Ubiquitous Weak-Key Classes of BRW-Polynomial Function

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10831)


The BRW-polynomial function has been suggested as a preferred alternative to the ordinary polynomial function, owing to its high efficiency and its seemingly non-existent weak keys. In this paper we investigate the weak-key issue of the BRW-polynomial function and of BRW-instantiated cryptographic schemes. Although, in BRW-polynomial evaluation, the relationship between the polynomial coefficients and the input blocks is indistinct, we give a recursive algorithm that, for any given \((2^{v+1}-1)\)-block message, computes another \((2^{v+1}-1)\)-block message such that their output differential under BRW-polynomial evaluation equals any given polynomial of degree s, where \(v\ge \lfloor \log _2(s+1)\rfloor \). With this algorithm we show that every non-empty key subset is a weak-key class of the BRW-polynomial function, and that every key subset consisting of at least two keys is a weak-key class of BRW-instantiated schemes such as the Wegman-Carter scheme, the UHF-then-PRF scheme and DCT. In the authenticated-encryption scheme DCT in particular, both confidentiality and integrity collapse completely under weak keys of the BRW-polynomial function, and such keys are ubiquitous.
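The construction the abstract describes, worked through as an added example (this is not the authors' code, and the recursion in it is derived here directly from Bernstein's BRW definition rather than taken from the paper, so it may differ from the authors' published algorithm): BRW evaluation over GF(2^128) kept as a polynomial in the key h, a routine that for a \((2^{v+1}-1)\)-block message and any target polynomial of degree at most \(2^{v+1}-2\) produces a second message whose output differential equals that polynomial, and the resulting collision on a chosen key set, which turns directly into a Wegman-Carter forgery. The field encoding, the constructed message blocks and key values, and the `pad` standing in for the PRF output F_K(N) are all assumptions of the example.

```python
# Added example, not the paper's code: BRW hashing over GF(2^128), a differential construction
# derived from the BRW recursion, and the weak-key collision and Wegman-Carter forgery it yields.
# Field: GF(2^128) mod x^128+x^7+x^2+x+1, plain polynomial-basis encoding (an assumption here).
R = (1 << 128) | 0x87

def gf_mul(a, b):
    """Multiply two field elements (ints below 2^128)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> 128:
            a ^= R
    return r

# Polynomials in the hash key h with GF(2^128) coefficients: Python list, index = degree.
def trim(p):
    while p and p[-1] == 0:
        p.pop()
    return p

def p_add(p, q):
    return trim([(p[i] if i < len(p) else 0) ^ (q[i] if i < len(q) else 0)
                 for i in range(max(len(p), len(q)))])

def p_mul(p, q):
    r = [0] * (len(p) + len(q) - 1) if p and q else []
    for i, a in enumerate(p):
        for j, b in enumerate(q):
            r[i + j] ^= gf_mul(a, b)
    return trim(r)

def p_eval(p, h):
    acc = 0
    for c in reversed(p):  # Horner's rule
        acc = gf_mul(acc, h) ^ c
    return acc

def brw(m):
    """BRW_h(m_1..m_n) as a polynomial in h (Bernstein's definition, t = largest 2^k <= n)."""
    n = len(m)
    if n == 0:
        return []
    if n == 1:
        return trim([m[0]])
    if n == 2:
        return trim([m[1], m[0]])                                # m1*h + m2
    if n == 3:
        return p_add(p_mul([m[0], 1], [m[1], 0, 1]), [m[2]])    # (h+m1)(h^2+m2) + m3
    t = 1 << (n.bit_length() - 1)
    return p_add(p_mul(brw(m[:t - 1]), [m[t - 1]] + [0] * (t - 1) + [1]), brw(m[t:]))

def brw_hash(m, h):
    return p_eval(brw(m), h)

def brw_differential(m, d):
    """For a (2^(v+1)-1)-block m and target d of degree <= 2^(v+1)-2, return m' of the same
    length with brw(m) + brw(m') == d.  Recursion derived here from brw(): the left half
    absorbs the coefficients of h^t and above, m_t the h^(t-1) one, the right half the rest.
    It is one valid construction, not necessarily the authors' published algorithm."""
    n = len(m)
    assert n > 0 and n & (n + 1) == 0, "block count must be 2^(v+1)-1"
    assert len(d) <= n, "target degree exceeds n-1"
    d = d + [0] * (n - len(d))
    if n == 1:
        return [m[0] ^ d[0]]
    if n == 3:  # brw(m) = h^3 + m1*h^2 + m2*h + (m1*m2 + m3)
        m1, m2 = m[0] ^ d[2], m[1] ^ d[1]
        return [m1, m2, gf_mul(m[0], m[1]) ^ m[2] ^ gf_mul(m1, m2) ^ d[0]]
    t = (n + 1) // 2
    left, mt, right = m[:t - 1], m[t - 1], m[t:]
    a = d[t:]                                    # wanted coefficients of h^t .. h^(2t-2)
    new_left = brw_differential(left, a)         # brw(new_left) = brw(left) + a
    new_mt = mt ^ d[t - 1]                       # brw(left) is monic of degree t-1
    target = p_add(p_add(p_add(d, [0] * t + a), p_mul(brw(left), [d[t - 1]])),
                   p_mul(a, [new_mt]))           # what brw(right) + brw(new_right) must equal
    assert len(target) <= t - 1
    return new_left + [new_mt] + brw_differential(right, target)

def weak_class_poly(keys):
    """d(h) = prod (h + k), zero exactly on the chosen keys."""
    d = [1]
    for k in keys:
        d = p_mul(d, [k, 1])
    return d

def wc_tag(h, pad, m):
    """Wegman-Carter tag BRW_h(m) xor F_K(N); `pad` stands in for the PRF output F_K(N)."""
    return brw_hash(m, h) ^ pad

def demo():
    """Weak class {1, 2, 3} (constructed) hit with a constructed 7-block message."""
    keys = [1, 2, 3]
    m = [0x1234567 * (i + 1) for i in range(7)]
    return keys, m, brw_differential(m, weak_class_poly(keys))

if __name__ == "__main__":
    keys, m, m2 = demo()
    print(all(brw_hash(m, k) == brw_hash(m2, k) for k in keys))        # True: collision
    print(wc_tag(keys[0], 0xdead, m) == wc_tag(keys[0], 0xdead, m2))   # True: forged tag
```

A three-key class needs a differential of degree 3, hence at least 7 blocks (v = 2); the same routine handles 1, 3, 15, 31, ... blocks, and `p_add(brw(m), brw(m2))` is the symbolic check that the differential is exactly the chosen polynomial, independent of any particular key. Because the differential is a polynomial in h that vanishes on the whole class, one valid (N, M, tag) observed under any key in the class yields the forgery (N, M', tag) with no further work.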


Keywords

Weak key, Polynomial evaluation hash, BRW-polynomial, DCT, Message authentication code, Authenticated encryption



The authors would like to thank the anonymous reviewers for their helpful comments and suggestions. The work of this paper is supported by the National Key Basic Research Program of China (2014CB340603) and the National Natural Science Foundation of China (Grants 61472415, 61732021, 61772519).


  1. Abdelraheem, M.A., Beelen, P., Bogdanov, A., Tischhauser, E.: Twisted polynomials and forgery attacks on GCM. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 762–786. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_29
  2. Abdelraheem, M.A., Bogdanov, A., Tischhauser, E.: Weak-key analysis of POET. Cryptology ePrint Archive, Report 2014/226 (2014). http://eprint.iacr.org/2014/226
  3. Abed, F., Fluhrer, S., Foley, J., Forler, C., List, E., Lucks, S., McGrew, D., Wenzel, J.: The POET family of on-line authenticated encryption schemes (2014). http://competitions.cr.yp.to/caesar-submissions.html
  4. Andreeva, E., Bogdanov, A., Lauridsen, M.M., Luykx, A., Mennink, B., Tischhauser, E., Yasuda, K.: AES-COBRA (2014). http://competitions.cr.yp.to/caesar-submissions.html
  5. Bernstein, D.J.: The Poly1305-AES message-authentication code. In: Gilbert, H., Handschuh, H. (eds.) FSE 2005. LNCS, vol. 3557, pp. 32–49. Springer, Heidelberg (2005). https://doi.org/10.1007/11502760_3
  6. Bernstein, D.J.: Polynomial evaluation and message authentication (2011). http://cr.yp.to/papers.html#pema
  7. Black, J., Halevi, S., Krawczyk, H., Krovetz, T., Rogaway, P.: UMAC: fast and secure message authentication. In: Wiener [38], pp. 216–233 (1999). https://doi.org/10.1007/3-540-48405-1_14
  8. Carter, L., Wegman, M.N.: Universal classes of hash functions. J. Comput. Syst. Sci. 18(2), 143–154 (1979)
  9. Chakraborty, D., Mancillas-López, C.: Double ciphertext mode: a proposal for secure backup. IJACT 2(3), 271–287 (2012). https://doi.org/10.1504/IJACT.2012.045588
  10. Chakraborty, D., Sarkar, P.: HCH: a new tweakable enciphering scheme using the hash-encrypt-hash approach. In: Barua, R., Lange, T. (eds.) INDOCRYPT 2006. LNCS, vol. 4329, pp. 287–302. Springer, Heidelberg (2006). https://doi.org/10.1007/11941378_21
  11. Etzel, M., Patel, S., Ramzan, Z.: SQUARE hash: fast message authentication via optimized universal hash functions. In: Wiener [38], pp. 234–251 (1999). https://doi.org/10.1007/3-540-48405-1_15
  12. Forler, C., List, E., Lucks, S., Wenzel, J.: Efficient beyond-birthday-bound-secure deterministic authenticated encryption with minimal stretch. In: Liu, J.K., Steinfeld, R. (eds.) ACISP 2016. LNCS, vol. 9723, pp. 317–332. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-40367-0_20
  13. Halevi, S., Krawczyk, H.: MMH: software message authentication in the Gbit/second rates. In: Biham, E. (ed.) FSE 1997. LNCS, vol. 1267, pp. 172–189. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0052345
  14. Handschuh, H., Preneel, B.: Key-recovery attacks on universal hash function based MAC algorithms. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 144–161. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-85174-5_9
  15. Harris, S.: The Enchilada authenticated ciphers (2014). http://competitions.cr.yp.to/caesar-submissions.html
  16. Hoang, V.T., Krovetz, T., Rogaway, P.: Robust authenticated-encryption AEZ and the problem that it solves. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 15–44. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_2
  17. IEEE Std 1619.2-2010: IEEE standard for wide-block encryption for shared storage media (2011)
  18. Krawczyk, H.: LFSR-based hashing and authentication. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 129–139. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48658-5_15
  19. McGrew, D.A., Fluhrer, S.R.: The extended codebook (XCB) mode of operation. IACR Cryptology ePrint Archive 2004, 278 (2004). http://eprint.iacr.org/2004/278
  20. McGrew, D.A., Viega, J.: The Galois/Counter mode of operation (GCM) (2004). http://csrc.nist.gov/groups/ST/toolkit/BCM/
  21. McGrew, D.A., Viega, J.: The security and performance of the Galois/Counter mode of operation (full version). IACR Cryptology ePrint Archive 2004, 193 (2004). http://eprint.iacr.org/2004/193
  22. Mennink, B.: Weak keys for AEZ, and the external key padding attack. In: Handschuh, H. (ed.) CT-RSA 2017. LNCS, vol. 10159, pp. 223–237. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-52153-4_13
  23. Morales-Luna, G.: On formal expressions of BRW-polynomials. IACR Cryptology ePrint Archive 2013, 3 (2013). http://eprint.iacr.org/2013/003
  24. Peyrin, T., Seurin, Y.: Counter-in-tweak: authenticated encryption modes for tweakable block ciphers. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 33–63. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53018-4_2
  25. Procter, G., Cid, C.: On weak keys and forgery attacks against polynomial-based MAC schemes. In: Moriai, S. (ed.) FSE 2013. LNCS, vol. 8424, pp. 287–304. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-43933-3_15
  26. Rabin, M.O., Winograd, S.: Fast evaluation of polynomials by rational preparation. Commun. Pure Appl. Math. 25(4), 433–458 (1972)
  27. Saarinen, M.-J.O.: Cycling attacks on GCM, GHASH and other polynomial MACs and hashes. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 216–225. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34047-5_13
  28. Sarkar, P.: Efficient tweakable enciphering schemes from (block-wise) universal hash functions. IEEE Trans. Inf. Theory 55(10), 4749–4760 (2009). https://doi.org/10.1109/TIT.2009.2027487
  29. Sarkar, P.: Tweakable enciphering schemes using only the encryption function of a block cipher. Inf. Process. Lett. 111(19), 945–955 (2011). https://doi.org/10.1016/j.ipl.2011.06.014
  30. Sarkar, P.: Modes of operations for encryption and authentication using stream ciphers supporting an initialisation vector. Crypt. Commun. 6(3), 189–231 (2014). https://doi.org/10.1007/s12095-013-0097-7
  31. Shoup, V.: Sequences of games: a tool for taming complexity in security proofs. IACR Cryptology ePrint Archive 2004, 332 (2004). http://eprint.iacr.org/2004/332
  32. Stinson, D.R.: Universal hashing and authentication codes. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 74–85. Springer, Heidelberg (1992). https://doi.org/10.1007/3-540-46766-1_5
  33. Stinson, D.R.: On the connections between universal hashing, combinatorial designs and error-correcting codes. In: Electronic Colloquium on Computational Complexity (ECCC), vol. 2, no. 52 (1995). http://eccc.hpi-web.de/eccc-reports/1995/TR95-052/index.html
  34. Sun, Z., Wang, P., Zhang, L.: Weak-key and related-key analysis of hash-counter-hash tweakable enciphering schemes. In: Foo, E., Stebila, D. (eds.) ACISP 2015. LNCS, vol. 9144, pp. 3–19. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-19962-7_1
  35. Wang, P., Feng, D., Wu, W.: HCTR: a variable-input-length enciphering mode. In: Feng, D., Lin, D., Yung, M. (eds.) CISC 2005. LNCS, vol. 3822, pp. 175–188. Springer, Heidelberg (2005). https://doi.org/10.1007/11599548_15
  36. Wang, P., Li, Y., Zhang, L., Zheng, K.: Related-key almost universal hash functions: definitions, constructions and applications. In: Peyrin, T. (ed.) FSE 2016. LNCS, vol. 9783, pp. 514–532. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-52993-5_26
  37. Wegman, M.N., Carter, L.: New hash functions and their use in authentication and set equality. J. Comput. Syst. Sci. 22(3), 265–279 (1981)
  38. Wiener, M. (ed.): CRYPTO 1999. LNCS, vol. 1666. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1
  39. Zhu, B., Tan, Y., Gong, G.: Revisiting MAC forgeries, weak keys and provable security of Galois/Counter Mode of operation. In: Abdalla, M., Nita-Rotaru, C., Dahab, R. (eds.) CANS 2013. LNCS, vol. 8257, pp. 20–38. Springer, Cham (2013). https://doi.org/10.1007/978-3-319-02937-5_2

Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  1. State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China
  2. Data Assurance and Communication Security Research Center, Chinese Academy of Sciences, Beijing, China
  3. School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China
