Generic Attacks against MAC algorithms · Introduction Hash-based MACs State recovery Universal...

Introduction Hash-based MACs State recovery Universal forgery Key-recovery Conclusion

Generic Attacks against MAC algorithms

Gaeumltan Leurent

Inria France

SAC 2015

G Leurent (Inria) Generic Attacks against MAC algorithms SAC 2015 1 69


Confidentiality and authenticity

Cryptography has two main objectivesConfidentiality keeping the message secret

Authenticity making sure the message is authentic

Authenticity is often more important than confidentiality Email signature Software update Credit cards Sensor networks Remote control (eg garage door car) Remote access (eg password authentication)

Authenticity achieved with signatures (asymmetric)or MACs (symmetric)



Message Authentication Codes

Alice BobM t

Alice sends a message to Bob Bob wants to authenticate the message Alice uses a key k to compute a tag t =MACk(M) Bob verifies the tag with the same key k t =MACk(M)



Example use Authenticated NTP

NTP Network Time Protocol Synchronize clocks up to a few ms NTP client connect to several servers and evaluate transmission time

Correct time is critical for security applications Time used as nonce Use time to detect replay Use time to check certificate validity

Timing message not secret but must be authentic Public key crypto two slow (would affect time precision)

NIST runs a public Authenticated NTP server



Example use challenge-response authentication

Alice

OXYGEN

Serverpassword pw password pw

xlarr $

x

ylarrMACpw(x)y

if y =MACpw(x) acceptelse reject

CRAM-MD5 authentication in SASL POP3 IMAP SMTP



MAC Constructions

Dedicated designs Pelican-MAC SQUASH SipHash Chaskey

From block ciphers CBC-MAC OMAC PMAC

From hash functions HMAC Sandwich-MAC Envelope-MAC

From universal hash functions (randomized MACs) UMAC VMAC GMAC Poly1305



Security notions

Key-recovery given access to a MAC oracle extract the key

Forgery given access to a MAC oracle forge a valid pair For a message chosen by the adversary existential forgery

For a challenge given to the adversary universal forgery

Distinguishing games DistinguishMACH

k from a PRF distinguishing-Reg distinguish HMAC from a PRF

DistinguishMACHk fromMACPRF

k distinguishing-Heg distinguish HMAC-SHA1 from HMAC-PRF



CBC-MAC

P0

E

P1

E

P2

E

IV

C0 C1 C2

One of the first MAC [NIST ANSI ISO rsquo85] Designed by practitioners to be used with DES

Based on CBC encryption mode Keep the last cipher-text block as a MAC



CBC-MAC

P0

E

P1

E

P2

E

T One of the first MAC [NIST ANSI ISO rsquo85] Designed by practitioners to be used with DES




Security of modes of operations

Initially security of CBC-MAC-DES was an assumption To reduce the number of assumptionsstudy the block cipher and the mode independently

1 Security proof for the mode Assume that the block cipher is good prove that the MAC is good Lower bound on the security of the mode

2 Cryptanalysis of the block cipher Try to show non-random behavior

3 Generic attacks for the mode Attack that work for any choice of the block cipher Upper bound on the security of the mode
























Security of CBC-MACP0

E

P1

E

P2

E

T

Security proofs Secure with fixed-length message [Bellare Kilian amp Rogaway rsquo94] Attacks with variable length MAC(P0 P1) =MAC(P1 oplusMAC(P0))

Encrypt the last cipher-text block with a different key (ECBC) Secure with variable-length message Many variants FCBC XCBC OMAC [Black amp Rogaway rsquo00]




E

P1

E

P2

E Eprime

T






E

P1

E

P2

E

T

k1






E

P1

E

P2

Eprime

T





Generic Attack against Iterated Deterministic MACs

Ikx

yMAC

1 Find internal collisions [Preneel amp van Oorschot rsquo95] Query 2n2 random short messages 1 internal collision expected detected in the output

2 Query t =MAC(x m)

3 1114100y m t1114103 is a forgery




Ikx

y

mMAC


2 Query t =MAC(x m)

3 1114100y m t1114103 is a forgery




Ikx

y

mMAC


2 Query t =MAC(x m)

3 1114100y m t1114103 is a forgery




Ikx

y

mMAC


2 Query t =MAC(x m)

3 1114100y m t1114103 is a forgery

Problem

CBC-MAC with DES is unsafe after 232 queries



Security ProofsWhatrsquos a security proof

AdvprfCBC-F(q t) le AdvprpF (mq t +O(mqn)) + q2m2

2nminus1

Bound on the success probability of an adversary against the MACq number of queriest timem max query length

ldquoIf DES is a secure PRF then CBC-MAC-DES is a secure PRFrdquo

Limitations

Birthday-bound security Bound meaningless when mq asymp 2n2

No information on security degradation after the birthday bound Usually assumed that key-recovery attacks require more



Remaining of this talk

MAC security is well understood

Good MAC constructions have birthday bound security proof We have a generic existential forgery attack with birthday complexity

Or is it

Different MACs have different security loss after the birthday bound We need to study generic attack to understand the security of modes



PMAC

E E

E

0L 1L 12L

A1 A2 A3

E E

E

0L 1L

A1 A2 Aprime3Aprime3

pad

PMAC parallelisable block-cipher based MAC[Black amp Rogaway rsquo02]

Uses secret offsets to the block cipher input L = Ek(0)



PMAC

E E

E

0L 1L 12L

A1 A2 A3

E E

E

0L 1L


pad

Collision attack two sets of messages [Lee amp al rsquo06] Ax = [x] |x| = 128

Full block MAC(Ax) = E([x] oplus 1

2L)

By = [y] |y| lt 128 Partial block MAC(By) = E(pad([y]))

Collision (AxBy) The MAC collide iff [x] oplus 1

2L = pad([y]) Deduce L Universal forgery attack



AEZ

E E E

E

9J 10J 11J

A1 A2 A3

E E E

E

9J 10J 8J

A1 A2 A3A3pad

AEZ uses a variant of PMAC [Hoang Krovetz amp Rogaway rsquo15]

A collision gives J [x] oplus 9J = pad([y]) oplus 8J Key derivation (AEZ v2) J = E0(k) Collisions reveal the master key [FLS ACrsquo15]



Security of block cipher based MACs

Proofs

CBC-MAC PMAC and AEZ have security proofsup to the birthday bound

AttacksEffect of collision attacks with 2n2 queries

CBC-MAC almost universal forgeries [Jia amp al rsquo09]

PMAC universal forgeries

AEZ key recovery



OutlineIntroduction

MACsSecurity Proofs

Hash-based MACsHash-based MACsHMAC

State recovery attacksUsing multi-collisionsUsing the cycle structureShort messages attacks using chains

Universal forgery attacksUsing cyclesUsing chains

Key-recovery attacksHMAC-GOST



Hash functions

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3H(M)ℓ ℓ

|M|

Ih

Hash function public function 0 1lowast rarr 0 1n Maps arbitrary-length message to fixed-length hash

Mekle-Damgaringrd mode Process message iteratively Use the message length in the padding (MD strengthening)

Variants Finalization function Use a block counter (HAIFA) Truncate the hash to n lt ℓ (wide-pipe)



Hash functions

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3H(M)ℓ ℓ

|M|

Ig






Hash functions

h0ℓ

m0

x0

h1ℓ

m1

x1

h2ℓ

m2

x2 x3H(M)ℓ ℓ

|M|

Ig






Hash functions

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3H(M)ℓ n

|M|

Ih






Hash function security Hash function should behave like a random function

Hard to find collisions preimages Hash can be used as a fingerprint

Ideal hash function Random Oracle

Hash-based MACs

Good hash functions (families) are indistinguishablefrom a random oracle up to 2ℓ2 queries

Hashing message and key with a random oracle is a secure MAC Internal state size ℓ larger than block ciphers

Secret-prefix MAC MACk(M) = H(k M) Secret-suffix MAC MACk(M) = H(M k)



Secret-prefix MAC

Definition (Secret-prefix MAC)

MACk(M) = H(k M)

Insecure with MDSHA length-extension attack

hℓ

k

x0hℓ

M

x1hℓ

2

x2MACk(M)

ℓI

hℓ

k

x0hℓ

M

x1hℓ

2

x2hℓ

P

x3hℓ

4

x4MACk(M 2 P)

ℓI

Can computeMACk(M 2 P) fromMACk(M) without k Practical attack against Flickr API [Duong amp Rizzo rsquo09]

Secure with modern hash functions (with finalization) Recommend with sponges (Keccak) Skein-MAC is essentially Secret-prefix MAC



Secret-suffix MAC (I)

Definition (Secret-suffix MAC)

MACk(M) = H(M k)

Can be broken using offline collisions Find a collision H(M1) = H(M2) (with full blocks) Since hash function are iterative H(M1 k) = H(M2 k) Existential forgery

Finding a collision offline requires 2ℓ2 time Almost practical for 128-bit hash functions (eg RIPEMD-128) Cryptanalytic shortcuts (eg MD5)

Finding a collision online require 2ℓ2 queries Far from practical easy to detect the attack



Secret-suffix MAC (II)


MACk(M) = H(M k)

Birthday key-recovery attack [Preneel amp van Oorschot rsquo96]1 Guess the first key byte as klowast2 Find a one-block hash collision (C0C1) with Ci =Mi klowast

helliphellip

klowastklowast

C0 =C1 =

M0 =

⋯

M1 = ⋯

3 QueryMAC(M1) andMAC(M2)

helliphellip

k0

k0k1k2k3hellipk1k2k3hellip

MAC(M0) = H1114100MAC(M1) = H1114100

11141031114103

4 If the MACs are equal the guess was correct

Practical attack when using MD5 (eg APOP) [L rsquo07 Sasaki amp al rsquo08]



Envelope MAC and Sandwich MACTo avoid problems use the key at the beginning and at the end

Definition (Envelope MAC)

MACk(M) = H(k M k)

Secure up to the birthday bound [Bellare Canetti amp Krawczyk rsquo96] Key-recovery attack with complexity 2ℓ2

[Preneel amp van Oorschot rsquo96]

Definition (Sandwich MAC)

MACk(M) = H(pad(k) pad(M) k)

Secure up to the birthday bound [Yasuda rsquo07] Key-recovery attack does no apply

The proof does not capture this important difference





MACk(M) = H(k M k)









HMAC

HMAC has been designed by Bellare Canetti and Krawczyk in 1996

Standardized by ANSI IETF ISO NIST

Used in many applications To provide authentication

SSL IPSEC

To provide identification Challenge-response protocols CRAM-MD5 authentication in SASL POP3 IMAP SMTP

For key-derivation HMAC as a PRF in IPsec HMAC-based PRF in TLS



Hash-based MACs

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3MACk(M)

ℓ n

|M|

Ikgk

ℓ-bit chaining value n-bit output k-bit key we focus on ℓ = n = k

Key-dependant initial value Ik Unkeyed compression function h Key-dependant finalization with message length gk



Security of hash-based MACS

Security proofs up to the birthday bound

Generic attacks based on collisions Proof is tight for some security notions

Existential forgery Distinguishing-R

What is the remaining security above the birthday bound Generic distinguishing-H attack Generic state-recovery attack Generic universal forgery attack Generic key-recovery attack



OutlineIntroduction

MACsSecurity Proofs







Bibliography

Y Naito Y Sasaki L Wang K YasudaGeneric State-Recovery and Forgery Attacks on ChopMD-MAC andon NMACHMACIWSEC 2013

G Leurent T Peyrin L WangNew Generic Attacks against Hash-Based MACsASIACRYPT 2013

I Dinur G LeurentImproved Generic Attacks against Hash-Based MACs and HAIFACRYPTO 2014



Multi-collision based attack[Naito Sasaki Wang amp Yasuda rsquo13]

hℓ

m0

x0

hℓ

m1

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK

Using a fixed message block we apply a fixed function Starting point and ending point unknown because of the key

Can we detect properties of the function h0 ∶ x↦ h(x 0)

Use bias in the output of the compression function Some outputs are more likely than others With 2ℓminus120576 work find a value xlowast with ℓ preimages (offline)

How to detect when this state is reachedG Leurent (Inria) Generic Attacks against MAC algorithms SAC 2015 29 69



hℓ

m0

x0

hℓ

m1

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK






Building filtersFilters to compare online and online states

Test whether the state reached after processingM is equal to x

Collisions are preserved by the finalization(for same-length messages)

1 Find a collisionh(x c) = h(x cprime)

x h1h1

c

cprime

Offline Structure

2 MAC(M c) =MAC(M cprime)

Ikx

h0

Mh1h1

c

cprime

gk

Online StructureG Leurent (Inria) Generic Attacks against MAC algorithms SAC 2015 30 69






x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk







x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk



First state-recovery attack[Naito Sasaki Wang amp Yasuda rsquo13]

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk

1 Fix a message blockm1 = [0]With 2ℓminus120576 work find a value xlowast with ℓ preimages

2 Find a collision h(xlowast c) = h(xlowast cprime)

3 For randomm0 compareMAC(m0 [0] c) andMAC(m0 [0] cprime)If they are equal x2 = xlowast




hℓ

m0

x0

hℓ

0

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

ccprime

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

ccprime

x2 x3MACk(M)

l n

|M|

Ikgk






Structure of state-recovery attacks

1 Identify special states easier to reach

2 Build filter for special states

3 Build messages to reach special statesTest if special state reached using filters

In this attack steps 1 amp 2 offline step 3 online



Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK

Using a fixed message block we iterate a fixed function Starting point and ending point unknown because of the key


Study the cycle structure of random mappings Used to attack HMAC in related-key setting

[Peyrin Sasaki amp Wang Asiacrypt 12]



Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Random Mappings

x0

x1

x2

x3x4

x5x6

x7

Functional graph of a random mappingxrarr f(x)

Iterate f xi = f(ximinus1)

Collision after asymp 2ℓ2 iterations Cycles

Trees rooted in the cycle

Several components



Random Mappings





Several components



Random Mappings





Several components



Cycle structure

Expected properties of a randommapping over N points

Components 12 logN

Cyclic nodes radic120587N2 Tail length radic120587N8 Rho length radic120587N2 Largest tree 048N Largest component 076N



Cycle structure


Components 12 logN




Using the cycle length1 Offline find the cycle length L of the main component of h02 Online query t =MAC(r [0]2ℓ2) and tprime =MAC(r [0]2ℓ2+L)

Success if

The starting point is in the main component p = 076 The cycle is reached with less than 2ℓ2 iterations p ge 05

Randomize starting point



Cycle structure


Components 12 logN





Success if





Dealing with the message lengthProblem most MACs use the message length

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACk(M)

ℓ n

|M|

Ikgk



Dealing with the message lengthSolution reach the cycle twice

M = r [0]2ℓ2 [1] [0]2ℓ2




M1 = r [0]2ℓ2+L [1] [0]2ℓ2 M2 = r [0]2ℓ2 [1] [0]2ℓ2+L



Distinguishing-H attack

1 Offline find the cycle length L of the main component of h0

2 Online query t =MAC(r [0]2ℓ2 [1] [0]2ℓ2+L)tprime =MAC(r [0]2ℓ2+L [1] [0]2ℓ2 )

3 If t = tprime then h is the compression function in the oracle

Analysis

Complexity 2ℓ2 compression function calls Success probability p ≃ 014

Both starting point are in the main component p = 0762 Both cycles are reached with less than 2ℓ2 iterations p ge 052



State recovery attack Consider the first cyclic point With high pr root of the giant tree

1 Offline find cycle length Land root of giant tree 120572

2 Online Binary searchfor smallest z with collisionsMAC(r [0]z [x] [0]2ℓ2+L)MAC(r [0]z+L [x] [0]2ℓ2 )

3 State after r [0]z is 120572 (with high pr)

Analysis

Complexity 2ℓ2 times ℓ times log(ℓ)G Leurent (Inria) Generic Attacks against MAC algorithms SAC 2015 39 69


Cycle structure


Components 12 logN








Analysis



Short message attacksLimitations of cycle-based attacks

Messages of length 2ℓ2 are not very practical SHA-1 and HAVAL limit the message length to 264 bits

Cycle detection impossible with messages shorter than L asymp 2ℓ2 Shorter cycles have a small component

Not applicable to HAIFA hash functions

Compare with collision finding algorithms

Pollardrsquos rho algorithm use cycle detection Parallel collision search for van Oorschot and Wieneruses shorter chains skip details



Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK

Using a fixed message we iterate a fixed sequence of function Starting point and ending point unknown because of the key

Can we detect properties of the iteration of fixed functions

Study the entropy loss



Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK






Collision finding with short chains

x0 y0x1 y1x2 y2x3 y3x4

1 Compute chains x yStop when y distinguished

2 If y isin yi collision found

Theorem (Entropy loss)

Let f1 f2 hellip f2s be a fixed sequence of random functionsthe image of g2s ≜ f2s ∘ hellip ∘ f2 ∘ f1 contains about 2ℓminuss points

Use these state as special states (instead of cycle entry point)



State-recovery attacks Send messages to the oracle

Ik MAC(M0)h0 h1 h2 gk





Mi

Online Structure

Do some computations offlinewith the compression function

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

Mi

Offline Structure

Match the sets of points How to test equality Online chaining values unknown How many equality test do we need



First attempt Chains of length 2s with a fixed message C

Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure

1 Evaluate 2t chains offline s + t + u = ℓBuild filters for endpoints

2 Query 2u messageMi = [i] CTest endpoints with filters Cplx 2s+t+u






2 MAC(M||p) =MAC(M||pprime)

Ikx

h0

Mh1h1

p

pprime

gk

Online Structure

1 Find a collisionh(x p) = h(x pprime)

x h1h1

p

pprime

Offline StructureG Leurent (Inria) Generic Attacks against MAC algorithms SAC 2015 45 69






Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime




Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure





Online filters Using the filters is too expensive If we build filters online using them is cheap

1 Find p pprime stMAC(M||p) =MAC(M||pprime)

Ikx

h0

Mh1h1

p

pprime

gk

Online Structure

2 h(xm) = h(xmprime)

x h1h1

p

pprime

Offline Structure

Cost Build Test

Offline filter 2ℓ2 2s

Online filter 2ℓ2+s 1G Leurent (Inria) Generic Attacks against MAC algorithms SAC 2015 47 69


First attack on HMAC-HAIFA Chains of length 2s with a fixed message C

Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure1 Query 2u messageMi = [i] C s + t + u = ℓBuild filters forMi Cplx 2s+u+ℓ2

2 Evaluate 2t chains offline Cplx 2t+s

Test endpoints with filters Cplx 2t+u




Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity

2ℓminuss for s le ℓ6(using u = s)Minimum 25ℓ6



Diamond filters

Building filers is a bottleneck Can we amortize the cost of building many filters

Diamond structure [Kelsey amp Kohno ECrsquo06]

Herd N initial states to a common state Try asymp 2ℓ2radicNmsg from each state Whp the initial states can be paired Repeat Total asymp radicN sdot 2ℓ2



Diamond filters






Diamond filters


Diamond filter

1 Build a diamond structure2 Build a collision filter for the final state

Can also be built online

Building N offline filters radicN sdot 2ℓ2 rather than N sdot 2ℓ2

Building N online filters radicN sdot 2ℓ2+s rather than N sdot 2ℓ2+s



Improved attack on HMAC-HAIFA Chains of length 2s with a fixed message C

Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure1 Query 2u messageMi = [i] C s + t + u = ℓBuild diamond filter forMi Cplx 2s+u2+ℓ2






Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity




Improvement using collisions (fixed function)




Theorem (Entropy loss for collisions)

Let x and y be two collisions found using chains of length 2swith a fixed ℓ-bit random function fThen Pr 1114094x = y1114097 = 120553(22sminusℓ)

Use the collisions as special states (instead of cycle entry point)



Trade-offs for state-recovery attacks

1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ

Length of the messages

Com

plexity

HAIFA mode

1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ


Merkle-Damgaringrd mode



OutlineIntroduction

MACsSecurity Proofs







Bibliography

T Peyrin L WangGeneric Universal Forgery Attack on Iterative Hash-Based MACsEUROCRYPT 2014

J Guo T Peyrin Y Sasaki L WangUpdates on Generic Attacks against HMAC and NMACCRYPTO 2014




Universal forgery attack Given a challenge message C computeMAC(C)

len(C) = 2s Oracle access to theMAC canrsquot askMAC(C)

Study internal states for the computation ofMAC(C) Unknown because of initial key and final key

1 Build a different message reaching same states2 QueryMAC(Mprime) use as forgery

Ik Mprime

Ik MAC(C)h h h h h h h h h h h h h h h gk







Ik Mprime




UF against secret-suffix MAC Secret-suffix has no key at the beginning

All internal states for challenge message are known

Long-message second-preimage attack [Kelsey amp Schneier rsquo05] H(M) = H(C) ⟹MAC(M) = H(M k) = H(C k) =MAC(C)

1 Build a expandable message Cplx 2ℓ2

2 Find a connexion from the IV to the target states Cplx 2ℓminuss

3 Select expandable message

IV Mprime

IV MAC(C)h h h h h h h h h h h h h h h gk







IV

1 bl

27 + 1 blm7mprime

7

1 bl

26 + 1 blm6mprime

6

1 bl

25 + 1 blm5mprime

5

1 bl

24 + 1 blm4mprime

4

1 bl

23 + 1 blm3mprime

3

1 bl

22 + 1 blm2mprime

2 hlowast








2 Find a connexion from x⋆ to the target states Cplx 2ℓminuss


IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆




UF against secret-prefix MAC Secret-suffix has no key at the end

Finalization function is known

1 Query the MAC of C|i (truncated to i blocks) Cplx 22sdots

2 Evaluate the finalization function on 2ℓminuss states Cplx 2ℓminuss

3 Find a match compute MAC

Ik MAC(C)h h h h h h h h h h h h h h h g








Ik

MAC(C)

hg

hg

hg

hg

hg

hg

hg

hg

hg

hg

g

Online Structure

$ g

$ g

$ g

$ g

$ g

$ g

2ℓminuss



UF attack against hash-based MAC Combine both techniques

1 Recover an internal state of the challenge2 Use second-preimage attack with known state

Hard part is to recover an internal state

Extract information about the challenge state through gk Compute distance to cycle Use entropy loss of iterations




Using cyclesMain idea

Measure the distance from challenge point to cycle in h[0] Add zero blocks after the challenge

Match with offline points with known distance

Ik2s 2ℓ2

2sC

Online Structure

11141062ℓminusspoints1114109



Using cycles1 (online) For each challenge state use binary search to find distance

MAC(C|i 0d+L 1 02ℓ2) =MAC(C|i 0d 1 02

ℓ2+L)2 (offline) Build a structure with 2ℓminuss points with known distance3 (offline) Match the challenge states and the offline structure4 (online) Test candidates at the right distance

Ik2s 2ℓ2

2sC

Online Structure




Using chainsMain idea

Add a sequence of fixed message blocks to reduce image space Match in the reduced space

Ik2s 22sminus2s

2sC

Online Structure22s22s

11141062ℓminuss points1114109

11141062ℓminus2simages ( )1114109



Using chains1 (online) Query messagesMi = C|i [0]2

2sminusiBuild diamond filter for endpoints Y

2 (offline) Build a structure with 2ℓminuss pointsConsider 22s-images X |X| le 2ℓminus2s

3 (offline) Match X and Y4 (offline) For each match find preimages as candidates

Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109



Universal forgery attacks summaryUniversal forgery attacks

It is possible to perform a generic universal forgery attack Best attack so far 2ℓminuss with s le ℓ4 (23ℓ4 with s = ℓ4)

Using distance to the cycle query length 2ℓ2

Complexity 2ℓminuss s le ℓ6 [Peyrin amp Wang EC rsquo14]Optimal 25ℓ6 with s = 2ℓ6

Complexity 2ℓminuss s le ℓ4 [Guo Peyrin Sasaki amp Wang CR rsquo14]Optimal 23ℓ4 with s = 2ℓ4

Later attack using chains shorter query length 2t

Complexity 2ℓminuss s le ℓ7 t = 2s [Dinur amp L CR rsquo14]Optimal 26ℓ7 with s = 2ℓ7 t = 2ℓ7

Complexity 2ℓminuss2 s le 2ℓ5 t = s [Dinur amp L CR rsquo14]Optimal 24ℓ5 with s = 22ℓ5 t = 2ℓ5



OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g

Family of Russian standards GOST-1994 n = ℓ = 256 GOST-2012 n le ℓ = 512 HAIFA mode (aka Streebog)

GOST and HMAC-GOST standardized by IETF

Checksum (dashed lines) Larger state should increase the security



HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t

In HMAC key-dependant value used after the message Related-key attacks on the last block



Key recovery attack on HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

1 Recover the state of a short message2 Build a multicollision 23l4 messages with the same xlowast3 Query messages detect collisions g(x k oplusM) = g(x k oplusMprime)

Store (M oplusMprimeM) for 2ℓ2 collisions4 Find collisions g(x y) = g(x yprime) offline

Store (x oplus yprime y) for 2ℓ2 collisions5 Detect matchM oplusMprime = y oplus yprime With high probabilityM oplus k = y




IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result

The checksum actually make the hash function weaker HMAC-GOST-1994 is weaker than HMAC-SHA256 HMAC-GOST-2012 is weaker than HMAC-SHA512

It is important to recover the state of a short message For GOST-1994 we can recover the state of a short messagefrom a longer one using padding tricks Total complexity 23ℓ4

For GOST-2012 we use an advanced attackwith message length 2ℓ10 Total complexity 24ℓ5



Attack complexity

Function Mode ℓ s St rec Univ F K rec

SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192

Streebog HAIFA+120590 512 infin 2419 2419 2419



Conclusion

Be carefull with security proof

ldquoCBC-MAC is proven securerdquo does not meanldquoCBC-MAC-AES is a secure as AESrdquo

Most security proofs are up to the birthday bound Is 64-bit security enough

Donrsquot assume too much after the security bound of the proof Generic key-recovery for envelope-MAC AEZ HMAC-GOST

Gaps between proofs and attacks

Better generic attacks Better proofs



Thanks

Questions


Introduction

Hash-based MACs

State recovery attacks

Universal forgery attacks

Key-recovery attacks


Confidentiality and authenticity

Cryptography has two main objectivesConfidentiality keeping the message secret

Authenticity making sure the message is authentic

Authenticity is often more important than confidentiality Email signature Software update Credit cards Sensor networks Remote control (eg garage door car) Remote access (eg password authentication)

Authenticity achieved with signatures (asymmetric)or MACs (symmetric)




Alice BobM t












Alice

OXYGEN


xlarr $

x

ylarrMACpw(x)y





MAC Constructions







Security notions










CBC-MAC

P0

E

P1

E

P2

E

IV

C0 C1 C2





CBC-MAC

P0

E

P1

E

P2

E


































E

P1

E

P2

E

T






E

P1

E

P2

E Eprime

T






E

P1

E

P2

E

T

k1






E

P1

E

P2

Eprime

T






Ikx

yMAC


2 Query t =MAC(x m)

3 1114100y m t1114103 is a forgery




Ikx

y

mMAC


2 Query t =MAC(x m)

3 1114100y m t1114103 is a forgery




Ikx

y

mMAC


2 Query t =MAC(x m)

3 1114100y m t1114103 is a forgery




Ikx

y

mMAC


2 Query t =MAC(x m)

3 1114100y m t1114103 is a forgery

Problem






2nminus1



Limitations








Or is it




PMAC

E E

E

0L 1L 12L

A1 A2 A3

E E

E

0L 1L


pad





PMAC

E E

E

0L 1L 12L

A1 A2 A3

E E

E

0L 1L


pad



2L)






