Security Analysis of BLAKE2's Modes of Operation

Atul Luykx, Bart Mennink, Samuel Neves

KU Leuven (Belgium) and Radboud University (The Netherlands)

FSE 2017 March 7, 2017

1 / 14 BLAKE2

m1 m2 m3 m 0∗ `k

IV PB F F F F H(m) ⊕

t1 f1 t2 f2 t3 f3 t` f`

Cryptographic hash function • Aumasson, Neves, Wilcox-O'Hearn, Winnerlein (2013) • Simplication of SHA-3 nalist BLAKE •

2 / 14 BLAKE2

Use in Password Hashing Argon2 (Biryukov et al.) • Catena (Forler et al.) • Lyra (Almeida et al.) • Lyra2 (Simplício Jr. et al.) • Rig (Chang et al.) • Use in Authenticated Encryption AEZ (Hoang et al.) • Applications Noise Protocol Framework (Perrin) • Zcash Protocol (Hopwood et al.) • RAR 5.0 (Roshal) • 3 / 14 BLAKE2 Guo et al. 2014 Hao 2014 Khovratovich et al. 2015 Espitau et al. 2015 ???

Even slight modications may make a scheme insecure!

Security Inheritance?

BLAKE cryptanalysis Aumasson et al. 2010 Biryukov et al. 2011 Dunkelman&K. 2011

generic Andreeva et al. 2012 Chang et al. 2012

4 / 14 ???

Even slight modications may make a scheme insecure!

Security Inheritance?

BLAKE BLAKE2 cryptanalysis Aumasson et al. 2010 Guo et al. 2014 Biryukov et al. 2011 Hao 2014 Dunkelman&K. 2011 Khovratovich et al. 2015 Espitau et al. 2015 generic Andreeva et al. 2012 Chang et al. 2012

4 / 14 Even slight modications may make a scheme insecure!

Security Inheritance?

BLAKE BLAKE2 cryptanalysis Aumasson et al. 2010 Guo et al. 2014 Biryukov et al. 2011 Hao 2014 Dunkelman&K. 2011 Khovratovich et al. 2015 Espitau et al. 2015 generic Andreeva et al. 2012 ??? Chang et al. 2012

4 / 14 Security Inheritance?

BLAKE BLAKE2 cryptanalysis Aumasson et al. 2010 Guo et al. 2014 Biryukov et al. 2011 Hao 2014 Dunkelman&K. 2011 Khovratovich et al. 2015 Espitau et al. 2015 generic Andreeva et al. 2012 ??? Chang et al. 2012

Even slight modications may make a scheme insecure!

4 / 14 No structural design aws • Well-suited for composition •

Indierentiability

real world simulated world

IC C idealPrandom Rsimulator S function primitive for oracle P

distinguisher D

Indierentiability of function from a random oracle • C P is indierentiable from if simulator such that • C R ∃ S ( , ) and ( , ) indistinguishable C P R S

5 / 14

1 Indierentiability

real world simulated world

IC C idealPrandom Rsimulator S function primitive for oracle P

distinguisher D

Indierentiability of function from a random oracle • C P is indierentiable from if simulator such that • C R ∃ S ( , ) and ( , ) indistinguishable C P R S No structural design aws • Well-suited for composition •

5 / 14

1 (i) First hash-function indierentiability results • Chop-/PF-MD with ideal F indierentiable −→ (ii) Most obvious second step (composition) • But (e.g.) Davies-Meyer with ideal E dierentiable −→ (iii) Researchers focused on direct proofs • Chop-/PF-MD with Davies-Meyer and ideal E indierentiable −→

Composition1 indiff-compose-0

H

E F

H

6 / 14 (ii) Most obvious second step (composition) • But (e.g.) Davies-Meyer with ideal E dierentiable −→ (iii) Researchers focused on direct proofs • Chop-/PF-MD with Davies-Meyer and ideal E indierentiable −→

