Introduction State-recovery for HMAC-HAIFA Short message attacks Improved Generic Attacks Against Hash-based MACs and HAIFA Itai Dinur1 Gaëtan Leurent2 1ENS, France 2Inria, France Crypto 2014 I. Dinur & G. Leurent (ENS & Inria) Improved Generic Attacks Against Hash-based MACs and HAIFA Crypto 2014 1 / 21 Introduction State-recovery for HMAC-HAIFA Short message attacks HMAC with GOST HMAC GOST R 34.11-94 I Very common MAC algorithm I Russian hash funct. standard H(K ⊕ opad k H(K ⊕ ipad k M)) I Uses an internal checksum HMAC-GOST K ⊕ ipad M0 M1 M2 jMj K ⊕ opad h IV h h h h g IV h h g t I Expect ` bit security for key-recovery (`-bit state, key, tag) ` I Key recovery attack in 23 /4 [LPW, AC 2013] I. Dinur & G. Leurent (ENS & Inria) Improved Generic Attacks Against Hash-based MACs and HAIFA Crypto 2014 2 / 21 Introduction State-recovery for HMAC-HAIFA Short message attacks HMAC with GOST HMAC GOST R 34.11-94 I Very common MAC algorithm I Russian hash funct. standard H(K ⊕ opad k H(K ⊕ ipad k M)) I Uses an internal checksum HMAC-GOST K ⊕ ipad M0 M1 M2 jMj K ⊕ opad h IV h h h h g IV h h g t I Expect ` bit security for key-recovery (`-bit state, key, tag) ` I Key recovery attack in 23 /4 [LPW, AC 2013] I. Dinur & G. Leurent (ENS & Inria) Improved Generic Attacks Against Hash-based MACs and HAIFA Crypto 2014 2 / 21 Introduction State-recovery for HMAC-HAIFA Short message attacks HMAC with GOST HMAC GOST R 34.11-94 I Very common MAC algorithm I Russian hash funct. standard H(K ⊕ opad k H(K ⊕ ipad k M)) I Uses an internal checksum HMAC-GOST K ⊕ ipad M0 M1 M2 jMj K ⊕ opad h IV h h h h g IV h h g t I Expect ` bit security for key-recovery (`-bit state, key, tag) ` I Key recovery attack in 23 /4 [LPW, AC 2013] I. Dinur & G. Leurent (ENS & Inria) Improved Generic Attacks Against Hash-based MACs and HAIFA Crypto 2014 2 / 21 Introduction State-recovery for HMAC-HAIFA Short message attacks HMAC-GOST key recovery I GOST uses an internal checksum K ⊕ ipad M0 M1 M2 jMj K ⊕ opad h ` ` ` ` IV h h h h g IV h h g t x0 x1 x2 x? n Key recovery attack I Use a state-recovery attack to recover x? [LPW, AC 2013] I Chosen message difference gives chosen checksum difference I “Related-key attack” on the finalization I. Dinur & G. Leurent (ENS & Inria) Improved Generic Attacks Against Hash-based MACs and HAIFA Crypto 2014 3 / 21 Introduction State-recovery for HMAC-HAIFA Short message attacks HMAC-GOST key recovery I GOST uses an internal checksum K ⊕ ipad M0 M1 M2 jMj K ⊕ opad h ` ` ` ` IV h0 h1 h2 h3 g IV h0 h1 g t x0 x1 x2 x? n Question I The is a new GOST hash function: Streebog I Also has a checksum I Uses a block-counter (HAIFA) I Can we build a key-recovery attack against HMAC-Streebog? I. Dinur & G. Leurent (ENS & Inria) Improved Generic Attacks Against Hash-based MACs and HAIFA Crypto 2014 3 / 21 Introduction State-recovery for HMAC-HAIFA Short message attacks Security of HMAC ` I Security proof up to 2 /2 I Matching attack for existential forgery ` I We used to assume that many harder attack should cost 2 Recent work I State-recovery attack ` I 2 /` using multi-collisions [NSWY13] `/2 I 2 using the cycle structure of random graphs [LPW12] I Universal forgery attack 5`/6 I 2 using the cycle structure of random graphs [PW14] 3`/4 I 2 improvement [CPSW14] I. Dinur & G. Leurent (ENS & Inria) Improved Generic Attacks Against Hash-based MACs and HAIFA Crypto 2014 4 / 21 Introduction State-recovery for HMAC-HAIFA Short message attacks Limitations of recent attacks In this work we address two important limitations of recent attacks: 1 Attacks are not applicable to HAIFA-based hash function I Compression function tweak for each block (counter) I Used in Blake, Skein, Streebog, ... ` 2 Most of these attack use queries of length ≈ 2 /2 I In practice, many hash functions limit the message length e.g. 255 blocks for SHA-1 (` = 160) and SHA-256 (` = 256) I. Dinur & G. Leurent (ENS & Inria) Improved Generic Attacks Against Hash-based MACs and HAIFA Crypto 2014 5 / 21 Introduction State-recovery for HMAC-HAIFA Short message attacks Outline Introduction HMAC-GOST Recent work State-recovery for HMAC-HAIFA Previous work New results Short message attacks State-recovery Universal forgery I. Dinur & G. Leurent (ENS & Inria) Improved Generic Attacks Against Hash-based MACs and HAIFA Crypto 2014 6 / 21 Introduction State-recovery for