Zheng Yuan,Wei Wang,Keting Jia,Guangwu Xu,Xiaoyun Wang

DOI: https://doi.org/10.1007/978-3-642-03356-8_13

2009-01-01

Abstract:This paper develops several new techniques of cryptanalyzing MACs based on block ciphers, and is divided into two parts.The first part presents new distinguishers of the MAC construction Alred and its specific instance Alpha-MAC based on AES. For the Alred construction, we first describe a general distinguishing attack which leads to a forgery attack directly with the complexity of the birthday attack. A 2-round collision differential path of Alpha-MAC is adopted to construct a new distinguisher with about 265.5 chosen messages and 265.5 queries. One of the most important results is to use this new distinguisher to recover the internal state, which is an equivalent subkey of Alpha-MAC. Moreover, our distinguisher on Alred construction can be applied to the MACs based on CBC and CFB encryption modes.The second part describes the first impossible differential attack on MACs-Pelican, MT-MAC-AES and PC-MAC-AES. Using the birthday attack, enough message pairs that produce the inner near-collision with some specific differences are detected, then the impossible differential attack on 4-round AES to the above mentioned MACs is performed. For Pelican, our attack recovers its internal state, which is an equivalent subkey. For MT-MAC-AES, the attack turns out to be a subkey recovery attack directly. The complexity of the two attacks is 285.5 chosen messages and 285.5 queries. For PC-MAC-AES, we recover its 256-bit key with 285.5 chosen messages and 2128 queries.

Xiaoyun Wang,Hongbo Yu,Wei Wang,Haina Zhang,Tao Zhan

DOI: https://doi.org/10.1007/978-3-642-01001-9_7

2009-01-01

Abstract:In this paper, we present the first distinguishing attack on HMAC and NMAC based on MD5 without related keys, which distinguishes the HMAC/NMAC-MD5 from HMAC/NMAC with a random function. The attack needs 2(97) queries, with a success probability 0.87, while the previous distinguishing attack on HMAC-MD5 reduced to 33 rounds takes 2(126.1) messages with a success rate of 0.92. Furthermore, we give distinguishing and partial key recovery attacks on MDx-MAC based on MD5. The MDx-MAC was proposed by Preneel and van Oorschot in Crypto'95 which uses three subkeys derived from the initial key. We are able to recover one 128-bit subkey with 2(97) queries.

ZHAO Xin-jie,GUO Shi-ze,WANG Tao,ZHANG Fan

DOI: https://doi.org/10.3969/j.issn.1671-1742.2012.06.001

2012-01-01

Abstract:The security of EPCBC,a lightweight block cipher proposed in CANS 2011,against the side-channel cube attack is evaluated by combining cube cryptanalysis with side-channel attack under the 8-bit Hamming weight leakage model.Under the black-box attack scenario,the adversary firstly generates random cube and superpoly.Then the cube is used to generate chosen plaintexts.The adversary deduces one bit of the intermediate state from the side-channel attack for each chosen plaintext and computes the high order differences of these one bit values to verify the relations between the cube and superpoly.Simulation experiments are launched on two variants of EPCBC with different block lengths.The results demonstrate that the unprotected implementation of EPCBC is vulnerable to side-channel cube attacks.If the adversary can accurately deduce the Hamming weight of the intermediate states from the side-channel leakages,many cubes and superpolys can be extracted and used for key recovery.372 chosen plaintexts can recover 48-bit of the master key for EPCBC(48,96) and reduce the key search space to 248.610 chosen plaintexts can recover full 96-bit of the master key for EPCBC(96,96) directly.The techniques of this paper can provide certain references to black-box side-channel cube attacks on other block ciphers.

Xiaoyun Wang,Wei Wang,Keting Jia,Meiqin Wang

DOI: https://doi.org/10.1007/978-3-642-03317-9_22

2009-01-01

Abstract:This paper presents a new distinguisher which can be applied to secret-prefix MACs with the message length prepended to the message before hashing. The new distinguisher makes use of a special truncated differential path with high probability to distinguish an inner near-collision in the first round. Once the inner near-collision is detected, we can recognize an instantiated MAC from a MAC with a random function. The complexity for distinguishing the MAC with 43-step reduced SHA-1 is 2124.5 queries. For the MAC with 61-step SHA-1, the complexity is 2154.5 queries. The success probability is 0.70 for both.

