Security Analysis of BLAKE2's Modes of Operation
Atul Luykx, Bart Mennink, Samuel Neves
KU Leuven (Belgium) and Radboud University (The Netherlands)
FSE 2017 March 7, 2017
1 / 14 BLAKE2
m1 m2 m3 m 0∗ `k
IV PB F F F F H(m) ⊕
t1 f1 t2 f2 t3 f3 t` f`
Cryptographic hash function • Aumasson, Neves, Wilcox-O'Hearn, Winnerlein (2013) • Simplication of SHA-3 nalist BLAKE •
2 / 14 BLAKE2
Use in Password Hashing Argon2 (Biryukov et al.) • Catena (Forler et al.) • Lyra (Almeida et al.) • Lyra2 (Simplício Jr. et al.) • Rig (Chang et al.) • Use in Authenticated Encryption AEZ (Hoang et al.) • Applications Noise Protocol Framework (Perrin) • Zcash Protocol (Hopwood et al.) • RAR 5.0 (Roshal) • 3 / 14 BLAKE2 Guo et al. 2014 Hao 2014 Khovratovich et al. 2015 Espitau et al. 2015 ???
Even slight modications may make a scheme insecure!
Security Inheritance?
BLAKE cryptanalysis Aumasson et al. 2010 Biryukov et al. 2011 Dunkelman&K. 2011
generic Andreeva et al. 2012 Chang et al. 2012
4 / 14 ???
Even slight modications may make a scheme insecure!
Security Inheritance?
BLAKE BLAKE2 cryptanalysis Aumasson et al. 2010 Guo et al. 2014 Biryukov et al. 2011 Hao 2014 Dunkelman&K. 2011 Khovratovich et al. 2015 Espitau et al. 2015 generic Andreeva et al. 2012 Chang et al. 2012
4 / 14 Even slight modications may make a scheme insecure!
Security Inheritance?
BLAKE BLAKE2 cryptanalysis Aumasson et al. 2010 Guo et al. 2014 Biryukov et al. 2011 Hao 2014 Dunkelman&K. 2011 Khovratovich et al. 2015 Espitau et al. 2015 generic Andreeva et al. 2012 ??? Chang et al. 2012
4 / 14 Security Inheritance?
BLAKE BLAKE2 cryptanalysis Aumasson et al. 2010 Guo et al. 2014 Biryukov et al. 2011 Hao 2014 Dunkelman&K. 2011 Khovratovich et al. 2015 Espitau et al. 2015 generic Andreeva et al. 2012 ??? Chang et al. 2012
Even slight modications may make a scheme insecure!
4 / 14 No structural design aws • Well-suited for composition •
Indierentiability
real world simulated world
IC C idealPrandom Rsimulator S function primitive for oracle P
distinguisher D
Indierentiability of function from a random oracle • C P is indierentiable from if simulator such that • C R ∃ S ( , ) and ( , ) indistinguishable C P R S
5 / 14
1 Indierentiability
real world simulated world
IC C idealPrandom Rsimulator S function primitive for oracle P
distinguisher D
Indierentiability of function from a random oracle • C P is indierentiable from if simulator such that • C R ∃ S ( , ) and ( , ) indistinguishable C P R S No structural design aws • Well-suited for composition •
5 / 14
1 (i) First hash-function indierentiability results • Chop-/PF-MD with ideal F indierentiable −→ (ii) Most obvious second step (composition) • But (e.g.) Davies-Meyer with ideal E dierentiable −→ (iii) Researchers focused on direct proofs • Chop-/PF-MD with Davies-Meyer and ideal E indierentiable −→
Composition1 indiff-compose-0
H
E F
H
6 / 14 (ii) Most obvious second step (composition) • But (e.g.) Davies-Meyer with ideal E dierentiable −→ (iii) Researchers focused on direct proofs • Chop-/PF-MD with Davies-Meyer and ideal E indierentiable −→
Composition2 indiff-compose-1
H
(i) E F
(i) H
(i) First hash-function indierentiability results • Chop-/PF-MD with ideal F indierentiable −→
6 / 14 (iii) Researchers focused on direct proofs • Chop-/PF-MD with Davies-Meyer and ideal E indierentiable −→
Composition3 indiff-compose-2
H
(i) E (ii) F
(i) H
(i) First hash-function indierentiability results • Chop-/PF-MD with ideal F indierentiable −→ (ii) Most obvious second step (composition) • But (e.g.) Davies-Meyer with ideal E dierentiable −→
