
DOI 10.1007/s11235-011-9457-9

Cryptanalysis and improvement on a parallel keyed hash function based on chaotic neural network

Xiaomin Wang · Wei Guo · Wenfang Zhang · Muhammad Khurram Khan · Khaled Alghathbar

© Springer Science+Business Media, LLC 2011

Abstract This paper analyzes the security of a chaotic parallel keyed hash function in detail, and points out that it is susceptible to two kinds of forgery attacks and a weak key attack (which results in MAC collisions). To remedy such security flaws, an improved scheme is further proposed, and its security and performance are also discussed. The theoretical analysis shows that the improved scheme is more secure than the original one. In the meanwhile, it can also keep the parallel merit and other performance advantages of the original scheme.

Keywords Chaos · Cryptanalysis · Keyed hash function · Forgery attack · Weak key attack · Neural network

X. Wang (✉)
Key Laboratory of Traffic Information Engineering and Control, School of Information Science & Technology, Southwest Jiaotong University, Chengdu, Sichuan 610031, China
e-mail: xmwang@home.swjtu.edu.cn

W. Guo · W. Zhang
Key Laboratory of Information Security and National Computing Grid, School of Information Science & Technology, Southwest Jiaotong University, Chengdu, Sichuan 610031, China

Center of Excellence in Information Assurance (CoEIA), King Saud University, Riyadh, Kingdom of Saudi Arabia

K. Alghathbar
Information Systems Department, College of Computer and Information Sciences, King Saud University, Riyadh, Kingdom of Saudi Arabia

1 Introduction

Cryptographic hash functions play a fundamental role in data integrity and message authentication in modern cryptography [1]. Utilizing the nonlinear property of chaotic dynamics, many researchers have proposed chaotic hash functions in the past few years [2–9]. However, most of these algorithms are of iterative hash structure, processing only in sequential mode, which restricts their efficiency on parallel processing platforms. To overcome this limitation, a parallel keyed hash function based on the piecewise linear chaotic map and the 4-dimensional Cat map was proposed [10], but our cryptanalysis indicated that it is not secure [11].

Recently, Xiao et al. [12] presented another parallel keyed hash function using a chaotic neural network. Due to the parallel mode of the algorithm structure and the inner parallel mechanism of the neural network, their scheme is suitable for parallel computing platforms. However, this parallel hash function has some design flaws and is not secure either.

In this paper, we analyze the security flaws of Xiao's scheme in detail, and show that the scheme is susceptible to an equal-length forgery attack and a variant-length forgery attack. Moreover, there are a large number of weak keys in the scheme, which can be utilized by a malicious user to construct message authentication code (MAC) collisions. To remedy such security flaws, an efficient improvement on the original scheme is further proposed. The security and performance analysis show that the improved scheme is more secure than the original one at a slight computation cost. In the meanwhile, the parallelism merit of the original scheme is also conserved.

2 Review of the original parallel keyed hash function

Xiao's parallel keyed hash function [12] is constructed on a two-layer neural network that has 8 input neurons and 4 output neurons. Each input neuron has the same parameters, including weights, biases and transfer functions,

whereas the output neurons have different parameters. The values of the weights and biases are generated from the piecewise linear chaotic map (PWLCM), which also acts as the transfer function. The PWLCM is defined as [12]:

$$x(k+1) = F_u(x(k)) = \begin{cases} x(k)/u, & 0 \le x(k) < u, \\ (x(k)-u)/(0.5-u), & u \le x(k) < 0.5, \\ (1-x(k)-u)/(0.5-u), & 0.5 \le x(k) < 1-u, \\ (1-x(k))/u, & 1-u \le x(k) \le 1, \end{cases} \quad (1)$$

where x(k) ∈ [0, 1] and u ∈ (0, 0.5) are the iteration value and the parameter of the PWLCM, respectively. The initial value x_0 ∈ [0, 1] and the parameter u_0 ∈ (0, 0.5) constitute the secret key of the keyed hash function.

The original scheme compresses 512-bit message blocks into an N-bit hash value (generally, N = 128 is assumed in [12]). The whole algorithm structure is depicted in Fig. 1, and the hash construction can be summarized as three phases: the message padding phase, the block-wise compression (compression function) phase, and the phase chaining the intermediate hash values.

516 X. Wang et al.

Fig. 1 Structure of the original parallel keyed hash function in [12]. (a) Diagram of the whole algorithm; (b) the chaotic neural network structure of Block Hash. [Figure not reproduced.]

2.1 Message padding phase

The original message M is padded such that its length is a multiple of 512: let L be the length of the original message M; the padding bits (100···0)_2 with length n (such … The left 64-bit is used to denote the length of the original message M. The padded message M is then separated into 512-bit message blocks as M = (m_1, m_2, …, m_s), and each block is written as $m_i = m_i^1 m_i^2 \cdots m_i^{512}$.

2.2 Block-wise compression phase

… 1, 2, …, s), called the Block Hash function in [12], is described as follows:

(1) The 512-bit m_i is divided into 64 units of 8 bits each. These 64 units are denoted in turn by w_1, w_2, …, w_63, w_64 as in (2),

$$m_i = \underbrace{m_i^1 m_i^2 \cdots m_i^8}_{w_1}\ \underbrace{m_i^9 m_i^{10} \cdots m_i^{16}}_{w_2} \cdots \underbrace{m_i^{505} m_i^{506} \cdots m_i^{512}}_{w_{64}}, \quad (2)$$

and are further pre-mapped into wr_1, wr_2, …, wr_64 in [0, 1] by means of the linear transform wr_i = w_i/256, i = 1, 2, …, 64. Then wr_1, wr_2, …, wr_64 are divided into 8 groups: group 1 is (wr_1, wr_2, …, wr_8), group 2 is (wr_9, wr_10, …, wr_16), …, group 8 is (wr_57, wr_58, …, wr_64).

(2) Calculate the parameter u_i (denoted by uu_0 in [12]) for the current ith block as

$$u_i = \frac{u_0}{2} + \frac{1}{4}\cdot\frac{i-1}{s-1} \in [0, 0.5], \quad (3)$$

where u_0 is the part of the secret key and s is the total block number of the padded message M. Then iterate the PWLCM (1) with initial value x(0) and parameter u_i for 97 times; the orbit x(j), j = 1, 2, …, 97, is obtained.

(3) Parameterize the neurons of the input layer. There are 8 neurons at the input layer, and each neuron has 8 input data with the same parameters, i.e. the weights WC_1, WC_2, …, WC_8 are set by x(j), j = 51, 52, …, 58, respectively; the bias BC is set by x(59); and the parameter QC of the transfer function is set by x(60). (If x(60) > 0.5, then 1 − x(60) is set as QC.)

(4) Parameterize the neurons of the output layer. There are 4 output neurons, each with 8 inputs and different parameters, i.e. x(j), j = 61, 62, …, 92, are set as the weights WH_{i,1}, WH_{i,2}, …, WH_{i,8} (i = 1, 2, 3, 4); x(j), j = 93, 94, 95, 96, are set as the biases BH_1, BH_2, BH_3, BH_4; and x(97) is set as the parameter QH of the transfer function. (If x(97) > 0.5, then 1 − x(97) is set as QH.)

(5) Computing the outputs of the input layer. The 8 groups of input data, i.e. Group 1: wr_1, wr_2, …, wr_8; Group 2: wr_9, wr_10, …, wr_16; …; Group 8: wr_57, wr_58, …, wr_64, are transformed into the output data C = [c_1, c_2, …, c_8] as in (4):

$$c_i = f^{50}\Big(\mathrm{mod}\big([WC_1, WC_2, \ldots, WC_8] * [wr_{(i-1)*8+1}, wr_{(i-1)*8+2}, \ldots, wr_{(i-1)*8+8}]^T + BC,\ 1\big),\ QC\Big), \quad (4)$$

where i = 1, 2, …, 8, and f is the PWLCM defined by (1) with parameter QC.

(6) Computing the outputs of the output layer. The outputs of the input layer C = [c_1, c_2, …, c_8] are fed into the output layer to generate the final output data MH = [mh_1, mh_2, mh_3, mh_4] as in (5):

$$mh_i = f^{50}\Big(\mathrm{mod}\big([WH_{i,1}, WH_{i,2}, \ldots, WH_{i,8}] * [c_1, c_2, \ldots, c_8]^T + BH_i,\ 1\big),\ QH\Big), \quad i = 1, \ldots, 4. \quad (5)$$

(7) The obtained mh_1, mh_2, mh_3, mh_4 are transformed into the corresponding binary format, and the 32, 32, 32, 32 bits after the decimal point are extracted. Juxtaposing the four 32-bit binary strings from left to right gives a 128-bit keystream K_i, i.e. the output of the compression function for the ith message block m_i.

The above compression process of m_i can be written as the function

$$K_i = \mathrm{Block\ Hash}(k, i, m_i), \quad (6)$$

where k = {x_0, u_0} is the secret key and K_i is the keystream corresponding to message block m_i.

2.3 Chaining the intermediate hash values phase

Let H_k(M) denote the final hash value of message M with secret key k; then H_k(M) is obtained by XORing all K_i's with the initial vector H_0, which is depicted in Fig. 1 and described by (7):

$$H_k(M) = H_s = H_0 \oplus K_1 \oplus K_2 \oplus \cdots \oplus K_s. \quad (7)$$

Since the keystream K_i in (6) is generated independently from message block m_i, it is obvious that H_k(M) can be generated in parallel mode; Xiao's scheme is therefore a parallel keyed hash function.

Cryptanalysis and improvement on a parallel keyed hash function based on chaotic neural network 517

3 Cryptanalysis of the original parallel keyed hash function

In this section, we discuss the security problems of the original scheme, and show that the scheme is vulnerable to two kinds of forgery attacks and a weak key attack. In detail, a message with a valid MAC can be produced from three related messages and their MACs without knowledge of the secret key. In addition, a class of weak keys in the scheme is discussed, where keys are considered weak in the sense that they turn the chaotic orbit of the PWLCM into a fixed point. With these weak keys, different messages have identical MACs; in other words, MAC collisions happen in this case.

Note that there are two minor errors in Xiao's original scheme. One is "The left 64-bit is used to denote the length of the original message M" in the message padding phase in Sect. 2.1, where "left 64-bit" should be corrected to "right 64-bit". The other is (3) for calculating the parameter u_i. When the padded message has only one block, i.e. s = 1, then u_1 cannot be calculated from (3) because u_1 = u_0/2 + 0/0 in that case. Thus (3) is only suitable for the case s ≥ 2, i.e. the padded message must have at least two blocks. But the aforementioned errors do not hamper the following cryptanalysis.

3.1 Equal-length forgery attack

Here an equal-length forgery attack means that a valid message-MAC pair can be obtained from other message-MAC pairs where the lengths of these padded messages are all equal. To demonstrate such an attack on the original scheme, the following propositions are introduced.

Proposition 1 Given three equal-length padded messages M_1, M_2, M_3 and their corresponding hash values H_1 = H_k(M_1), H_2 = H_k(M_2), H_3 = H_k(M_3), if M_1, M_2, M_3 are of the forms $M_1 = m_1 m_2 \cdots m_i m_{i+1} \cdots m_{s-1} m_s$, $M_2 = m_1^* m_2^* \cdots m_i^* m_{i+1} \cdots m_{s-1} m_s$, $M_3 = m_1 m_2 \cdots m_i m_{i+1}^* m_{i+2}^* \cdots m_{s-1}^* m_s$, respectively, where m_i is the ith 512-bit block and m_s is the padding block, then for the message $M_4 = m_1^* m_2^* \cdots m_i^* m_{i+1}^* \cdots m_{s-1}^* m_s$, its hash value with the same secret key can be derived as H_k(M_4) = H_k(M_1) ⊕ H_k(M_2) ⊕ H_k(M_3), without knowledge of the secret key k.

Proof Let K_i = Block Hash(k, i, m_i) and K_i^* = Block Hash(k, i, m_i^*) be the keystreams of the ith blocks m_i and m_i^* with secret key k, respectively. Regarding (6) and (7) with secret key k, we have:

$$\begin{aligned}
H_k(M_1) &= H_0 \oplus K_1 \oplus K_2 \oplus \cdots \oplus K_i \oplus K_{i+1} \oplus \cdots \oplus K_{s-1} \oplus K_s, \\
H_k(M_2) &= H_0 \oplus K_1^* \oplus K_2^* \oplus \cdots \oplus K_i^* \oplus K_{i+1} \oplus \cdots \oplus K_{s-1} \oplus K_s, \\
H_k(M_3) &= H_0 \oplus K_1 \oplus K_2 \oplus \cdots \oplus K_i \oplus K_{i+1}^* \oplus K_{i+2}^* \oplus \cdots \oplus K_{s-1}^* \oplus K_s.
\end{aligned}$$

Table 1 Examples of the equal-length forgery attack. Secret key k = (x_0 = 0.987, u_0 = 0.1234). a^64 denotes a run of 64 ASCII characters 'a', i.e. one 512-bit block.

Message (before padding)      | Hash value (128-bit, hexadecimal)
M_1 = m_1 m_2 = a^64 a^64     | 1B6ED60F97A9C866F5840914CC365583
M_2 = m_1^* m_2 = b^64 a^64   | 92BF413F9C683A9E3A09850BF5EE7035
M_3 = m_1 m_2^* = a^64 c^64   | B0E89B2894916C24C2F9764AD33A87A7
M_4 = m_1^* m_2^* = b^64 c^64 | 39390C189F509EDC0D74FA55EAE2A211

H_k(M_4) = H_k(M_1) ⊕ H_k(M_2) ⊕ H_k(M_3), or $H_k(M_i) = \bigoplus_{j=1, j \ne i}^{4} H_k(M_j)$, i = 1, 2, 3, 4.

If $M_4 = m_1^* m_2^* \cdots m_i^* m_{i+1}^* \cdots m_{s-1}^* m_s$ and the secret key is also k, then

$$H_k(M_4) = H_0 \oplus K_1^* \oplus K_2^* \oplus \cdots \oplus K_i^* \oplus K_{i+1}^* \oplus K_{i+2}^* \oplus \cdots \oplus K_{s-1}^* \oplus K_s.$$

Obviously, the following equality is satisfied:

$$H_k(M_4) = H_k(M_1) \oplus H_k(M_2) \oplus H_k(M_3).$$

That is to say, M_4's hash value can be derived directly by XORing the hash values of three equal-length messages whose padding blocks are identical, without knowledge of the secret key and without invoking the hash operation for H_k(M_4) at all.

Corollary 1 Consider any four padded messages having the format $M_1 = m_1 m_2 \cdots m_i m_{i+1} \cdots m_s$, $M_2 = m_1^* m_2^* \cdots m_i^* m_{i+1} \cdots m_s$, $M_3 = m_1 m_2 \cdots m_i m_{i+1}^* m_{i+2}^* \cdots m_{s-1}^* m_s$ and $M_4 = m_1^* m_2^* \cdots m_i^* m_{i+1}^* m_{i+2}^* \cdots m_{s-1}^* m_s$; one can directly forge the hash value of any one of the four messages from the other three messages' hash values, without knowledge of the secret key.

Proof With the help of the proof of Proposition 1, it is not difficult to verify the following equality:

$$H_k(M_i) \oplus H_k(M_j) = H_k(M_p) \oplus H_k(M_q)$$

for i, j, p, q ∈ {1, 2, 3, 4} and i ≠ j ≠ p ≠ q. Thus one readily gets

$$H_k(M_i) = H_k(M_j) \oplus H_k(M_p) \oplus H_k(M_q) = \bigoplus_{r=1, r \ne i}^{4} H_k(M_r), \quad i = 1, 2, 3, 4.$$

The proof is completed.

Proposition 1 and Corollary 1 show that a valid message-MAC pair can be forged from three other message-MAC pairs (the padded messages are all of equal length and the padding blocks are identical) without knowledge of the secret key. The attack example for original messages with two blocks (before padding) is given in Table 1, which extends directly to the case of messages with more blocks. Therefore, the hash function is vulnerable to the equal-length forgery attack.

3.2 Variant-length forgery attack

Compared to the equal-length forgery attack, a variant-length forgery attack means that a valid message-MAC pair can be obtained from other message-MAC pairs of different lengths. The variant-length forgery attack given here is different from the unequal-length forgery attack that we discussed in [11], where the lengths of the last two padded messages must be multiples of the first two ones for a successful attack, while the variant-length forgery attack given here has no such requirement.

Proposition 2 Given three padded messages M_5, M_6, M_7 and their corresponding hash values with secret key k, H_5 = H_k(M_5), H_6 = H_k(M_6), H_7 = H_k(M_7), if M_5, M_6, M_7 are of the forms $M_5 = m_1 m_2 \cdots m_{i-1} m_i m_{i+1} \cdots m_{s-1} m_s$, $M_6 = m_1^* m_2 \cdots m_{i-1} m_i^* m_{i+1} \cdots m_{s-1} m_s$, $M_7 = M_1 M_2 \cdots M_{j-1} M_j M_{j+1} \cdots M_{p-1} M_p$, respectively, where m_i and M_i are the ith 512-bit blocks, and m_s and M_p are the padding blocks, then for the message $M_8 = M_1^* M_2 \cdots M_{j-1} M_j^* M_{j+1} \cdots M_{p-1} M_p$, if m_i = M_j, m_i^* = M_j^* (or m_i = M_j^*, m_i^* = M_j) when i, j satisfy (i − 1)/(s − 1) = (j − 1)/(p − 1), its hash value with the same secret key k can be derived as H_k(M_8) = H_k(M_5) ⊕ H_k(M_6) ⊕ H_k(M_7), without knowledge of the secret key k.

Proof According to (6) with secret key k, the following notations are introduced for convenience.

K_i = Block Hash(k, i, m_i): keystream of block m_i of message M_5, whose total block number is s after padding;
K_i^* = Block Hash(k, i, m_i^*): keystream of block m_i^* of message M_6, whose total block number is s after padding;
k_j = Block Hash(k, j, M_j): keystream of block M_j of message M_7, whose total block number is p after padding;
k_j^* = Block Hash(k, j, M_j^*): keystream of block M_j^* of message M_8, whose total block number is p after padding.

From the keystream generation given by steps (1)–(7) in Sect. 2.2, the keystream K_i is decided only by the secret key k, the content of m_i and (i − 1)/(s − 1) (i.e. the relative position of m_i). Thus, if m_i = M_j (or m_i = M_j^*) and (i − 1)/(s − 1) = (j − 1)/(p − 1), then K_i = k_j (or K_i = k_j^*) holds for the same k.

It is clear that i = j = 1 is a trivial solution of the equation (i − 1)/(s − 1) = (j − 1)/(p − 1) for any s ≥ 2, p ≥ 2. That is, when m_1 = M_1 and m_1^* = M_1^* hold, K_1 = k_1 and K_1^* = k_1^* also hold for any s and p. Similarly, when m_i = M_j, m_i^* = M_j^* where i, j satisfy (i − 1)/(s − 1) = (j − 1)/(p − 1), one readily gets K_i = k_j, K_i^* = k_j^*.

Regarding (6) and (7) with the same secret key k, we have:

$$\begin{aligned}
H_k(M_5) &= H_0 \oplus K_1 \oplus K_2 \oplus \cdots \oplus K_{i-1} \oplus K_i \oplus K_{i+1} \oplus \cdots \oplus K_{s-1} \oplus K_s, \\
H_k(M_6) &= H_0 \oplus K_1^* \oplus K_2 \oplus \cdots \oplus K_{i-1} \oplus K_i^* \oplus K_{i+1} \oplus \cdots \oplus K_{s-1} \oplus K_s, \\
H_k(M_7) &= H_0 \oplus k_1 \oplus k_2 \oplus \cdots \oplus k_{j-1} \oplus k_j \oplus k_{j+1} \oplus \cdots \oplus k_{p-1} \oplus k_p \\
         &= H_0 \oplus K_1 \oplus k_2 \oplus \cdots \oplus k_{j-1} \oplus K_i \oplus k_{j+1} \oplus \cdots \oplus k_{p-1} \oplus k_p, \\
H_k(M_8) &= H_0 \oplus k_1^* \oplus k_2 \oplus \cdots \oplus k_{j-1} \oplus k_j^* \oplus k_{j+1} \oplus \cdots \oplus k_{p-1} \oplus k_p \\
         &= H_0 \oplus K_1^* \oplus k_2 \oplus \cdots \oplus k_{j-1} \oplus K_i^* \oplus k_{j+1} \oplus \cdots \oplus k_{p-1} \oplus k_p.
\end{aligned}$$

Obviously, the following equality is satisfied:

$$H_k(M_5) \oplus H_k(M_6) = H_k(M_7) \oplus H_k(M_8) = K_1 \oplus K_1^* \oplus K_i \oplus K_i^*.$$

Thus,

$$H_k(M_8) = H_k(M_5) \oplus H_k(M_6) \oplus H_k(M_7). \quad (8)$$

In the case m_i = M_j^*, m_i^* = M_j, where i, j satisfy (i − 1)/(s − 1) = (j − 1)/(p − 1), we can derive (8) similarly. The proof is completed.

Corollary 2 Regarding any four padded messages having the format $M_5 = m_1 m_2 \cdots m_{i-1} m_i m_{i+1} \cdots m_{s-1} m_s$, $M_6 = m_1^* m_2 \cdots m_{i-1} m_i^* m_{i+1} \cdots m_{s-1} m_s$, $M_7 = M_1 M_2 \cdots M_{j-1} M_j M_{j+1} \cdots M_{p-1} M_p$ and $M_8 = M_1^* M_2 \cdots M_{j-1} M_j^* M_{j+1} \cdots M_{p-1} M_p$, where m_i = M_j, m_i^* = M_j^* (or m_i = M_j^*, m_i^* = M_j) when i, j satisfy (i − 1)/(s − 1) = (j − 1)/(p − 1), one can directly forge the hash value of any one of the four messages from the other three messages' hash values, without knowledge of the secret key.

Proof With the help of the proofs of Proposition 2 and Corollary 1, it is clear that the following equality holds:

$$H_k(M_i) = H_k(M_j) \oplus H_k(M_p) \oplus H_k(M_q) = \bigoplus_{r=5, r \ne i}^{8} H_k(M_r), \quad i = 5, 6, 7, 8.$$

The proof is completed.

Proposition 2 and Corollary 2 show that a valid message-MAC pair can be forged from three other message-MAC pairs (the padded messages are of unequal length) without knowledge of the secret key. The attack examples for original messages (before padding) are given in Table 2, which extend directly to the case of messages with more blocks. Therefore, the hash function is vulnerable to the variant-length forgery attack.

Table 2 Examples of the variant-length forgery attack. Secret key k = (x_0 = 0.123456, u_0 = 0.654321). a^64 denotes a run of 64 ASCII characters 'a', i.e. one 512-bit block.

Message (before padding)                                   | Hash value (128-bit, hexadecimal)
M_5 = m_1 = a^64                                           | 9EC8F489DA7008E8F86C6AE66759F746
M_6 = m_1^* = b^64                                         | EA9769CED09D8CC50B8D0859B010B227
M_7 = M_1 M_2 M_3 = m_1 M_2 M_3 = a^64 c^64 d^64           | EF80AB02CF8B9D82E9AAD1173A879851
M_8 = M_1^* M_2 M_3 = m_1^* M_2 M_3 = b^64 c^64 d^64       | 9BDF3645C56619AF1A4BB3A8EDCEDD30

M_5 = m_1 m_2 = a^64 b^64                                  | C8EC95396B87B26B08436743CAAF8F0E
M_6 = m_1^* m_2^* = c^64 d^64                              | F6BD6882EDA55DDA34377F50C5AA68C0
M_7 = M_1 M_2 M_3 M_4 = m_1 M_2 m_2 M_4 = a^64 e^64 b^64 f^64         | 1E1B5A5D8E8035F1A3D3E91B27B3ACBF
M_8 = M_1^* M_2 M_3^* M_4 = m_1^* M_2 m_2^* M_4 = c^64 e^64 d^64 f^64 | 204AA7E608A2DA409FA7F10828B64B71

M_5 = m_1 m_2 = a^64 b^64                                  | C8EC95396B87B26B08436743CAAF8F0E
M_6 = m_1^* m_2^* = c^64 d^64                              | F6BD6882EDA55DDA34377F50C5AA68C0
M_7 = M_1 M_2 M_3 M_4 = m_1 M_2 m_2^* M_4 = a^64 e^64 d^64 f^64       | AFF426E589A56E18383738E66EBEF486
M_8 = M_1^* M_2 M_3^* M_4 = m_1^* M_2 m_2 M_4 = c^64 e^64 b^64 f^64   | 91A5DB5E0F8781A9044320F561BB1348

H_k(M_8) = H_k(M_5) ⊕ H_k(M_6) ⊕ H_k(M_7), or $H_k(M_i) = \bigoplus_{r=5, r \ne i}^{8} H_k(M_r)$, i = 5, 6, 7, 8.

3.3 Weak key attack

In (1), there are five singular pairs for (x(k), x(k + 1)), i.e., (0, 0), (u, 0), (0.5, 1), (1 − u, 1), and (1, 0). Consequently, x(j) ≡ 0 for j ≥ k + 2 for any given u when x(k) ∈ {0, u, 0.5, 1 − u, 1}. Although such cases happen rarely in normal use, they can be utilized by an adversary to construct MAC collisions, because x(j) ≡ 0, j ≥ k + 2, implies K_i = {0}^128 in Xiao's scheme. Since x(0) ∈ {0, 0.5, 1} leads to K_i = {0}^128 for any u, such keys can easily be identified as weak keys and excluded from the key space. Thus we focus on x(0) ∈ {u, 1 − u} and demonstrate how weak keys can be utilized to construct collisions.

Regarding the parameter u of the PWLCM in Xiao's scheme, it is defined by (3), which is related only to i, the current block index, s, the total number of blocks, and u_0, the part of the secret key. So the parameter u of the PWLCM varies with the block index and the message length under the same secret key k = {x(0), u_0}, while it is unconcerned with the message content. Such a defect can be utilized by a malicious authorized user to choose a weak key {x(0), u_0} in advance, purposely satisfying x(0) ∈ {u, 1 − u} for certain i and s as follows:

$$x(0) = u = \big(u_0 + (i-1)/(2(s-1))\big)/2 \quad (9.1)$$

or

$$x(0) = 1 - u = 1 - \big(u_0 + (i-1)/(2(s-1))\big)/2. \quad (9.2)$$

… and s̃, respectively. Consequently, the chaotic trajectory x(j) ≡ 0, j ≥ 2, for the ĩth block, which results in K_ĩ = {0}^128 regardless of the block content. In such circumstances, the authorized user chooses a weak key k = {x(0), u_0} beforehand in accordance with message M and (9.1, 9.2); then he/she can freely substitute the ĩth block of M to construct a collision message M'. Obviously, H_k(M) = H_k(M') due to K_ĩ = K'_ĩ = {0}^128 under the same weak key. Through this malicious method, the authorized user can theoretically construct up to 2^512 collisions using one weak key, which exists for any message.

To illustrate the weak key attack, two simple examples are given. Assume H_0 = {0}^128 without loss of generality, since the original scheme does not set it to an explicit value. Consider a message M with two 512-bit blocks, each block with 64 ASCII characters, as

$$M = m_1 m_2 = \underbrace{aa\cdots a}_{64}\ \underbrace{aaa\cdots a}_{64}; \quad (10)$$

then the padded message has three blocks, M_padded = m_1 m_2 m_s, where m_s is the padding block and s = 3. If a malicious user wants to construct collisions for the ith block (i = 2 for example), he can randomly choose x_0 = 0.3456 and calculate u_0 = 2x_0 − (i − 1)/(2(s − 1)) = 0.4412 according to (9.1). The chosen weak key is then k = {x_0 = 0.3456, u_0 = 0.4412}, and the hash value of M is H_k(M) = 58E8A8C7CACF6FA2CC5577D0BE5FA0EB.
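As an added example that is not code from the paper or from Xiao et al. [12], the following Python implements the Block Hash of Sect. 2.2 (steps (1)–(7) with eqs. (1)–(7)) and uses it on constructed messages to check three points: the XOR relation of Proposition 1 (also checked on the MACs printed in Table 1), the orbit collapse and resulting collision under a weak key built from (9.1), and the weak-key screening plus the output transformation of eq. (12) in Sect. 4, under which the XOR relation no longer holds. Assumed here and not fixed by the paper: H_0 = {0}^128, the PWLCM returns 0 when its parameter is 0, H_s is zero-padded to one 512-bit block before the final Block Hash, and (9.1) is solved for x_0 instead of u_0 so that the equality is exact in floating point; the code does not attempt to reproduce the paper's own hexadecimal values.

```python
import math

# Constructed for this example: the four messages and the key of Table 1
# (two 512-bit blocks each, so s = 3 after padding) and its published MACs.
TABLE1_KEY = (0.987, 0.1234)                       # k = (x0, u0)
TABLE1_MSGS = [b"a" * 128, b"b" * 64 + b"a" * 64, b"a" * 64 + b"c" * 64, b"b" * 64 + b"c" * 64]
TABLE1_HASHES = [0x1B6ED60F97A9C866F5840914CC365583, 0x92BF413F9C683A9E3A09850BF5EE7035,
                 0xB0E89B2894916C24C2F9764AD33A87A7, 0x39390C189F509EDC0D74FA55EAE2A211]
H0 = 0  # assumed, as in Sect. 3.3: H0 = {0}^128

def pwlcm(x, u):
    """One step of the PWLCM F_u of eq. (1); assumption: u == 0 maps to 0."""
    if u == 0:
        return 0.0
    if x < u:
        return x / u
    if x < 0.5:
        return (x - u) / (0.5 - u)
    if x < 1 - u:
        return (1 - x - u) / (0.5 - u)
    return (1 - x) / u

def orbit(x0, u, n):
    """x(1), ..., x(n) of the PWLCM started at x(0) = x0 with parameter u."""
    xs, x = [], x0
    for _ in range(n):
        x = pwlcm(x, u)
        xs.append(x)
    return xs

def u_i(u0, i, s):
    """Block parameter of eq. (3); the original scheme needs s >= 2."""
    return u0 / 2 + (i - 1) / (4 * (s - 1))

def block_hash(key, i, block, s):
    """Block Hash(k, i, m_i) of eq. (6), following steps (1)-(7) of Sect. 2.2."""
    x0, u0 = key
    wr = [b / 256 for b in block]                       # step (1): wr_1..wr_64
    x = orbit(x0, u_i(u0, i, s), 97)                    # step (2): x[j-1] is x(j)
    wc, bc, qc = x[50:58], x[58], x[59]                 # step (3): x(51..58), x(59), x(60)
    qc = 1 - qc if qc > 0.5 else qc
    wh = [x[60 + 8 * r: 68 + 8 * r] for r in range(4)]  # step (4): x(61..92)
    bh, qh = x[92:96], x[96]                            #           x(93..96), x(97)
    qh = 1 - qh if qh > 0.5 else qh
    c = []                                              # step (5), eq. (4)
    for g in range(8):
        v = math.fmod(sum(w * r for w, r in zip(wc, wr[8 * g: 8 * g + 8])) + bc, 1.0)
        c.append(orbit(v, qc, 50)[-1])                  # f^50 with parameter QC
    k = 0                                               # steps (6)-(7), eq. (5)
    for r in range(4):
        v = math.fmod(sum(w * cc for w, cc in zip(wh[r], c)) + bh[r], 1.0)
        mh = orbit(v, qh, 50)[-1]                       # f^50 with parameter QH
        k = (k << 32) | (int(mh * 2 ** 32) & 0xFFFFFFFF)  # 32 bits after the point
    return k

def pad(msg):
    """Sect. 2.1 padding with the correction of Sect. 3: a 1 bit, zeros up to
    448 mod 512, then the bit length of M in the rightmost 64 bits."""
    return msg + b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + (8 * len(msg)).to_bytes(8, "big")

def hash_original(key, msg):
    """Eq. (7): H0 xor K_1 xor ... xor K_s; each K_i depends only on k, i, s, m_i."""
    p = pad(msg)
    bs = [p[j:j + 64] for j in range(0, len(p), 64)]
    h = H0
    for i, b in enumerate(bs, start=1):
        h ^= block_hash(key, i, b, len(bs))
    return h

def hash_improved(key, msg):
    """Eq. (12): one more Block Hash over H_s. Assumption: the 128-bit H_s is
    zero-padded to one 512-bit block; with i = 1 the value of s is irrelevant."""
    hs = hash_original(key, msg)
    return block_hash(key, 1, hs.to_bytes(16, "big") + b"\x00" * 48, 2)

def is_weak_key(key, s, tol=1e-12):
    """Sect. 4 screening: reject x0 in {0, 0.5, 1} or x0 in {u_i, 1 - u_i} (9.1, 9.2)."""
    x0, u0 = key
    if any(math.isclose(x0, v, abs_tol=tol) for v in (0.0, 0.5, 1.0)):
        return True
    return any(math.isclose(x0, u_i(u0, i, s), abs_tol=tol)
               or math.isclose(x0, 1 - u_i(u0, i, s), abs_tol=tol) for i in range(1, s + 1))

def forgery_relation(hash_fn, key=TABLE1_KEY, msgs=TABLE1_MSGS):
    """True when H(M4) == H(M1) ^ H(M2) ^ H(M3), i.e. M4's MAC needs no key."""
    h = [hash_fn(key, m) for m in msgs]
    return h[3] == h[0] ^ h[1] ^ h[2]

def table1_relation_holds():
    """The same relation checked on the MACs printed in Table 1."""
    h = TABLE1_HASHES
    return h[3] == h[0] ^ h[1] ^ h[2]

def weak_key_collision(u0=0.4412, s=3, i=2):
    """Weak key of eq. (9.1) with x0 = u_i, aimed at block i of a 2-block message.
    Returns (orbit of block i collapsed to 0?, MACs of M and M' equal?)."""
    key = (u_i(u0, i, s), u0)
    collapsed = orbit(key[0], key[0], 5) == [0.0] * 5
    m, m_mod = b"a" * 128, b"a" * 64 + b"*" * 64       # constructed; differ in block 2 only
    return collapsed, hash_original(key, m) == hash_original(key, m_mod)
```

Under the original XOR chaining the relation holds for any block hash at all, which is why the fix is an output transformation rather than a stronger Block Hash.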

Table 3 Examples of the weak key attack. a^64 denotes a run of 64 ASCII characters 'a', i.e. one 512-bit block.

Weak key k                                   | Message (before padding)                                        | Hash value (128-bit, hexadecimal)
x_0 = 0.3456, u_0 = 0.4412 (s = 3, i = 2)    | M_1 = m_1 m_2 = a^64 a^64                                       | 58E8A8C7CACF6FA2CC5577D0BE5FA0EB
                                             | M_1' = m_1 m_2' = a^64 *^64                                     | 58E8A8C7CACF6FA2CC5577D0BE5FA0EB
x_0 = 0.7654321, u_0 = 0.2191358 (s = 3, i = 2) | M_2 = m_1 m_2 = a^64 a^64                                    | 9D14FD75CEE12B85935FD911A25E8C82
                                             | M_2' = m_1 m_2' = a^64 *^64                                     | 9D14FD75CEE12B85935FD911A25E8C82
x_0 = 0.33333, u_0 = 0.41666 (s = 5, i = 3)  | M_3 = m_1 m_2 m_3 m_4 = a^64 b^64 c^64 d^64                     | E36273035F07CECA9255C8A82E318976
                                             | M_3' = m_1 m_2 m_3' m_4 = a^64 b^64 *^64 d^64                   | E36273035F07CECA9255C8A82E318976

H_k(M_j') = H_k(M_j), j = 1, 2, 3, i.e. collisions happen.
* k = (x_0, u_0) is calculated from (9.1, 9.2) after x_0 was randomly selected; the symbol '*' denotes any ASCII character.

Since the malicious user is aiming at attacking the 2nd block with the weak key, he can freely substitute the 2nd block of M with any other 512-bit block, i.e. the modified message has the following form:

$$M' = m_1 m_2' = \underbrace{aaa\cdots a}_{64}\ \underbrace{***\cdots *}_{64}, \quad (11)$$

where '*' denotes any 8-bit ASCII character. Hashing M' with the same weak key k, the hash value is H_k(M') = 58E8A8C7CACF6FA2CC5577D0BE5FA0EB, i.e. H_k(M') = H_k(M).

Similarly, if x_0 is chosen randomly as x_0 = 0.7654321, then u_0 = 0.2191358 according to (9.2) for i = 2, s = 3. The weak key is thus k = {x_0 = 0.7654321, u_0 = 0.2191358}, and H_k(M') = H_k(M) = 9D14FD75CEE12B85935FD911A25E8C82 for M and M', which are given by (10) and (11) respectively. The method can be directly extended to other cases for messages with different i and s, and the attack examples are given in Table 3.

It should be stressed that there are a large number of weak keys {x(0), u_0} satisfying (9.1, 9.2) for every fixed i and s. Also, a malicious user can choose weak keys for an expected block index i according to (9.1, 9.2) to construct meaningful or meaningless collisions. Thus, the hash scheme is susceptible to a weak key attack that results in MAC collisions.

4 Our improved scheme

Based on the cryptanalysis of Sect. 3, there are three flaws in the original scheme: it works only for the case where the padded message length satisfies s ≥ 2; there exist a large number of weak keys which cause MAC collisions; and it is susceptible to two kinds of forgery attacks.

The first flaw can be patched by replacing the factor (i − 1)/(s − 1) with i/s in (3), where i is the current block index and s is the total block number of the padded message. The second flaw can be repaired by explicitly excluding the weak keys defined by (9.1, 9.2) during the key derivation.

To remedy the third flaw, i.e. susceptibility to forgery attacks, we propose the improved scheme as depicted in Fig. 2 and formulated by:

$$\begin{aligned} H_s &= H_0 \oplus K_1 \oplus K_2 \oplus \cdots \oplus K_s, \\ H_k(M) &= \mathrm{Block\ Hash}(k, 1, H_s), \end{aligned} \quad (12)$$

where k is the secret key and Block Hash(·) is the block hash operation defined by (6).

It can be seen that, in the improved scheme, we perform one more block hash operation on H_s after all XOR operations. In other words, the value H_s = H_0 ⊕ K_1 ⊕ K_2 ⊕ ··· ⊕ K_s in the improved scheme is no longer the final hash value. An output transformation using the block hash is further applied to H_s to obtain the final hash value H_k(M).

4.1 Security analysis of the improved scheme

The first two flaws in the original scheme, namely the incapability to hash a message with only one block and the susceptibility to MAC collisions, can be overcome by the minor modifications above in the improved scheme.

The forgery attacks on the original scheme are based on the utilization of the characteristic of the XOR operation, since the final hash value H_k(M) = H_s = H_0 ⊕ K_1 ⊕ K_2 ⊕ ··· ⊕ K_s is obtained through simple XOR operations on the K_i (i = 1, 2, …, s). In our improved scheme, the output transformation introduces complicated nonlinear connections among the different parts of the final hash value H_k(M). Obviously, both Corollary 1 and Corollary 2 are invalid in this case. Therefore, the improved scheme can resist the forgery attacks described in Sect. 3.

Fig. 2 [figure not reproduced] … improved parallel keyed hash function.

The reason that we use the Block Hash(·) operation on the original hash value H_s to resist the forgery attacks is based on two factors: (1) Since the Block Hash(·) operation has already been used repeatedly as the compression function for each message block, using it once more as the output transformation facilitates the reuse of software and hardware implementations. (2) Assume the compression function Block Hash(·) is secure; then the output transformation using Block Hash(·) is also secure. It is unnecessary to give a further security proof for the output transformation to satisfy the security requirements of a hash function.

4.2 Performance analysis of the improved scheme

The improved scheme uses one more Block Hash(·) on the original hash value to derive the final hash value, as depicted in Fig. 2. It is not difficult to conclude that the performance of the improved scheme, such as sensitivity to the message, confusion and diffusion, resistance to collision attacks and meet-in-the-middle attacks, is not worse than that of the original scheme. In the following, we will thus focus on the speed comparison between the improved scheme and the original scheme.

Referring to the original scheme [12], the speed of the improved scheme is evaluated by the number of multiplicative operations required for each ASCII character (8 bits) of the message during the hash process. The speed comparison is listed in Table 4. Although the output transformation is added after the XOR operation, the effect on the entire efficiency of the algorithm is very slight, especially as the block number s increases. The calculation for our improved scheme is as follows:

In sequential mode, the original scheme needs T_1 = 3.25 + 13τ/64 multiplicative operations for each character [12], where τ is the number of pre-iterations of the PWLCM. Based on the calculation analysis of the original scheme, the improved scheme needs T_1^new = T_1 + T_1/s = T_1(1 + 1/s) multiplicative operations for each character, where s is the total block number of the padded message. In parallel mode, the number of multiplicative operations of the original scheme is T_2 = (72 + 3τ)/(64p) for each character [12], while it is T_2^new = T_2 + (72 + 3τ)/(64 × s) = T_2(1 + p/s) for the improved scheme. Here p represents the number of parallel processing units, and s the total block number of the padded message.

Table 4 Speed comparison between the original scheme and the improved scheme (multiplicative operations per character)

Operation mode  | The original scheme       | The improved scheme
Sequential mode | T_1 = 3.25 + 13τ/64       | T_1(1 + 1/s)
Parallel mode   | T_2 = (72 + 3τ)/(64p)     | T_2(1 + p/s)

Note: τ is the number of pre-iterations of the PWLCM; s is the total block number of the padded message; p is the number of parallel processing units.

It can be seen that the computation of the improved scheme is slightly higher than that of the original scheme, both in sequential mode and in parallel mode. But with the increase of the total number s of message blocks, the hash speed of the improved scheme approaches that of the original scheme. Considering the tradeoff between security and performance, the improved scheme is therefore efficient.

5 Conclusion

In this paper, we point out the security flaws of Xiao et al.'s parallel keyed hash function based on a chaotic neural network. Their scheme is susceptible to an equal-length forgery attack and a variant-length forgery attack. Moreover, there are a large number of weak keys for any message, which can be used to construct MAC collisions. To remedy such security flaws, enhancement measures are further proposed to resist such attacks. The theoretical analysis shows that the improved scheme is more secure than the original one. In the meanwhile, it can also keep the parallel merit and other performance advantages of the original scheme.

Xiaomin Wang is currently working as Associate Professor at the School of Information Science and Technology, Southwest Jiaotong University, China. His research interests include chaotic cryptography, multimedia and biometrics information security, pattern recognition and machine vision. He has published more than 40 journal and conference papers in the areas of his research.

… Natural Science Foundation of China (Grant Nos. 60903202, 61003245), the Specialized Research Fund for the Doctoral Program of Higher Education of China (Grant No. 20090184120024), the Fund for Outstanding Young Researchers of Sichuan Province (Grant No. 2011JQ0027), and the Foundation Sciences Southwest Jiaotong University (Grant No. 2008B08).

References

1. … techniques-Message Authentication Code (MACs), Geneve, Switzerland.
2. Wong, K. W. (2003). A combined chaotic cryptographic and hashing scheme. Physics Letters A, 307(5–6), 292–298.
3. Zhang, J. S., Wang, X. M., & Zhang, W. F. (2007). Chaotic keyed hash function based on feedforward–feedback nonlinear digital filter. Physics Letters A, 362(5–6), 439–448.
4. Wang, X. M., Zhang, J. S., & Zhang, W. F. (2003). One way Hash function construction based on the extended chaotic maps switch. Acta Physica Sinica, 52(11), 2737–2742 (in Chinese).
5. Wang, Y., Liao, X., Xiao, D., & Wong, K. W. (2008). One-way hash function construction based on 2D coupled map lattices. Information Sciences, 178(5), 1391–1406.
6. Yang, H., Wong, K., & Liao, X. et al. (2009). One-way hash function construction based on chaotic map network. Chaos, Solitons and Fractals, 41(5), 2566–2574.
7. Yi, X. (2005). Hash function based on chaotic tent maps. IEEE Transactions on Circuits and Systems II, Express Briefs, 52(6), 354–357.
8. Wang, X. M., Zhang, J. S., & Zhang, W. F. (2005). Keyed Hash function based on composite nonlinear autoregressive filter. Acta Physica Sinica, 54(12), 5566–5573 (in Chinese).

Wei Guo received the B.S. and Ph.D. degrees from Southwest Jiaotong University, China, in 2001 and 2007, respectively. Currently, she is with the Key Lab of Information Security and National Computing Grid, Southwest Jiaotong University, Chengdu, China, where she is an associate professor of information security. Her main research interests include information security, threshold signature, and cryptology.

Wenfang Zhang received the B.S. degree in the School of Computer Science & Technology in 2002 and is pursuing the Ph.D. degree in the School of Information Sciences & Technology, Southwest Jiaotong University, Chengdu, China. His research interests include chaotic hash design, chaos cryptanalysis, and hardware implementations of security and cryptographic algorithms.

Muhammad Khurram Khan is currently working as Associate Professor at the Center of Excellence in Information Assurance (CoEIA), King Saud University, Saudi Arabia. He is the Founding Editor of 'Bahria University Journal of Information & Communication Tech…

9. Khan, M. K., Zhang, J. S., & Wang, X. M. (2008). Chaotic hash- nology (BUJICT)’. He also plays

based fingerprint biometric remote user authentication scheme on role of Editor of several interna-

mobile devices. Chaos, Solitons and Fractals, 35(3), 519–524. tional journals of Elsevier Science

10. Xiao, D., Liao, X. F., & Deng, S. J. (2008). Parallel keyed hash and Springer-Verlag. Dr. Khurram

function construction based on chaotic maps. Physics Letters A, has published more than 100 re-

372(26), 4682–4688. search papers in the journals and

11. Guo, W., Wang, X. M., He, D. K., & Cao, Y. (2009). Cryptanalysis conferences of international repute.

on a parallel keyed hash function based on chaotic maps. Physics His areas of interest are biometrics, information security, multime-

Letters A, 373(36), 3201–3206. dia security, and digital data hiding. His profile can be visited at

12. Xiao, D., Liao, X. F., & Wong, Y. (2009). Parallel keyed hash func- http://faculty.ksu.edu.sa/khurram

tion construction based on chaotic neural network. Neurocomput-

ing, 72(10–12), 2288–2296.

524 X. Wang et al.

CISM, PMP, MCSE: Security, Se-

curiy+, BS7799 Lead Auditor, is an

associate professor and the director

of the Center of Excellence in In-

formation Assurance in King Saud

University, Riyadh, Saudi Arabia.

He is a security advisor for several

government agencies. His main re-

search interest is in information se-

curity management, policies and de-

sign. He received his Ph.D. in In-

formation Technology from George

Mason University, USA.
