Practical Key-Recovery Attack on MANTIS5

MANTIS is a lightweight tweakable block cipher published at CRYPTO 2016. In addition to the full 14-round version, MANTIS7, the designers also propose an aggressive 10-round version, MANTIS5. The security claim for MANTIS5 is resistance against “practical attacks”, defined as related-tweak attacks with data complexity 2d less than 230 chosen plaintexts (or 240 known plaintexts), and computational complexity at most 2126−d. We present a key-recovery attack against MANTIS5 with 228 chosen plaintexts and a computational complexity of about 238 block cipher calls, which violates this claim. Our attack is based on a family of differential characteristics and exploits several properties of the lightweight round function and tweakey schedule. To verify the validity of the attack, we also provide a practical implementation which recovers the full key in about 1 core hour using 230 chosen plaintexts.

Download Full-text

Boomeyong: Embedding Yoyo within Boomerang and its Applications to Key Recovery Attacks on AES and Pholkos

IACR Transactions on Symmetric Cryptology ◽

10.46586/tosc.v2021.i3.137-169 ◽

2021 ◽

pp. 137-169

Author(s):

Mostafizar Rahman ◽

Dhiman Saha ◽

Goutam Paul

Keyword(s):

Time Complexity ◽

Block Cipher ◽

New Technique ◽

Small Scale ◽

Key Recovery ◽

Boomerang Attack ◽

Tweakable Block Cipher ◽

Key Recovery Attack ◽

Key Recovery Attacks

This work investigates a generic way of combining two very effective and well-studied cryptanalytic tools, proposed almost 18 years apart, namely the boomerang attack introduced by Wagner in FSE 1999 and the yoyo attack by Ronjom et al. in Asiacrypt 2017. In doing so, the s-box switch and ladder switch techniques are leveraged to embed a yoyo trail inside a boomerang trail. As an immediate application, a 6-round key recovery attack on AES-128 is mounted with time complexity of 278. A 10-round key recovery attack on recently introduced AES-based tweakable block cipher Pholkos is also furnished to demonstrate the applicability of the new technique on AES-like constructions. The results on AES are experimentally verified by applying and implementing them on a small scale variant of AES. We provide arguments that draw a relation between the proposed strategy with the retracing boomerang attack devised in Eurocrypt 2020. To the best of our knowledge, this is the first attempt to merge the yoyo and boomerang techniques to analyze SPN ciphers and warrants further attention as it has the potential of becoming an important cryptanalysis tool.

Download Full-text

Is AEZ v4.1 Sufficiently Resilient Against Key-Recovery Attacks?

IACR Transactions on Symmetric Cryptology ◽

10.46586/tosc.v2016.i1.114-133 ◽

2016 ◽

pp. 114-133 ◽

Cited By ~ 1

Author(s):

Colin Chaigneau ◽

Henri Gilbert

Keyword(s):

Block Cipher ◽

Encryption Algorithm ◽

Instruction Set ◽

Authenticated Encryption ◽

Key Recovery ◽

Security Properties ◽

Software Implementations ◽

Tweakable Block Cipher ◽

Key Recovery Attack ◽

Key Recovery Attacks

AEZ is a parallelizable, AES-based authenticated encryption algorithm that is well suited for software implementations on processors equipped with the AES-NI instruction set. It aims at offering exceptionally strong security properties such as nonce and decryption-misuse resistance and optimal security given the selected ciphertext expansion. AEZ was submitted to the authenticated ciphers competition CAESAR and was selected in 2015 for the second round of the competition. In this paper, we analyse the resilience of the latest algorithm version, AEZ v4.1 (October 2015), against key-recovery attacks. While AEZ modifications introduced in 2015 were partly motivated by thwarting a key-recovery attack of birthday complexity against AEZ v3 published at Asiacrypt 2015 by Fuhr, Leurent and Suder, we show that AEZ v4.1 remains vulnerable to a key-recovery attack of similar complexity and security impact. Our attack leverages the use, in AEZ, of an underlying tweakable block cipher based on a 4-round version of AES. Although the presented key-recovery attack does not violate the security claims of AEZ since the designers made no claim for beyond-birthday security, it can be interpreted as an indication that AEZ does not fully meet the objective of being an extremely conservative and misuse-resilient algorithm.

