Telecommun Syst (2013) 52:515–524
DOI 10.1007/s11235-011-9457-9
Cryptanalysis and improvement on a parallel keyed hash function
based on chaotic neural network
Xiaomin Wang · Wei Guo · Wenfang Zhang ·
Muhammad Khurram Khan · Khaled Alghathbar
Published online: 15 June 2011
© Springer Science+Business Media, LLC 2011
Abstract This paper analyzes the security of a chaotic par-
allel keyed hash function in detail, and points out that it is
susceptible to two kinds of forgery attacks and weak key at-
tack (which results in MAC collision). To remedy such secu-
rity flaws, an improved scheme is further proposed, and its
security and performance are also discussed. The theoreti-
cal analysis shows that the improved scheme is more secure
than the original one. In the meanwhile, it can also keep the
parallel merit and other performance advantages of the orig-
inal scheme.
Keywords Chaos · Cryptanalysis · Keyed hash function ·
Forgery attack · Weak key attack · Neural network
1 Introduction
Cryptographic hash function plays a fundamental role for
data integrity or message authentication in modern cryptog-
X. Wang ()
Key Laboratory of Traffic Information Engineering and Control,
School of Information Science & Technology, Southwest Jiaotong
University, Chengdu, Sichuan 610031, China
e-mail: xmwang@home.swjtu.edu.cn
W. Guo · W. Zhang
Key Laboratory of Information Security and National Computing
Grid, School of Information Science & Technology, Southwest
Jiaotong University, Chengdu, Sichuan 610031, China
M.K. Khan · K. Alghathbar
Center of Excellence in Information Assurance (CoEIA), King
Saud University, Riyadh, Kingdom of Saudi Arabia
K. Alghathbar
Information Systems Department, College of Computer and
Information Sciences, King Saud University, Riyadh, Kingdom
of Saudi Arabia
raphy [1]. Utilizing the nonlinear property of chaotic dy-
namic, many researchers have proposed chaotic hash func-
tions in the past few years [2–9]. However, most of these
algorithms are of iterative hash structure only processing in
sequential mode, which restricts their efficiency on the par-
allel processing platforms. To salve such limitation, a par-
allel keyed hash function based on piecewise linear chaotic
map and 4-dimensional Cat map was proposed [10], but our
cryptanalysis indicated that it is not secure [11].
Recently, Xiao et al. [12] presented another parallel
keyed hash function using chaotic neural network. Due to
the parallel mode of algorithm structure and the inner paral-
lel mechanism of neural network, their scheme is suitable for
parallel computing platforms. However, this parallel hash
function has some design flaws and is not secure as well.
In this paper, we will analyze the security flaws of Xiao’s
scheme in detail, and show that the scheme is susceptible
to equal-length forgery attack and variant-length forgery at-
tack. Moreover, there are large amount of weak keys in the
scheme, which can be utilized by a malicious user to con-
struct message authentication codes (MAC) collisions. To
remedy such security flaws, an efficient improvement on the
original scheme is further proposed. The security and per-
formance analysis show that the improved scheme is more
secure than the original one at the slight computation cost. In
the meanwhile, the parallelism merit of the original scheme
can also be conserved.
2 Review of the original parallel keyed hash function
The Xiao’s parallel keyed hash function [12] is constructed
on a two-layer neural network that has 8 input neurons
and 4 output neurons. Each input neurons has same pa-
rameters including weights, biases and transfer functions,
516 X. Wang et al.

that (L + n) mod 512 = 448, 1 ≤ n ≤ 512) are appended.

The left 64-bit is used to denote the length of the original
message M. The padded message M is then separated into
512-bit message blocks as M = (m1 , m2 , . . . , ms ), and each
block is indicated as mi = m1i m2i · · · m512
i .

2.2 Block-wise compression phase

The compressing process of the ith message block mi (i =

1, 2, . . . , s), called as Block Hash function in [12], is de-
scribed as follows:
(1) 512-bit mi is divided into 64 units with 8 bits per unit.
These 64 units are denoted in turn by w1 , w2 , . . . , w63 ,
w64 as (2), and are further pre-mapped into wr1 ,
wr2 , . . . , wr64 in [0, 1] by means of linear transform:
wri = wi /256, i = 1, 2, . . . , 64. Then wr1 , wr2 , . . . ,
wr64 are divided into 8 groups as: group 1 is (wr1 ,
wr2 , . . . , wr8 ), group 2 is (wr9 , wr10 , . . . , wr16 ), . . . ,
group 8 is (wr57 , wr58 , . . . , wr64 ).
Fig. 1 Structure of the original parallel keyed hash function in [12].
(a) Diagram of whole algorithm; (b) The chaotic neural network struc-
ture of Block Hash mi = m1i m2i · · · m8i m9i m10
i · · · mi · · · mi mi · · · mi
16 505 506 512
     