HMAC-HAIFA Short message attacks Hash-based MAC with a HAIFA hash function m0 m1 m2 jMj ` h0 ` h1 ` h2 ` gk n Ik MACK(M) x0 x1 x2 x3 I Generic model (HMAC, Sandwich-MAC, Envelope-Mac) I Unkeyed compression functions hi I Each compression function is different with HAIFA I `-bit internal state I Key dependant initialization Ik I Key dependant finalization gk I. Dinur & G. Leurent (ENS & Inria) Improved Generic Attacks Against Hash-based MACs and HAIFA Crypto 2014 7 / 21 Introduction State-recovery for HMAC-HAIFA Short message attacks State-recovery attacks I Send messages to the oracle I Do some computations offline with the compression function Mi Mi I h0 h1 h2 gk MAC(M ) k 0 $ h0 h1 h2 I h0 h1 h2 gk MAC(M ) k 1 $ h0 h1 h2 I h0 h1 h2 gk MAC(M ) k 2 $ h0 h1 h2 I h0 h1 h2 gk MAC(M ) k 3 $ h0 h1 h2 I h0 h1 h2 gk MAC(M ) k 4 $ h0 h1 h2 Online Structure Offline Structure I Match the sets of points? I How to test equality? Online chaining values unknown I How many equality test do we need? I. Dinur & G. Leurent (ENS & Inria) Improved Generic Attacks Against Hash-based MACs and HAIFA Crypto 2014 8 / 21 Introduction State-recovery for HMAC-HAIFA Short message attacks Special states Special states in a small set are more likely to match Previous work [LPW14] I Entry point of the main cycle (1 point) `− I Collisions found with long chains (2 2s points) Not applicable to HAIFA We use the entropy loss from iterations of random function Theorem (Entropy loss) Let f1, f2, ... , f2s be a fixed sequence of random functions; `−s the image of g2s , f2s ◦ ... ◦ f2 ◦ f1 contains about 2 points. cf. [PK14] I. Dinur & G. Leurent (ENS & Inria) Improved Generic Attacks Against Hash-based MACs and HAIFA Crypto 2014 9 / 21 Introduction State-recovery for HMAC-HAIFA Short message attacks Special states Special states in a small set are more likely to match Previous work [LPW14] I Entry point of the main cycle (1 point) `− I Collisions found with long chains (2 2s points) Not applicable to HAIFA We use the entropy loss from iterations of random function Theorem (Entropy loss) Let f1, f2, ... , f2s be a fixed sequence of random functions; `−s the image of g2s , f2s ◦ ... ◦ f2 ◦ f1 contains about 2 points. cf. [PK14] I. Dinur & G. Leurent (ENS & Inria) Improved Generic Attacks Against Hash-based MACs and HAIFA Crypto 2014 9 / 21 Introduction State-recovery for HMAC-HAIFA Short message attacks First attempt s I Chains of length 2 , with a fixed message C [i] C C h1 h2 hS gk $ h1 h2 hS h1 h2 hS gk $ h1 h2 hS u t 2 h0 h1 h2 hS gk 2 $ h1 h2 hS h0 h0 h1 h2 hS gk $ h1 h2 hS h0 g h h h Ik h0 h1 h2 hS k $ 1 2 S s S=2s S=2 Online Structure Offline Structure 1 Evaluate 2t chains offline s + t + u = ` Build filters for endpoints u 2 Query 2 message Mi = [i] k C Test endpoints with filters Cplx: 2s+t+u I. Dinur & G. Leurent (ENS & Inria) Improved Generic Attacks Against Hash-based MACs and HAIFA Crypto 2014 10 / 21 Introduction State-recovery for HMAC-HAIFA Short message attacks Building filters Filters to compare online and online states Test whether the state reached after processing M is equal to x I Collisions are preserved by the finalization (for same-length messages) ? 0 2 MAC(Mjjp) = MAC(Mjjp ) 1 Find a collision: h(x, p) = h(x, p0) M p p x? h1 g h1 Ik h0 k x h1 h1 p0 p0 Online Structure Offline Structure I. Dinur & G. Leurent (ENS & Inria) Improved Generic Attacks Against Hash-based MACs and HAIFA Crypto 2014 11 / 21 Introduction State-recovery for HMAC-HAIFA Short message attacks Building filters Filters to compare online and online states Test whether the state reached after processing M is equal to x I Collisions are preserved by the finalization (for same-length messages) ? 0 2 MAC(Mjjp) = MAC(Mjjp ) 1 Find a collision: h(x, p) = h(x, p0) M p p x? h1 g h1 Ik h0 k x h1 h1 p0 p0 Online Structure Offline Structure I. Dinur & G. Leurent (ENS & Inria) Improved Generic Attacks Against Hash-based MACs and HAIFA Crypto 2014 11 / 21 Introduction State-recovery for HMAC-HAIFA Short message attacks Building filters Filters to compare online and online states Test whether the state reached after processing M is equal to x I Collisions are preserved by the finalization (for same-length messages) ? 0 2 MAC(Mjjp) = MAC(Mjjp ) 1 Find a collision: h(x, p) = h(x, p0) M p p x? h1 g h1 Ik h0 k x h1 h1 p0 p0 Online Structure Offline Structure I.