Security Analysis of BLAKE2's Modes of Operation Atul Luykx, Bart Mennink, Samuel Neves KU Leuven (Belgium) and Radboud University (The Netherlands) FSE 2017 March 7, 2017 1 / 14 BLAKE2 m1 m2 m3 m 0∗ `k IV PB F F F F H(m) ⊕ t1 f1 t2 f2 t3 f3 t` f` Cryptographic hash function • Aumasson, Neves, Wilcox-O'Hearn, Winnerlein (2013) • Simplication of SHA-3 nalist BLAKE • 2 / 14 BLAKE2 Use in Password Hashing Argon2 (Biryukov et al.) • Catena (Forler et al.) • Lyra (Almeida et al.) • Lyra2 (Simplício Jr. et al.) • Rig (Chang et al.) • Use in Authenticated Encryption AEZ (Hoang et al.) • Applications Noise Protocol Framework (Perrin) • Zcash Protocol (Hopwood et al.) • RAR 5.0 (Roshal) • 3 / 14 BLAKE2 Guo et al. 2014 Hao 2014 Khovratovich et al. 2015 Espitau et al. 2015 ??? Even slight modications may make a scheme insecure! Security Inheritance? BLAKE cryptanalysis Aumasson et al. 2010 Biryukov et al. 2011 Dunkelman&K. 2011 generic Andreeva et al. 2012 Chang et al. 2012 4 / 14 ??? Even slight modications may make a scheme insecure! Security Inheritance? BLAKE BLAKE2 cryptanalysis Aumasson et al. 2010 Guo et al. 2014 Biryukov et al. 2011 Hao 2014 Dunkelman&K. 2011 Khovratovich et al. 2015 Espitau et al. 2015 generic Andreeva et al. 2012 Chang et al. 2012 4 / 14 Even slight modications may make a scheme insecure! Security Inheritance? BLAKE BLAKE2 cryptanalysis Aumasson et al. 2010 Guo et al. 2014 Biryukov et al. 2011 Hao 2014 Dunkelman&K. 2011 Khovratovich et al. 2015 Espitau et al. 2015 generic Andreeva et al. 2012 ??? Chang et al. 2012 4 / 14 Security Inheritance? BLAKE BLAKE2 cryptanalysis Aumasson et al. 2010 Guo et al. 2014 Biryukov et al. 2011 Hao 2014 Dunkelman&K. 2011 Khovratovich et al. 2015 Espitau et al. 2015 generic Andreeva et al. 2012 ??? Chang et al. 2012 Even slight modications may make a scheme insecure! 4 / 14 No structural design aws • Well-suited for composition • Indierentiability real world simulated world IC C idealPrandom Rsimulator S function primitive for oracle P distinguisher D Indierentiability of function from a random oracle • C P is indierentiable from if simulator such that • C R 9 S ( ; ) and ( ; ) indistinguishable C P R S 5 / 14 1 Indierentiability real world simulated world IC C idealPrandom Rsimulator S function primitive for oracle P distinguisher D Indierentiability of function from a random oracle • C P is indierentiable from if simulator such that • C R 9 S ( ; ) and ( ; ) indistinguishable C P R S No structural design aws • Well-suited for composition • 5 / 14 1 (i) First hash-function indierentiability results • Chop-/PF-MD with ideal F indierentiable −! (ii) Most obvious second step (composition) • But (e.g.) Davies-Meyer with ideal E dierentiable −! (iii) Researchers focused on direct proofs • Chop-/PF-MD with Davies-Meyer and ideal E indierentiable −! Composition1 indiff-compose-0 H E F H 6 / 14 (ii) Most obvious second step (composition) • But (e.g.) Davies-Meyer with ideal E dierentiable −! (iii) Researchers focused on direct proofs • Chop-/PF-MD with Davies-Meyer and ideal E indierentiable −! Composition2 indiff-compose-1 H (i) E F (i) H (i) First hash-function indierentiability results • Chop-/PF-MD with ideal F indierentiable −! 