Low-Complexity Key Recovery Attacks on GOST Block Cipher

This work investigates a generic way of combining two very effective and well-studied cryptanalytic tools, proposed almost 18 years apart, namely the boomerang attack introduced by Wagner in FSE 1999 and the yoyo attack by Ronjom et al. in Asiacrypt 2017. In doing so, the s-box switch and ladder switch techniques are leveraged to embed a yoyo trail inside a boomerang trail. As an immediate application, a 6-round key recovery attack on AES-128 is mounted with time complexity of 278. A 10-round key recovery attack on recently introduced AES-based tweakable block cipher Pholkos is also furnished to demonstrate the applicability of the new technique on AES-like constructions. The results on AES are experimentally verified by applying and implementing them on a small scale variant of AES. We provide arguments that draw a relation between the proposed strategy with the retracing boomerang attack devised in Eurocrypt 2020. To the best of our knowledge, this is the first attempt to merge the yoyo and boomerang techniques to analyze SPN ciphers and warrants further attention as it has the potential of becoming an important cryptanalysis tool.

Download Full-text

Dismantling the AUT64 Automotive Cipher

IACR Transactions on Cryptographic Hardware and Embedded Systems ◽

10.46586/tches.v2018.i2.46-69 ◽

2018 ◽

pp. 46-69

Author(s):

Christopher Hicks ◽

Flavio D. Garcia ◽

David Oswald

Keyword(s):

Block Cipher ◽

Authentication Protocol ◽

Secret Key ◽

Vehicle Manufacturer ◽

Key Recovery ◽

Worst Case ◽

Remote Keyless Entry ◽

First Time ◽

Key Recovery Attacks ◽

Complete Specification

AUT64 is a 64-bit automotive block cipher with a 120-bit secret key used in a number of security sensitive applications such as vehicle immobilization and remote keyless entry systems. In this paper, we present for the first time full details of AUT64 including a complete specification and analysis of the block cipher, the associated authentication protocol, and its implementation in a widely-used vehicle immobiliser system that we have reverse engineered. Secondly, we reveal a number of cryptographic weaknesses in the block cipher design. Finally, we study the concrete use of AUT64 in a real immobiliser system, and pinpoint severe weaknesses in the key diversification scheme employed by the vehicle manufacturer. We present two key-recovery attacks based on the cryptographic weaknesses that, combined with the implementation flaws, break both the 8 and 24 round configurations of AUT64. Our attack on eight rounds requires only 512 plaintext-ciphertext pairs and, in the worst case, just 237.3 offline encryptions. In most cases, the attack can be executed within milliseconds on a standard laptop. Our attack on 24 rounds requires 2 plaintext-ciphertext pairs and 248.3 encryptions to recover the 120-bit secret key in the worst case. We have strong indications that a large part of the key is kept constant across vehicles, which would enable an attack using a single communication with the transponder and negligible offline computation.

Download Full-text

IMPROVED RELATED-KEY RECTANGLE ATTACK ON THE FULL HAS-160 ENCRYPTION MODE

International Journal of Foundations of Computer Science ◽

10.1142/s0129054112500074 ◽

2012 ◽

Vol 23 (03) ◽

pp. 733-747

Author(s):

YUECHUAN WEI ◽

CHAO LI ◽

DAN CAO

Keyword(s):

Block Cipher ◽

Block Size ◽

Key Recovery ◽

Key Recovery Attacks ◽

Mode A

HAS-160, a Korean hash standard, has been widely used in the Korean industry. This paper aims to re-evaluate the security of HAS-160 in the encryption mode, a block cipher with the 512-bit key size and the 160-bit plaintext block size. A previous attack is based on a 71-round related-key distinguisher with probability 2-304. Using some delicate properties of HAS-160 and employing a bit-fixing technique, we present a 72-round related-key rectangle distinguisher with probability 2-290in this paper. Based on this new distinguisher, two key recovery attacks on the encryption mode of the full 80-round HAS-160 are performed, which improve the earlier results. The attacks presented in this paper are the best known results on HAS-160 in the encryption mode in terms of the number of attack rounds and the efficiency of attacks.

Download Full-text

Improved Conditional Differential Analysis on NLFSR-Based Block Cipher KATAN32 with MILP

Wireless Communications and Mobile Computing ◽

10.1155/2020/8883557 ◽

2020 ◽

Vol 2020 ◽

pp. 1-14

Author(s):

Zhaohui Xing ◽

Wenying Zhang ◽

Guoyong Han

Keyword(s):

Mixed Integer Linear Programming ◽

Time Complexity ◽

Block Cipher ◽

Mixed Integer ◽

Differential Analysis ◽

Nonlinear Feedback ◽

Key Recovery ◽

Nonlinear Feedback Shift Register ◽

Feedback Shift Register ◽

Key Recovery Attacks

In this paper, a new method for constructing a Mixed Integer Linear Programming (MILP) model on conditional differential cryptanalysis of the nonlinear feedback shift register- (NLFSR-) based block ciphers is proposed, and an approach to detecting the bit with a strongly biased difference is provided. The model is successfully applied to the block cipher KATAN32 in the single-key scenario, resulting in practical key-recovery attacks covering more rounds than the previous. In particular, we present two distinguishers for 79 and 81 out of 254 rounds of KATAN32. Based on the 81-round distinguisher, we recover 11 equivalent key bits of 98-round KATAN32 and 13 equivalent key bits of 99-round KATAN32. The time complexity is less than 2 31 encryptions of 98-round KATAN32 and less than 2 33 encryptions of 99-round KATAN32, respectively. Thus far, our results are the best known practical key-recovery attacks for the round-reduced variants of KATAN32 regarding the number of rounds and the time complexity. All the results are verified experimentally.

