Upload
others
View
4
Download
0
Embed Size (px)
Citation preview
Hindawi Publishing CorporationJournal of Applied MathematicsVolume 2013 Article ID 101907 6 pageshttpdxdoiorg1011552013101907
Research ArticleSecurity Analysis of HMACNMAC by Using Fault Injection
Kitae Jeong1 Yuseop Lee1 Jaechul Sung2 and Seokhie Hong1
1 Center for Information Security Technologies (CIST) Korea University Anam-dong Seongbuk-guSeoul 136-713 Republic of Korea
2Department of Mathematics University of Seoul Jeonnong-dong Dongdaemun-gu Seoul 130-743 Republic of Korea
Correspondence should be addressed to Jaechul Sung jcsunguosackr
Received 18 July 2013 Accepted 22 August 2013
Academic Editor Jongsung Kim
Copyright copy 2013 Kitae Jeong et al This is an open access article distributed under the Creative Commons Attribution Licensewhich permits unrestricted use distribution and reproduction in any medium provided the original work is properly cited
In Choukri and Tunstall (2005) the authors showed that if they decreased the number of rounds in AES by injecting faults it ispossible to recover the secret key In this paper we propose fault injection attacks on HMACNMAC by applying the main idea oftheir attack These attacks are applicable to HMACNMAC based on the MD-family hash functions and can recover the secret keywith the negligible computational complexity Particularly these results onHMACNMAC-SHA-2 are the first known key recoveryattacks so far
1 Introduction
HMAC and NMAC are hash-based message authenticationcodes proposed in [1] The construction of HMACNMAC isbased on a keyed hash function Let119867 be an iteratedMerkle-Damgard hash function which defines a keyed hash function119867119870by replacing IVwith the key119870Then HMAC andNMAC
can be defined as follows
HMAC119870 (119872) = 119867(119870 oplus opad 10038171003817100381710038171003817119867 (119870 oplus ipad10038171003817100381710038171003817119872))
NMAC11987011198702(119872) = 119867119870
1
(1198671198702(119872))
(1)
Here119872 is a message and 119870 and (1198701 1198702) are the secret keys
of HMAC and NMAC respectively 119870means 119870 padded to asingle block and opad(= 0x5c5c sdot sdot sdot ) and ipad(= 0x3636 sdot sdot sdot )are two one-block length constants Until now many theoret-ical cryptanalytic results on HMACNMAC have been pro-posed [2ndash4] For example Wang et al presented key recoveryattacks on HMACNMAC-MD4 with 272 MAC queries and277MD4 computations [4] On the other hand McEvoy et alintroduced a differential power analysis on HMAC-SHA-256in [5] This attack does not allow the recovery of the secretkey but rather a secret intermediate hash value of SHA-256 Itleads to forging theMACs for arbitrarymessages Correlationpower analysis on HMAC based on six SHA-3 candidateswas presented in [6] This is also a forgery attack To our
knowledge there is no key recovery attack on HMAC byusing side channel analyss
Side channel analysis exploits the easily accessible infor-mation such as power consumption running time and input-output behavior under malfunctions It is often much morepowerful than the classical cryptanalysis such as differentialcryptanalysis and linear cryptanalysis Since Kocher hadintroduced timing attacks in [7] many side channel analysessuch as differential fault analysis [8] and fault injection attack[9] have been proposed [10ndash12]
Choukri and Tunstall proposed a fault injection attack onAES [13]The fault injectionmethod used a transient glitch onthe power supplied to the smart card In general the imple-mentation of a symmetric cryptographic algorithm in the PICassembly language will have the following format
movlw OAhmovwf RoudCounterRoudLabelCall RoudFunctiondecfz RoudCountergoto RoudLabel
(2)
The RAM variable (RoudCounter) is set to the number ofrounds required (in the case of AES OA in hexadecimal) Theround function is executed which has been represented by acall to the function RoudFunction The RoudCounter
2 Journal of Applied Mathematics
variable is then decremented and the round is repeated untilRoudCounter is equal to zero at which the loop point exits Itis this loop that we are trying to change so that it exits earlierthan expectedThe target of the fault is the decfz step whichconsists of a decrement a test and a conditional jump Theconditional jump is presented as a jump of one instructionwhen the test is positive otherwise the next instruction isexecuted The aim of the attack is to reduce the algorithm toone round It is not possible to remove the first round entirelyas the first conditional test is after the first round Thus thecryptanalysis of the resulting algorithm can be simple andonly requires two plaintextciphertext pairs
In this paper we propose fault injection attacks onHMACNMAC Our fault assumption is based on that of[13] That is it is assumed that we can decrease the numberof steps in the target compression function by injecting somefaults Our attack can be applied to HMACNMAC basedon the MD-family hash functions and recover the secret keywith the negligible computational complexity As concreteexamples we apply our attack to HMACNMAC based onMD4MD5 and SHA-2 Our attack results are summarized inTable 1 In the case of HMAC-SHA-256 for any message wecan recover the 119899-word secret key with [1198993] fault injectionsand only a negligible computational complexity Also weneed only 2 sdot [1198993] fault injections to recover the 2119899-wordsecret key of NMAC-SHA-256 Thus when 119899 is 4 that isthe 4(8)-word secret key we require just two(four) faultinjections to recover the secret key of HMAC-SHA-256(NMAC-SHA-256) respectively Note that the attack resultson HMACNMAC-SHA-2 are the first known key recoveryattacks on them
This paper is organized as follows in Section 2 we brieflyintroduce the MD-family hash functions Then we describethe fault injection attacks on HMAC and NMAC in mbox-Sections 3 and 4 respectively Finally we give a conclusion inSection 5
2 MD-Family Hash Function
Since MD4 [14] had been introduced in 1990 the MD-familyhash functions such as MD5 [15] and SHA-2 [16] where thedesign rationale is based on that ofMD4 have been proposedTo compute the hash value for a message 119872 of any sizethe MD-family hash functions divide119872 into message blocks(1198720 119872
119905) of fixed length 119887 and obtain the hash value by
using a compression function 119891 A compression function 119891takes a 119887-bit message string119872
119894minus1and a 119904-bit chaining variable
IHV119894minus1
as input values and outputs an updated 119904-bit chainingvariable IHV
119894 IHV
119894is computed by iteratively using a step
function It consists of addition Boolean function and rota-tion operations After operating a step function repeatedlyIHV119894is updated by adding IHV
119894minus1 Table 2 presents the
parameters of MD4 MD5 and SHA-2As a concrete example we briefly introduce SHA-2 (SHA-
224 SHA-256 SHA-384 and SHA-512) one of the mostimportant MD-family hash functions In SHA-224256 theword size is 32 bits The message string is firstly paddedto be a 512-bit multiple and is divided into 512-bit blocks
Table 1 Our attack results on HMACNMAC
Algorithm No ofinjected faults Algorithm No of
injected faultsHMAC-MD4 [1198993] NMAC-MD4 2 sdot [1198993]
HMAC-MD5 [1198993] NMAC-MD5 2 sdot [1198993]
HMAC-SHA-224 [1198993] NMAC-SHA-224 [1198993] + [1198992]
HMAC-SHA-256 [1198993] NMAC-SHA-256 2 sdot [1198993]
HMAC-SHA-384 [1198993] NMAC-SHA-384 [1198993] + 119899
HMAC-SHA-512 [1198993] NMAC-SHA-512 2 sdot [1198993]
Table 2 Parameters of MD4 MD5 and SHA-2
Hashfunction
Messageblock
Chainingvalue
Hashvalue
Stepfunction Word size
MD4 512 bits 128 bits 128 bits 48 steps 32 bitsMD5 512 bits 128 bits 128 bits 64 steps 32 bitsSHA-224 512 bits 256 bits 224 bits 64 steps 32 bitsSHA-256 512 bits 256 bits 256 bits 64 steps 32 bitsSHA-384 1024 bits 512 bits 384 bits 80 steps 64 bitsSHA-512 1024 bits 512 bits 512 bits 80 steps 64 bits
A compression function 119891 takes a 512-bit message string anda 256-bit chaining variable as input values and outputs anupdated 256-bit chaining variable It consists of amessage ex-pansion and a data processing The message block is expand-ed by using the following message expansion function Here(1198980 119898
15) = 119872
119894 ldquo+rdquo denotes the wordwise addition
1205900(119883) = (119883
⋙7) oplus (119883
⋙18) oplus (119883
≫3) and 120590
1(119883) = (119883
⋙17) oplus
(119883⋙19
) oplus (119883≫10)
Consider
119882119895= 119898119895 (0 le 119895 lt 16)
119882119895= 1205901(119882119895minus2) +119882
119895minus7+ 1205900(119882119895minus15
) +119882119895minus16
(16 le 119895 lt 80)
(3)
The data processing computes IHV119894as follows Here 119881
119895
denotes a 256-bit value consisting of eight words 119860119895 119861119895 119862119895
119863119895 119864119895 119865119895 119866119895 and119867
119895
Consider
1198810= IHV
119894minus1
119881119895+1
= 119877119895(119881119895119882119895) (119895 = 0 63)
IHV119894= IHV
119894minus1+ 11988164
(4)
A step function119877119895is defined as follows Here119870
119895is a constant
number for each step Ch(119883 119884 119885) = (119883 or 119884) oplus (not119883 or 119885)
Journal of Applied Mathematics 3
Maj(119883 119884 119885) = (119883or119884)oplus (119883or119885)oplus (119884or119885) Σ0(119883) = (119883
⋙2)oplus
(119883⋙13
) oplus (119883⋙22
) and Σ1(119883) = (119883
⋙6) oplus (119883
⋙11) oplus (119883
⋙25)
119879119895
1= 119867119895+ Σ1(119864119895) + Ch (119864
119895 119865119895 119866119895) + 119870119895+119882119895
119879119895
2= Σ0(119860119895) +Maj (119860
119895 119861119895 119862119895)
119860119895+1
= 119879119895
1+ 119879119895
2 119861
119895+1= 119860119895
119862119895+1
= 119861119895 119863
119895+1= 119862119895
119864119895+1
= 119863119895+ 119879119895
1 119865
119895+1= 119864119895
119866119895+1
= 119865119895 119867
119895+1= 119866119895
(5)
SHA-224 outputs the left most 224-bit value of IHV119905+1
as thehash value and SHA-256 outputs IHV
119905+1as the hash value
The structures of SHA-384512 are similar to those ofSHA-224256 In SHA-384512 the word size is double thatof SHA-224256 Thus a message block is 1024 bits and thesize of a chaining value is 512 bits A compression functionconsists of 80 steps
3 Key Recovery Attack on HMAC
Our attack can be applied to HMAC based on the MD-family hash functions As a concrete example we introducea key recovery attack on HMAC-SHA-2 Other cases can beexplained similarly For the detailed attack results see Table 1
