scholarly journals Invariant Subspace Attack Against Midori64 and The Resistance Criteria for S-box Designs

2016 ◽  
pp. 33-56
Author(s):  
Jian Guo ◽  
Jérémy Jean ◽  
Ivica Nikolic ◽  
Kexin Qiao ◽  
Yu Sasaki ◽  
...  
Keyword(s):  
Invariant Subspace ◽  
Block Cipher ◽  
Independent Interest ◽  
Design Criteria ◽  
Key Recovery ◽  
Weak Keys

We present an invariant subspace attack on the block cipher Midori64, proposed at Asiacrypt 2015. Our analysis shows that Midori64 has a class of 232 weak keys. Under any such key, the cipher can be distinguished with only a single chosen query, and the key can be recovered in 216 time with two chosen queries. As both the distinguisher and the key recovery have very low complexities, we confirm our analysis by implementing the attacks. Some tweaks of round constants make Midori64 more resistant to the attacks, but some lead to even larger weak-key classes. To eliminate the dependency on the round constants, we investigate alternative S-boxes for Midori64 that provide certain level of security against the found invariant subspace attacks, regardless of the choice of the round constants. Our search for S-boxes is enhanced with a dedicated tool which evaluates the depth of any given 4-bit S-box that satisfies certain design criteria. The tool may be of independent interest to future S-box designs.

scholarly journals Differential Attacks on CRAFT Exploiting the Involutory S-boxes and Tweak Additions

2020 ◽  
pp. 119-151
Author(s):  
Hao Guo ◽  
Siwei Sun ◽  
Danping Shi ◽  
Ling Sun ◽  
Yao Sun ◽  
...  
Keyword(s):  
Low Cost ◽  
Success Probability ◽  
Schedule Algorithm ◽  
Invariant Property ◽  
Differential Analysis ◽  
Secret Key ◽  
Key Recovery ◽  
Weak Keys ◽  
Key Recovery Attack ◽  
Truncated Differential

CRAFT is a lightweight tweakable block cipher proposed at FSE 2019, which allows countermeasures against Differential Fault Attacks to be integrated into the cipher at the algorithmic level with ease. CRAFT employs a lightweight and involutory S-box and linear layer, such that the encryption function can be turned into decryption at a low cost. Besides, the tweakey schedule algorithm of CRAFT is extremely simple, where four 64-bit round tweakeys are generated and repeatedly used. Due to a combination of these features which makes CRAFT exceedingly lightweight, we find that some input difference at a particular position can be preserved through any number of rounds if the input pair follows certain truncated differential trails. Interestingly, in contrast to traditional differential analysis, the validity of this invariant property is affected by the positions where the constant additions take place. We use this property to construct “weak-tweakey” truncated differential distinguishers of CRAFT in the single-key model. Subsequently, we show how the tweak additions allow us to convert these weak-tweakey distinguishers into ordinary secret-key distinguishers based on which key-recovery attacks can be performed. Moreover, we show how to construct MILP models to search for truncated differential distinguishers exploiting this invariant property. As a result, we find a 15-round truncated differential distinguisher of CRAFT and extend it to a 19-round key-recovery attack with 260.99 data, 268 memory, 294.59 time complexity, and success probability 80.66%. Also, we find a 14-round distinguisher with probability 2−43 (experimentally verified), a 16-round distinguisher with probability 2−55, and a 20-round weak-key distinguisher (2118 weak keys) with probability 2−63. Experiments on round-reduced versions of the distinguishers show that the experimental probabilities are sometimes higher than predicted. Finally, we note that our result is far from threatening the security of the full CRAFT.

scholarly journals Boomeyong: Embedding Yoyo within Boomerang and its Applications to Key Recovery Attacks on AES and Pholkos

2021 ◽  
pp. 137-169
Author(s):  
Mostafizar Rahman ◽  
Dhiman Saha ◽  
Goutam Paul
Keyword(s):  
Time Complexity ◽  
Block Cipher ◽  
New Technique ◽  
Small Scale ◽  
Key Recovery ◽  
Boomerang Attack ◽  
Tweakable Block Cipher ◽  
Key Recovery Attack ◽  
Key Recovery Attacks