Download Full-text

Automated Search Oriented to Key Recovery on Ciphers with Linear Key Schedule

IACR Transactions on Symmetric Cryptology ◽

10.46586/tosc.v2021.i2.249-291 ◽

2021 ◽

pp. 249-291

Author(s):

Lingyue Qin ◽

Xiaoyang Dong ◽

Xiaoyun Wang ◽

Keting Jia ◽

Yunwen Liu

Keyword(s):

High Probability ◽

Block Cipher ◽

Secret Key ◽

Key Recovery ◽

Key Schedule ◽

Before And After ◽

Two Phases ◽

Key Recovery Attack ◽

Key Recovery Attacks ◽

Automated Search

Automatic modelling to search distinguishers with high probability covering as many rounds as possible, such as MILP, SAT/SMT, CP models, has become a very popular cryptanalysis topic today. In those models, the optimizing objective is usually the probability or the number of rounds of the distinguishers. If we want to recover the secret key for a round-reduced block cipher, there are usually two phases, i.e., finding an efficient distinguisher and performing key-recovery attack by extending several rounds before and after the distinguisher. The total number of attacked rounds is not only related to the chosen distinguisher, but also to the extended rounds before and after the distinguisher. In this paper, we try to combine the two phases in a uniform automatic model.Concretely, we apply this idea to automate the related-key rectangle attacks on SKINNY and ForkSkinny. We propose some new distinguishers with advantage to perform key-recovery attacks. Our key-recovery attacks on a few versions of round-reduced SKINNY and ForkSkinny cover 1 to 2 more rounds than the best previous attacks.

Download Full-text

Is AEZ v4.1 Sufficiently Resilient Against Key-Recovery Attacks?

IACR Transactions on Symmetric Cryptology ◽

10.46586/tosc.v2016.i1.114-133 ◽

2016 ◽

pp. 114-133 ◽

Cited By ~ 1

Author(s):

Colin Chaigneau ◽

Henri Gilbert

Keyword(s):

Block Cipher ◽

Encryption Algorithm ◽

Instruction Set ◽

Authenticated Encryption ◽

Key Recovery ◽

Security Properties ◽

Software Implementations ◽

Tweakable Block Cipher ◽

Key Recovery Attack ◽

Key Recovery Attacks

AEZ is a parallelizable, AES-based authenticated encryption algorithm that is well suited for software implementations on processors equipped with the AES-NI instruction set. It aims at offering exceptionally strong security properties such as nonce and decryption-misuse resistance and optimal security given the selected ciphertext expansion. AEZ was submitted to the authenticated ciphers competition CAESAR and was selected in 2015 for the second round of the competition. In this paper, we analyse the resilience of the latest algorithm version, AEZ v4.1 (October 2015), against key-recovery attacks. While AEZ modifications introduced in 2015 were partly motivated by thwarting a key-recovery attack of birthday complexity against AEZ v3 published at Asiacrypt 2015 by Fuhr, Leurent and Suder, we show that AEZ v4.1 remains vulnerable to a key-recovery attack of similar complexity and security impact. Our attack leverages the use, in AEZ, of an underlying tweakable block cipher based on a 4-round version of AES. Although the presented key-recovery attack does not violate the security claims of AEZ since the designers made no claim for beyond-birthday security, it can be interpreted as an indication that AEZ does not fully meet the objective of being an extremely conservative and misuse-resilient algorithm.

Download Full-text

Subspace Trail Cryptanalysis and its Applications to AES

IACR Transactions on Symmetric Cryptology ◽

10.46586/tosc.v2016.i2.192-225 ◽

2017 ◽

pp. 192-225

Author(s):

Lorenzo Grassi ◽

Christian Rechberger ◽

Sondre Rønjom

Keyword(s):

Block Cipher ◽

Data Complexity ◽

Secret Key ◽

Differential Attack ◽

Key Recovery ◽

Special Cases ◽

Impossible Differential ◽

The One ◽

Truncated Differential ◽

Key Recovery Attacks

We introduce subspace trail cryptanalysis, a generalization of invariant subspace cryptanalysis. With this more generic treatment of subspaces we do no longer rely on specific choices of round constants or subkeys, and the resulting method is as such a potentially more powerful attack vector. Interestingly, subspace trail cryptanalysis in fact includes techniques based on impossible or truncated differentials and integrals as special cases. Choosing AES-128 as the perhaps most studied cipher, we describe distinguishers up to 5-round AES with a single unknown key. We report (and practically verify) competitive key-recovery attacks with very low data-complexity on 2, 3 and 4 rounds of AES. Additionally, we consider AES with a secret S-Box and we present a (generic) technique that allows to directly recover the secret key without finding any information about the secret S-Box. This approach allows to use e.g. truncated differential, impossible differential and integral attacks to find the secret key. Moreover, this technique works also for other AES-like constructions, if some very common conditions on the S-Box and on the MixColumns matrix (or its inverse) hold. As a consequence, such attacks allow to better highlight the security impact of linear mappings inside an AES-like block cipher. Finally, we show that our impossible differential attack on 5 rounds of AES with secret S-Box can be turned into a distinguisher for AES in the same setting as the one recently proposed by Sun, Liu, Guo, Qu and Rijmen at CRYPTO 2016

