on some simple variants of the CBCMAC proposed by Black et al. [3]. As CBCMAC is not secure when used with messages of variable length, these variants were designed to authenticate arbitrary length messages. Alternatively, Chaskey can also be seen as an iterated EvenMansour construction where the same subkey is xored in the input and output of the last permutation round.
In Asiacrypt 2014, Fouque et al. [6] presented new techniques to attack the EvenMansour scheme in the multiuser setting. Based on this work, we present here some keyrecovery attacks against the MAC algorithm Chaskey in the single and multiuser setting.
The paper is organized as follows: in Sect. 2 we recall the necessary background, present the multiuser setting, the EvenMansour scheme and the general principle of collisionbased attacks using the distinguished points method, in Sect. 3 we present the main specifications of the Chaskey MAC algorithm and finally, in Sect. 4, we describe new attacks against Chaskey.
2 Preliminaries
2.1 The Multiuser Setting
The security of most schemes in cryptography is usually studied when we have a single recipient of encrypted data: the singleuser model. However, this setting ignores an important dimension of the real world where there are many users, who are all using the same algorithms, but each one has its own key. In this setting, the attacker tries to recover all or fraction of keys more efficiently than the complexity of the attack in the singleuser model times the number of users. This can be done by amortizing the cost of the attack among the users.
In [7], Menezes studies the security of MAC algorithms in the multiuser setting. He shows that the security degrades when we pass from one to many users. The scenario attack against MAC algorithms in the multiuser setting can be seen as follows. Let \(H_{K} : \{0,1\}^{*} \rightarrow \{0,1\}^{t}\) be a family of MACs where \(K \in \{0,1\}^{k}\). In the singleuser model, it should be hard for an attacker who has access to an oracle \(H_{K}\) to generate a valid messagetag pair \((m, \tau )\) without knowing the key K. In the multiuser setting, we suppose that we have L users with keys \(K^{(i)} \in \{0,1\}^k\) where \(0 \le i \le (L1)\). Then for an attacker who has access to oracles for \(H_{K^{(i)}}\), it should be difficult to produce a triplet \((i,m,\tau )\).
2.2 CollisionBased Attacks Using the Distinguished Point Technique Against the EvenMansour Scheme
They also remark that, for two different users i and j, two chains constructed by using \(F_\varPi ^{(i)}\) and \(F_{\varPi }^{(j)}\), where \(F_\varPi ^{(i)}(m) = m \oplus \varPi ^{(i)}(m) \oplus \varPi ^{(i)}(m \oplus \delta )\) and \(F_\varPi ^{(j)}(m) = m \oplus \varPi ^{(j)}(m) \oplus \varPi ^{(j)}(m \oplus \delta )\), can also become parallel and their constant difference would be equal to the XOR of the users keys, i.e. \(K_{1}^{(i)} \oplus K_{1}^{(j)}\).
To attack EvenMansour using the distinguished point technique in the multiuser setting, they build a set of chains for the public user using the function f and a small number of chains for every user by using the keyed permutation F. Whenever a collision \(F^{(i)}(x) = F^{(j)}(y)\) for two points x and y, where \(x = y \oplus K_1\), is detected between two users \(U_{i}\) and \(U_{j}\), it yields \(K_{1}^{(i)} \oplus K_{1}^{(j)}\). From these collisions it is possible to construct a graph whose vertices are the users and the edges represent the xor of the first keys of the users with two colliding chains, i.e. \(K_{1}^{(i)} \oplus K_{1}^{(j)}\). When enough edges are present a giant component appears in the graph. Then, it suffices to find a single collision \(F^{(i)}(x) = f(y)\) between a user and the public user to reveal all keys of the users in the giant component.
One of the main ideas of their technique is to detect parallel chains by simply testing if \(\pi (y) \oplus \pi (y \oplus \delta ) = \varPi (x) \oplus \varPi (x \oplus \delta )\) for two distinguished point x and y where \(x = y \oplus K_1\). This does not add any extra cost, as values of \(\pi (y) \oplus \pi (y \oplus \delta )\) and \(\varPi (x) \oplus \varPi (x \oplus \delta )\) are needed to calculate the next element of the chain. Also, it does not require to go back and recompute the chains to detect the merging points.