AEZ

E E E

E

9J 10J 11J

A1 A2 A3

E E E

E

9J 10J 8J

A1 A2 A3A3pad






Proofs





AEZ key recovery



OutlineIntroduction

MACsSecurity Proofs







Hash functions

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3H(M)ℓ ℓ

|M|

Ih






Hash functions

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3H(M)ℓ ℓ

|M|

Ig






Hash functions

h0ℓ

m0

x0

h1ℓ

m1

x1

h2ℓ

m2

x2 x3H(M)ℓ ℓ

|M|

Ig






Hash functions

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3H(M)ℓ n

|M|

Ih









Hash-based MACs






Secret-prefix MAC


MACk(M) = H(k M)


hℓ

k

x0hℓ

M

x1hℓ

2

x2MACk(M)

ℓI

hℓ

k

x0hℓ

M

x1hℓ

2

x2hℓ

P

x3hℓ

4

x4MACk(M 2 P)

ℓI







MACk(M) = H(M k)








MACk(M) = H(M k)


helliphellip

klowastklowast

C0 =C1 =

M0 =

⋯

M1 = ⋯


helliphellip

k0


MAC(M0) = H1114100MAC(M1) = H1114100

11141031114103







MACk(M) = H(k M k)











MACk(M) = H(k M k)









HMAC




SSL IPSEC





Hash-based MACs

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3MACk(M)

ℓ n

|M|

Ikgk












OutlineIntroduction

MACsSecurity Proofs







Bibliography







hℓ

m0

x0

hℓ

m1

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







hℓ

m0

x0

hℓ

m1

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK










x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk







x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk







x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk




hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

ccprime

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

ccprime

x2 x3MACk(M)

l n

|M|

Ikgk













Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Random Mappings

x0

x1

x2

x3x4

x5x6

x7





Several components



Random Mappings





Several components



Random Mappings





Several components



Cycle structure


Components 12 logN




Cycle structure


Components 12 logN





Success if





Cycle structure


Components 12 logN





Success if






hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACk(M)

ℓ n

|M|

Ikgk




M = r [0]2ℓ2 [1] [0]2ℓ2




M1 = r [0]2ℓ2+L [1] [0]2ℓ2 M2 = r [0]2ℓ2 [1] [0]2ℓ2+L







Analysis









Analysis



Cycle structure


Components 12 logN








Analysis











Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK






Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK





















Mi

Online Structure


$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

Mi

Offline Structure





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure









Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime




Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime

Offline Structure

Cost Build Test





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity




Diamond filters






Diamond filters






Diamond filters


Diamond filter








Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity














1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ


Com

plexity

HAIFA mode

1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ





OutlineIntroduction

MACsSecurity Proofs







Bibliography










Ik Mprime








Ik Mprime










IV Mprime








IV

1 bl

27 + 1 blm7mprime

7

1 bl

26 + 1 blm6mprime

6

1 bl

25 + 1 blm5mprime

5

1 bl

24 + 1 blm4mprime

4

1 bl

23 + 1 blm3mprime

3

1 bl

22 + 1 blm2mprime

2 hlowast










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆

















Ik

MAC(C)

hg

hg

hg

hg

hg

hg

hg

hg

hg

hg

g

Online Structure

$ g

$ g

$ g

$ g

$ g

$ g

2ℓminuss













Ik2s 2ℓ2

2sC

Online Structure





MAC(C|i 0d+L 1 02ℓ2) =MAC(C|i 0d 1 02


Ik2s 2ℓ2

2sC

Online Structure






Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs






Alice BobM t












Alice

OXYGEN


xlarr $

x

ylarrMACpw(x)y





MAC Constructions







Security notions










CBC-MAC

P0

E

P1

E

P2

E

IV

C0 C1 C2





CBC-MAC

P0

E

P1

E

P2

E


































E

P1

E

P2

E

T






E

P1

E

P2

E Eprime

T






E

P1

E

P2

E

T

k1






E

P1

E

P2

Eprime

T






Ikx

yMAC


2 Query t =MAC(x m)

3 1114100y m t1114103 is a forgery




Ikx

y

mMAC


2 Query t =MAC(x m)

3 1114100y m t1114103 is a forgery




Ikx

y

mMAC


2 Query t =MAC(x m)

3 1114100y m t1114103 is a forgery




Ikx

y

mMAC


2 Query t =MAC(x m)

3 1114100y m t1114103 is a forgery

Problem






2nminus1



Limitations








Or is it




PMAC

E E

E

0L 1L 12L

A1 A2 A3

E E

E

0L 1L


pad





PMAC

E E

E

0L 1L 12L

A1 A2 A3

E E

E

0L 1L


pad



2L)






AEZ

E E E

E

9J 10J 11J

A1 A2 A3

E E E

E

9J 10J 8J

A1 A2 A3A3pad






Proofs





AEZ key recovery



OutlineIntroduction

MACsSecurity Proofs







Hash functions

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3H(M)ℓ ℓ

|M|

Ih






Hash functions

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3H(M)ℓ ℓ

|M|

Ig






Hash functions

h0ℓ

m0

x0

h1ℓ

m1

x1

h2ℓ

m2

x2 x3H(M)ℓ ℓ

|M|

Ig






Hash functions

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3H(M)ℓ n

|M|

Ih









Hash-based MACs






Secret-prefix MAC


MACk(M) = H(k M)


hℓ

k

x0hℓ

M

x1hℓ

2

x2MACk(M)

ℓI

hℓ

k

x0hℓ

M

x1hℓ

2

x2hℓ

P

x3hℓ

4

x4MACk(M 2 P)

ℓI







MACk(M) = H(M k)








MACk(M) = H(M k)


helliphellip

klowastklowast

C0 =C1 =

M0 =

⋯

M1 = ⋯


helliphellip

k0


MAC(M0) = H1114100MAC(M1) = H1114100

11141031114103







MACk(M) = H(k M k)











MACk(M) = H(k M k)









HMAC




SSL IPSEC





Hash-based MACs

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3MACk(M)

ℓ n

|M|

Ikgk












OutlineIntroduction

MACsSecurity Proofs







Bibliography







hℓ

m0

x0

hℓ

m1

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







hℓ

m0

x0

hℓ

m1

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK










x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk







x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk







x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk




hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

ccprime

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

ccprime

x2 x3MACk(M)

l n

|M|

Ikgk













Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Random Mappings

x0

x1

x2

x3x4

x5x6

x7





Several components



Random Mappings





Several components



Random Mappings





Several components



Cycle structure


Components 12 logN




Cycle structure


Components 12 logN





Success if





Cycle structure


Components 12 logN





Success if






hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACk(M)

ℓ n

|M|

Ikgk




M = r [0]2ℓ2 [1] [0]2ℓ2




M1 = r [0]2ℓ2+L [1] [0]2ℓ2 M2 = r [0]2ℓ2 [1] [0]2ℓ2+L







Analysis









Analysis



Cycle structure


Components 12 logN








Analysis











Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK






Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK





















Mi

Online Structure


$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

Mi

Offline Structure





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure









Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime




Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime

Offline Structure

Cost Build Test





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity




Diamond filters






Diamond filters






Diamond filters


Diamond filter








Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity














1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ


Com

plexity

HAIFA mode

1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ





OutlineIntroduction

MACsSecurity Proofs







Bibliography










Ik Mprime








Ik Mprime










IV Mprime








IV

1 bl

27 + 1 blm7mprime

7

1 bl

26 + 1 blm6mprime

6

1 bl

25 + 1 blm5mprime

5

1 bl

24 + 1 blm4mprime

4

1 bl

23 + 1 blm3mprime

3

1 bl

22 + 1 blm2mprime

2 hlowast










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆

















Ik

MAC(C)

hg

hg

hg

hg

hg

hg

hg

hg

hg

hg

g

Online Structure

$ g

$ g

$ g

$ g

$ g

$ g

2ℓminuss













Ik2s 2ℓ2

2sC

Online Structure





MAC(C|i 0d+L 1 02ℓ2) =MAC(C|i 0d 1 02


Ik2s 2ℓ2

2sC

Online Structure






Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs













Alice

OXYGEN


xlarr $

x

ylarrMACpw(x)y





MAC Constructions







Security notions










CBC-MAC

P0

E

P1

E

P2

E

IV

C0 C1 C2





CBC-MAC

P0

E

P1

E

P2

E


































E

P1

E

P2

E

T






E

P1

E

P2

E Eprime

T






E

P1

E

P2

E

T

k1






E

P1

E

P2

Eprime

T






Ikx

yMAC


2 Query t =MAC(x m)

3 1114100y m t1114103 is a forgery




Ikx

y

mMAC


2 Query t =MAC(x m)

3 1114100y m t1114103 is a forgery




Ikx

y

mMAC


2 Query t =MAC(x m)

3 1114100y m t1114103 is a forgery




Ikx

y

mMAC


2 Query t =MAC(x m)

3 1114100y m t1114103 is a forgery

Problem






2nminus1



Limitations








Or is it




PMAC

E E

E

0L 1L 12L

A1 A2 A3

E E

E

0L 1L


pad





PMAC

E E

E

0L 1L 12L

A1 A2 A3

E E

E

0L 1L


pad



2L)






AEZ

E E E

E

9J 10J 11J

A1 A2 A3

E E E

E

9J 10J 8J

A1 A2 A3A3pad






Proofs





AEZ key recovery



OutlineIntroduction

MACsSecurity Proofs







Hash functions

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3H(M)ℓ ℓ

|M|

Ih






Hash functions

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3H(M)ℓ ℓ

|M|

Ig






Hash functions

h0ℓ

m0

x0

h1ℓ

m1

x1

h2ℓ

m2

x2 x3H(M)ℓ ℓ

|M|

Ig






Hash functions

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3H(M)ℓ n

|M|

Ih









Hash-based MACs






Secret-prefix MAC


MACk(M) = H(k M)


hℓ

k

x0hℓ

M

x1hℓ

2

x2MACk(M)

ℓI

hℓ

k

x0hℓ

M

x1hℓ

2

x2hℓ

P

x3hℓ

4

x4MACk(M 2 P)

ℓI







MACk(M) = H(M k)








MACk(M) = H(M k)


helliphellip

klowastklowast

C0 =C1 =

M0 =

⋯

M1 = ⋯


helliphellip

k0


MAC(M0) = H1114100MAC(M1) = H1114100

11141031114103







MACk(M) = H(k M k)











MACk(M) = H(k M k)









HMAC




SSL IPSEC





Hash-based MACs

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3MACk(M)

ℓ n

|M|

Ikgk












OutlineIntroduction

MACsSecurity Proofs







Bibliography







hℓ

m0

x0

hℓ

m1

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







hℓ

m0

x0

hℓ

m1

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK










x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk







x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk







x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk




hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

ccprime

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

ccprime

x2 x3MACk(M)

l n

|M|

Ikgk













Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Random Mappings

x0

x1

x2

x3x4

x5x6

x7





Several components



Random Mappings





Several components



Random Mappings





Several components



Cycle structure


Components 12 logN




Cycle structure


Components 12 logN





Success if





Cycle structure


Components 12 logN





Success if






hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACk(M)

ℓ n

|M|

Ikgk




M = r [0]2ℓ2 [1] [0]2ℓ2




M1 = r [0]2ℓ2+L [1] [0]2ℓ2 M2 = r [0]2ℓ2 [1] [0]2ℓ2+L







Analysis









Analysis



Cycle structure


Components 12 logN








Analysis











Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK






Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK





















Mi

Online Structure


$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

Mi

Offline Structure





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure









Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime




Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime

Offline Structure

Cost Build Test





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity




Diamond filters






Diamond filters






Diamond filters


Diamond filter








Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity














1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ


Com

plexity

HAIFA mode

1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ





OutlineIntroduction

MACsSecurity Proofs







Bibliography










Ik Mprime








Ik Mprime










IV Mprime








IV

1 bl

27 + 1 blm7mprime

7

1 bl

26 + 1 blm6mprime

6

1 bl

25 + 1 blm5mprime

5

1 bl

24 + 1 blm4mprime

4

1 bl

23 + 1 blm3mprime

3

1 bl

22 + 1 blm2mprime

2 hlowast










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆

















Ik

MAC(C)

hg

hg

hg

hg

hg

hg

hg

hg

hg

hg

g

Online Structure

$ g

$ g

$ g

$ g

$ g

$ g

2ℓminuss













Ik2s 2ℓ2

2sC

Online Structure





MAC(C|i 0d+L 1 02ℓ2) =MAC(C|i 0d 1 02


Ik2s 2ℓ2

2sC

Online Structure






Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs





MAC Constructions







Security notions










CBC-MAC

P0

E

P1

E

P2

E

IV

C0 C1 C2





CBC-MAC

P0

E

P1

E

P2

E


































E

P1

E

P2

E

T






E

P1

E

P2

E Eprime

T






E

P1

E

P2

E

T

k1






E

P1

E

P2

Eprime

T






Ikx

yMAC


2 Query t =MAC(x m)

3 1114100y m t1114103 is a forgery




Ikx

y

mMAC


2 Query t =MAC(x m)

3 1114100y m t1114103 is a forgery




Ikx

y

mMAC


2 Query t =MAC(x m)

3 1114100y m t1114103 is a forgery




Ikx

y

mMAC


2 Query t =MAC(x m)

3 1114100y m t1114103 is a forgery

Problem






2nminus1



Limitations








Or is it




PMAC

E E

E

0L 1L 12L

A1 A2 A3

E E

E

0L 1L


pad





PMAC

E E

E

0L 1L 12L

A1 A2 A3

E E

E

0L 1L


pad



2L)






AEZ

E E E

E

9J 10J 11J

A1 A2 A3

E E E

E

9J 10J 8J

A1 A2 A3A3pad






Proofs





AEZ key recovery



OutlineIntroduction

MACsSecurity Proofs







Hash functions

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3H(M)ℓ ℓ

|M|

Ih






Hash functions

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3H(M)ℓ ℓ

|M|

Ig






Hash functions

h0ℓ

m0

x0

h1ℓ

m1

x1

h2ℓ

m2

x2 x3H(M)ℓ ℓ

|M|

Ig






Hash functions

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3H(M)ℓ n

|M|

Ih









Hash-based MACs






Secret-prefix MAC


MACk(M) = H(k M)


hℓ

k

x0hℓ

M

x1hℓ

2

x2MACk(M)

ℓI

hℓ

k

x0hℓ

M

x1hℓ

2

x2hℓ

P

x3hℓ

4

x4MACk(M 2 P)

ℓI







MACk(M) = H(M k)








MACk(M) = H(M k)


helliphellip

klowastklowast

C0 =C1 =

M0 =

⋯

M1 = ⋯


helliphellip

k0


MAC(M0) = H1114100MAC(M1) = H1114100

11141031114103







MACk(M) = H(k M k)











MACk(M) = H(k M k)









HMAC




SSL IPSEC





Hash-based MACs

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3MACk(M)

ℓ n

|M|

Ikgk












OutlineIntroduction

MACsSecurity Proofs







Bibliography







hℓ

m0

x0

hℓ

m1

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







hℓ

m0

x0

hℓ

m1

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK










x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk







x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk







x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk




hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

ccprime

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

ccprime

x2 x3MACk(M)

l n

|M|

Ikgk













Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Random Mappings

x0

x1

x2

x3x4

x5x6

x7





Several components



Random Mappings





Several components



Random Mappings





Several components



Cycle structure


Components 12 logN




Cycle structure


Components 12 logN





Success if





Cycle structure


Components 12 logN





Success if






hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACk(M)

ℓ n

|M|

Ikgk




M = r [0]2ℓ2 [1] [0]2ℓ2




M1 = r [0]2ℓ2+L [1] [0]2ℓ2 M2 = r [0]2ℓ2 [1] [0]2ℓ2+L







Analysis









Analysis



Cycle structure


Components 12 logN








Analysis











Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK






Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK





















Mi

Online Structure


$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

Mi

Offline Structure





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure









Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime




Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime

Offline Structure

Cost Build Test





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity




Diamond filters






Diamond filters






Diamond filters


Diamond filter








Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity














1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ


Com

plexity

HAIFA mode

1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ





OutlineIntroduction

MACsSecurity Proofs







Bibliography










Ik Mprime








Ik Mprime










IV Mprime








IV

1 bl

27 + 1 blm7mprime

7

1 bl

26 + 1 blm6mprime

6

1 bl

25 + 1 blm5mprime

5

1 bl

24 + 1 blm4mprime

4

1 bl

23 + 1 blm3mprime

3

1 bl

22 + 1 blm2mprime

2 hlowast










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆

















Ik

MAC(C)

hg

hg

hg

hg

hg

hg

hg

hg

hg

hg

g

Online Structure

$ g

$ g

$ g

$ g

$ g

$ g

2ℓminuss













Ik2s 2ℓ2

2sC

Online Structure





MAC(C|i 0d+L 1 02ℓ2) =MAC(C|i 0d 1 02


Ik2s 2ℓ2

2sC

Online Structure






Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs





Security notions










CBC-MAC

P0

E

P1

E

P2

E

IV

C0 C1 C2





CBC-MAC

P0

E

P1

E

P2

E


































E

P1

E

P2

E

T






E

P1

E

P2

E Eprime

T






E

P1

E

P2

E

T

k1






E

P1

E

P2

Eprime

T






Ikx

yMAC


2 Query t =MAC(x m)

3 1114100y m t1114103 is a forgery




Ikx

y

mMAC


2 Query t =MAC(x m)

3 1114100y m t1114103 is a forgery




Ikx

y

mMAC


2 Query t =MAC(x m)

3 1114100y m t1114103 is a forgery




Ikx

y

mMAC


2 Query t =MAC(x m)

3 1114100y m t1114103 is a forgery

Problem






2nminus1



Limitations








Or is it




PMAC

E E

E

0L 1L 12L

A1 A2 A3

E E

E

0L 1L


pad





PMAC

E E

E

0L 1L 12L

A1 A2 A3

E E

E

0L 1L


pad



2L)






AEZ

E E E

E

9J 10J 11J

A1 A2 A3

E E E

E

9J 10J 8J

A1 A2 A3A3pad






Proofs





AEZ key recovery



OutlineIntroduction

MACsSecurity Proofs







Hash functions

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3H(M)ℓ ℓ

|M|

Ih






Hash functions

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3H(M)ℓ ℓ

|M|

Ig






Hash functions

h0ℓ

m0

x0

h1ℓ

m1

x1

h2ℓ

m2

x2 x3H(M)ℓ ℓ

|M|

Ig






Hash functions

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3H(M)ℓ n

|M|

Ih









Hash-based MACs






Secret-prefix MAC


MACk(M) = H(k M)


hℓ

k

x0hℓ

M

x1hℓ

2

x2MACk(M)

ℓI

hℓ

k

x0hℓ

M

x1hℓ

2

x2hℓ

P

x3hℓ

4

x4MACk(M 2 P)

ℓI







MACk(M) = H(M k)








MACk(M) = H(M k)


helliphellip

klowastklowast

C0 =C1 =

M0 =

⋯

M1 = ⋯


helliphellip

k0


MAC(M0) = H1114100MAC(M1) = H1114100

11141031114103







MACk(M) = H(k M k)











MACk(M) = H(k M k)









HMAC




SSL IPSEC





Hash-based MACs

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3MACk(M)

ℓ n

|M|

Ikgk












OutlineIntroduction

MACsSecurity Proofs







Bibliography







hℓ

m0

x0

hℓ

m1

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







hℓ

m0

x0

hℓ

m1

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK










x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk







x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk







x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk




hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

ccprime

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

ccprime

x2 x3MACk(M)

l n

|M|

Ikgk













Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Random Mappings

x0

x1

x2

x3x4

x5x6

x7





Several components



Random Mappings





Several components



Random Mappings





Several components



Cycle structure


Components 12 logN




Cycle structure


Components 12 logN





Success if





Cycle structure


Components 12 logN





Success if






hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACk(M)

ℓ n

|M|

Ikgk




M = r [0]2ℓ2 [1] [0]2ℓ2




M1 = r [0]2ℓ2+L [1] [0]2ℓ2 M2 = r [0]2ℓ2 [1] [0]2ℓ2+L







Analysis









Analysis



Cycle structure


Components 12 logN








Analysis











Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK






Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK





















Mi

Online Structure


$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

Mi

Offline Structure





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure









Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime




Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime

Offline Structure

Cost Build Test





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity




Diamond filters






Diamond filters






Diamond filters


Diamond filter








Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity














1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ


Com

plexity

HAIFA mode

1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ





OutlineIntroduction

MACsSecurity Proofs







Bibliography










Ik Mprime








Ik Mprime










IV Mprime








IV

1 bl

27 + 1 blm7mprime

7

1 bl

26 + 1 blm6mprime

6

1 bl

25 + 1 blm5mprime

5

1 bl

24 + 1 blm4mprime

4

1 bl

23 + 1 blm3mprime

3

1 bl

22 + 1 blm2mprime

2 hlowast










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆

















Ik

MAC(C)

hg

hg

hg

hg

hg

hg

hg

hg

hg

hg

g

Online Structure

$ g

$ g

$ g

$ g

$ g

$ g

2ℓminuss













Ik2s 2ℓ2

2sC

Online Structure





MAC(C|i 0d+L 1 02ℓ2) =MAC(C|i 0d 1 02


Ik2s 2ℓ2

2sC

Online Structure






Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs





CBC-MAC

P0

E

P1

E

P2

E

IV

C0 C1 C2





CBC-MAC

P0

E

P1

E

P2

E


































E

P1

E

P2

E

T






E

P1

E

P2

E Eprime

T






E

P1

E

P2

E

T

k1






E

P1

E

P2

Eprime

T






Ikx

yMAC


2 Query t =MAC(x m)

3 1114100y m t1114103 is a forgery




Ikx

y

mMAC


2 Query t =MAC(x m)

3 1114100y m t1114103 is a forgery




Ikx

y

mMAC


2 Query t =MAC(x m)

3 1114100y m t1114103 is a forgery




Ikx

y

mMAC


2 Query t =MAC(x m)

3 1114100y m t1114103 is a forgery

Problem






2nminus1



Limitations








Or is it




PMAC

E E

E

0L 1L 12L

A1 A2 A3

E E

E

0L 1L


pad





PMAC

E E

E

0L 1L 12L

A1 A2 A3

E E

E

0L 1L


pad



2L)






AEZ

E E E

E

9J 10J 11J

A1 A2 A3

E E E

E

9J 10J 8J

A1 A2 A3A3pad






Proofs





AEZ key recovery



OutlineIntroduction

MACsSecurity Proofs







Hash functions

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3H(M)ℓ ℓ

|M|

Ih






Hash functions

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3H(M)ℓ ℓ

|M|

Ig






Hash functions

h0ℓ

m0

x0

h1ℓ

m1

x1

h2ℓ

m2

x2 x3H(M)ℓ ℓ

|M|

Ig






Hash functions

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3H(M)ℓ n

|M|

Ih









Hash-based MACs






Secret-prefix MAC


MACk(M) = H(k M)


hℓ

k

x0hℓ

M

x1hℓ

2

x2MACk(M)

ℓI

hℓ

k

x0hℓ

M

x1hℓ

2

x2hℓ

P

x3hℓ

4

x4MACk(M 2 P)

ℓI







MACk(M) = H(M k)








MACk(M) = H(M k)


helliphellip

klowastklowast

C0 =C1 =

M0 =

⋯

M1 = ⋯


helliphellip

k0


MAC(M0) = H1114100MAC(M1) = H1114100

11141031114103







MACk(M) = H(k M k)











MACk(M) = H(k M k)









HMAC




SSL IPSEC





Hash-based MACs

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3MACk(M)

ℓ n

|M|

Ikgk












OutlineIntroduction

MACsSecurity Proofs







Bibliography







hℓ

m0

x0

hℓ

m1

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







hℓ

m0

x0

hℓ

m1

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK










x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk







x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk







x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk




hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

ccprime

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

ccprime

x2 x3MACk(M)

l n

|M|

Ikgk













Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Random Mappings

x0

x1

x2

x3x4

x5x6

x7





Several components



Random Mappings





Several components



Random Mappings





Several components



Cycle structure


Components 12 logN




Cycle structure


Components 12 logN





Success if





Cycle structure


Components 12 logN





Success if






hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACk(M)

ℓ n

|M|

Ikgk




M = r [0]2ℓ2 [1] [0]2ℓ2




M1 = r [0]2ℓ2+L [1] [0]2ℓ2 M2 = r [0]2ℓ2 [1] [0]2ℓ2+L







Analysis









Analysis



Cycle structure


Components 12 logN








Analysis











Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK






Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK





















Mi

Online Structure


$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

Mi

Offline Structure





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure









Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime




Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime

Offline Structure

Cost Build Test





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity




Diamond filters






Diamond filters






Diamond filters


Diamond filter








Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity














1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ


Com

plexity

HAIFA mode

1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ





OutlineIntroduction

MACsSecurity Proofs







Bibliography










Ik Mprime








Ik Mprime










IV Mprime








IV

1 bl

27 + 1 blm7mprime

7

1 bl

26 + 1 blm6mprime

6

1 bl

25 + 1 blm5mprime

5

1 bl

24 + 1 blm4mprime

4

1 bl

23 + 1 blm3mprime

3

1 bl

22 + 1 blm2mprime

2 hlowast










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆

















Ik

MAC(C)

hg

hg

hg

hg

hg

hg

hg

hg

hg

hg

g

Online Structure

$ g

$ g

$ g

$ g

$ g

$ g

2ℓminuss













Ik2s 2ℓ2

2sC

Online Structure





MAC(C|i 0d+L 1 02ℓ2) =MAC(C|i 0d 1 02


Ik2s 2ℓ2

2sC

Online Structure






Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs





CBC-MAC

P0

E

P1

E

P2

E


































E

P1

E

P2

E

T






E

P1

E

P2

E Eprime

T






E

P1

E

P2

E

T

k1






E

P1

E

P2

Eprime

T






Ikx

yMAC


2 Query t =MAC(x m)

3 1114100y m t1114103 is a forgery




Ikx

y

mMAC


2 Query t =MAC(x m)

3 1114100y m t1114103 is a forgery




Ikx

y

mMAC


2 Query t =MAC(x m)

3 1114100y m t1114103 is a forgery




Ikx

y

mMAC


2 Query t =MAC(x m)

3 1114100y m t1114103 is a forgery

Problem






2nminus1



Limitations








Or is it




PMAC

E E

E

0L 1L 12L

A1 A2 A3

E E

E

0L 1L


pad





PMAC

E E

E

0L 1L 12L

A1 A2 A3

E E

E

0L 1L


pad



2L)






AEZ

E E E

E

9J 10J 11J

A1 A2 A3

E E E

E

9J 10J 8J

A1 A2 A3A3pad






Proofs





AEZ key recovery



OutlineIntroduction

MACsSecurity Proofs







Hash functions

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3H(M)ℓ ℓ

|M|

Ih






Hash functions

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3H(M)ℓ ℓ

|M|

Ig






Hash functions

h0ℓ

m0

x0

h1ℓ

m1

x1

h2ℓ

m2

x2 x3H(M)ℓ ℓ

|M|

Ig






Hash functions

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3H(M)ℓ n

|M|

Ih









Hash-based MACs






Secret-prefix MAC


MACk(M) = H(k M)


hℓ

k

x0hℓ

M

x1hℓ

2

x2MACk(M)

ℓI

hℓ

k

x0hℓ

M

x1hℓ

2

x2hℓ

P

x3hℓ

4

x4MACk(M 2 P)

ℓI







MACk(M) = H(M k)