31 Fault Assumption Recall that the authors reduced thenumber of rounds in AES to one in [13] We apply thisfault assumption to HMAC That is by using several faultinjections we can reduce the number of steps in the lasttwo compression functions (see Figure 1) Similarly to AESthe MD-family hash functions compute the hash value byiteratively using a step function Moreover there are someresults based on similar fault models [17 18] Thus our faultassumption is reasonable
For the simplicity we denote these two compressionfunctions by 119891lowast
0and 119891lowast
1 Thus we reduce the number of
steps in (119891lowast0 119891lowast
1) to some values by using fault injections
respectively and then recover the secret key 119870 of HMAC-SHA-2 When we reduced the number of steps in 119891lowast
119894to 119895 we
denoted this event by 119891lowast119894119895in this paper
32 Key Recovery Attack on HMAC-SHA-256512 As men-tioned in the previous section the structure of SHA-512 issimilar to that of SHA-256 excluding parameters such as theword size Thus we only propose a key recovery attack onHMAC-SHA-256 in this subsection
Since the word size of SHA-256 is 32 bits we assumethat the length of 119870(= 119870
01198701 sdot sdot sdot 119870
119899minus1) is 32 sdot 119899 bits Our
attack on HMAC-SHA-256 conducts the procedure recov-ering 96-bit (119870
3119894 1198703119894+1 1198703119894+2) iteratively [1198993] times (119894 =
0 [(119899 minus 1)3]) We can recover (1198700 1198701 1198702) as fol-
lows From an event (119891lowast03 119891lowast
11) we compute HMAC(=
HMAC0HMAC
1 sdot sdot sdot HMAC
7) Then we can construct
f f f f f
M0 M1 Mtminus1 Mt
Koplus opad
Koplus ipad
Fault
middot middot middotIHV0
IHV0 IHV1 HMACflowast1flowast
0
Figure 1 Our fault model on HMAC
the following six equations (see Figure 2) Here (119860 119867) =(IHV00 IHV
07)
(119884 + 119885) + (119860 + 119861) = HMAC1
(119883 + 119884) + (119861 + 119862) = HMAC2
119883 + (119860 + 119861 + 119863) = HMAC3
(120573 + 120574) + (119864 + 119865) = HMAC5
(120572 + 120573) + (119865 + 119866) = HMAC6
120572 + (119864 + 119866 + 119867) = HMAC7
(6)
Since (119860 119867) are known values in (6) we can obtain(119883 119884 119885 120572 120573 120574) With these values we can compute(1198700 1198701 1198702) by using the following equations
1198700oplus 0x5c = 119883 minus (119867 + Σ
1 (119864) + Ch (119864 119865 119866) + 1198620
+ Σ0 (119860) +Maj (119860 119861 119862)
1198701oplus 0x5c = 119884 minus (119866 + Σ
1 (120572) + Ch (120572 119864 119865) + 1198621
+ Σ0 (119883) +Maj (119883 119860 119861)
1198702oplus 0x5c = 119885 minus (119865 + Σ
1(120573) + Ch (120573 120572 119864) + 119862
2
+ Σ0 (119884) +Maj (119884119883 119860)
(7)
By repeating the previous procedure we can recover119870 byusing [1198993] fault injections Since this consists of only solvingsimple equations the computational complexity is negligible
33 Key Recovery Attack on HMAC-SHA-224384 Recallthat SHA-224384 outputs the left most 224384 bits of theresulting 256512-bit hash value as the hash valuerespectively For example HMAC-SHA-224 outputs onlyHMAC
0 sdot sdot sdot HMAC
6as the hash value Thus we can not
compute (120572 120573) in (6) (see Figure 2) However we can obtain(119883 119884 119885) in (6) and compute 119870
0in (7) And then we can
obtain 120572 by using 1198700 By repeating this procedure we can
recover (1198701 1198702) sequentially Hence we can recover 119870 of
HMAC-SHA-224384 with [1198993] fault injections and thenegligible computational complexity
4 Journal of Applied Mathematics
A B C D E F G H
X A B C E F G
Ch
Maj
Maj
Y X A B E F
Ch
Z Y X A E
Ch
Maj
Ch
Maj
sum1 sum1
sum0 sum0
sum0
sum0
sum1
sum1
120572
120572120573
120574 120572120573
IHV00 IHV01 IHV02 IHV03 IHV04 IHV05 IHV06 IHV07 IHV10 IHV11 IHV12 IHV13 IHV14 IHV15 IHV16 IHV17
Z + A
Z + A
Y + B
Y + B
X+ C
X+ C
A+ D E + H120574 + E
120574 + E
120573 + F
120573 + F
120572 + G
120572 + G
C2
C1
C0
W0
C0
K1 oplus 0x5c
K2 oplus 0x5c
K0 oplus 0x5c
HMAC0 HMAC1 HMAC2 HMAC3 HMAC4 HMAC5 HMAC6 HMAC7
Figure 2 An event (119891lowast03 119891lowast
11)
4 Key Recovery Attack on NMAC
A key recovery attack on NMAC is similar to that on HMACThis is also applicable to NMAC based on the MD-familyhash functions As a concrete example we present a keyrecovery attack on NMAC-SHA-2 In the case of other MD-family hash functions we can attack in a similar fashionTable 1 gives the detailed results
41 Fault Assumption Differently fromHMAC NMAC usestwo 119899-word secret keys (119870
1 1198702) (see Figure 3) Thus our
attack on NMAC consists of the following two steps Firstlywe recover 119870
2by using a key recovery attack on HMAC-
SHA-2 (Fault1in Figure 3) Secondly to compute 119870
1 we
inject faults to (119891lowast2 119891lowast
3 119891lowast
1) (Fault
2in Figure 3) Note that we
assume that a message119872 is only a single block
42 Key Recovery Attack on NMAC-SHA-256512 Since thestructure of SHA-512 is similar to that of SHA-256 we onlyintroduce a key recovery attack on NMAC-SHA-256 in this
K1
K2
Fault2
Fault1
flowast3
flowast2
flowast0 flowast
1
M
NMACIHV0 IHV1
IHV0
Figure 3 Our fault model on NMAC
subsection We assume that the length of (1198701(= 11987010 sdot sdot sdot
1198701119899minus1
) 1198702(= 11987020 sdot sdot sdot 119870
2119899minus1)) is 32 sdot 119899 bits respectively By
using a key recovery attack on HMAC-SHA-256 we firstlyrecover 119870
2with [1198993] fault injections and the negligible
Journal of Applied Mathematics 5
Table 3 Recovery of (11987010 11987011 11987012)
Chaining value Message
119891lowast
23
(119886 119887 119888 119889 119890 119891 119892 ℎ) 11987010
(119883 119886 119887 119888 119890 119891 119892) 11987011
(119884119883 119886 119887 119890 119891) 11987012
(119885 119884119883 119886 119890) mdash
(119885 + 119886 119884 + 119887119883 + 119888 119886 + 119889 119890 + ℎ)feed-
forward
119891lowast
31
(119885 + 119886 119884 + 119887119883 + 119888 119886 + 119889 119890 + ℎ) 119872
(119882119885 + 119886 119884 + 119887119883 + 119888 ) mdash(119882 + 119885 + 119886 119884 + 119885 + 119886 + 119887119883 + 119884 + 119887 + 119888119883 +
119886 + 119888 + 119889 )
feed-forward
119891lowast
14
(119860 119861 119862119863 119864 119865 119866119867) 119882 + 119885 + 119886
(1205721 119860 119861 119862 120573
1 119864 119865 119866) 119884+119885+119886+119887
(1205722 1205721 119860 119861 120573
2 1205731 119864 119865) 119883+119884+119887+119888
(1205723 1205722 1205721 119860 1205733 1205732 1205731 119864) 119883+119886+119888+119889
(1205724 1205723 1205722 1205721 1205734 1205733 1205732 1205731) mdash
(1205724+ 119860 120572
3+ 119861 120572
2+ 119862 120572
1+ 119863 120573
4+ 119864 120573
3+
119865 1205732+ 119866 120573
1+ 119867)
feed-forward
computational complexity And then we compute 1198701from
an event (119891lowast2119894 119891lowast
3119895 119891lowast
1119896)
Table 3 shows the results of an event (119891lowast23 119891lowast
31 119891lowast
14) From
Table 3 we can compute (11987010 11987011 11987012) as follows Since
we know HMAC and can compute IHV1(= 119860119861 sdot sdot sdot 119867)
by using 1198702 we can compute (120572
1 1205722 1205723 1205724 1205731 1205732 1205733 1205734) by
using the following equations
1205721= HMAC
3minus 119863 120573
1= HMAC
7minus 119867
1205722= HMAC
2minus 119862 120573
2= HMAC
6minus 119866
1205723= HMAC
1minus 119861 120573
3= HMAC
5minus 119865
1205724= HMAC
0minus 119860 120573
4= HMAC
4minus 119864
(8)
By using (1205721 1205722 1205723 1205724 1205731 1205732 1205733 1205734) we can compute the
messages of 119891lowast1(119882 + 119885 + 119886 119884 + 119885 + 119886 + 119887 119883 + 119884 + 119887 +
119888 119883 + 119886 + 119888 + 119889) easily Since we know IHV0(= 119886119887 sdot sdot sdot ℎ)
we can obtain (119883 119884 119885)Thus we can recover (11987010 11987011 11987012)
similarly to a key recovery attack on HMAC-SHA-256By repeating the previous procedure we can recover
(1198701 1198702) by using 2 sdot [1198993] fault injections Its computational
complexity is also negligible
43 Key Recovery Attack on NMAC-SHA-224384 SinceSHA-224384 outputs the left most 224384 bits of the result-ing 256512-bit hash value as the hash value respectively wedo not know (120573
1 1205732) (see Table 3) In this case we can not
compute 1198701 Thus we consider different events on these
algorithms To recover (11987010 11987011) of NMAC-SHA-224 we
use an event (119891lowast22 119891lowast
31 119891lowast
13) This attack needs [1198993] + [1198992]
fault injections and the negligible computational complex-ity In the case of NMAC-SHA-384 we consider an event(119891lowast
21 119891lowast
31 119891lowast
12) to recover 119870
10 This attack requires [1198993] + 119899
fault injections with a negligible computational complexity
5 Conclusion
In this paper we proposed key recovery attacks onHMACNAC by using a fault injection attack Our attack canbe applied to HMACNMAC based on the MD-family hashfunctions and requires a small number of fault injections witha negligible computational complexity As concrete exampleswe applied our attack to HMACNMAC based on MD4MD5 and SHA-2 The results on HMACNMAC-SHA-2 arethe first known key recovery attacks on them
Conflict of Interests
The authors declare that there is no conflict of interests re-garding the publication of this paper
Acknowledgments
This research was supported by the MSIP (Ministry ofScience ICTampFuture Planning) Korea under the C-ITRC(Convergence Information Technology Research Center)support program (NIPA-2013-H0301-13-3007) supervised bythe NIPA (National IT Industry Promotion Agency)
References
[1] M Bellare R Canetti and H Krawczyk ldquoKeying hash func-tions for message authenticationrdquo in Proceedings of the AnnualInternational Cryptology Conference (CRYPTO rsquo96) vol 1109 ofLecture Notes in Computer Science pp 10ndash15 August 1996
[2] S Contini and Y L Yin ldquoForgery and partial key-recoveryattacks on HMAC and NMAC using hash collisionsrdquo inAdvan-ces in Cryptology vol 4284 ofLectureNotes in Computer Sciencepp 37ndash53 2006
[3] P A Fouque G Leurent and P Q Nguyen ldquoFull key-recovery attacks on HMACNMAC-MD4 and NMAC-MD5rdquoin Advances in Cryptology vol 4622 of Lecture Notes in Com-puter Science pp 13ndash30 2007
[4] L Wang K Ohta and N Kunihiro ldquoNew key-recovery attackson HMACNMAC-MD4 and NMAC-MD5rdquo in Advances inCryptology (EUROCRYPT 2008) vol 4965 of Lecture Notes inComputer Science pp 237ndash253 2008