Composition2 indiff-compose-1

H

(i) E F

(i) H

(i) First hash-function indierentiability results • Chop-/PF-MD with ideal F indierentiable −→

6 / 14 (iii) Researchers focused on direct proofs • Chop-/PF-MD with Davies-Meyer and ideal E indierentiable −→

Composition3 indiff-compose-2

H

(i) E (ii) F

(i) H

(i) First hash-function indierentiability results • Chop-/PF-MD with ideal F indierentiable −→ (ii) Most obvious second step (composition) • But (e.g.) Davies-Meyer with ideal E dierentiable −→

6 / 14 Composition4 indiff-compose-3

(iii) H

(i) E (ii) F

(i)

(iii) H

(i) First hash-function indierentiability results • Chop-/PF-MD with ideal F indierentiable −→ (ii) Most obvious second step (composition) • But (e.g.) Davies-Meyer with ideal E dierentiable −→ (iii) Researchers focused on direct proofs • Chop-/PF-MD with Davies-Meyer and ideal E indierentiable −→ 6 / 14 Composition5 indiff-compose-4

(iii) H

(i) E (ii) F

(i)

(iii) H

(i) First hash-function indierentiability results • Chop-/PF-MD with ideal F indierentiable −→ (ii) Most obvious second step (composition) • But (e.g.) Davies-Meyer with ideal E dierentiable −→ (iii) Researchers focused on direct proofs • Chop-/PF-MD with Davies-Meyer and ideal E indierentiable −→ 6 / 14 Weakly Ideal Cipher Model BLAKE2 cipher has known, but harmless, properties • Analysis tolerates these properties •

Our Results

Compression Level Indierentiability BLAKE2 indierentiable at compression function level • Immediately implies • • indierentiability of sequential hash mode • indierentiability of tree/parallel hash mode • multi-key PRF security of keyed BLAKE2 mode One proof ts all! •

7 / 14 Our Results

Compression Level Indierentiability BLAKE2 indierentiable at compression function level • Immediately implies • • indierentiability of sequential hash mode • indierentiability of tree/parallel hash mode • multi-key PRF security of keyed BLAKE2 mode One proof ts all! •

Weakly Ideal Cipher Model BLAKE2 cipher has known, but harmless, properties • Analysis tolerates these properties •

7 / 14 BLAKE2 Compression Function

n \

m

2n \ n h \

n \

n/2 2n n \ \ \

0 h0 E \

n/4 n n \ t \

n/4 \

f n \

IV

h is state, m is message, t is counter, f is ag • IV is initialization value •

8 / 14 Weak- and strong-subspace invariance for weak keys • Evaluation of E in BLAKE2 is never weak • (as left half of IV is not of the form cccc)

Weakly Ideal Cipher Model E is an ideal cipher modulo above property •

Underlying Block Cipher

k k k k k k k k  k k k k 

k k k k  \  2n

a a a a a a a a

2n 2n 0 0 0 0 \

b b b b \ b0 b0 b0 b0 c c c c E c c c c ! 0 0 0 0 ! d d d d d0 d0 d0 d0

9 / 14 Weak- and strong-subspace invariance for weak keys • Evaluation of E in BLAKE2 is never weak • (as left half of IV is not of the form cccc)

Underlying Block Cipher

k k k k k k k k  k k k k 

k k k k  \  2n

a a a a a a a a

2n 2n 0 0 0 0 \

b b b b \ b0 b0 b0 b0 c c c c E c c c c ! 0 0 0 0 ! d d d d d0 d0 d0 d0

Weakly Ideal Cipher Model E is an ideal cipher modulo above property •

9 / 14 Evaluation of E in BLAKE2 is never weak • (as left half of IV is not of the form cccc)