MACk(M) = H(M k)


helliphellip

klowastklowast

C0 =C1 =

M0 =

⋯

M1 = ⋯


helliphellip

k0


MAC(M0) = H1114100MAC(M1) = H1114100

11141031114103







MACk(M) = H(k M k)











MACk(M) = H(k M k)









HMAC




SSL IPSEC





Hash-based MACs

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3MACk(M)

ℓ n

|M|

Ikgk












OutlineIntroduction

MACsSecurity Proofs







Bibliography







hℓ

m0

x0

hℓ

m1

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







hℓ

m0

x0

hℓ

m1

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK










x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk







x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk







x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk




hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

ccprime

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

ccprime

x2 x3MACk(M)

l n

|M|

Ikgk













Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Random Mappings

x0

x1

x2

x3x4

x5x6

x7





Several components



Random Mappings





Several components



Random Mappings





Several components



Cycle structure


Components 12 logN




Cycle structure


Components 12 logN





Success if





Cycle structure


Components 12 logN





Success if






hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACk(M)

ℓ n

|M|

Ikgk




M = r [0]2ℓ2 [1] [0]2ℓ2




M1 = r [0]2ℓ2+L [1] [0]2ℓ2 M2 = r [0]2ℓ2 [1] [0]2ℓ2+L







Analysis









Analysis



Cycle structure


Components 12 logN








Analysis











Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK






Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK





















Mi

Online Structure


$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

Mi

Offline Structure





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure









Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime




Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime

Offline Structure

Cost Build Test





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity




Diamond filters






Diamond filters






Diamond filters


Diamond filter








Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity














1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ


Com

plexity

HAIFA mode

1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ





OutlineIntroduction

MACsSecurity Proofs







Bibliography










Ik Mprime








Ik Mprime










IV Mprime








IV

1 bl

27 + 1 blm7mprime

7

1 bl

26 + 1 blm6mprime

6

1 bl

25 + 1 blm5mprime

5

1 bl

24 + 1 blm4mprime

4

1 bl

23 + 1 blm3mprime

3

1 bl

22 + 1 blm2mprime

2 hlowast










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆

















Ik

MAC(C)

hg

hg

hg

hg

hg

hg

hg

hg

hg

hg

g

Online Structure

$ g

$ g

$ g

$ g

$ g

$ g

2ℓminuss













Ik2s 2ℓ2

2sC

Online Structure





MAC(C|i 0d+L 1 02ℓ2) =MAC(C|i 0d 1 02


Ik2s 2ℓ2

2sC

Online Structure






Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs


































E

P1

E

P2

E

T






E

P1

E

P2

E Eprime

T






E

P1

E

P2

E

T

k1






E

P1

E

P2

Eprime

T






Ikx

yMAC


2 Query t =MAC(x m)

3 1114100y m t1114103 is a forgery




Ikx

y

mMAC


2 Query t =MAC(x m)

3 1114100y m t1114103 is a forgery




Ikx

y

mMAC


2 Query t =MAC(x m)

3 1114100y m t1114103 is a forgery




Ikx

y

mMAC


2 Query t =MAC(x m)

3 1114100y m t1114103 is a forgery

Problem






2nminus1



Limitations








Or is it




PMAC

E E

E

0L 1L 12L

A1 A2 A3

E E

E

0L 1L


pad





PMAC

E E

E

0L 1L 12L

A1 A2 A3

E E

E

0L 1L


pad



2L)






AEZ

E E E

E

9J 10J 11J

A1 A2 A3

E E E

E

9J 10J 8J

A1 A2 A3A3pad






Proofs





AEZ key recovery



OutlineIntroduction

MACsSecurity Proofs







Hash functions

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3H(M)ℓ ℓ

|M|

Ih






Hash functions

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3H(M)ℓ ℓ

|M|

Ig






Hash functions

h0ℓ

m0

x0

h1ℓ

m1

x1

h2ℓ

m2

x2 x3H(M)ℓ ℓ

|M|

Ig






Hash functions

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3H(M)ℓ n

|M|

Ih









Hash-based MACs






Secret-prefix MAC


MACk(M) = H(k M)


hℓ

k

x0hℓ

M

x1hℓ

2

x2MACk(M)

ℓI

hℓ

k

x0hℓ

M

x1hℓ

2

x2hℓ

P

x3hℓ

4

x4MACk(M 2 P)

ℓI







MACk(M) = H(M k)








MACk(M) = H(M k)


helliphellip

klowastklowast

C0 =C1 =

M0 =

⋯

M1 = ⋯


helliphellip

k0


MAC(M0) = H1114100MAC(M1) = H1114100

11141031114103







MACk(M) = H(k M k)











MACk(M) = H(k M k)









HMAC




SSL IPSEC





Hash-based MACs

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3MACk(M)

ℓ n

|M|

Ikgk












OutlineIntroduction

MACsSecurity Proofs







Bibliography







hℓ

m0

x0

hℓ

m1

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







hℓ

m0

x0

hℓ

m1

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK










x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk







x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk







x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk




hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

ccprime

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

ccprime

x2 x3MACk(M)

l n

|M|

Ikgk













Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Random Mappings

x0

x1

x2

x3x4

x5x6

x7





Several components



Random Mappings





Several components



Random Mappings





Several components



Cycle structure


Components 12 logN




Cycle structure


Components 12 logN





Success if





Cycle structure


Components 12 logN





Success if






hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACk(M)

ℓ n

|M|

Ikgk




M = r [0]2ℓ2 [1] [0]2ℓ2




M1 = r [0]2ℓ2+L [1] [0]2ℓ2 M2 = r [0]2ℓ2 [1] [0]2ℓ2+L







Analysis









Analysis



Cycle structure


Components 12 logN








Analysis











Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK






Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK





















Mi

Online Structure


$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

Mi

Offline Structure





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure









Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime




Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime

Offline Structure

Cost Build Test





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity




Diamond filters






Diamond filters






Diamond filters


Diamond filter








Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity














1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ


Com

plexity

HAIFA mode

1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ





OutlineIntroduction

MACsSecurity Proofs







Bibliography










Ik Mprime








Ik Mprime










IV Mprime








IV

1 bl

27 + 1 blm7mprime

7

1 bl

26 + 1 blm6mprime

6

1 bl

25 + 1 blm5mprime

5

1 bl

24 + 1 blm4mprime

4

1 bl

23 + 1 blm3mprime

3

1 bl

22 + 1 blm2mprime

2 hlowast










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆

















Ik

MAC(C)

hg

hg

hg

hg

hg

hg

hg

hg

hg

hg

g

Online Structure

$ g

$ g

$ g

$ g

$ g

$ g

2ℓminuss













Ik2s 2ℓ2

2sC

Online Structure





MAC(C|i 0d+L 1 02ℓ2) =MAC(C|i 0d 1 02


Ik2s 2ℓ2

2sC

Online Structure






Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs






E

P1

E

P2

E Eprime

T






E

P1

E

P2

E

T

k1






E

P1

E

P2

Eprime

T






Ikx

yMAC


2 Query t =MAC(x m)

3 1114100y m t1114103 is a forgery




Ikx

y

mMAC


2 Query t =MAC(x m)

3 1114100y m t1114103 is a forgery




Ikx

y

mMAC


2 Query t =MAC(x m)

3 1114100y m t1114103 is a forgery




Ikx

y

mMAC


2 Query t =MAC(x m)

3 1114100y m t1114103 is a forgery

Problem






2nminus1



Limitations








Or is it




PMAC

E E

E

0L 1L 12L

A1 A2 A3

E E

E

0L 1L


pad





PMAC

E E

E

0L 1L 12L

A1 A2 A3

E E

E

0L 1L


pad



2L)






AEZ

E E E

E

9J 10J 11J

A1 A2 A3

E E E

E

9J 10J 8J

A1 A2 A3A3pad






Proofs





AEZ key recovery



OutlineIntroduction

MACsSecurity Proofs







Hash functions

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3H(M)ℓ ℓ

|M|

Ih






Hash functions

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3H(M)ℓ ℓ

|M|

Ig






Hash functions

h0ℓ

m0

x0

h1ℓ

m1

x1

h2ℓ

m2

x2 x3H(M)ℓ ℓ

|M|

Ig






Hash functions

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3H(M)ℓ n

|M|

Ih









Hash-based MACs






Secret-prefix MAC


MACk(M) = H(k M)


hℓ

k

x0hℓ

M

x1hℓ

2

x2MACk(M)

ℓI

hℓ

k

x0hℓ

M

x1hℓ

2

x2hℓ

P

x3hℓ

4

x4MACk(M 2 P)

ℓI







MACk(M) = H(M k)








MACk(M) = H(M k)


helliphellip

klowastklowast

C0 =C1 =

M0 =

⋯

M1 = ⋯


helliphellip

k0


MAC(M0) = H1114100MAC(M1) = H1114100

11141031114103







MACk(M) = H(k M k)











MACk(M) = H(k M k)









HMAC




SSL IPSEC





Hash-based MACs

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3MACk(M)

ℓ n

|M|

Ikgk












OutlineIntroduction

MACsSecurity Proofs







Bibliography







hℓ

m0

x0

hℓ

m1

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







hℓ

m0

x0

hℓ

m1

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK










x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk







x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk







x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk




hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

ccprime

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

ccprime

x2 x3MACk(M)

l n

|M|

Ikgk













Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Random Mappings

x0

x1

x2

x3x4

x5x6

x7





Several components



Random Mappings





Several components



Random Mappings





Several components



Cycle structure


Components 12 logN




Cycle structure


Components 12 logN





Success if





Cycle structure


Components 12 logN





Success if






hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACk(M)

ℓ n

|M|

Ikgk




M = r [0]2ℓ2 [1] [0]2ℓ2




M1 = r [0]2ℓ2+L [1] [0]2ℓ2 M2 = r [0]2ℓ2 [1] [0]2ℓ2+L







Analysis









Analysis



Cycle structure


Components 12 logN








Analysis











Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK






Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK





















Mi

Online Structure


$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

Mi

Offline Structure





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure









Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime




Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime

Offline Structure

Cost Build Test





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity




Diamond filters






Diamond filters






Diamond filters


Diamond filter








Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity














1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ


Com

plexity

HAIFA mode

1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ





OutlineIntroduction

MACsSecurity Proofs







Bibliography










Ik Mprime








Ik Mprime










IV Mprime








IV

1 bl

27 + 1 blm7mprime

7

1 bl

26 + 1 blm6mprime

6

1 bl

25 + 1 blm5mprime

5

1 bl

24 + 1 blm4mprime

4

1 bl

23 + 1 blm3mprime

3

1 bl

22 + 1 blm2mprime

2 hlowast










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆

















Ik

MAC(C)

hg

hg

hg

hg

hg

hg

hg

hg

hg

hg

g

Online Structure

$ g

$ g

$ g

$ g

$ g

$ g

2ℓminuss













Ik2s 2ℓ2

2sC

Online Structure





MAC(C|i 0d+L 1 02ℓ2) =MAC(C|i 0d 1 02


Ik2s 2ℓ2

2sC

Online Structure






Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs






E

P1

E

P2

E

T

k1






E

P1

E

P2

Eprime

T






Ikx

yMAC


2 Query t =MAC(x m)

3 1114100y m t1114103 is a forgery




Ikx

y

mMAC


2 Query t =MAC(x m)

3 1114100y m t1114103 is a forgery




Ikx

y

mMAC


2 Query t =MAC(x m)

3 1114100y m t1114103 is a forgery




Ikx

y

mMAC


2 Query t =MAC(x m)

3 1114100y m t1114103 is a forgery

Problem






2nminus1



Limitations








Or is it




PMAC

E E

E

0L 1L 12L

A1 A2 A3

E E

E

0L 1L


pad





PMAC

E E

E

0L 1L 12L

A1 A2 A3

E E

E

0L 1L


pad



2L)






AEZ

E E E

E

9J 10J 11J

A1 A2 A3

E E E

E

9J 10J 8J

A1 A2 A3A3pad






Proofs





AEZ key recovery



OutlineIntroduction

MACsSecurity Proofs







Hash functions

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3H(M)ℓ ℓ

|M|

Ih






Hash functions

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3H(M)ℓ ℓ

|M|

Ig






Hash functions

h0ℓ

m0

x0

h1ℓ

m1

x1

h2ℓ

m2

x2 x3H(M)ℓ ℓ

|M|

Ig






Hash functions

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3H(M)ℓ n

|M|

Ih









Hash-based MACs






Secret-prefix MAC


MACk(M) = H(k M)


hℓ

k

x0hℓ

M

x1hℓ

2

x2MACk(M)

ℓI

hℓ

k

x0hℓ

M

x1hℓ

2

x2hℓ

P

x3hℓ

4

x4MACk(M 2 P)

ℓI







MACk(M) = H(M k)








MACk(M) = H(M k)


helliphellip

klowastklowast

C0 =C1 =

M0 =

⋯

M1 = ⋯


helliphellip

k0


MAC(M0) = H1114100MAC(M1) = H1114100

11141031114103







MACk(M) = H(k M k)











MACk(M) = H(k M k)









HMAC




SSL IPSEC





Hash-based MACs

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3MACk(M)

ℓ n

|M|

Ikgk












OutlineIntroduction

MACsSecurity Proofs







Bibliography







hℓ

m0

x0

hℓ

m1

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







hℓ

m0

x0

hℓ

m1

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK










x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk







x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk







x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk




hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

ccprime

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

ccprime

x2 x3MACk(M)

l n

|M|

Ikgk













Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Random Mappings

x0

x1

x2

x3x4

x5x6

x7





Several components



Random Mappings





Several components



Random Mappings





Several components



Cycle structure


Components 12 logN




Cycle structure


Components 12 logN





Success if





Cycle structure


Components 12 logN





Success if






hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACk(M)

ℓ n

|M|

Ikgk




M = r [0]2ℓ2 [1] [0]2ℓ2




M1 = r [0]2ℓ2+L [1] [0]2ℓ2 M2 = r [0]2ℓ2 [1] [0]2ℓ2+L







Analysis









Analysis



Cycle structure


Components 12 logN








Analysis











Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK






Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK





















Mi

Online Structure


$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

Mi

Offline Structure





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure









Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime




Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime

Offline Structure

Cost Build Test





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity




Diamond filters






Diamond filters






Diamond filters


Diamond filter








Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity














1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ


Com

plexity

HAIFA mode

1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ





OutlineIntroduction

MACsSecurity Proofs







Bibliography










Ik Mprime








Ik Mprime










IV Mprime








IV

1 bl

27 + 1 blm7mprime

7

1 bl

26 + 1 blm6mprime

6

1 bl

25 + 1 blm5mprime

5

1 bl

24 + 1 blm4mprime

4

1 bl

23 + 1 blm3mprime

3

1 bl

22 + 1 blm2mprime

2 hlowast










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆

















Ik

MAC(C)

hg

hg

hg

hg

hg

hg

hg

hg

hg

hg

g

Online Structure

$ g

$ g

$ g

$ g

$ g

$ g

2ℓminuss













Ik2s 2ℓ2

2sC

Online Structure





MAC(C|i 0d+L 1 02ℓ2) =MAC(C|i 0d 1 02


Ik2s 2ℓ2

2sC

Online Structure






Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs






E

P1

E

P2

Eprime

T






Ikx

yMAC


2 Query t =MAC(x m)

3 1114100y m t1114103 is a forgery




Ikx

y

mMAC


2 Query t =MAC(x m)

3 1114100y m t1114103 is a forgery




Ikx

y

mMAC


2 Query t =MAC(x m)

3 1114100y m t1114103 is a forgery




Ikx

y

mMAC


2 Query t =MAC(x m)

3 1114100y m t1114103 is a forgery

Problem






2nminus1



Limitations








Or is it




PMAC

E E

E

0L 1L 12L

A1 A2 A3

E E

E

0L 1L


pad





PMAC

E E

E

0L 1L 12L

A1 A2 A3

E E

E

0L 1L


pad



2L)






AEZ

E E E

E

9J 10J 11J

A1 A2 A3

E E E

E

9J 10J 8J

A1 A2 A3A3pad






Proofs





AEZ key recovery



OutlineIntroduction

MACsSecurity Proofs







Hash functions

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3H(M)ℓ ℓ

|M|

Ih






Hash functions

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3H(M)ℓ ℓ

|M|

Ig






Hash functions

h0ℓ

m0

x0

h1ℓ

m1

x1

h2ℓ

m2

x2 x3H(M)ℓ ℓ

|M|

Ig






Hash functions

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3H(M)ℓ n

|M|

Ih









Hash-based MACs






Secret-prefix MAC


MACk(M) = H(k M)


hℓ

k

x0hℓ

M

x1hℓ

2

x2MACk(M)

ℓI

hℓ

k

x0hℓ

M

x1hℓ

2

x2hℓ

P

x3hℓ

4

x4MACk(M 2 P)

ℓI







MACk(M) = H(M k)








MACk(M) = H(M k)


helliphellip

klowastklowast

C0 =C1 =

M0 =

⋯

M1 = ⋯


helliphellip

k0


MAC(M0) = H1114100MAC(M1) = H1114100

11141031114103







MACk(M) = H(k M k)











MACk(M) = H(k M k)









HMAC




SSL IPSEC





Hash-based MACs

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3MACk(M)

ℓ n

|M|

Ikgk












OutlineIntroduction

MACsSecurity Proofs







Bibliography







hℓ

m0

x0

hℓ

m1

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







hℓ

m0

x0

hℓ

m1

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK










x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk







x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk







x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk




hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

ccprime

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

ccprime

x2 x3MACk(M)

l n

|M|

Ikgk













Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Random Mappings

x0

x1

x2

x3x4

x5x6

x7





Several components



Random Mappings





Several components



Random Mappings





Several components



Cycle structure


Components 12 logN




Cycle structure


Components 12 logN





Success if





Cycle structure


Components 12 logN





Success if






hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACk(M)

ℓ n

|M|

Ikgk




M = r [0]2ℓ2 [1] [0]2ℓ2




M1 = r [0]2ℓ2+L [1] [0]2ℓ2 M2 = r [0]2ℓ2 [1] [0]2ℓ2+L







Analysis









Analysis



Cycle structure


Components 12 logN








Analysis











Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK






Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK





















Mi

Online Structure


$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

Mi

Offline Structure





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure









Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime




Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime

Offline Structure

Cost Build Test





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity




Diamond filters






Diamond filters






Diamond filters


Diamond filter








Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity














1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ


Com

plexity

HAIFA mode

1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ





OutlineIntroduction

MACsSecurity Proofs







Bibliography










Ik Mprime








Ik Mprime










IV Mprime








IV

1 bl

27 + 1 blm7mprime

7

1 bl

26 + 1 blm6mprime

6

1 bl

25 + 1 blm5mprime

5

1 bl

24 + 1 blm4mprime

4

1 bl

23 + 1 blm3mprime

3

1 bl

22 + 1 blm2mprime

2 hlowast










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆

















Ik

MAC(C)

hg

hg

hg

hg

hg

hg

hg

hg

hg

hg

g

Online Structure

$ g

$ g

$ g

$ g

$ g

$ g

2ℓminuss













Ik2s 2ℓ2

2sC

Online Structure





MAC(C|i 0d+L 1 02ℓ2) =MAC(C|i 0d 1 02


Ik2s 2ℓ2

2sC

Online Structure






Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs






Ikx

yMAC


2 Query t =MAC(x m)

3 1114100y m t1114103 is a forgery




Ikx

y

mMAC


2 Query t =MAC(x m)

3 1114100y m t1114103 is a forgery




Ikx

y

mMAC


2 Query t =MAC(x m)

3 1114100y m t1114103 is a forgery




Ikx

y

mMAC


2 Query t =MAC(x m)

3 1114100y m t1114103 is a forgery

Problem






2nminus1



Limitations








Or is it




PMAC

E E

E

0L 1L 12L

A1 A2 A3

E E

E

0L 1L


pad





PMAC

E E

E

0L 1L 12L

A1 A2 A3

E E

E

0L 1L


pad



2L)






AEZ

E E E

E

9J 10J 11J

A1 A2 A3

E E E

E

9J 10J 8J

A1 A2 A3A3pad






Proofs





AEZ key recovery



OutlineIntroduction

MACsSecurity Proofs







Hash functions

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3H(M)ℓ ℓ

|M|

Ih






Hash functions

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3H(M)ℓ ℓ

|M|

Ig






Hash functions

h0ℓ

m0

x0

h1ℓ

m1

x1

h2ℓ

m2

x2 x3H(M)ℓ ℓ

|M|

Ig






Hash functions

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3H(M)ℓ n

|M|

Ih









Hash-based MACs






Secret-prefix MAC


MACk(M) = H(k M)


hℓ

k

x0hℓ

M

x1hℓ

2

x2MACk(M)

ℓI

hℓ

k

x0hℓ

M

x1hℓ

2

x2hℓ

P

x3hℓ

4

x4MACk(M 2 P)

ℓI







MACk(M) = H(M k)








MACk(M) = H(M k)


helliphellip

klowastklowast

C0 =C1 =

M0 =

⋯

M1 = ⋯


helliphellip

k0


MAC(M0) = H1114100MAC(M1) = H1114100

11141031114103







MACk(M) = H(k M k)











MACk(M) = H(k M k)









HMAC




SSL IPSEC





Hash-based MACs

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3MACk(M)

ℓ n

|M|

Ikgk












OutlineIntroduction

MACsSecurity Proofs







Bibliography







hℓ

m0

x0

hℓ

m1

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







hℓ

m0

x0

hℓ

m1

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK










x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk







x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk







x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk




hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

ccprime

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

ccprime

x2 x3MACk(M)

l n

|M|

Ikgk













Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Random Mappings

x0

x1

x2

x3x4

x5x6

x7





Several components



Random Mappings





Several components



Random Mappings





Several components



Cycle structure


Components 12 logN




Cycle structure


Components 12 logN





Success if





Cycle structure


Components 12 logN





Success if






hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACk(M)

ℓ n

|M|

Ikgk




M = r [0]2ℓ2 [1] [0]2ℓ2




M1 = r [0]2ℓ2+L [1] [0]2ℓ2 M2 = r [0]2ℓ2 [1] [0]2ℓ2+L







Analysis









Analysis



Cycle structure


Components 12 logN








Analysis











Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK






Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK





















Mi

Online Structure


$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

Mi

Offline Structure





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure









Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime




Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime

Offline Structure

Cost Build Test





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity




Diamond filters






Diamond filters






Diamond filters


Diamond filter








Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity














1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ


Com

plexity

HAIFA mode

1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ





OutlineIntroduction

MACsSecurity Proofs







Bibliography










Ik Mprime








Ik Mprime










IV Mprime








IV

1 bl

27 + 1 blm7mprime

7

1 bl

26 + 1 blm6mprime

6

1 bl

25 + 1 blm5mprime

5

1 bl

24 + 1 blm4mprime

4

1 bl

23 + 1 blm3mprime

3

1 bl

22 + 1 blm2mprime

2 hlowast










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆

















Ik

MAC(C)

hg

hg

hg

hg

hg

hg

hg

hg

hg

hg

g

Online Structure

$ g

$ g

$ g

$ g

$ g

$ g

2ℓminuss













Ik2s 2ℓ2

2sC

Online Structure





MAC(C|i 0d+L 1 02ℓ2) =MAC(C|i 0d 1 02


Ik2s 2ℓ2

2sC

Online Structure






Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs






Ikx

y

mMAC


2 Query t =MAC(x m)

3 1114100y m t1114103 is a forgery




Ikx

y

mMAC


2 Query t =MAC(x m)

3 1114100y m t1114103 is a forgery




Ikx

y

mMAC


2 Query t =MAC(x m)

3 1114100y m t1114103 is a forgery

Problem






2nminus1



Limitations








Or is it




PMAC

E E

E

0L 1L 12L

A1 A2 A3

E E

E

0L 1L


pad





PMAC

E E

E

0L 1L 12L

A1 A2 A3

E E

E

0L 1L


pad



2L)






AEZ

E E E

E

9J 10J 11J

A1 A2 A3

E E E

E

9J 10J 8J

A1 A2 A3A3pad






Proofs





AEZ key recovery



OutlineIntroduction

MACsSecurity Proofs







Hash functions

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3H(M)ℓ ℓ

|M|

Ih






Hash functions

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3H(M)ℓ ℓ

|M|

Ig






Hash functions

h0ℓ

m0

x0

h1ℓ

m1

x1

h2ℓ

m2

x2 x3H(M)ℓ ℓ

|M|

Ig






Hash functions

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3H(M)ℓ n

|M|

Ih









Hash-based MACs






Secret-prefix MAC


MACk(M) = H(k M)


hℓ

k

x0hℓ

M

x1hℓ

2

x2MACk(M)

ℓI

hℓ

k

x0hℓ

M

x1hℓ

2

x2hℓ

P

x3hℓ

4

x4MACk(M 2 P)

ℓI







MACk(M) = H(M k)








MACk(M) = H(M k)


helliphellip

klowastklowast

C0 =C1 =

M0 =

⋯

M1 = ⋯


helliphellip

k0


MAC(M0) = H1114100MAC(M1) = H1114100

11141031114103







MACk(M) = H(k M k)











MACk(M) = H(k M k)









HMAC




SSL IPSEC





Hash-based MACs

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3MACk(M)

ℓ n

|M|

Ikgk












OutlineIntroduction

MACsSecurity Proofs







Bibliography







hℓ

m0

x0

hℓ

m1

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







hℓ

m0

x0

hℓ

m1

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK










x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk







x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk







x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk




hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

ccprime

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

ccprime

x2 x3MACk(M)

l n

|M|

Ikgk













Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Random Mappings

x0

x1

x2

x3x4

x5x6

x7





Several components



Random Mappings





Several components



Random Mappings





Several components



Cycle structure


Components 12 logN




Cycle structure


Components 12 logN





Success if





Cycle structure


Components 12 logN





Success if






hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACk(M)

ℓ n

|M|

Ikgk




M = r [0]2ℓ2 [1] [0]2ℓ2




M1 = r [0]2ℓ2+L [1] [0]2ℓ2 M2 = r [0]2ℓ2 [1] [0]2ℓ2+L







Analysis









Analysis



Cycle structure


Components 12 logN








Analysis











Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK






Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK





















Mi

Online Structure


$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

Mi

Offline Structure





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure









Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime




Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime

Offline Structure

Cost Build Test





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity




Diamond filters






Diamond filters






Diamond filters


Diamond filter








Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity














1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ


Com

plexity

HAIFA mode

1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ





OutlineIntroduction

MACsSecurity Proofs







Bibliography










Ik Mprime








Ik Mprime










IV Mprime








IV

1 bl

27 + 1 blm7mprime

7

1 bl

26 + 1 blm6mprime

6

1 bl

25 + 1 blm5mprime

5

1 bl

24 + 1 blm4mprime

4

1 bl

23 + 1 blm3mprime

3

1 bl

22 + 1 blm2mprime

2 hlowast










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆

















Ik

MAC(C)

hg

hg

hg

hg

hg

hg

hg

hg

hg

hg

g

Online Structure

$ g

$ g

$ g

$ g

$ g

$ g

2ℓminuss













Ik2s 2ℓ2

2sC

Online Structure





MAC(C|i 0d+L 1 02ℓ2) =MAC(C|i 0d 1 02


Ik2s 2ℓ2

2sC

Online Structure






Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs






Ikx

y

mMAC


2 Query t =MAC(x m)

3 1114100y m t1114103 is a forgery




Ikx

y

mMAC


2 Query t =MAC(x m)

3 1114100y m t1114103 is a forgery

Problem






2nminus1



Limitations








Or is it




PMAC

E E

E

0L 1L 12L

A1 A2 A3

E E

E

0L 1L


pad





PMAC

E E

E

0L 1L 12L

A1 A2 A3

E E

E

0L 1L


pad



2L)