Download Full-text

The 7-Round Subspace Trail-Based Impossible Differential Distinguisher of Midori-64

Security and Communication Networks ◽

10.1155/2021/6269604 ◽

2021 ◽

Vol 2021 ◽

pp. 1-15

Author(s):

Wenhao Liu ◽

Yang Yang

Keyword(s):

Computational Complexity ◽

Upper Bound ◽

Data Complexity ◽

Mutual Relationship ◽

Key Recovery ◽

Propagation Law ◽

Impossible Differential ◽

Hamming Weights ◽

Key Recovery Attack ◽

Relationship Of

This paper analyzes the subspace trail of Midori-64 and uses the propagation law and mutual relationship of the subspaces of Midori-64 to provide a 6-round Midori-64 subspace trail-based impossible differential key recovery attack. The data complexity of the attack is 2 54.6 chosen plaintexts, and the computational complexity is 2 58.2 lookup operations. Its overall complexity is less than that of the known 6-round truncated impossible differential distinguisher. This distinguisher is also applicable to Midori-128 with a secret S -box. Additionally, utilizing the properties of subspaces, we prove that a subspace trail-based impossible differential distinguisher of Midori-64 contains at most 7 rounds. This is 1 more than the upper bound of Midori-64’s truncated impossible differential distinguisher which is 6. According to the Hamming weights of the starting and ending subspaces, we classify all 7-round Midori-64 subspace trail-based impossible differential distinguishers into two types and they need 2 59.6 and 2 51.4 chosen plaintexts, respectively.

Download Full-text

Clustering Related-Tweak Characteristics: Application to MANTIS-6

IACR Transactions on Symmetric Cryptology ◽

10.46586/tosc.v2018.i2.111-132 ◽

2018 ◽

pp. 111-132

Author(s):

Maria Eichlseder ◽

Daniel Kales

Keyword(s):

Block Cipher ◽

Differential Cryptanalysis ◽

Differential Attack ◽

Key Recovery ◽

Popular Approach ◽

Differential Characteristic ◽

Clustering Approach ◽

Tweakable Block Cipher ◽

Key Recovery Attack ◽

Truncated Differential

The TWEAKEY/STK construction is an increasingly popular approach for designing tweakable block ciphers that notably uses a linear tweakey schedule. Several recent attacks have analyzed the implications of this approach for differential cryptanalysis and other attacks that can take advantage of related tweakeys. We generalize the clustering approach of a recent differential attack on the tweakable block cipher MANTIS5 and describe a tool for efficiently finding and evaluating such clusters. More specifically, we consider the set of all differential characteristics compatible with a given truncated characteristic, tweak difference, and optional constraints for the differential. We refer to this set as a semi-truncated characteristic and estimate its probability by analyzing the distribution of compatible differences at each step. We apply this approach to find a semi-truncated differential characteristic for MANTIS6 with probability about 2−67.73 and derive a key-recovery attack with a complexity of about 255.09 chosen-plaintext queries and 255.52 computations. The data-time product is 2110.61 << 2126.

Download Full-text

Cryptanalysis of Loiss Stream Cipher-Revisited

Journal of Applied Mathematics ◽

10.1155/2014/457275 ◽

2014 ◽

Vol 2014 ◽

pp. 1-7

Author(s):

Lin Ding ◽

Chenhui Jin ◽

Jie Guan ◽

Qiuyan Wang

Keyword(s):