Yaobin Shen,Lei Wang

DOI: https://doi.org/10.46586/tosc.v2019.i2.146-168

2019-01-01

Abstract:ISO/IEC 9797-1 is an international standard for block-cipher-based Message Authentication Code (MAC). The current version ISO/IEC 9797-1:2011 specifies six single-pass CBC-like MAC structures that are capped at the birthday bound security. For a higher security that is beyond-birthday bound, it recommends to use the concatenation combiner of two single-pass MACs. In this paper, we reveal the invalidity of the suggestion, by presenting a birthday bound forgery attack on the concatenation combiner, which is essentially based on Joux’s multi-collision. Notably, our new forgery attack for the concatenation of two MAC Algorithm 1 with padding scheme 2 only requires 3 queries. Moreover, we look for patches by revisiting the development of ISO/IEC 9797-1 with respect to the beyond-birthday bound security. More specifically, we evaluate the XOR combiner of single-pass CBC-like MACs, which was used in previous version of ISO/IEC 9797-1.

Hongbo Yu,Xiaoyun Wang

DOI: https://doi.org/10.1007/978-3-642-02620-1_13

2009-01-01

Abstract:In this paper, we present the first distinguishing attack on the LPMAC based on step-reduced SHA-256. The LPMAC is the abbreviation of the secret-prefix MAC with the length prepended to the message before hashing and it's a more secure version of the secret-prefix MAC. In [19], Wang e t al. give the first distinguishing attack on HMAC/NMAC-MD5 without the related key, then they improve the techniques to give a distinguishing attack on the LPMAC based on 61-step SHA-1 in [23]. In this paper, we utilize the techniques in [23] combined with our differential path on step-reduced SHA-256 to distinguishing the LPMAC based on 39-step SHA-256 from the LPMAC with a random function. The complexity of our attack is about 2184.5 MAC queries.

Yufeng Tang,Zheng Gong,Tao Sun,Jinhai Chen,Fan Zhang

DOI: https://doi.org/10.1007/978-3-030-88323-2_22

2021-01-01

Abstract:White-box block cipher (WBC) aims at protecting the secret key of a block cipher even if an adversary has full control over the implementations. At CHES 2016, Bos et al. proved that WBC are also threatened by side-channel analysis (SCA), e.g., differential fault analysis (DFA) and differential computation analysis (DCA). Therefore, advanced countermeasures have been proposed by Lee et al. for resisting DFA and DCA, such as table redundancy and improved masking methods, respectively. In this paper, we introduce a new adaptive side-channel analysis model which assumes that an adversary adaptively collects the intermediate values of a specific function and can mount the DFA/DCA attack with chosen inputs. In the adaptive SCA model, both theoretical analysis and experimental results show that Lee et al.’s proposed methods are vulnerable to DFA and DCA attacks. Moreover, a negative proposition is also demonstrated on the corresponding high-order countermeasures under our new model.

Jiehui Nan,Honggang Hu,Ping Zhang,Yiyuan Luo

DOI: https://doi.org/10.1007/s11128-022-03774-5

IF: 1.965

2022-01-01

Quantum Information Processing

Abstract:Since the seminal work of Chen et al. to construct pseudorandom functions (PRFs) from the public random permutations, a series of designs of beyond-birthday-bound secure PRFs or message authentication codes(MACs) have been proposed, like $$\textsf{pEDM}$$ , $$\textsf{pPMAC}$$ _ $$\textsf{Plus}$$ , $$\textsf{PDM}\text {* }\textsf{MAC}$$ , and $$\textsf{1K}\text {-}\textsf{PDM}\text {* }\textsf{MAC}$$ , etc. These constructions were classically proved to be secure at least up to $$O(2^{2n/3})$$ queries. In this paper, we consider to attack these constructions in the quantum setting. In particular, we show the key-recovery attack against $$\textsf{pEDM}$$ and $$\textsf{pPMAC}$$ _ $$\textsf{Plus}$$ with $$O(n\cdot 2^{n/2})$$ quantum queries by using Grover-meets-Simon algorithm. Moreover, a forgery attack is given against the constructions $$\textsf{PDM}\text {* }\textsf{MAC}$$ and $$\textsf{nEHtM}_p$$ with O(n) quantum complexity, and under the same query complexity, we can even recover the key of $$\textsf{1K}\text {-}\textsf{PDM}\text {* }\textsf{MAC}$$ .

