Equivalent Key Recovery Attacks against HMAC and NMAC with Whirlpool Reduced to 7 Rounds
Jian Guo1, Yu Sasaki2, Lei Wang1, Meiqin Wang3 and Long Wen3
1: Nanyang Technological University, Singapore 2: NTT Secure Platform Laboratories, Japan
3: Shandong University, China
FSE 2014 (05/March/2014)
Initially discussed at ASK 2013 at Weihai
Research Summary
• Improved key recovery attack on HMAC-Whirlpool (complexity 2^{482.3} in the camera-ready version)
• Convert MitM attacks on AES-based ciphers into the known-plaintext model.
Whirlpool
• AES-based 512-bit hash function proposed by Barreto and Rijmen in 2000
• Standardised by ISO
• Recommended by NESSIE
• Implemented in many cryptographic libraries
• HMAC-Whirlpool is also implemented in those libraries.
More Structure on Whirlpool
• Narrow-pipe Merkle-Damgård iteration
• The compression function CF is built in Miyaguchi-Preneel mode from an AES-based block cipher E: H_i = E_{H_{i-1}}(M_{i-1}) ⊕ M_{i-1} ⊕ H_{i-1}.
[Figure: H_0 (= IV) -> CF(M_0) -> H_1 -> ... -> CF(M_{ℓ-1}) -> H_ℓ = tag, all wires 512 bits. Inset: one CF, with H_{i-1} as the key input of E, M_{i-1} as the data input, and both fed forward into the output.]
HMAC
• Proposed by Bellare et al. in 1996 with a proof of being a PRF up to birthday-order queries.
• Generates a MAC with two hash function calls: tag = H((K ⊕ opad) || H((K ⊕ ipad) || M)).
[Figure: inner Hash Function on IV and (K ⊕ ipad) || M; outer Hash Function on IV and (K ⊕ opad) || inner output; the outer output is the tag.]
HMAC at the CF Level
[Figure: inner chain IV -> CF(K ⊕ ipad) = K_in -> CF(M_0) -> CF(m_1 || padI); outer chain IV -> CF(K ⊕ opad) = K_out -> CF(inner output) -> CF(padO) -> tag.]
• Equivalent keys: K_in = CF(IV, K ⊕ ipad) and K_out = CF(IV, K ⊕ opad). Every MAC computation depends on K only through these two chaining values, so recovering (K_in, K_out) is as good as recovering K.
Initial Thoughts
• The previous key recovery attack on HMAC-Whirlpool reaches up to 6 rounds.
• At Eurocrypt 2013, Derbez et al. presented a 7-round key recovery attack on AES using a MitM attack in the chosen-plaintext model.
• Can we apply the MitM attack to 7-round HMAC-Whirlpool?
• The application is not easy!!
Overview
[Figure: the HMAC-at-CF-level diagram. Inside the outer CF that absorbs the inner hash output, the block cipher E is keyed with K_out; its plaintext pt is the inner hash output, its ciphertext is ct, and the CF output v goes through the final CF(padO) to give the tag.]
• Collect many pairs of (pt, ct) and run the MitM attack.
• K_out is used as the key input of the AES-based cipher E; it is what the MitM attack must recover.
Difficulties of the MitM Attack
[Figure: as in the Overview, with pt, ct, v and K_out marked.]
• In HMAC, the attacker can only observe the tag value.
1. pt is unknown
2. pt is random
3. v and ct are unknown
Our Strategy for Difficulty 1
[Figure: as in the Overview; the inner chain is marked for internal state recovery.]
• In HMAC, the attacker can only observe the tag value.
1. pt is unknown -> internal state recovery
2. pt is random
3. v and ct are unknown
[LPW-AC13]: the internal state after a 1-block message is recovered with O(2^{3n/4}) complexity. Once that inner state is known, pt (the inner hash output) follows by hashing the remaining block forward.
Our Strategy for Difficulty 3
[Figure: as in the Overview; the final CF(padO) is marked for the precomputed look-up table.]
• In HMAC, the attacker can only observe the tag value.
1. pt is unknown -> internal state recovery
2. pt is random
3. v and ct are unknown -> precomputed look-up table
Generate 2^z pairs (v, tag) in advance. Since padO is a public constant, tag = CF(v, padO) is a fixed function of v, and with probability 2^{-(n-z)} an observed tag is in the table and is converted back to v.
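The structure behind the last slides (two hash calls, the equivalent keys K_in/K_out at the CF level, and the pt/ct/v/tag decomposition of the outer call) in runnable form. This is an added example, not code from the paper or from any Whirlpool implementation: it uses a toy 16-byte narrow-pipe Merkle-Damgård hash with a Miyaguchi-Preneel compression function whose block cipher E is a stand-in keyed PRF built from SHA-256 (an assumption made so the example runs on the standard library; the real Whirlpool cipher is AES-like with a 64-byte state). The 8-byte length field in the padding and all function names are choices of this example.

```python
import hashlib

# Toy parameters: chaining value and message block have the same size
# (narrow pipe, as Whirlpool's 512/512). 16 bytes so everything is instant.
BLOCK = 16
IV = bytes(BLOCK)
IPAD, OPAD = 0x36, 0x5C


def xor(*parts: bytes) -> bytes:
    out = bytearray(BLOCK)
    for p in parts:
        for i, b in enumerate(p):
            out[i] ^= b
    return bytes(out)


def E(key: bytes, pt: bytes) -> bytes:
    """Stand-in block cipher (assumption: a keyed PRF from SHA-256, not the
    AES-like cipher inside Whirlpool). Only its key/data roles matter here."""
    return hashlib.sha256(b"toy-E|" + key + b"|" + pt).digest()[:BLOCK]


def cf(h_prev: bytes, m: bytes) -> bytes:
    """Miyaguchi-Preneel: H_i = E_{H_{i-1}}(M_{i-1}) xor M_{i-1} xor H_{i-1}."""
    assert len(h_prev) == BLOCK and len(m) == BLOCK
    return xor(E(h_prev, m), m, h_prev)


def pad(msg: bytes) -> bytes:
    """MD strengthening: 0x80, zeros, then the bit length (8 bytes, toy)."""
    p = msg + b"\x80"
    p += bytes((-len(p) - 8) % BLOCK)
    return p + (8 * len(msg)).to_bytes(8, "big")


def md_continue(h: bytes, consumed: int, rest: bytes) -> bytes:
    """Absorb `rest` starting from chaining value h reached after `consumed`
    bytes. Padding depends only on the total length, so the prefix content is
    not needed: pad a zero prefix of the right length and drop it."""
    tail = pad(bytes(consumed) + rest)[consumed:]
    for i in range(0, len(tail), BLOCK):
        h = cf(h, tail[i:i + BLOCK])
    return h


def md_hash(msg: bytes) -> bytes:
    return md_continue(IV, 0, msg)


def hmac_toy(key: bytes, msg: bytes) -> bytes:
    """HMAC as on the slides: H((K xor opad) || H((K xor ipad) || M)), one-block key."""
    assert len(key) == BLOCK
    inner = md_hash(xor(key, bytes([IPAD]) * BLOCK) + msg)
    return md_hash(xor(key, bytes([OPAD]) * BLOCK) + inner)


def equivalent_keys(key: bytes):
    """K_in = CF(IV, K xor ipad), K_out = CF(IV, K xor opad)."""
    k_in = cf(IV, xor(key, bytes([IPAD]) * BLOCK))
    k_out = cf(IV, xor(key, bytes([OPAD]) * BLOCK))
    return k_in, k_out


def hmac_from_equivalent_keys(k_in: bytes, k_out: bytes, msg: bytes) -> bytes:
    """Holding only (K_in, K_out), compute valid tags for any message: the
    first block of each hash call is already absorbed, K itself is never used."""
    inner = md_continue(k_in, BLOCK, msg)
    return md_continue(k_out, BLOCK, inner)


def pad_o_block() -> bytes:
    """padO: the outer call hashes (K xor opad) || inner, i.e. 2*BLOCK bytes,
    so the padding fills a whole third block that is a public constant."""
    return pad(bytes(2 * BLOCK))[2 * BLOCK:]


def outer_call_view(k_out: bytes, inner: bytes):
    """Inside the outer CF that absorbs the inner digest: E is keyed with
    K_out, pt is the inner digest, ct = E_{K_out}(pt), the CF output is
    v = ct xor pt xor K_out, and the tag is CF(v, padO)."""
    pt = inner
    ct = E(k_out, pt)
    v = xor(ct, pt, k_out)
    tag = cf(v, pad_o_block())
    return pt, ct, v, tag


if __name__ == "__main__":
    K = hashlib.sha256(b"constructed demo key").digest()[:BLOCK]  # constructed
    M = b"constructed message for the toy HMAC"
    k_in, k_out = equivalent_keys(K)
    assert hmac_from_equivalent_keys(k_in, k_out, M) == hmac_toy(K, M)
    pt, ct, v, tag = outer_call_view(k_out, md_continue(k_in, BLOCK, M))
    assert tag == hmac_toy(K, M)
    print("tag forged from (K_in, K_out) only:", tag.hex())
```

Two things to take from running it: the forgery never touches K, which is why the paper calls K_in/K_out equivalent keys; and tag = cf(v, padO) with a constant padO is a one-argument function of v, which is exactly what makes a precomputed (v, tag) table the right tool for difficulty 3, while ct itself still hides behind the K_out feed-forward.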
MitM Attacks on AES Based Ciphers in Known Plaintext Model
Whirlpool Internal Block Cipher
• 8×8-byte state
• 10 rounds; unlike AES, the last round keeps its MixRows operation
• The key schedule applies to the key state the same operations the round function applies to the data state
[Figure: key path and data path, each round SB, SC, MR; the key path additionally absorbs the round constant const_x in round x; data input pt, key input K_out.]
Notations: d-set and n-d-set
For a byte-oriented cipher, a d-set is a set of 256 texts in which one byte takes all 256 values (Active) and every other byte takes a fixed value (Constant). If n bytes are active, so that the set has 256^n texts, we call it an n-d-set.
d-set (8×8 state, A = active, C = constant):
A C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C
12-d-set used in our attack:
A A A C A A C C A C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C A C C A A C A A A C C C C C C C C C C C C C C C C
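The d-set / n-d-set notion as code, so the "all 256 values in the active bytes, fixed elsewhere" property can be generated and checked mechanically. Added example, not from the paper: it models the 8×8-byte state as 64 bytes in the reading order of the slide's A/C grid (an assumption about how the grid was flattened; the property itself does not depend on it), builds an n-d-set from a base text and a list of active positions, and checks the definition on an arbitrary set of texts. The 12 active positions come from the slide's 12-d-set mask; the base text is constructed.

```python
from itertools import product
from typing import Iterable, Iterator, List, Sequence

STATE_BYTES = 64  # 8x8-byte Whirlpool state, flattened

# The slide's 12-d-set mask, transcribed row by row as printed (constructed
# from the slide; row- vs column-major does not change the n-d-set property).
SLIDE_12D_MASK = "AAACAACCA" + "C" * 23 + "CCCCCCCACCAACAAA" + "C" * 16


def active_positions(mask: str) -> List[int]:
    """Byte positions marked Active in an A/C mask of the whole state."""
    assert len(mask) == STATE_BYTES
    return [i for i, c in enumerate(mask) if c == "A"]


def n_d_set(base: bytes, active: Sequence[int]) -> Iterator[bytes]:
    """Yield the 256^n texts of an n-d-set: the n active bytes run through
    every combination of values, every other byte stays equal to `base`."""
    assert len(base) == STATE_BYTES
    for values in product(range(256), repeat=len(active)):
        t = bytearray(base)
        for pos, val in zip(active, values):
            t[pos] = val
        yield bytes(t)


def is_n_d_set(texts: Iterable[bytes], active: Sequence[int]) -> bool:
    """Check the definition: exactly 256^n distinct texts of the right size,
    each active byte takes all 256 values, each constant byte is fixed."""
    texts = list(texts)
    n = len(active)
    if len(set(texts)) != 256 ** n or any(len(t) != STATE_BYTES for t in texts):
        return False
    columns = [set(col) for col in zip(*texts)]       # per-byte value sets
    const = [i for i in range(STATE_BYTES) if i not in active]
    return (all(len(columns[i]) == 1 for i in const)
            and all(len(columns[i]) == 256 for i in active))


if __name__ == "__main__":
    active12 = active_positions(SLIDE_12D_MASK)
    print(len(active12), "active bytes at positions", active12)
    base = bytes(range(STATE_BYTES))                   # constructed base text
    one = list(n_d_set(base, active12[:1]))            # a plain d-set
    print(len(one), "texts, valid d-set:", is_n_d_set(one, active12[:1]))
```

A full 12-d-set has 256^12 = 2^96 texts and is never materialised; the generator is only enumerated for small n here. The size is the point of the slides that follow: in the known-plaintext setting only a fraction of those 2^96 elements is ever observed, so the attack needs the larger set to keep enough of them.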
Previous MitM Attack on AES (1/2)
• 7R characteristic: 4 -> 1 -> 4 -> 16 -> 4 -> 1 -> 4 -> 16 (active bytes per state)
• 4-round middle distinguisher
– Consider a function f which maps #X[0] to #Y[0]. The number of all possible such functions is (2^8)^{256} = 2^{2048}.
– For a pair of texts satisfying the characteristic, construct a d-set by modifying #X[0], (d_0, d_1, …, d_255). Then {f(d_0), f(d_1), …, f(d_255)} can take only 2^{80} possibilities.
[Figure: the 7 rounds split as E_pre / E_mid (the 4 rounds from #X to #Y) / E_post, with subkeys u1, u2, k3, k4 and round operations SB, SR, MC, AK.]
Previous MitM Attack on AES (2/2)
• 7-round characteristic
Offline: precompute the 2^{80} possible distinguisher sequences.
Online: collect pairs of plaintext and ciphertext satisfying the input and output differential forms.
- For each pair, guess sk_pre and change the plaintext so that a d-set is constructed at #X[0].
- For each modified plaintext, obtain the ciphertext.
- Guess sk_post and match against the precomputed distinguishers.
[Figure: round 1 (sk_pre) / middle 4 rounds from #X to #Y with 2^{80} possibilities / rounds 6 and 7 (sk_post).]
Is It Applicable to HMAC-Whirlpool?
The answer is not obvious.
• Chosen-plaintext vs. known-plaintext
– Cannot efficiently collect plaintext pairs
– After constructing a d-set at #X[0], the corresponding ciphertext is obtained only probabilistically (the multiset technique cannot be used)
• 4×4 state vs. 8×8 state
– The larger state of Whirlpool is easier to analyze
– (the 2^{-468} filter of the multiset technique is no longer enough)
• The Whirlpool key schedule is easier to analyze
Our Strategy
• Chosen-plaintext vs. known-plaintext
– Cannot efficiently collect plaintext pairs
– After constructing a d-set at #X, the corresponding ciphertext is obtained only probabilistically (the multiset technique cannot be used)
Remedies:
– Use an n-d-set instead of a d-set: more elements are examined, so enough of them remain even though each ciphertext is obtained only probabilistically.
– Simply increase the data amount.
MitM Attack on HMAC-Whirlpool (1/4)
• 7R characteristic: 32 -> 12 -> 24 -> 64 -> 8 -> 1 -> 8 -> 64 (active bytes per state)
• 4-round middle distinguisher
– Consider a function f which maps 12 bytes of #X to #Y[0]. The number of all such functions is huge: (2^8)^{2^{96}}.
– For a pair of texts satisfying the characteristic, construct a 12-d-set by modifying #X, (d_0, d_1, …, d_{2^{96}-1}). Then {f(d_0), f(d_1), …, f(d_{2^{96}-1})} takes only 2^{360} possibilities (45 byte parameters).
[Figure: the 7 rounds split as E_pre / E_mid (the 4 rounds from #X to #Y) / E_post, with subkeys u0, u1, u2, k3, k4, k5 and round operations SB, SR, MC, AK.]
MitM Attack on HMAC-Whirlpool (2/4)
• 7-round characteristic
Offline: precompute the 2^{360} possible distinguisher sequences.
Online: collect pairs of plaintext and ciphertext satisfying the input and output differential forms.
- For each pair, guess sk_pre and change the plaintext so that a 12-d-set is constructed at #X.
- For each modified plaintext, obtain the ciphertext.
- Guess sk_post and match against the precomputed distinguishers.
[Figure: round 1 / middle 4 rounds from #X to #Y with 2^{360} possibilities / rounds 6 and 7.]
MitM Attack on HMAC-Whirlpool (3/4)
- For each pair, guess sk_pre and change the plaintext so that a 12-d-set is constructed at #X.
- For each modified plaintext, obtain the ciphertext.
- Guess sk_post and match against the precomputed distinguishers.
Problems in the known-plaintext setting:
1. Due to the known-plaintext model, only a part of the 12-d-set can be obtained.
2. Due to the conversion from tag to ct, ct is obtained only probabilistically.
3. We cannot know which element of the 12-d-set has been obtained, so the precomputation table cannot be sorted (match cost ≠ 1).
Problems 1 and 2 can be resolved by using more data.
MitM Attack on HMAC-Whirlpool (4/4)
[Figure: data path from the plaintext through the first rounds (SB, SR, MC) with key K_out; the states #X and #X' are marked, and 16 bytes are guessed at #X'.]
• The previous attack only recovers up to #X.
• In Whirlpool we know more bytes. By guessing 16 more bytes at #X', we can recover all the bytes that index the 2^{360} distinguisher table.
• The match is then done on sorted data.
Remarks on Attacks
• The best differential characteristic and the number of n-d-sets were searched for by a program.
• An optimization technique for building the conversion table from tag to v.
• (Time, Mem, Data) = (2^{490.3}, 2^{481}, 2^{481.3}); 2^{482.3} in the camera-ready version.
• K_in recovery is easier because it is a chosen-plaintext (CPA), not a known-plaintext (KPA), setting.
[Figure: HMAC at the CF level with K_out already recovered; the remaining target is K_in in the inner chain CF(K_in, M_0) -> CF(padI), whose output passes through CF(K_out, ·) -> CF(padO) -> tag.]
Concluding Remarks
• 7-round key recovery attack on HMAC-Whirlpool
• Based on the MitM attack on AES, but with many different problems and many optimizations for HMAC and AES-based compression functions
• Application to Sandwich-MAC remains open.
– needs unknown-plaintext recovery with different keys
[Figure: Sandwich-MAC finalisation: E with inputs H_{i-1} and K, output tag.]
Thank you !!