Paper 2023/577
Exploring Formal Methods for Cryptographic Hash Function Implementations
, Strativia, Largo, MD, USAAbstract
Cryptographic hash functions are used inside many applications that critically rely on their resistance against cryptanalysis attacks and the correctness of their implementations. Nevertheless, vulnerabilities in cryptographic hash function implementations can remain unnoticed for more than a decade, as shown by the recent discovery of a buffer overflow in the implementation of SHA-3 in the eXtended Keccak Code Package (XKCP), impacting Python, PHP, and several other software projects. This paper explains how this buffer overflow vulnerability in XKCP was found. More generally, we explore the application of formal methods to the five finalist submission packages to the NIST SHA-3 competition, allowing us to (re-)discover vulnerabilities in the implementations of Keccak and BLAKE, and also discover a previously undisclosed vulnerability in the implementation of Grøstl. We also show how the same approach rediscovers a vulnerability affecting 11 out of the 12 implemented cryptographic hash functions in Apple's CoreCrypto library. Our approach consists of removing certain lines of code and then using KLEE as a tool to prove functional equivalence. We discuss the advantages and limitations of our approach and hope that our attempt to consolidate some earlier approaches can lead to new insights.
Metadata
- Available format(s)
-
PDF
- Category
- Implementation
- Publication info
- Published elsewhere. ACISP 2023
- Keywords
- SHA-3Hash FunctionKeccakBLAKEGrøstlCoreCrypto
- Contact author(s)
- nicky @ mouha be
- History
- 2023-04-28: approved
- 2023-04-24: received
- See all versions
- Short URL
- https://ia.cr/2023/577
- License
-
CC0
BibTeX
@misc{cryptoeprint:2023/577,
author = {Nicky Mouha},
title = {Exploring Formal Methods for Cryptographic Hash Function Implementations},
howpublished = {Cryptology {ePrint} Archive, Paper 2023/577},
year = {2023},
url = {https://eprint.iacr.org/2023/577}
}