Yaobin Shen,Francois-Xavier Standaert,Lei Wang

DOI: https://doi.org/10.1007/978-981-99-8727-6_6

2023-01-01

Abstract:At CRYPTO'18, Datta et al. proposed nPolyMAC and proved the security up to 2(2n/3) authentication queries and 2(n) verification queries. At EUROCRYPT'19, Dutta et al. proposed CWC+ and showed the security up to 2(2n/3) queries. At FSE'19, Datta et al. proposed PolyMAC and its key-reduced variant 2k-PolyMAC, and showed the security up to 2(2n/3) queries. This security bound was then improved by Kim et al. (EUROCRYPT'20) and Datta et al. (FSE'23) respectively to 2(3n/4) and in the multi-user setting. At FSE'20, Chakraborti et al. proposed PDM*MAC and 1k-PDM*MAC, and showed the security up to 2(2n/3) queries. Recently, Chen et al. proposed nEHtM(p)(+) and showed the security up to 2(2n/3) queries. In this paper, we show forgery attacks on nPolyMAC, CWC+, PolyMAC, 2k-PolyMAC, PDM* MAC, 1k-PDM*MAC and nEHtM(p)(+). Our attacks exploit some vulnerability in the underlying polynomial hash function Poly, and (i) require only one authentication query and one verification query; (ii) are nonce-respecting; (iii) succeed with probability 1. Thus, our attacks disprove the provable high security claims of these schemes. We then revisit their security analyses and identify what went wrong. Finally, we propose two solutions that can restore the beyond-birthday-bound security.

Hongbo Yu,Gaoli Wang,Guoyan Zhang,Xiaoyun Wang

DOI: https://doi.org/10.1007/11599371_1

2005-01-01

Abstract:In Eurocrypt’05, Wang et al. presented new techniques to find collisions of Hash function MD4. The techniques are not only efficient to search for collisions, but also applicable to explore the second- preimage of MD4. About the second-preimage attack, they showed that a random message was a weak message with probability 2−122 and it only needed a one-time MD4 computation to find the second-preimage corresponding to the weak message. A weak message means that there exits a more efficient attack than the brute force attack to find its second-preimage. In this paper, we find another new collision differential path which can be used to find the second-preimage for more weak messages. For any random message, it is a weak message with probability 2−56, and it can be converted into a weak message by message modification techniques with about 227 MD4 computations. Furthermore, the original message is close to the resulting message (weak message), i.e, the Hamming weight of the difference for two messages is about 44.

Dayin Wang,Dongdai Lin,Wenling Wu

2007-01-01

Abstract:We can view an existing Message Authentication Code (MAC) as a Carter-Wegman MAC in spite of the fact it may not have been designed as one. This will make the analysis easier than it has been when considered from other viewpoints. In this paper, we can look PMAC with two keys as a Carter-Wegman MAC and get a simple security proof for it. Using this viewpoint to look at PMAC, we will learn not only why the PMAC is such constructed, but also a new method of constructing MACs.

Siyuan Qiao,Wei Wang,Keting Jia

DOI: https://doi.org/10.1007/978-3-642-14423-3_23

2010-01-01

Abstract:In this paper, we present a new distinguishing attack which works for secret prefix MAC based on 65-step (12-76) SHA-1. By birthday paradox, we first guarantee the existence of an internal collision at the output of the first iteration, then identify it by choosing the second message block smartly, and finally distinguish the specific MAC from a random function by making use of a near-collision differential path. The complexity of our new distinguisher is 2(80.9) queries with success probability 0.51. In comparison, we also present a distinguisher on secret prefix MAC instantiated with 63-step (8-70) SHA-1 according to Wang's method introduced at FSE 2009 [21], which needs about 2(157) queries with success probability 0.70.