w1 w2 w64
whereas the output neurons has different parameters. The
values of weights and biases are generated from piecewise (2)
linear chaotic map (PWLCM), which is also acted as the
(2) Calculate parameter ui (denoted by uu0 in [12]) for the
transfer function. The PWLCM is defined as [12]:
current ith block as:
x(k + 1) u0 1 i − 1
ui = + ∈ [0, 0.5], (3)
= Fu (x(k)) 2 4s −1
⎧
⎪
⎪ x(k)/u, 0 ≤ x(k) < u where u0 is the part of secret key and s is the total block
⎪
⎪
⎨(x(k) − u)/(0.5 − u), u ≤ x(k) < 0.5 number of padded message M. Then iterate PWLCM
= (1) with initial value x(0) and parameter ui for 97 times,
⎪
⎪ (1 − x(k) − u)/(0.5 − u), 0.5 ≤ x(k) < 1 − u
⎪
⎪ the orbit x(j ), j = 1, 2, . . . , 97 is obtained.
⎩(1 − x(k))/u, 1 − u ≤ x(k) ≤ 1
(3) Parameterize neurons of input layer. There are 8 neurons
where x(k) ∈ [0, 1], u ∈ (0, 0.5) are the iteration value and at input layer, and each neuron has 8 input data with
parameter of PWLCM, respectively. The initial value x0 ∈ same parameters, i.e. the weights WC1 , WC2 , . . . , WC8
[0, 1] and parameter u0 ∈ (0, 0.5) consist of the secret key are set by x(j ), j = 51, 52, . . . , 58 respectively; the bias
of keyed hash function. BC is set by x(59); and the parameter QC of the transfer
The original scheme compresses 512-bit message blocks function is set by x(60). (If x(60) > 0.5, then 1 − x (60)
into N -bit Hash value (generally, N = 128 is assumed in is set as QC.)
[12]). The whole algorithm structure can be depicted in (4) Parameterize neurons of output layer. There are 4 out-
Fig. 1 and the hash construction can be summarized as three put neurons with each neuron 8 inputs and different
phases: message padding phase, block-wise compression parameters, i.e. x(j ), j = 61, 62, . . . , 92 are set as
(compression function) phase, and chaining the intermedi- the weights—WH i,1 , WH i,2 , . . . , WH i,8 (i = 1, 2, 3, 4);
ate hash values phase. x(j ), j = 93, 94, 95, 96 are set as the biases—BH1 ,
BH 2 , BH 3 , BH 4 ; and x(97) is set as the parameter QH
2.1 Message padding phase of the transfer function. (If x(97) > 0.5, then 1 − x (97)
is set as QH .)
The original message M is padded such that its length is (5) Computing the outputs of input layer. The input 8-group
a multiple of 512: let L be the length of the original mes- data, including Group 1-wr 1 , wr2 , . . . , wr8 ; Group 2-
sage M; the padding bits (100 · · · 0)2 with length n (such wr9 , wr10 , . . . , wr16 ; . . . ; Group 8-wr57 , wr58 , . . . ,
Cryptanalysis and improvement on a parallel keyed hash function based on chaotic neural network
wr64 , are transformed into the output data C = [c1 ,
c2 , . . . , c8 ] as (4):
ci = f 50 (mod([W C1 , W C2 , . . . , W C8 ]
∗ [wr(i−1)∗8+1 , wr(i−1)∗8+2 , . . . , wr(i−1)∗8+8 ]T
+ BC, 1), QC),
where i = 1, 2, . . . , 8, and f is PWLCM defined by (1)
with parameter QC.
(6) Computing the outputs of output layer. The outputs of
input layer C = [c1 , c2 , . . . , c8 ] are feed into output
layer to generate final output data MH = [mh1 , mh2 ,
mh3 , mh4 ] as (5):
mhi = f 50 (mod([W Hi,1 , W Hi,2 , . . . , W Hi,8 ]
∗ [c1 , c2 , . . . , c8 ]T
+ BHi , 1), QH ), i = 1, . . . , 4.
(7) The obtained mh1 , mh2 , mh3 , mh4 are transformed into
the corresponding binary format, and the 32, 32, 32, 32
bits after the decimal point are extracted. Juxtapose the
four 32-bit binary strings from left to right to get a 128-
bit keystream Ki , i.e. the output of compression func-
tion for the ith message block mi .
The above compression process of mi can be functioned as
Ki = Block Hash(k, i, mi ),
where k = {x0 , u0 } is the secret key and Ki is the keystream
corresponding to message block mi .
2.3 Chaining the intermediate hash values phase
Let Hk (M) denote the final hash value of message M with
secret key k, then Hk (M)is obtained by XORing all Ki s
with initial vector H0 , which is depicted in Fig. 1 and de-
scribed by (7).
Hk (M) = Hs = H0 ⊕ K1 ⊕ K2 ⊕ · · · ⊕ Ks .
Since keystream Ki in (6) is generated independently from
message block mi , it is obvious that Hk (M) can be gen-
erated by parallel mode, the Xiao’s scheme is therefore a
parallel keyed hash function.
3 Cryptanalysis of the original parallel keyed hash
function
In this section, we will discuss the security problems of the
original scheme, and show that the scheme is vulnerable to
two kinds of forgery attacks and weak key attack. In detail,
517
a message with a valid MAC can be produced from three
related messages and their MACs without the knowledge
of the secret key. In addition, a class of weak-keys in the
scheme is discussed where keys are considered as weak keys
in the sense that they turn the chaotic orbit of PWLCM to
fixed point. With these weak keys, different messages would
(4) have identical MACs, in other words, MAC collision hap-
pens at this case.
Note that there are two minor errors in Xiao’s original
scheme. One is “The left 64-bit is used to denote the length
of the original message M” in message padding phase in
Sect. 2.1, where “left 64-bit” should be corrected to “right
64-bit”. The other is (3) for calculating parameter ui . When
the padded message has only one block, i.e. s = 1, then u1
can not be calculated from (3) because u1 = u0 /2 + 0/0 in
such case. Thus (3) is only suitable for the case of s ≥ 2, i.e.
the padded message must at least have two blocks. But the
(5) aforementioned errors do not hamper the following crypt-
analysis.
3.1 Equal-length forgery attack
Here equal-length forgery attack means that a valid message-
MAC pair can be obtained from other message-MAC pairs
where lengths of these padded messages are all equal. To
demonstrate such attack on the original scheme, following
propositions are introduced.
(6)
Proposition 1 Given three equal-length padded messages
M1 , M2 , M3 and their corresponding hash values
H1 = Hk (M1 ), H2 = Hk (M2 ), H3 = Hk (M3 ), if M1 , M2 ,
M3 are of forms as M1 = m1 m2 · · · mi mi+1 · · · ms−1 ms ,
M2 = m∗1 m∗2 · · · m∗i mi+1 · · · ms−1 ms , M3 = m1 m2 · · ·
mi m∗i+1 m∗i+2 · · · m∗s−1 ms , respectively, where mi is the ith
512-bit block and ms is the padding block, then for mes-
sage M4 = m∗1 m∗2 · · · m∗i m∗i+1 · · · m∗s−1 ms , its hash value
with same secret key can be derived as Hk (M4 ) = Hk (M1 )⊕
Hk (M2 ) ⊕ Hk (M3 ), without knowledge of the secret key k.
(7) Proof Let Ki = Block Hash(k, i, mi ) and Ki∗ = Block Hash
(k, i, m∗i ) be the keystreams of the ith block mi and m∗i with
secret key k, respectively. Regarding (6) and (7) with secret
key k, we have:
Hk (M1 ) = H0 ⊕ K1 ⊕ K2 ⊕ · · · ⊕ Ki ⊕ Ki+1 ⊕ · · ·
⊕ Ks−1 ⊕ Ks ,
Hk (M2 ) = H0 ⊕ K1∗ ⊕ K2∗ ⊕ · · · ⊕ Ki∗ ⊕ Ki+1 ⊕ · · ·
⊕ Ks−1 ⊕ Ks ,
∗
Hk (M3 ) = H0 ⊕ K1 ⊕ K2 ⊕ · · · ⊕ Ki ⊕ Ki+1 ∗
⊕ Ki+2 ⊕ ···
∗
⊕ Ks−1 ⊕ Ks .
518 X. Wang et al.