3 The MAC Algorithm Chaskey
Chaskey was proposed at SAC 2014 by Mouha et al. It is a permutationbased MAC algorithm and its underlying permutation is based on the ARX design. Its design is similar to the permutation of the MAC algorithm SipHash [1]. However, in Chaskey, a state of 128bits (instead of 256bits in SipHash) is used which is decomposed in 4 words of 32bits (instead of 64bits in SipHash). Also, different rotation constants are used.
Chaskey takes as input a message M of arbitrary size and a 128bit key K. The message M is split into \(\ell \) blocks \(m_{1}, m_{2}, \ldots , m_{\ell }\) of 128 bits each. If the last block is incomplete, a padding is applied. It outputs the tbit tag \(\tau \) (where \(t \le n\)) that authenticates the message M. The underlying function is a permutation constructed using the ARX design.
Two subkeys \(K_1\) and \(K_2\) are generated from K as follows: \(K_1\) is equal to the result of the multiplication by 2 (binary notation) of K and \(K_2\) is equal to the multiplication by 2 of \(K_1\). In general, we define \(K_1 = \alpha K\) and \(K_2 = \alpha ^{2} K\). To define multiplication in \(GF(2^n)\), we need to specify the irreducible polynomial f(x) of degree n that defines the representation of the field. The designers of Chaskey choose their irreductible polynomial to be \(f(x) = x^{128} + x^{7} + x^{2} + x + 1\).
The authors prove that Chaskey is secure up to \(D = 2^{n/2}\) chosen plaintexts and \(T = 2^{n}/D\) queries to \(\pi \) or \(\pi ^{1}\).
4 CollisionBased Attacks Against Chaskey
The main idea of all attacks is to build chains by using a function based on Chaskey and then search for collisions between them. For this, a function that can be used to build chains should be defined. However, in the case of Chaskey, for every user we can build two different chains depending on the subkey that we are using (Fig. 2).
4.1 KeyRecovery Attack in the SingleUser Setting
In this section, we show that an attack with complexity \(2^{64}\) can be applied in the classical singleuser scenario. This attack does not contradict the security bound showed in the original paper of Chaskey and has similar complexity with possible slide attacks based on [2]. However, with this attack we show a simple application on Chaskey of the parallel chains detection technique.
 1.Create two chains constructed by using both:until \(f_{1}(M) \oplus f_{1}(M \oplus \delta )\) and \(f_{2}(M^{'}) \oplus f_{2}(M^{'} \oplus \delta )\) reach a distinguished point.$$\begin{aligned} F_{f_{1}}(M) = f_{1}(M) \oplus f_{1}(M \oplus \delta ) \oplus M \ \ \text {and} \ \ F_{f_{2}}(M^{'}) = f_{2}(M^{'}) \oplus f_{2}(M^{'} \oplus \delta ) \oplus M^{'} \end{aligned}$$
 2.
Store all endpoints of the constructed chains and search for collisions between the two different types of chains, i.e. for two plaintexts M and \(M^{'}\) search for \((F_{f_{1}}(M))^{a} = (F_{f_{2}}(M^{'}))^{b}\) where \(a,b \ge 1\) is the number of iterations of the respective functions. (For the rest of this paper, to facilitate the reading, the use of a and b will be omitted from equations that represent collisions between chains.)
 3.If a collision is found, recover the XOR of the two inputs \(M \oplus M^{'}\) which is expected to be equal to:and thus recover the key K.$$\begin{aligned} K_{1} \oplus K \oplus K_{2} \oplus K = (\alpha + \alpha ^{2})K \end{aligned}$$
4.2 KeyRecovery Attack in the Multiuser Setting
 1.
In a set of L users, for every user \(U_{i}\) where \(0 \le i \le (L1)\), build a constant number of chains, starting from an arbitrary plaintext, using the function \(F_{f_{s}}\). For every user, create some chains using the function \(F_{f_{1}}(M) = f_{1}(M) \oplus f_{1}(M \oplus \delta ) \oplus M\) until \(f_{1}(M) \oplus f_{1}(M \oplus \delta )\) reaches a distinguished point and some chains using the function \(F_{f_{2}}(M) = f_{2}(M) \oplus f_{2}(M \oplus \delta ) \oplus M\) until \(f_{2}(M) \oplus f_{2}(M \oplus \delta )\) reaches a distinguished poit.
 2.
Construct some chains for the unkeyed user starting from an arbitrary plaintext, by iterating the function \(F_{\pi }\).