6 / 14 Composition4 indiff-compose-3
(iii) H
(i) E (ii) F
(i)
(iii) H
(i) First hash-function indierentiability results • Chop-/PF-MD with ideal F indierentiable −→ (ii) Most obvious second step (composition) • But (e.g.) Davies-Meyer with ideal E dierentiable −→ (iii) Researchers focused on direct proofs • Chop-/PF-MD with Davies-Meyer and ideal E indierentiable −→ 6 / 14 Composition5 indiff-compose-4
(iii) H
(i) E (ii) F
(i)
(iii) H
(i) First hash-function indierentiability results • Chop-/PF-MD with ideal F indierentiable −→ (ii) Most obvious second step (composition) • But (e.g.) Davies-Meyer with ideal E dierentiable −→ (iii) Researchers focused on direct proofs • Chop-/PF-MD with Davies-Meyer and ideal E indierentiable −→ 6 / 14 Weakly Ideal Cipher Model BLAKE2 cipher has known, but harmless, properties • Analysis tolerates these properties •
Our Results
Compression Level Indierentiability BLAKE2 indierentiable at compression function level • Immediately implies • • indierentiability of sequential hash mode • indierentiability of tree/parallel hash mode • multi-key PRF security of keyed BLAKE2 mode One proof ts all! •
7 / 14 Our Results
Compression Level Indierentiability BLAKE2 indierentiable at compression function level • Immediately implies • • indierentiability of sequential hash mode • indierentiability of tree/parallel hash mode • multi-key PRF security of keyed BLAKE2 mode One proof ts all! •
Weakly Ideal Cipher Model BLAKE2 cipher has known, but harmless, properties • Analysis tolerates these properties •
7 / 14 BLAKE2 Compression Function
n \
m
2n \ n h \
n \
n/2 2n n \ \ \
0 h0 E \
n/4 n n \ t \
n/4 \
f n \
IV
h is state, m is message, t is counter, f is ag • IV is initialization value •
8 / 14 Weak- and strong-subspace invariance for weak keys • Evaluation of E in BLAKE2 is never weak • (as left half of IV is not of the form cccc)
Weakly Ideal Cipher Model E is an ideal cipher modulo above property •
Underlying Block Cipher
k k k k k k k k k k k k
k k k k \ 2n
a a a a a a a a
2n 2n 0 0 0 0 \
b b b b \ b0 b0 b0 b0 c c c c E c c c c ! 0 0 0 0 ! d d d d d0 d0 d0 d0
9 / 14 Weak- and strong-subspace invariance for weak keys • Evaluation of E in BLAKE2 is never weak • (as left half of IV is not of the form cccc)
Underlying Block Cipher
k k k k k k k k k k k k
k k k k \ 2n
a a a a a a a a
2n 2n 0 0 0 0 \
b b b b \ b0 b0 b0 b0 c c c c E c c c c ! 0 0 0 0 ! d d d d d0 d0 d0 d0
Weakly Ideal Cipher Model E is an ideal cipher modulo above property •
9 / 14 Evaluation of E in BLAKE2 is never weak • (as left half of IV is not of the form cccc)
Underlying Block Cipher
k k k k k k k k k k k k
k k k k \ 2n
a a a a a a a a
2n 2n 0 0 0 0 \
b b b b \ b0 b0 b0 b0 c c c c E c c c c ! 0 0 0 0 ! d d d d d0 d0 d0 d0
Weakly Ideal Cipher Model E is an ideal cipher modulo above property • Weak- and strong-subspace invariance for weak keys •
9 / 14 Underlying Block Cipher
k k k k k k k k k k k k
k k k k \ 2n
a a a a a a a a
2n 2n 0 0 0 0 \
b b b b \ b0 b0 b0 b0 c c c c E c c c c ! 0 0 0 0 ! d d d d d0 d0 d0 d0
Weakly Ideal Cipher Model E is an ideal cipher modulo above property • Weak- and strong-subspace invariance for weak keys • Evaluation of E in BLAKE2 is never weak • (as left half of IV is not of the form cccc)
9 / 14 inverse query−−→ hits 0-block −−−−→ collision in uniformly random−−→ responses q Indiff E (q) = Θ F ,S 2n/2
input matches legitimate F -call? yes no
consult R input weak?