AEZ

E E E

E

9J 10J 11J

A1 A2 A3

E E E

E

9J 10J 8J

A1 A2 A3A3pad






Proofs





AEZ key recovery



OutlineIntroduction

MACsSecurity Proofs







Hash functions

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3H(M)ℓ ℓ

|M|

Ih






Hash functions

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3H(M)ℓ ℓ

|M|

Ig






Hash functions

h0ℓ

m0

x0

h1ℓ

m1

x1

h2ℓ

m2

x2 x3H(M)ℓ ℓ

|M|

Ig






Hash functions

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3H(M)ℓ n

|M|

Ih









Hash-based MACs






Secret-prefix MAC


MACk(M) = H(k M)


hℓ

k

x0hℓ

M

x1hℓ

2

x2MACk(M)

ℓI

hℓ

k

x0hℓ

M

x1hℓ

2

x2hℓ

P

x3hℓ

4

x4MACk(M 2 P)

ℓI







MACk(M) = H(M k)








MACk(M) = H(M k)


helliphellip

klowastklowast

C0 =C1 =

M0 =

⋯

M1 = ⋯


helliphellip

k0


MAC(M0) = H1114100MAC(M1) = H1114100

11141031114103







MACk(M) = H(k M k)











MACk(M) = H(k M k)









HMAC




SSL IPSEC





Hash-based MACs

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3MACk(M)

ℓ n

|M|

Ikgk












OutlineIntroduction

MACsSecurity Proofs







Bibliography







hℓ

m0

x0

hℓ

m1

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







hℓ

m0

x0

hℓ

m1

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK










x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk







x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk







x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk




hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

ccprime

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

ccprime

x2 x3MACk(M)

l n

|M|

Ikgk













Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Random Mappings

x0

x1

x2

x3x4

x5x6

x7





Several components



Random Mappings





Several components



Random Mappings





Several components



Cycle structure


Components 12 logN




Cycle structure


Components 12 logN





Success if





Cycle structure


Components 12 logN





Success if






hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACk(M)

ℓ n

|M|

Ikgk




M = r [0]2ℓ2 [1] [0]2ℓ2




M1 = r [0]2ℓ2+L [1] [0]2ℓ2 M2 = r [0]2ℓ2 [1] [0]2ℓ2+L







Analysis









Analysis



Cycle structure


Components 12 logN








Analysis











Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK






Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK





















Mi

Online Structure


$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

Mi

Offline Structure





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure









Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime




Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime

Offline Structure

Cost Build Test





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity




Diamond filters






Diamond filters






Diamond filters


Diamond filter








Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity














1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ


Com

plexity

HAIFA mode

1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ





OutlineIntroduction

MACsSecurity Proofs







Bibliography










Ik Mprime








Ik Mprime










IV Mprime








IV

1 bl

27 + 1 blm7mprime

7

1 bl

26 + 1 blm6mprime

6

1 bl

25 + 1 blm5mprime

5

1 bl

24 + 1 blm4mprime

4

1 bl

23 + 1 blm3mprime

3

1 bl

22 + 1 blm2mprime

2 hlowast










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆

















Ik

MAC(C)

hg

hg

hg

hg

hg

hg

hg

hg

hg

hg

g

Online Structure

$ g

$ g

$ g

$ g

$ g

$ g

2ℓminuss













Ik2s 2ℓ2

2sC

Online Structure





MAC(C|i 0d+L 1 02ℓ2) =MAC(C|i 0d 1 02


Ik2s 2ℓ2

2sC

Online Structure






Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs






Ikx

y

mMAC


2 Query t =MAC(x m)

3 1114100y m t1114103 is a forgery

Problem






2nminus1



Limitations








Or is it




PMAC

E E

E

0L 1L 12L

A1 A2 A3

E E

E

0L 1L


pad





PMAC

E E

E

0L 1L 12L

A1 A2 A3

E E

E

0L 1L


pad



2L)






AEZ

E E E

E

9J 10J 11J

A1 A2 A3

E E E

E

9J 10J 8J

A1 A2 A3A3pad






Proofs





AEZ key recovery



OutlineIntroduction

MACsSecurity Proofs







Hash functions

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3H(M)ℓ ℓ

|M|

Ih






Hash functions

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3H(M)ℓ ℓ

|M|

Ig






Hash functions

h0ℓ

m0

x0

h1ℓ

m1

x1

h2ℓ

m2

x2 x3H(M)ℓ ℓ

|M|

Ig






Hash functions

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3H(M)ℓ n

|M|

Ih









Hash-based MACs






Secret-prefix MAC


MACk(M) = H(k M)


hℓ

k

x0hℓ

M

x1hℓ

2

x2MACk(M)

ℓI

hℓ

k

x0hℓ

M

x1hℓ

2

x2hℓ

P

x3hℓ

4

x4MACk(M 2 P)

ℓI







MACk(M) = H(M k)








MACk(M) = H(M k)


helliphellip

klowastklowast

C0 =C1 =

M0 =

⋯

M1 = ⋯


helliphellip

k0


MAC(M0) = H1114100MAC(M1) = H1114100

11141031114103







MACk(M) = H(k M k)











MACk(M) = H(k M k)









HMAC




SSL IPSEC





Hash-based MACs

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3MACk(M)

ℓ n

|M|

Ikgk












OutlineIntroduction

MACsSecurity Proofs







Bibliography







hℓ

m0

x0

hℓ

m1

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







hℓ

m0

x0

hℓ

m1

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK










x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk







x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk







x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk




hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

ccprime

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

ccprime

x2 x3MACk(M)

l n

|M|

Ikgk













Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Random Mappings

x0

x1

x2

x3x4

x5x6

x7





Several components



Random Mappings





Several components



Random Mappings





Several components



Cycle structure


Components 12 logN




Cycle structure


Components 12 logN





Success if





Cycle structure


Components 12 logN





Success if






hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACk(M)

ℓ n

|M|

Ikgk




M = r [0]2ℓ2 [1] [0]2ℓ2




M1 = r [0]2ℓ2+L [1] [0]2ℓ2 M2 = r [0]2ℓ2 [1] [0]2ℓ2+L







Analysis









Analysis



Cycle structure


Components 12 logN








Analysis











Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK






Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK





















Mi

Online Structure


$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

Mi

Offline Structure





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure









Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime




Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime

Offline Structure

Cost Build Test





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity




Diamond filters






Diamond filters






Diamond filters


Diamond filter








Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity














1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ


Com

plexity

HAIFA mode

1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ





OutlineIntroduction

MACsSecurity Proofs







Bibliography










Ik Mprime








Ik Mprime










IV Mprime








IV

1 bl

27 + 1 blm7mprime

7

1 bl

26 + 1 blm6mprime

6

1 bl

25 + 1 blm5mprime

5

1 bl

24 + 1 blm4mprime

4

1 bl

23 + 1 blm3mprime

3

1 bl

22 + 1 blm2mprime

2 hlowast










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆

















Ik

MAC(C)

hg

hg

hg

hg

hg

hg

hg

hg

hg

hg

g

Online Structure

$ g

$ g

$ g

$ g

$ g

$ g

2ℓminuss













Ik2s 2ℓ2

2sC

Online Structure





MAC(C|i 0d+L 1 02ℓ2) =MAC(C|i 0d 1 02


Ik2s 2ℓ2

2sC

Online Structure






Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs







2nminus1



Limitations








Or is it




PMAC

E E

E

0L 1L 12L

A1 A2 A3

E E

E

0L 1L


pad





PMAC

E E

E

0L 1L 12L

A1 A2 A3

E E

E

0L 1L


pad



2L)






AEZ

E E E

E

9J 10J 11J

A1 A2 A3

E E E

E

9J 10J 8J

A1 A2 A3A3pad






Proofs





AEZ key recovery



OutlineIntroduction

MACsSecurity Proofs







Hash functions

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3H(M)ℓ ℓ

|M|

Ih






Hash functions

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3H(M)ℓ ℓ

|M|

Ig






Hash functions

h0ℓ

m0

x0

h1ℓ

m1

x1

h2ℓ

m2

x2 x3H(M)ℓ ℓ

|M|

Ig






Hash functions

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3H(M)ℓ n

|M|

Ih









Hash-based MACs






Secret-prefix MAC


MACk(M) = H(k M)


hℓ

k

x0hℓ

M

x1hℓ

2

x2MACk(M)

ℓI

hℓ

k

x0hℓ

M

x1hℓ

2

x2hℓ

P

x3hℓ

4

x4MACk(M 2 P)

ℓI







MACk(M) = H(M k)








MACk(M) = H(M k)


helliphellip

klowastklowast

C0 =C1 =

M0 =

⋯

M1 = ⋯


helliphellip

k0


MAC(M0) = H1114100MAC(M1) = H1114100

11141031114103







MACk(M) = H(k M k)











MACk(M) = H(k M k)









HMAC




SSL IPSEC





Hash-based MACs

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3MACk(M)

ℓ n

|M|

Ikgk












OutlineIntroduction

MACsSecurity Proofs







Bibliography







hℓ

m0

x0

hℓ

m1

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







hℓ

m0

x0

hℓ

m1

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK










x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk







x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk







x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk




hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

ccprime

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

ccprime

x2 x3MACk(M)

l n

|M|

Ikgk













Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Random Mappings

x0

x1

x2

x3x4

x5x6

x7





Several components



Random Mappings





Several components



Random Mappings





Several components



Cycle structure


Components 12 logN




Cycle structure


Components 12 logN





Success if





Cycle structure


Components 12 logN





Success if






hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACk(M)

ℓ n

|M|

Ikgk




M = r [0]2ℓ2 [1] [0]2ℓ2




M1 = r [0]2ℓ2+L [1] [0]2ℓ2 M2 = r [0]2ℓ2 [1] [0]2ℓ2+L







Analysis









Analysis



Cycle structure


Components 12 logN








Analysis











Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK






Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK





















Mi

Online Structure


$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

Mi

Offline Structure





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure









Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime




Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime

Offline Structure

Cost Build Test





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity




Diamond filters






Diamond filters






Diamond filters


Diamond filter








Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity














1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ


Com

plexity

HAIFA mode

1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ





OutlineIntroduction

MACsSecurity Proofs







Bibliography










Ik Mprime








Ik Mprime










IV Mprime








IV

1 bl

27 + 1 blm7mprime

7

1 bl

26 + 1 blm6mprime

6

1 bl

25 + 1 blm5mprime

5

1 bl

24 + 1 blm4mprime

4

1 bl

23 + 1 blm3mprime

3

1 bl

22 + 1 blm2mprime

2 hlowast










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆

















Ik

MAC(C)

hg

hg

hg

hg

hg

hg

hg

hg

hg

hg

g

Online Structure

$ g

$ g

$ g

$ g

$ g

$ g

2ℓminuss













Ik2s 2ℓ2

2sC

Online Structure





MAC(C|i 0d+L 1 02ℓ2) =MAC(C|i 0d 1 02


Ik2s 2ℓ2

2sC

Online Structure






Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs








Or is it




PMAC

E E

E

0L 1L 12L

A1 A2 A3

E E

E

0L 1L


pad





PMAC

E E

E

0L 1L 12L

A1 A2 A3

E E

E

0L 1L


pad



2L)






AEZ

E E E

E

9J 10J 11J

A1 A2 A3

E E E

E

9J 10J 8J

A1 A2 A3A3pad






Proofs





AEZ key recovery



OutlineIntroduction

MACsSecurity Proofs







Hash functions

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3H(M)ℓ ℓ

|M|

Ih






Hash functions

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3H(M)ℓ ℓ

|M|

Ig






Hash functions

h0ℓ

m0

x0

h1ℓ

m1

x1

h2ℓ

m2

x2 x3H(M)ℓ ℓ

|M|

Ig






Hash functions

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3H(M)ℓ n

|M|

Ih









Hash-based MACs






Secret-prefix MAC


MACk(M) = H(k M)


hℓ

k

x0hℓ

M

x1hℓ

2

x2MACk(M)

ℓI

hℓ

k

x0hℓ

M

x1hℓ

2

x2hℓ

P

x3hℓ

4

x4MACk(M 2 P)

ℓI







MACk(M) = H(M k)








MACk(M) = H(M k)


helliphellip

klowastklowast

C0 =C1 =

M0 =

⋯

M1 = ⋯


helliphellip

k0


MAC(M0) = H1114100MAC(M1) = H1114100

11141031114103







MACk(M) = H(k M k)











MACk(M) = H(k M k)









HMAC




SSL IPSEC





Hash-based MACs

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3MACk(M)

ℓ n

|M|

Ikgk












OutlineIntroduction

MACsSecurity Proofs







Bibliography







hℓ

m0

x0

hℓ

m1

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







hℓ

m0

x0

hℓ

m1

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK










x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk







x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk







x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk




hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

ccprime

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

ccprime

x2 x3MACk(M)

l n

|M|

Ikgk













Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Random Mappings

x0

x1

x2

x3x4

x5x6

x7





Several components



Random Mappings





Several components



Random Mappings





Several components



Cycle structure


Components 12 logN




Cycle structure


Components 12 logN





Success if





Cycle structure


Components 12 logN





Success if






hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACk(M)

ℓ n

|M|

Ikgk




M = r [0]2ℓ2 [1] [0]2ℓ2




M1 = r [0]2ℓ2+L [1] [0]2ℓ2 M2 = r [0]2ℓ2 [1] [0]2ℓ2+L







Analysis









Analysis



Cycle structure


Components 12 logN








Analysis











Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK






Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK





















Mi

Online Structure


$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

Mi

Offline Structure





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure









Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime




Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime

Offline Structure

Cost Build Test





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity




Diamond filters






Diamond filters






Diamond filters


Diamond filter








Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity














1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ


Com

plexity

HAIFA mode

1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ





OutlineIntroduction

MACsSecurity Proofs







Bibliography










Ik Mprime








Ik Mprime










IV Mprime








IV

1 bl

27 + 1 blm7mprime

7

1 bl

26 + 1 blm6mprime

6

1 bl

25 + 1 blm5mprime

5

1 bl

24 + 1 blm4mprime

4

1 bl

23 + 1 blm3mprime

3

1 bl

22 + 1 blm2mprime

2 hlowast










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆

















Ik

MAC(C)

hg

hg

hg

hg

hg

hg

hg

hg

hg

hg

g

Online Structure

$ g

$ g

$ g

$ g

$ g

$ g

2ℓminuss













Ik2s 2ℓ2

2sC

Online Structure





MAC(C|i 0d+L 1 02ℓ2) =MAC(C|i 0d 1 02


Ik2s 2ℓ2

2sC

Online Structure






Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs





PMAC

E E

E

0L 1L 12L

A1 A2 A3

E E

E

0L 1L


pad





PMAC

E E

E

0L 1L 12L

A1 A2 A3

E E

E

0L 1L


pad



2L)






AEZ

E E E

E

9J 10J 11J

A1 A2 A3

E E E

E

9J 10J 8J

A1 A2 A3A3pad






Proofs





AEZ key recovery



OutlineIntroduction

MACsSecurity Proofs







Hash functions

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3H(M)ℓ ℓ

|M|

Ih






Hash functions

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3H(M)ℓ ℓ

|M|

Ig






Hash functions

h0ℓ

m0

x0

h1ℓ

m1

x1

h2ℓ

m2

x2 x3H(M)ℓ ℓ

|M|

Ig






Hash functions

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3H(M)ℓ n

|M|

Ih









Hash-based MACs






Secret-prefix MAC


MACk(M) = H(k M)


hℓ

k

x0hℓ

M

x1hℓ

2

x2MACk(M)

ℓI

hℓ

k

x0hℓ

M

x1hℓ

2

x2hℓ

P

x3hℓ

4

x4MACk(M 2 P)

ℓI







MACk(M) = H(M k)








MACk(M) = H(M k)


helliphellip

klowastklowast

C0 =C1 =

M0 =

⋯

M1 = ⋯


helliphellip

k0


MAC(M0) = H1114100MAC(M1) = H1114100

11141031114103







MACk(M) = H(k M k)











MACk(M) = H(k M k)









HMAC




SSL IPSEC





Hash-based MACs

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3MACk(M)

ℓ n

|M|

Ikgk












OutlineIntroduction

MACsSecurity Proofs







Bibliography







hℓ

m0

x0

hℓ

m1

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







hℓ

m0

x0

hℓ

m1

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK










x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk







x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk







x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk




hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

ccprime

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

ccprime

x2 x3MACk(M)

l n

|M|

Ikgk













Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Random Mappings

x0

x1

x2

x3x4

x5x6

x7





Several components



Random Mappings





Several components



Random Mappings





Several components



Cycle structure


Components 12 logN




Cycle structure


Components 12 logN





Success if





Cycle structure


Components 12 logN





Success if






hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACk(M)

ℓ n

|M|

Ikgk




M = r [0]2ℓ2 [1] [0]2ℓ2




M1 = r [0]2ℓ2+L [1] [0]2ℓ2 M2 = r [0]2ℓ2 [1] [0]2ℓ2+L







Analysis









Analysis



Cycle structure


Components 12 logN








Analysis











Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK






Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK





















Mi

Online Structure


$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

Mi

Offline Structure





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure









Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime




Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime

Offline Structure

Cost Build Test





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity




Diamond filters






Diamond filters






Diamond filters


Diamond filter








Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity














1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ


Com

plexity

HAIFA mode

1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ





OutlineIntroduction

MACsSecurity Proofs







Bibliography










Ik Mprime








Ik Mprime










IV Mprime








IV

1 bl

27 + 1 blm7mprime

7

1 bl

26 + 1 blm6mprime

6

1 bl

25 + 1 blm5mprime

5

1 bl

24 + 1 blm4mprime

4

1 bl

23 + 1 blm3mprime

3

1 bl

22 + 1 blm2mprime

2 hlowast










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆

















Ik

MAC(C)

hg

hg

hg

hg

hg

hg

hg

hg

hg

hg

g

Online Structure

$ g

$ g

$ g

$ g

$ g

$ g

2ℓminuss













Ik2s 2ℓ2

2sC

Online Structure





MAC(C|i 0d+L 1 02ℓ2) =MAC(C|i 0d 1 02


Ik2s 2ℓ2

2sC

Online Structure






Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs





PMAC

E E

E

0L 1L 12L

A1 A2 A3

E E

E

0L 1L


pad



2L)






AEZ

E E E

E

9J 10J 11J

A1 A2 A3

E E E

E

9J 10J 8J

A1 A2 A3A3pad






Proofs





AEZ key recovery



OutlineIntroduction

MACsSecurity Proofs







Hash functions

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3H(M)ℓ ℓ

|M|

Ih






Hash functions

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3H(M)ℓ ℓ

|M|

Ig






Hash functions

h0ℓ

m0

x0

h1ℓ

m1

x1

h2ℓ

m2

x2 x3H(M)ℓ ℓ

|M|

Ig






Hash functions

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3H(M)ℓ n

|M|

Ih









Hash-based MACs






Secret-prefix MAC


MACk(M) = H(k M)


hℓ

k

x0hℓ

M

x1hℓ

2

x2MACk(M)

ℓI

hℓ

k

x0hℓ

M

x1hℓ

2

x2hℓ

P

x3hℓ

4

x4MACk(M 2 P)

ℓI







MACk(M) = H(M k)








MACk(M) = H(M k)


helliphellip

klowastklowast

C0 =C1 =

M0 =

⋯

M1 = ⋯


helliphellip

k0


MAC(M0) = H1114100MAC(M1) = H1114100

11141031114103







MACk(M) = H(k M k)











MACk(M) = H(k M k)









HMAC




SSL IPSEC





Hash-based MACs

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3MACk(M)

ℓ n

|M|

Ikgk












OutlineIntroduction

MACsSecurity Proofs







Bibliography







hℓ

m0

x0

hℓ

m1

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







hℓ

m0

x0

hℓ

m1

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK










x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk







x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk







x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk




hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

ccprime

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

ccprime

x2 x3MACk(M)

l n

|M|

Ikgk













Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Random Mappings

x0

x1

x2

x3x4

x5x6

x7





Several components



Random Mappings





Several components



Random Mappings





Several components



Cycle structure


Components 12 logN




Cycle structure


Components 12 logN





Success if





Cycle structure


Components 12 logN





Success if






hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACk(M)

ℓ n

|M|

Ikgk




M = r [0]2ℓ2 [1] [0]2ℓ2




M1 = r [0]2ℓ2+L [1] [0]2ℓ2 M2 = r [0]2ℓ2 [1] [0]2ℓ2+L







Analysis









Analysis



Cycle structure


Components 12 logN








Analysis











Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK






Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK





















Mi

Online Structure


$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

Mi

Offline Structure





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure









Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime




Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime

Offline Structure

Cost Build Test





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity




Diamond filters






Diamond filters






Diamond filters


Diamond filter








Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity














1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ


Com

plexity

HAIFA mode

1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ





OutlineIntroduction

MACsSecurity Proofs







Bibliography










Ik Mprime








Ik Mprime










IV Mprime








IV

1 bl

27 + 1 blm7mprime

7

1 bl

26 + 1 blm6mprime

6

1 bl

25 + 1 blm5mprime

5

1 bl

24 + 1 blm4mprime

4

1 bl

23 + 1 blm3mprime

3

1 bl

22 + 1 blm2mprime

2 hlowast










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆

















Ik

MAC(C)

hg

hg

hg

hg

hg

hg

hg

hg

hg

hg

g

Online Structure

$ g

$ g

$ g

$ g

$ g

$ g

2ℓminuss













Ik2s 2ℓ2

2sC

Online Structure





MAC(C|i 0d+L 1 02ℓ2) =MAC(C|i 0d 1 02


Ik2s 2ℓ2

2sC

Online Structure






Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs





AEZ

E E E

E

9J 10J 11J

A1 A2 A3

E E E

E

9J 10J 8J

A1 A2 A3A3pad






Proofs





AEZ key recovery



OutlineIntroduction

MACsSecurity Proofs







Hash functions

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3H(M)ℓ ℓ

|M|

Ih






Hash functions

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3H(M)ℓ ℓ

|M|

Ig






Hash functions

h0ℓ

m0

x0

h1ℓ

m1

x1

h2ℓ

m2

x2 x3H(M)ℓ ℓ

|M|

Ig






Hash functions

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3H(M)ℓ n

|M|

Ih









Hash-based MACs






Secret-prefix MAC


MACk(M) = H(k M)


hℓ

k

x0hℓ

M

x1hℓ

2

x2MACk(M)

ℓI

hℓ

k

x0hℓ

M

x1hℓ

2

x2hℓ

P

x3hℓ

4

x4MACk(M 2 P)

ℓI







MACk(M) = H(M k)








MACk(M) = H(M k)


helliphellip

klowastklowast

C0 =C1 =

M0 =

⋯

M1 = ⋯


helliphellip

k0


MAC(M0) = H1114100MAC(M1) = H1114100

11141031114103







MACk(M) = H(k M k)











MACk(M) = H(k M k)









HMAC




SSL IPSEC





Hash-based MACs

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3MACk(M)

ℓ n

|M|

Ikgk












OutlineIntroduction

MACsSecurity Proofs







Bibliography







hℓ

m0

x0

hℓ

m1

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







hℓ

m0

x0

hℓ

m1

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK










x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk







x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk







x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk




hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

ccprime

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

ccprime

x2 x3MACk(M)

l n

|M|

Ikgk













Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Random Mappings

x0

x1

x2

x3x4

x5x6

x7





Several components



Random Mappings





Several components



Random Mappings





Several components



Cycle structure


Components 12 logN




Cycle structure


Components 12 logN





Success if





Cycle structure


Components 12 logN





Success if






hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACk(M)

ℓ n

|M|

Ikgk




M = r [0]2ℓ2 [1] [0]2ℓ2




M1 = r [0]2ℓ2+L [1] [0]2ℓ2 M2 = r [0]2ℓ2 [1] [0]2ℓ2+L







Analysis









Analysis



Cycle structure


Components 12 logN








Analysis











Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK






Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK





















Mi

Online Structure


$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

Mi

Offline Structure





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure









Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime




Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime

Offline Structure

Cost Build Test





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity




Diamond filters






Diamond filters






Diamond filters


Diamond filter








Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity














1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ


Com

plexity

HAIFA mode

1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ





OutlineIntroduction

MACsSecurity Proofs







Bibliography










Ik Mprime








Ik Mprime










IV Mprime








IV

1 bl

27 + 1 blm7mprime

7

1 bl

26 + 1 blm6mprime

6

1 bl

25 + 1 blm5mprime

5

1 bl

24 + 1 blm4mprime

4

1 bl

23 + 1 blm3mprime

3

1 bl

22 + 1 blm2mprime

2 hlowast










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆

















Ik

MAC(C)

hg

hg

hg

hg

hg

hg

hg

hg

hg

hg

g

Online Structure

$ g

$ g

$ g

$ g

$ g

$ g

2ℓminuss













Ik2s 2ℓ2

2sC

Online Structure





MAC(C|i 0d+L 1 02ℓ2) =MAC(C|i 0d 1 02


Ik2s 2ℓ2

2sC

Online Structure






Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs






Proofs





AEZ key recovery



OutlineIntroduction

MACsSecurity Proofs







Hash functions

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3H(M)ℓ ℓ

|M|

Ih






Hash functions

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3H(M)ℓ ℓ

|M|

Ig






Hash functions

h0ℓ

m0

x0

h1ℓ

m1

x1

h2ℓ

m2

x2 x3H(M)ℓ ℓ

|M|

Ig






Hash functions

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3H(M)ℓ n

|M|

Ih









Hash-based MACs






Secret-prefix MAC


MACk(M) = H(k M)


hℓ

k

x0hℓ

M

x1hℓ

2

x2MACk(M)

ℓI

hℓ

k

x0hℓ

M

x1hℓ

2

x2hℓ

P

x3hℓ

4

x4MACk(M 2 P)

ℓI







MACk(M) = H(M k)








MACk(M) = H(M k)


helliphellip

klowastklowast

C0 =C1 =

M0 =

⋯

M1 = ⋯


helliphellip

k0


MAC(M0) = H1114100MAC(M1) = H1114100

11141031114103







MACk(M) = H(k M k)











MACk(M) = H(k M k)









HMAC




SSL IPSEC





Hash-based MACs

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3MACk(M)

ℓ n

|M|

Ikgk












OutlineIntroduction

MACsSecurity Proofs







Bibliography







hℓ

m0

x0

hℓ

m1

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







hℓ

m0

x0

hℓ

m1

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK










x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk







x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk







x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk




hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

ccprime

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

ccprime

x2 x3MACk(M)

l n

|M|

Ikgk













Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Random Mappings

x0

x1

x2

x3x4

x5x6

x7





Several components



Random Mappings





Several components



Random Mappings





Several components



Cycle structure


Components 12 logN




Cycle structure


Components 12 logN





Success if





Cycle structure


Components 12 logN





Success if






hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACk(M)

