Ubiquitous Weak-Key Classes of BRW-Polynomial Function

  • Kaiyan Zheng
  • Peng Wang
  • Dingfeng Ye
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10831)


The BRW-polynomial function has been suggested as a preferred alternative to the polynomial function, owing to its high efficiency and seemingly non-existent weak keys. In this paper we investigate the weak-key issue of the BRW-polynomial function as well as of BRW-instantiated cryptographic schemes. Although, in BRW-polynomial evaluation, the relationship between coefficients and input blocks is indistinct, we give a recursive algorithm that, for any given \((2^{v+1}-1)\)-block message, computes another \((2^{v+1}-1)\)-block message such that their output differential through BRW-polynomial evaluation equals any given s-degree polynomial, where \(v\ge \lfloor \log _2(s+1)\rfloor \). With this algorithm, we show that any non-empty key subset is a weak-key class in the BRW-polynomial function. Moreover, any key subset of the BRW-polynomial function consisting of at least 2 keys is a weak-key class in BRW-instantiated cryptographic schemes such as the Wegman-Carter scheme, the UHF-then-PRF scheme, DCT, etc. In particular, in the AE scheme DCT both confidentiality and integrity collapse totally when weak keys of the BRW-polynomial function, which are ubiquitous, are used.
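The following is an added illustration of the abstract's claim, written for this page and not the paper's recursive algorithm: it evaluates the BRW polynomial over GF(2^128) (assumed here to be GF(2)[x]/(x^128 + x^7 + x^2 + x + 1) in plain polynomial basis) and works the smallest case by hand, a 3-block message (v = 1, so s ≤ 2), where the output differential can be set to any degree-≤2 polynomial; choosing that polynomial as the product of (h + h_i) over a chosen key subset is exactly what makes that subset a weak-key class. The function names are mine.

```python
# Added illustration, not the paper's algorithm: BRW evaluation over GF(2^128)
# and a hand-derived 3-block (v = 1) instance of the output-differential trick.
# Field: GF(2)[x]/(x^128 + x^7 + x^2 + x + 1), plain basis (assumed); "+" is XOR.
MOD = (1 << 128) | (1 << 7) | (1 << 2) | (1 << 1) | 1

def gf_mul(a: int, b: int) -> int:
    """Carry-less multiply of two field elements, reduced modulo MOD."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> 128:
            a ^= MOD
    return r

def brw(h: int, m: list) -> int:
    """BRW_h(m1..mn); for n >= 4, t = largest power of two <= n, and
    BRW(m1..mn) = BRW(m1..m_{t-1}) * (h^t + m_t) + BRW(m_{t+1}..mn)."""
    n = len(m)
    if n == 0:
        return 0
    if n == 1:
        return m[0]
    if n == 2:
        return gf_mul(m[0], h) ^ m[1]
    if n == 3:
        return gf_mul(h ^ m[0], gf_mul(h, h) ^ m[1]) ^ m[2]
    t = 1 << (n.bit_length() - 1)
    ht = h
    for _ in range(n.bit_length() - 1):      # h^t by repeated squaring
        ht = gf_mul(ht, ht)
    return gf_mul(brw(h, m[:t - 1]), ht ^ m[t - 1]) ^ brw(h, m[t:])

def collide_3block(m: list, a2: int, a1: int, a0: int) -> list:
    """Return M' with BRW_h(M) + BRW_h(M') = a2*h^2 + a1*h + a0 for EVERY h,
    using (h+m1)(h^2+m2)+m3 = h^3 + m1*h^2 + m2*h + m1*m2 + m3."""
    m1, m2, m3 = m
    n1, n2 = m1 ^ a2, m2 ^ a1
    n3 = m3 ^ gf_mul(m1, m2) ^ gf_mul(n1, n2) ^ a0
    return [n1, n2, n3]

def weak_key_class_3block(m: list, keys: list) -> list:
    """For 1 or 2 keys, return M' != M with BRW_h(M) == BRW_h(M') for each h
    in keys: the differential is p(h) = prod(h + k) over the chosen keys."""
    assert len(m) == 3 and 1 <= len(keys) <= 2
    p = [1, 0, 0]                            # [a0, a1, a2] of p(h) = 1
    for k in keys:                           # p(h) <- p(h) * (h + k)
        p = [gf_mul(p[0], k), p[0] ^ gf_mul(p[1], k), p[1] ^ gf_mul(p[2], k)]
    return collide_3block(m, p[2], p[1], p[0])
```

For any key outside the chosen subset the two messages still hash differently, since the differential p(h) is then a product of non-zero field elements; the defensive takeaway is that security of BRW-based schemes rests on the key being secret, not on weak-key avoidance.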


Keywords: Weak key · Polynomial evaluation hash · BRW-polynomial · DCT · Message authentication code · Authenticated encryption



The authors would like to thank the anonymous reviewers for their helpful comments and suggestions. The work of this paper is supported by the National Key Basic Research Program of China (2014CB340603) and the National Natural Science Foundation of China (Grants 61472415, 61732021, 61772519).



Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  1. State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China
  2. Data Assurance and Communication Security Research Center, Chinese Academy of Sciences, Beijing, China
  3. School of Cyber Security, University of Chinese Academic Science, Beijing, China