[5] RMcEvoyM Tunstall C CMurphy andW PMarnane ldquoDif-ferential power analysis of HMAC based on SHA-2 and coun-termeasuresrdquo in Advances in Cryptology vol 4867 of LectureNotes in Computer Science pp 317ndash332 2007
[6] O Benoıt and T Peyrin ldquoSide-channel analysis of six sha-3candidatesrdquo in Advances in Cryptology vol 6225 of LectureNotes in Computer Science pp 140ndash157 2010
[7] P Kocher ldquoTiming attacks on implementation of Diffie-Hellmanrdquo in Advances in Cryptology vol 1109 of Lecture Notesin Computer Science pp 104ndash113 1996
[8] E Biham andA Shamir ldquoDifferential fault analysis of secret keycryptosystemsrdquo in Advances in Cryptology vol 1294 of LectureNotes in Computer Science pp 513ndash525 1997
[9] D Boneh R A DeMillo and R J Lipton ldquoOn the importanceof checking cryptographic protocols for faultsrdquo in Advances inCryptology vol 1233 of Lecture Notes in Computer Science pp37ndash51 1997
6 Journal of Applied Mathematics
[10] K Jeong Y Lee J Sung and S Hong ldquoDifferential fault analysison block cipher SEEDrdquoMathematical and Computer Modellingvol 55 no 1-2 pp 26ndash34 2012
[11] K Jeong and C Lee ldquoDifferential fault analysis on block cipherLED-64rdquo in Future Information Technology Application andService vol 164 of Lecture Notes in Electrical Engineering pp747ndash755 2012
[12] K Jeong J Sung S Hong and C Lee ldquoA new approachof differential fault analysis on block ciphers with S-boxrdquoInformation vol 16 no 3 pp 1915ndash1928 2013
[13] H Choukri and M Tunstall ldquoRound reduction using faultsrdquo inProceedings of theWorkshop on Fault Diagnosis and Tolerance inCryptography (FDTC rsquo05) pp 13ndash24 2005
[14] R Rivest ldquoTheMD4message digest algorithmrdquo RFC 1320 1992[15] R Rivest ldquoTheMD5message digest algorithmrdquo RFC 1321 1992[16] National Institute of Standards and Technology FIPS PUB 180-
2 Secure Hash Standard 2002[17] C H Kim and J J Quisquater ldquoFault attacks for CRT based
RSA new attacks new results and new countermeasuresrdquo inProceedings of theWorkshop on Information SecurityTheory andPractices vol 4462 of Lecture Notes in Computer Science pp215ndash228 May 2007
[18] J G J Van Woudenberg M F Witteman and F MenarinildquoPractical optical fault injection on secure microcontrollersrdquo inProceedings of the 8th InternationalWorkshop on Fault Diagnosisand Tolerance in Cryptography (FDTC rsquo11) pp 91ndash99 September2011
Submit your manuscripts athttpwwwhindawicom
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical Problems in Engineering
Hindawi Publishing Corporationhttpwwwhindawicom
Differential EquationsInternational Journal of
Volume 2014
Applied MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Probability and StatisticsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical PhysicsAdvances in
Complex AnalysisJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
OptimizationJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
CombinatoricsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Operations ResearchAdvances in
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Function Spaces
Abstract and Applied AnalysisHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of Mathematics and Mathematical Sciences
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Algebra
Discrete Dynamics in Nature and Society
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Decision SciencesAdvances in
Discrete MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014 Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Stochastic AnalysisInternational Journal of
2 Journal of Applied Mathematics
variable is then decremented and the round is repeated untilRoudCounter is equal to zero at which the loop point exits Itis this loop that we are trying to change so that it exits earlierthan expectedThe target of the fault is the decfz step whichconsists of a decrement a test and a conditional jump Theconditional jump is presented as a jump of one instructionwhen the test is positive otherwise the next instruction isexecuted The aim of the attack is to reduce the algorithm toone round It is not possible to remove the first round entirelyas the first conditional test is after the first round Thus thecryptanalysis of the resulting algorithm can be simple andonly requires two plaintextciphertext pairs
In this paper we propose fault injection attacks onHMACNMAC Our fault assumption is based on that of[13] That is it is assumed that we can decrease the numberof steps in the target compression function by injecting somefaults Our attack can be applied to HMACNMAC basedon the MD-family hash functions and recover the secret keywith the negligible computational complexity As concreteexamples we apply our attack to HMACNMAC based onMD4MD5 and SHA-2 Our attack results are summarized inTable 1 In the case of HMAC-SHA-256 for any message wecan recover the 119899-word secret key with [1198993] fault injectionsand only a negligible computational complexity Also weneed only 2 sdot [1198993] fault injections to recover the 2119899-wordsecret key of NMAC-SHA-256 Thus when 119899 is 4 that isthe 4(8)-word secret key we require just two(four) faultinjections to recover the secret key of HMAC-SHA-256(NMAC-SHA-256) respectively Note that the attack resultson HMACNMAC-SHA-2 are the first known key recoveryattacks on them
This paper is organized as follows in Section 2 we brieflyintroduce the MD-family hash functions Then we describethe fault injection attacks on HMAC and NMAC in mbox-Sections 3 and 4 respectively Finally we give a conclusion inSection 5
2 MD-Family Hash Function
Since MD4 [14] had been introduced in 1990 the MD-familyhash functions such as MD5 [15] and SHA-2 [16] where thedesign rationale is based on that ofMD4 have been proposedTo compute the hash value for a message 119872 of any sizethe MD-family hash functions divide119872 into message blocks(1198720 119872
119905) of fixed length 119887 and obtain the hash value by
using a compression function 119891 A compression function 119891takes a 119887-bit message string119872
119894minus1and a 119904-bit chaining variable
IHV119894minus1
as input values and outputs an updated 119904-bit chainingvariable IHV
119894 IHV
119894is computed by iteratively using a step
function It consists of addition Boolean function and rota-tion operations After operating a step function repeatedlyIHV119894is updated by adding IHV
119894minus1 Table 2 presents the
parameters of MD4 MD5 and SHA-2As a concrete example we briefly introduce SHA-2 (SHA-
224 SHA-256 SHA-384 and SHA-512) one of the mostimportant MD-family hash functions In SHA-224256 theword size is 32 bits The message string is firstly paddedto be a 512-bit multiple and is divided into 512-bit blocks
Table 1 Our attack results on HMACNMAC
Algorithm No ofinjected faults Algorithm No of
injected faultsHMAC-MD4 [1198993] NMAC-MD4 2 sdot [1198993]
HMAC-MD5 [1198993] NMAC-MD5 2 sdot [1198993]
HMAC-SHA-224 [1198993] NMAC-SHA-224 [1198993] + [1198992]
HMAC-SHA-256 [1198993] NMAC-SHA-256 2 sdot [1198993]
HMAC-SHA-384 [1198993] NMAC-SHA-384 [1198993] + 119899
HMAC-SHA-512 [1198993] NMAC-SHA-512 2 sdot [1198993]
Table 2 Parameters of MD4 MD5 and SHA-2
Hashfunction
Messageblock
Chainingvalue
Hashvalue
Stepfunction Word size
MD4 512 bits 128 bits 128 bits 48 steps 32 bitsMD5 512 bits 128 bits 128 bits 64 steps 32 bitsSHA-224 512 bits 256 bits 224 bits 64 steps 32 bitsSHA-256 512 bits 256 bits 256 bits 64 steps 32 bitsSHA-384 1024 bits 512 bits 384 bits 80 steps 64 bitsSHA-512 1024 bits 512 bits 512 bits 80 steps 64 bits
A compression function 119891 takes a 512-bit message string anda 256-bit chaining variable as input values and outputs anupdated 256-bit chaining variable It consists of amessage ex-pansion and a data processing The message block is expand-ed by using the following message expansion function Here(1198980 119898
15) = 119872
119894 ldquo+rdquo denotes the wordwise addition
1205900(119883) = (119883
⋙7) oplus (119883
⋙18) oplus (119883
≫3) and 120590
1(119883) = (119883
⋙17) oplus
(119883⋙19
) oplus (119883≫10)
Consider
119882119895= 119898119895 (0 le 119895 lt 16)
119882119895= 1205901(119882119895minus2) +119882
119895minus7+ 1205900(119882119895minus15
) +119882119895minus16
(16 le 119895 lt 80)
(3)
The data processing computes IHV119894as follows Here 119881
119895
denotes a 256-bit value consisting of eight words 119860119895 119861119895 119862119895
119863119895 119864119895 119865119895 119866119895 and119867
119895
Consider
1198810= IHV
119894minus1
119881119895+1
= 119877119895(119881119895119882119895) (119895 = 0 63)
IHV119894= IHV
119894minus1+ 11988164
(4)
A step function119877119895is defined as follows Here119870
119895is a constant
number for each step Ch(119883 119884 119885) = (119883 or 119884) oplus (not119883 or 119885)
Journal of Applied Mathematics 3
Maj(119883 119884 119885) = (119883or119884)oplus (119883or119885)oplus (119884or119885) Σ0(119883) = (119883
⋙2)oplus
(119883⋙13
) oplus (119883⋙22
) and Σ1(119883) = (119883
⋙6) oplus (119883
⋙11) oplus (119883
⋙25)
119879119895
1= 119867119895+ Σ1(119864119895) + Ch (119864
119895 119865119895 119866119895) + 119870119895+119882119895
119879119895
2= Σ0(119860119895) +Maj (119860
119895 119861119895 119862119895)
119860119895+1
= 119879119895
1+ 119879119895
2 119861
119895+1= 119860119895
119862119895+1
= 119861119895 119863
119895+1= 119862119895
119864119895+1
= 119863119895+ 119879119895
1 119865
119895+1= 119864119895
119866119895+1
= 119865119895 119867
119895+1= 119866119895
(5)
SHA-224 outputs the left most 224-bit value of IHV119905+1
as thehash value and SHA-256 outputs IHV
119905+1as the hash value
The structures of SHA-384512 are similar to those ofSHA-224256 In SHA-384512 the word size is double thatof SHA-224256 Thus a message block is 1024 bits and thesize of a chaining value is 512 bits A compression functionconsists of 80 steps
3 Key Recovery Attack on HMAC
Our attack can be applied to HMAC based on the MD-family hash functions As a concrete example we introducea key recovery attack on HMAC-SHA-2 Other cases can beexplained similarly For the detailed attack results see Table 1