Time Complexity ◽

Stream Cipher ◽

Linear Equations ◽

Data Complexity ◽

Secret Key ◽

Key Recovery ◽

Systems Of Linear Equations ◽

Key Recovery Attack ◽

Better Than

Loiss is a novel byte-oriented stream cipher proposed in 2011. In this paper, based on solving systems of linear equations, we propose an improved Guess and Determine attack on Loiss with a time complexity of 2231and a data complexity of 268, which reduces the time complexity of the Guess and Determine attack proposed by the designers by a factor of 216. Furthermore, a related key chosenIVattack on a scaled-down version of Loiss is presented. The attack recovers the 128-bit secret key of the scaled-down Loiss with a time complexity of 280, requiring 264chosenIVs. The related key attack is minimal in the sense that it only requires one related key. The result shows that our key recovery attack on the scaled-down Loiss is much better than an exhaustive key search in the related key setting.

Download Full-text

Automated Search Oriented to Key Recovery on Ciphers with Linear Key Schedule

IACR Transactions on Symmetric Cryptology ◽

10.46586/tosc.v2021.i2.249-291 ◽

2021 ◽

pp. 249-291

Author(s):

Lingyue Qin ◽

Xiaoyang Dong ◽

Xiaoyun Wang ◽

Keting Jia ◽

Yunwen Liu

Keyword(s):

High Probability ◽

Block Cipher ◽

Secret Key ◽

Key Recovery ◽

Key Schedule ◽

Before And After ◽

Two Phases ◽

Key Recovery Attack ◽

Key Recovery Attacks ◽

Automated Search

Automatic modelling to search distinguishers with high probability covering as many rounds as possible, such as MILP, SAT/SMT, CP models, has become a very popular cryptanalysis topic today. In those models, the optimizing objective is usually the probability or the number of rounds of the distinguishers. If we want to recover the secret key for a round-reduced block cipher, there are usually two phases, i.e., finding an efficient distinguisher and performing key-recovery attack by extending several rounds before and after the distinguisher. The total number of attacked rounds is not only related to the chosen distinguisher, but also to the extended rounds before and after the distinguisher. In this paper, we try to combine the two phases in a uniform automatic model.Concretely, we apply this idea to automate the related-key rectangle attacks on SKINNY and ForkSkinny. We propose some new distinguishers with advantage to perform key-recovery attacks. Our key-recovery attacks on a few versions of round-reduced SKINNY and ForkSkinny cover 1 to 2 more rounds than the best previous attacks.

Download Full-text

Cryptanalysis of Reduced round SKINNY Block Cipher

IACR Transactions on Symmetric Cryptology ◽

10.46586/tosc.v2018.i3.124-162 ◽

2018 ◽

pp. 124-162 ◽

Cited By ~ 1

Author(s):

Sadegh Sadeghi ◽

Tahereh Mohammadi ◽

Nasour Bagheri

Keyword(s):

Mixed Integer Linear Programming ◽

Block Cipher ◽

Mixed Integer ◽

Differential Attack ◽

Key Recovery ◽

Zero Correlation ◽

Impossible Differential ◽

Key Recovery Attack ◽

Correlation Attacks ◽

Impossible Differential Cryptanalysis

SKINNY is a family of lightweight tweakable block ciphers designed to have the smallest hardware footprint. In this paper, we present zero-correlation linear approximations and the related-tweakey impossible differential characteristics for different versions of SKINNY .We utilize Mixed Integer Linear Programming (MILP) to search all zero-correlation linear distinguishers for all variants of SKINNY, where the longest distinguisher found reaches 10 rounds. Using a 9-round characteristic, we present 14 and 18-round zero correlation attacks on SKINNY-64-64 and SKINNY- 64-128, respectively. Also, for SKINNY-n-n and SKINNY-n-2n, we construct 13 and 15-round related-tweakey impossible differential characteristics, respectively. Utilizing these characteristics, we propose 23-round related-tweakey impossible differential cryptanalysis by applying the key recovery attack for SKINNY-n-2n and 19-round attack for SKINNY-n-n. To the best of our knowledge, the presented zero-correlation characteristics in this paper are the first attempt to investigate the security of SKINNY against this attack and the results on the related-tweakey impossible differential attack are the best reported ones.

