Generic Attacks against MAC algorithms, G. Leurent (Inria)

Generic Attacks against MAC algorithms
Gaëtan Leurent, Inria Rocquencourt
ASK 2015 (59 slides)
Sections: Introduction, Hash-based MACs, State recovery, Universal forgery, Key-recovery, Conclusion


  1. AEZ
     [Figure: PMAC-like structure with inputs A 1, A 2, A 3, offsets 8J, 9J, 10J, 11J, a padded last block and block cipher calls E]
     ▶ AEZ uses a variant of PMAC [Hoang, Krovetz & Rogaway ’15]
     ▶ A collision gives $J$: $[x] \oplus 9J = \mathrm{pad}([y]) \oplus 8J$
     ▶ Key derivation (AEZ v2): $J = E_0(k)$
     ▶ Collisions reveal the master key! [FLS, AC’15]

  2. Security of block cipher based MACs
     Proofs
     ▶ CBC-MAC, PMAC, and AEZ have security proofs up to the birthday bound
     Attacks: effect of collision attacks with $2^{n/2}$ queries
     ▶ CBC-MAC: almost universal forgeries [Jia & al ’09]
     ▶ PMAC: universal forgeries
     ▶ AEZ: key recovery

  3. Outline
     ▶ Introduction: MACs; Security Proofs
     ▶ Hash-based MACs: Hash-based MACs
     ▶ State recovery attacks: Using multi-collisions; Using the cycle structure; Short messages attacks using chains
     ▶ Universal forgery attacks: Using cycles; Using chains
     ▶ Key-recovery attacks: HMAC-GOST

  4. Hash-based MACs
     [Figure: iterated MAC with key-dependent initial value $I_k$, chaining values $x_0, \dots, x_3$ updated by $h$ with message blocks $m_0, m_1, m_2$, and finalization $g_k$ taking $|M|$ to produce $\mathrm{MAC}_k(M)$]
     ▶ $\ell$-bit chaining value
     ▶ $n$-bit output
     ▶ $k$-bit key
     We focus on $\ell = n = k$
     ▶ Key-dependent initial value $I_k$
     ▶ Unkeyed compression function $h$
     ▶ Key-dependent finalization, with message length: $g_k$

  5. HMAC
     ▶ HMAC has been designed by Bellare, Canetti, and Krawczyk in 1996
     ▶ Standardized by ANSI, IETF, ISO, NIST.
     ▶ Used in many applications:
        ▶ To provide authentication:
           ▶ SSL, IPSEC, ...
        ▶ To provide identification:
           ▶ Challenge-response protocols
           ▶ CRAM-MD5 authentication in SASL, POP3, IMAP, SMTP, ...
        ▶ For key-derivation:
           ▶ HMAC as a PRF in IPsec
           ▶ HMAC-based PRF in TLS

  6. Security of hash-based MACs
     ▶ Security proofs up to the birthday bound
     ▶ Generic attacks based on collisions
     ▶ Proof is tight for some security notions
        ▶ Existential forgery
        ▶ Distinguishing-R
     ▶ What is the remaining security above the birthday bound?
        ▶ Generic distinguishing-H attack?
        ▶ Generic state-recovery attack?
        ▶ Generic universal forgery attack?
        ▶ Generic key-recovery attack?

  8. Bibliography
     ▶ Y. Naito, Y. Sasaki, L. Wang, K. Yasuda. Generic State-Recovery and Forgery Attacks on ChopMD-MAC and on NMAC/HMAC. IWSEC 2013
     ▶ G. Leurent, T. Peyrin, L. Wang. New Generic Attacks against Hash-Based MACs. ASIACRYPT 2013
     ▶ I. Dinur, G. Leurent. Improved Generic Attacks against Hash-Based MACs and HAIFA. CRYPTO 2014

  9. Multi-collision based attack [Naito, Sasaki, Wang & Yasuda ’13]
     ▶ Using a fixed message block, we apply a fixed function
     ▶ Starting point and ending point unknown because of the key
     Can we detect properties of the function $h_0 : x \mapsto h(x, 0)$?
     ▶ Use bias in the output of the compression function
     ▶ Some outputs are more likely than others
     ▶ With $2^{\ell-\epsilon}$ work, find a value $x^*$ with $\ell$ preimages (offline)
     ▶ How to detect when this state is reached?

  11. Building filters
     Filters to compare online and offline states
     Test whether the state reached after processing $M$ is equal to $x$
     ▶ Collisions are preserved by the finalization (for same-length messages)
     (1) Find a collision: $h(x, c) = h(x, c')$
     (2) $\mathrm{MAC}(M \| c) \stackrel{?}{=} \mathrm{MAC}(M \| c')$

  14. First state-recovery attack [Naito, Sasaki, Wang & Yasuda ’13]
     (1) Fix a message block $m_1 = [0]$. With $2^{\ell-\epsilon}$ work, find a value $x^*$ with $\ell$ preimages
     (2) Find a collision $h(x^*, c) = h(x^*, c')$
     (3) For random $m_0$, compare $\mathrm{MAC}(m_0 \| [0] \| c)$ and $\mathrm{MAC}(m_0 \| [0] \| c')$. If they are equal, $x_2 = x^*$

  19. Structure of state-recovery attacks
     (1) Identify special states easier to reach
     (2) Build filter for special states
     (3) Build messages to reach special states. Test if special state reached using filters
     ▶ In this attack, steps 1 & 2 offline, step 3 online.

  20. Cycle based attack
     ▶ Using a fixed message block, we iterate a fixed function
     ▶ Starting point and ending point unknown because of the key
     Can we detect properties of the function $h_0 : x \mapsto h(x, 0)$?
     ▶ Study the cycle structure of random mappings
     ▶ Used to attack HMAC in related-key setting [Peyrin, Sasaki & Wang, Asiacrypt 12]

  22. Random Mappings
     ▶ Functional graph of a random mapping $x \to f(x)$
     ▶ Iterate $f$: $x_i = f(x_{i-1})$
     ▶ Collision after $\approx 2^{\ell/2}$ iterations
        ▶ Cycles
     ▶ Trees rooted in the cycle
     ▶ Several components

  25. Cycle structure
     Expected properties of a random mapping over $N$ points:
     ▶ # Components: $\frac{1}{2} \log N$
     ▶ # Cyclic nodes: $\sqrt{\pi N / 2}$
     ▶ Tail length: $\sqrt{\pi N / 8}$
     ▶ Rho length: $\sqrt{\pi N / 2}$
     ▶ Largest tree: $0.48\,N$
     ▶ Largest component: $0.76\,N$
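
The expected values on this slide can be checked empirically. The Python below is an added example, not part of the original slides: it draws random mappings from a seeded PRNG (constructed input), splits each functional graph into cycles and trees, and averages the measured statistics next to the slide's formulas. All function names are this example's own.

```python
import math
import random

def graph_stats(f):
    """Decompose the functional graph of f (list: x -> f[x]) and measure it."""
    n = len(f)
    indeg = [0] * n
    for y in f:
        indeg[y] += 1
    # Peel off tree nodes (in-degree 0, repeatedly); what is left lies on cycles.
    cyclic = [True] * n
    peeled = []
    stack = [x for x in range(n) if indeg[x] == 0]
    while stack:
        x = stack.pop()
        cyclic[x] = False
        peeled.append(x)
        indeg[f[x]] -= 1
        if indeg[f[x]] == 0:
            stack.append(f[x])
    # Each cycle identifies one component; record its length.
    comp = [-1] * n
    cycle_len = []
    for x in range(n):
        if cyclic[x] and comp[x] < 0:
            y, length = x, 0
            while comp[y] < 0:
                comp[y] = len(cycle_len)
                y, length = f[y], length + 1
            cycle_len.append(length)
    # Walk tree nodes from the cycle outwards: tail length, component, tree root.
    tail = [0] * n
    root = list(range(n))
    for x in reversed(peeled):
        tail[x] = tail[f[x]] + 1
        comp[x] = comp[f[x]]
        root[x] = root[f[x]]
    comp_size = [0] * len(cycle_len)
    tree_size = [0] * n
    for x in range(n):
        comp_size[comp[x]] += 1
        tree_size[root[x]] += 1
    return {
        "components": len(cycle_len),
        "cyclic_nodes": sum(cycle_len),
        "tail_length": sum(tail) / n,
        "rho_length": sum(tail[x] + cycle_len[comp[x]] for x in range(n)) / n,
        "largest_tree": max(tree_size) / n,            # as a fraction of N
        "largest_component": max(comp_size) / n,       # as a fraction of N
    }

def slide_formulas(n):
    """The asymptotic expectations quoted on the slide."""
    return {
        "components": 0.5 * math.log(n),
        "cyclic_nodes": math.sqrt(math.pi * n / 2),
        "tail_length": math.sqrt(math.pi * n / 8),
        "rho_length": math.sqrt(math.pi * n / 2),
        "largest_tree": 0.48,
        "largest_component": 0.76,
    }

def average_stats(n, trials, seed):
    """Average graph_stats over `trials` random mappings on n points."""
    rng = random.Random(seed)
    totals = dict.fromkeys(slide_formulas(n), 0.0)
    for _ in range(trials):
        f = [rng.randrange(n) for _ in range(n)]
        for key, value in graph_stats(f).items():
            totals[key] += value
    return {key: total / trials for key, total in totals.items()}

if __name__ == "__main__":
    n = 1 << 12
    measured, expected = average_stats(n, 60, seed=2015), slide_formulas(n)
    for key in expected:
        print(f"{key:18s} measured {measured[key]:9.3f}   slide formula {expected[key]:9.3f}")
```

At this small $N$ the component count comes out somewhat above $\frac{1}{2} \log N$, which is only the leading-order term.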

  27. Using the cycle length
     (1) Offline: find the cycle length $L$ of the main component of $h_0$
     (2) Online: query $t = \mathrm{MAC}(r \| [0]^{2^{\ell/2}})$ and $t' = \mathrm{MAC}(r \| [0]^{2^{\ell/2} + L})$
     Success if
     ▶ The starting point is in the main component: $p = 0.76$
     ▶ The cycle is reached with less than $2^{\ell/2}$ iterations: $p \geq 0.5$
     Randomize starting point

  30. Dealing with the message length
     [Figure: iterated MAC processing zero blocks, with the finalization $g_k$ taking $|M|$]
     Problem: most MACs use the message length.

  31. Dealing with the message length
     Solution: reach the cycle twice
     $M = r \| [0]^{2^{\ell/2}} \| [1] \| [0]^{2^{\ell/2}}$

  32. Dealing with the message length
     Solution: reach the cycle twice
     $M_1 = r \| [0]^{2^{\ell/2} + L} \| [1] \| [0]^{2^{\ell/2}}$
     $M_2 = r \| [0]^{2^{\ell/2}} \| [1] \| [0]^{2^{\ell/2} + L}$

  33. Distinguishing-H attack
     (1) Offline: find the cycle length $L$ of the main component of $h_0$
     (2) Online: query
         $t = \mathrm{MAC}(r \| [0]^{2^{\ell/2}} \| [1] \| [0]^{2^{\ell/2} + L})$
         $t' = \mathrm{MAC}(r \| [0]^{2^{\ell/2} + L} \| [1] \| [0]^{2^{\ell/2}})$
     (3) If $t = t'$, then $h$ is the compression function in the oracle
     Analysis
     ▶ Complexity: $2^{\ell/2}$ compression function calls
     ▶ Success probability: $p \simeq 0.14$
        ▶ Both starting points are in the main component: $p = 0.76^2$
        ▶ Both cycles are reached with less than $2^{\ell/2}$ iterations: $p \geq 0.5^2$
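
The distinguishing-H procedure above, run end to end on a toy model, as an added example that is not part of the original slides. Assumptions: a 16-bit MAC built from truncated SHA-256 (`compress`, `make_oracle`, `initial_value` and the key `0xBEEF` are constructed for illustration), and zero-block runs of $4 \cdot 2^{\ell/2}$ rather than the slide's $2^{\ell/2}$ so that the toy walks almost always reach a cycle.

```python
import hashlib
from collections import Counter
from functools import lru_cache

L_BITS = 16                   # toy size: chaining value, tag and key are all 16 bits
A = 4 << (L_BITS // 2)        # zero-block run: 4 * 2^(l/2) (assumption; slide uses 2^(l/2))

@lru_cache(maxsize=None)
def compress(label, x, m):
    """Toy 16-bit function family from truncated SHA-256 (constructed for this demo)."""
    data = label + x.to_bytes(2, "big") + m.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:2], "big")

def h(x, m):
    """The public compression function whose presence in the oracle is tested."""
    return compress(b"h", x, m)

def h_other(x, m):
    """An unrelated compression function, used for the control oracle."""
    return compress(b"other", x, m)

def initial_value(key):
    """Key-dependent initial value I_k."""
    return compress(b"I" + key.to_bytes(2, "big"), 0, 0)

def make_oracle(key, comp):
    """MAC_k(M) = g_k(x, |M|): keyed start, unkeyed comp, keyed finalization with length."""
    def mac(blocks):
        x = initial_value(key)
        for m in blocks:
            x = comp(x, m)
        return compress(b"g" + key.to_bytes(2, "big"), x, len(blocks))
    return mac

def main_cycle_length(samples=16):
    """Offline step: cycle length L of the component most start points fall into."""
    votes = Counter()
    for i in range(samples):
        x = (i * 4099 + 1) & 0xFFFF          # arbitrary spread-out start points
        for _ in range(1 << L_BITS):         # after 2^l steps x is certainly cyclic
            x = h(x, 0)
        cycle, y = [x], h(x, 0)
        while y != x:
            cycle.append(y)
            y = h(y, 0)
        votes[(min(cycle), len(cycle))] += 1  # identify a cycle by its smallest point
    (_, length), _ = votes.most_common(1)[0]
    return length

def count_equal_tags(oracle, L, trials=64):
    """Online step: query M1 and M2 (same length) for several r and count t == t'."""
    hits = 0
    for r in range(trials):
        m1 = [r] + [0] * (A + L) + [1] + [0] * A
        m2 = [r] + [0] * A + [1] + [0] * (A + L)
        hits += oracle(m1) == oracle(m2)
    return hits

def demo(key=0xBEEF):
    """Return (L, matches when the oracle uses h, matches when it uses h_other)."""
    L = main_cycle_length()
    real = count_equal_tags(make_oracle(key, h), L)
    control = count_equal_tags(make_oracle(key, h_other), L)
    return L, real, control

if __name__ == "__main__":
    L, real, control = demo()
    print(f"cycle length L = {L}")
    print(f"oracle built on h:       {real}/64 tag pairs equal")
    print(f"oracle built on h_other: {control}/64 tag pairs equal")
```

At real sizes each query would need about $2^{\ell/2}$ blocks, which is the practical limit the later slide on short message attacks raises.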

  34. State recovery attack
     ▶ Consider the first cyclic point
     ▶ With high pr., root of the giant tree
     (1) Offline: find cycle length $L$, and root of giant tree $\alpha$
     (2) Online: binary search for smallest $z$ with collisions:
         $\mathrm{MAC}(r \| [0]^{z} \| [x] \| [0]^{2^{\ell/2} + L})$, $\mathrm{MAC}(r \| [0]^{z + L} \| [x] \| [0]^{2^{\ell/2}})$
     (3) State after $r \| [0]^{z}$ is $\alpha$ (with high pr.)
     Analysis
     ▶ Complexity $2^{\ell/2} \times \ell \times \log(\ell)$

  37. Short message attacks
     Limitations of cycle-based attacks
     ▶ Messages of length $2^{\ell/2}$ are not very practical...
        ▶ SHA-1 and HAVAL limit the message length to $2^{64}$ bits
     ▶ Cycle detection impossible with messages shorter than $L \approx 2^{\ell/2}$
        ▶ Shorter cycles have a small component
     ▶ Not applicable to HAIFA hash functions
     Compare with collision finding algorithms
     ▶ Pollard’s rho algorithm uses cycle detection
     ▶ Parallel collision search of van Oorschot and Wiener uses shorter chains

  38. Chain-based attack
     ▶ Using a fixed message, we iterate a fixed sequence of functions
     ▶ Starting point and ending point unknown because of the key
     Can we detect properties of the iteration of fixed functions?
     ▶ Study the entropy loss

  40. Collision finding with short chains
     (1) Compute chains $x \leadsto y$. Stop when $y$ distinguished
     (2) If $y \in \{y_i\}$, collision found
     Theorem (Entropy loss)
     Let $f_1, f_2, \dots, f_{2^s}$ be a fixed sequence of random functions; the image of $g_{2^s} \triangleq f_{2^s} \circ \dots \circ f_2 \circ f_1$ contains about $2^{\ell - s}$ points.
     ▶ Use these states as special states (instead of cycle entry point)

  41. State-recovery attacks
     [Figure: Online Structure (oracle computations $\mathrm{MAC}(M_0), \dots, \mathrm{MAC}(M_4)$ starting from $I_k$ and ending with $g_k$) and Offline Structure (chains of $h_0, h_1, h_2$)]
     ▶ Send messages to the oracle
     ▶ Do some computations offline with the compression function
     ▶ Match the sets of points?
     ▶ How to test equality? Online chaining values unknown
     ▶ How many equality tests do we need?

  42. First attempt
     [Figure: Online Structure with $2^u$ messages $[i] \| C$ and Offline Structure with $2^t$ chains, each of length $S = 2^s$]
     ▶ Chains of length $2^s$, with a fixed message $C$
     (1) Evaluate $2^t$ chains offline. Build filters for endpoints
     (2) Query $2^u$ messages $M_i = [i] \| C$. Test endpoints with filters. Cplx: $2^{s+t+u}$
     $s + t + u = \ell$

  43. Building filters
     Filters to compare online and offline states
     Test whether the state reached after processing $M$ is equal to $x$
     ▶ Collisions are preserved by the finalization (for same-length messages)
     (1) Find a collision: $h(x, p) = h(x, p')$
     (2) $\mathrm{MAC}(M \| p) \stackrel{?}{=} \mathrm{MAC}(M \| p')$

  47. Online filters
     ▶ Using the filters is too expensive.
     ▶ If we build filters online, using them is cheap.
     (1) Find $p, p'$ s.t. $\mathrm{MAC}(M \| p) = \mathrm{MAC}(M \| p')$
     (2) $h(x, m) \stackrel{?}{=} h(x, m')$
     Cost             Build             Test
     Offline filter   $2^{\ell/2}$      $2^{s}$
     Online filter    $2^{\ell/2 + s}$  $1$

  48. First attack on HMAC-HAIFA
     ▶ Chains of length $2^s$, with a fixed message $C$
     (1) Query $2^u$ messages $M_i = [i] \| C$. Build filters for $M_i$. Cplx: $2^{s + u + \ell/2}$
     (2) Evaluate $2^t$ chains offline. Cplx: $2^{t+s}$. Test endpoints with filters. Cplx: $2^{t+u}$
     $s + t + u = \ell$

  49. First attack on HMAC-HAIFA
     ▶ Chains of length $2^s$, with a fixed message $C$
     (1) Query $2^u$ messages $M_i = [i] \| C$. Build filters for $M_i$. Cplx: $2^{s + u + \ell/2}$
     (2) Evaluate $2^t$ chains offline. Cplx: $2^{t+s}$. Test endpoints with filters. Cplx: $2^{t+u}$
     $s + t + u = \ell$
     Optimal complexity: $2^{\ell - s}$, for $s \leq \ell/6$ (using $u = s$)
     Minimum: $2^{5\ell/6}$

  50. Diamond filters
     ▶ Building filters is a bottleneck.
     ▶ Can we amortize the cost of building many filters?
     Diamond structure [Kelsey & Kohno, EC’06]
     Herd $N$ initial states to a common state
     ▶ Try $\approx 2^{\ell/2} / \sqrt{N}$ msg from each state.
     ▶ Whp, the initial states can be paired
     ▶ Repeat...
     Total $\approx \sqrt{N} \cdot 2^{\ell/2}$

  52. Diamond filters
     ▶ Building filters is a bottleneck.
     ▶ Can we amortize the cost of building many filters?
     Diamond filter
     (1) Build a diamond structure
     (2) Build a collision filter for the final state
     ▶ Can also be built online
     ▶ Building $N$ offline filters: $\sqrt{N} \cdot 2^{\ell/2}$ rather than $N \cdot 2^{\ell/2}$
     ▶ Building $N$ online filters: $\sqrt{N} \cdot 2^{\ell/2 + s}$ rather than $N \cdot 2^{\ell/2 + s}$

  53. Improved attack on HMAC-HAIFA
     ▶ Chains of length $2^s$, with a fixed message $C$
     (1) Query $2^u$ messages $M_i = [i] \| C$. Build diamond filter for $M_i$. Cplx: $2^{s + u/2 + \ell/2}$
     (2) Evaluate $2^t$ chains offline. Cplx: $2^{t+s}$. Test endpoints with filters. Cplx: $2^{t+u}$
     $s + t + u = \ell$

  54. Improved attack on HMAC-HAIFA
     ▶ Chains of length $2^s$, with a fixed message $C$
     (1) Query $2^u$ messages $M_i = [i] \| C$. Build diamond filter for $M_i$. Cplx: $2^{s + u/2 + \ell/2}$
     (2) Evaluate $2^t$ chains offline. Cplx: $2^{t+s}$. Test endpoints with filters. Cplx: $2^{t+u}$
     $s + t + u = \ell$
     Optimal complexity: $2^{\ell - s}$, for $s \leq \ell/5$ (using $u = s$)
     Minimum: $2^{4\ell/5}$

  55. Improvement using collisions (fixed function)
     (1) Compute chains $x \leadsto y$. Stop when $y$ distinguished
     (2) If $y \in \{y_i\}$, collision found
     Theorem (Entropy loss for collisions)
     Let $\hat{x}$ and $\hat{y}$ be two collisions found using chains of length $2^s$, with a fixed $\ell$-bit random function $f$. Then $\Pr[\hat{x} = \hat{y}] = \Theta(2^{2s - \ell})$.
     ▶ Use the collisions as special states (instead of cycle entry point)

  56. Trade-offs for state-recovery attacks
     [Figure: two plots, "Merkle-Damgård mode" and "HAIFA mode"; vertical axis: Complexity; horizontal axis: Length of the messages]

  58. Bibliography
     ▶ T. Peyrin, L. Wang. Generic Universal Forgery Attack on Iterative Hash-Based MACs. EUROCRYPT 2014
     ▶ J. Guo, T. Peyrin, Y. Sasaki, L. Wang. Updates on Generic Attacks against HMAC and NMAC. CRYPTO 2014
     ▶ I. Dinur, G. Leurent. Improved Generic Attacks against Hash-Based MACs and HAIFA. CRYPTO 2014

  59. Universal forgery attack
     ▶ Given a challenge message $C$, compute $\mathrm{MAC}(C)$
        ▶ $\mathrm{len}(C) = 2^s$
        ▶ Oracle access to the MAC, can’t ask $\mathrm{MAC}(C)$
     ▶ Study internal states for the computation of $\mathrm{MAC}(C)$
        ▶ Unknown because of initial key and final key
     (1) Build a different message reaching same states
     (2) Query $\mathrm{MAC}(M')$, use as forgery

  61. UF against secret-suffix MAC
     ▶ Secret-suffix has no key at the beginning
     ▶ All internal states for challenge message are known!
     ▶ Long-message second-preimage attack [Kelsey & Schneier ’05]
     ▶ $H(M) = H(C) \implies \mathrm{MAC}(M) = H(M \| k) = H(C \| k) = \mathrm{MAC}(C)$
     (1) Build an expandable message. Cplx: $2^{\ell/2}$
     (2) Find a connection from the IV to the target states. Cplx: $2^{\ell - s}$
     (3) Select expandable message

  62. UF against secret-suffix MAC
     ▶ Secret-suffix has no key at the beginning
     ▶ All internal states for challenge message are known!
     ▶ Long-message second-preimage attack [Kelsey & Schneier ’05]
     ▶ $H(M) = H(C) \implies \mathrm{MAC}(M) = H(M \| k) = H(C \| k) = \mathrm{MAC}(C)$
     (1) Build an expandable message. Cplx: $2^{\ell/2}$
     [Figure: expandable message from IV to $h^*$; each stage offers a long message of $2^7 + 1$, $2^6 + 1$, ..., $2^2 + 1$ blocks ($m_7$, ..., $m_2$) or a 1-block alternative ($m'$)]

  63. UF against secret-suffix MAC
      ▶ Secret-suffix has no key at the beginning
      ▶ All internal states for challenge message are known!
      ▶ Long-message second-preimage attack [Kelsey & Schneier ’05]
      ▶ $H(M) = H(C) \implies \mathrm{MAC}(M) = H(M \| k) = H(C \| k) = \mathrm{MAC}(C)$
      1. Build an expandable message. Cplx: $2^{\ell/2}$
      2. Find a connexion from x⋆ to the target states. Cplx: $2^{\ell-s}$
      3. Select expandable message
      [Figure: chains of h calls from IV ending in $g_k$ and MAC(C); labels h⋆, m⋆, h′⋆]
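
The three steps above, worked on a toy hash as an added example (not code from the talk). The 16-bit truncated SHA-256 compression function, the block encoding, the length block and every function name are assumptions chosen so that the searches finish instantly; the challenge message is constructed.

```python
import hashlib
from itertools import accumulate, count

L_BYTES = 2                      # toy chaining value: l = 16 bits (assumption)
IV = bytes(L_BYTES)

def h(x, m):
    """Toy unkeyed compression function: truncated SHA-256 of state || block."""
    return hashlib.sha256(x + m).digest()[:L_BYTES]

def blk(tag, i):
    return tag + i.to_bytes(3, "big")            # constructed message block

def states(blocks, x=IV):
    """Chaining values after each block, starting from state x."""
    return list(accumulate(blocks, h, initial=x))[1:]

def mac(key, blocks):
    """Secret-suffix MAC H(M || k); the last call absorbs the block count."""
    return h(states(list(blocks) + [key])[-1], blk(b"L", len(blocks)))

def expand_step(x, i):
    """From state x, collide a 1-block and a (2**i + 1)-block message."""
    prefix = [blk(b"P", j) for j in range(2 ** i)]
    p = states(prefix, x)[-1]
    short = {h(x, blk(b"A", a)): blk(b"A", a) for a in range(512)}
    for b in count():
        y = h(p, blk(b"B", b))
        if y in short:
            return y, [short[y]], prefix + [blk(b"B", b)]

def second_preimage(challenge):
    k = len(challenge).bit_length() - 1          # len(C) = 2**k blocks
    target = {t: j for j, t in enumerate(states(challenge)) if j >= k}
    x, pieces = IV, []
    for i in range(k):                           # step 1: expandable message
        x, one, many = expand_step(x, i)
        pieces.append((one, many))
    # step 2: one linking block from the end state to some target state x_j
    c = next(c for c in count() if h(x, blk(b"X", c)) in target)
    j = target[h(x, blk(b"X", c))]
    msg = []                                     # step 3: select length j
    for i, (one, many) in enumerate(pieces):
        msg += many if (j - k) >> i & 1 else one
    return msg + [blk(b"X", c)] + challenge[j + 1:]

CHALLENGE = [blk(b"C", i) for i in range(64)]    # constructed, 2**6 blocks
FORGED = second_preimage(CHALLENGE)
# The search never used a key, so the tags agree under every key.
assert all(mac(k, FORGED) == mac(k, CHALLENGE) for k in (b"key-1", b"key-2"))
```

With a keyed initial value $I_k$ the target states can no longer be computed offline, which is why the attacks on hash-based MACs later in the talk first have to recover an internal state.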

  66. UF against secret-prefix MAC
      ▶ Secret-suffix has no key at the end
      ▶ Finalization function is known!
      1. Query the MAC of $C_{|i}$ (truncated to i blocks). Cplx: $2^{2 \cdot s}$
      2. Evaluate the finalization function on $2^{\ell-s}$ states. Cplx: $2^{\ell-s}$
      3. Find a match, compute MAC
      [Figure: chain of h calls from $I_k$ over the challenge, ending in g and MAC(C)]

  67. UF against secret-prefix MAC
      ▶ Secret-suffix has no key at the end
      ▶ Finalization function is known!
      1. Query the MAC of $C_{|i}$ (truncated to i blocks). Cplx: $2^{2 \cdot s}$
      2. Evaluate the finalization function on $2^{\ell-s}$ states. Cplx: $2^{\ell-s}$
      3. Find a match, compute MAC
      [Figure: Online Structure (chain of h calls from $I_k$, g applied to each state) and Offline Structure (g applied to $2^{\ell-s}$ random states); MAC(C)]

  68. UF attack against hash-based MAC
      ▶ Combine both techniques
      1. Recover an internal state of the challenge
      2. Use second-preimage attack with known state
      ▶ Hard part is to recover an internal state
      ▶ Extract information about the challenge state through $g_k$
      ▶ Compute distance to cycle
      ▶ Use entropy loss of iterations
      [Figure: chain of h calls from $I_k$ over the challenge, ending in $g_k$ and MAC(C)]

  69. Using cycles: main idea
      ▶ Measure the distance from challenge point to cycle in $h_{[0]}$
      ▶ Add zero blocks after the challenge
      ▶ Match with offline points with known distance
      [Figure: Online Structure and Offline Structure; labels $I_k$, C, $2^s$, $2^{\ell-s}$ points, $2^{\ell/2}$]

  70. Using cycles
      1. (online) For each challenge state, use binary search to find distance:
         $\mathrm{MAC}(C_{|i} \| 0^{d+L} \| 1 \| 0^{2^{\ell/2}}) \stackrel{?}{=} \mathrm{MAC}(C_{|i} \| 0^{d} \| 1 \| 0^{2^{\ell/2}+L})$
      2. (offline) Build a structure with $2^{\ell-s}$ points with known distance.
      3. (offline) Match the challenge states and the offline structure
      4. (online) Test candidates at the right distance.
      [Figure: Online Structure and Offline Structure; labels $I_k$, C, $2^s$, $2^{\ell-s}$ points, $2^{\ell/2}$]

  71. Using chains: main idea
      ▶ Add a sequence of fixed message blocks to reduce image space
      ▶ Match in the reduced space
      [Figure: Online Structure and Offline Structure; labels $I_k$, C, $2^s$, $2^{2s}$, $2^{2s} - 2^s$, $2^{\ell-s}$ points, $2^{\ell-2s}$ images]

  72. Using chains
      1. (online) Query messages $M_i = C_{|i} \| [0]^{2^{2s}-i}$. Build diamond filter for endpoints Y
      2. (offline) Build a structure with $2^{\ell-s}$ points. Consider $2^{2s}$-images X. $|X| \le 2^{\ell-2s}$
      3. (offline) Match X and Y.
      4. (offline) For each match, find preimages as candidates.
      [Figure: Online Structure and Offline Structure; labels $I_k$, C, $2^s$, $2^{2s}$, $2^{2s} - 2^s$, $2^{\ell-s}$ points, $2^{\ell-2s}$ images]

  73. Universal forgery attacks: summary
      ▶ It is possible to perform a generic universal forgery attack
      ▶ Best attack so far: $2^{\ell-s}$, with $s \le \ell/4$ ($2^{3\ell/4}$ with $s = \ell/4$)
      ▶ Using distance to the cycle: query length $2^{\ell/2}$
        ▶ Complexity $2^{\ell-s}$, $s \le \ell/6$ [Peyrin & Wang, EC ’14]. Optimal: $2^{5\ell/6}$, with $s = 2^{\ell/6}$
        ▶ Complexity $2^{\ell-s}$, $s \le \ell/4$ [Guo, Peyrin, Sasaki & Wang, CR ’14]. Optimal: $2^{3\ell/4}$, with $s = 2^{\ell/4}$
      ▶ Later attack using chains: shorter query length $2^t$
        ▶ Complexity $2^{\ell-s}$, $s \le \ell/7$, $t = 2s$ [Dinur & L, CR ’14]. Optimal: $2^{6\ell/7}$, with $s = 2^{\ell/7}$, $t = 2^{\ell/7}$
        ▶ Complexity $2^{\ell-s/2}$, $s \le 2\ell/5$, t = [Dinur & L, CR ’14]. Optimal: $2^{4\ell/5}$, with $s = 2^{2\ell/5}$, $t = 2^{\ell/5}$

  74. Outline
      Sections: Introduction; Hash-based MACs; State recovery attacks; Universal forgery attacks; Key-recovery attacks
      Topics: MACs; Security Proofs; Hash-based MACs; Using multi-collisions; Using the cycle structure; Short messages attacks using chains; Using cycles; Using chains; HMAC-GOST

  75. GOST hash functions
      ▶ Family of Russian standards
      ▶ GOST-1994: n = ℓ = 256
      ▶ GOST-2012: n ≤ ℓ = 512, HAIFA mode (aka Streebog)
      ▶ GOST and HMAC-GOST standardized by IETF
      ▶ Checksum (dashed lines)
      ▶ Larger state should increase the security
      [Figure: chain of h calls from IV over $M_0$, …, $M_3$ with states $x_0$, …, $x_3$ of ℓ bits, then |M|, the checksum (dashed lines) and g giving an n-bit output]

  76. HMAC-GOST
      ▶ In HMAC, key-dependent value used after the message
      ▶ Related-key attacks on the last block
      [Figure: inner hash from IV over k ⊕ ipad, $M_0$, $M_1$, $M_2$ with states $x_0$, $x_1$, $x_2$, x∗ of ℓ bits, then |M| and g; outer hash from IV over k ⊕ opad, giving a t-bit output truncated from n bits]

  77. Key recovery attack on HMAC-GOST
      1. Recover the state of a short message
      2. Build a multicollision: $2^{3l/4}$ messages with the same x∗
      3. Query messages, detect collisions $g(\bar{x}, k \oplus M) = g(\bar{x}, k \oplus M')$. Store (M ⊕ M′, M) for $2^{\ell/2}$ collisions
      4. Find collisions $g(\bar{x}, y) = g(\bar{x}, y')$ offline. Store (x ⊕ y′, y) for $2^{\ell/2}$ collisions
      5. Detect match M ⊕ M′ = y ⊕ y′. With high probability M ⊕ k = y
      [Figure: hash from IV over k ⊕ ipad, $M_0$, $M_1$, $M_2$ with states $x_0$, $x_1$, $x_2$, x∗ of ℓ bits, then |M| and g]

  79. Key recovery attack on HMAC-GOST
      1. Recover the state of a short message
      2. Build a multicollision: $2^{3l/4}$ messages with the same x∗
      3. Query messages, detect collisions $g(\bar{x}, k \oplus M) = g(\bar{x}, k \oplus M')$. Store (M ⊕ M′, M) for $2^{\ell/2}$ collisions
      4. Find collisions $g(\bar{x}, y) = g(\bar{x}, y')$ offline. Store (x ⊕ y′, y) for $2^{\ell/2}$ collisions
      5. Detect match M ⊕ M′ = y ⊕ y′. With high probability M ⊕ k = y
      [Figure: hash from IV over k ⊕ ipad, $M_0$, $M_1$, $M_2$ with states $x_0$, $x_1$, $x_2$ of ℓ bits, then |M|; g takes $\bar{x}$ and k ⊕ M]

  82. Complexity
      Surprising result: the checksum actually makes the hash function weaker!
      ▶ HMAC-GOST-1994 is weaker than HMAC-SHA256
      ▶ HMAC-GOST-2012 is weaker than HMAC-SHA512
      It is important to recover the state of a short message
      ▶ For GOST-1994, we can recover the state of a short message from a longer one using padding tricks. Total complexity $2^{3\ell/4}$
      ▶ For GOST-2012, we use an advanced attack with message length $2^{\ell/10}$. Total complexity $2^{4\ell/5}$

  83. Attack complexity
      Column headers: Function, Mode, ℓ, s, St. rec., Univ. F, K. rec.

      Function     Mode       ℓ
      SHA-1        MD         160
      SHA-224      MD         256
      SHA-256      MD         256
      SHA-512      MD         512
      HAVAL        MD         256
      WHIRLPOOL    MD         512
      BLAKE-256    HAIFA      256
      BLAKE-512    HAIFA      512
      Skein-512    HAIFA      512
      GOST-94      MD+τ       256    ∞
      Streebog     HAIFA+τ    512    ∞

      [Remaining cells could not be placed by position; values in extraction order: $2^{118}$, $2^{118}$, $2^{384}$, $2^{453}$, $2^{54}$, $2^{229}$, $2^{247}$, $2^{283}$, $2^{446}$, $2^{55}$, $2^{213}$, $2^{419}$, $2^{192}$, $2^{90}$, $2^{419}$, $2^{128}$, $2^{192}$, $2^{192}$, $2^{419}$, $2^{419}$, $2^{419}$, $2^{228}$, $2^{192}$, $2^{55}$, $2^{132}$, $2^{55}$, $2^{107}$, $2^{192}$, $2^{55}$]
