Abstract:
In this work, we revisit the security analysis of AES-128 instantiated hash modes. We use the
biclique cryptanalysis technique as the basis for our attacks. The traditional biclique approach used
for key recovery in AES (and for preimage search on the AES-based compression function) cannot be
applied directly in the hash function setting, because padding restricts the message input. Under
these constraints, we show how to translate the biclique technique to the hash domain and demonstrate
preimage and second preimage attacks on all 12 PGV modes. Our preimage attack complexity for all PGV
modes is $2^{127.4}$. The second preimage attack complexities depend on the PGV construction chosen,
the lowest being $2^{126.3}$ and the highest $2^{126.67}$. We also show how to model our attacks
under different settings, e.g., when the message is padded or not padded, when the chaining variable is
known or unknown, and when the full message or key space is or is not available to the attacker. Our
attacks require only 2 message blocks with padding included and work on the full 10 rounds of AES-128
for all 12 PGV modes. In our attacks, the IV is assumed to be a known constant, which is a practical
assumption, but knowledge of the other chaining variables is not required by the attacker. Considering
these, our results can be termed the best so far in the literature. Though our attacks do not
significantly decrease the complexity compared to brute force, they highlight the actual security
margin provided by these constructions.