International Association for Cryptologic Research

International Association
for Cryptologic Research

CryptoDB

Paper: Meet-in-the-Middle Attacks Revisited: Key-recovery, Collision, and Preimage Attacks

Authors:
Xiaoyang Dong , Institute for Advanced Study, BNRist, Tsinghua University, Beijing, China
Jialiang Hua , Institute for Advanced Study, BNRist, Tsinghua University, Beijing, China
Siwei Sun , State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China
Zheng Li , Beijing University of Technology, Beijing, China
Xiaoyun Wang , Institute for Advanced Study, BNRist, Tsinghua University, Beijing, China
Lei Hu , State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China
Download:
Search ePrint
Search Google
Presentation: Slides
Conference: CRYPTO 2021
Abstract: At EUROCRYPT 2021, Bao et al. proposed an automatic method for systematically exploring the configuration space of meet-in-the-middle (MITM) preimage attacks. We further extend it into a constraint-based framework for finding exploitable MITM characteristics in the context of key-recovery and collision attacks by taking the subtle peculiarities of both scenarios into account. Moreover, to perform attacks based on MITM characteristics with nonlinear constrained neutral words, which have not been seen before, we present a procedure for deriving the solution spaces of neutral words without solving the corresponding nonlinear equations or increasing the overall time complexities of the attack. We apply our method to concrete symmetric-key primitives, including SKINNY, ForkSkinny, Romulus-H, Saturnin, Grostl, Whirlpool, and hashing modes with AES-256. As a result, we identify the first 23-round key-recovery attack on \skinny-$n$-$3n$ and the first 24-round key-recovery attack on ForkSkinny-$n$-$3n$ in the single-key model. Moreover, improved (pseudo) preimage or collision attacks on round-reduced Whirlpool, Grostl, and hashing modes with AES-256 are obtained. In particular, imploying the new representation of the \AES key schedule due to Leurent and Pernot (EUROCRYPT 2021), we identify the first preimage attack on 10-round AES-256 hashing.
Video from CRYPTO 2021
BibTeX
@inproceedings{crypto-2021-31139,
  title={Meet-in-the-Middle Attacks Revisited: Key-recovery, Collision, and Preimage Attacks},
  publisher={Springer-Verlag},
  author={Xiaoyang Dong and Jialiang Hua and Siwei Sun and Zheng Li and Xiaoyun Wang and Lei Hu},
  year=2021
}