31 Fault Assumption Recall that the authors reduced thenumber of rounds in AES to one in [13] We apply thisfault assumption to HMAC That is by using several faultinjections we can reduce the number of steps in the lasttwo compression functions (see Figure 1) Similarly to AESthe MD-family hash functions compute the hash value byiteratively using a step function Moreover there are someresults based on similar fault models [17 18] Thus our faultassumption is reasonable
For the simplicity we denote these two compressionfunctions by 119891lowast
0and 119891lowast
1 Thus we reduce the number of
steps in (119891lowast0 119891lowast
1) to some values by using fault injections
respectively and then recover the secret key 119870 of HMAC-SHA-2 When we reduced the number of steps in 119891lowast
119894to 119895 we
denoted this event by 119891lowast119894119895in this paper
32 Key Recovery Attack on HMAC-SHA-256512 As men-tioned in the previous section the structure of SHA-512 issimilar to that of SHA-256 excluding parameters such as theword size Thus we only propose a key recovery attack onHMAC-SHA-256 in this subsection
Since the word size of SHA-256 is 32 bits we assumethat the length of 119870(= 119870
01198701 sdot sdot sdot 119870
119899minus1) is 32 sdot 119899 bits Our
attack on HMAC-SHA-256 conducts the procedure recov-ering 96-bit (119870
3119894 1198703119894+1 1198703119894+2) iteratively [1198993] times (119894 =
0 [(119899 minus 1)3]) We can recover (1198700 1198701 1198702) as fol-
lows From an event (119891lowast03 119891lowast
11) we compute HMAC(=
HMAC0HMAC
1 sdot sdot sdot HMAC
7) Then we can construct
f f f f f
M0 M1 Mtminus1 Mt
Koplus opad
Koplus ipad
Fault
middot middot middotIHV0
IHV0 IHV1 HMACflowast1flowast
0
Figure 1 Our fault model on HMAC
the following six equations (see Figure 2) Here (119860 119867) =(IHV00 IHV
07)
(119884 + 119885) + (119860 + 119861) = HMAC1
(119883 + 119884) + (119861 + 119862) = HMAC2
119883 + (119860 + 119861 + 119863) = HMAC3
(120573 + 120574) + (119864 + 119865) = HMAC5
(120572 + 120573) + (119865 + 119866) = HMAC6
120572 + (119864 + 119866 + 119867) = HMAC7
(6)
Since (119860 119867) are known values in (6) we can obtain(119883 119884 119885 120572 120573 120574) With these values we can compute(1198700 1198701 1198702) by using the following equations
1198700oplus 0x5c = 119883 minus (119867 + Σ
1 (119864) + Ch (119864 119865 119866) + 1198620
+ Σ0 (119860) +Maj (119860 119861 119862)
1198701oplus 0x5c = 119884 minus (119866 + Σ
1 (120572) + Ch (120572 119864 119865) + 1198621
+ Σ0 (119883) +Maj (119883 119860 119861)
1198702oplus 0x5c = 119885 minus (119865 + Σ
1(120573) + Ch (120573 120572 119864) + 119862
2
+ Σ0 (119884) +Maj (119884119883 119860)
(7)
By repeating the previous procedure we can recover119870 byusing [1198993] fault injections Since this consists of only solvingsimple equations the computational complexity is negligible
33 Key Recovery Attack on HMAC-SHA-224384 Recallthat SHA-224384 outputs the left most 224384 bits of theresulting 256512-bit hash value as the hash valuerespectively For example HMAC-SHA-224 outputs onlyHMAC
0 sdot sdot sdot HMAC
6as the hash value Thus we can not
compute (120572 120573) in (6) (see Figure 2) However we can obtain(119883 119884 119885) in (6) and compute 119870
0in (7) And then we can
obtain 120572 by using 1198700 By repeating this procedure we can
recover (1198701 1198702) sequentially Hence we can recover 119870 of
HMAC-SHA-224384 with [1198993] fault injections and thenegligible computational complexity
4 Journal of Applied Mathematics
A B C D E F G H
X A B C E F G
Ch
Maj
Maj
Y X A B E F
Ch
Z Y X A E
Ch
Maj
Ch
Maj
sum1 sum1
sum0 sum0
sum0
sum0
sum1
sum1
120572
120572120573
120574 120572120573
IHV00 IHV01 IHV02 IHV03 IHV04 IHV05 IHV06 IHV07 IHV10 IHV11 IHV12 IHV13 IHV14 IHV15 IHV16 IHV17
Z + A
Z + A
Y + B
Y + B
X+ C
X+ C
A+ D E + H120574 + E
120574 + E
120573 + F
120573 + F
120572 + G
120572 + G
C2
C1
C0
W0
C0
K1 oplus 0x5c
K2 oplus 0x5c
K0 oplus 0x5c
HMAC0 HMAC1 HMAC2 HMAC3 HMAC4 HMAC5 HMAC6 HMAC7
Figure 2 An event (119891lowast03 119891lowast
11)
4 Key Recovery Attack on NMAC
A key recovery attack on NMAC is similar to that on HMACThis is also applicable to NMAC based on the MD-familyhash functions As a concrete example we present a keyrecovery attack on NMAC-SHA-2 In the case of other MD-family hash functions we can attack in a similar fashionTable 1 gives the detailed results
41 Fault Assumption Differently fromHMAC NMAC usestwo 119899-word secret keys (119870
1 1198702) (see Figure 3) Thus our
attack on NMAC consists of the following two steps Firstlywe recover 119870
2by using a key recovery attack on HMAC-
SHA-2 (Fault1in Figure 3) Secondly to compute 119870
1 we
inject faults to (119891lowast2 119891lowast
3 119891lowast
1) (Fault
2in Figure 3) Note that we
assume that a message119872 is only a single block
42 Key Recovery Attack on NMAC-SHA-256512 Since thestructure of SHA-512 is similar to that of SHA-256 we onlyintroduce a key recovery attack on NMAC-SHA-256 in this
K1
K2
Fault2
Fault1
flowast3
flowast2
flowast0 flowast
1
M
NMACIHV0 IHV1
IHV0
Figure 3 Our fault model on NMAC
subsection We assume that the length of (1198701(= 11987010 sdot sdot sdot
1198701119899minus1
) 1198702(= 11987020 sdot sdot sdot 119870
2119899minus1)) is 32 sdot 119899 bits respectively By
using a key recovery attack on HMAC-SHA-256 we firstlyrecover 119870
2with [1198993] fault injections and the negligible
Journal of Applied Mathematics 5
Table 3 Recovery of (11987010 11987011 11987012)
Chaining value Message
119891lowast
23
(119886 119887 119888 119889 119890 119891 119892 ℎ) 11987010
(119883 119886 119887 119888 119890 119891 119892) 11987011
(119884119883 119886 119887 119890 119891) 11987012
(119885 119884119883 119886 119890) mdash
(119885 + 119886 119884 + 119887119883 + 119888 119886 + 119889 119890 + ℎ)feed-
forward
119891lowast
31
(119885 + 119886 119884 + 119887119883 + 119888 119886 + 119889 119890 + ℎ) 119872
(119882119885 + 119886 119884 + 119887119883 + 119888 ) mdash(119882 + 119885 + 119886 119884 + 119885 + 119886 + 119887119883 + 119884 + 119887 + 119888119883 +
119886 + 119888 + 119889 )
feed-forward
119891lowast
14
(119860 119861 119862119863 119864 119865 119866119867) 119882 + 119885 + 119886
(1205721 119860 119861 119862 120573
1 119864 119865 119866) 119884+119885+119886+119887
(1205722 1205721 119860 119861 120573
2 1205731 119864 119865) 119883+119884+119887+119888
(1205723 1205722 1205721 119860 1205733 1205732 1205731 119864) 119883+119886+119888+119889
(1205724 1205723 1205722 1205721 1205734 1205733 1205732 1205731) mdash
(1205724+ 119860 120572
3+ 119861 120572
2+ 119862 120572
1+ 119863 120573
4+ 119864 120573
3+
119865 1205732+ 119866 120573
1+ 119867)
feed-forward
computational complexity And then we compute 1198701from
an event (119891lowast2119894 119891lowast
3119895 119891lowast
1119896)
Table 3 shows the results of an event (119891lowast23 119891lowast
31 119891lowast
14) From
Table 3 we can compute (11987010 11987011 11987012) as follows Since
we know HMAC and can compute IHV1(= 119860119861 sdot sdot sdot 119867)
by using 1198702 we can compute (120572
1 1205722 1205723 1205724 1205731 1205732 1205733 1205734) by
using the following equations
1205721= HMAC
3minus 119863 120573
1= HMAC
7minus 119867
1205722= HMAC
2minus 119862 120573
2= HMAC
6minus 119866
1205723= HMAC
1minus 119861 120573
3= HMAC
5minus 119865
1205724= HMAC
0minus 119860 120573
4= HMAC
4minus 119864
(8)
By using (1205721 1205722 1205723 1205724 1205731 1205732 1205733 1205734) we can compute the
messages of 119891lowast1(119882 + 119885 + 119886 119884 + 119885 + 119886 + 119887 119883 + 119884 + 119887 +
119888 119883 + 119886 + 119888 + 119889) easily Since we know IHV0(= 119886119887 sdot sdot sdot ℎ)
we can obtain (119883 119884 119885)Thus we can recover (11987010 11987011 11987012)
similarly to a key recovery attack on HMAC-SHA-256By repeating the previous procedure we can recover
(1198701 1198702) by using 2 sdot [1198993] fault injections Its computational
complexity is also negligible
43 Key Recovery Attack on NMAC-SHA-224384 SinceSHA-224384 outputs the left most 224384 bits of the result-ing 256512-bit hash value as the hash value respectively wedo not know (120573
1 1205732) (see Table 3) In this case we can not
compute 1198701 Thus we consider different events on these
algorithms To recover (11987010 11987011) of NMAC-SHA-224 we
use an event (119891lowast22 119891lowast
31 119891lowast
13) This attack needs [1198993] + [1198992]
fault injections and the negligible computational complex-ity In the case of NMAC-SHA-384 we consider an event(119891lowast
21 119891lowast
31 119891lowast
12) to recover 119870
10 This attack requires [1198993] + 119899
fault injections with a negligible computational complexity
5 Conclusion
In this paper we proposed key recovery attacks onHMACNAC by using a fault injection attack Our attack canbe applied to HMACNMAC based on the MD-family hashfunctions and requires a small number of fault injections witha negligible computational complexity As concrete exampleswe applied our attack to HMACNMAC based on MD4MD5 and SHA-2 The results on HMACNMAC-SHA-2 arethe first known key recovery attacks on them
Conflict of Interests
The authors declare that there is no conflict of interests re-garding the publication of this paper
Acknowledgments
This research was supported by the MSIP (Ministry ofScience ICTampFuture Planning) Korea under the C-ITRC(Convergence Information Technology Research Center)support program (NIPA-2013-H0301-13-3007) supervised bythe NIPA (National IT Industry Promotion Agency)
References
[1] M Bellare R Canetti and H Krawczyk ldquoKeying hash func-tions for message authenticationrdquo in Proceedings of the AnnualInternational Cryptology Conference (CRYPTO rsquo96) vol 1109 ofLecture Notes in Computer Science pp 10ndash15 August 1996
[2] S Contini and Y L Yin ldquoForgery and partial key-recoveryattacks on HMAC and NMAC using hash collisionsrdquo inAdvan-ces in Cryptology vol 4284 ofLectureNotes in Computer Sciencepp 37ndash53 2006
[3] P A Fouque G Leurent and P Q Nguyen ldquoFull key-recovery attacks on HMACNMAC-MD4 and NMAC-MD5rdquoin Advances in Cryptology vol 4622 of Lecture Notes in Com-puter Science pp 13ndash30 2007
[4] L Wang K Ohta and N Kunihiro ldquoNew key-recovery attackson HMACNMAC-MD4 and NMAC-MD5rdquo in Advances inCryptology (EUROCRYPT 2008) vol 4965 of Lecture Notes inComputer Science pp 237ndash253 2008
[5] RMcEvoyM Tunstall C CMurphy andW PMarnane ldquoDif-ferential power analysis of HMAC based on SHA-2 and coun-termeasuresrdquo in Advances in Cryptology vol 4867 of LectureNotes in Computer Science pp 317ndash332 2007
