Research Identifies Vulnerabilities in AES-like Hashing Methods
/ 4 min read
Quick take - A recent study titled “Chosen-Prefix Collisions on AES-like Hashing” reveals vulnerabilities in AES-like hashing methods to chosen-prefix collision attacks, highlighting significant findings regarding the security of widely used hash functions such as Whirlpool and AES-MMO/MP, and suggesting the need for stronger designs and potential transitions to more resilient alternatives like SHA-3.
Fast Facts
- The paper “Chosen-Prefix Collisions on AES-like Hashing” reveals vulnerabilities in AES-like hashing methods to chosen-prefix collision (CPC) attacks, marking a significant advancement in cryptographic research.
- The study documents the first CPC attacks on reduced versions of hashing algorithms like Whirlpool and AES-MMO/MP, highlighting an extension of the collision attack on Saturnin-hash from 5 to 6 rounds.
- Key findings include a 6-round memoryless quantum collision attack on Whirlpool, demonstrating improved efficiency over traditional collision-finding algorithms.
- The research emphasizes the need for stronger hash function designs and the transition to more resilient options like SHA-3 to mitigate risks from both classical and quantum attacks.
- The authors advocate for regular audits of cryptographic standards and suggest that existing protocols may require revisions to address the identified vulnerabilities effectively.
Chosen-Prefix Collisions on AES-like Hashing
A recent paper titled “Chosen-Prefix Collisions on AES-like Hashing” has unveiled significant findings regarding the vulnerabilities of AES-like hashing methods to chosen-prefix collision (CPC) attacks. The paper is authored by Xiaoyang Dong, Jian Guo, and Tianyu Zhang.
Background on CPC Attacks
CPC attacks were initially introduced by researchers Stevens, Lenstra, and de Weger in 2007. These attacks aim to discover collisions for two selected prefixes, representing a more potent variant compared to identical-prefix collisions. This research marks a notable advancement as it applies the related-key rebound attack framework, diverging from the techniques typically associated with the MD-SHA family.
Key Findings
The study provides the first documented CPC attacks on reduced versions of several hashing algorithms, including Whirlpool, Saturnin-hash, and AES-MMO/MP, in both classic and quantum contexts. Specifically, the paper reports an extension of the collision attack on Saturnin-hash from 5 to 6 rounds in the classic setting. Furthermore, an enhancement to the memoryless algorithm for addressing the 3-round inbound phase significantly improves the efficiency of quantum attacks on Whirlpool.
One of the key findings includes the first 6-round memoryless quantum collision attack on Whirlpool, which surpasses generic CNS collision finding algorithms when exponential-size classic memory is utilized. The study underscores the importance of free-start collisions and their transformation into two-block collisions. Quantum attacks are documented at a complexity of 2201.4 for a 6-round collision, with an improved complexity of 2204.53 noted for a 9-round free-start collision. The adaptability of the CPC framework to AES-like hash structures is highlighted as a significant point in the research.
Implications and Future Directions
Methodologies employed in this study include birthday phase initialization, rebound attacks, and the application of quantum Grover’s algorithm. The implications of these findings raise concerns regarding the security of cryptographic systems, particularly the collision resistance property, which is critical for digital signatures and data integrity. The research specifically targets widely adopted hash functions such as Whirlpool and AES-MMO/MP, both integral to established cryptographic standards.
Given the potential vulnerabilities identified, there may be a need to reassess the reliance on these hash functions in critical systems. CPC attacks pose a particular threat to the integrity of certificates within Public Key Infrastructure (PKI). The authors emphasize the urgency for cryptographic systems to prepare against post-quantum threats and advocate for a transition to more resilient hash functions, like SHA-3, to mitigate both classical and quantum attacks. They suggest that AES-like hash functions may require stronger designs to bolster collision resistance and call for regular audits and updates of cryptographic standards to address emerging threats effectively.
The findings from this research provide valuable insights for defensive teams, aiding in the understanding of potential vulnerabilities associated with AES-like constructions. The study indicates that cryptographic protocols reliant on these hash functions will likely need revisions to lessen risks. Future research directions proposed by the authors include the exploration of new cryptographic primitives capable of resisting CPC and quantum attacks.
Original Source: Read the Full Article Here