Table 1 Examples of
equal-length forgery attack Secret key k = (x0 = 0.987, u0 = 0.1234)
Message (before padding) Hash value (128-bit, Hexadecimal)

M1 = m1 m2 = aa · · · a aa
  · · · a
  1B6ED60F97A9C866F5840914CC365583
64 64
M2 = m∗1 m2 = bb · · · b aa
  · · · a
  92BF413F9C683A9E3A09850BF5EE7035
64 64
M3 = m1 m∗2 = aa · · · a cc 
  · · · c B0E89B2894916C24C2F9764AD33A87A7
64 64
M4 = m∗1 m∗2 = bb · · · b cc 
  · · · c 39390C189F509EDC0D74FA55EAE2A211
64 64

4
Hk (M4 ) = Hk (M1 ) ⊕ Hk (M2 ) ⊕ Hk (M3 ) or Hk (Mi ) = Hk (Mj ), i = 1, 2, 3, 4
j =1,j =i

If M4 = m∗1 m∗2 · · · m∗i m∗i+1 · · · m∗s−1 ms and secret key is also Proposition 1 and Corollary 1 show that the valid mes-
k, then sage-MAC pair can be forged from other three message-
MAC pairs (the padded messages are all equal-length and
Hk (M4 ) = H0 ⊕ K1∗ ⊕ K2∗ ⊕ · · · ⊕ Ki∗ ⊕ Ki+1
∗
the padding blocks are identical) without knowledge of se-
∗
⊕ Ki+2 ∗
⊕ · · · ⊕ Ks−1 ⊕ Ks . cret key. The attack example for original messages with two
blocks (before padding) is given in Table 1, which can di-
Obviously, following equality is satisfied rectly extend to the case of messages with more blocks.
Therefore, the hash function is vulnerable against the equal-
Hk (M4 ) = Hk (M1 ) ⊕ Hk (M2 ) ⊕ Hk (M3 ). length forgery attack.