Underlying Block Cipher

k k k k k k k k  k k k k 

k k k k  \  2n

a a a a a a a a

2n 2n 0 0 0 0 \

b b b b \ b0 b0 b0 b0 c c c c E c c c c ! 0 0 0 0 ! d d d d d0 d0 d0 d0

Weakly Ideal Cipher Model E is an ideal cipher modulo above property • Weak- and strong-subspace invariance for weak keys •

9 / 14 Underlying Block Cipher

k k k k k k k k  k k k k 

k k k k  \  2n

a a a a a a a a

2n 2n 0 0 0 0 \

b b b b \ b0 b0 b0 b0 c c c c E c c c c ! 0 0 0 0 ! d d d d d0 d0 d0 d0

Weakly Ideal Cipher Model E is an ideal cipher modulo above property • Weak- and strong-subspace invariance for weak keys • Evaluation of E in BLAKE2 is never weak • (as left half of IV is not of the form cccc)

9 / 14 inverse query−−→ hits 0-block −−−−→ collision in uniformly random−−→ responses q Indiff E (q) = Θ F ,S 2n/2  

input matches legitimate F -call? yes no

consult R input weak?

yes no reply like weak reply uniformly permutation at random

Proof Idea

Construction F E: Simulator : S

n \

m

2n \ n h \

n \

n/2 2n n \ \ \

0 h0 E \

n/4 n n \ t \

n/4 \

f n \

IV

10 / 14 inverse query−−→ hits 0-block −−−−→ collision in uniformly random−−→ responses q Indiff E (q) = Θ F ,S 2n/2  

Proof Idea

Construction F E: Simulator : S n \ input matches m legitimate F -call?

2n \ n yes no h \

n \

n/2 2n n \ \

\ consult R input weak?

0 h0 E \

n/4 n n \ t \ yes no

n/4 \ f n \ reply like weak reply uniformly IV permutation at random

10 / 14 inverse query−−→ hits 0-block −−−−→ collision in uniformly random−−→ responses q Indiff E (q) = Θ F ,S 2n/2  

Proof Idea

Construction F E: Simulator : S n \ input matches m legitimate F -call?

2n \ n yes no h \

n \

n/2 2n n \ \

\ consult R input weak?

0 h0 E \

n/4 n n yes \ \ no t

n/4 \ f n \ reply like weak reply uniformly IV permutation at random

10 / 14 inverse query−−→ hits 0-block

q Indiff E (q) = Θ F ,S 2n/2  

Proof Idea

Construction F E: Simulator : S n \ input matches m legitimate F -call?

2n \ n yes no h \

n \

n/2 2n n \ \

\ consult R input weak?

0 h0 E \

n/4 n n yes \ \ no t

n/4 \ f n \ reply like weak reply uniformly IV permutation at random −−−−→ collision in uniformly random−−→ responses

10 / 14 q Indiff E (q) = Θ F ,S 2n/2  

Proof Idea

Construction F E: Simulator : S n \ input matches m legitimate F -call?

2n \ n yes no h \

n \

n/2 2n n \ \

\ consult R input weak?

0 h0 E \

n/4 n n yes \ \ no t

n/4 \ f n \ reply like weak reply uniformly IV permutation at random inverse query−−→ hits 0-block −−−−→ collision in uniformly random−−→ responses

10 / 14 Proof Idea

Construction F E: Simulator : S n \ input matches m legitimate F -call?

2n \ n yes no h \

n \

n/2 2n n \ \

\ consult R input weak?

0 h0 E \

n/4 n n yes \ \ no t

n/4 \ f n \ reply like weak reply uniformly IV permutation at random inverse query−−→ hits 0-block −−−−→ collision in uniformly random−−→ responses q Indiff E (q) = Θ F ,S 2n/2   10 / 14 Prex-Free Merkle-Damgård?