[6] O Benoıt and T Peyrin ldquoSide-channel analysis of six sha-3candidatesrdquo in Advances in Cryptology vol 6225 of LectureNotes in Computer Science pp 140ndash157 2010
[7] P Kocher ldquoTiming attacks on implementation of Diffie-Hellmanrdquo in Advances in Cryptology vol 1109 of Lecture Notesin Computer Science pp 104ndash113 1996
[8] E Biham andA Shamir ldquoDifferential fault analysis of secret keycryptosystemsrdquo in Advances in Cryptology vol 1294 of LectureNotes in Computer Science pp 513ndash525 1997
[9] D Boneh R A DeMillo and R J Lipton ldquoOn the importanceof checking cryptographic protocols for faultsrdquo in Advances inCryptology vol 1233 of Lecture Notes in Computer Science pp37ndash51 1997
6 Journal of Applied Mathematics
[10] K Jeong Y Lee J Sung and S Hong ldquoDifferential fault analysison block cipher SEEDrdquoMathematical and Computer Modellingvol 55 no 1-2 pp 26ndash34 2012
[11] K Jeong and C Lee ldquoDifferential fault analysis on block cipherLED-64rdquo in Future Information Technology Application andService vol 164 of Lecture Notes in Electrical Engineering pp747ndash755 2012
[12] K Jeong J Sung S Hong and C Lee ldquoA new approachof differential fault analysis on block ciphers with S-boxrdquoInformation vol 16 no 3 pp 1915ndash1928 2013
[13] H Choukri and M Tunstall ldquoRound reduction using faultsrdquo inProceedings of theWorkshop on Fault Diagnosis and Tolerance inCryptography (FDTC rsquo05) pp 13ndash24 2005
[14] R Rivest ldquoTheMD4message digest algorithmrdquo RFC 1320 1992[15] R Rivest ldquoTheMD5message digest algorithmrdquo RFC 1321 1992[16] National Institute of Standards and Technology FIPS PUB 180-
2 Secure Hash Standard 2002[17] C H Kim and J J Quisquater ldquoFault attacks for CRT based
RSA new attacks new results and new countermeasuresrdquo inProceedings of theWorkshop on Information SecurityTheory andPractices vol 4462 of Lecture Notes in Computer Science pp215ndash228 May 2007
[18] J G J Van Woudenberg M F Witteman and F MenarinildquoPractical optical fault injection on secure microcontrollersrdquo inProceedings of the 8th InternationalWorkshop on Fault Diagnosisand Tolerance in Cryptography (FDTC rsquo11) pp 91ndash99 September2011
Submit your manuscripts athttpwwwhindawicom
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical Problems in Engineering
Hindawi Publishing Corporationhttpwwwhindawicom
Differential EquationsInternational Journal of
Volume 2014
Applied MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Probability and StatisticsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical PhysicsAdvances in
Complex AnalysisJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
OptimizationJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
CombinatoricsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Operations ResearchAdvances in
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Function Spaces
Abstract and Applied AnalysisHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of Mathematics and Mathematical Sciences
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Algebra
Discrete Dynamics in Nature and Society
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Decision SciencesAdvances in
Discrete MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014 Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Stochastic AnalysisInternational Journal of
Journal of Applied Mathematics 3
Maj(119883 119884 119885) = (119883or119884)oplus (119883or119885)oplus (119884or119885) Σ0(119883) = (119883
⋙2)oplus
(119883⋙13
) oplus (119883⋙22
) and Σ1(119883) = (119883
⋙6) oplus (119883
⋙11) oplus (119883
⋙25)
119879119895
1= 119867119895+ Σ1(119864119895) + Ch (119864
119895 119865119895 119866119895) + 119870119895+119882119895
119879119895
2= Σ0(119860119895) +Maj (119860
119895 119861119895 119862119895)
119860119895+1
= 119879119895
1+ 119879119895
2 119861
119895+1= 119860119895
119862119895+1
= 119861119895 119863
119895+1= 119862119895
119864119895+1
= 119863119895+ 119879119895
1 119865
119895+1= 119864119895
119866119895+1
= 119865119895 119867
119895+1= 119866119895
(5)
SHA-224 outputs the left most 224-bit value of IHV119905+1
as thehash value and SHA-256 outputs IHV
119905+1as the hash value
The structures of SHA-384512 are similar to those ofSHA-224256 In SHA-384512 the word size is double thatof SHA-224256 Thus a message block is 1024 bits and thesize of a chaining value is 512 bits A compression functionconsists of 80 steps
3 Key Recovery Attack on HMAC
Our attack can be applied to HMAC based on the MD-family hash functions As a concrete example we introducea key recovery attack on HMAC-SHA-2 Other cases can beexplained similarly For the detailed attack results see Table 1
31 Fault Assumption Recall that the authors reduced thenumber of rounds in AES to one in [13] We apply thisfault assumption to HMAC That is by using several faultinjections we can reduce the number of steps in the lasttwo compression functions (see Figure 1) Similarly to AESthe MD-family hash functions compute the hash value byiteratively using a step function Moreover there are someresults based on similar fault models [17 18] Thus our faultassumption is reasonable
For the simplicity we denote these two compressionfunctions by 119891lowast
0and 119891lowast
1 Thus we reduce the number of
steps in (119891lowast0 119891lowast
1) to some values by using fault injections
respectively and then recover the secret key 119870 of HMAC-SHA-2 When we reduced the number of steps in 119891lowast
119894to 119895 we
denoted this event by 119891lowast119894119895in this paper
32 Key Recovery Attack on HMAC-SHA-256512 As men-tioned in the previous section the structure of SHA-512 issimilar to that of SHA-256 excluding parameters such as theword size Thus we only propose a key recovery attack onHMAC-SHA-256 in this subsection
Since the word size of SHA-256 is 32 bits we assumethat the length of 119870(= 119870
01198701 sdot sdot sdot 119870
119899minus1) is 32 sdot 119899 bits Our
attack on HMAC-SHA-256 conducts the procedure recov-ering 96-bit (119870
3119894 1198703119894+1 1198703119894+2) iteratively [1198993] times (119894 =
0 [(119899 minus 1)3]) We can recover (1198700 1198701 1198702) as fol-
lows From an event (119891lowast03 119891lowast
11) we compute HMAC(=
HMAC0HMAC
1 sdot sdot sdot HMAC
7) Then we can construct
f f f f f
M0 M1 Mtminus1 Mt
Koplus opad
Koplus ipad
Fault
middot middot middotIHV0
IHV0 IHV1 HMACflowast1flowast
0
Figure 1 Our fault model on HMAC
the following six equations (see Figure 2) Here (119860 119867) =(IHV00 IHV
07)
(119884 + 119885) + (119860 + 119861) = HMAC1
(119883 + 119884) + (119861 + 119862) = HMAC2
119883 + (119860 + 119861 + 119863) = HMAC3
(120573 + 120574) + (119864 + 119865) = HMAC5
(120572 + 120573) + (119865 + 119866) = HMAC6
120572 + (119864 + 119866 + 119867) = HMAC7
(6)
Since (119860 119867) are known values in (6) we can obtain(119883 119884 119885 120572 120573 120574) With these values we can compute(1198700 1198701 1198702) by using the following equations
1198700oplus 0x5c = 119883 minus (119867 + Σ
1 (119864) + Ch (119864 119865 119866) + 1198620
+ Σ0 (119860) +Maj (119860 119861 119862)
1198701oplus 0x5c = 119884 minus (119866 + Σ
1 (120572) + Ch (120572 119864 119865) + 1198621
+ Σ0 (119883) +Maj (119883 119860 119861)
1198702oplus 0x5c = 119885 minus (119865 + Σ
1(120573) + Ch (120573 120572 119864) + 119862
2
+ Σ0 (119884) +Maj (119884119883 119860)
(7)
By repeating the previous procedure we can recover119870 byusing [1198993] fault injections Since this consists of only solvingsimple equations the computational complexity is negligible
33 Key Recovery Attack on HMAC-SHA-224384 Recallthat SHA-224384 outputs the left most 224384 bits of theresulting 256512-bit hash value as the hash valuerespectively For example HMAC-SHA-224 outputs onlyHMAC
0 sdot sdot sdot HMAC
6as the hash value Thus we can not
compute (120572 120573) in (6) (see Figure 2) However we can obtain(119883 119884 119885) in (6) and compute 119870
0in (7) And then we can
obtain 120572 by using 1198700 By repeating this procedure we can
recover (1198701 1198702) sequentially Hence we can recover 119870 of
HMAC-SHA-224384 with [1198993] fault injections and thenegligible computational complexity
4 Journal of Applied Mathematics
A B C D E F G H
X A B C E F G
Ch
Maj
Maj
Y X A B E F
Ch
Z Y X A E
Ch
Maj
Ch
Maj
sum1 sum1
sum0 sum0
sum0
sum0
sum1
sum1
120572
120572120573
120574 120572120573
IHV00 IHV01 IHV02 IHV03 IHV04 IHV05 IHV06 IHV07 IHV10 IHV11 IHV12 IHV13 IHV14 IHV15 IHV16 IHV17
Z + A
Z + A
Y + B
Y + B
X+ C
X+ C
A+ D E + H120574 + E
120574 + E
120573 + F
120573 + F
120572 + G
120572 + G
C2
C1
C0
W0
C0
K1 oplus 0x5c
K2 oplus 0x5c
K0 oplus 0x5c
HMAC0 HMAC1 HMAC2 HMAC3 HMAC4 HMAC5 HMAC6 HMAC7
Figure 2 An event (119891lowast03 119891lowast
11)
4 Key Recovery Attack on NMAC
A key recovery attack on NMAC is similar to that on HMACThis is also applicable to NMAC based on the MD-familyhash functions As a concrete example we present a keyrecovery attack on NMAC-SHA-2 In the case of other MD-family hash functions we can attack in a similar fashionTable 1 gives the detailed results
41 Fault Assumption Differently fromHMAC NMAC usestwo 119899-word secret keys (119870
1 1198702) (see Figure 3) Thus our
attack on NMAC consists of the following two steps Firstlywe recover 119870
2by using a key recovery attack on HMAC-
SHA-2 (Fault1in Figure 3) Secondly to compute 119870
1 we
inject faults to (119891lowast2 119891lowast
3 119891lowast
1) (Fault
2in Figure 3) Note that we
assume that a message119872 is only a single block
42 Key Recovery Attack on NMAC-SHA-256512 Since thestructure of SHA-512 is similar to that of SHA-256 we onlyintroduce a key recovery attack on NMAC-SHA-256 in this
K1
K2
Fault2
Fault1
flowast3
flowast2
flowast0 flowast
1
M
NMACIHV0 IHV1
IHV0
Figure 3 Our fault model on NMAC
subsection We assume that the length of (1198701(= 11987010 sdot sdot sdot
1198701119899minus1
) 1198702(= 11987020 sdot sdot sdot 119870
2119899minus1)) is 32 sdot 119899 bits respectively By
using a key recovery attack on HMAC-SHA-256 we firstlyrecover 119870
2with [1198993] fault injections and the negligible
Journal of Applied Mathematics 5
Table 3 Recovery of (11987010 11987011 11987012)
Chaining value Message
119891lowast
23
(119886 119887 119888 119889 119890 119891 119892 ℎ) 11987010
(119883 119886 119887 119888 119890 119891 119892) 11987011