ℓ n

|M|

Ikgk




M = r [0]2ℓ2 [1] [0]2ℓ2




M1 = r [0]2ℓ2+L [1] [0]2ℓ2 M2 = r [0]2ℓ2 [1] [0]2ℓ2+L







Analysis









Analysis



Cycle structure


Components 12 logN








Analysis











Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK






Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK





















Mi

Online Structure


$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

Mi

Offline Structure





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure









Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime




Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime

Offline Structure

Cost Build Test





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity




Diamond filters






Diamond filters






Diamond filters


Diamond filter








Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity














1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ


Com

plexity

HAIFA mode

1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ





OutlineIntroduction

MACsSecurity Proofs







Bibliography










Ik Mprime








Ik Mprime










IV Mprime








IV

1 bl

27 + 1 blm7mprime

7

1 bl

26 + 1 blm6mprime

6

1 bl

25 + 1 blm5mprime

5

1 bl

24 + 1 blm4mprime

4

1 bl

23 + 1 blm3mprime

3

1 bl

22 + 1 blm2mprime

2 hlowast










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆

















Ik

MAC(C)

hg

hg

hg

hg

hg

hg

hg

hg

hg

hg

g

Online Structure

$ g

$ g

$ g

$ g

$ g

$ g

2ℓminuss













Ik2s 2ℓ2

2sC

Online Structure





MAC(C|i 0d+L 1 02ℓ2) =MAC(C|i 0d 1 02


Ik2s 2ℓ2

2sC

Online Structure






Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs





OutlineIntroduction

MACsSecurity Proofs







Hash functions

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3H(M)ℓ ℓ

|M|

Ih






Hash functions

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3H(M)ℓ ℓ

|M|

Ig






Hash functions

h0ℓ

m0

x0

h1ℓ

m1

x1

h2ℓ

m2

x2 x3H(M)ℓ ℓ

|M|

Ig






Hash functions

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3H(M)ℓ n

|M|

Ih









Hash-based MACs






Secret-prefix MAC


MACk(M) = H(k M)


hℓ

k

x0hℓ

M

x1hℓ

2

x2MACk(M)

ℓI

hℓ

k

x0hℓ

M

x1hℓ

2

x2hℓ

P

x3hℓ

4

x4MACk(M 2 P)

ℓI







MACk(M) = H(M k)








MACk(M) = H(M k)


helliphellip

klowastklowast

C0 =C1 =

M0 =

⋯

M1 = ⋯


helliphellip

k0


MAC(M0) = H1114100MAC(M1) = H1114100

11141031114103







MACk(M) = H(k M k)











MACk(M) = H(k M k)









HMAC




SSL IPSEC





Hash-based MACs

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3MACk(M)

ℓ n

|M|

Ikgk












OutlineIntroduction

MACsSecurity Proofs







Bibliography







hℓ

m0

x0

hℓ

m1

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







hℓ

m0

x0

hℓ

m1

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK










x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk







x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk







x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk




hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

ccprime

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

ccprime

x2 x3MACk(M)

l n

|M|

Ikgk













Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Random Mappings

x0

x1

x2

x3x4

x5x6

x7





Several components



Random Mappings





Several components



Random Mappings





Several components



Cycle structure


Components 12 logN




Cycle structure


Components 12 logN





Success if





Cycle structure


Components 12 logN





Success if






hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACk(M)

ℓ n

|M|

Ikgk




M = r [0]2ℓ2 [1] [0]2ℓ2




M1 = r [0]2ℓ2+L [1] [0]2ℓ2 M2 = r [0]2ℓ2 [1] [0]2ℓ2+L







Analysis









Analysis



Cycle structure


Components 12 logN








Analysis











Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK






Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK





















Mi

Online Structure


$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

Mi

Offline Structure





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure









Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime




Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime

Offline Structure

Cost Build Test





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity




Diamond filters






Diamond filters






Diamond filters


Diamond filter








Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity














1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ


Com

plexity

HAIFA mode

1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ





OutlineIntroduction

MACsSecurity Proofs







Bibliography










Ik Mprime








Ik Mprime










IV Mprime








IV

1 bl

27 + 1 blm7mprime

7

1 bl

26 + 1 blm6mprime

6

1 bl

25 + 1 blm5mprime

5

1 bl

24 + 1 blm4mprime

4

1 bl

23 + 1 blm3mprime

3

1 bl

22 + 1 blm2mprime

2 hlowast










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆

















Ik

MAC(C)

hg

hg

hg

hg

hg

hg

hg

hg

hg

hg

g

Online Structure

$ g

$ g

$ g

$ g

$ g

$ g

2ℓminuss













Ik2s 2ℓ2

2sC

Online Structure





MAC(C|i 0d+L 1 02ℓ2) =MAC(C|i 0d 1 02


Ik2s 2ℓ2

2sC

Online Structure






Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs





Hash functions

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3H(M)ℓ ℓ

|M|

Ih






Hash functions

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3H(M)ℓ ℓ

|M|

Ig






Hash functions

h0ℓ

m0

x0

h1ℓ

m1

x1

h2ℓ

m2

x2 x3H(M)ℓ ℓ

|M|

Ig






Hash functions

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3H(M)ℓ n

|M|

Ih









Hash-based MACs






Secret-prefix MAC


MACk(M) = H(k M)


hℓ

k

x0hℓ

M

x1hℓ

2

x2MACk(M)

ℓI

hℓ

k

x0hℓ

M

x1hℓ

2

x2hℓ

P

x3hℓ

4

x4MACk(M 2 P)

ℓI







MACk(M) = H(M k)








MACk(M) = H(M k)


helliphellip

klowastklowast

C0 =C1 =

M0 =

⋯

M1 = ⋯


helliphellip

k0


MAC(M0) = H1114100MAC(M1) = H1114100

11141031114103







MACk(M) = H(k M k)











MACk(M) = H(k M k)









HMAC




SSL IPSEC





Hash-based MACs

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3MACk(M)

ℓ n

|M|

Ikgk












OutlineIntroduction

MACsSecurity Proofs







Bibliography







hℓ

m0

x0

hℓ

m1

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







hℓ

m0

x0

hℓ

m1

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK










x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk







x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk







x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk




hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

ccprime

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

ccprime

x2 x3MACk(M)

l n

|M|

Ikgk













Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Random Mappings

x0

x1

x2

x3x4

x5x6

x7





Several components



Random Mappings





Several components



Random Mappings





Several components



Cycle structure


Components 12 logN




Cycle structure


Components 12 logN





Success if





Cycle structure


Components 12 logN





Success if






hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACk(M)

ℓ n

|M|

Ikgk




M = r [0]2ℓ2 [1] [0]2ℓ2




M1 = r [0]2ℓ2+L [1] [0]2ℓ2 M2 = r [0]2ℓ2 [1] [0]2ℓ2+L







Analysis









Analysis



Cycle structure


Components 12 logN








Analysis











Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK






Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK





















Mi

Online Structure


$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

Mi

Offline Structure





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure









Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime




Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime

Offline Structure

Cost Build Test





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity




Diamond filters






Diamond filters






Diamond filters


Diamond filter








Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity














1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ


Com

plexity

HAIFA mode

1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ





OutlineIntroduction

MACsSecurity Proofs







Bibliography










Ik Mprime








Ik Mprime










IV Mprime








IV

1 bl

27 + 1 blm7mprime

7

1 bl

26 + 1 blm6mprime

6

1 bl

25 + 1 blm5mprime

5

1 bl

24 + 1 blm4mprime

4

1 bl

23 + 1 blm3mprime

3

1 bl

22 + 1 blm2mprime

2 hlowast










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆

















Ik

MAC(C)

hg

hg

hg

hg

hg

hg

hg

hg

hg

hg

g

Online Structure

$ g

$ g

$ g

$ g

$ g

$ g

2ℓminuss













Ik2s 2ℓ2

2sC

Online Structure





MAC(C|i 0d+L 1 02ℓ2) =MAC(C|i 0d 1 02


Ik2s 2ℓ2

2sC

Online Structure






Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs





Hash functions

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3H(M)ℓ ℓ

|M|

Ig






Hash functions

h0ℓ

m0

x0

h1ℓ

m1

x1

h2ℓ

m2

x2 x3H(M)ℓ ℓ

|M|

Ig






Hash functions

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3H(M)ℓ n

|M|

Ih









Hash-based MACs






Secret-prefix MAC


MACk(M) = H(k M)


hℓ

k

x0hℓ

M

x1hℓ

2

x2MACk(M)

ℓI

hℓ

k

x0hℓ

M

x1hℓ

2

x2hℓ

P

x3hℓ

4

x4MACk(M 2 P)

ℓI







MACk(M) = H(M k)








MACk(M) = H(M k)


helliphellip

klowastklowast

C0 =C1 =

M0 =

⋯

M1 = ⋯


helliphellip

k0


MAC(M0) = H1114100MAC(M1) = H1114100

11141031114103







MACk(M) = H(k M k)











MACk(M) = H(k M k)









HMAC




SSL IPSEC





Hash-based MACs

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3MACk(M)

ℓ n

|M|

Ikgk












OutlineIntroduction

MACsSecurity Proofs







Bibliography







hℓ

m0

x0

hℓ

m1

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







hℓ

m0

x0

hℓ

m1

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK










x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk







x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk







x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk




hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

ccprime

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

ccprime

x2 x3MACk(M)

l n

|M|

Ikgk













Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Random Mappings

x0

x1

x2

x3x4

x5x6

x7





Several components



Random Mappings





Several components



Random Mappings





Several components



Cycle structure


Components 12 logN




Cycle structure


Components 12 logN





Success if





Cycle structure


Components 12 logN





Success if






hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACk(M)

ℓ n

|M|

Ikgk




M = r [0]2ℓ2 [1] [0]2ℓ2




M1 = r [0]2ℓ2+L [1] [0]2ℓ2 M2 = r [0]2ℓ2 [1] [0]2ℓ2+L







Analysis









Analysis



Cycle structure


Components 12 logN








Analysis











Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK






Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK





















Mi

Online Structure


$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

Mi

Offline Structure





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure









Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime




Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime

Offline Structure

Cost Build Test





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity




Diamond filters






Diamond filters






Diamond filters


Diamond filter








Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity














1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ


Com

plexity

HAIFA mode

1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ





OutlineIntroduction

MACsSecurity Proofs







Bibliography










Ik Mprime








Ik Mprime










IV Mprime








IV

1 bl

27 + 1 blm7mprime

7

1 bl

26 + 1 blm6mprime

6

1 bl

25 + 1 blm5mprime

5

1 bl

24 + 1 blm4mprime

4

1 bl

23 + 1 blm3mprime

3

1 bl

22 + 1 blm2mprime

2 hlowast










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆

















Ik

MAC(C)

hg

hg

hg

hg

hg

hg

hg

hg

hg

hg

g

Online Structure

$ g

$ g

$ g

$ g

$ g

$ g

2ℓminuss













Ik2s 2ℓ2

2sC

Online Structure





MAC(C|i 0d+L 1 02ℓ2) =MAC(C|i 0d 1 02


Ik2s 2ℓ2

2sC

Online Structure






Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs





Hash functions

h0ℓ

m0

x0

h1ℓ

m1

x1

h2ℓ

m2

x2 x3H(M)ℓ ℓ

|M|

Ig






Hash functions

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3H(M)ℓ n

|M|

Ih









Hash-based MACs






Secret-prefix MAC


MACk(M) = H(k M)


hℓ

k

x0hℓ

M

x1hℓ

2

x2MACk(M)

ℓI

hℓ

k

x0hℓ

M

x1hℓ

2

x2hℓ

P

x3hℓ

4

x4MACk(M 2 P)

ℓI







MACk(M) = H(M k)








MACk(M) = H(M k)


helliphellip

klowastklowast

C0 =C1 =

M0 =

⋯

M1 = ⋯


helliphellip

k0


MAC(M0) = H1114100MAC(M1) = H1114100

11141031114103







MACk(M) = H(k M k)











MACk(M) = H(k M k)









HMAC




SSL IPSEC





Hash-based MACs

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3MACk(M)

ℓ n

|M|

Ikgk












OutlineIntroduction

MACsSecurity Proofs







Bibliography







hℓ

m0

x0

hℓ

m1

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







hℓ

m0

x0

hℓ

m1

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK










x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk







x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk







x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk




hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

ccprime

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

ccprime

x2 x3MACk(M)

l n

|M|

Ikgk













Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Random Mappings

x0

x1

x2

x3x4

x5x6

x7





Several components



Random Mappings





Several components



Random Mappings





Several components



Cycle structure


Components 12 logN




Cycle structure


Components 12 logN





Success if





Cycle structure


Components 12 logN





Success if






hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACk(M)

ℓ n

|M|

Ikgk




M = r [0]2ℓ2 [1] [0]2ℓ2




M1 = r [0]2ℓ2+L [1] [0]2ℓ2 M2 = r [0]2ℓ2 [1] [0]2ℓ2+L







Analysis









Analysis



Cycle structure


Components 12 logN








Analysis











Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK






Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK





















Mi

Online Structure


$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

Mi

Offline Structure





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure









Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime




Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime

Offline Structure

Cost Build Test





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity




Diamond filters






Diamond filters






Diamond filters


Diamond filter








Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity














1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ


Com

plexity

HAIFA mode

1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ





OutlineIntroduction

MACsSecurity Proofs







Bibliography










Ik Mprime








Ik Mprime










IV Mprime








IV

1 bl

27 + 1 blm7mprime

7

1 bl

26 + 1 blm6mprime

6

1 bl

25 + 1 blm5mprime

5

1 bl

24 + 1 blm4mprime

4

1 bl

23 + 1 blm3mprime

3

1 bl

22 + 1 blm2mprime

2 hlowast










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆

















Ik

MAC(C)

hg

hg

hg

hg

hg

hg

hg

hg

hg

hg

g

Online Structure

$ g

$ g

$ g

$ g

$ g

$ g

2ℓminuss













Ik2s 2ℓ2

2sC

Online Structure





MAC(C|i 0d+L 1 02ℓ2) =MAC(C|i 0d 1 02


Ik2s 2ℓ2

2sC

Online Structure






Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs





Hash functions

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3H(M)ℓ n

|M|

Ih









Hash-based MACs






Secret-prefix MAC


MACk(M) = H(k M)


hℓ

k

x0hℓ

M

x1hℓ

2

x2MACk(M)

ℓI

hℓ

k

x0hℓ

M

x1hℓ

2

x2hℓ

P

x3hℓ

4

x4MACk(M 2 P)

ℓI







MACk(M) = H(M k)








MACk(M) = H(M k)


helliphellip

klowastklowast

C0 =C1 =

M0 =

⋯

M1 = ⋯


helliphellip

k0


MAC(M0) = H1114100MAC(M1) = H1114100

11141031114103







MACk(M) = H(k M k)











MACk(M) = H(k M k)









HMAC




SSL IPSEC





Hash-based MACs

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3MACk(M)

ℓ n

|M|

Ikgk












OutlineIntroduction

MACsSecurity Proofs







Bibliography







hℓ

m0

x0

hℓ

m1

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







hℓ

m0

x0

hℓ

m1

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK










x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk







x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk







x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk




hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

ccprime

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

ccprime

x2 x3MACk(M)

l n

|M|

Ikgk













Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Random Mappings

x0

x1

x2

x3x4

x5x6

x7





Several components



Random Mappings





Several components



Random Mappings





Several components



Cycle structure


Components 12 logN




Cycle structure


Components 12 logN





Success if





Cycle structure


Components 12 logN





Success if






hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACk(M)

ℓ n

|M|

Ikgk




M = r [0]2ℓ2 [1] [0]2ℓ2




M1 = r [0]2ℓ2+L [1] [0]2ℓ2 M2 = r [0]2ℓ2 [1] [0]2ℓ2+L







Analysis









Analysis



Cycle structure


Components 12 logN








Analysis











Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK






Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK





















Mi

Online Structure


$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

Mi

Offline Structure





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure









Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime




Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime

Offline Structure

Cost Build Test





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity




Diamond filters






Diamond filters






Diamond filters


Diamond filter








Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity














1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ


Com

plexity

HAIFA mode

1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ





OutlineIntroduction

MACsSecurity Proofs







Bibliography










Ik Mprime








Ik Mprime










IV Mprime








IV

1 bl

27 + 1 blm7mprime

7

1 bl

26 + 1 blm6mprime

6

1 bl

25 + 1 blm5mprime

5

1 bl

24 + 1 blm4mprime

4

1 bl

23 + 1 blm3mprime

3

1 bl

22 + 1 blm2mprime

2 hlowast










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆

















Ik

MAC(C)

hg

hg

hg

hg

hg

hg

hg

hg

hg

hg

g

Online Structure

$ g

$ g

$ g

$ g

$ g

$ g

2ℓminuss













Ik2s 2ℓ2

2sC

Online Structure





MAC(C|i 0d+L 1 02ℓ2) =MAC(C|i 0d 1 02


Ik2s 2ℓ2

2sC

Online Structure






Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs








Hash-based MACs






Secret-prefix MAC


MACk(M) = H(k M)


hℓ

k

x0hℓ

M

x1hℓ

2

x2MACk(M)

ℓI

hℓ

k

x0hℓ

M

x1hℓ

2

x2hℓ

P

x3hℓ

4

x4MACk(M 2 P)

ℓI







MACk(M) = H(M k)








MACk(M) = H(M k)


helliphellip

klowastklowast

C0 =C1 =

M0 =

⋯

M1 = ⋯


helliphellip

k0


MAC(M0) = H1114100MAC(M1) = H1114100

11141031114103







MACk(M) = H(k M k)











MACk(M) = H(k M k)









HMAC




SSL IPSEC





Hash-based MACs

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3MACk(M)

ℓ n

|M|

Ikgk












OutlineIntroduction

MACsSecurity Proofs







Bibliography







hℓ

m0

x0

hℓ

m1

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







hℓ

m0

x0

hℓ

m1

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK










x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk







x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk







x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk




hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

ccprime

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

ccprime

x2 x3MACk(M)

l n

|M|

Ikgk













Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Random Mappings

x0

x1

x2

x3x4

x5x6

x7





Several components



Random Mappings





Several components



Random Mappings





Several components



Cycle structure


Components 12 logN




Cycle structure


Components 12 logN





Success if





Cycle structure


Components 12 logN





Success if






hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACk(M)

ℓ n

|M|

Ikgk




M = r [0]2ℓ2 [1] [0]2ℓ2




M1 = r [0]2ℓ2+L [1] [0]2ℓ2 M2 = r [0]2ℓ2 [1] [0]2ℓ2+L







Analysis









Analysis



Cycle structure


Components 12 logN








Analysis











Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK






Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK





















Mi

Online Structure


$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

Mi

Offline Structure





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure









Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime




Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime

Offline Structure

Cost Build Test





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity




Diamond filters






Diamond filters






Diamond filters


Diamond filter








Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity














1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ


Com

plexity

HAIFA mode

1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ





OutlineIntroduction

MACsSecurity Proofs







Bibliography










Ik Mprime








Ik Mprime










IV Mprime








IV

1 bl

27 + 1 blm7mprime

7

1 bl

26 + 1 blm6mprime

6

1 bl

25 + 1 blm5mprime

5

1 bl

24 + 1 blm4mprime

4

1 bl

23 + 1 blm3mprime

3

1 bl

22 + 1 blm2mprime

2 hlowast










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆

















Ik

MAC(C)

hg

hg

hg

hg

hg

hg

hg

hg

hg

hg

g

Online Structure

$ g

$ g

$ g

$ g

$ g

$ g

2ℓminuss













Ik2s 2ℓ2

2sC

Online Structure





MAC(C|i 0d+L 1 02ℓ2) =MAC(C|i 0d 1 02


Ik2s 2ℓ2

2sC

Online Structure






Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs





Secret-prefix MAC


MACk(M) = H(k M)


hℓ

k

x0hℓ

M

x1hℓ

2

x2MACk(M)

ℓI

hℓ

k

x0hℓ

M

x1hℓ

2

x2hℓ

P

x3hℓ

4

x4MACk(M 2 P)

ℓI







MACk(M) = H(M k)








MACk(M) = H(M k)


helliphellip

klowastklowast

C0 =C1 =

M0 =

⋯

M1 = ⋯


helliphellip

k0


MAC(M0) = H1114100MAC(M1) = H1114100

11141031114103







MACk(M) = H(k M k)











MACk(M) = H(k M k)









HMAC




SSL IPSEC





Hash-based MACs

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3MACk(M)

ℓ n

|M|

Ikgk












OutlineIntroduction

MACsSecurity Proofs







Bibliography







hℓ

m0

x0

hℓ

m1

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







hℓ

m0

x0

hℓ

m1

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK










x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk







x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk







x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk




hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

ccprime

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

ccprime

x2 x3MACk(M)

l n

|M|

Ikgk













Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Random Mappings

x0

x1

x2

x3x4

x5x6

x7





Several components



Random Mappings





Several components



Random Mappings





Several components



Cycle structure


Components 12 logN




Cycle structure


Components 12 logN





Success if





Cycle structure


Components 12 logN





Success if






hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACk(M)

ℓ n

|M|

Ikgk




M = r [0]2ℓ2 [1] [0]2ℓ2




M1 = r [0]2ℓ2+L [1] [0]2ℓ2 M2 = r [0]2ℓ2 [1] [0]2ℓ2+L







Analysis









Analysis



Cycle structure


Components 12 logN








Analysis











Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK






Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK





















Mi

Online Structure


$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

Mi

Offline Structure





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure









Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime




Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime

Offline Structure

Cost Build Test





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity




Diamond filters






Diamond filters






Diamond filters


Diamond filter








Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity














1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ


Com

plexity

HAIFA mode

1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ





OutlineIntroduction

MACsSecurity Proofs







Bibliography










Ik Mprime








Ik Mprime










IV Mprime








IV

1 bl

27 + 1 blm7mprime

7

1 bl

26 + 1 blm6mprime

6

1 bl

25 + 1 blm5mprime

5

1 bl

24 + 1 blm4mprime

4

1 bl

23 + 1 blm3mprime

3

1 bl

22 + 1 blm2mprime

2 hlowast










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆

















Ik

MAC(C)

hg

hg

hg

hg

hg

hg

hg

hg

hg

hg

g

Online Structure

$ g

$ g

$ g

$ g

$ g

$ g

2ℓminuss













Ik2s 2ℓ2

2sC

Online Structure





MAC(C|i 0d+L 1 02ℓ2) =MAC(C|i 0d 1 02


Ik2s 2ℓ2

2sC

Online Structure






Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs







MACk(M) = H(M k)








MACk(M) = H(M k)


helliphellip

klowastklowast

C0 =C1 =

M0 =

⋯

M1 = ⋯


helliphellip

k0


MAC(M0) = H1114100MAC(M1) = H1114100

11141031114103







MACk(M) = H(k M k)











MACk(M) = H(k M k)









HMAC




SSL IPSEC





Hash-based MACs

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3MACk(M)

ℓ n

|M|

Ikgk












OutlineIntroduction

MACsSecurity Proofs







Bibliography







hℓ

m0

x0

hℓ

m1

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







hℓ

m0

x0

hℓ

m1

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK










x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk







x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk







x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk




hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

ccprime

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

ccprime

x2 x3MACk(M)

l n

|M|

Ikgk













Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Random Mappings

x0

x1

x2

x3x4

x5x6

x7





Several components



Random Mappings





Several components



Random Mappings





Several components



Cycle structure


Components 12 logN




Cycle structure


Components 12 logN





Success if





Cycle structure


Components 12 logN





Success if






hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACk(M)

ℓ n

|M|

Ikgk




M = r [0]2ℓ2 [1] [0]2ℓ2




M1 = r [0]2ℓ2+L [1] [0]2ℓ2 M2 = r [0]2ℓ2 [1] [0]2ℓ2+L







Analysis









Analysis



Cycle structure


Components 12 logN








Analysis











Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK






Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK





















Mi

Online Structure


$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

Mi

Offline Structure





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure









Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime




Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime

Offline Structure

Cost Build Test





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity




Diamond filters






Diamond filters






Diamond filters


Diamond filter








Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity














1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ


Com

plexity

HAIFA mode

1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ





OutlineIntroduction

MACsSecurity Proofs







Bibliography










Ik Mprime








Ik Mprime










IV Mprime








IV

1 bl

27 + 1 blm7mprime

7

1 bl

26 + 1 blm6mprime

6

1 bl

25 + 1 blm5mprime

5

1 bl

24 + 1 blm4mprime

4

1 bl

23 + 1 blm3mprime

3

1 bl

22 + 1 blm2mprime

2 hlowast










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆

















Ik

MAC(C)

hg

hg

hg

hg

hg

hg

hg

hg

hg

hg

g

Online Structure

$ g

$ g

$ g

$ g

$ g

$ g

2ℓminuss













Ik2s 2ℓ2

2sC

Online Structure





MAC(C|i 0d+L 1 02ℓ2) =MAC(C|i 0d 1 02


Ik2s 2ℓ2

2sC

Online Structure






Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs







MACk(M) = H(M k)


helliphellip

klowastklowast

C0 =C1 =

M0 =

⋯

M1 = ⋯


helliphellip

k0


MAC(M0) = H1114100MAC(M1) = H1114100

11141031114103







MACk(M) = H(k M k)











MACk(M) = H(k M k)









HMAC




SSL IPSEC





Hash-based MACs

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3MACk(M)

ℓ n

|M|

Ikgk












OutlineIntroduction

MACsSecurity Proofs







Bibliography







hℓ

m0

x0

hℓ

m1

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







hℓ

m0

x0

hℓ

m1

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK










x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk







x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk







x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk




hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

ccprime

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

ccprime

x2 x3MACk(M)

l n

|M|

Ikgk













Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Random Mappings

x0

x1

x2

x3x4

x5x6

x7





Several components



Random Mappings





Several components



Random Mappings





Several components



Cycle structure


Components 12 logN




Cycle structure


Components 12 logN





Success if





Cycle structure


Components 12 logN





Success if






hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACk(M)

ℓ n

|M|

Ikgk




M = r [0]2ℓ2 [1] [0]2ℓ2




M1 = r [0]2ℓ2+L [1] [0]2ℓ2 M2 = r [0]2ℓ2 [1] [0]2ℓ2+L







Analysis









Analysis



Cycle structure


Components 12 logN








Analysis











Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK






Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK





















Mi

Online Structure


$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

Mi

Offline Structure





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure









Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime




Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime

Offline Structure

Cost Build Test





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity




Diamond filters






Diamond filters






Diamond filters


Diamond filter








Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity














1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ


Com

plexity

HAIFA mode

1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ





OutlineIntroduction

MACsSecurity Proofs







Bibliography










Ik Mprime








Ik Mprime










IV Mprime








IV

1 bl

27 + 1 blm7mprime

7

1 bl

26 + 1 blm6mprime

6

1 bl

25 + 1 blm5mprime

5

1 bl

24 + 1 blm4mprime

4

1 bl

23 + 1 blm3mprime

3

1 bl

22 + 1 blm2mprime

2 hlowast










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆

















Ik

MAC(C)

hg

hg

hg

hg

hg

hg

hg

hg

hg

hg

g

Online Structure

$ g

$ g

$ g

$ g

$ g

$ g

2ℓminuss













Ik2s 2ℓ2

2sC

Online Structure





MAC(C|i 0d+L 1 02ℓ2) =MAC(C|i 0d 1 02


Ik2s 2ℓ2

2sC

Online Structure






Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs







MACk(M) = H(k M k)











MACk(M) = H(k M k)









HMAC




SSL IPSEC





Hash-based MACs

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3MACk(M)

ℓ n

|M|

Ikgk












OutlineIntroduction

MACsSecurity Proofs







Bibliography







hℓ

m0

x0

hℓ

m1

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







hℓ

m0

x0

hℓ

m1

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK










x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk







x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk







x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk




hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

ccprime

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

ccprime

x2 x3MACk(M)

l n

|M|

Ikgk













Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Random Mappings

x0

x1

x2

x3x4

x5x6

x7





Several components



Random Mappings





Several components



Random Mappings





Several components



Cycle structure


Components 12 logN




Cycle structure


Components 12 logN





Success if





Cycle structure


Components 12 logN





Success if






hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACk(M)