6 / 14 (iii) Researchers focused on direct proofs • Chop-/PF-MD with Davies-Meyer and ideal E indierentiable −! Composition3 indiff-compose-2 H (i) E (ii) F (i) H (i) First hash-function indierentiability results • Chop-/PF-MD with ideal F indierentiable −! (ii) Most obvious second step (composition) • But (e.g.) Davies-Meyer with ideal E dierentiable −! 6 / 14 Composition4 indiff-compose-3 (iii) H (i) E (ii) F (i) (iii) H (i) First hash-function indierentiability results • Chop-/PF-MD with ideal F indierentiable −! (ii) Most obvious second step (composition) • But (e.g.) Davies-Meyer with ideal E dierentiable −! (iii) Researchers focused on direct proofs • Chop-/PF-MD with Davies-Meyer and ideal E indierentiable −! 6 / 14 Composition5 indiff-compose-4 (iii) H (i) E (ii) F (i) (iii) H (i) First hash-function indierentiability results • Chop-/PF-MD with ideal F indierentiable −! (ii) Most obvious second step (composition) • But (e.g.) Davies-Meyer with ideal E dierentiable −! (iii) Researchers focused on direct proofs • Chop-/PF-MD with Davies-Meyer and ideal E indierentiable −! 6 / 14 Weakly Ideal Cipher Model BLAKE2 cipher has known, but harmless, properties • Analysis tolerates these properties • Our Results Compression Level Indierentiability BLAKE2 indierentiable at compression function level • Immediately implies • • indierentiability of sequential hash mode • indierentiability of tree/parallel hash mode • multi-key PRF security of keyed BLAKE2 mode One proof ts all! • 7 / 14 Our Results Compression Level Indierentiability BLAKE2 indierentiable at compression function level • Immediately implies • • indierentiability of sequential hash mode • indierentiability of tree/parallel hash mode • multi-key PRF security of keyed BLAKE2 mode One proof ts all! • Weakly Ideal Cipher Model BLAKE2 cipher has known, but harmless, properties • Analysis tolerates these properties • 7 / 14 BLAKE2 Compression Function n \ m 2n \ n h \ n \ n/2 2n n \ \ \ 0 h0 E \ n/4 n n \ t \ n/4 \ f n \ IV h is state, m is message, t is counter, f is ag • IV is initialization value • 8 / 14 Weak- and strong-subspace invariance for weak keys • Evaluation of E in BLAKE2 is never weak • (as left half of IV is not of the form cccc) Weakly Ideal Cipher Model E is an ideal cipher modulo above property • Underlying Block Cipher k k k k k k k k k k k k k k k k \ 2n a a a a a a a a 2n 2n 0 0 0 0 \ b b b b \ b0 b0 b0 b0 c c c c E c0 c0 c0 c0 ! ! d d d d d0 d0 d0 d0 9 / 14 Weak- and strong-subspace invariance for weak keys • Evaluation of E in BLAKE2 is never weak • (as left half of IV is not of the form cccc) Underlying Block Cipher k k k k k k k k k k k k k k k k \ 2n a a a a a a a a 2n 2n 0 0 0 0 \ b b b b \ b0 b0 b0 b0 c c c c E c0 c0 c0 c0 ! ! d d d d d0 d0 d0 d0 Weakly Ideal Cipher Model E is an ideal cipher modulo above property • 9 / 14 Evaluation of E in BLAKE2 is never weak • (as left half of IV is not of the form cccc) Underlying Block Cipher k k k k k k k k k k k k k k k k \ 2n a a a a a a a a 2n 2n 0 0 0 0 \ b b b b \ b0 b0 b0 b0 c c c c E c0 c0 c0 c0 ! ! d d d d d0 d0 d0 d0 Weakly Ideal Cipher