(119884119883 119886 119887 119890 119891) 11987012
(119885 119884119883 119886 119890) mdash
(119885 + 119886 119884 + 119887119883 + 119888 119886 + 119889 119890 + ℎ)feed-
forward
119891lowast
31
(119885 + 119886 119884 + 119887119883 + 119888 119886 + 119889 119890 + ℎ) 119872
(119882119885 + 119886 119884 + 119887119883 + 119888 ) mdash(119882 + 119885 + 119886 119884 + 119885 + 119886 + 119887119883 + 119884 + 119887 + 119888119883 +
119886 + 119888 + 119889 )
feed-forward
119891lowast
14
(119860 119861 119862119863 119864 119865 119866119867) 119882 + 119885 + 119886
(1205721 119860 119861 119862 120573
1 119864 119865 119866) 119884+119885+119886+119887
(1205722 1205721 119860 119861 120573
2 1205731 119864 119865) 119883+119884+119887+119888
(1205723 1205722 1205721 119860 1205733 1205732 1205731 119864) 119883+119886+119888+119889
(1205724 1205723 1205722 1205721 1205734 1205733 1205732 1205731) mdash
(1205724+ 119860 120572
3+ 119861 120572
2+ 119862 120572
1+ 119863 120573
4+ 119864 120573
3+
119865 1205732+ 119866 120573
1+ 119867)
feed-forward
computational complexity And then we compute 1198701from
an event (119891lowast2119894 119891lowast
3119895 119891lowast
1119896)
Table 3 shows the results of an event (119891lowast23 119891lowast
31 119891lowast
14) From
Table 3 we can compute (11987010 11987011 11987012) as follows Since
we know HMAC and can compute IHV1(= 119860119861 sdot sdot sdot 119867)
by using 1198702 we can compute (120572
1 1205722 1205723 1205724 1205731 1205732 1205733 1205734) by
using the following equations
1205721= HMAC
3minus 119863 120573
1= HMAC
7minus 119867
1205722= HMAC
2minus 119862 120573
2= HMAC
6minus 119866
1205723= HMAC
1minus 119861 120573
3= HMAC
5minus 119865
1205724= HMAC
0minus 119860 120573
4= HMAC
4minus 119864
(8)
By using (1205721 1205722 1205723 1205724 1205731 1205732 1205733 1205734) we can compute the
messages of 119891lowast1(119882 + 119885 + 119886 119884 + 119885 + 119886 + 119887 119883 + 119884 + 119887 +
119888 119883 + 119886 + 119888 + 119889) easily Since we know IHV0(= 119886119887 sdot sdot sdot ℎ)
we can obtain (119883 119884 119885)Thus we can recover (11987010 11987011 11987012)
similarly to a key recovery attack on HMAC-SHA-256By repeating the previous procedure we can recover
(1198701 1198702) by using 2 sdot [1198993] fault injections Its computational
complexity is also negligible
43 Key Recovery Attack on NMAC-SHA-224384 SinceSHA-224384 outputs the left most 224384 bits of the result-ing 256512-bit hash value as the hash value respectively wedo not know (120573
1 1205732) (see Table 3) In this case we can not
compute 1198701 Thus we consider different events on these
algorithms To recover (11987010 11987011) of NMAC-SHA-224 we
use an event (119891lowast22 119891lowast
31 119891lowast
13) This attack needs [1198993] + [1198992]
fault injections and the negligible computational complex-ity In the case of NMAC-SHA-384 we consider an event(119891lowast
21 119891lowast
31 119891lowast
12) to recover 119870
10 This attack requires [1198993] + 119899
fault injections with a negligible computational complexity
5 Conclusion
In this paper we proposed key recovery attacks onHMACNAC by using a fault injection attack Our attack canbe applied to HMACNMAC based on the MD-family hashfunctions and requires a small number of fault injections witha negligible computational complexity As concrete exampleswe applied our attack to HMACNMAC based on MD4MD5 and SHA-2 The results on HMACNMAC-SHA-2 arethe first known key recovery attacks on them
Conflict of Interests
The authors declare that there is no conflict of interests re-garding the publication of this paper
Acknowledgments
This research was supported by the MSIP (Ministry ofScience ICTampFuture Planning) Korea under the C-ITRC(Convergence Information Technology Research Center)support program (NIPA-2013-H0301-13-3007) supervised bythe NIPA (National IT Industry Promotion Agency)
References
[1] M Bellare R Canetti and H Krawczyk ldquoKeying hash func-tions for message authenticationrdquo in Proceedings of the AnnualInternational Cryptology Conference (CRYPTO rsquo96) vol 1109 ofLecture Notes in Computer Science pp 10ndash15 August 1996
[2] S Contini and Y L Yin ldquoForgery and partial key-recoveryattacks on HMAC and NMAC using hash collisionsrdquo inAdvan-ces in Cryptology vol 4284 ofLectureNotes in Computer Sciencepp 37ndash53 2006
[3] P A Fouque G Leurent and P Q Nguyen ldquoFull key-recovery attacks on HMACNMAC-MD4 and NMAC-MD5rdquoin Advances in Cryptology vol 4622 of Lecture Notes in Com-puter Science pp 13ndash30 2007
[4] L Wang K Ohta and N Kunihiro ldquoNew key-recovery attackson HMACNMAC-MD4 and NMAC-MD5rdquo in Advances inCryptology (EUROCRYPT 2008) vol 4965 of Lecture Notes inComputer Science pp 237ndash253 2008
[5] RMcEvoyM Tunstall C CMurphy andW PMarnane ldquoDif-ferential power analysis of HMAC based on SHA-2 and coun-termeasuresrdquo in Advances in Cryptology vol 4867 of LectureNotes in Computer Science pp 317ndash332 2007
[6] O Benoıt and T Peyrin ldquoSide-channel analysis of six sha-3candidatesrdquo in Advances in Cryptology vol 6225 of LectureNotes in Computer Science pp 140ndash157 2010
[7] P Kocher ldquoTiming attacks on implementation of Diffie-Hellmanrdquo in Advances in Cryptology vol 1109 of Lecture Notesin Computer Science pp 104ndash113 1996
[8] E Biham andA Shamir ldquoDifferential fault analysis of secret keycryptosystemsrdquo in Advances in Cryptology vol 1294 of LectureNotes in Computer Science pp 513ndash525 1997
[9] D Boneh R A DeMillo and R J Lipton ldquoOn the importanceof checking cryptographic protocols for faultsrdquo in Advances inCryptology vol 1233 of Lecture Notes in Computer Science pp37ndash51 1997
6 Journal of Applied Mathematics
[10] K Jeong Y Lee J Sung and S Hong ldquoDifferential fault analysison block cipher SEEDrdquoMathematical and Computer Modellingvol 55 no 1-2 pp 26ndash34 2012
[11] K Jeong and C Lee ldquoDifferential fault analysis on block cipherLED-64rdquo in Future Information Technology Application andService vol 164 of Lecture Notes in Electrical Engineering pp747ndash755 2012
[12] K Jeong J Sung S Hong and C Lee ldquoA new approachof differential fault analysis on block ciphers with S-boxrdquoInformation vol 16 no 3 pp 1915ndash1928 2013
[13] H Choukri and M Tunstall ldquoRound reduction using faultsrdquo inProceedings of theWorkshop on Fault Diagnosis and Tolerance inCryptography (FDTC rsquo05) pp 13ndash24 2005
[14] R Rivest ldquoTheMD4message digest algorithmrdquo RFC 1320 1992[15] R Rivest ldquoTheMD5message digest algorithmrdquo RFC 1321 1992[16] National Institute of Standards and Technology FIPS PUB 180-
2 Secure Hash Standard 2002[17] C H Kim and J J Quisquater ldquoFault attacks for CRT based
RSA new attacks new results and new countermeasuresrdquo inProceedings of theWorkshop on Information SecurityTheory andPractices vol 4462 of Lecture Notes in Computer Science pp215ndash228 May 2007
[18] J G J Van Woudenberg M F Witteman and F MenarinildquoPractical optical fault injection on secure microcontrollersrdquo inProceedings of the 8th InternationalWorkshop on Fault Diagnosisand Tolerance in Cryptography (FDTC rsquo11) pp 91ndash99 September2011
Submit your manuscripts athttpwwwhindawicom
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical Problems in Engineering
Hindawi Publishing Corporationhttpwwwhindawicom
Differential EquationsInternational Journal of
Volume 2014
Applied MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Probability and StatisticsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical PhysicsAdvances in
Complex AnalysisJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
OptimizationJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
CombinatoricsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Operations ResearchAdvances in
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Function Spaces
Abstract and Applied AnalysisHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of Mathematics and Mathematical Sciences
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Algebra
Discrete Dynamics in Nature and Society
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Decision SciencesAdvances in
Discrete MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014 Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Stochastic AnalysisInternational Journal of
4 Journal of Applied Mathematics
A B C D E F G H
X A B C E F G
Ch
Maj
Maj
Y X A B E F
Ch
Z Y X A E
Ch
Maj
Ch
Maj
sum1 sum1
sum0 sum0
sum0
sum0
sum1
sum1
120572
120572120573
120574 120572120573
IHV00 IHV01 IHV02 IHV03 IHV04 IHV05 IHV06 IHV07 IHV10 IHV11 IHV12 IHV13 IHV14 IHV15 IHV16 IHV17
Z + A
Z + A
Y + B
Y + B
X+ C
X+ C
A+ D E + H120574 + E
120574 + E
120573 + F
120573 + F
120572 + G
120572 + G
C2
C1
C0
W0
C0
K1 oplus 0x5c
K2 oplus 0x5c
K0 oplus 0x5c
HMAC0 HMAC1 HMAC2 HMAC3 HMAC4 HMAC5 HMAC6 HMAC7
Figure 2 An event (119891lowast03 119891lowast
11)
4 Key Recovery Attack on NMAC
A key recovery attack on NMAC is similar to that on HMACThis is also applicable to NMAC based on the MD-familyhash functions As a concrete example we present a keyrecovery attack on NMAC-SHA-2 In the case of other MD-family hash functions we can attack in a similar fashionTable 1 gives the detailed results
41 Fault Assumption Differently fromHMAC NMAC usestwo 119899-word secret keys (119870
1 1198702) (see Figure 3) Thus our
attack on NMAC consists of the following two steps Firstlywe recover 119870
2by using a key recovery attack on HMAC-
SHA-2 (Fault1in Figure 3) Secondly to compute 119870
1 we
inject faults to (119891lowast2 119891lowast
3 119891lowast
1) (Fault
2in Figure 3) Note that we
assume that a message119872 is only a single block
42 Key Recovery Attack on NMAC-SHA-256512 Since thestructure of SHA-512 is similar to that of SHA-256 we onlyintroduce a key recovery attack on NMAC-SHA-256 in this
K1
K2
Fault2
Fault1
flowast3
flowast2
flowast0 flowast
1
M
NMACIHV0 IHV1
IHV0
Figure 3 Our fault model on NMAC
subsection We assume that the length of (1198701(= 11987010 sdot sdot sdot
1198701119899minus1
) 1198702(= 11987020 sdot sdot sdot 119870
2119899minus1)) is 32 sdot 119899 bits respectively By
using a key recovery attack on HMAC-SHA-256 we firstlyrecover 119870
2with [1198993] fault injections and the negligible
Journal of Applied Mathematics 5
Table 3 Recovery of (11987010 11987011 11987012)
Chaining value Message
119891lowast
23
(119886 119887 119888 119889 119890 119891 119892 ℎ) 11987010