 3.Store the endpoints and search for collisions between the users. In the case of Chaskey, we can have three types of collisions between the keyed users:

A collision between the two chains \(F_{f_{1}}(M)\) and \(F_{f_{2}}(M^{'})\) of the same user i and, in this case, we recover \(K_{1}^{(i)} \oplus K^{(i)} \oplus K_{2}^{(i)} \oplus K^{(i)}\). As \(K_{1}^{(i)} = \alpha K^{(i)}\) and \(K_{2}^{(i)} = \alpha ^{2} K^{(i)}\), we have that \(M \oplus M^{'} = (\alpha + \alpha ^{2})K^{(i)}\).

A collision between two similar chains of two different users i and j: \(F_{f_{1}}^{(i)}(M) = F_{f_{1}}^{(j)}(M^{'})\) or \(F_{f_{2}}^{(i)}(M) = F_{f_{2}}^{(j)}(M^{'})\). Then, we recover \(K_{1}^{(i)} \oplus K^{(i)} \oplus K_{1}^{(j)} \oplus K^{(j)} = (1 + \alpha ) (K^{(i)} \oplus K^{(j)})\) or \(K_{2}^{(i)} \oplus K^{(i)} \oplus K_{2}^{(j)} \oplus K^{(j)} = (1 + \alpha ^{2}) (K^{(i)} \oplus K^{(j)})\).

A collision between two different type of chains between two different users i and j (cross collision): \(F_{f_{1}}^{(i)}(M) = F_{f_{2}}^{(j)}(M^{'})\). Then, we learn \(K_{1}^{(i)} \oplus K^{(i)} \oplus K_{2}^{(j)} \oplus K^{(j)} = (1 + \alpha )K^{(i)} \oplus (1 + \alpha ^{2})K^{(j)}\).
Also search for collisions between a chain of a keyed user i and the unkeyed user for whom we build chains by using the function \(F_{\pi }\). A collision of this type may occur by using both \(F_{f_{1}}\) or \(F_{f_{2}}\). From the first function, we learn \(K_{1}^{(i)} \oplus K^{(i)}\) and from the second function \(K_{2}^{(i)} \oplus K^{(i)}\). As a consequence, in both cases, we are able to recover \(K^{(i)}\).

 4.
Build a graph where vertices represent the keyed and unkeyed users. More precisely, each user is represented by two vertices as for each user we use two different functions to build chains. Whenever a collision is obtained between two chains, add an edge between the corresponding vertices. This edge is labelled by the relation between the keys as explained in the previous step. An example of the graph can be seen in Fig. 3.
 5.
From the key relations found before, resolve the system and recover the users keys. With only a single collision for the unkeyed user, we learn almost all keys of the giant component. If we also find a collision for the unkeyed user, then we are able to learn all keys of our giant component.
Analysis of the Attack. From [6] we know that in a group of \(N^{1/3}\) users we expect to recover almost all keys by doing \(c \cdot N^{1/3}\) queries per user (where c is a small arbitrary constant) and \(N^{1/3}\) unkeyed queries. So, for Chaskey, we are able to recover almost all keys of a group of \(2^{43}\) users by doing \(2^{43}\) queries to the unkeyed user and \(2^{43}\) queries per user.
Improvement. We show here that in the case of Chaskey, the use of \(\delta \) can be eliminated. This technique can be used when we search for a collision between two similar chains of two different users.
Thus, if we build our chains in the way presented here, we are able to have a small improvement and gain a factor of \(\sqrt{2}\) on the calculation of our chains.
4.3 Variant of the Previous Attack with Cross Collisions
We show in this section that a variant of the previous attack is also possible. Indeed, we are able to apply a similar technique and we show that we can learn keys of two users when we detect one cross collision between them.
 1.
For two users \(U_{i}\) and \(U_{j}\) in a set of L users, build a constant number of chains, starting from an arbitrary plaintext, using the function \(F_{f_{s}}\), for \(s \in \{1,2\}\). For each user, create some chains using the function \(F_{f_{1}}(M) = f_{1}(M) \oplus f_{1}(M \oplus \delta ) \oplus M\) and some chains using the function \(F_{f_{2}}(M) = f_{2}(M) \oplus f_{2}(M \oplus \delta ) \oplus M\). The construction of the chains stops when \(f_{1}(M) \oplus f_{1}(M \oplus \delta )\) and \(f_{2}(M) \oplus f_{2}(M \oplus \delta )\) reach a distinguished point.
