International Association for Cryptologic Research

International Association
for Cryptologic Research

CryptoDB

Automatic Search of Meet-in-the-Middle Preimage Attacks on AES-like Hashing

Authors:
Zhenzhen Bao , Division of Mathematical Sciences, School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore
Xiaoyang Dong , Institute for Advanced Study, BNRist, Tsinghua University, Beijing, China
Jian Guo , Division of Mathematical Sciences, School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore
Zheng Li , Faculty of Information Technology, Beijing University of Technology, Beijing, China; Beijing Key Laboratory of Trusted Computing, Beijing University of Technology, Beijing, China
Danping Shi , State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China; University of Chinese Academy of Sciences, Beijing, China
Siwei Sun , State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China; University of Chinese Academy of Sciences, Beijing, China
Xiaoyun Wang , Institute for Advanced Study, BNRist, Tsinghua University, Beijing, China; Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong University, Shandong, China
Download:
DOI: 10.1007/978-3-030-77870-5_27 (login may be required)
Search ePrint
Search Google
Conference: EUROCRYPT 2021
Abstract: The Meet-in-the-Middle (MITM) preimage attack is highly effective in breaking the preimage resistance of many hash functions, including but not limited to the full MD5, HAVAL, and Tiger, and reduced SHA-0/1/2. It was also shown to be a threat to hash functions built on block ciphers like AES by Sasaki in 2011. Recently, such attacks on AES hashing modes evolved from merely using the freedom of choosing the internal state to also exploiting the freedom of choosing the message state. However, detecting such attacks especially those evolved variants is difficult. In previous works, the search space of the configurations of such attacks is limited, such that manual analysis is practical, which results in sub-optimal solutions. In this paper, we remove artificial limitations in previous works, formulate the essential ideas of the construction of the attack in well-defined ways, and translate the problem of searching for the best attacks into optimization problems under constraints in Mixed-Integer-Linear-Programming (MILP) models. The MILP models capture a large solution space of valid attacks; and the objectives of the MILP models are attack configurations with the minimized computational complexity. With such MILP models and using the off-the-shelf solver, it is efficient to search for the best attacks exhaustively. As a result, we obtain the first attacks against the full (5-round) and an extended (5.5-round) version of Haraka-512 v2, and 8-round AES-128 hashing modes, as well as improved attacks covering more rounds of Haraka-256 v2 and other members of AES and Rijndael hashing modes.
Video from EUROCRYPT 2021
BibTeX
@inproceedings{eurocrypt-2021-30872,
  title={Automatic Search of Meet-in-the-Middle Preimage Attacks on AES-like Hashing},
  publisher={Springer-Verlag},
  doi={10.1007/978-3-030-77870-5_27},
  author={Zhenzhen Bao and Xiaoyang Dong and Jian Guo and Zheng Li and Danping Shi and Siwei Sun and Xiaoyun Wang},
  year=2021
}