(119883 119886 119887 119888 119890 119891 119892) 11987011
(119884119883 119886 119887 119890 119891) 11987012
(119885 119884119883 119886 119890) mdash
(119885 + 119886 119884 + 119887119883 + 119888 119886 + 119889 119890 + ℎ)feed-
forward
119891lowast
31
(119885 + 119886 119884 + 119887119883 + 119888 119886 + 119889 119890 + ℎ) 119872
(119882119885 + 119886 119884 + 119887119883 + 119888 ) mdash(119882 + 119885 + 119886 119884 + 119885 + 119886 + 119887119883 + 119884 + 119887 + 119888119883 +
119886 + 119888 + 119889 )
feed-forward
119891lowast
14
(119860 119861 119862119863 119864 119865 119866119867) 119882 + 119885 + 119886
(1205721 119860 119861 119862 120573
1 119864 119865 119866) 119884+119885+119886+119887
(1205722 1205721 119860 119861 120573
2 1205731 119864 119865) 119883+119884+119887+119888
(1205723 1205722 1205721 119860 1205733 1205732 1205731 119864) 119883+119886+119888+119889
(1205724 1205723 1205722 1205721 1205734 1205733 1205732 1205731) mdash
(1205724+ 119860 120572
3+ 119861 120572
2+ 119862 120572
1+ 119863 120573
4+ 119864 120573
3+
119865 1205732+ 119866 120573
1+ 119867)
feed-forward
computational complexity And then we compute 1198701from
an event (119891lowast2119894 119891lowast
3119895 119891lowast
1119896)
Table 3 shows the results of an event (119891lowast23 119891lowast
31 119891lowast
14) From
Table 3 we can compute (11987010 11987011 11987012) as follows Since
we know HMAC and can compute IHV1(= 119860119861 sdot sdot sdot 119867)
by using 1198702 we can compute (120572
1 1205722 1205723 1205724 1205731 1205732 1205733 1205734) by
using the following equations
1205721= HMAC
3minus 119863 120573
1= HMAC
7minus 119867
1205722= HMAC
2minus 119862 120573
2= HMAC
6minus 119866
1205723= HMAC
1minus 119861 120573
3= HMAC
5minus 119865
1205724= HMAC
0minus 119860 120573
4= HMAC
4minus 119864
(8)
By using (1205721 1205722 1205723 1205724 1205731 1205732 1205733 1205734) we can compute the
messages of 119891lowast1(119882 + 119885 + 119886 119884 + 119885 + 119886 + 119887 119883 + 119884 + 119887 +
119888 119883 + 119886 + 119888 + 119889) easily Since we know IHV0(= 119886119887 sdot sdot sdot ℎ)
we can obtain (119883 119884 119885)Thus we can recover (11987010 11987011 11987012)
similarly to a key recovery attack on HMAC-SHA-256By repeating the previous procedure we can recover
(1198701 1198702) by using 2 sdot [1198993] fault injections Its computational
complexity is also negligible
43 Key Recovery Attack on NMAC-SHA-224384 SinceSHA-224384 outputs the left most 224384 bits of the result-ing 256512-bit hash value as the hash value respectively wedo not know (120573
1 1205732) (see Table 3) In this case we can not
compute 1198701 Thus we consider different events on these
algorithms To recover (11987010 11987011) of NMAC-SHA-224 we
use an event (119891lowast22 119891lowast
31 119891lowast
13) This attack needs [1198993] + [1198992]
fault injections and the negligible computational complex-ity In the case of NMAC-SHA-384 we consider an event(119891lowast
21 119891lowast
31 119891lowast
12) to recover 119870
10 This attack requires [1198993] + 119899
fault injections with a negligible computational complexity
5 Conclusion
In this paper we proposed key recovery attacks onHMACNAC by using a fault injection attack Our attack canbe applied to HMACNMAC based on the MD-family hashfunctions and requires a small number of fault injections witha negligible computational complexity As concrete exampleswe applied our attack to HMACNMAC based on MD4MD5 and SHA-2 The results on HMACNMAC-SHA-2 arethe first known key recovery attacks on them
Conflict of Interests
The authors declare that there is no conflict of interests re-garding the publication of this paper
Acknowledgments
This research was supported by the MSIP (Ministry ofScience ICTampFuture Planning) Korea under the C-ITRC(Convergence Information Technology Research Center)support program (NIPA-2013-H0301-13-3007) supervised bythe NIPA (National IT Industry Promotion Agency)
References
[1] M Bellare R Canetti and H Krawczyk ldquoKeying hash func-tions for message authenticationrdquo in Proceedings of the AnnualInternational Cryptology Conference (CRYPTO rsquo96) vol 1109 ofLecture Notes in Computer Science pp 10ndash15 August 1996
[2] S Contini and Y L Yin ldquoForgery and partial key-recoveryattacks on HMAC and NMAC using hash collisionsrdquo inAdvan-ces in Cryptology vol 4284 ofLectureNotes in Computer Sciencepp 37ndash53 2006
[3] P A Fouque G Leurent and P Q Nguyen ldquoFull key-recovery attacks on HMACNMAC-MD4 and NMAC-MD5rdquoin Advances in Cryptology vol 4622 of Lecture Notes in Com-puter Science pp 13ndash30 2007
[4] L Wang K Ohta and N Kunihiro ldquoNew key-recovery attackson HMACNMAC-MD4 and NMAC-MD5rdquo in Advances inCryptology (EUROCRYPT 2008) vol 4965 of Lecture Notes inComputer Science pp 237ndash253 2008
[5] RMcEvoyM Tunstall C CMurphy andW PMarnane ldquoDif-ferential power analysis of HMAC based on SHA-2 and coun-termeasuresrdquo in Advances in Cryptology vol 4867 of LectureNotes in Computer Science pp 317ndash332 2007
[6] O Benoıt and T Peyrin ldquoSide-channel analysis of six sha-3candidatesrdquo in Advances in Cryptology vol 6225 of LectureNotes in Computer Science pp 140ndash157 2010
[7] P Kocher ldquoTiming attacks on implementation of Diffie-Hellmanrdquo in Advances in Cryptology vol 1109 of Lecture Notesin Computer Science pp 104ndash113 1996
[8] E Biham andA Shamir ldquoDifferential fault analysis of secret keycryptosystemsrdquo in Advances in Cryptology vol 1294 of LectureNotes in Computer Science pp 513ndash525 1997
[9] D Boneh R A DeMillo and R J Lipton ldquoOn the importanceof checking cryptographic protocols for faultsrdquo in Advances inCryptology vol 1233 of Lecture Notes in Computer Science pp37ndash51 1997
6 Journal of Applied Mathematics
[10] K Jeong Y Lee J Sung and S Hong ldquoDifferential fault analysison block cipher SEEDrdquoMathematical and Computer Modellingvol 55 no 1-2 pp 26ndash34 2012
[11] K Jeong and C Lee ldquoDifferential fault analysis on block cipherLED-64rdquo in Future Information Technology Application andService vol 164 of Lecture Notes in Electrical Engineering pp747ndash755 2012
[12] K Jeong J Sung S Hong and C Lee ldquoA new approachof differential fault analysis on block ciphers with S-boxrdquoInformation vol 16 no 3 pp 1915ndash1928 2013
[13] H Choukri and M Tunstall ldquoRound reduction using faultsrdquo inProceedings of theWorkshop on Fault Diagnosis and Tolerance inCryptography (FDTC rsquo05) pp 13ndash24 2005
[14] R Rivest ldquoTheMD4message digest algorithmrdquo RFC 1320 1992[15] R Rivest ldquoTheMD5message digest algorithmrdquo RFC 1321 1992[16] National Institute of Standards and Technology FIPS PUB 180-
2 Secure Hash Standard 2002[17] C H Kim and J J Quisquater ldquoFault attacks for CRT based
RSA new attacks new results and new countermeasuresrdquo inProceedings of theWorkshop on Information SecurityTheory andPractices vol 4462 of Lecture Notes in Computer Science pp215ndash228 May 2007
[18] J G J Van Woudenberg M F Witteman and F MenarinildquoPractical optical fault injection on secure microcontrollersrdquo inProceedings of the 8th InternationalWorkshop on Fault Diagnosisand Tolerance in Cryptography (FDTC rsquo11) pp 91ndash99 September2011
Submit your manuscripts athttpwwwhindawicom
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical Problems in Engineering
Hindawi Publishing Corporationhttpwwwhindawicom
Differential EquationsInternational Journal of
Volume 2014
Applied MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Probability and StatisticsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical PhysicsAdvances in
Complex AnalysisJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
OptimizationJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
CombinatoricsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Operations ResearchAdvances in
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Function Spaces
Abstract and Applied AnalysisHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of Mathematics and Mathematical Sciences
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Algebra
Discrete Dynamics in Nature and Society
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Decision SciencesAdvances in
Discrete MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014 Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Stochastic AnalysisInternational Journal of
Journal of Applied Mathematics 5
Table 3 Recovery of (11987010 11987011 11987012)
Chaining value Message
119891lowast
23
(119886 119887 119888 119889 119890 119891 119892 ℎ) 11987010
(119883 119886 119887 119888 119890 119891 119892) 11987011
(119884119883 119886 119887 119890 119891) 11987012
(119885 119884119883 119886 119890) mdash
(119885 + 119886 119884 + 119887119883 + 119888 119886 + 119889 119890 + ℎ)feed-
forward
119891lowast
31
(119885 + 119886 119884 + 119887119883 + 119888 119886 + 119889 119890 + ℎ) 119872
(119882119885 + 119886 119884 + 119887119883 + 119888 ) mdash(119882 + 119885 + 119886 119884 + 119885 + 119886 + 119887119883 + 119884 + 119887 + 119888119883 +
119886 + 119888 + 119889 )
feed-forward
119891lowast
14
(119860 119861 119862119863 119864 119865 119866119867) 119882 + 119885 + 119886
(1205721 119860 119861 119862 120573
1 119864 119865 119866) 119884+119885+119886+119887
(1205722 1205721 119860 119861 120573
2 1205731 119864 119865) 119883+119884+119887+119888
(1205723 1205722 1205721 119860 1205733 1205732 1205731 119864) 119883+119886+119888+119889
(1205724 1205723 1205722 1205721 1205734 1205733 1205732 1205731) mdash
(1205724+ 119860 120572
3+ 119861 120572
2+ 119862 120572
1+ 119863 120573
4+ 119864 120573
3+
119865 1205732+ 119866 120573
1+ 119867)
feed-forward
computational complexity And then we compute 1198701from
an event (119891lowast2119894 119891lowast
3119895 119891lowast
1119896)
Table 3 shows the results of an event (119891lowast23 119891lowast
31 119891lowast
14) From
Table 3 we can compute (11987010 11987011 11987012) as follows Since
we know HMAC and can compute IHV1(= 119860119861 sdot sdot sdot 119867)
by using 1198702 we can compute (120572
1 1205722 1205723 1205724 1205731 1205732 1205733 1205734) by
using the following equations
1205721= HMAC
3minus 119863 120573
1= HMAC
7minus 119867
1205722= HMAC
2minus 119862 120573
2= HMAC
6minus 119866
1205723= HMAC
1minus 119861 120573
3= HMAC
5minus 119865
1205724= HMAC