Download Full-text

Meet-in-the-Middle Attacks on Reduced-Round Midori64

IACR Transactions on Symmetric Cryptology ◽

10.46586/tosc.v2017.i1.215-239 ◽

2017 ◽

pp. 215-239

Author(s):

Li Lin ◽

Wenling Wu

Keyword(s):

Energy Consumption ◽

Lower Bound ◽

Block Cipher ◽

The State ◽

Low Energy ◽

Key Recovery ◽

Low Energy Consumption ◽

Lightweight Block Cipher ◽

Key Recovery Attacks

Midori is a lightweight block cipher designed by Banik et al. at ASIACRYPT 2015 to achieve low energy consumption. One version of Midori uses a 64-bit state, another uses a 128-bit state and we denote these versions Midori64 and Midori128. Each of these versions uses a 128-bit key. In this paper, we focus on the key-recovery attacks on reduced-round Midori64 with meet-in-the-middle method. We use the differential enumeration, key-bridging and key-dependent sieve techniques which are popular to analyze AES to attack Midori64. Using key-bridging and key-dependent sieve techniques directly to achieve the complexity lower bound is almost impossible, we give the model on how to achieve the complexity lower bound using these techniques. We also propose the state-bridge technique to use some key relations that are quite complicated and divided by some rounds. With a 6-round distinguisher, we achieve a 10-round attack. After that, by adding one round at the end, we get an 11-round attack. Finally, with a 7-round distinguisher, we get an attack on 12-round Midori64. To the best of our knowledge, these are recently the best attacks on Midori64 in the single-key setting.

Download Full-text

Cryptanalysis of the Lightweight Block Cipher BORON

Security and Communication Networks ◽

10.1155/2019/7862738 ◽

2019 ◽

Vol 2019 ◽

pp. 1-12 ◽

Cited By ~ 1

Author(s):

Huicong Liang ◽

Meiqin Wang

Keyword(s):

Block Cipher ◽

Security Analysis ◽

Third Party ◽

Linear Cryptanalysis ◽

Key Recovery ◽

Smt Solver ◽

Optimal Probability ◽

Lightweight Block Cipher ◽

Security Evaluations ◽

Key Recovery Attacks

This paper provides security evaluations of a lightweight block cipher called BORON proposed by Bansod et al. There is no third-party cryptanalysis towards BORON. Designers only provided coarse and simple security analysis. To fill this gap, security bounds of BORON against differential and linear cryptanalysis are presented in this paper. By automatic models based on the SMT solver STP, we search for differential and linear trails with the minimal number of active S-boxes and trails with optimal probability and bias. Then, we present key-recovery attacks towards round-reduced BORON. This paper is the first third-party cryptanalysis towards BORON.

Download Full-text

Towards Key-recovery-attack Friendly Distinguishers: Application to GIFT-128

IACR Transactions on Symmetric Cryptology ◽

10.46586/tosc.v2021.i1.156-184 ◽

2021 ◽

pp. 156-184

Author(s):

Rui Zong ◽

Xiaoyang Dong ◽

Huaifeng Chen ◽

Yiyuan Luo ◽

Si Wang ◽

...

Keyword(s):

Block Cipher ◽

Recovery Process ◽

Low Complexity ◽

Differential Cryptanalysis ◽

Linear Cryptanalysis ◽

Linear Hull ◽

Differential Attack ◽

Key Recovery ◽

Key Recovery Attack

When analyzing a block cipher, the first step is to search for some valid distinguishers, for example, the differential trails in the differential cryptanalysis and the linear trails in the linear cryptanalysis. A distinguisher is advantageous if it can be utilized to attack more rounds and the amount of the involved key bits during the key-recovery process is small, as this leads to a long attack with a low complexity. In this article, we propose a two-step strategy to search for such advantageous distinguishers. This strategy is inspired by the intuition that if a differential is advantageous only when some properties are satisfied, then we can predefine some constraints describing these properties and search for the differentials in the small set.As applications, our strategy is used to analyze GIFT-128, which was proposed in CHES 2017. Based on some 20-round differentials, we give the first 27-round differential attack on GIFT-128, which covers one more round than the best previous result. Also, based on two 17-round linear trails, we give the first linear hull attack on GIFT-128, which covers 22 rounds. In addition, we also give some results on two GIFT-128 based AEADs GIFT-COFB and SUNDAE-GIFT.

Download Full-text