Cryptology ePrint Archive: Report 2019/607

Improved Meet-in-the-Middle Preimage Attacks against AES Hashing Modes

Zhenzhen Bao and Lin Ding and Jian Guo and Haoyang Wang and Wenying Zhang

Abstract: Hashing modes are ways to convert a block cipher into a hash function, and those with AES as the underlying block cipher are referred to as AES hashing modes. Sasaki in 2011 introduced the first preimage attack against AES hashing modes with the AES block cipher reduced to 7 rounds, by the method of meet-in-the-middle. In his attack, the key schedules are not taken into account, hence the same attack applies to all three versions of AES. In this paper, by introducing neutral bits from key, extra degrees of freedom are gained, which are utilized in two ways, i.e., to reduce the time complexity and to extend the attack to more rounds. As an immediate result, the complexities of 7-round pseudo-preimage attacks are reduced from $2^{120}$ to $2^{112}$, $2^{96}$, and $2^{96}$ for AES-128, AES-192, and AES-256, respectively. By carefully choosing the neutral bits from key to cancel those from state, the attack is extended to 8 rounds for AES-192 and AES-256 with complexities $2^{120}$ and $2^{96}$. Similar results are obtained for Kiasu-BC, a tweakable block cipher based on AES-128, and interestingly the additional input tweak helps reduce the attack complexities further. To the best of our knowledge, these are the first preimage attacks against 8-round AES hashing modes.

Category / Keywords: secret-key cryptography / AES, MITM, preimage, hashing mode, key schedule

Date: received 30 May 2019, last revised 31 May 2019

Contact author: zzbao at ntu edu sg,dinglin@sjtu edu cn,guojian@ntu edu sg,wang1153@e ntu edu sg,zhangwenying@sdnu edu cn

Available format(s): PDF | BibTeX Citation

Version: 20190602:113725 (All versions of this report)

Short URL:

[ Cryptology ePrint archive ]