That is to say, M4 ’s hash value can be directly derived by
XORing the hash values of three equal-length messages
whose padding blocks are identical, without knowledge of
secret key and without invoking hash operation for Hk (M4 )
any more.  obtained from other variant-length message-MAC pairs. The
Corollary 1 Consider any four padded messages hav-
ing format as M1 = m1 m2 · · · mi mi+1 · · · ms , M2 = m∗1 m∗2
· · · m∗i mi+1 · · · ms , M3 = m1 m2 · · · mi m∗i+1 m∗i+2 · · · m∗s−1 ms
and M4 = m∗1 m∗2 · · · m∗i m∗i+1 m∗i+2 · · · m∗s−1 ms , one can di-
rectly forge the hash value of anyone of four messages from
other three messages’ hash values, without knowledge of
secret key.
Proof with the help of proof of Proposition 1, it is not diffi-
cult to verify the following equality:
Hk (Mi ) ⊕ Hk (Mj ) = Hk (Mp ) ⊕ Hk (Mq )
for i, j, p, q ∈ [1, 2, 3, 4] and i = j = p = q.
Thus, it has been ready to get
Hk (Mi ) = Hk (Mj ) ⊕ Hk (Mp ) ⊕ Hk (Mq )
4
= Hk (Mr ), i = 1, 2, 3, 4.
r=1,r=i
The proof is completed.
3.2 Variant-length forgery attack
Comparing to equal-length forgery attack, variant-length
forgery attack means that a valid message-MAC pair can be
variant-length forgery attack given here is different from
unequal-length forgery attack that we discussed in [11],
where the lengths of last two padded messages must be mul-
tiple of the first two ones for successful attack, while the
variant-length forgery attack given here has no such require-
ment.
Proposition 2 Given three padded messages M5 , M6 , M7
and their corresponding hash values with secret key k : H5 =
Hk (M5 ), H6 = Hk (M6 ), H7 = Hk (M7 ), if M5 , M6 , M7
are of forms as M5 = m1 m2 · · · mi−1 mi mi+1 · · · ms−1 ms ,
M6 = m∗1 m2 · · · mi−1 m∗i mi+1 · · · ms−1 ms , M7 = M1 M2 · · ·
Mj −1 Mj Mj +1 · · · Mp−1 Mp , respectively, where mi and
Mi are the ith 512-bit blocks, and ms and Mp are
the padding blocks. Then for message M8 = M∗1 M2 · · ·
Mj −1 M∗j Mj +1 · · · Mp−1 Mp , if mi = Mj , m∗i = M∗j (or
j −1
mi = M∗j , m∗i = Mj ) when i, j satisfy s−1
i−1
= p−1 , its hash
value with same secret key k can be derived as Hk (M8 ) =
Hk (M5 ) ⊕ Hk (M6 ) ⊕ Hk (M7 ), without knowledge of the se-
cret key k.
Proof According to (6) with secret key k, following nota-
 tions are introduced for convenience.
Cryptanalysis and improvement on a parallel keyed hash function based on chaotic neural network
Ki = Block Hash(k, i, mi ): keystream of block mi of
message M5 , whose total block number is s after padded;
Ki∗ = Block Hash(k, i, m∗i ): keystream of block m∗i
of message M6 , whose total block number is s after
padded;
kj = Block Hash(k, j, Mj ): keystream of block Mj of
message M7 , whose total block number is p after padded;
k∗j = Block Hash(k, j, M∗j ): keystream of block M∗j
of message M8 , whose total block number is p after
padded.
From keystream generation given by step (1)–step (7) in
Sect. 2.2, the keystream Ki is only decided by secret key k,
i−1
content of mi and s−1 (i.e. the relative position of mi ). Thus,
j −1
if mi = Mj (or mi = M∗j ) and s−1 i−1
= p−1 , then Ki = kj (or
∗ Hk (Mi ) = Hk (Mj ) ⊕ Hk (Mp ) ⊕ Hk (Mq )
Ki = kj ) holds for same k.
It is clear that i = j = 1 is a trivial solution of equation
j −1
s−1 = p−1 for any s ≥ 2, p ≥ 2. That is, when m1 = M1 ,
i−1
m1 = M∗1 holds, K1 = k1 , K1∗ = k∗1 also holds for any s and
∗ r=5,r=i
p. Similarly, when mi = Mj , m∗i = M∗j where i, j satisfy
j −1
i−1
s−1 = p−1 , it is ready to get Ki = kj , Ki∗ = k∗j .
Regarding (6) and (7) with same secret key k, we have:
Hk (M5 ) = H0 ⊕ K1 ⊕ K2 ⊕ · · · ⊕ Ki−1 ⊕ Ki
⊕ Ki+1 ⊕ · · · ⊕ Ks−1 ⊕ Ks
Hk (M6 ) = H0 ⊕ K1∗ ⊕ K2 ⊕ · · · ⊕ Ki−1 ⊕ Ki∗
⊕ Ki+1 ⊕ · · · ⊕ Ks−1 ⊕ Ks
Hk (M7 ) = H0 ⊕ k1 ⊕ k2 ⊕ · · · ⊕ kj −1 ⊕ kj
⊕ kj +1 ⊕ · · · ⊕ kp−1 ⊕ kp
= H0 ⊕ K1 ⊕ k2 ⊕ · · · ⊕ kj −1 ⊕ Ki
⊕ kj +1 ⊕ · · · ⊕ kp−1 ⊕ kp
Hk (M8 ) = H0 ⊕ k∗1 ⊕ k2 ⊕ · · · ⊕ kj −1 ⊕ k∗j
⊕ kj +1 ⊕ · · · ⊕ kp−1 ⊕ kp
= H0 ⊕ K1∗ ⊕ k2 ⊕ · · · ⊕ kj −1 ⊕ Ki∗
⊕ kj +1 ⊕ · · · ⊕ kp−1 ⊕ kp
Obviously, following equality is satisfied
Hk (M5 ) ⊕ Hk (M6 ) = Hk (M7 ) ⊕ Hk (M8 )
= K1 ⊕ K1∗ ⊕ Ki ⊕ Ki∗
Thus,
Hk (M8 ) = Hk (M5 ) ⊕ Hk (M6 ) ⊕ Hk (M7 ).
At the case of mi = M∗j , m∗i = Mj where i, j satisfy i−1
s−1
j −1
p−1 ,we can derive (8) similarly.
The proof is completed.
519
Corollary 2 Regarding any four padded messages hav-
ing format as M5 = m1 m2 · · · mi−1 mi mi+1 · · · ms−1 ms ,
M6 = m∗1 m2 · · · mi−1 m∗i mi+1 · · · ms−1 ms , M7 = M1 M2 · · ·
Mj −1 Mj Mj +1 · · · Mp−1 Mp and M8 = M∗1 M2 · · ·
Mj −1 M∗j Mj +1 · · · Mp−1 Mp , where mi = Mj , m∗i = M∗j
(or mi = M∗j , m∗i = Mj ) when i, j satisfy s−1
i−1 j −1
= p−1 . One
can directly forge the hash value of anyone of four messages
from other three messages’ hash values, without knowledge
of secret key.
Proof with the help of proofs of Proposition 2 and Corol-
lary 1, it is clear that following equality holds:

8
= i = 5, 6, 7, 8.
Hk (Mr ),
The proof is completed. 
Proposition 2 and Corollary 2 show that the valid mes-
sage-MAC pair can be forged from other three message-
MAC pairs (the padded messages are unequal length), with-
out knowledge of secret key. The attack examples for orig-
inal messages (before padding) are given in Table 2, which
can directly extend to the case of messages with more
blocks. Therefore, the hash function is vulnerable against
variant-length forgery attack.
3.3 Weak key attack
In (1), there are five singular pairs for (x(k), x(k + 1)),
i.e., (0, 0), (u, 0), (0.5, 1), (1 − u, 1), and (1, 0). Conse-
quently, x(j ) ≡ 0, j ≥ k + 2 for any given u when x(k) ∈
{0, u, 0.5, (1 − u), 1}. Although such cases happen rarely
in normal, it can be utilized by an adversary to construct
MAC collisions, because x(j ) ≡ 0, j ≥ k + 2 implies Ki =
{0}128
1 in Xiao’s scheme. Since x(0) ∈ {0, 0.5, 1} leads to
Ki = {0}1281 for any u, it can be easily identified as weak
keys and excluded from key space. Thus we focus on x(0) ∈
{u, (1 − u)} and demonstrate how to utilize weak keys to
construct collision.
Regarding parameter u of PWLCM in Xiao’s scheme,
it is defined by (3), which is related only with i the cur-
rent block index, s the total number of blocks, and u0 the
(8) part of secret key. So parameter u of PWLCM varies with
block index and message length under the same secret key
= k = {x(0), u0 }, while is unconcerned with message content.
Such defect can be utilized by an maliciously authorized
 user, to choose a weak key {x(0), u0 } in advance purpos-
520 X. Wang et al.

Table 2 Examples of
variant-length forgery attack Secret key k = (x0 = 0.123456, u0 = 0.654321)
Message (before padding) Hash value (128-bit, Hexadecimal)

M5 = m1 = aa · · · a
  9EC8F489DA7008E8F86C6AE66759F746
64
M6 = m∗1 = bb · · · b
  EA9769CED09D8CC50B8D0859B010B227
64
M7 = M1 M2 M3 = m1 M2 M3 = aa · · · a cc
  · · · c dd 
  · · · d EF80AB02CF8B9D82E9AAD1173A879851
64 64 64
M8 = M∗1 M2 M3 = m∗1 M2 M3 = bb · · · b cc 
  · · · c dd · · · d
  9BDF3645C56619AF1A4BB3A8EDCEDD30
64 64 64

M5 = m1 m2 = aa · · · a bb
  · · · b
  C8EC95396B87B26B08436743CAAF8F0E
64 64
M6 = m∗1 m∗2 = cc 
· · · c dd · · · d
  F6BD6882EDA55DDA34377F50C5AA68C0
64 64
M7 = M1 M2 M3 M4 = m1 M2 m2 M4 1E1B5A5D8E8035F1A3D3E91B27B3ACBF
= aa · · · a ee 
  · · · e bb · · · b ff · · · f
   
64 64 64 64
M8 = M∗1 M2 M∗3 M4 = m∗1 M2 m∗2 M4 204AA7E608A2DA409FA7F10828B64B71
= cc · · · c ee
  · · · e dd 
  · · · d ff · · · f
 
64 64 64 64

M5 = m1 m2 = aa · · · a bb
  · · · b
  C8EC95396B87B26B08436743CAAF8F0E
64 64
M6 = m∗1 m∗2 = cc 
· · · c dd · · · d
  F6BD6882EDA55DDA34377F50C5AA68C0
64 64
M7 = M1 M2 M3 M4 = m1 M2 m∗2 M4 AFF426E589A56E18383738E66EBEF486
= aa · · · a ee 
  · · · e dd · · · d ff · · · f
   