0minus 119860 120573
4= HMAC
4minus 119864
(8)
By using (1205721 1205722 1205723 1205724 1205731 1205732 1205733 1205734) we can compute the
messages of 119891lowast1(119882 + 119885 + 119886 119884 + 119885 + 119886 + 119887 119883 + 119884 + 119887 +
119888 119883 + 119886 + 119888 + 119889) easily Since we know IHV0(= 119886119887 sdot sdot sdot ℎ)
we can obtain (119883 119884 119885)Thus we can recover (11987010 11987011 11987012)
similarly to a key recovery attack on HMAC-SHA-256By repeating the previous procedure we can recover
(1198701 1198702) by using 2 sdot [1198993] fault injections Its computational
complexity is also negligible
43 Key Recovery Attack on NMAC-SHA-224384 SinceSHA-224384 outputs the left most 224384 bits of the result-ing 256512-bit hash value as the hash value respectively wedo not know (120573
1 1205732) (see Table 3) In this case we can not
compute 1198701 Thus we consider different events on these
algorithms To recover (11987010 11987011) of NMAC-SHA-224 we
use an event (119891lowast22 119891lowast
31 119891lowast
13) This attack needs [1198993] + [1198992]
fault injections and the negligible computational complex-ity In the case of NMAC-SHA-384 we consider an event(119891lowast
21 119891lowast
31 119891lowast
12) to recover 119870
10 This attack requires [1198993] + 119899
fault injections with a negligible computational complexity
5 Conclusion
In this paper we proposed key recovery attacks onHMACNAC by using a fault injection attack Our attack canbe applied to HMACNMAC based on the MD-family hashfunctions and requires a small number of fault injections witha negligible computational complexity As concrete exampleswe applied our attack to HMACNMAC based on MD4MD5 and SHA-2 The results on HMACNMAC-SHA-2 arethe first known key recovery attacks on them
Conflict of Interests
The authors declare that there is no conflict of interests re-garding the publication of this paper
Acknowledgments
This research was supported by the MSIP (Ministry ofScience ICTampFuture Planning) Korea under the C-ITRC(Convergence Information Technology Research Center)support program (NIPA-2013-H0301-13-3007) supervised bythe NIPA (National IT Industry Promotion Agency)
References
[1] M Bellare R Canetti and H Krawczyk ldquoKeying hash func-tions for message authenticationrdquo in Proceedings of the AnnualInternational Cryptology Conference (CRYPTO rsquo96) vol 1109 ofLecture Notes in Computer Science pp 10ndash15 August 1996
[2] S Contini and Y L Yin ldquoForgery and partial key-recoveryattacks on HMAC and NMAC using hash collisionsrdquo inAdvan-ces in Cryptology vol 4284 ofLectureNotes in Computer Sciencepp 37ndash53 2006
[3] P A Fouque G Leurent and P Q Nguyen ldquoFull key-recovery attacks on HMACNMAC-MD4 and NMAC-MD5rdquoin Advances in Cryptology vol 4622 of Lecture Notes in Com-puter Science pp 13ndash30 2007
[4] L Wang K Ohta and N Kunihiro ldquoNew key-recovery attackson HMACNMAC-MD4 and NMAC-MD5rdquo in Advances inCryptology (EUROCRYPT 2008) vol 4965 of Lecture Notes inComputer Science pp 237ndash253 2008
[5] RMcEvoyM Tunstall C CMurphy andW PMarnane ldquoDif-ferential power analysis of HMAC based on SHA-2 and coun-termeasuresrdquo in Advances in Cryptology vol 4867 of LectureNotes in Computer Science pp 317ndash332 2007
[6] O Benoıt and T Peyrin ldquoSide-channel analysis of six sha-3candidatesrdquo in Advances in Cryptology vol 6225 of LectureNotes in Computer Science pp 140ndash157 2010
[7] P Kocher ldquoTiming attacks on implementation of Diffie-Hellmanrdquo in Advances in Cryptology vol 1109 of Lecture Notesin Computer Science pp 104ndash113 1996
[8] E Biham andA Shamir ldquoDifferential fault analysis of secret keycryptosystemsrdquo in Advances in Cryptology vol 1294 of LectureNotes in Computer Science pp 513ndash525 1997
[9] D Boneh R A DeMillo and R J Lipton ldquoOn the importanceof checking cryptographic protocols for faultsrdquo in Advances inCryptology vol 1233 of Lecture Notes in Computer Science pp37ndash51 1997
6 Journal of Applied Mathematics
[10] K Jeong Y Lee J Sung and S Hong ldquoDifferential fault analysison block cipher SEEDrdquoMathematical and Computer Modellingvol 55 no 1-2 pp 26ndash34 2012
[11] K Jeong and C Lee ldquoDifferential fault analysis on block cipherLED-64rdquo in Future Information Technology Application andService vol 164 of Lecture Notes in Electrical Engineering pp747ndash755 2012
[12] K Jeong J Sung S Hong and C Lee ldquoA new approachof differential fault analysis on block ciphers with S-boxrdquoInformation vol 16 no 3 pp 1915ndash1928 2013
[13] H Choukri and M Tunstall ldquoRound reduction using faultsrdquo inProceedings of theWorkshop on Fault Diagnosis and Tolerance inCryptography (FDTC rsquo05) pp 13ndash24 2005
[14] R Rivest ldquoTheMD4message digest algorithmrdquo RFC 1320 1992[15] R Rivest ldquoTheMD5message digest algorithmrdquo RFC 1321 1992[16] National Institute of Standards and Technology FIPS PUB 180-
2 Secure Hash Standard 2002[17] C H Kim and J J Quisquater ldquoFault attacks for CRT based
RSA new attacks new results and new countermeasuresrdquo inProceedings of theWorkshop on Information SecurityTheory andPractices vol 4462 of Lecture Notes in Computer Science pp215ndash228 May 2007
[18] J G J Van Woudenberg M F Witteman and F MenarinildquoPractical optical fault injection on secure microcontrollersrdquo inProceedings of the 8th InternationalWorkshop on Fault Diagnosisand Tolerance in Cryptography (FDTC rsquo11) pp 91ndash99 September2011
Submit your manuscripts athttpwwwhindawicom
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical Problems in Engineering
Hindawi Publishing Corporationhttpwwwhindawicom
Differential EquationsInternational Journal of
Volume 2014
Applied MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Probability and StatisticsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical PhysicsAdvances in
Complex AnalysisJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
OptimizationJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
CombinatoricsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Operations ResearchAdvances in
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Function Spaces
Abstract and Applied AnalysisHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of Mathematics and Mathematical Sciences
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Algebra
Discrete Dynamics in Nature and Society
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Decision SciencesAdvances in
Discrete MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014 Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Stochastic AnalysisInternational Journal of
6 Journal of Applied Mathematics
[10] K Jeong Y Lee J Sung and S Hong ldquoDifferential fault analysison block cipher SEEDrdquoMathematical and Computer Modellingvol 55 no 1-2 pp 26ndash34 2012
[11] K Jeong and C Lee ldquoDifferential fault analysis on block cipherLED-64rdquo in Future Information Technology Application andService vol 164 of Lecture Notes in Electrical Engineering pp747ndash755 2012
[12] K Jeong J Sung S Hong and C Lee ldquoA new approachof differential fault analysis on block ciphers with S-boxrdquoInformation vol 16 no 3 pp 1915ndash1928 2013
[13] H Choukri and M Tunstall ldquoRound reduction using faultsrdquo inProceedings of theWorkshop on Fault Diagnosis and Tolerance inCryptography (FDTC rsquo05) pp 13ndash24 2005
[14] R Rivest ldquoTheMD4message digest algorithmrdquo RFC 1320 1992[15] R Rivest ldquoTheMD5message digest algorithmrdquo RFC 1321 1992[16] National Institute of Standards and Technology FIPS PUB 180-
2 Secure Hash Standard 2002[17] C H Kim and J J Quisquater ldquoFault attacks for CRT based
RSA new attacks new results and new countermeasuresrdquo inProceedings of theWorkshop on Information SecurityTheory andPractices vol 4462 of Lecture Notes in Computer Science pp215ndash228 May 2007
[18] J G J Van Woudenberg M F Witteman and F MenarinildquoPractical optical fault injection on secure microcontrollersrdquo inProceedings of the 8th InternationalWorkshop on Fault Diagnosisand Tolerance in Cryptography (FDTC rsquo11) pp 91ndash99 September2011
Submit your manuscripts athttpwwwhindawicom
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical Problems in Engineering
Hindawi Publishing Corporationhttpwwwhindawicom
Differential EquationsInternational Journal of
Volume 2014
Applied MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Probability and StatisticsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical PhysicsAdvances in
Complex AnalysisJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
OptimizationJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
CombinatoricsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Operations ResearchAdvances in
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Function Spaces
Abstract and Applied AnalysisHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of Mathematics and Mathematical Sciences
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Algebra
Discrete Dynamics in Nature and Society
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Decision SciencesAdvances in
Discrete MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014 Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Stochastic AnalysisInternational Journal of
Submit your manuscripts athttpwwwhindawicom
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical Problems in Engineering
Hindawi Publishing Corporationhttpwwwhindawicom
Differential EquationsInternational Journal of
Volume 2014
Applied MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Probability and StatisticsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical PhysicsAdvances in
Complex AnalysisJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
OptimizationJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
CombinatoricsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Operations ResearchAdvances in
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Function Spaces
Abstract and Applied AnalysisHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of Mathematics and Mathematical Sciences
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Algebra
Discrete Dynamics in Nature and Society
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Decision SciencesAdvances in
Discrete MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014 Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Stochastic AnalysisInternational Journal of