yes no reply like weak reply uniformly permutation at random
Proof Idea
Construction F E: Simulator : S
n \
m
2n \ n h \
n \
n/2 2n n \ \ \
0 h0 E \
n/4 n n \ t \
n/4 \
f n \
IV
10 / 14 inverse query−−→ hits 0-block −−−−→ collision in uniformly random−−→ responses q Indiff E (q) = Θ F ,S 2n/2
Proof Idea
Construction F E: Simulator : S n \ input matches m legitimate F -call?
2n \ n yes no h \
n \
n/2 2n n \ \
\ consult R input weak?
0 h0 E \
n/4 n n \ t \ yes no
n/4 \ f n \ reply like weak reply uniformly IV permutation at random
10 / 14 inverse query−−→ hits 0-block −−−−→ collision in uniformly random−−→ responses q Indiff E (q) = Θ F ,S 2n/2
Proof Idea
Construction F E: Simulator : S n \ input matches m legitimate F -call?
2n \ n yes no h \
n \
n/2 2n n \ \
\ consult R input weak?
0 h0 E \
n/4 n n yes \ \ no t
n/4 \ f n \ reply like weak reply uniformly IV permutation at random
10 / 14 inverse query−−→ hits 0-block
q Indiff E (q) = Θ F ,S 2n/2
Proof Idea
Construction F E: Simulator : S n \ input matches m legitimate F -call?
2n \ n yes no h \
n \
n/2 2n n \ \
\ consult R input weak?
0 h0 E \
n/4 n n yes \ \ no t
n/4 \ f n \ reply like weak reply uniformly IV permutation at random −−−−→ collision in uniformly random−−→ responses
10 / 14 q Indiff E (q) = Θ F ,S 2n/2
Proof Idea
Construction F E: Simulator : S n \ input matches m legitimate F -call?
2n \ n yes no h \
n \
n/2 2n n \ \
\ consult R input weak?
0 h0 E \
n/4 n n yes \ \ no t
n/4 \ f n \ reply like weak reply uniformly IV permutation at random inverse query−−→ hits 0-block −−−−→ collision in uniformly random−−→ responses
10 / 14 Proof Idea
Construction F E: Simulator : S n \ input matches m legitimate F -call?
2n \ n yes no h \
n \
n/2 2n n \ \
\ consult R input weak?
0 h0 E \
n/4 n n yes \ \ no t
n/4 \ f n \ reply like weak reply uniformly IV permutation at random inverse query−−→ hits 0-block −−−−→ collision in uniformly random−−→ responses q Indiff E (q) = Θ F ,S 2n/2 10 / 14 Prex-Free Merkle-Damgård?