64 64 64 64
M8 = M∗1 M2 M∗3 M4 = m∗1 M2 m2 M4 91A5DB5E0F8781A9044320F561BB1348
= cc · · · c ee
  · · · e bb
  · · · b ff · · · f
   
64 64 64 64

8
Hk (M8 ) = Hk (M5 ) ⊕ Hk (M6 ) ⊕ Hk (M7 ) or Hk (Mi ) = Hk (Mr ), i = 5, 6, 7, 8
r=5,r=i

edly to satisfy x(0) ∈ {u, (1 − u)} for certain i and s as fol- struct up to 2512 collisions using one weak key that exists for
lows: any message.
⎧ To illustrate the weak key attack, two simple examples
⎪
⎪ x(0) = u = (u0 + (i − 1)/(2(s − 1)))/2 (9.1) are given. Assume H0 = {0}128 without loss of generality
⎨ 1
since original scheme does not set it explicit value.
or
⎪
⎪ Consider message M with two 512-bit blocks and each
⎩
x(0) = 1 − u = 1 − (u0 + (i − 1)/(2(s − 1)))/2. (9.2) block with 64 ASCII characters as

For convenience, we denote such certain i and s with ĩ M = m1 m2 = aaa

and s̃ respectively. Consequently, chaotic trajectory x(j ) ≡
0, j ≥ 2 for ĩth block, which results in Kĩ = {0}128
1 regard-
less of the block content. In such circumstances, the autho-
rized user chooses a weak key k = {x(0), u0 } beforehand
in accordance with message M and (9.1, 9.2), then he/she
can freely substitute the ĩth block of M to construct col-
lision message M . Obviously, Hk (M) = Hk (M ) due to
Kĩ = K = {0}128
1 under the same weak key. Through this
ĩ
malicious method, the authorized user can theoretically con-
 · · · a aaa
 · · · a , (10)
64 64
then the padded message is with three blocks as Mpadded =
m1 m2 ms , where ms is the padding block and s = 3. If a ma-
licious user wants to construct collisions for the ith block
(i = 2 for example), he can randomly choose x0 = 0.3456
and calculate u0 = 2x0 − (i − 1)/(2(s − 1)) = 0.4412 ac-
cording to (9.1). The chosen weak key is then k = {x0 =
0.3456, u0 = 0.4412}, and the hash value of M is Hk (M) =
58E8A8C7CACF6FA2CC5577D0BE5FA0EB.
Cryptanalysis and improvement on a parallel keyed hash function based on chaotic neural network 521

Table 3 Examples of collision attack with weak key k = (x0 , u0 )*

Weak key k Message (before padding) Hash value (128-bit, Hexadecimal)

x0 = 0.3456, M1 = m1 m2 = aa · · · a aa · · · a 58E8A8C7CACF6FA2CC5577D0BE5FA0EB
u0 = 0.4412    
64 64
(s = 3, i = 2)
M1 = m1 m 2 = aa
  · · ·∗
· · · a ∗∗  58E8A8C7CACF6FA2CC5577D0BE5FA0EB
64 64

x0 = 0.7654321, M2 = m1 m2 = aa · · · a aa · · · a 9D14FD75CEE12B85935FD911A25E8C82
u0 = 0.2191358    
64 64
(s = 3, i = 2)
M2 = m1 m 2 = aa
  · · ·∗
· · · a ∗∗  9D14FD75CEE12B85935FD911A25E8C82
64 64

x0 = 0.33333, M3 = m1 m2 m3 m4 = aa · · · a bb · · · b cc 
· · · c dd · · · d E36273035F07CECA9255C8A82E318976
u0 = 0.41666      
64 64 64 64
(s = 5, i = 3)
M3 = m1 m2 m 3 m4 = aa · · · a bb
  · · · b ∗∗
  · · ·∗ dd
  · · · d
  E36273035F07CECA9255C8A82E318976
64 64 64 64

Hk (Mj ) = Hk (Mj ), j = 1, 2, 3, i.e. collision happens

* k = (x0 , u0 ) are calculated from (9.1, 9.2) after x0 was randomly selected; symbol “ * ” denotes any ASCII character