Download Full-text

New Linear Cryptanalysis of Chinese Commercial Block Cipher Standard SM4

Security and Communication Networks ◽

10.1155/2017/1461520 ◽

2017 ◽

Vol 2017 ◽

pp. 1-10

Author(s):

Yu Liu ◽

Huicong Liang ◽

Wei Wang ◽

Meiqin Wang

Keyword(s):

Wireless Communication ◽

Linear Approximation ◽

Block Cipher ◽

Linear Cryptanalysis ◽

Key Recovery ◽

Linear Approximations ◽

Partial Linear ◽

Key Recovery Attack ◽

Better Than

SM4 is a Chinese commercial block cipher standard used for wireless communication in China. In this paper, we use the partial linear approximation table of S-box to search for three rounds of iterative linear approximations of SM4, based on which the linear approximation for 20-round SM4 has been constructed. However, the best previous identified linear approximation only covers 19 rounds. At the same time, a linear approximation for 19-round SM4 is obtained, which is better than the known results. Furthermore, we show the key recovery attack on 24-round SM4 which is the best attack according to the number of rounds.

Download Full-text

Subspace Trail Cryptanalysis and its Applications to AES

IACR Transactions on Symmetric Cryptology ◽

10.46586/tosc.v2016.i2.192-225 ◽

2017 ◽

pp. 192-225

Author(s):

Lorenzo Grassi ◽

Christian Rechberger ◽

Sondre Rønjom

Keyword(s):

Block Cipher ◽

Data Complexity ◽

Secret Key ◽

Differential Attack ◽

Key Recovery ◽

Special Cases ◽

Impossible Differential ◽

The One ◽

Truncated Differential ◽

Key Recovery Attacks

We introduce subspace trail cryptanalysis, a generalization of invariant subspace cryptanalysis. With this more generic treatment of subspaces we do no longer rely on specific choices of round constants or subkeys, and the resulting method is as such a potentially more powerful attack vector. Interestingly, subspace trail cryptanalysis in fact includes techniques based on impossible or truncated differentials and integrals as special cases. Choosing AES-128 as the perhaps most studied cipher, we describe distinguishers up to 5-round AES with a single unknown key. We report (and practically verify) competitive key-recovery attacks with very low data-complexity on 2, 3 and 4 rounds of AES. Additionally, we consider AES with a secret S-Box and we present a (generic) technique that allows to directly recover the secret key without finding any information about the secret S-Box. This approach allows to use e.g. truncated differential, impossible differential and integral attacks to find the secret key. Moreover, this technique works also for other AES-like constructions, if some very common conditions on the S-Box and on the MixColumns matrix (or its inverse) hold. As a consequence, such attacks allow to better highlight the security impact of linear mappings inside an AES-like block cipher. Finally, we show that our impossible differential attack on 5 rounds of AES with secret S-Box can be turned into a distinguisher for AES in the same setting as the one recently proposed by Sun, Liu, Guo, Qu and Rijmen at CRYPTO 2016

Download Full-text

Information Leakage of VGF2 Structure

Mathematical Problems in Engineering ◽

10.1155/2013/962342 ◽

2013 ◽

Vol 2013 ◽

pp. 1-4

Author(s):

Ting Cui ◽

Chen-hui Jin ◽

Ke-feng Huang

Keyword(s):

Block Cipher ◽

Information Leakage ◽

Key Recovery ◽

New Variant ◽

Key Recovery Attack ◽

Feistel Structure

The block cipher VGF2 was designed at Inscrypt 2009. It was based on a new variant of generalized Feistel structure. By checking the property of the linear permutation, we find a full round differential in VGF2 with probability 1. Since this differential cannot distinguish the correct unknown key from the wrong keys, we fail in launching a key-recovery attack on this structure. However, we may guess half part of the plaintext without calculating the key. And we notice that this weakness may cause insecurity in some special environments.

Download Full-text