This work investigates a generic way of combining two very effective and well-studied cryptanalytic tools, proposed almost 18 years apart, namely the boomerang attack introduced by Wagner in FSE 1999 and the yoyo attack by Ronjom et al. in Asiacrypt 2017. In doing so, the s-box switch and ladder switch techniques are leveraged to embed a yoyo trail inside a boomerang trail. As an immediate application, a 6-round key recovery attack on AES-128 is mounted with time complexity of 278. A 10-round key recovery attack on recently introduced AES-based tweakable block cipher Pholkos is also furnished to demonstrate the applicability of the new technique on AES-like constructions. The results on AES are experimentally verified by applying and implementing them on a small scale variant of AES. We provide arguments that draw a relation between the proposed strategy with the retracing boomerang attack devised in Eurocrypt 2020. To the best of our knowledge, this is the first attempt to merge the yoyo and boomerang techniques to analyze SPN ciphers and warrants further attention as it has the potential of becoming an important cryptanalysis tool.

scholarly journals Dismantling the AUT64 Automotive Cipher

2018 ◽  
pp. 46-69
Author(s):  
Christopher Hicks ◽  
Flavio D. Garcia ◽  
David Oswald
Keyword(s):  
Block Cipher ◽  
Authentication Protocol ◽  
Secret Key ◽  
Vehicle Manufacturer ◽  
Key Recovery ◽  
Worst Case ◽  
Remote Keyless Entry ◽  
First Time ◽  
Key Recovery Attacks ◽  
Complete Specification

AUT64 is a 64-bit automotive block cipher with a 120-bit secret key used in a number of security sensitive applications such as vehicle immobilization and remote keyless entry systems. In this paper, we present for the first time full details of AUT64 including a complete specification and analysis of the block cipher, the associated authentication protocol, and its implementation in a widely-used vehicle immobiliser system that we have reverse engineered. Secondly, we reveal a number of cryptographic weaknesses in the block cipher design. Finally, we study the concrete use of AUT64 in a real immobiliser system, and pinpoint severe weaknesses in the key diversification scheme employed by the vehicle manufacturer. We present two key-recovery attacks based on the cryptographic weaknesses that, combined with the implementation flaws, break both the 8 and 24 round configurations of AUT64. Our attack on eight rounds requires only 512 plaintext-ciphertext pairs and, in the worst case, just 237.3 offline encryptions. In most cases, the attack can be executed within milliseconds on a standard laptop. Our attack on 24 rounds requires 2 plaintext-ciphertext pairs and 248.3 encryptions to recover the 120-bit secret key in the worst case. We have strong indications that a large part of the key is kept constant across vehicles, which would enable an attack using a single communication with the transponder and negligible offline computation.

Weak keys of the full MISTY1 block cipher for related-key amplified boomerang cryptanalysis

2018 ◽  
Vol 12 (5) ◽  
pp. 389-397
Author(s):  
Jiqiang Lu ◽  
Wun-She Yap ◽  
Yongzhuang Wei
Keyword(s):  
Block Cipher ◽  
Weak Keys

IMPROVED RELATED-KEY RECTANGLE ATTACK ON THE FULL HAS-160 ENCRYPTION MODE

2012 ◽  
Vol 23 (03) ◽  
pp. 733-747
Author(s):  
YUECHUAN WEI ◽  
CHAO LI ◽  
DAN CAO
Keyword(s):  
Block Cipher ◽  
Block Size ◽  
Key Recovery ◽  
Key Recovery Attacks ◽  
Mode A