ℓ n

|M|

Ikgk




M = r [0]2ℓ2 [1] [0]2ℓ2




M1 = r [0]2ℓ2+L [1] [0]2ℓ2 M2 = r [0]2ℓ2 [1] [0]2ℓ2+L







Analysis









Analysis



Cycle structure


Components 12 logN








Analysis











Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK






Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK





















Mi

Online Structure


$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

Mi

Offline Structure





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure









Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime




Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime

Offline Structure

Cost Build Test





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity




Diamond filters






Diamond filters






Diamond filters


Diamond filter








Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity














1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ


Com

plexity

HAIFA mode

1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ





OutlineIntroduction

MACsSecurity Proofs







Bibliography










Ik Mprime








Ik Mprime










IV Mprime








IV

1 bl

27 + 1 blm7mprime

7

1 bl

26 + 1 blm6mprime

6

1 bl

25 + 1 blm5mprime

5

1 bl

24 + 1 blm4mprime

4

1 bl

23 + 1 blm3mprime

3

1 bl

22 + 1 blm2mprime

2 hlowast










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆

















Ik

MAC(C)

hg

hg

hg

hg

hg

hg

hg

hg

hg

hg

g

Online Structure

$ g

$ g

$ g

$ g

$ g

$ g

2ℓminuss













Ik2s 2ℓ2

2sC

Online Structure





MAC(C|i 0d+L 1 02ℓ2) =MAC(C|i 0d 1 02


Ik2s 2ℓ2

2sC

Online Structure






Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs







MACk(M) = H(k M k)









HMAC




SSL IPSEC





Hash-based MACs

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3MACk(M)

ℓ n

|M|

Ikgk












OutlineIntroduction

MACsSecurity Proofs







Bibliography







hℓ

m0

x0

hℓ

m1

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







hℓ

m0

x0

hℓ

m1

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK










x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk







x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk







x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk




hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

ccprime

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

ccprime

x2 x3MACk(M)

l n

|M|

Ikgk













Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Random Mappings

x0

x1

x2

x3x4

x5x6

x7





Several components



Random Mappings





Several components



Random Mappings





Several components



Cycle structure


Components 12 logN




Cycle structure


Components 12 logN





Success if





Cycle structure


Components 12 logN





Success if






hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACk(M)

ℓ n

|M|

Ikgk




M = r [0]2ℓ2 [1] [0]2ℓ2




M1 = r [0]2ℓ2+L [1] [0]2ℓ2 M2 = r [0]2ℓ2 [1] [0]2ℓ2+L







Analysis









Analysis



Cycle structure


Components 12 logN








Analysis











Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK






Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK





















Mi

Online Structure


$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

Mi

Offline Structure





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure









Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime




Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime

Offline Structure

Cost Build Test





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity




Diamond filters






Diamond filters






Diamond filters


Diamond filter








Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity














1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ


Com

plexity

HAIFA mode

1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ





OutlineIntroduction

MACsSecurity Proofs







Bibliography










Ik Mprime








Ik Mprime










IV Mprime








IV

1 bl

27 + 1 blm7mprime

7

1 bl

26 + 1 blm6mprime

6

1 bl

25 + 1 blm5mprime

5

1 bl

24 + 1 blm4mprime

4

1 bl

23 + 1 blm3mprime

3

1 bl

22 + 1 blm2mprime

2 hlowast










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆

















Ik

MAC(C)

hg

hg

hg

hg

hg

hg

hg

hg

hg

hg

g

Online Structure

$ g

$ g

$ g

$ g

$ g

$ g

2ℓminuss













Ik2s 2ℓ2

2sC

Online Structure





MAC(C|i 0d+L 1 02ℓ2) =MAC(C|i 0d 1 02


Ik2s 2ℓ2

2sC

Online Structure






Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs





HMAC




SSL IPSEC





Hash-based MACs

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3MACk(M)

ℓ n

|M|

Ikgk












OutlineIntroduction

MACsSecurity Proofs







Bibliography







hℓ

m0

x0

hℓ

m1

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







hℓ

m0

x0

hℓ

m1

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK










x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk







x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk







x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk




hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

ccprime

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

ccprime

x2 x3MACk(M)

l n

|M|

Ikgk













Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Random Mappings

x0

x1

x2

x3x4

x5x6

x7





Several components



Random Mappings





Several components



Random Mappings





Several components



Cycle structure


Components 12 logN




Cycle structure


Components 12 logN





Success if





Cycle structure


Components 12 logN





Success if






hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACk(M)

ℓ n

|M|

Ikgk




M = r [0]2ℓ2 [1] [0]2ℓ2




M1 = r [0]2ℓ2+L [1] [0]2ℓ2 M2 = r [0]2ℓ2 [1] [0]2ℓ2+L







Analysis









Analysis



Cycle structure


Components 12 logN








Analysis











Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK






Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK





















Mi

Online Structure


$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

Mi

Offline Structure





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure









Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime




Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime

Offline Structure

Cost Build Test





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity




Diamond filters






Diamond filters






Diamond filters


Diamond filter








Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity














1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ


Com

plexity

HAIFA mode

1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ





OutlineIntroduction

MACsSecurity Proofs







Bibliography










Ik Mprime








Ik Mprime










IV Mprime








IV

1 bl

27 + 1 blm7mprime

7

1 bl

26 + 1 blm6mprime

6

1 bl

25 + 1 blm5mprime

5

1 bl

24 + 1 blm4mprime

4

1 bl

23 + 1 blm3mprime

3

1 bl

22 + 1 blm2mprime

2 hlowast










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆

















Ik

MAC(C)

hg

hg

hg

hg

hg

hg

hg

hg

hg

hg

g

Online Structure

$ g

$ g

$ g

$ g

$ g

$ g

2ℓminuss













Ik2s 2ℓ2

2sC

Online Structure





MAC(C|i 0d+L 1 02ℓ2) =MAC(C|i 0d 1 02


Ik2s 2ℓ2

2sC

Online Structure






Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs





Hash-based MACs

hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3MACk(M)

ℓ n

|M|

Ikgk












OutlineIntroduction

MACsSecurity Proofs







Bibliography







hℓ

m0

x0

hℓ

m1

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







hℓ

m0

x0

hℓ

m1

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK










x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk







x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk







x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk




hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

ccprime

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

ccprime

x2 x3MACk(M)

l n

|M|

Ikgk













Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Random Mappings

x0

x1

x2

x3x4

x5x6

x7





Several components



Random Mappings





Several components



Random Mappings





Several components



Cycle structure


Components 12 logN




Cycle structure


Components 12 logN





Success if





Cycle structure


Components 12 logN





Success if






hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACk(M)

ℓ n

|M|

Ikgk




M = r [0]2ℓ2 [1] [0]2ℓ2




M1 = r [0]2ℓ2+L [1] [0]2ℓ2 M2 = r [0]2ℓ2 [1] [0]2ℓ2+L







Analysis









Analysis



Cycle structure


Components 12 logN








Analysis











Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK






Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK





















Mi

Online Structure


$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

Mi

Offline Structure





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure









Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime




Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime

Offline Structure

Cost Build Test





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity




Diamond filters






Diamond filters






Diamond filters


Diamond filter








Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity














1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ


Com

plexity

HAIFA mode

1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ





OutlineIntroduction

MACsSecurity Proofs







Bibliography










Ik Mprime








Ik Mprime










IV Mprime








IV

1 bl

27 + 1 blm7mprime

7

1 bl

26 + 1 blm6mprime

6

1 bl

25 + 1 blm5mprime

5

1 bl

24 + 1 blm4mprime

4

1 bl

23 + 1 blm3mprime

3

1 bl

22 + 1 blm2mprime

2 hlowast










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆

















Ik

MAC(C)

hg

hg

hg

hg

hg

hg

hg

hg

hg

hg

g

Online Structure

$ g

$ g

$ g

$ g

$ g

$ g

2ℓminuss













Ik2s 2ℓ2

2sC

Online Structure





MAC(C|i 0d+L 1 02ℓ2) =MAC(C|i 0d 1 02


Ik2s 2ℓ2

2sC

Online Structure






Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs












OutlineIntroduction

MACsSecurity Proofs







Bibliography







hℓ

m0

x0

hℓ

m1

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







hℓ

m0

x0

hℓ

m1

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK










x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk







x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk







x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk




hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

ccprime

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

ccprime

x2 x3MACk(M)

l n

|M|

Ikgk













Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Random Mappings

x0

x1

x2

x3x4

x5x6

x7





Several components



Random Mappings





Several components



Random Mappings





Several components



Cycle structure


Components 12 logN




Cycle structure


Components 12 logN





Success if





Cycle structure


Components 12 logN





Success if






hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACk(M)

ℓ n

|M|

Ikgk




M = r [0]2ℓ2 [1] [0]2ℓ2




M1 = r [0]2ℓ2+L [1] [0]2ℓ2 M2 = r [0]2ℓ2 [1] [0]2ℓ2+L







Analysis









Analysis



Cycle structure


Components 12 logN








Analysis











Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK






Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK





















Mi

Online Structure


$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

Mi

Offline Structure





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure









Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime




Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime

Offline Structure

Cost Build Test





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity




Diamond filters






Diamond filters






Diamond filters


Diamond filter








Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity














1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ


Com

plexity

HAIFA mode

1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ





OutlineIntroduction

MACsSecurity Proofs







Bibliography










Ik Mprime








Ik Mprime










IV Mprime








IV

1 bl

27 + 1 blm7mprime

7

1 bl

26 + 1 blm6mprime

6

1 bl

25 + 1 blm5mprime

5

1 bl

24 + 1 blm4mprime

4

1 bl

23 + 1 blm3mprime

3

1 bl

22 + 1 blm2mprime

2 hlowast










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆

















Ik

MAC(C)

hg

hg

hg

hg

hg

hg

hg

hg

hg

hg

g

Online Structure

$ g

$ g

$ g

$ g

$ g

$ g

2ℓminuss













Ik2s 2ℓ2

2sC

Online Structure





MAC(C|i 0d+L 1 02ℓ2) =MAC(C|i 0d 1 02


Ik2s 2ℓ2

2sC

Online Structure






Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs





Bibliography







hℓ

m0

x0

hℓ

m1

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







hℓ

m0

x0

hℓ

m1

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK










x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk







x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk







x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk




hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

ccprime

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

ccprime

x2 x3MACk(M)

l n

|M|

Ikgk













Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Random Mappings

x0

x1

x2

x3x4

x5x6

x7





Several components



Random Mappings





Several components



Random Mappings





Several components



Cycle structure


Components 12 logN




Cycle structure


Components 12 logN





Success if





Cycle structure


Components 12 logN





Success if






hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACk(M)

ℓ n

|M|

Ikgk




M = r [0]2ℓ2 [1] [0]2ℓ2




M1 = r [0]2ℓ2+L [1] [0]2ℓ2 M2 = r [0]2ℓ2 [1] [0]2ℓ2+L







Analysis









Analysis



Cycle structure


Components 12 logN








Analysis











Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK






Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK





















Mi

Online Structure


$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

Mi

Offline Structure





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure









Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime




Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime

Offline Structure

Cost Build Test





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity




Diamond filters






Diamond filters






Diamond filters


Diamond filter








Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity














1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ


Com

plexity

HAIFA mode

1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ





OutlineIntroduction

MACsSecurity Proofs







Bibliography










Ik Mprime








Ik Mprime










IV Mprime








IV

1 bl

27 + 1 blm7mprime

7

1 bl

26 + 1 blm6mprime

6

1 bl

25 + 1 blm5mprime

5

1 bl

24 + 1 blm4mprime

4

1 bl

23 + 1 blm3mprime

3

1 bl

22 + 1 blm2mprime

2 hlowast










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆

















Ik

MAC(C)

hg

hg

hg

hg

hg

hg

hg

hg

hg

hg

g

Online Structure

$ g

$ g

$ g

$ g

$ g

$ g

2ℓminuss













Ik2s 2ℓ2

2sC

Online Structure





MAC(C|i 0d+L 1 02ℓ2) =MAC(C|i 0d 1 02


Ik2s 2ℓ2

2sC

Online Structure






Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs






hℓ

m0

x0

hℓ

m1

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







hℓ

m0

x0

hℓ

m1

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK










x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk







x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk







x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk




hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

ccprime

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

ccprime

x2 x3MACk(M)

l n

|M|

Ikgk













Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Random Mappings

x0

x1

x2

x3x4

x5x6

x7





Several components



Random Mappings





Several components



Random Mappings





Several components



Cycle structure


Components 12 logN




Cycle structure


Components 12 logN





Success if





Cycle structure


Components 12 logN





Success if






hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACk(M)

ℓ n

|M|

Ikgk




M = r [0]2ℓ2 [1] [0]2ℓ2




M1 = r [0]2ℓ2+L [1] [0]2ℓ2 M2 = r [0]2ℓ2 [1] [0]2ℓ2+L







Analysis









Analysis



Cycle structure


Components 12 logN








Analysis











Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK






Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK





















Mi

Online Structure


$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

Mi

Offline Structure





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure









Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime




Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime

Offline Structure

Cost Build Test





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity




Diamond filters






Diamond filters






Diamond filters


Diamond filter








Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity














1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ


Com

plexity

HAIFA mode

1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ





OutlineIntroduction

MACsSecurity Proofs







Bibliography










Ik Mprime








Ik Mprime










IV Mprime








IV

1 bl

27 + 1 blm7mprime

7

1 bl

26 + 1 blm6mprime

6

1 bl

25 + 1 blm5mprime

5

1 bl

24 + 1 blm4mprime

4

1 bl

23 + 1 blm3mprime

3

1 bl

22 + 1 blm2mprime

2 hlowast










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆

















Ik

MAC(C)

hg

hg

hg

hg

hg

hg

hg

hg

hg

hg

g

Online Structure

$ g

$ g

$ g

$ g

$ g

$ g

2ℓminuss













Ik2s 2ℓ2

2sC

Online Structure





MAC(C|i 0d+L 1 02ℓ2) =MAC(C|i 0d 1 02


Ik2s 2ℓ2

2sC

Online Structure






Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs






hℓ

m0

x0

hℓ

m1

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK










x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk







x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk







x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk




hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

ccprime

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

ccprime

x2 x3MACk(M)

l n

|M|

Ikgk













Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Random Mappings

x0

x1

x2

x3x4

x5x6

x7





Several components



Random Mappings





Several components



Random Mappings





Several components



Cycle structure


Components 12 logN




Cycle structure


Components 12 logN





Success if





Cycle structure


Components 12 logN





Success if






hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACk(M)

ℓ n

|M|

Ikgk




M = r [0]2ℓ2 [1] [0]2ℓ2




M1 = r [0]2ℓ2+L [1] [0]2ℓ2 M2 = r [0]2ℓ2 [1] [0]2ℓ2+L







Analysis









Analysis



Cycle structure


Components 12 logN








Analysis











Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK






Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK





















Mi

Online Structure


$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

Mi

Offline Structure





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure









Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime




Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime

Offline Structure

Cost Build Test





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity




Diamond filters






Diamond filters






Diamond filters


Diamond filter








Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity














1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ


Com

plexity

HAIFA mode

1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ





OutlineIntroduction

MACsSecurity Proofs







Bibliography










Ik Mprime








Ik Mprime










IV Mprime








IV

1 bl

27 + 1 blm7mprime

7

1 bl

26 + 1 blm6mprime

6

1 bl

25 + 1 blm5mprime

5

1 bl

24 + 1 blm4mprime

4

1 bl

23 + 1 blm3mprime

3

1 bl

22 + 1 blm2mprime

2 hlowast










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆

















Ik

MAC(C)

hg

hg

hg

hg

hg

hg

hg

hg

hg

hg

g

Online Structure

$ g

$ g

$ g

$ g

$ g

$ g

2ℓminuss













Ik2s 2ℓ2

2sC

Online Structure





MAC(C|i 0d+L 1 02ℓ2) =MAC(C|i 0d 1 02


Ik2s 2ℓ2

2sC

Online Structure






Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs









x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk







x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk







x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk




hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

ccprime

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

ccprime

x2 x3MACk(M)

l n

|M|

Ikgk













Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Random Mappings

x0

x1

x2

x3x4

x5x6

x7





Several components



Random Mappings





Several components



Random Mappings





Several components



Cycle structure


Components 12 logN




Cycle structure


Components 12 logN





Success if





Cycle structure


Components 12 logN





Success if






hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACk(M)

ℓ n

|M|

Ikgk




M = r [0]2ℓ2 [1] [0]2ℓ2




M1 = r [0]2ℓ2+L [1] [0]2ℓ2 M2 = r [0]2ℓ2 [1] [0]2ℓ2+L







Analysis









Analysis



Cycle structure


Components 12 logN








Analysis











Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK






Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK





















Mi

Online Structure


$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

Mi

Offline Structure





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure









Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime




Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime

Offline Structure

Cost Build Test





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity




Diamond filters






Diamond filters






Diamond filters


Diamond filter








Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity














1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ


Com

plexity

HAIFA mode

1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ





OutlineIntroduction

MACsSecurity Proofs







Bibliography










Ik Mprime








Ik Mprime










IV Mprime








IV

1 bl

27 + 1 blm7mprime

7

1 bl

26 + 1 blm6mprime

6

1 bl

25 + 1 blm5mprime

5

1 bl

24 + 1 blm4mprime

4

1 bl

23 + 1 blm3mprime

3

1 bl

22 + 1 blm2mprime

2 hlowast










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆

















Ik

MAC(C)

hg

hg

hg

hg

hg

hg

hg

hg

hg

hg

g

Online Structure

$ g

$ g

$ g

$ g

$ g

$ g

2ℓminuss













Ik2s 2ℓ2

2sC

Online Structure





MAC(C|i 0d+L 1 02ℓ2) =MAC(C|i 0d 1 02


Ik2s 2ℓ2

2sC

Online Structure






Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs









x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk







x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk




hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

ccprime

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

ccprime

x2 x3MACk(M)

l n

|M|

Ikgk













Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Random Mappings

x0

x1

x2

x3x4

x5x6

x7





Several components



Random Mappings





Several components



Random Mappings





Several components



Cycle structure


Components 12 logN




Cycle structure


Components 12 logN





Success if





Cycle structure


Components 12 logN





Success if






hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACk(M)

ℓ n

|M|

Ikgk




M = r [0]2ℓ2 [1] [0]2ℓ2




M1 = r [0]2ℓ2+L [1] [0]2ℓ2 M2 = r [0]2ℓ2 [1] [0]2ℓ2+L







Analysis









Analysis



Cycle structure


Components 12 logN








Analysis











Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK






Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK





















Mi

Online Structure


$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

Mi

Offline Structure





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure









Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime




Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime

Offline Structure

Cost Build Test





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity




Diamond filters






Diamond filters






Diamond filters


Diamond filter








Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity














1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ


Com

plexity

HAIFA mode

1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ





OutlineIntroduction

MACsSecurity Proofs







Bibliography










Ik Mprime








Ik Mprime










IV Mprime








IV

1 bl

27 + 1 blm7mprime

7

1 bl

26 + 1 blm6mprime

6

1 bl

25 + 1 blm5mprime

5

1 bl

24 + 1 blm4mprime

4

1 bl

23 + 1 blm3mprime

3

1 bl

22 + 1 blm2mprime

2 hlowast










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆

















Ik

MAC(C)

hg

hg

hg

hg

hg

hg

hg

hg

hg

hg

g

Online Structure

$ g

$ g

$ g

$ g

$ g

$ g

2ℓminuss













Ik2s 2ℓ2

2sC

Online Structure





MAC(C|i 0d+L 1 02ℓ2) =MAC(C|i 0d 1 02


Ik2s 2ℓ2

2sC

Online Structure






Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs









x h1h1

c

cprime

Offline Structure


Ikx

h0

Mh1h1

c

cprime

gk




hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

ccprime

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

ccprime

x2 x3MACk(M)

l n

|M|

Ikgk













Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Random Mappings

x0

x1

x2

x3x4

x5x6

x7





Several components



Random Mappings





Several components



Random Mappings





Several components



Cycle structure


Components 12 logN




Cycle structure


Components 12 logN





Success if





Cycle structure


Components 12 logN





Success if






hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACk(M)

ℓ n

|M|

Ikgk




M = r [0]2ℓ2 [1] [0]2ℓ2




M1 = r [0]2ℓ2+L [1] [0]2ℓ2 M2 = r [0]2ℓ2 [1] [0]2ℓ2+L







Analysis









Analysis



Cycle structure


Components 12 logN








Analysis











Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK






Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK





















Mi

Online Structure


$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

Mi

Offline Structure





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure









Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime




Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime

Offline Structure

Cost Build Test





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity




Diamond filters






Diamond filters






Diamond filters


Diamond filter








Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity














1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ


Com

plexity

HAIFA mode

1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ





OutlineIntroduction

MACsSecurity Proofs







Bibliography










Ik Mprime








Ik Mprime










IV Mprime








IV

1 bl

27 + 1 blm7mprime

7

1 bl

26 + 1 blm6mprime

6

1 bl

25 + 1 blm5mprime

5

1 bl

24 + 1 blm4mprime

4

1 bl

23 + 1 blm3mprime

3

1 bl

22 + 1 blm2mprime

2 hlowast










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆

















Ik

MAC(C)

hg

hg

hg

hg

hg

hg

hg

hg

hg

hg

g

Online Structure

$ g

$ g

$ g

$ g

$ g

$ g

2ℓminuss













Ik2s 2ℓ2

2sC

Online Structure





MAC(C|i 0d+L 1 02ℓ2) =MAC(C|i 0d 1 02


Ik2s 2ℓ2

2sC

Online Structure






Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs






hℓ

m0

x0

hℓ

m1

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

ccprime

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

ccprime

x2 x3MACk(M)

l n

|M|

Ikgk













Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Random Mappings

x0

x1

x2

x3x4

x5x6

x7





Several components



Random Mappings





Several components



Random Mappings





Several components



Cycle structure


Components 12 logN




Cycle structure


Components 12 logN





Success if





Cycle structure


Components 12 logN





Success if






hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACk(M)

ℓ n

|M|

Ikgk




M = r [0]2ℓ2 [1] [0]2ℓ2




M1 = r [0]2ℓ2+L [1] [0]2ℓ2 M2 = r [0]2ℓ2 [1] [0]2ℓ2+L







Analysis









Analysis



Cycle structure


Components 12 logN








Analysis











Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK






Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK





















Mi

Online Structure


$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

Mi

Offline Structure





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure









Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime




Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime

Offline Structure

Cost Build Test





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity




Diamond filters






Diamond filters






Diamond filters


Diamond filter








Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity














1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ


Com

plexity

HAIFA mode

1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ





OutlineIntroduction

MACsSecurity Proofs







Bibliography










Ik Mprime








Ik Mprime










IV Mprime








IV

1 bl

27 + 1 blm7mprime

7

1 bl

26 + 1 blm6mprime

6

1 bl

25 + 1 blm5mprime

5

1 bl

24 + 1 blm4mprime

4

1 bl

23 + 1 blm3mprime

3

1 bl

22 + 1 blm2mprime

2 hlowast










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆

















Ik

MAC(C)

hg

hg

hg

hg

hg

hg

hg

hg

hg

hg

g

Online Structure

$ g

$ g

$ g

$ g

$ g

$ g

2ℓminuss













Ik2s 2ℓ2

2sC

Online Structure





MAC(C|i 0d+L 1 02ℓ2) =MAC(C|i 0d 1 02


Ik2s 2ℓ2

2sC

Online Structure






Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs






hℓ

m0

x0

hℓ

0

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

ccprime

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

ccprime

x2 x3MACk(M)

l n

|M|

Ikgk













Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Random Mappings

x0

x1

x2

x3x4

x5x6

x7





Several components



Random Mappings





Several components



Random Mappings





Several components



Cycle structure


Components 12 logN




Cycle structure


Components 12 logN





Success if





Cycle structure


Components 12 logN





Success if






hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACk(M)

ℓ n

|M|

Ikgk




M = r [0]2ℓ2 [1] [0]2ℓ2




M1 = r [0]2ℓ2+L [1] [0]2ℓ2 M2 = r [0]2ℓ2 [1] [0]2ℓ2+L







Analysis









Analysis



Cycle structure


Components 12 logN








Analysis











Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK






Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK





















Mi

Online Structure


$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

Mi

Offline Structure





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure









Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime




Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime

Offline Structure

Cost Build Test





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity




Diamond filters






Diamond filters






Diamond filters


Diamond filter








Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity














1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ


Com

plexity

HAIFA mode

1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ





OutlineIntroduction

MACsSecurity Proofs







Bibliography










Ik Mprime








Ik Mprime










IV Mprime








IV

1 bl

27 + 1 blm7mprime

7

1 bl

26 + 1 blm6mprime

6

1 bl

25 + 1 blm5mprime

5

1 bl

24 + 1 blm4mprime

4

1 bl

23 + 1 blm3mprime

3

1 bl

22 + 1 blm2mprime

2 hlowast










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆

















Ik

MAC(C)

hg

hg

hg

hg

hg

hg

hg

hg

hg

hg

g

Online Structure

$ g

$ g

$ g

$ g

$ g

$ g

2ℓminuss













Ik2s 2ℓ2

2sC

Online Structure





MAC(C|i 0d+L 1 02ℓ2) =MAC(C|i 0d 1 02


Ik2s 2ℓ2

2sC

Online Structure






Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs






hℓ

m0

x0

hℓ

0

x1

hℓ

m2

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

ccprime

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

ccprime

x2 x3MACk(M)

l n

|M|

Ikgk













Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Random Mappings

x0

x1

x2

x3x4

x5x6

x7





Several components



Random Mappings





Several components



Random Mappings





Several components



Cycle structure


Components 12 logN




Cycle structure


Components 12 logN





Success if





Cycle structure


Components 12 logN





Success if






hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACk(M)

ℓ n

|M|

Ikgk




M = r [0]2ℓ2 [1] [0]2ℓ2




M1 = r [0]2ℓ2+L [1] [0]2ℓ2 M2 = r [0]2ℓ2 [1] [0]2ℓ2+L







Analysis









Analysis



Cycle structure


Components 12 logN








Analysis











Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK






Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK





















Mi

Online Structure


$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

Mi

Offline Structure





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure









Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime




Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime

Offline Structure

Cost Build Test





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity




Diamond filters






Diamond filters






Diamond filters


Diamond filter








Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity














1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ


Com

plexity

HAIFA mode

1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ





OutlineIntroduction

MACsSecurity Proofs







Bibliography










Ik Mprime








Ik Mprime










IV Mprime








IV

1 bl

27 + 1 blm7mprime

7

1 bl

26 + 1 blm6mprime

6

1 bl

25 + 1 blm5mprime

5

1 bl

24 + 1 blm4mprime

4

1 bl

23 + 1 blm3mprime

3

1 bl

22 + 1 blm2mprime

2 hlowast










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆

















Ik

MAC(C)

hg

hg

hg

hg

hg

hg

hg

hg

hg

hg

g

Online Structure

$ g

$ g

$ g

$ g

$ g

$ g

2ℓminuss













Ik2s 2ℓ2

2sC

Online Structure





MAC(C|i 0d+L 1 02ℓ2) =MAC(C|i 0d 1 02


Ik2s 2ℓ2

2sC

Online Structure






Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs






hℓ

m0

x0

hℓ

0

x1

hℓ

ccprime

x2 x3MACk(M)

l n

|M|

Ikgk







hℓ

m0

x0

hℓ

0

x1

hℓ

ccprime

x2 x3MACk(M)

l n

|M|

Ikgk













Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Random Mappings

x0

x1

x2

x3x4

x5x6

x7





Several components



Random Mappings





Several components



Random Mappings





Several components



Cycle structure


Components 12 logN




Cycle structure


Components 12 logN





Success if





Cycle structure


Components 12 logN





Success if






hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACk(M)