Since the malicious user is aiming at attacking the 2nd
block with weak key, he can freely substitute the 2nd block
of M with any other 512-bit block, i.e. the modified message
has following form:
M = m1 m 2 = aaa ∗∗∗
 · · · a  · · · ∗
64 64
where ‘*’ denotes any 8-bit ASCII character. Hashing M (9.1, 9.2) during the key derivation.
with the same weak key k, the hash value is
Hk (M ) = 58E8A8C7CACF6FA2CC5577D0BE5FA0EB,
i.e. Hk (M ) = Hk (M).
Similarly, if x0 is chosen randomly with x0 = 0.7654321,
then u0 = 0.2191358 according to (9.2) for i = 2,
s = 3. The weak key is thus k = {x0 = 0.7654321,
u0 = 0.2191358}, and Hk (M ) = Hk (M) =
9D14FD75CEE12B85935FD911A25E8C82 for M and M ,
which are given by (10) and (11) respectively. The method
can be directly extended to other cases for messages with
different i and s, and the attack examples are given in Ta-
ble 3.
It should be stressed that there are large amount of weak
keys {x(0), u0 } satisfying (9.1, 9.2) for every fixed i and s.
Also, a malicious user can choose weak keys for an expected
block index i according to (9.1, 9.2) to construct meaningful
or meaningless collisions. Thus, the hash scheme is suscep-
tible to weak key attack that results in MAC collisions.
4 Our improved scheme
Based on the cryptanalysis of Sect. 3, there are three flaws in
original scheme: it can work only for the case where padded
message length satisfies s ≥ 2; there exists large amount of
weak keys which cause MAC collisions; and it is susceptible
to two kinds of forgery attacks.
i−1
The first flaw can be patched by replacing factor s−1 with
i
s in (3), where i is the current block index and s is the total
(11) block number of padded message. The second flaw can be
repaired by explicitly excluding the weak keys defined by
To remedy the third flaw, i.e. susceptibility to forgery at-
tacks, we propose the improved scheme as depicted in Fig. 2
and formulated by:
Hs = H0 ⊕ K1 ⊕ K2 ⊕ · · · ⊕ Ks
(12)
Hk (M) = Block Hash(k, 1, Hs )
where k is the secret key and Block Hash(·) is block hash
operation defined by (6).
It can be seen that, in the improved scheme, we perform
one more block hash operation on Hs after all XOR opera-
tions. In other words, the value Hs = H0 ⊕ K1 ⊕ K2 ⊕ · · · ⊕
Ks in the improved scheme is no longer the final hash value.
An output transformation using block hash is further intro-
duced into Hs to obtain the final hash value Hk (M).
4.1 Security analysis of the improved scheme
The first two flaws in original scheme, such as incapabil-
ity to hash message with only one block and susceptibility
to MAC collision, can be overcome by minor modifications
above in the improved scheme.
The forgery attacks on original scheme are based on the
utilization of the characteristic of XOR operation since the
522
Fig. 2 Structure of the
improved parallel keyed hash
function
final hash value Hk (M) = Hs = H0 ⊕ K1 ⊕ K2 ⊕ · · · ⊕ Ks
is obtained through simple XOR operations with Ki (i =
1, 2, . . . , s). In our improved scheme, the output transfor-
mation has introduced complicated nonlinear connections
among the different parts of the final hash value Hk (M). Ob-
viously, both Corollary 1 and Corollary 2 are invalid at this
case. Therefore, the improved scheme can resist the forgery
attacks described in Sect. 3.
The reason that we use Block Hash(.) operation on orig-
inal hash value Hs to resist the forgery attacks, is based
on two factors: (1) Since the Block Hash(.) operation has
already repeatedly used as compression function for each
message block, one more used it again as output trans-
formation can facilitate the reuse of software and hard-
ware implementation. (2) Assume the compression function
Block Hash(.) is security, then the output transformation us-
ing Block Hash(.) is also security. It is unnecessary to give
further security proof for output transformation to satisfy the
security requirement of hash function.
4.2 Performance analysis of the improved scheme
The improved scheme uses one more Block Hash(.) on orig-
inal hash value to derive the final hash value, as depicted in
Fig. 2. It is not difficult to conclude that the performance of
improved scheme, such as sensitivity to message, confusion
and diffusion, resistance to collision attack and meet-in-the-
middle attack, is not worse than that of the original scheme.
In the following, we will thus focus on the speed comparison
between the improved scheme and the original scheme.
Referring to the original scheme [12], the speed of im-
proved scheme is evaluated by the number of the required
multiplicative operation for each ASCII character (8-bit)
message during the hash process. The speed comparison
is listed in Table 4. Although the output transformation is
added after the XOR operation, the effect on the entire ef-
ficiency of the algorithm is very slight, especially with the
X. Wang et al.
Table 4 Speed comparison between the original scheme and improved
scheme
Operation mode The original scheme The improved scheme
Sequential mode T1 = 3.25 + 13τ
T1 (1 + 1s )
64
Parallel mode T2 = 72+3τ
64p T2 (1 + ps )
Note: τ -the pre-iterations of PWLCM;
s-the total block number of padded message;
p-the number of parallel processing units
increasing of the block number s. The calculation of our im-
proved scheme is as follows:
In sequential mode, the original scheme needs T1 =
3.25 + 13τ
64 multiplicative operation for each character [12],
where τ is the pre-iterations of PWLCM. Based on the cal-
culation analysis of original scheme, the improved scheme
needs T1new = T1 + Ts1 = T1 (1 + 1s ) multiplicative opera-
tion for each character, where s is the total block number
of padded message. In parallel mode, the multiplicative op-
eration of original scheme is T2 = 72+3τ
64p for each character
p
[12], while it is T2new = T2 + 72+3τ
64×s = T2 (1 + s ) for the
improved scheme. Here p represents the number of paral-
lel processing units, and s the total block number of padded
message.
It can be seen that the computation of the improved
scheme has little higher than that of the original scheme both
in sequential mode and in parallel mode. But with the in-
creasing of the total number s of message block, the hash
speed of improved scheme is approximately to that of the
original scheme. Considering the tradeoff between security
and performance, the improved scheme is therefore efficient.
5 Conclusion
In this paper, we point out the security flaws of Xiao et al.’s
parallel keyed hash function based on chaotic neural net-
Cryptanalysis and improvement on a parallel keyed hash function based on chaotic neural network 523

work. Their scheme is susceptible to equal-length forgery Xiaomin Wang is currently work-
ing as Associate Professor at the
attack and variant-length forgery attack. Moreover, there are School of Information Science and
large amount of weak keys for any message, which can be Technology, Southwest Jiaotong
University, China. His research in-
used to construct MAC collisions. To remedy such secu-
terests include chaotic cryptogra-
rity flaws, enhancement measures are further proposed to phy, multimedia and biometrics in-
resist such attacks. The theoretical analysis shows that the formation security, pattern recog-
nition and machine vision. He has
improved scheme is more secure than the original one. In
published more than 40 journal and
the meanwhile, it can also keep the parallel merit and other conference papers in the areas of his
performance advantages of the original scheme. research.