Model E is an ideal cipher modulo above property • Weak- and strong-subspace invariance for weak keys • 9 / 14 Underlying Block Cipher k k k k k k k k k k k k k k k k \ 2n a a a a a a a a 2n 2n 0 0 0 0 \ b b b b \ b0 b0 b0 b0 c c c c E c0 c0 c0 c0 ! ! d d d d d0 d0 d0 d0 Weakly Ideal Cipher Model E is an ideal cipher modulo above property • Weak- and strong-subspace invariance for weak keys • Evaluation of E in BLAKE2 is never weak • (as left half of IV is not of the form cccc) 9 / 14 inverse query−−! hits 0-block −−−−! collision in uniformly random−−! responses q Indiff E (q) = Θ F ;S 2n=2 input matches legitimate F -call? yes no consult R input weak? yes no reply like weak reply uniformly permutation at random Proof Idea E Construction : n Simulator : F \ S m 2n \ n h \ n \ n/2 2n n \ \ \ 0 h0 E \ n/4 n n \ t \ n/4 \ f n \ IV 10 / 14 inverse query−−! hits 0-block −−−−! collision in uniformly random−−! responses q Indiff E (q) = Θ F ;S 2n=2 Proof Idea E Construction : n Simulator : F \ S m input matches \ legitimate F -call? 2n n h \ yes no n \ n/2 2n n \ \ \ consult input weak? 0 R h0 E \ n/4 n n \ t \ yes no n/4 \ f n \ reply like weak reply uniformly permutation at random IV 10 / 14 inverse query−−! hits 0-block −−−−! collision in uniformly random−−! responses q Indiff E (q) = Θ F ;S 2n=2 Proof Idea E Construction : n Simulator : F \ S m input matches \ legitimate F -call? 2n n h \ yes no n \ n/2 2n n \ \ \ consult input weak? 0 R h0 E \ n/4 n n \ \ yes no t n/4 \ f n \ reply like weak reply uniformly permutation at random IV 10 / 14 inverse query−−! hits 0-block q Indiff E (q) = Θ F ;S 2n=2 Proof Idea E Construction : n Simulator : F \ S m input matches \ legitimate F -call? 2n n h \ yes no n \ n/2 2n n \ \ \ consult input weak? 0 R h0 E \ n/4 n n \ \ yes no t n/4 \ f n \ reply like weak reply uniformly permutation at random IV −−−−! collision in uniformly random−−! responses 10 / 14 q Indiff E (q) = Θ F ;S 2n=2 Proof Idea E Construction : n Simulator : F \ S m input matches \ legitimate F -call? 2n n h \ yes no n \ n/2 2n n \ \ \ consult input weak? 0 R h0 E \ n/4 n n \ \ yes no t n/4 \ f n \ reply like weak reply uniformly permutation at random IV inverse query−−! hits 0-block −−−−! collision in uniformly random−−! responses 10 / 14 Proof Idea E Construction : n Simulator : F \ S m input matches \ legitimate F -call? 2n n h \ yes no n \ n/2 2n n \ \ \ consult input weak? 0 R h0 E \ n/4 n n \ \ yes no t n/4 \ f n \ reply like weak reply uniformly permutation at random IV inverse query−−! hits 0-block −−−−! collision in uniformly random−−! responses q Indiff E (q) = Θ F ;S 2n=2 10 / 14 Prex-Free Merkle-Damgård? BLAKE2 Hashing Modes m1 m2 m3 m 0∗ `k IV PB F F F F H(m) ⊕ t1 f1 t2 f2 t3 f3 t` f` Message m padded into m1 m` • k · · · k t1 t` are counter values, f1 f` are ags • k · · · k k · · · k PB is a parameter block • 11 / 14 BLAKE2 Hashing Modes m1 m2 m3 m 0∗ `k IV PB F F F F H(m) ⊕ t1 f1 t2 f2 t3 f3 t` f` Message m padded into m1 m` • k · · · k t1 t` are counter values, f1 f` are ags • k · · · k k · · · k PB is a parameter block • Prex-Free Merkle-Damgård? 11 / 14 Captured by generalized design of Bertoni et al.