Hong-Wei Sun,Bin-Bin Cai,Su-Juan Qin,Qiao-Yan Wen,Fei Gao

DOI: https://doi.org/10.1016/j.physa.2023.129047

2023-07-18

Abstract:In this paper, we investigate the security of several recent MAC constructions with provable security beyond the birthday bound (called BBB MACs) in the quantum setting. On the one hand, we give periodic functions corresponding to targeted MACs (including PMACX, PMAC with parity, HPxHP, and HPxNP), and we can recover secret states using Simon algorithm, leading to forgery attacks with complexity O(n) . This implies our results realize an exponential speedup compared with the classical algorithm. Note that our attacks can even break some optimally secure MACs, such as mPMAC+-f, mPMAC+-p1, mPMAC+-p2, mLightMAC+-f, etc. On the other hand, we construct new hidden periodic functions based on SUM-ECBC-like MACs: SUM-ECBC, PolyMAC, GCM-SIV2, and 2K-ECBC − Plus, where periods reveal the information of the secret key. Then, by applying Grover-meets-Simon algorithm to specially constructed functions, we can recover full keys with O(2n/2n) or O(2m/2n) quantum queries, where n is the message block size and m is the length of the key. Considering the previous best quantum attack, our key-recovery attacks achieve a quadratic speedup.

physics, multidisciplinary

Yusuke Naito,Yu Sasaki,Lei Wang,Kan Yasuda

DOI: https://doi.org/10.1007/978-3-642-41383-4_6

2013-01-01

Abstract:This paper presents new attacks on message authentication codes (MACs). Our attacks are generic and applicable to (secret-prefix) ChopMD-MAC and to NMAC/HMAC, all of which are based on a Merkle-Damgård hash function. We show that an internal state value of these MACs can be recovered with time/queries less than O(2 n )—roughly, with an O(2 n /n) complexity, where ChopMD has 2n-bit state and NMAC/HMAC n-bit. We also show that state-recovery can be extended to MAC-security compromise, such as almost universal forgeries and distinguishing-H attacks. While our results remain to be of theoretical interest due to the high attack complexity, they lead to profound consequences. Namely, our analyses provide us with proper understanding of these MAC constructions, for in the literature the complexity has been implicitly and explicitly assumed to be O(2 n ). Since the complexity is very close to 2 n , we make a precise calculation of attack complexities and of success probabilities in order to show that the total complexity is indeed less than 2 n . Moreover, we perform an experiment by computer simulation to demonstrate that our calculation is correct.

Tairong Shi,Wenling Wu,Bin Hu,Jie Guan,Han Sui,Senpeng Wang,Mengyuan Zhang

DOI: https://doi.org/10.1109/tifs.2024.3402970

IF: 7.231

2024-06-07

IEEE Transactions on Information Forensics and Security

Abstract:A lot of work in the field of quantum cryptanalysis is currently devoted to finding applications of Grover-meets-Simon algorithm and its complexity is given in the form of , but research on how to implement the attack efficiently is still insufficient. After all, it is crucial to study quantum attacks in resource-limited situations, according to NIST's guidance on circuit depth. This work first evaluates the parallelization of Grover-meets-Simon by drawing on the Grover's parallel approach and shows that as the width increases by , the depth decreases by a factor of . Further, the first dedicated quantum attack on a class of functions that appear in cryptographic scheme applications (so-called XOR-type function) is proposed. The depth, width, and the number of gates required for the attack are greatly reduced compared to the general parallelization. Then we apply the attack to various Beyond-Birthday-Bound (BBB) MACs, where the XOR function can be constructed, including SUM-ECBC and its variants (2K-SUM-ECBC, 2K-ECBC_Plus), and GCM-SIV2. In the typical case where SUM-ECBC is based on AES-128, our attack saves at least 62.3% in depth, 19.5% in width and 22.2% in gate count simultaneously. The impact on some lightweight ciphers is further explored, and it is interesting to note that the lighter the quantum circuit implementation of the cipher is, the greater the possible impact of an attack will be. This observation may provide new insights into quantum cryptanalysis.