ℓ n

|M|

Ikgk




M = r [0]2ℓ2 [1] [0]2ℓ2




M1 = r [0]2ℓ2+L [1] [0]2ℓ2 M2 = r [0]2ℓ2 [1] [0]2ℓ2+L







Analysis









Analysis



Cycle structure


Components 12 logN








Analysis











Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK






Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK





















Mi

Online Structure


$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

Mi

Offline Structure





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure









Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime




Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime

Offline Structure

Cost Build Test





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity




Diamond filters






Diamond filters






Diamond filters


Diamond filter








Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity














1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ


Com

plexity

HAIFA mode

1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ





OutlineIntroduction

MACsSecurity Proofs







Bibliography










Ik Mprime








Ik Mprime










IV Mprime








IV

1 bl

27 + 1 blm7mprime

7

1 bl

26 + 1 blm6mprime

6

1 bl

25 + 1 blm5mprime

5

1 bl

24 + 1 blm4mprime

4

1 bl

23 + 1 blm3mprime

3

1 bl

22 + 1 blm2mprime

2 hlowast










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆

















Ik

MAC(C)

hg

hg

hg

hg

hg

hg

hg

hg

hg

hg

g

Online Structure

$ g

$ g

$ g

$ g

$ g

$ g

2ℓminuss













Ik2s 2ℓ2

2sC

Online Structure





MAC(C|i 0d+L 1 02ℓ2) =MAC(C|i 0d 1 02


Ik2s 2ℓ2

2sC

Online Structure






Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs






hℓ

m0

x0

hℓ

0

x1

hℓ

ccprime

x2 x3MACk(M)

l n

|M|

Ikgk













Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Random Mappings

x0

x1

x2

x3x4

x5x6

x7





Several components



Random Mappings





Several components



Random Mappings





Several components



Cycle structure


Components 12 logN




Cycle structure


Components 12 logN





Success if





Cycle structure


Components 12 logN





Success if






hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACk(M)

ℓ n

|M|

Ikgk




M = r [0]2ℓ2 [1] [0]2ℓ2




M1 = r [0]2ℓ2+L [1] [0]2ℓ2 M2 = r [0]2ℓ2 [1] [0]2ℓ2+L







Analysis









Analysis



Cycle structure


Components 12 logN








Analysis











Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK






Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK





















Mi

Online Structure


$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

Mi

Offline Structure





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure









Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime




Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime

Offline Structure

Cost Build Test





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity




Diamond filters






Diamond filters






Diamond filters


Diamond filter








Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity














1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ


Com

plexity

HAIFA mode

1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ





OutlineIntroduction

MACsSecurity Proofs







Bibliography










Ik Mprime








Ik Mprime










IV Mprime








IV

1 bl

27 + 1 blm7mprime

7

1 bl

26 + 1 blm6mprime

6

1 bl

25 + 1 blm5mprime

5

1 bl

24 + 1 blm4mprime

4

1 bl

23 + 1 blm3mprime

3

1 bl

22 + 1 blm2mprime

2 hlowast










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆

















Ik

MAC(C)

hg

hg

hg

hg

hg

hg

hg

hg

hg

hg

g

Online Structure

$ g

$ g

$ g

$ g

$ g

$ g

2ℓminuss













Ik2s 2ℓ2

2sC

Online Structure





MAC(C|i 0d+L 1 02ℓ2) =MAC(C|i 0d 1 02


Ik2s 2ℓ2

2sC

Online Structure






Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs












Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Random Mappings

x0

x1

x2

x3x4

x5x6

x7





Several components



Random Mappings





Several components



Random Mappings





Several components



Cycle structure


Components 12 logN




Cycle structure


Components 12 logN





Success if





Cycle structure


Components 12 logN





Success if






hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACk(M)

ℓ n

|M|

Ikgk




M = r [0]2ℓ2 [1] [0]2ℓ2




M1 = r [0]2ℓ2+L [1] [0]2ℓ2 M2 = r [0]2ℓ2 [1] [0]2ℓ2+L







Analysis









Analysis



Cycle structure


Components 12 logN








Analysis











Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK






Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK





















Mi

Online Structure


$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

Mi

Offline Structure





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure









Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime




Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime

Offline Structure

Cost Build Test





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity




Diamond filters






Diamond filters






Diamond filters


Diamond filter








Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity














1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ


Com

plexity

HAIFA mode

1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ





OutlineIntroduction

MACsSecurity Proofs







Bibliography










Ik Mprime








Ik Mprime










IV Mprime








IV

1 bl

27 + 1 blm7mprime

7

1 bl

26 + 1 blm6mprime

6

1 bl

25 + 1 blm5mprime

5

1 bl

24 + 1 blm4mprime

4

1 bl

23 + 1 blm3mprime

3

1 bl

22 + 1 blm2mprime

2 hlowast










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆

















Ik

MAC(C)

hg

hg

hg

hg

hg

hg

hg

hg

hg

hg

g

Online Structure

$ g

$ g

$ g

$ g

$ g

$ g

2ℓminuss













Ik2s 2ℓ2

2sC

Online Structure





MAC(C|i 0d+L 1 02ℓ2) =MAC(C|i 0d 1 02


Ik2s 2ℓ2

2sC

Online Structure






Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs





Cycle based attack

hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACK(M)

ℓ n

|M|

IKgK







Random Mappings

x0

x1

x2

x3x4

x5x6

x7





Several components



Random Mappings





Several components



Random Mappings





Several components



Cycle structure


Components 12 logN




Cycle structure


Components 12 logN





Success if





Cycle structure


Components 12 logN





Success if






hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACk(M)

ℓ n

|M|

Ikgk




M = r [0]2ℓ2 [1] [0]2ℓ2




M1 = r [0]2ℓ2+L [1] [0]2ℓ2 M2 = r [0]2ℓ2 [1] [0]2ℓ2+L







Analysis









Analysis



Cycle structure


Components 12 logN








Analysis











Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK






Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK





















Mi

Online Structure


$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

Mi

Offline Structure





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure









Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime




Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime

Offline Structure

Cost Build Test





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity




Diamond filters






Diamond filters






Diamond filters


Diamond filter








Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity














1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ


Com

plexity

HAIFA mode

1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ





OutlineIntroduction

MACsSecurity Proofs







Bibliography










Ik Mprime








Ik Mprime










IV Mprime








IV

1 bl

27 + 1 blm7mprime

7

1 bl

26 + 1 blm6mprime

6

1 bl

25 + 1 blm5mprime

5

1 bl

24 + 1 blm4mprime

4

1 bl

23 + 1 blm3mprime

3

1 bl

22 + 1 blm2mprime

2 hlowast










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆

















Ik

MAC(C)

hg

hg

hg

hg

hg

hg

hg

hg

hg

hg

g

Online Structure

$ g

$ g

$ g

$ g

$ g

$ g

2ℓminuss













Ik2s 2ℓ2

2sC

Online Structure





MAC(C|i 0d+L 1 02ℓ2) =MAC(C|i 0d 1 02


Ik2s 2ℓ2

2sC

Online Structure






Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs





Random Mappings

x0

x1

x2

x3x4

x5x6

x7





Several components



Random Mappings





Several components



Random Mappings





Several components



Cycle structure


Components 12 logN




Cycle structure


Components 12 logN





Success if





Cycle structure


Components 12 logN





Success if






hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACk(M)

ℓ n

|M|

Ikgk




M = r [0]2ℓ2 [1] [0]2ℓ2




M1 = r [0]2ℓ2+L [1] [0]2ℓ2 M2 = r [0]2ℓ2 [1] [0]2ℓ2+L







Analysis









Analysis



Cycle structure


Components 12 logN








Analysis











Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK






Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK





















Mi

Online Structure


$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

Mi

Offline Structure





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure









Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime




Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime

Offline Structure

Cost Build Test





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity




Diamond filters






Diamond filters






Diamond filters


Diamond filter








Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity














1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ


Com

plexity

HAIFA mode

1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ





OutlineIntroduction

MACsSecurity Proofs







Bibliography










Ik Mprime








Ik Mprime










IV Mprime








IV

1 bl

27 + 1 blm7mprime

7

1 bl

26 + 1 blm6mprime

6

1 bl

25 + 1 blm5mprime

5

1 bl

24 + 1 blm4mprime

4

1 bl

23 + 1 blm3mprime

3

1 bl

22 + 1 blm2mprime

2 hlowast










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆

















Ik

MAC(C)

hg

hg

hg

hg

hg

hg

hg

hg

hg

hg

g

Online Structure

$ g

$ g

$ g

$ g

$ g

$ g

2ℓminuss













Ik2s 2ℓ2

2sC

Online Structure





MAC(C|i 0d+L 1 02ℓ2) =MAC(C|i 0d 1 02


Ik2s 2ℓ2

2sC

Online Structure






Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs





Random Mappings





Several components



Random Mappings





Several components



Cycle structure


Components 12 logN




Cycle structure


Components 12 logN





Success if





Cycle structure


Components 12 logN





Success if






hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACk(M)

ℓ n

|M|

Ikgk




M = r [0]2ℓ2 [1] [0]2ℓ2




M1 = r [0]2ℓ2+L [1] [0]2ℓ2 M2 = r [0]2ℓ2 [1] [0]2ℓ2+L







Analysis









Analysis



Cycle structure


Components 12 logN








Analysis











Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK






Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK





















Mi

Online Structure


$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

Mi

Offline Structure





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure









Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime




Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime

Offline Structure

Cost Build Test





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity




Diamond filters






Diamond filters






Diamond filters


Diamond filter








Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity














1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ


Com

plexity

HAIFA mode

1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ





OutlineIntroduction

MACsSecurity Proofs







Bibliography










Ik Mprime








Ik Mprime










IV Mprime








IV

1 bl

27 + 1 blm7mprime

7

1 bl

26 + 1 blm6mprime

6

1 bl

25 + 1 blm5mprime

5

1 bl

24 + 1 blm4mprime

4

1 bl

23 + 1 blm3mprime

3

1 bl

22 + 1 blm2mprime

2 hlowast










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆

















Ik

MAC(C)

hg

hg

hg

hg

hg

hg

hg

hg

hg

hg

g

Online Structure

$ g

$ g

$ g

$ g

$ g

$ g

2ℓminuss













Ik2s 2ℓ2

2sC

Online Structure





MAC(C|i 0d+L 1 02ℓ2) =MAC(C|i 0d 1 02


Ik2s 2ℓ2

2sC

Online Structure






Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs





Random Mappings





Several components



Cycle structure


Components 12 logN




Cycle structure


Components 12 logN





Success if





Cycle structure


Components 12 logN





Success if






hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACk(M)

ℓ n

|M|

Ikgk




M = r [0]2ℓ2 [1] [0]2ℓ2




M1 = r [0]2ℓ2+L [1] [0]2ℓ2 M2 = r [0]2ℓ2 [1] [0]2ℓ2+L







Analysis









Analysis



Cycle structure


Components 12 logN








Analysis











Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK






Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK





















Mi

Online Structure


$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

Mi

Offline Structure





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure









Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime




Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime

Offline Structure

Cost Build Test





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity




Diamond filters






Diamond filters






Diamond filters


Diamond filter








Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity














1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ


Com

plexity

HAIFA mode

1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ





OutlineIntroduction

MACsSecurity Proofs







Bibliography










Ik Mprime








Ik Mprime










IV Mprime








IV

1 bl

27 + 1 blm7mprime

7

1 bl

26 + 1 blm6mprime

6

1 bl

25 + 1 blm5mprime

5

1 bl

24 + 1 blm4mprime

4

1 bl

23 + 1 blm3mprime

3

1 bl

22 + 1 blm2mprime

2 hlowast










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆

















Ik

MAC(C)

hg

hg

hg

hg

hg

hg

hg

hg

hg

hg

g

Online Structure

$ g

$ g

$ g

$ g

$ g

$ g

2ℓminuss













Ik2s 2ℓ2

2sC

Online Structure





MAC(C|i 0d+L 1 02ℓ2) =MAC(C|i 0d 1 02


Ik2s 2ℓ2

2sC

Online Structure






Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs





Cycle structure


Components 12 logN




Cycle structure


Components 12 logN





Success if





Cycle structure


Components 12 logN





Success if






hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACk(M)

ℓ n

|M|

Ikgk




M = r [0]2ℓ2 [1] [0]2ℓ2




M1 = r [0]2ℓ2+L [1] [0]2ℓ2 M2 = r [0]2ℓ2 [1] [0]2ℓ2+L







Analysis









Analysis



Cycle structure


Components 12 logN








Analysis











Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK






Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK





















Mi

Online Structure


$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

Mi

Offline Structure





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure









Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime




Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime

Offline Structure

Cost Build Test





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity




Diamond filters






Diamond filters






Diamond filters


Diamond filter








Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity














1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ


Com

plexity

HAIFA mode

1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ





OutlineIntroduction

MACsSecurity Proofs







Bibliography










Ik Mprime








Ik Mprime










IV Mprime








IV

1 bl

27 + 1 blm7mprime

7

1 bl

26 + 1 blm6mprime

6

1 bl

25 + 1 blm5mprime

5

1 bl

24 + 1 blm4mprime

4

1 bl

23 + 1 blm3mprime

3

1 bl

22 + 1 blm2mprime

2 hlowast










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆

















Ik

MAC(C)

hg

hg

hg

hg

hg

hg

hg

hg

hg

hg

g

Online Structure

$ g

$ g

$ g

$ g

$ g

$ g

2ℓminuss













Ik2s 2ℓ2

2sC

Online Structure





MAC(C|i 0d+L 1 02ℓ2) =MAC(C|i 0d 1 02


Ik2s 2ℓ2

2sC

Online Structure






Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs





Cycle structure


Components 12 logN





Success if





Cycle structure


Components 12 logN





Success if






hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACk(M)

ℓ n

|M|

Ikgk




M = r [0]2ℓ2 [1] [0]2ℓ2




M1 = r [0]2ℓ2+L [1] [0]2ℓ2 M2 = r [0]2ℓ2 [1] [0]2ℓ2+L







Analysis









Analysis



Cycle structure


Components 12 logN








Analysis











Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK






Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK





















Mi

Online Structure


$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

Mi

Offline Structure





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure









Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime




Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime

Offline Structure

Cost Build Test





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity




Diamond filters






Diamond filters






Diamond filters


Diamond filter








Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity














1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ


Com

plexity

HAIFA mode

1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ





OutlineIntroduction

MACsSecurity Proofs







Bibliography










Ik Mprime








Ik Mprime










IV Mprime








IV

1 bl

27 + 1 blm7mprime

7

1 bl

26 + 1 blm6mprime

6

1 bl

25 + 1 blm5mprime

5

1 bl

24 + 1 blm4mprime

4

1 bl

23 + 1 blm3mprime

3

1 bl

22 + 1 blm2mprime

2 hlowast










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆

















Ik

MAC(C)

hg

hg

hg

hg

hg

hg

hg

hg

hg

hg

g

Online Structure

$ g

$ g

$ g

$ g

$ g

$ g

2ℓminuss













Ik2s 2ℓ2

2sC

Online Structure





MAC(C|i 0d+L 1 02ℓ2) =MAC(C|i 0d 1 02


Ik2s 2ℓ2

2sC

Online Structure






Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs






Success if





Cycle structure


Components 12 logN





Success if






hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACk(M)

ℓ n

|M|

Ikgk




M = r [0]2ℓ2 [1] [0]2ℓ2




M1 = r [0]2ℓ2+L [1] [0]2ℓ2 M2 = r [0]2ℓ2 [1] [0]2ℓ2+L







Analysis









Analysis



Cycle structure


Components 12 logN








Analysis











Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK






Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK





















Mi

Online Structure


$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

Mi

Offline Structure





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure









Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime




Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime

Offline Structure

Cost Build Test





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity




Diamond filters






Diamond filters






Diamond filters


Diamond filter








Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity














1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ


Com

plexity

HAIFA mode

1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ





OutlineIntroduction

MACsSecurity Proofs







Bibliography










Ik Mprime








Ik Mprime










IV Mprime








IV

1 bl

27 + 1 blm7mprime

7

1 bl

26 + 1 blm6mprime

6

1 bl

25 + 1 blm5mprime

5

1 bl

24 + 1 blm4mprime

4

1 bl

23 + 1 blm3mprime

3

1 bl

22 + 1 blm2mprime

2 hlowast










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆

















Ik

MAC(C)

hg

hg

hg

hg

hg

hg

hg

hg

hg

hg

g

Online Structure

$ g

$ g

$ g

$ g

$ g

$ g

2ℓminuss













Ik2s 2ℓ2

2sC

Online Structure





MAC(C|i 0d+L 1 02ℓ2) =MAC(C|i 0d 1 02


Ik2s 2ℓ2

2sC

Online Structure






Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs





Cycle structure


Components 12 logN





Success if






hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACk(M)

ℓ n

|M|

Ikgk




M = r [0]2ℓ2 [1] [0]2ℓ2




M1 = r [0]2ℓ2+L [1] [0]2ℓ2 M2 = r [0]2ℓ2 [1] [0]2ℓ2+L







Analysis









Analysis



Cycle structure


Components 12 logN








Analysis











Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK






Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK





















Mi

Online Structure


$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

Mi

Offline Structure





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure









Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime




Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime

Offline Structure

Cost Build Test





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity




Diamond filters






Diamond filters






Diamond filters


Diamond filter








Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity














1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ


Com

plexity

HAIFA mode

1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ





OutlineIntroduction

MACsSecurity Proofs







Bibliography










Ik Mprime








Ik Mprime










IV Mprime








IV

1 bl

27 + 1 blm7mprime

7

1 bl

26 + 1 blm6mprime

6

1 bl

25 + 1 blm5mprime

5

1 bl

24 + 1 blm4mprime

4

1 bl

23 + 1 blm3mprime

3

1 bl

22 + 1 blm2mprime

2 hlowast










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆

















Ik

MAC(C)

hg

hg

hg

hg

hg

hg

hg

hg

hg

hg

g

Online Structure

$ g

$ g

$ g

$ g

$ g

$ g

2ℓminuss













Ik2s 2ℓ2

2sC

Online Structure





MAC(C|i 0d+L 1 02ℓ2) =MAC(C|i 0d 1 02


Ik2s 2ℓ2

2sC

Online Structure






Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs






Success if






hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACk(M)

ℓ n

|M|

Ikgk




M = r [0]2ℓ2 [1] [0]2ℓ2




M1 = r [0]2ℓ2+L [1] [0]2ℓ2 M2 = r [0]2ℓ2 [1] [0]2ℓ2+L







Analysis









Analysis



Cycle structure


Components 12 logN








Analysis











Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK






Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK





















Mi

Online Structure


$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

Mi

Offline Structure





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure









Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime




Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime

Offline Structure

Cost Build Test





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity




Diamond filters






Diamond filters






Diamond filters


Diamond filter








Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity














1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ


Com

plexity

HAIFA mode

1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ





OutlineIntroduction

MACsSecurity Proofs







Bibliography










Ik Mprime








Ik Mprime










IV Mprime








IV

1 bl

27 + 1 blm7mprime

7

1 bl

26 + 1 blm6mprime

6

1 bl

25 + 1 blm5mprime

5

1 bl

24 + 1 blm4mprime

4

1 bl

23 + 1 blm3mprime

3

1 bl

22 + 1 blm2mprime

2 hlowast










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆

















Ik

MAC(C)

hg

hg

hg

hg

hg

hg

hg

hg

hg

hg

g

Online Structure

$ g

$ g

$ g

$ g

$ g

$ g

2ℓminuss













Ik2s 2ℓ2

2sC

Online Structure





MAC(C|i 0d+L 1 02ℓ2) =MAC(C|i 0d 1 02


Ik2s 2ℓ2

2sC

Online Structure






Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs






hℓ

0

x0

hℓ

0

x1

hℓ

0

x2 x3MACk(M)

ℓ n

|M|

Ikgk




M = r [0]2ℓ2 [1] [0]2ℓ2




M1 = r [0]2ℓ2+L [1] [0]2ℓ2 M2 = r [0]2ℓ2 [1] [0]2ℓ2+L







Analysis









Analysis



Cycle structure


Components 12 logN








Analysis











Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK






Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK





















Mi

Online Structure


$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

Mi

Offline Structure





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure









Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime




Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime

Offline Structure

Cost Build Test





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity




Diamond filters






Diamond filters






Diamond filters


Diamond filter








Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity














1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ


Com

plexity

HAIFA mode

1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ





OutlineIntroduction

MACsSecurity Proofs







Bibliography










Ik Mprime








Ik Mprime










IV Mprime








IV

1 bl

27 + 1 blm7mprime

7

1 bl

26 + 1 blm6mprime

6

1 bl

25 + 1 blm5mprime

5

1 bl

24 + 1 blm4mprime

4

1 bl

23 + 1 blm3mprime

3

1 bl

22 + 1 blm2mprime

2 hlowast










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆

















Ik

MAC(C)

hg

hg

hg

hg

hg

hg

hg

hg

hg

hg

g

Online Structure

$ g

$ g

$ g

$ g

$ g

$ g

2ℓminuss













Ik2s 2ℓ2

2sC

Online Structure





MAC(C|i 0d+L 1 02ℓ2) =MAC(C|i 0d 1 02


Ik2s 2ℓ2

2sC

Online Structure






Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs






M = r [0]2ℓ2 [1] [0]2ℓ2




M1 = r [0]2ℓ2+L [1] [0]2ℓ2 M2 = r [0]2ℓ2 [1] [0]2ℓ2+L







Analysis









Analysis



Cycle structure


Components 12 logN








Analysis











Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK






Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK





















Mi

Online Structure


$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

Mi

Offline Structure





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure









Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime




Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime

Offline Structure

Cost Build Test





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity




Diamond filters






Diamond filters






Diamond filters


Diamond filter








Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity














1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ


Com

plexity

HAIFA mode

1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ





OutlineIntroduction

MACsSecurity Proofs







Bibliography










Ik Mprime








Ik Mprime










IV Mprime








IV

1 bl

27 + 1 blm7mprime

7

1 bl

26 + 1 blm6mprime

6

1 bl

25 + 1 blm5mprime

5

1 bl

24 + 1 blm4mprime

4

1 bl

23 + 1 blm3mprime

3

1 bl

22 + 1 blm2mprime

2 hlowast










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆

















Ik

MAC(C)

hg

hg

hg

hg

hg

hg

hg

hg

hg

hg

g

Online Structure

$ g

$ g

$ g

$ g

$ g

$ g

2ℓminuss













Ik2s 2ℓ2

2sC

Online Structure





MAC(C|i 0d+L 1 02ℓ2) =MAC(C|i 0d 1 02


Ik2s 2ℓ2

2sC

Online Structure






Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs






M1 = r [0]2ℓ2+L [1] [0]2ℓ2 M2 = r [0]2ℓ2 [1] [0]2ℓ2+L







Analysis









Analysis



Cycle structure


Components 12 logN








Analysis











Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK






Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK





















Mi

Online Structure


$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

Mi

Offline Structure





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure









Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime




Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime

Offline Structure

Cost Build Test





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity




Diamond filters






Diamond filters






Diamond filters


Diamond filter








Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity














1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ


Com

plexity

HAIFA mode

1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ





OutlineIntroduction

MACsSecurity Proofs







Bibliography










Ik Mprime








Ik Mprime










IV Mprime








IV

1 bl

27 + 1 blm7mprime

7

1 bl

26 + 1 blm6mprime

6

1 bl

25 + 1 blm5mprime

5

1 bl

24 + 1 blm4mprime

4

1 bl

23 + 1 blm3mprime

3

1 bl

22 + 1 blm2mprime

2 hlowast










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆

















Ik

MAC(C)

hg

hg

hg

hg

hg

hg

hg

hg

hg

hg

g

Online Structure

$ g

$ g

$ g

$ g

$ g

$ g

2ℓminuss













Ik2s 2ℓ2

2sC

Online Structure





MAC(C|i 0d+L 1 02ℓ2) =MAC(C|i 0d 1 02


Ik2s 2ℓ2

2sC

Online Structure






Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs









Analysis









Analysis



Cycle structure


Components 12 logN








Analysis











Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK






Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK





















Mi

Online Structure


$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

Mi

Offline Structure





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure









Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime




Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime

Offline Structure

Cost Build Test





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity




Diamond filters






Diamond filters






Diamond filters


Diamond filter








Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity














1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ


Com

plexity

HAIFA mode

1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ





OutlineIntroduction

MACsSecurity Proofs







Bibliography










Ik Mprime








Ik Mprime










IV Mprime








IV

1 bl

27 + 1 blm7mprime

7

1 bl

26 + 1 blm6mprime

6

1 bl

25 + 1 blm5mprime

5

1 bl

24 + 1 blm4mprime

4

1 bl

23 + 1 blm3mprime

3

1 bl

22 + 1 blm2mprime

2 hlowast










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆

















Ik

MAC(C)

hg

hg

hg

hg

hg

hg

hg

hg

hg

hg

g

Online Structure

$ g

$ g

$ g

$ g

$ g

$ g

2ℓminuss













Ik2s 2ℓ2

2sC

Online Structure





MAC(C|i 0d+L 1 02ℓ2) =MAC(C|i 0d 1 02


Ik2s 2ℓ2

2sC

Online Structure






Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs









Analysis



Cycle structure


Components 12 logN








Analysis











Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK






Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK





















Mi

Online Structure


$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

Mi

Offline Structure





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure









Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime




Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime

Offline Structure

Cost Build Test





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity




Diamond filters






Diamond filters






Diamond filters


Diamond filter








Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity














1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ


Com

plexity

HAIFA mode

1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ





OutlineIntroduction

MACsSecurity Proofs







Bibliography










Ik Mprime








Ik Mprime










IV Mprime








IV

1 bl

27 + 1 blm7mprime

7

1 bl

26 + 1 blm6mprime

6

1 bl

25 + 1 blm5mprime

5

1 bl

24 + 1 blm4mprime

4

1 bl

23 + 1 blm3mprime

3

1 bl

22 + 1 blm2mprime

2 hlowast










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆

















Ik

MAC(C)

hg

hg

hg

hg

hg

hg

hg

hg

hg

hg

g

Online Structure

$ g

$ g

$ g

$ g

$ g

$ g

2ℓminuss













Ik2s 2ℓ2

2sC

Online Structure





MAC(C|i 0d+L 1 02ℓ2) =MAC(C|i 0d 1 02


Ik2s 2ℓ2

2sC

Online Structure






Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs





Cycle structure


Components 12 logN








Analysis











Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK






Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK





















Mi

Online Structure


$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

Mi

Offline Structure





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure









Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime




Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime

Offline Structure

Cost Build Test





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity




Diamond filters






Diamond filters






Diamond filters


Diamond filter








Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity














1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ


Com

plexity

HAIFA mode

1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ





OutlineIntroduction

MACsSecurity Proofs







Bibliography










Ik Mprime








Ik Mprime










IV Mprime








IV

1 bl

27 + 1 blm7mprime

7

1 bl

26 + 1 blm6mprime

6

1 bl

25 + 1 blm5mprime

5

1 bl

24 + 1 blm4mprime

4

1 bl

23 + 1 blm3mprime

3

1 bl

22 + 1 blm2mprime

2 hlowast










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆

















Ik

MAC(C)

hg

hg

hg

hg

hg

hg

hg

hg

hg

hg

g

Online Structure

$ g

$ g

$ g

$ g

$ g

$ g

2ℓminuss













Ik2s 2ℓ2

2sC

Online Structure





MAC(C|i 0d+L 1 02ℓ2) =MAC(C|i 0d 1 02


Ik2s 2ℓ2

2sC

Online Structure






Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs









Analysis











Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK






Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK





















Mi

Online Structure


$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

Mi

Offline Structure





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure









Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime




Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime

Offline Structure

Cost Build Test





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity




Diamond filters






Diamond filters






Diamond filters


Diamond filter








Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity














1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ


Com

plexity

HAIFA mode

1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ





OutlineIntroduction

MACsSecurity Proofs







Bibliography










Ik Mprime








Ik Mprime










IV Mprime








IV

1 bl

27 + 1 blm7mprime

7

1 bl

26 + 1 blm6mprime

6

1 bl

25 + 1 blm5mprime

5

1 bl

24 + 1 blm4mprime

4

1 bl

23 + 1 blm3mprime

3

1 bl

22 + 1 blm2mprime

2 hlowast










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆

















Ik

MAC(C)

hg

hg

hg

hg

hg

hg

hg

hg

hg

hg

g

Online Structure

$ g

$ g

$ g

$ g

$ g

$ g

2ℓminuss













Ik2s 2ℓ2

2sC

Online Structure





MAC(C|i 0d+L 1 02ℓ2) =MAC(C|i 0d 1 02


Ik2s 2ℓ2

2sC

Online Structure






Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs













Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK






Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK





















Mi

Online Structure


$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

Mi

Offline Structure





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure









Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime




Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime

Offline Structure

Cost Build Test





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity




Diamond filters






Diamond filters






Diamond filters


Diamond filter








Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity














1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ


Com

plexity

HAIFA mode

1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ





OutlineIntroduction

MACsSecurity Proofs







Bibliography










Ik Mprime








Ik Mprime










IV Mprime








IV

1 bl

27 + 1 blm7mprime

7

1 bl

26 + 1 blm6mprime

6

1 bl

25 + 1 blm5mprime

5

1 bl

24 + 1 blm4mprime

4

1 bl

23 + 1 blm3mprime

3

1 bl

22 + 1 blm2mprime

2 hlowast










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆

















Ik

MAC(C)

hg

hg

hg

hg

hg

hg

hg

hg

hg

hg

g

Online Structure

$ g

$ g

$ g

$ g

$ g

$ g

2ℓminuss













Ik2s 2ℓ2

2sC

Online Structure





MAC(C|i 0d+L 1 02ℓ2) =MAC(C|i 0d 1 02


Ik2s 2ℓ2

2sC

Online Structure






Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs





Chain-based attack

h0ℓ

A

x0

h1ℓ

B

x1

h2ℓ

C

x2 x3MACK(M)