BLAKE2 Hashing Modes

m1 m2 m3 m 0∗ `k

IV PB F F F F H(m) ⊕

t1 f1 t2 f2 t3 f3 t` f`

Message m padded into m1 m` • k · · · k t1 t` are counter values, f1 f` are ags • k · · · k k · · · k PB is a parameter block •

11 / 14 BLAKE2 Hashing Modes

m1 m2 m3 m 0∗ `k

IV PB F F F F H(m) ⊕

t1 f1 t2 f2 t3 f3 t` f`

Message m padded into m1 m` • k · · · k t1 t` are counter values, f1 f` are ags • k · · · k k · · · k PB is a parameter block • Prex-Free Merkle-Damgård?

11 / 14 Captured by generalized design of Bertoni et al. 2014 • Same reasoning for tree and parallel modes of BLAKE2 •

BLAKE2 Hashing Modes

m1 m2 m3 m 0∗ `k

IV PB F F F F H(m) ⊕ m0 | {z } t1 f1 t2 f2 t3 f3 t` f`

PB is largely freely choosable by user • Essentially just an extra message block m0 →

12 / 14 Same reasoning for tree and parallel modes of BLAKE2 •

BLAKE2 Hashing Modes

m1 m2 m3 m 0∗ `k

IV PB F F F F H(m) ⊕ m0 | {z } t1 f1 t2 f2 t3 f3 t` f`

PB is largely freely choosable by user • Essentially just an extra message block m0 → Captured by generalized design of Bertoni et al. 2014 •

12 / 14 BLAKE2 Hashing Modes

m1 m2 m3 m 0∗ `k

IV PB F F F F H(m) ⊕ m0 | {z } t1 f1 t2 f2 t3 f3 t` f`

PB is largely freely choosable by user • Essentially just an extra message block m0 → Captured by generalized design of Bertoni et al. 2014 • Same reasoning for tree and parallel modes of BLAKE2 •

12 / 14 q + Θ 2n/2  

1. Multi-key PRF security if BLAKE2 is random oracle 2. Indierentiability of BLAKE2 with weakly ideal cipher

µ µq 2 Prf E KH (q) = κ + κ 2 2

Keyed BLAKE2 Mode

k 0∗ m1 m2 m 0∗ k `k

IV PB F F F F H(m) ⊕

t1 f1 t2 f2 t3 f3 t`+1 f`+1

Key k as rst message block, rest unchanged •

13 / 14 2. Indierentiability of BLAKE2 with weakly ideal cipher

q + Θ 2n/2  

Keyed BLAKE2 Mode

k 0∗ m1 m2 m 0∗ k `k

IV PB F F F F H(m) ⊕

t1 f1 t2 f2 t3 f3 t`+1 f`+1

Key k as rst message block, rest unchanged • 1. Multi-key PRF security if BLAKE2 is random oracle

µ µq 2 Prf E KH (q) = κ + κ 2 2

13 / 14 Keyed BLAKE2 Mode

k 0∗ m1 m2 m 0∗ k `k

IV PB F F F F H(m) ⊕

t1 f1 t2 f2 t3 f3 t`+1 f`+1

Key k as rst message block, rest unchanged • 1. Multi-key PRF security if BLAKE2 is random oracle 2. Indierentiability of BLAKE2 with weakly ideal cipher

µ µq 2 q Prf E (q) = + + Θ KH 2κ 2κ 2n/2
 

13 / 14 Conclusion

Indierentiability of BLAKE2 Short compression function indierentiability proof • Security of hashing modes due to composition •

Optimality? Birthday bound security in the end • Improved analysis for (second) preimage resistance? • PRF security: direct analysis could give better result •

Thank you for your attention!

14 / 14 Supporting Slides

15 / 14 Underlying Block Cipher

k k k k k k k k  k k k k 

k k k k  \  2n

a e a e a0 e0 a0 e0

2n 2n \

b f b f \ b0 f0 b0 f0  c g c g  E  c0 g0 c0 g0  d h d h d0 h0 d0 h0    

Cryptanalysis of NORX v2.0 by Chaigneau et al. An unexpected structural property of E • Analysis easily extends to this property • Left half of IV is not of the form cgcg either •

16 / 14