computer science, theory & methods,engineering, electrical & electronic

WANG Da-yin,LIN Dong-dai,WU Wen-ling

DOI: https://doi.org/10.3321/j.issn:0372-2112.2006.10.014

2006-01-01

Abstract:The most important tool to protect data integrity is Message Authentication Code(MAC),which is widely used in many kinds of secure systems.With the development of the theory of provable security,the MACs,which have security proof,are the first choice of many people.Based on the constructions of XOR MAC and PMAC,we define a deterministic fully parallelizable block-cipher mode of operation for message authentication-DXOR MAC(Deterministic XOR MAC).We prove its security,quantifying an adversary's forgery probability in terms of the quality of the block cipher as a pseudo-random permutation.

WANG Da-Yin,LIN Dong-Dai,WU Wen-ling,JIANG Zhong-Hua

DOI: https://doi.org/10.3969/j.issn.1002-1175.2006.02.017

2006-01-01

Abstract:Message Authentication Codes are very important tools to protect data integrity.XOR-MAC is defined by Bellare,who also gives a security analysis for it.But the security analysis they gave for XOR-MAC is complex.In this paper,we use the Game-Playing technique to give a new security analysis for XOR-MAC.We prove XOR-MAC secure,quantifying an adversary's success probability of distinguishing XOR-MAC from a purely random function in terms of the quality of the block cipher as a pseudorandom permutation.

Neha Sangwan,Mayank Bakshi,Bikash Kumar Dey,Vinod M. Prabhakaran

2023-09-11

Abstract:We study communication over a Multiple Access Channel (MAC) where users can possibly be adversarial. The receiver is unaware of the identity of the adversarial users (if any). When all users are non-adversarial, we want their messages to be decoded reliably. When a user behaves adversarially, we require that the honest users' messages be decoded reliably. An adversarial user can mount an attack by sending any input into the channel rather than following the protocol. It turns out that the $2$-user MAC capacity region follows from the point-to-point Arbitrarily Varying Channel (AVC) capacity. For the $3$-user MAC in which at most one user may be malicious, we characterize the capacity region for deterministic codes and randomized codes (where each user shares an independent random secret key with the receiver). These results are then generalized for the $k$-user MAC where the adversary may control all users in one out of a collection of given subsets.

Information Theory

Gaetan Leurent,Thomas Peyrin,Lei Wang

DOI: https://doi.org/10.1007/978-3-642-42045-0_1

2013-01-01

Abstract:In this paper we study the security of hash-based MAC algorithms (such as HMAC and NMAC) above the birthday bound. Up to the birthday bound, HMAC and NMAC are proven to be secure under reasonable assumptions on the hash function. On the other hand, if an n-bit MAC is built from a hash function with a l-bit state (l >= n), there is a well-known existential forgery attack with complexity 2(l/2). However, the remaining security after 2(l/2) computations is not well understood. In particular it is widely assumed that if the underlying hash function is sound, then a generic universal forgery attack should require 2(n) computations and some distinguishing (e.g. distinguishing-H but not distinguishing-R) and state-recovery attacks should also require 2(l) computations (or 2(k) if k < l).In this work, we show that above the birthday bound, hash-based MACs offer significantly less security than previously believed. Our main result is a generic distinguishing-H and state-recovery attack against hash-based MACs with a complexity of only <(O)over tilde> (2(l/2)). In addition, we show a key-recovery attack with complexity (O) over tilde (2(3l/4)) against HMAC used with a hash functions with an internal checksum, such as GOST. This surprising result shows that the use of a checksum might actually weaken a hash function when used in a MAC. We stress that our attacks are generic, and they are in fact more efficient than some previous attacks proposed on MACs instanciated with concrete hash functions. We use techniques similar to the cycle-detection technique proposed by Peyrin et al. at Asiacrypt 2012 to attack HMAC in the related-key model. However, our attacks works in the single-key model for both HMAC and NMAC, and without restriction on the key size.