Telecommun Syst (2013) 52:515–524
DOI 10.1007/s11235-011-9457-9

Cryptanalysis and improvement on a parallel keyed hash function based on chaotic neural network

Xiaomin Wang · Wei Guo · Wenfang Zhang · Muhammad Khurram Khan · Khaled Alghathbar

X. Wang (corresponding author): Key Laboratory of Traffic Information Engineering and Control, School of Information Science & Technology, Southwest Jiaotong University, Chengdu, Sichuan 610031, China. e-mail: xmwang@home.swjtu.edu.cn
W. Guo · W. Zhang: Key Laboratory of Information Security and National Computing Grid, School of Information Science & Technology, Southwest Jiaotong University, Chengdu, Sichuan 610031, China
M.K. Khan · K. Alghathbar: Center of Excellence in Information Assurance (CoEIA), King Saud University, Riyadh, Kingdom of Saudi Arabia
K. Alghathbar: Information Systems Department, College of Computer and Information Sciences, King Saud University, Riyadh, Kingdom of Saudi Arabia

Published online: 15 June 2011
© Springer Science+Business Media, LLC 2011

Abstract This paper analyzes in detail the security of a chaotic parallel keyed hash function and points out that it is susceptible to two kinds of forgery attack and to a weak key attack (which results in MAC collisions). To remedy these security flaws, an improved scheme is proposed, and its security and performance are discussed. The theoretical analysis shows that the improved scheme is more secure than the original one, while keeping the parallelism and the other performance advantages of the original scheme.

Keywords Chaos · Cryptanalysis · Keyed hash function · Forgery attack · Weak key attack · Neural network

1 Introduction

Cryptographic hash functions play a fundamental role in data integrity and message authentication in modern cryptography [1]. Exploiting the nonlinearity of chaotic dynamics, many researchers have proposed chaotic hash functions in the past few years [2–9]. However, most of these algorithms have an iterative hash structure that processes the message only sequentially, which restricts their efficiency on parallel processing platforms. To overcome this limitation, a parallel keyed hash function based on the piecewise linear chaotic map and the 4-dimensional Cat map was proposed [10], but our cryptanalysis showed that it is not secure [11].

Recently, Xiao et al. [12] presented another parallel keyed hash function using a chaotic neural network. Because of the parallel structure of the algorithm and the inner parallelism of the neural network, their scheme is suitable for parallel computing platforms. However, this parallel hash function has some design flaws and is not secure either. In this paper, we analyze the security flaws of Xiao's scheme in detail and show that the scheme is susceptible to an equal-length forgery attack and a variant-length forgery attack. Moreover, there is a large number of weak keys in the scheme, which a malicious user can exploit to construct message authentication code (MAC) collisions. To remedy these security flaws, an efficient improvement of the original scheme is proposed. The security and performance analysis shows that the improved scheme is more secure than the original one at a slight computational cost, while the parallelism of the original scheme is preserved.

2 Review of the original parallel keyed hash function

Xiao's parallel keyed hash function [12] is built on a two-layer neural network with 8 input neurons and 4 output neurons. Each input neuron has the same parameters (weights, biases and transfer function),
whereas the output neurons have different parameters. The values of the weights and biases are generated from a piecewise linear chaotic map (PWLCM), which also acts as the transfer function. The PWLCM is defined as [12]:

$$
x(k+1) = F_u(x(k)) =
\begin{cases}
x(k)/u, & 0 \le x(k) < u \\
(x(k)-u)/(0.5-u), & u \le x(k) < 0.5 \\
(1-x(k)-u)/(0.5-u), & 0.5 \le x(k) < 1-u \\
(1-x(k))/u, & 1-u \le x(k) \le 1
\end{cases}
\tag{1}
$$

where x(k) ∈ [0, 1] and u ∈ (0, 0.5) are the iteration value and the parameter of the PWLCM, respectively. The initial value x_0 ∈ [0, 1] and the parameter u_0 ∈ (0, 0.5) form the secret key of the keyed hash function.

The original scheme compresses 512-bit message blocks into an N-bit hash value (N = 128 is generally assumed in [12]). The whole algorithm structure is depicted in Fig. 1, and the hash construction can be summarized in three phases: the message padding phase, the block-wise compression (compression function) phase, and the phase chaining the intermediate hash values.

Fig. 1 Structure of the original parallel keyed hash function in [12]. (a) Diagram of the whole algorithm; (b) the chaotic neural network structure of Block Hash.

2.1 Message padding phase

The original message M is padded such that its length is a multiple of 512: let L be the length of the original message M; the padding bits (100···0)_2 of length n (such that (L + n) mod 512 = 448, 1 ≤ n ≤ 512) are appended. The left 64-bit is used to denote the length of the original message M. The padded message M is then split into 512-bit message blocks as M = (m_1, m_2, ..., m_s), and each block is written as $m_i = m_i^1 m_i^2 \cdots m_i^{512}$.

2.2 Block-wise compression phase

The compression of the ith message block m_i (i = 1, 2, ..., s), called the Block Hash function in [12], proceeds as follows:

(1) The 512-bit m_i is divided into 64 units of 8 bits each. These 64 units are denoted in turn by w_1, w_2, ..., w_63, w_64 as in (2), and are pre-mapped into wr_1, wr_2, ..., wr_64 in [0, 1] by the linear transform wr_i = w_i/256, i = 1, 2, ..., 64. Then wr_1, wr_2, ..., wr_64 are divided into 8 groups: group 1 is (wr_1, wr_2, ..., wr_8), group 2 is (wr_9, wr_10, ..., wr_16), ..., group 8 is (wr_57, wr_58, ..., wr_64).

$$
m_i = \underbrace{m_i^1 m_i^2 \cdots m_i^8}_{w_1}\ \underbrace{m_i^9 m_i^{10} \cdots m_i^{16}}_{w_2} \cdots \underbrace{m_i^{505} m_i^{506} \cdots m_i^{512}}_{w_{64}} \tag{2}
$$

(2) Calculate the parameter u_i (denoted uu0 in [12]) for the current ith block as

$$
u_i = \frac{u_0}{2} + \frac{1}{4}\,\frac{i-1}{s-1} \in [0, 0.5], \tag{3}
$$

where u_0 is part of the secret key and s is the total number of blocks of the padded message M. Then iterate the PWLCM (1) with initial value x(0) and parameter u_i for 97 times to obtain the orbit x(j), j = 1, 2, ..., 97.

(3) Parameterize the neurons of the input layer. There are 8 neurons in the input layer, each with 8 inputs and the same parameters: the weights WC_1, WC_2, ..., WC_8 are set to x(j), j = 51, 52, ..., 58, respectively; the bias BC is set to x(59); and the parameter QC of the transfer function is set to x(60) (if x(60) > 0.5, then 1 − x(60) is used as QC).

(4) Parameterize the neurons of the output layer. There are 4 output neurons, each with 8 inputs and different parameters: x(j), j = 61, 62, ..., 92 are set as the weights WH_{i,1}, WH_{i,2}, ..., WH_{i,8} (i = 1, 2, 3, 4); x(j), j = 93, 94, 95, 96 are set as the biases BH_1, BH_2, BH_3, BH_4; and x(97) is set as the parameter QH of the transfer function (if x(97) > 0.5, then 1 − x(97) is used as QH).

(5) Compute the outputs of the input layer. The 8 groups of input data, namely group 1: wr_1, wr_2, ..., wr_8; group 2: wr_9, wr_10, ..., wr_16; ...; group 8: wr_57, wr_58, ...,
wr_64, are transformed into the output data C = [c_1, c_2, ..., c_8] as in (4):

$$
c_i = f^{50}\bigl(\operatorname{mod}\bigl([WC_1, WC_2, \ldots, WC_8] \cdot [wr_{(i-1)\cdot 8+1}, wr_{(i-1)\cdot 8+2}, \ldots, wr_{(i-1)\cdot 8+8}]^T + BC,\ 1\bigr),\ QC\bigr), \tag{4}
$$

where i = 1, 2, ..., 8, and f is the PWLCM defined by (1) with parameter QC.

(6) Compute the outputs of the output layer. The outputs of the input layer, C = [c_1, c_2, ..., c_8], are fed into the output layer to generate the final output data MH = [mh_1, mh_2, mh_3, mh_4] as in (5):

$$
mh_i = f^{50}\bigl(\operatorname{mod}\bigl([WH_{i,1}, WH_{i,2}, \ldots, WH_{i,8}] \cdot [c_1, c_2, \ldots, c_8]^T + BH_i,\ 1\bigr),\ QH\bigr), \quad i = 1, \ldots, 4. \tag{5}
$$

(7) The obtained mh_1, mh_2, mh_3, mh_4 are converted to binary, and the 32, 32, 32, 32 bits after the decimal point are extracted. Juxtaposing the four 32-bit binary strings from left to right gives a 128-bit keystream K_i, i.e. the output of the compression function for the ith message block m_i.

The above compression of m_i can be written as the function

$$
K_i = \text{Block Hash}(k, i, m_i), \tag{6}
$$

where k = {x_0, u_0} is the secret key and K_i is the keystream corresponding to the message block m_i.

2.3 Chaining the intermediate hash values phase

Let H_k(M) denote the final hash value of the message M under the secret key k. H_k(M) is obtained by XORing all the K_i with the initial vector H_0, as depicted in Fig. 1 and described by (7):

$$
H_k(M) = H_s = H_0 \oplus K_1 \oplus K_2 \oplus \cdots \oplus K_s. \tag{7}
$$

Since the keystream K_i in (6) is generated from the message block m_i independently of the other blocks, H_k(M) can obviously be computed in parallel; Xiao's scheme is therefore a parallel keyed hash function.

3 Cryptanalysis of the original parallel keyed hash function

In this section, we discuss the security problems of the original scheme and show that it is vulnerable to two kinds of forgery attack and to a weak key attack. In detail, a message with a valid MAC can be produced from three related messages and their MACs without knowledge of the secret key. In addition, a class of weak keys in the scheme is discussed; keys are considered weak in the sense that they drive the chaotic orbit of the PWLCM to a fixed point. With these weak keys, different messages have identical MACs; in other words, a MAC collision occurs.

Note that there are two minor errors in Xiao's original scheme. One is "The left 64-bit is used to denote the length of the original message M" in the message padding phase of Sect. 2.1, where "left 64-bit" should be corrected to "right 64-bit". The other is (3) for calculating the parameter u_i: when the padded message has only one block, i.e. s = 1, u_1 cannot be calculated from (3), because u_1 = u_0/2 + 0/0 in that case. Thus (3) is only suitable for s ≥ 2, i.e. the padded message must have at least two blocks. These errors do not hamper the following cryptanalysis.

3.1 Equal-length forgery attack

Here an equal-length forgery attack means that a valid message-MAC pair can be obtained from other message-MAC pairs whose padded messages all have the same length. To demonstrate such an attack on the original scheme, the following propositions are introduced.

Proposition 1 Given three equal-length padded messages M_1, M_2, M_3 and their corresponding hash values H_1 = H_k(M_1), H_2 = H_k(M_2), H_3 = H_k(M_3), if M_1, M_2, M_3 are of the forms
$M_1 = m_1 m_2 \cdots m_i m_{i+1} \cdots m_{s-1} m_s$,
$M_2 = m_1^* m_2^* \cdots m_i^* m_{i+1} \cdots m_{s-1} m_s$,
$M_3 = m_1 m_2 \cdots m_i m_{i+1}^* m_{i+2}^* \cdots m_{s-1}^* m_s$,
respectively, where m_i is the ith 512-bit block and m_s is the padding block, then for the message $M_4 = m_1^* m_2^* \cdots m_i^* m_{i+1}^* \cdots m_{s-1}^* m_s$ the hash value under the same secret key can be derived as H_k(M_4) = H_k(M_1) ⊕ H_k(M_2) ⊕ H_k(M_3), without knowledge of the secret key k.

Proof Let K_i = Block Hash(k, i, m_i) and K_i^* = Block Hash(k, i, m_i^*) be the keystreams of the ith blocks m_i and m_i^* under the secret key k, respectively. From (6) and (7) with secret key k, we have

$$
\begin{aligned}
H_k(M_1) &= H_0 \oplus K_1 \oplus K_2 \oplus \cdots \oplus K_i \oplus K_{i+1} \oplus \cdots \oplus K_{s-1} \oplus K_s, \\
H_k(M_2) &= H_0 \oplus K_1^* \oplus K_2^* \oplus \cdots \oplus K_i^* \oplus K_{i+1} \oplus \cdots \oplus K_{s-1} \oplus K_s, \\
H_k(M_3) &= H_0 \oplus K_1 \oplus K_2 \oplus \cdots \oplus K_i \oplus K_{i+1}^* \oplus K_{i+2}^* \oplus \cdots \oplus K_{s-1}^* \oplus K_s.
\end{aligned}
$$
Table 1 Examples of the equal-length forgery attack. Secret key k = (x_0 = 0.987, u_0 = 0.1234)

Message (before padding)                          | Hash value (128-bit, hexadecimal)
M_1 = m_1 m_2     = a…a (64 bytes) a…a (64 bytes) | 1B6ED60F97A9C866F5840914CC365583
M_2 = m_1^* m_2   = b…b (64 bytes) a…a (64 bytes) | 92BF413F9C683A9E3A09850BF5EE7035
M_3 = m_1 m_2^*   = a…a (64 bytes) c…c (64 bytes) | B0E89B2894916C24C2F9764AD33A87A7
M_4 = m_1^* m_2^* = b…b (64 bytes) c…c (64 bytes) | 39390C189F509EDC0D74FA55EAE2A211

H_k(M_4) = H_k(M_1) ⊕ H_k(M_2) ⊕ H_k(M_3), or H_k(M_i) = ⊕_{j=1, j≠i}^{4} H_k(M_j), i = 1, 2, 3, 4

If $M_4 = m_1^* m_2^* \cdots m_i^* m_{i+1}^* \cdots m_{s-1}^* m_s$ and the secret key is also k, then

$$
H_k(M_4) = H_0 \oplus K_1^* \oplus K_2^* \oplus \cdots \oplus K_i^* \oplus K_{i+1}^* \oplus K_{i+2}^* \oplus \cdots \oplus K_{s-1}^* \oplus K_s.
$$

Obviously the following equality holds:

$$
H_k(M_4) = H_k(M_1) \oplus H_k(M_2) \oplus H_k(M_3).
$$

That is, the hash value of M_4 can be derived directly by XORing the hash values of three equal-length messages whose padding blocks are identical, without knowledge of the secret key and without invoking the hash operation for H_k(M_4) at all. □

Corollary 1 Consider any four padded messages of the form $M_1 = m_1 m_2 \cdots m_i m_{i+1} \cdots m_s$, $M_2 = m_1^* m_2^* \cdots m_i^* m_{i+1} \cdots m_s$, $M_3 = m_1 m_2 \cdots m_i m_{i+1}^* m_{i+2}^* \cdots m_{s-1}^* m_s$ and $M_4 = m_1^* m_2^* \cdots m_i^* m_{i+1}^* m_{i+2}^* \cdots m_{s-1}^* m_s$. One can directly forge the hash value of any one of the four messages from the hash values of the other three, without knowledge of the secret key.

Proof With the help of the proof of Proposition 1, it is not difficult to verify the equality

$$
H_k(M_i) \oplus H_k(M_j) = H_k(M_p) \oplus H_k(M_q) \quad \text{for } i, j, p, q \in \{1, 2, 3, 4\} \text{ pairwise distinct.}
$$

Thus we readily obtain

$$
H_k(M_i) = H_k(M_j) \oplus H_k(M_p) \oplus H_k(M_q) = \bigoplus_{r=1,\, r \ne i}^{4} H_k(M_r), \quad i = 1, 2, 3, 4.
$$

The proof is completed. □

Proposition 1 and Corollary 1 show that a valid message-MAC pair can be forged from three other message-MAC pairs (the padded messages all have equal length and identical padding blocks) without knowledge of the secret key. The attack example for original messages with two blocks (before padding) is given in Table 1; it extends directly to messages with more blocks. Therefore, the hash function is vulnerable to the equal-length forgery attack.

3.2 Variant-length forgery attack

Compared with the equal-length forgery attack, the variant-length forgery attack means that a valid message-MAC pair can be obtained from other message-MAC pairs of different lengths. The variant-length forgery attack given here differs from the unequal-length forgery attack we discussed in [11], where the lengths of the last two padded messages had to be multiples of those of the first two for the attack to succeed; the variant-length forgery attack given here has no such requirement.

Proposition 2 Given three padded messages M_5, M_6, M_7 and their corresponding hash values under the secret key k, H_5 = H_k(M_5), H_6 = H_k(M_6), H_7 = H_k(M_7), if M_5, M_6, M_7 are of the forms
$M_5 = m_1 m_2 \cdots m_{i-1} m_i m_{i+1} \cdots m_{s-1} m_s$,
$M_6 = m_1^* m_2 \cdots m_{i-1} m_i^* m_{i+1} \cdots m_{s-1} m_s$,
$M_7 = \mathrm{M}_1 \mathrm{M}_2 \cdots \mathrm{M}_{j-1} \mathrm{M}_j \mathrm{M}_{j+1} \cdots \mathrm{M}_{p-1} \mathrm{M}_p$,
respectively, where m_i and M_j are the ith and jth 512-bit blocks (lower-case m_i for the blocks of M_5 and M_6, capital M_j for the blocks of M_7 and M_8) and m_s and M_p are the padding blocks, then for the message $M_8 = \mathrm{M}_1^* \mathrm{M}_2 \cdots \mathrm{M}_{j-1} \mathrm{M}_j^* \mathrm{M}_{j+1} \cdots \mathrm{M}_{p-1} \mathrm{M}_p$, if m_i = M_j and m_i^* = M_j^* (or m_i = M_j^* and m_i^* = M_j) with i, j satisfying (i−1)/(s−1) = (j−1)/(p−1), its hash value under the same secret key k can be derived as H_k(M_8) = H_k(M_5) ⊕ H_k(M_6) ⊕ H_k(M_7), without knowledge of the secret key k.

Proof According to (6) with secret key k, the following notation is introduced for convenience.
K_i = Block Hash(k, i, m_i): keystream of block m_i of message M_5, whose total number of blocks after padding is s;
K_i^* = Block Hash(k, i, m_i^*): keystream of block m_i^* of message M_6, whose total number of blocks after padding is s;
k_j = Block Hash(k, j, M_j): keystream of block M_j of message M_7, whose total number of blocks after padding is p;
k_j^* = Block Hash(k, j, M_j^*): keystream of block M_j^* of message M_8, whose total number of blocks after padding is p.

From the keystream generation in steps (1)–(7) of Sect. 2.2, the keystream K_i is determined only by the secret key k, the content of m_i and the ratio (i−1)/(s−1) (i.e. the relative position of m_i). Thus, if m_i = M_j (or m_i = M_j^*) and (i−1)/(s−1) = (j−1)/(p−1), then K_i = k_j (or K_i = k_j^*) holds for the same k.

Clearly i = j = 1 is a trivial solution of the equation (i−1)/(s−1) = (j−1)/(p−1) for any s ≥ 2, p ≥ 2. That is, when m_1 = M_1 and m_1^* = M_1^* hold, K_1 = k_1 and K_1^* = k_1^* also hold for any s and p. Similarly, when m_i = M_j and m_i^* = M_j^* with i, j satisfying (i−1)/(s−1) = (j−1)/(p−1), we readily get K_i = k_j and K_i^* = k_j^*.

From (6) and (7) with the same secret key k, we have

$$
\begin{aligned}
H_k(M_5) &= H_0 \oplus K_1 \oplus K_2 \oplus \cdots \oplus K_{i-1} \oplus K_i \oplus K_{i+1} \oplus \cdots \oplus K_{s-1} \oplus K_s, \\
H_k(M_6) &= H_0 \oplus K_1^* \oplus K_2 \oplus \cdots \oplus K_{i-1} \oplus K_i^* \oplus K_{i+1} \oplus \cdots \oplus K_{s-1} \oplus K_s, \\
H_k(M_7) &= H_0 \oplus k_1 \oplus k_2 \oplus \cdots \oplus k_{j-1} \oplus k_j \oplus k_{j+1} \oplus \cdots \oplus k_{p-1} \oplus k_p \\
         &= H_0 \oplus K_1 \oplus k_2 \oplus \cdots \oplus k_{j-1} \oplus K_i \oplus k_{j+1} \oplus \cdots \oplus k_{p-1} \oplus k_p, \\
H_k(M_8) &= H_0 \oplus k_1^* \oplus k_2 \oplus \cdots \oplus k_{j-1} \oplus k_j^* \oplus k_{j+1} \oplus \cdots \oplus k_{p-1} \oplus k_p \\
         &= H_0 \oplus K_1^* \oplus k_2 \oplus \cdots \oplus k_{j-1} \oplus K_i^* \oplus k_{j+1} \oplus \cdots \oplus k_{p-1} \oplus k_p.
\end{aligned}
$$

Obviously the following equality holds:

$$
H_k(M_5) \oplus H_k(M_6) = H_k(M_7) \oplus H_k(M_8) = K_1 \oplus K_1^* \oplus K_i \oplus K_i^*.
$$

Thus

$$
H_k(M_8) = H_k(M_5) \oplus H_k(M_6) \oplus H_k(M_7). \tag{8}
$$

In the case m_i = M_j^*, m_i^* = M_j with i, j satisfying (i−1)/(s−1) = (j−1)/(p−1), we derive (8) similarly. The proof is completed. □

Corollary 2 Consider any four padded messages of the form
$M_5 = m_1 m_2 \cdots m_{i-1} m_i m_{i+1} \cdots m_{s-1} m_s$,
$M_6 = m_1^* m_2 \cdots m_{i-1} m_i^* m_{i+1} \cdots m_{s-1} m_s$,
$M_7 = \mathrm{M}_1 \mathrm{M}_2 \cdots \mathrm{M}_{j-1} \mathrm{M}_j \mathrm{M}_{j+1} \cdots \mathrm{M}_{p-1} \mathrm{M}_p$ and
$M_8 = \mathrm{M}_1^* \mathrm{M}_2 \cdots \mathrm{M}_{j-1} \mathrm{M}_j^* \mathrm{M}_{j+1} \cdots \mathrm{M}_{p-1} \mathrm{M}_p$,
where m_i = M_j, m_i^* = M_j^* (or m_i = M_j^*, m_i^* = M_j) with i, j satisfying (i−1)/(s−1) = (j−1)/(p−1). One can directly forge the hash value of any one of the four messages from the hash values of the other three, without knowledge of the secret key.

Proof With the help of the proofs of Proposition 2 and Corollary 1, it is clear that the following equality holds:

$$
H_k(M_i) = H_k(M_j) \oplus H_k(M_p) \oplus H_k(M_q) = \bigoplus_{r=5,\, r \ne i}^{8} H_k(M_r), \quad i = 5, 6, 7, 8.
$$

The proof is completed. □

Proposition 2 and Corollary 2 show that a valid message-MAC pair can be forged from three other message-MAC pairs (the padded messages having unequal lengths) without knowledge of the secret key. Attack examples for original messages (before padding) are given in Table 2; they extend directly to messages with more blocks. Therefore, the hash function is vulnerable to the variant-length forgery attack.

Table 2 Examples of the variant-length forgery attack. Secret key k = (x_0 = 0.123456, u_0 = 0.654321)

Message (before padding)                                                                      | Hash value (128-bit, hexadecimal)
M_5 = m_1 = a…a (64)                                                                          | 9EC8F489DA7008E8F86C6AE66759F746
M_6 = m_1^* = b…b (64)                                                                        | EA9769CED09D8CC50B8D0859B010B227
M_7 = M_1 M_2 M_3 = m_1 M_2 M_3 = a…a (64) c…c (64) d…d (64)                                  | EF80AB02CF8B9D82E9AAD1173A879851
M_8 = M_1^* M_2 M_3 = m_1^* M_2 M_3 = b…b (64) c…c (64) d…d (64)                              | 9BDF3645C56619AF1A4BB3A8EDCEDD30
                                                                                              |
M_5 = m_1 m_2 = a…a (64) b…b (64)                                                             | C8EC95396B87B26B08436743CAAF8F0E
M_6 = m_1^* m_2^* = c…c (64) d…d (64)                                                         | F6BD6882EDA55DDA34377F50C5AA68C0
M_7 = M_1 M_2 M_3 M_4 = m_1 M_2 m_2 M_4 = a…a (64) e…e (64) b…b (64) f…f (64)                 | 1E1B5A5D8E8035F1A3D3E91B27B3ACBF
M_8 = M_1^* M_2 M_3^* M_4 = m_1^* M_2 m_2^* M_4 = c…c (64) e…e (64) d…d (64) f…f (64)         | 204AA7E608A2DA409FA7F10828B64B71
                                                                                              |
M_5 = m_1 m_2 = a…a (64) b…b (64)                                                             | C8EC95396B87B26B08436743CAAF8F0E
M_6 = m_1^* m_2^* = c…c (64) d…d (64)                                                         | F6BD6882EDA55DDA34377F50C5AA68C0
M_7 = M_1 M_2 M_3 M_4 = m_1 M_2 m_2^* M_4 = a…a (64) e…e (64) d…d (64) f…f (64)               | AFF426E589A56E18383738E66EBEF486
M_8 = M_1^* M_2 M_3^* M_4 = m_1^* M_2 m_2 M_4 = c…c (64) e…e (64) b…b (64) f…f (64)           | 91A5DB5E0F8781A9044320F561BB1348

(64) denotes 64 ASCII characters. H_k(M_8) = H_k(M_5) ⊕ H_k(M_6) ⊕ H_k(M_7), or H_k(M_i) = ⊕_{r=5, r≠i}^{8} H_k(M_r), i = 5, 6, 7, 8

3.3 Weak key attack

In (1), there are five singular pairs (x(k), x(k+1)), namely (0, 0), (u, 0), (0.5, 1), (1 − u, 1) and (1, 0). Consequently, x(j) ≡ 0 for j ≥ k + 2 and any given u whenever x(k) ∈ {0, u, 0.5, 1 − u, 1}. Although such cases rarely happen in normal use, an adversary can exploit them to construct MAC collisions, because x(j) ≡ 0 for j ≥ k + 2 implies K_i = {0}_1^{128} in Xiao's scheme. Since x(0) ∈ {0, 0.5, 1} leads to K_i = {0}_1^{128} for any u, such keys can easily be identified as weak and excluded from the key space. We therefore focus on x(0) ∈ {u, 1 − u} and demonstrate how weak keys can be used to construct collisions.

The parameter u of the PWLCM in Xiao's scheme is defined by (3), which depends only on the current block index i, the total number of blocks s, and the key part u_0. So under the same secret key k = {x(0), u_0} the parameter u of the PWLCM varies with the block index and the message length, but is independent of the message content. This defect can be exploited by a malicious authorized user who deliberately chooses a weak key {x(0), u_0} in advance such that x(0) ∈ {u, 1 − u} for certain i and s, as follows:

$$
x(0) = u = \bigl(u_0 + (i-1)/(2(s-1))\bigr)/2 \tag{9.1}
$$

or

$$
x(0) = 1 - u = 1 - \bigl(u_0 + (i-1)/(2(s-1))\bigr)/2. \tag{9.2}
$$

For convenience, we denote such particular i and s by ĩ and s̃, respectively. Consequently, the chaotic trajectory satisfies x(j) ≡ 0 for j ≥ 2 for the ĩth block, which results in K_ĩ = {0}_1^{128} regardless of the block content. In such circumstances, if the authorized user chooses a weak key k = {x(0), u_0} beforehand according to the message M and (9.1, 9.2), then he/she can freely substitute the ĩth block of M to construct a colliding message M'. Obviously H_k(M) = H_k(M') because K_ĩ = K'_ĩ = {0}_1^{128} under the same weak key. Through this malicious method, the authorized user can theoretically construct up to 2^512 collisions using one weak key, and such a key exists for any message.

To illustrate the weak key attack, two simple examples are given. Assume H_0 = {0}_1^{128} without loss of generality, since the original scheme does not set it to an explicit value.

Consider a message M with two 512-bit blocks, each block consisting of 64 ASCII characters:

$$
M = m_1 m_2 = \underbrace{aaa \cdots a}_{64}\ \underbrace{aaa \cdots a}_{64}, \tag{10}
$$

then the padded message has three blocks, M_padded = m_1 m_2 m_s, where m_s is the padding block and s = 3. If a malicious user wants to construct collisions for the ith block (i = 2, for example), he can randomly choose x_0 = 0.3456 and calculate u_0 = 2x_0 − (i − 1)/(2(s − 1)) = 0.4412 according to (9.1). The chosen weak key is then k = {x_0 = 0.3456, u_0 = 0.4412}, and the hash value of M is H_k(M) = 58E8A8C7CACF6FA2CC5577D0BE5FA0EB.
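The following Python reconstruction is an added example, not the authors' code: it reimplements the scheme of Sect. 2 in floating point and exercises the XOR-chaining forgery of Sects. 3.1–3.2, the weak key just derived, and the output transformation proposed later in Sect. 4, which breaks the forgery relation. Assumed details the paper leaves open (so its hash values need not match the paper's tables, although the structural identities hold regardless): byte-aligned messages, H_0 = 0, the first 32 fractional bits of each mh_i, and H_s zero-padded to one 512-bit block hashed as block 1 of 1 in the output transformation.

```python
# Added example (not the authors' code): a floating-point reconstruction of the
# scheme of Sect. 2, used to exercise the attacks of Sect. 3 and the fix of Sect. 4.
# Assumed details the paper leaves open: byte-aligned messages, H0 = 0, the first
# 32 fractional bits of each mh_i, and H_s zero-padded to one 512-bit block.

def pwlcm(x: float, u: float) -> float:
    """Piecewise linear chaotic map (1): x in [0, 1], u in (0, 0.5)."""
    if 0 <= x < u:
        return x / u
    if u <= x < 0.5:
        return (x - u) / (0.5 - u)
    if 0.5 <= x < 1 - u:
        return (1 - x - u) / (0.5 - u)
    return (1 - x) / u

def pad_message(msg: bytes) -> list:
    """Sect. 2.1: append a 1 bit, zeros up to 448 mod 512 bits, then the 64-bit
    message length (the 'right 64-bit' of Sect. 3); return the 64-byte blocks."""
    padded = msg + b"\x80"
    padded += b"\x00" * ((56 - len(padded)) % 64)
    padded += (8 * len(msg)).to_bytes(8, "big")
    return [padded[k:k + 64] for k in range(0, len(padded), 64)]

def block_param(u0: float, i: int, s: int, improved: bool) -> float:
    """u_i of (3); the improved scheme (Sect. 4) uses i/s so that s = 1 is defined."""
    frac = i / s if improved else (i - 1) / (s - 1)
    return u0 / 2 + 0.25 * frac

def block_hash(key, i: int, block: bytes, s: int, improved: bool = False) -> int:
    """Block Hash(k, i, m_i) of Sect. 2.2, returning the 128-bit keystream K_i."""
    x0, u0 = key
    u = block_param(u0, i, s, improved)
    orbit = [x0]                                    # orbit[j] = x(j), j = 0..97
    for _ in range(97):
        orbit.append(pwlcm(orbit[-1], u))
    wr = [b / 256 for b in block]                   # step (1): 64 units mapped into [0, 1)
    wc, bc, qc = orbit[51:59], orbit[59], orbit[60]             # step (3)
    wh = [orbit[61 + 8 * n:69 + 8 * n] for n in range(4)]       # step (4)
    bh, qh = orbit[93:97], orbit[97]
    qc, qh = min(qc, 1 - qc), min(qh, 1 - qh)      # parameters above 0.5 are folded

    def neuron(weights, inputs, bias, q):           # (4) and (5): f^50(mod(W.x + b, 1), q)
        v = (sum(w * a for w, a in zip(weights, inputs)) + bias) % 1.0
        for _ in range(50):
            v = pwlcm(v, q)
        return v

    c = [neuron(wc, wr[8 * g:8 * g + 8], bc, qc) for g in range(8)]
    k = 0
    for n in range(4):                              # step (7): 4 x 32 fractional bits
        k = (k << 32) | (int(neuron(wh[n], c, bh[n], qh) * 2 ** 32) & 0xFFFFFFFF)
    return k

H0 = 0   # initial vector; the paper fixes no value, and Sect. 3.3 assumes all zeros

def hash_original(key, msg: bytes) -> int:
    """(7): H_k(M) = H_0 xor K_1 xor ... xor K_s; each K_i depends only on (k, i, m_i, s)."""
    blocks = pad_message(msg)
    h = H0
    for i, m in enumerate(blocks, 1):
        h ^= block_hash(key, i, m, len(blocks))
    return h

def hash_improved(key, msg: bytes) -> int:
    """(12): the XOR chain H_s is passed once more through Block Hash (assumed here
    with H_s zero-padded to 512 bits and hashed as block i = 1 of s = 1)."""
    blocks = pad_message(msg)
    hs = H0
    for i, m in enumerate(blocks, 1):
        hs ^= block_hash(key, i, m, len(blocks), improved=True)
    return block_hash(key, 1, hs.to_bytes(16, "big") + bytes(48), 1, improved=True)

def forge(h_a: int, h_b: int, h_c: int) -> int:
    """Propositions 1 and 2: the fourth MAC is the XOR of the other three."""
    return h_a ^ h_b ^ h_c

def weak_key(x0: float, i: int, s: int) -> tuple:
    """(9.1): pick u_0 so that u_i == x_0; block i then yields K_i = 0 for any content."""
    return (x0, 2 * x0 - (i - 1) / (2 * (s - 1)))

if __name__ == "__main__":
    key = (0.987, 0.1234)                                       # key of Table 1
    msgs = (b"a" * 128, b"b" * 64 + b"a" * 64, b"a" * 64 + b"c" * 64, b"b" * 64 + b"c" * 64)
    h = [hash_original(key, m) for m in msgs]
    g = [hash_improved(key, m) for m in msgs]
    print("original scheme, forged H(M4) correct:", forge(*h[:3]) == h[3])   # True
    print("improved scheme, forged H(M4) correct:", forge(*g[:3]) == g[3])   # False
    wk = weak_key(0.3456, 2, 3)                                 # u_0 = 0.4412 as in Sect. 3.3
    print("weak-key collision:", hash_original(wk, msgs[0]) == hash_original(wk, b"a" * 64 + b"*" * 64))
```

The forgery equalities hold for any choice of block function because (7) is linear over XOR; only the weak-key collision depends on the exact floating-point equality u_2 == x_0, which the derivation in weak_key preserves.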
Since the malicious user aims to attack the 2nd block with the weak key, he can freely substitute any other 512-bit block for the 2nd block of M, i.e. the modified message has the form

$$
M' = m_1 m_2' = \underbrace{aaa \cdots a}_{64}\ \underbrace{*** \cdots *}_{64}, \tag{11}
$$

where '*' denotes any 8-bit ASCII character. Hashing M' with the same weak key k gives H_k(M') = 58E8A8C7CACF6FA2CC5577D0BE5FA0EB, i.e. H_k(M') = H_k(M).

Similarly, if x_0 is chosen randomly as x_0 = 0.7654321, then u_0 = 0.2191358 according to (9.2) for i = 2, s = 3. The weak key is thus k = {x_0 = 0.7654321, u_0 = 0.2191358}, and H_k(M') = H_k(M) = 9D14FD75CEE12B85935FD911A25E8C82 for the M and M' given by (10) and (11), respectively. The method extends directly to other messages with different i and s; the attack examples are given in Table 3.

Table 3 Examples of the collision attack with weak key k = (x_0, u_0)*

Weak key k                                       | Message (before padding)                                      | Hash value (128-bit, hexadecimal)
x_0 = 0.3456, u_0 = 0.4412 (s = 3, i = 2)        | M_1 = m_1 m_2 = a…a (64) a…a (64)                             | 58E8A8C7CACF6FA2CC5577D0BE5FA0EB
                                                 | M_1' = m_1 m_2' = a…a (64) *…* (64)                           | 58E8A8C7CACF6FA2CC5577D0BE5FA0EB
x_0 = 0.7654321, u_0 = 0.2191358 (s = 3, i = 2)  | M_2 = m_1 m_2 = a…a (64) a…a (64)                             | 9D14FD75CEE12B85935FD911A25E8C82
                                                 | M_2' = m_1 m_2' = a…a (64) *…* (64)                           | 9D14FD75CEE12B85935FD911A25E8C82
x_0 = 0.33333, u_0 = 0.41666 (s = 5, i = 3)      | M_3 = m_1 m_2 m_3 m_4 = a…a (64) b…b (64) c…c (64) d…d (64)   | E36273035F07CECA9255C8A82E318976
                                                 | M_3' = m_1 m_2 m_3' m_4 = a…a (64) b…b (64) *…* (64) d…d (64) | E36273035F07CECA9255C8A82E318976

H_k(M_j) = H_k(M_j'), j = 1, 2, 3, i.e. a collision happens

* k = (x_0, u_0) is calculated from (9.1, 9.2) after x_0 was randomly selected; (64) denotes 64 ASCII characters and the symbol '*' denotes any ASCII character

It should be stressed that there is a large number of weak keys {x(0), u_0} satisfying (9.1, 9.2) for every fixed i and s. Also, a malicious user can choose weak keys for a chosen block index i according to (9.1, 9.2) to construct meaningful or meaningless collisions. Thus, the hash scheme is susceptible to a weak key attack that results in MAC collisions.

4 Our improved scheme

Based on the cryptanalysis of Sect. 3, there are three flaws in the original scheme: it works only when the padded message length satisfies s ≥ 2; there is a large number of weak keys which cause MAC collisions; and it is susceptible to two kinds of forgery attack.

The first flaw can be patched by replacing the factor (i−1)/(s−1) with i/s in (3), where i is the current block index and s is the total number of blocks of the padded message. The second flaw can be repaired by explicitly excluding the weak keys defined by (9.1, 9.2) during key derivation.

To remedy the third flaw, i.e. the susceptibility to forgery attacks, we propose the improved scheme depicted in Fig. 2 and formulated by

$$
\begin{aligned}
H_s &= H_0 \oplus K_1 \oplus K_2 \oplus \cdots \oplus K_s, \\
H_k(M) &= \text{Block Hash}(k, 1, H_s),
\end{aligned} \tag{12}
$$

where k is the secret key and Block Hash(·) is the block hash operation defined by (6).

It can be seen that, in the improved scheme, we perform one more block hash operation on H_s after all the XOR operations. In other words, the value H_s = H_0 ⊕ K_1 ⊕ K_2 ⊕ ··· ⊕ K_s is no longer the final hash value in the improved scheme. An output transformation using the block hash is applied to H_s to obtain the final hash value H_k(M).

4.1 Security analysis of the improved scheme

The first two flaws of the original scheme, namely the inability to hash a message with only one block and the susceptibility to MAC collisions, are overcome by the minor modifications above in the improved scheme.

The forgery attacks on the original scheme exploit the algebraic properties of the XOR operation, since the
final hash value H_k(M) = H_s = H_0 ⊕ K_1 ⊕ K_2 ⊕ ··· ⊕ K_s is obtained through simple XOR operations on the K_i (i = 1, 2, ..., s). In our improved scheme, the output transformation introduces complicated nonlinear connections among the different parts of the final hash value H_k(M). Obviously, both Corollary 1 and Corollary 2 are invalid in this case. Therefore, the improved scheme can resist the forgery attacks described in Sect. 3.

The reason we use the Block Hash(·) operation on the original hash value H_s to resist the forgery attacks is based on two factors: (1) since the Block Hash(·) operation is already used repeatedly as the compression function for each message block, using it once more as the output transformation facilitates the reuse of software and hardware implementations; (2) assuming the compression function Block Hash(·) is secure, the output transformation using Block Hash(·) is also secure, so no further security proof is needed for the output transformation to satisfy the security requirements of a hash function.

Fig. 2 Structure of the improved parallel keyed hash function

4.2 Performance analysis of the improved scheme

The improved scheme applies one more Block Hash(·) to the original hash value to derive the final hash value, as depicted in Fig. 2. It is not difficult to conclude that the performance of the improved scheme, such as sensitivity to the message, confusion and diffusion, and resistance to collision and meet-in-the-middle attacks, is not worse than that of the original scheme. In the following, we therefore focus on the speed comparison between the improved scheme and the original scheme.

Following the original scheme [12], the speed of the improved scheme is evaluated by the number of multiplicative operations required per ASCII character (8 bits) of message during the hash process. The speed comparison is listed in Table 4. Although the output transformation is added after the XOR operation, its effect on the overall efficiency of the algorithm is very slight, especially as the block number s increases. The calculation for our improved scheme is as follows.

In sequential mode, the original scheme needs T_1 = 3.25 + 13τ/64 multiplicative operations per character [12], where τ is the number of pre-iterations of the PWLCM. Based on the calculation analysis of the original scheme, the improved scheme needs T_1^new = T_1 + T_1/s = T_1(1 + 1/s) multiplicative operations per character, where s is the total number of blocks of the padded message. In parallel mode, the original scheme needs T_2 = (72 + 3τ)/(64p) multiplicative operations per character [12], while the improved scheme needs T_2^new = T_2 + (72 + 3τ)/(64s) = T_2(1 + p/s). Here p is the number of parallel processing units and s the total number of blocks of the padded message.

Table 4 Speed comparison between the original scheme and the improved scheme

Operation mode  | The original scheme     | The improved scheme
Sequential mode | T_1 = 3.25 + 13τ/64     | T_1(1 + 1/s)
Parallel mode   | T_2 = (72 + 3τ)/(64p)   | T_2(1 + p/s)

Note: τ is the number of pre-iterations of the PWLCM; s is the total number of blocks of the padded message; p is the number of parallel processing units.

It can be seen that the computation of the improved scheme is slightly higher than that of the original scheme, both in sequential and in parallel mode. But as the total number s of message blocks increases, the hash speed of the improved scheme approaches that of the original scheme. Considering the trade-off between security and performance, the improved scheme is therefore efficient.

5 Conclusion

In this paper, we point out the security flaws of Xiao et al.'s parallel keyed hash function based on a chaotic neural network. Their scheme is susceptible to an equal-length forgery attack and a variant-length forgery attack. Moreover, there is a large number of weak keys for any message, which can be used to construct MAC collisions. To remedy these security flaws, enhancement measures are proposed to resist such attacks. The theoretical analysis shows that the improved scheme is more secure than the original one, while keeping the parallelism and the other performance advantages of the original scheme.

Acknowledgements This work was supported by the National Natural Science Foundation of China (Grant Nos. 60903202, 61003245), the Specialized Research Fund for the Doctoral Program of Higher Education of China (Grant No. 20090184120024), the Fund for Outstanding Young Researchers of Sichuan Province (Grant No. 2011JQ0027), and the Foundation Sciences Southwest Jiaotong University (Grant No. 2008B08).

References

1. ISO/IEC 9797-1 (1999). Information technology – Security techniques – Message Authentication Codes (MACs). Geneva, Switzerland.
2. Wong, K. W. (2003). A combined chaotic cryptographic and hashing scheme. Physics Letters A, 307(5–6), 292–298.
3. Zhang, J. S., Wang, X. M., & Zhang, W. F. (2007). Chaotic keyed hash function based on feedforward–feedback nonlinear digital filter. Physics Letters A, 362(5–6), 439–448.
4. Wang, X. M., Zhang, J. S., & Zhang, W. F. (2003). One way hash function construction based on the extended chaotic maps switch. Acta Physica Sinica, 52(11), 2737–2742 (in Chinese).
5. Wang, Y., Liao, X., Xiao, D., & Wong, K. W. (2008). One-way hash function construction based on 2D coupled map lattices. Information Sciences, 178(5), 1391–1406.
6. Yang, H., Wong, K., Liao, X., et al. (2009). One-way hash function construction based on chaotic map network. Chaos, Solitons and Fractals, 41(5), 2566–2574.
7. Yi, X. (2005). Hash function based on chaotic tent maps. IEEE Transactions on Circuits and Systems II, Express Briefs, 52(6), 354–357.
8. Wang, X. M., Zhang, J. S., & Zhang, W. F. (2005). Keyed hash function based on composite nonlinear autoregressive filter. Acta Physica Sinica, 54(12), 5566–5573 (in Chinese).
9. Khan, M. K., Zhang, J. S., & Wang, X. M. (2008). Chaotic hash-based fingerprint biometric remote user authentication scheme on mobile devices. Chaos, Solitons and Fractals, 35(3), 519–524.
10. Xiao, D., Liao, X. F., & Deng, S. J. (2008). Parallel keyed hash function construction based on chaotic maps. Physics Letters A, 372(26), 4682–4688.
11. Guo, W., Wang, X. M., He, D. K., & Cao, Y. (2009). Cryptanalysis on a parallel keyed hash function based on chaotic maps. Physics Letters A, 373(36), 3201–3206.
12. Xiao, D., Liao, X. F., & Wong, Y. (2009). Parallel keyed hash function construction based on chaotic neural network. Neurocomputing, 72(10–12), 2288–2296.

Xiaomin Wang is currently working as Associate Professor at the School of Information Science and Technology, Southwest Jiaotong University, China. His research interests include chaotic cryptography, multimedia and biometrics information security, pattern recognition and machine vision. He has published more than 40 journal and conference papers in the areas of his research.

Wei Guo received the B.S. and Ph.D. degrees from Southwest Jiaotong University, China, in 2001 and 2007, respectively. Currently, she is with the Key Lab of Information Security and National Computing Grid, Southwest Jiaotong University, Chengdu, China, where she is an associate professor of information security. Her main research interests include information security, threshold signature, and cryptology.

Wenfang Zhang received the B.S. degree from the School of Computer Science & Technology in 2002 and is pursuing the Ph.D. degree at the School of Information Sciences & Technology, Southwest Jiaotong University, Chengdu, China. His research interests include chaotic hash design, chaos cryptanalysis, and hardware implementations of security and cryptographic algorithms.

Muhammad Khurram Khan is currently working as Associate Professor at the Center of Excellence in Information Assurance (CoEIA), King Saud University, Saudi Arabia. He is the Founding Editor of the 'Bahria University Journal of Information & Communication Technology (BUJICT)'. He also serves as Editor of several international journals of Elsevier Science and Springer-Verlag. Dr. Khurram has published more than 100 research papers in journals and conferences of international repute. His areas of interest are biometrics, information security, multimedia security, and digital data hiding. His profile can be visited at http://faculty.ksu.edu.sa/khurram
Khaled Alghathbar, Ph.D., CISSP, CISM, PMP, MCSE: Security, Security+, BS7799 Lead Auditor, is an associate professor and the director of the Center of Excellence in Information Assurance at King Saud University, Riyadh, Saudi Arabia. He is a security advisor for several government agencies. His main research interest is in information security management, policies and design. He received his Ph.D. in Information Technology from George Mason University, USA.