Generic Universal Forgery Attack on
Iterative Hash-based MACs
Thomas Peyrin and Lei Wang
EUROCRYPT 2014
Outline
• Introduction
hash-based MACs
known results on hash-based MACs
our contributions
• Universal forgery attacks
attack overview
new technical ideas
• Conclusion
Message Authentication Code (MAC)
• Symmetric-key cryptographic protocol
• Provides authenticity and integrity
[Diagram: Alice computes T = MAC_K(M) and sends (M, T) to Bob; Bob computes T’ = MAC_K(M).]
Alice and Bob share a secret key K.
Bob verifies whether T = T’ holds.
How to Build MACs
• From hash functions
HMAC, Sandwich-MAC, Envelope-MAC
• From block ciphers
CBC-MAC, CMAC, PMAC
• From universal hash functions
UMAC, VMAC, Poly1305
• Dedicated design
SQUASH, SipHash
Iterative Hash-based MACs
• A simplified description
, : public deterministic functions
, : initialization and finalization keys
: internal state size
: tag size
Well-known Example HMAC
• Designed by BCK96
• Standardized by ANSI, IETF, ISO, NIST
• Implemented in SSL, TLS, IPSec …
Known Results of Hash-based MACs
• Pseudo-Random-Function proof
up to the birthday bound
implication to most security notions
lower security bound
HMAC, Sandwich-MAC, etc
Known Results of Hash-based MACs
• Generic attacks on each security notion
upper security bound
distinguishing-R (tight):
distinguishing-H (tight):
existential forgery (tight):
key recovery:
universal forgery:
Our Contributions
• Generic attacks on each security notion
upper security bound
distinguishing-R (tight):
distinguishing-H (tight):
existential forgery (tight):
key recovery:
universal forgery:
Our Technical Contributions
• Collision-detection-based attacks
dis-R and existential forgery by PvO96
dis-H in single-key setting by NSW+13
• Functional-graph-based attacks
indifferentiability of HMAC by DRS+12
dis-R/H and existential forgery of HMAC in
related-key setting by PSW12
dis-H in single-key setting by LPW13
universal forgery in this paper:
extract more information than just cycle structure
Universal Forgery Setting
given a message M (= m1 || m2 || ··· || ms)
to produce a valid tag T for M
• The adversary must be able to forge any message
can interact with MAC
cannot query M to MAC
Main Idea
• Construct a second preimage M’ for M
• Query M’ to MAC to obtain a valid tag for M
collision
Difficulty of Constructing such a M’
• Essentially a second preimage attack on a keyed
iterative hash function
internal states are unknown
• Second preimage attack on public iterative hash
function has been published by KS05
knowledge of internal states is necessary
How to Construct such a M’
• Recover some internal state
states are then known
• Apply previous second preimage attack on public
iterative hash function to get
• Construct
collision
Our main technical contribution
Overview of Our Attacks
• Firstly recover some internal state
• Secondly find so that
• Finally query to
get a valid tag for the challenge message
How to Recover an Internal State
• Offline select distinct values
one pair with a good probability
• Identify such a pair and get the value of
in total pairs.
naive method to verify each pair costs
we use a new property to match
and simultaneously
Height of nodes in functional graph
Functional Graph
• : a -bit to -bit function
• iterate :
#components:
largest components:
#nodes:
#cycle nodes:
longest path:
Height of Nodes in Functional Graph
• The height of a node is the number of nodes
from to the cycle of its component.
• height range:
each node has a single path to its cycle
height of cycle nodes is 0
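The height definition above, worked on a toy function (an added example, not code from the talk or the paper). The function `f` (SHA-256 truncated to 12 bits) and the helper names `node_heights` and `height_histogram` are assumptions chosen so the whole functional graph fits in memory.

```python
import hashlib
from collections import Counter

N_BITS = 12  # toy state size (assumption); real hash states are far larger


def f(x: int, n_bits: int = N_BITS) -> int:
    """Toy n-bit to n-bit function: SHA-256 truncated to n_bits (constructed)."""
    digest = hashlib.sha256(x.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:4], "big") >> (32 - n_bits)


def node_heights(func, n_bits: int) -> list[int]:
    """Return height[x] for every node of func's functional graph.

    Height is the number of applications of func needed to reach a cycle
    node, so cycle nodes have height 0.
    """
    size = 1 << n_bits
    succ = [func(x, n_bits) for x in range(size)]
    indeg = [0] * size
    for y in succ:
        indeg[y] += 1
    # Peel nodes with no remaining predecessor; what survives lies on a cycle.
    order = [x for x in range(size) if indeg[x] == 0]
    for x in order:  # the list grows while iterating, so it acts as a queue
        y = succ[x]
        indeg[y] -= 1
        if indeg[y] == 0:
            order.append(y)
    height = [0] * size  # entries never overwritten belong to cycle nodes
    for x in reversed(order):  # a node's successor is resolved before the node
        height[x] = height[succ[x]] + 1
    return height


def height_histogram(height: list[int]) -> Counter:
    """Number of nodes at each height: shows how finely height splits nodes."""
    return Counter(height)


if __name__ == "__main__":
    h = node_heights(f, N_BITS)
    hist = height_histogram(h)
    print("nodes:", len(h))
    print("cycle nodes (height 0):", hist[0])
    print("maximum height:", max(h))
    print("largest group sharing one height:", max(hist.values()))
```

Because every node has exactly one successor, the peeling order guarantees each tree node's height is computed after its successor's, so the whole graph is processed in linear time.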
How to Recover an Internal State
• Use functional graph of with a constant message
e.g., function
denoted as
How to Recover an Internal State
• Recover the height of
• Select with their height
• Match the height between and
#pairs left is upper bounded by
• Examine each remaining pair, and identify the pair
to recover
details are omitted; see the paper.
How to Recover Height of
• Find the minimum number of iterations so that
the output value is a cycle node.
How to Recover Height of
• Use two messages, constructed by appending
with
: the cycle length of the largest component
How to Recover Height of
[Figure sequence: enter the cycle; outputs collide; jump out the cycle; re-enter the cycle; outputs collide]
How to Recover Height of
• Query the constructed message pair to MAC to check if they collide (cycle node?)
• A binary search to recover height
repeat the procedure by times
Conclusion and Open Problems
• Updated results of hash-based MACs
(table columns: tightness, proof, attack)
distinguishing-R: tightness yes
distinguishing-H: tightness yes
existential forgery: tightness yes
key recovery: tightness no
universal forgery: tightness no
Thank you for your attention!