Acknowledgements This work was supported by the National Nat-

ural Science Foundation of China (Grant Nos. 60903202, 61003245), Wei Guo received B.S. and Ph.D.
the Specialized Research Fund for the Doctoral Program of Higher Ed- degree from Southwest Jiaotong
ucation of China (Grant No. 20090184120024), the Fund for Outstand- University, China in 2001 and 2007,
ing Young researcher of Sichuan Province (Grant No. 2011JQ0027), respectively. Currently, she is with
and the Foundation Sciences Southwest Jiaotong University (Grant the Key Lab of Information Secu-
No. 2008B08). rity and National Computing Grid,
Southwest Jiaotong University,
Chengdu, China, where she is an
associate professor of information
security. Her main research inter-
ests include information security,
References threshold signature, and cryptology.

1. ISO/IEC 9797-1 (1999). Information technology-security

techniques-Message Authentication Code (MACs), Geneve,
Switzerland. Wenfang Zhang received the B.S.
degree in School of Computer Sci-
2. Wong, K. W. (2003). A combined chaotic cryptographic and hash-
ence & Technology in 2002 and is
ing scheme. Physics Letters A, 307(5–6), 292–298. pursuing the Ph.D. degree in School
3. Zhang, J. S., Wang, X. M., & Zhang, W. F. (2007). Chaotic keyed of Information Sciences & Technol-
hash function based on feedforward–feedback nonlinear digital fil- ogy , Southwest Jiaotong Univer-
ter. Physics Letters A, 362(5–6), 439–448. sity, Chengdu, China. His research
4. Wang, X. M., Zhang, J. S., & Zhang, W. F. (2003). One way Hash interests include chaotic hash de-
function construction based on the extended chaotic maps switch. sign, chaos cryptanalysis, and hard-
Acta Physica Sinica, 52(11), 2737–2742 (in Chinese). ware implementations of security
5. Wang, Y., Liao, X., Xiao, D., & Wong, K. W. (2008). One-way and cryptographic algorithms.
hash function construction based on 2D coupled map lattices. In-
formation Sciences, 178(5), 1391–406.
6. Yang, H., Wong, K., & Liao, X. et al. (2009). One-way hash func-
tion construction based on chaotic map network. Chaos, Solitons
and Fractals, 41(5), 2566–2574. Muhammad Khurram Khan is
7. Yi, X. (2005). Hash function based on chaotic tent maps. IEEE currently working as Associate Pro-
Transactions on Circuits and Systems II, Express Briefs, 52(6), fessor at Center of Excellence in
354–357. Information Assurance (CoEIA),
8. Wang, X. M., Zhang, J. S., & Zhang, W. F. (2005). Keyed Hash King Saud University, Saudi Ara-
function based on composite nonlinear autoregressive filter. Acta bia. He is the Founding Editor of
‘Bahria University Journal of In-
Physica Sinica, 54(12), 5566–5573 (in Chinese).
formation & Communication Tech-
9. Khan, M. K., Zhang, J. S., & Wang, X. M. (2008). Chaotic hash- nology (BUJICT)’. He also plays
based fingerprint biometric remote user authentication scheme on role of Editor of several interna-
mobile devices. Chaos, Solitons and Fractals, 35(3), 519–524. tional journals of Elsevier Science
10. Xiao, D., Liao, X. F., & Deng, S. J. (2008). Parallel keyed hash and Springer-Verlag. Dr. Khurram
function construction based on chaotic maps. Physics Letters A, has published more than 100 re-
372(26), 4682–4688. search papers in the journals and
11. Guo, W., Wang, X. M., He, D. K., & Cao, Y. (2009). Cryptanalysis conferences of international repute.
on a parallel keyed hash function based on chaotic maps. Physics His areas of interest are biometrics, information security, multime-
Letters A, 373(36), 3201–3206. dia security, and digital data hiding. His profile can be visited at
12. Xiao, D., Liao, X. F., & Wong, Y. (2009). Parallel keyed hash func- http://faculty.ksu.edu.sa/khurram
tion construction based on chaotic neural network. Neurocomput-
ing, 72(10–12), 2288–2296.
524 X. Wang et al.

Khaled Alghathbar Ph.D., CISSP,

CISM, PMP, MCSE: Security, Se-
curiy+, BS7799 Lead Auditor, is an
associate professor and the director
of the Center of Excellence in In-
formation Assurance in King Saud
University, Riyadh, Saudi Arabia.
He is a security advisor for several
government agencies. His main re-
search interest is in information se-
curity management, policies and de-
sign. He received his Ph.D. in In-
formation Technology from George
Mason University, USA.