HAS-160, a Korean hash standard, has been widely used in the Korean industry. This paper aims to re-evaluate the security of HAS-160 in the encryption mode, a block cipher with the 512-bit key size and the 160-bit plaintext block size. A previous attack is based on a 71-round related-key distinguisher with probability 2-304. Using some delicate properties of HAS-160 and employing a bit-fixing technique, we present a 72-round related-key rectangle distinguisher with probability 2-290in this paper. Based on this new distinguisher, two key recovery attacks on the encryption mode of the full 80-round HAS-160 are performed, which improve the earlier results. The attacks presented in this paper are the best known results on HAS-160 in the encryption mode in terms of the number of attack rounds and the efficiency of attacks.

scholarly journals Improved Conditional Differential Analysis on NLFSR-Based Block Cipher KATAN32 with MILP

2020 ◽  
Vol 2020 ◽  
pp. 1-14
Author(s):  
Zhaohui Xing ◽  
Wenying Zhang ◽  
Guoyong Han
Keyword(s):  
Mixed Integer Linear Programming ◽  
Time Complexity ◽  
Block Cipher ◽  
Mixed Integer ◽  
Differential Analysis ◽  
Nonlinear Feedback ◽  
Key Recovery ◽  
Nonlinear Feedback Shift Register ◽  
Feedback Shift Register ◽  
Key Recovery Attacks

In this paper, a new method for constructing a Mixed Integer Linear Programming (MILP) model on conditional differential cryptanalysis of the nonlinear feedback shift register- (NLFSR-) based block ciphers is proposed, and an approach to detecting the bit with a strongly biased difference is provided. The model is successfully applied to the block cipher KATAN32 in the single-key scenario, resulting in practical key-recovery attacks covering more rounds than the previous. In particular, we present two distinguishers for 79 and 81 out of 254 rounds of KATAN32. Based on the 81-round distinguisher, we recover 11 equivalent key bits of 98-round KATAN32 and 13 equivalent key bits of 99-round KATAN32. The time complexity is less than 2 31 encryptions of 98-round KATAN32 and less than 2 33 encryptions of 99-round KATAN32, respectively. Thus far, our results are the best known practical key-recovery attacks for the round-reduced variants of KATAN32 regarding the number of rounds and the time complexity. All the results are verified experimentally.

scholarly journals Weak Keys in Reduced AEGIS and Tiaoxin

2021 ◽  
pp. 104-139
Author(s):  
Fukang Liu ◽  
Takanori Isobe ◽  
Willi Meier ◽  
Kosei Sakamoto
Keyword(s):  
Time Complexity ◽  
High Performance ◽  
Stream Cipher ◽  
Third Party ◽  
Key Recovery ◽  
Weak Keys ◽  
Internal States ◽  
Caesar Competition ◽  
Key Recovery Attack ◽  
Pass Through

AEGIS-128 and Tiaoxin-346 (Tiaoxin for short) are two AES-based primitives submitted to the CAESAR competition. Among them, AEGIS-128 has been selected in the final portfolio for high-performance applications, while Tiaoxin is a third-round candidate. Although both primitives adopt a stream cipher based design, they are quite different from the well-known bit-oriented stream ciphers like Trivium and the Grain family. Their common feature consists in the round update function, where the state is divided into several 128-bit words and each word has the option to pass through an AES round or not. During the 6-year CAESAR competition, it is surprising that for both primitives there is no third-party cryptanalysis of the initialization phase. Due to the similarities in both primitives, we are motivated to investigate whether there is a common way to evaluate the security of their initialization phases. Our technical contribution is to write the expressions of the internal states in terms of the nonce and the key by treating a 128-bit word as a unit and then carefully study how to simplify these expressions by adding proper conditions. As a result, we find that there are several groups of weak keys with 296 keys each in 5-round AEGIS-128 and 8-round Tiaoxin, which allows us to construct integral distinguishers with time complexity 232 and data complexity 232. Based on the distinguisher, the time complexity to recover the weak key is 272 for 5-round AEGIS-128. However, the weak key recovery attack on 8-round Tiaoxin will require the usage of a weak constant occurring with probability 2−32. All the attacks reach half of the total number of initialization rounds. We expect that this work can advance the understanding of the designs similar to AEGIS and Tiaoxin.

Sign in / Sign up

Export Citation Format

Share Document