BLAKE2 Hashing Modes
m1 m2 m3 m 0∗ `k
IV PB F F F F H(m) ⊕
t1 f1 t2 f2 t3 f3 t` f`
Message m padded into m1 m` • k · · · k t1 t` are counter values, f1 f` are ags • k · · · k k · · · k PB is a parameter block •
11 / 14 BLAKE2 Hashing Modes
m1 m2 m3 m 0∗ `k
IV PB F F F F H(m) ⊕
t1 f1 t2 f2 t3 f3 t` f`
Message m padded into m1 m` • k · · · k t1 t` are counter values, f1 f` are ags • k · · · k k · · · k PB is a parameter block • Prex-Free Merkle-Damgård?
11 / 14 Captured by generalized design of Bertoni et al. 2014 • Same reasoning for tree and parallel modes of BLAKE2 •
BLAKE2 Hashing Modes
m1 m2 m3 m 0∗ `k
IV PB F F F F H(m) ⊕ m0 | {z } t1 f1 t2 f2 t3 f3 t` f`
PB is largely freely choosable by user • Essentially just an extra message block m0 →
12 / 14 Same reasoning for tree and parallel modes of BLAKE2 •
BLAKE2 Hashing Modes
m1 m2 m3 m 0∗ `k
IV PB F F F F H(m) ⊕ m0 | {z } t1 f1 t2 f2 t3 f3 t` f`
PB is largely freely choosable by user • Essentially just an extra message block m0 → Captured by generalized design of Bertoni et al. 2014 •
12 / 14 BLAKE2 Hashing Modes
m1 m2 m3 m 0∗ `k
IV PB F F F F H(m) ⊕ m0 | {z } t1 f1 t2 f2 t3 f3 t` f`
PB is largely freely choosable by user • Essentially just an extra message block m0 → Captured by generalized design of Bertoni et al. 2014 • Same reasoning for tree and parallel modes of BLAKE2 •
12 / 14 q + Θ 2n/2
1. Multi-key PRF security if BLAKE2 is random oracle 2. Indierentiability of BLAKE2 with weakly ideal cipher
µ µq 2 Prf E KH (q) = κ + κ 2 2
Keyed BLAKE2 Mode
k 0∗ m1 m2 m 0∗ k `k
IV PB F F F F H(m) ⊕
t1 f1 t2 f2 t3 f3 t`+1 f`+1
Key k as rst message block, rest unchanged •
13 / 14 2. Indierentiability of BLAKE2 with weakly ideal cipher
q + Θ 2n/2
Keyed BLAKE2 Mode
k 0∗ m1 m2 m 0∗ k `k
IV PB F F F F H(m) ⊕
t1 f1 t2 f2 t3 f3 t`+1 f`+1
Key k as rst message block, rest unchanged • 1. Multi-key PRF security if BLAKE2 is random oracle
µ µq 2 Prf E KH (q) = κ + κ 2 2
13 / 14 Keyed BLAKE2 Mode
k 0∗ m1 m2 m 0∗ k `k
IV PB F F F F H(m) ⊕
t1 f1 t2 f2 t3 f3 t`+1 f`+1
Key k as rst message block, rest unchanged • 1. Multi-key PRF security if BLAKE2 is random oracle 2. Indierentiability of BLAKE2 with weakly ideal cipher
µ µq 2 q Prf E (q) = + + Θ KH 2κ 2κ 2n/2
13 / 14 Conclusion
Indierentiability of BLAKE2 Short compression function indierentiability proof • Security of hashing modes due to composition •
Optimality? Birthday bound security in the end • Improved analysis for (second) preimage resistance? • PRF security: direct analysis could give better result •
Thank you for your attention!
14 / 14 Supporting Slides
15 / 14 Underlying Block Cipher
k k k k k k k k k k k k
k k k k \ 2n
a e a e a0 e0 a0 e0
2n 2n \
b f b f \ b0 f0 b0 f0 c g c g E c0 g0 c0 g0 d h d h d0 h0 d0 h0
Cryptanalysis of NORX v2.0 by Chaigneau et al. An unexpected structural property of E • Analysis easily extends to this property • Left half of IV is not of the form cgcg either •
16 / 14