ℓ n

|M|

IKgK





















Mi

Online Structure


$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

Mi

Offline Structure





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure









Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime




Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime

Offline Structure

Cost Build Test





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity




Diamond filters






Diamond filters






Diamond filters


Diamond filter








Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity














1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ


Com

plexity

HAIFA mode

1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ





OutlineIntroduction

MACsSecurity Proofs







Bibliography










Ik Mprime








Ik Mprime










IV Mprime








IV

1 bl

27 + 1 blm7mprime

7

1 bl

26 + 1 blm6mprime

6

1 bl

25 + 1 blm5mprime

5

1 bl

24 + 1 blm4mprime

4

1 bl

23 + 1 blm3mprime

3

1 bl

22 + 1 blm2mprime

2 hlowast










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆

















Ik

MAC(C)

hg

hg

hg

hg

hg

hg

hg

hg

hg

hg

g

Online Structure

$ g

$ g

$ g

$ g

$ g

$ g

2ℓminuss













Ik2s 2ℓ2

2sC

Online Structure





MAC(C|i 0d+L 1 02ℓ2) =MAC(C|i 0d 1 02


Ik2s 2ℓ2

2sC

Online Structure






Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs




















Mi

Online Structure


$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

$ h0 h1 h2

Mi

Offline Structure





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure









Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime




Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime

Offline Structure

Cost Build Test





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity




Diamond filters






Diamond filters






Diamond filters


Diamond filter








Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity














1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ


Com

plexity

HAIFA mode

1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ





OutlineIntroduction

MACsSecurity Proofs







Bibliography










Ik Mprime








Ik Mprime










IV Mprime








IV

1 bl

27 + 1 blm7mprime

7

1 bl

26 + 1 blm6mprime

6

1 bl

25 + 1 blm5mprime

5

1 bl

24 + 1 blm4mprime

4

1 bl

23 + 1 blm3mprime

3

1 bl

22 + 1 blm2mprime

2 hlowast










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆

















Ik

MAC(C)

hg

hg

hg

hg

hg

hg

hg

hg

hg

hg

g

Online Structure

$ g

$ g

$ g

$ g

$ g

$ g

2ℓminuss













Ik2s 2ℓ2

2sC

Online Structure





MAC(C|i 0d+L 1 02ℓ2) =MAC(C|i 0d 1 02


Ik2s 2ℓ2

2sC

Online Structure






Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs






Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure









Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime




Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime

Offline Structure

Cost Build Test





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity




Diamond filters






Diamond filters






Diamond filters


Diamond filter








Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity














1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ


Com

plexity

HAIFA mode

1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ





OutlineIntroduction

MACsSecurity Proofs







Bibliography










Ik Mprime








Ik Mprime










IV Mprime








IV

1 bl

27 + 1 blm7mprime

7

1 bl

26 + 1 blm6mprime

6

1 bl

25 + 1 blm5mprime

5

1 bl

24 + 1 blm4mprime

4

1 bl

23 + 1 blm3mprime

3

1 bl

22 + 1 blm2mprime

2 hlowast










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆

















Ik

MAC(C)

hg

hg

hg

hg

hg

hg

hg

hg

hg

hg

g

Online Structure

$ g

$ g

$ g

$ g

$ g

$ g

2ℓminuss













Ik2s 2ℓ2

2sC

Online Structure





MAC(C|i 0d+L 1 02ℓ2) =MAC(C|i 0d 1 02


Ik2s 2ℓ2

2sC

Online Structure






Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs









Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime




Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime

Offline Structure

Cost Build Test





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity




Diamond filters






Diamond filters






Diamond filters


Diamond filter








Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity














1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ


Com

plexity

HAIFA mode

1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ





OutlineIntroduction

MACsSecurity Proofs







Bibliography










Ik Mprime








Ik Mprime










IV Mprime








IV

1 bl

27 + 1 blm7mprime

7

1 bl

26 + 1 blm6mprime

6

1 bl

25 + 1 blm5mprime

5

1 bl

24 + 1 blm4mprime

4

1 bl

23 + 1 blm3mprime

3

1 bl

22 + 1 blm2mprime

2 hlowast










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆

















Ik

MAC(C)

hg

hg

hg

hg

hg

hg

hg

hg

hg

hg

g

Online Structure

$ g

$ g

$ g

$ g

$ g

$ g

2ℓminuss













Ik2s 2ℓ2

2sC

Online Structure





MAC(C|i 0d+L 1 02ℓ2) =MAC(C|i 0d 1 02


Ik2s 2ℓ2

2sC

Online Structure






Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs









Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime




Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime

Offline Structure

Cost Build Test





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity




Diamond filters






Diamond filters






Diamond filters


Diamond filter








Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity














1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ


Com

plexity

HAIFA mode

1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ





OutlineIntroduction

MACsSecurity Proofs







Bibliography










Ik Mprime








Ik Mprime










IV Mprime








IV

1 bl

27 + 1 blm7mprime

7

1 bl

26 + 1 blm6mprime

6

1 bl

25 + 1 blm5mprime

5

1 bl

24 + 1 blm4mprime

4

1 bl

23 + 1 blm3mprime

3

1 bl

22 + 1 blm2mprime

2 hlowast










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆

















Ik

MAC(C)

hg

hg

hg

hg

hg

hg

hg

hg

hg

hg

g

Online Structure

$ g

$ g

$ g

$ g

$ g

$ g

2ℓminuss













Ik2s 2ℓ2

2sC

Online Structure





MAC(C|i 0d+L 1 02ℓ2) =MAC(C|i 0d 1 02


Ik2s 2ℓ2

2sC

Online Structure






Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs









Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime




Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime

Offline Structure

Cost Build Test





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity




Diamond filters






Diamond filters






Diamond filters


Diamond filter








Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity














1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ


Com

plexity

HAIFA mode

1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ





OutlineIntroduction

MACsSecurity Proofs







Bibliography










Ik Mprime








Ik Mprime










IV Mprime








IV

1 bl

27 + 1 blm7mprime

7

1 bl

26 + 1 blm6mprime

6

1 bl

25 + 1 blm5mprime

5

1 bl

24 + 1 blm4mprime

4

1 bl

23 + 1 blm3mprime

3

1 bl

22 + 1 blm2mprime

2 hlowast










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆

















Ik

MAC(C)

hg

hg

hg

hg

hg

hg

hg

hg

hg

hg

g

Online Structure

$ g

$ g

$ g

$ g

$ g

$ g

2ℓminuss













Ik2s 2ℓ2

2sC

Online Structure





MAC(C|i 0d+L 1 02ℓ2) =MAC(C|i 0d 1 02


Ik2s 2ℓ2

2sC

Online Structure






Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs






Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t

Offline Structure







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime

Offline Structure

Cost Build Test





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity




Diamond filters






Diamond filters






Diamond filters


Diamond filter








Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity














1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ


Com

plexity

HAIFA mode

1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ





OutlineIntroduction

MACsSecurity Proofs







Bibliography










Ik Mprime








Ik Mprime










IV Mprime








IV

1 bl

27 + 1 blm7mprime

7

1 bl

26 + 1 blm6mprime

6

1 bl

25 + 1 blm5mprime

5

1 bl

24 + 1 blm4mprime

4

1 bl

23 + 1 blm3mprime

3

1 bl

22 + 1 blm2mprime

2 hlowast










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆

















Ik

MAC(C)

hg

hg

hg

hg

hg

hg

hg

hg

hg

hg

g

Online Structure

$ g

$ g

$ g

$ g

$ g

$ g

2ℓminuss













Ik2s 2ℓ2

2sC

Online Structure





MAC(C|i 0d+L 1 02ℓ2) =MAC(C|i 0d 1 02


Ik2s 2ℓ2

2sC

Online Structure






Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs







Ikx

h0

Mh1h1

p

pprime

gk

Online Structure


x h1h1

p

pprime

Offline Structure

Cost Build Test





Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity




Diamond filters






Diamond filters






Diamond filters


Diamond filter








Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity














1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ


Com

plexity

HAIFA mode

1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ





OutlineIntroduction

MACsSecurity Proofs







Bibliography










Ik Mprime








Ik Mprime










IV Mprime








IV

1 bl

27 + 1 blm7mprime

7

1 bl

26 + 1 blm6mprime

6

1 bl

25 + 1 blm5mprime

5

1 bl

24 + 1 blm4mprime

4

1 bl

23 + 1 blm3mprime

3

1 bl

22 + 1 blm2mprime

2 hlowast










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆

















Ik

MAC(C)

hg

hg

hg

hg

hg

hg

hg

hg

hg

hg

g

Online Structure

$ g

$ g

$ g

$ g

$ g

$ g

2ℓminuss













Ik2s 2ℓ2

2sC

Online Structure





MAC(C|i 0d+L 1 02ℓ2) =MAC(C|i 0d 1 02


Ik2s 2ℓ2

2sC

Online Structure






Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs






Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity




Diamond filters






Diamond filters






Diamond filters


Diamond filter








Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity














1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ


Com

plexity

HAIFA mode

1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ





OutlineIntroduction

MACsSecurity Proofs







Bibliography










Ik Mprime








Ik Mprime










IV Mprime








IV

1 bl

27 + 1 blm7mprime

7

1 bl

26 + 1 blm6mprime

6

1 bl

25 + 1 blm5mprime

5

1 bl

24 + 1 blm4mprime

4

1 bl

23 + 1 blm3mprime

3

1 bl

22 + 1 blm2mprime

2 hlowast










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆

















Ik

MAC(C)

hg

hg

hg

hg

hg

hg

hg

hg

hg

hg

g

Online Structure

$ g

$ g

$ g

$ g

$ g

$ g

2ℓminuss













Ik2s 2ℓ2

2sC

Online Structure





MAC(C|i 0d+L 1 02ℓ2) =MAC(C|i 0d 1 02


Ik2s 2ℓ2

2sC

Online Structure






Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs






Ik

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0

h1 h2 hS gk

h0h1 h2 hS gk

h0 h1 h2 hS gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity




Diamond filters






Diamond filters






Diamond filters


Diamond filter








Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity














1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ


Com

plexity

HAIFA mode

1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ





OutlineIntroduction

MACsSecurity Proofs







Bibliography










Ik Mprime








Ik Mprime










IV Mprime








IV

1 bl

27 + 1 blm7mprime

7

1 bl

26 + 1 blm6mprime

6

1 bl

25 + 1 blm5mprime

5

1 bl

24 + 1 blm4mprime

4

1 bl

23 + 1 blm3mprime

3

1 bl

22 + 1 blm2mprime

2 hlowast










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆

















Ik

MAC(C)

hg

hg

hg

hg

hg

hg

hg

hg

hg

hg

g

Online Structure

$ g

$ g

$ g

$ g

$ g

$ g

2ℓminuss













Ik2s 2ℓ2

2sC

Online Structure





MAC(C|i 0d+L 1 02ℓ2) =MAC(C|i 0d 1 02


Ik2s 2ℓ2

2sC

Online Structure






Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs





Diamond filters






Diamond filters






Diamond filters


Diamond filter








Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity














1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ


Com

plexity

HAIFA mode

1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ





OutlineIntroduction

MACsSecurity Proofs







Bibliography










Ik Mprime








Ik Mprime










IV Mprime








IV

1 bl

27 + 1 blm7mprime

7

1 bl

26 + 1 blm6mprime

6

1 bl

25 + 1 blm5mprime

5

1 bl

24 + 1 blm4mprime

4

1 bl

23 + 1 blm3mprime

3

1 bl

22 + 1 blm2mprime

2 hlowast










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆

















Ik

MAC(C)

hg

hg

hg

hg

hg

hg

hg

hg

hg

hg

g

Online Structure

$ g

$ g

$ g

$ g

$ g

$ g

2ℓminuss













Ik2s 2ℓ2

2sC

Online Structure





MAC(C|i 0d+L 1 02ℓ2) =MAC(C|i 0d 1 02


Ik2s 2ℓ2

2sC

Online Structure






Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs





Diamond filters






Diamond filters


Diamond filter








Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity














1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ


Com

plexity

HAIFA mode

1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ





OutlineIntroduction

MACsSecurity Proofs







Bibliography










Ik Mprime








Ik Mprime










IV Mprime








IV

1 bl

27 + 1 blm7mprime

7

1 bl

26 + 1 blm6mprime

6

1 bl

25 + 1 blm5mprime

5

1 bl

24 + 1 blm4mprime

4

1 bl

23 + 1 blm3mprime

3

1 bl

22 + 1 blm2mprime

2 hlowast










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆

















Ik

MAC(C)

hg

hg

hg

hg

hg

hg

hg

hg

hg

hg

g

Online Structure

$ g

$ g

$ g

$ g

$ g

$ g

2ℓminuss













Ik2s 2ℓ2

2sC

Online Structure





MAC(C|i 0d+L 1 02ℓ2) =MAC(C|i 0d 1 02


Ik2s 2ℓ2

2sC

Online Structure






Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs





Diamond filters


Diamond filter








Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity














1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ


Com

plexity

HAIFA mode

1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ





OutlineIntroduction

MACsSecurity Proofs







Bibliography










Ik Mprime








Ik Mprime










IV Mprime








IV

1 bl

27 + 1 blm7mprime

7

1 bl

26 + 1 blm6mprime

6

1 bl

25 + 1 blm5mprime

5

1 bl

24 + 1 blm4mprime

4

1 bl

23 + 1 blm3mprime

3

1 bl

22 + 1 blm2mprime

2 hlowast










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆

















Ik

MAC(C)

hg

hg

hg

hg

hg

hg

hg

hg

hg

hg

g

Online Structure

$ g

$ g

$ g

$ g

$ g

$ g

2ℓminuss













Ik2s 2ℓ2

2sC

Online Structure





MAC(C|i 0d+L 1 02ℓ2) =MAC(C|i 0d 1 02


Ik2s 2ℓ2

2sC

Online Structure






Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs






Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t







Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity














1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ


Com

plexity

HAIFA mode

1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ





OutlineIntroduction

MACsSecurity Proofs







Bibliography










Ik Mprime








Ik Mprime










IV Mprime








IV

1 bl

27 + 1 blm7mprime

7

1 bl

26 + 1 blm6mprime

6

1 bl

25 + 1 blm5mprime

5

1 bl

24 + 1 blm4mprime

4

1 bl

23 + 1 blm3mprime

3

1 bl

22 + 1 blm2mprime

2 hlowast










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆

















Ik

MAC(C)

hg

hg

hg

hg

hg

hg

hg

hg

hg

hg

g

Online Structure

$ g

$ g

$ g

$ g

$ g

$ g

2ℓminuss













Ik2s 2ℓ2

2sC

Online Structure





MAC(C|i 0d+L 1 02ℓ2) =MAC(C|i 0d 1 02


Ik2s 2ℓ2

2sC

Online Structure






Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs






Ik

h0

h1 h2 hS

h0

h1 h2 hS

h0

h1 h2 hS

h0h1 h2 hS

h0 h1 h2 hS

gk

[i] C

S=2s

2u

Online Structure

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

$ h1 h2 hS

C

S=2s

2t




Optimal complexity














1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ


Com

plexity

HAIFA mode

1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ





OutlineIntroduction

MACsSecurity Proofs







Bibliography










Ik Mprime








Ik Mprime










IV Mprime








IV

1 bl

27 + 1 blm7mprime

7

1 bl

26 + 1 blm6mprime

6

1 bl

25 + 1 blm5mprime

5

1 bl

24 + 1 blm4mprime

4

1 bl

23 + 1 blm3mprime

3

1 bl

22 + 1 blm2mprime

2 hlowast










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆

















Ik

MAC(C)

hg

hg

hg

hg

hg

hg

hg

hg

hg

hg

g

Online Structure

$ g

$ g

$ g

$ g

$ g

$ g

2ℓminuss













Ik2s 2ℓ2

2sC

Online Structure





MAC(C|i 0d+L 1 02ℓ2) =MAC(C|i 0d 1 02


Ik2s 2ℓ2

2sC

Online Structure






Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs















1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ


Com

plexity

HAIFA mode

1 2ℓ4 2ℓ22ℓ2

23ℓ4

2ℓ





OutlineIntroduction

MACsSecurity Proofs







Bibliography










Ik Mprime








Ik Mprime










IV Mprime








IV

1 bl

27 + 1 blm7mprime

7

1 bl

26 + 1 blm6mprime

6

1 bl

25 + 1 blm5mprime

5

1 bl

24 + 1 blm4mprime

4

1 bl

23 + 1 blm3mprime

3

1 bl

22 + 1 blm2mprime

2 hlowast










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆

















Ik

MAC(C)

hg

hg

hg

hg

hg

hg

hg

hg

hg

hg

g

Online Structure

$ g

$ g

$ g

$ g

$ g

$ g

2ℓminuss













Ik2s 2ℓ2

2sC

Online Structure





MAC(C|i 0d+L 1 02ℓ2) =MAC(C|i 0d 1 02


Ik2s 2ℓ2

2sC

Online Structure






Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs





OutlineIntroduction

MACsSecurity Proofs







Bibliography










Ik Mprime








Ik Mprime










IV Mprime








IV

1 bl

27 + 1 blm7mprime

7

1 bl

26 + 1 blm6mprime

6

1 bl

25 + 1 blm5mprime

5

1 bl

24 + 1 blm4mprime

4

1 bl

23 + 1 blm3mprime

3

1 bl

22 + 1 blm2mprime

2 hlowast










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆

















Ik

MAC(C)

hg

hg

hg

hg

hg

hg

hg

hg

hg

hg

g

Online Structure

$ g

$ g

$ g

$ g

$ g

$ g

2ℓminuss













Ik2s 2ℓ2

2sC

Online Structure





MAC(C|i 0d+L 1 02ℓ2) =MAC(C|i 0d 1 02


Ik2s 2ℓ2

2sC

Online Structure






Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs





Bibliography










Ik Mprime








Ik Mprime










IV Mprime








IV

1 bl

27 + 1 blm7mprime

7

1 bl

26 + 1 blm6mprime

6

1 bl

25 + 1 blm5mprime

5

1 bl

24 + 1 blm4mprime

4

1 bl

23 + 1 blm3mprime

3

1 bl

22 + 1 blm2mprime

2 hlowast










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆

















Ik

MAC(C)

hg

hg

hg

hg

hg

hg

hg

hg

hg

hg

g

Online Structure

$ g

$ g

$ g

$ g

$ g

$ g

2ℓminuss













Ik2s 2ℓ2

2sC

Online Structure





MAC(C|i 0d+L 1 02ℓ2) =MAC(C|i 0d 1 02


Ik2s 2ℓ2

2sC

Online Structure






Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs









Ik Mprime








Ik Mprime










IV Mprime








IV

1 bl

27 + 1 blm7mprime

7

1 bl

26 + 1 blm6mprime

6

1 bl

25 + 1 blm5mprime

5

1 bl

24 + 1 blm4mprime

4

1 bl

23 + 1 blm3mprime

3

1 bl

22 + 1 blm2mprime

2 hlowast










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆

















Ik

MAC(C)

hg

hg

hg

hg

hg

hg

hg

hg

hg

hg

g

Online Structure

$ g

$ g

$ g

$ g

$ g

$ g

2ℓminuss













Ik2s 2ℓ2

2sC

Online Structure





MAC(C|i 0d+L 1 02ℓ2) =MAC(C|i 0d 1 02


Ik2s 2ℓ2

2sC

Online Structure






Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs









Ik Mprime










IV Mprime








IV

1 bl

27 + 1 blm7mprime

7

1 bl

26 + 1 blm6mprime

6

1 bl

25 + 1 blm5mprime

5

1 bl

24 + 1 blm4mprime

4

1 bl

23 + 1 blm3mprime

3

1 bl

22 + 1 blm2mprime

2 hlowast










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆

















Ik

MAC(C)

hg

hg

hg

hg

hg

hg

hg

hg

hg

hg

g

Online Structure

$ g

$ g

$ g

$ g

$ g

$ g

2ℓminuss













Ik2s 2ℓ2

2sC

Online Structure





MAC(C|i 0d+L 1 02ℓ2) =MAC(C|i 0d 1 02


Ik2s 2ℓ2

2sC

Online Structure






Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs











IV Mprime








IV

1 bl

27 + 1 blm7mprime

7

1 bl

26 + 1 blm6mprime

6

1 bl

25 + 1 blm5mprime

5

1 bl

24 + 1 blm4mprime

4

1 bl

23 + 1 blm3mprime

3

1 bl

22 + 1 blm2mprime

2 hlowast










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆

















Ik

MAC(C)

hg

hg

hg

hg

hg

hg

hg

hg

hg

hg

g

Online Structure

$ g

$ g

$ g

$ g

$ g

$ g

2ℓminuss













Ik2s 2ℓ2

2sC

Online Structure





MAC(C|i 0d+L 1 02ℓ2) =MAC(C|i 0d 1 02


Ik2s 2ℓ2

2sC

Online Structure






Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs









IV

1 bl

27 + 1 blm7mprime

7

1 bl

26 + 1 blm6mprime

6

1 bl

25 + 1 blm5mprime

5

1 bl

24 + 1 blm4mprime

4

1 bl

23 + 1 blm3mprime

3

1 bl

22 + 1 blm2mprime

2 hlowast










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆

















Ik

MAC(C)

hg

hg

hg

hg

hg

hg

hg

hg

hg

hg

g

Online Structure

$ g

$ g

$ g

$ g

$ g

$ g

2ℓminuss













Ik2s 2ℓ2

2sC

Online Structure





MAC(C|i 0d+L 1 02ℓ2) =MAC(C|i 0d 1 02


Ik2s 2ℓ2

2sC

Online Structure






Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs











IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆

















Ik

MAC(C)

hg

hg

hg

hg

hg

hg

hg

hg

hg

hg

g

Online Structure

$ g

$ g

$ g

$ g

$ g

$ g

2ℓminuss













Ik2s 2ℓ2

2sC

Online Structure





MAC(C|i 0d+L 1 02ℓ2) =MAC(C|i 0d 1 02


Ik2s 2ℓ2

2sC

Online Structure






Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs











IVh⋆

hprime⋆

m⋆










IVh⋆

hprime⋆

m⋆

















Ik

MAC(C)

hg

hg

hg

hg

hg

hg

hg

hg

hg

hg

g

Online Structure

$ g

$ g

$ g

$ g

$ g

$ g

2ℓminuss













Ik2s 2ℓ2

2sC

Online Structure





MAC(C|i 0d+L 1 02ℓ2) =MAC(C|i 0d 1 02


Ik2s 2ℓ2

2sC

Online Structure






Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs











IVh⋆

hprime⋆

m⋆

















Ik

MAC(C)

hg

hg

hg

hg

hg

hg

hg

hg

hg

hg

g

Online Structure

$ g

$ g

$ g

$ g

$ g

$ g

2ℓminuss













Ik2s 2ℓ2

2sC

Online Structure





MAC(C|i 0d+L 1 02ℓ2) =MAC(C|i 0d 1 02


Ik2s 2ℓ2

2sC

Online Structure






Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs


















Ik

MAC(C)

hg

hg

hg

hg

hg

hg

hg

hg

hg

hg

g

Online Structure

$ g

$ g

$ g

$ g

$ g

$ g

2ℓminuss













Ik2s 2ℓ2

2sC

Online Structure





MAC(C|i 0d+L 1 02ℓ2) =MAC(C|i 0d 1 02


Ik2s 2ℓ2

2sC

Online Structure






Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs















Ik2s 2ℓ2

2sC

Online Structure





MAC(C|i 0d+L 1 02ℓ2) =MAC(C|i 0d 1 02


Ik2s 2ℓ2

2sC

Online Structure






Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs






MAC(C|i 0d+L 1 02ℓ2) =MAC(C|i 0d 1 02


Ik2s 2ℓ2

2sC

Online Structure






Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109







Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs









Ik2s 22sminus2s

2sC



11141062ℓminus2simages ( )1114109













OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs















OutlineIntroduction

MACsSecurity Proofs







GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs





GOST hash functions

IV

M0

hℓ

M1

x0

hℓ

M2

x1

hℓ

M3

x2 x3

ℓn

|M|

h g






HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs





HMAC-GOST

IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g

IV

k oplus 120472120473120458120461

h h g n

t





IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs






IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs






IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 xlowast

ℓ

|M|

h g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs






IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs






IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g







IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs






IV

k oplus 120466120473120458120461

hℓ

M0

x0

hℓ

M1

x1

hℓ

M2

x2 x

ℓ

|M|

h

k oplusM

g






Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs





Complexity

Surprising result






Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs





Attack complexity


SHA-1 MD 160 255 2107 2132

SHA-224 MD 256 255 2192

SHA-256 MD 256 255 2192 2228

SHA-512 MD 512 2118 2384 2453

HAVAL MD 256 254 2192 2229

WHIRLPOOL MD 512 2247 2283 2446

BLAKE-256 HAIFA 256 255 2213

BLAKE-512 HAIFA 512 2118 2419

Skein-512 HAIFA 512 290 2419

GOST-94 MD+120590 256 infin 2128 2192 2192




Conclusion









Thanks

Questions


Introduction

Hash-based MACs





Conclusion









Thanks

Questions


Introduction

Hash-based MACs





Thanks

Questions


Introduction

Hash-based MACs




Generic Attacks against MAC algorithms · Introduction Hash-based MACs State recovery Universal...

Documents

Transcript of Generic Attacks against MAC algorithms · Introduction Hash-based MACs State recovery Universal...