Header menu link for other important links
Biclique cryptanalysis of full round AES-128 based hashing modes
D. Chang, M. Ghosh,
Published in Springer Verlag
Volume: 9589
Pages: 3 - 21
In this work, we revisit the security analysis of hashing modes instantiated with AES-128. We use biclique cryptanalysis as the basis for our evaluation. In Asiacrypt’11, Bogdanov et al. had proposed biclique technique for key recovery attacks on full AES-128. Further, they had shown application of this technique to find preimage for compression function instantiated with AES-128 with a complexity of 2125. 56. However, this preimage attack on compression function cannot be directly converted to preimage attack on hash function. This is due to the fact that the initialization vector (IV) is a publically known constant in the hash function settings and the attacker is not allowed to change it, whereas the compression function attack using bicliques introduced differences in the chaining variable. We extend the application of biclique technique to the domain of hash functions and demonstrate second preimage attack on all 12 PGV modes. The complexities of finding second preimages in our analysis differ based on the PGV construction chosen-the lowest being 2126.3 and the highest requiring 2126.6 compression function calls. We implement C programs to find the best biclique trails (that guarantee the lowest time complexity possible) and calculate the above mentioned values accordingly. Our security analysis requires only 2 message blocks and works on full 10 rounds of AES-128 for all 12 PGV modes. This improves upon the previous best result on AES-128 based hash functions by Sasaki at FSE’11 where the maximum number of rounds attacked is 7. Though our results do not significantly decrease the attack complexity factor as compared to brute force but they highlight the actual security margin provided by these constructions against second preimage attack. © Springer International Publishing Switzerland 2016.