 2.For each chain, store the endpoints and search for a cross collision. A cross collision for users \(U_i\) and \(U_j\) and for two plaintexts M and \(M^{'}\) is detected when \(F_{f_{1}}^{(i)}(M) = F_{f_{2}}^{(j)}(M^{'})\). This indicates that the XOR of the two inputs \(M \oplus M^{'}\) is expected to be equal to:$$\begin{aligned} K_{1}^{(i)} \oplus K^{(i)} \oplus K_{2}^{(j)} \oplus K^{(j)} = (1 + \alpha )K^{(i)} \oplus (1 + \alpha ^{2})K^{(j)}. \end{aligned}$$
 3.If a cross collision is detected, recover also the XOR of the corresponding outputs, which is equal to:$$\begin{aligned} K_{1}^{(i)} \oplus K_{2}^{(j)} = \alpha K^{(i)} \oplus \alpha ^{2}K^{(j)}. \end{aligned}$$
 4.Solve the system:and thus recover \(K^{(i)}\) and \(K^{(j)}\).$$\begin{aligned} (1 + \alpha ) K^{(i)} \oplus (1 + \alpha ^{2}) K^{(j)}&= \varDelta _{1}\\ \alpha K^{(i)} \oplus \alpha ^{2} K^{(j)}&= \varDelta _{2} \end{aligned}$$
5 Conclusion
In this paper, we presented keyrecovery attacks against the MAC algorithm Chaskey. All attacks are using algorithmic ideas for collision based attacks of Fouque et al. presented in [6]. They all work when using singleblock messages in the single or multiuser setting.
First, we show how to use these techniques to form an attack in the classical singleuser setting. By applying this attack, we are able to recover the key of the user by doing \(2^{64}\) operations. However, this attack does not contradict the security claim of Chaskey. Next, we presented two attacks in the multiuser setting. The first one is able to recover almost all keys of a group of \(2^{43}\) users by doing \(2^{43}\) queries per user. We also show that we can improve this attack and gain a factor of \(\sqrt{2}\). Finally, the second attack in the multiuser setting, is able to recover the keys of 2 users in a smaller group of \(2^{32}\) by doing \(2^{32}\) queries per user. We are able to achieve this new result by exploiting the use of two different keys for the last block of Chaskey.
References
 1.Aumasson, J.P., Bernstein, D.J.: SipHash: a fast shortinput PRF. In: Galbraith, S., Nandi, M. (eds.) INDOCRYPT 2012. LNCS, vol. 7668, pp. 489–508. Springer, Heidelberg (2012)CrossRefGoogle Scholar
 2.Biryukov, A., Wagner, D.: Advanced slide attacks. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 589–606. Springer, Heidelberg (2000)CrossRefGoogle Scholar
 3.Black, J., Rogaway, P.: CBC MACs for arbitrarylength messages: the threekey constructions. J. Cryptology 18(2), 111–131 (2005)MathSciNetCrossRefzbMATHGoogle Scholar
 4.Dunkelman, O., Keller, N., Shamir, A.: Minimalism in cryptography: the evenmansour scheme revisited. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 336–354. Springer, Heidelberg (2012)CrossRefGoogle Scholar
 5.Even, S., Mansour, Y.: A construction of a cipher from a single pseudorandom permutation. In: Matsumoto, T., Imai, H., Rivest, R.L. (eds.) ASIACRYPT 1991. LNCS, vol. 739, pp. 210–224. Springer, Heidelberg (1993)CrossRefGoogle Scholar
 6.Fouque, P.A., Joux, A., Mavromati, C.: Multiuser collisions: applications to discrete logarithm, evenmansour and PRINCE. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 420–438. Springer, Heidelberg (2014)Google Scholar
 7.Menezes, A.: Another look at provable security. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, p. 8. Springer, Heidelberg (2012)CrossRefGoogle Scholar
 8.Mouha, N., Mennink, B., Van Herrewege, A., Watanabe, D., Preneel, B., Verbauwhede, I.: Chaskey: an efficient MAC algorithm for 32bit microcontrollers. In: Joux, A., Youssef, A. (eds.) SAC 2014. LNCS, vol. 8781, pp. 306–323. Springer, Heidelberg (2014)CrossRefGoogle Scholar