Conditional Cube Attack on Round-Reduced ASCON

This paper evaluates the secure level of authenticated encryption Ascon against cube-like method. Ascon submitted by Dobraunig et al. is one of 16 survivors of the 3rd round CAESAR competition. The cube-like method is first used by Dinur et al. to analyze Keccak keyed modes. At CT-RSA 2015, Dobraunig et al. applied this method to 5/6-round reduced Ascon, whose structure is similar to Keccak keyed modes. However, for Ascon the non-linear layer is more complex and state is much smaller, which make it hard for the attackers to select enough cube variables that do not multiply with each other after the first round. This seems to be the reason why the best previous key-recovery attack is on 6-round Ascon, while for Keccak keyed modes (Keccak-MAC and Keyak) the attacked round is no less than 7-round. In this paper, we generalize the conditional cube attack proposed by Huang et al., and find new cubes depending on some key bit conditions for 5/6-round reduced Ascon, and translate the previous theoretic 6-round attack with 266 time complexity to a practical one with 240 time complexity. Moreover, we propose the first 7-round key-recovery attack on Ascon. By introducing the cube-like key-subset technique, we divide the full key space into many subsets according to different key conditions. For each key subset, we launch the cube tester to determine if the key falls into it. Finally, we recover the full key space by testing all the key subsets. The total time complexity is about 2103.9. In addition, for a weak-key subset, whose size is 2117, the attack is more efficient and costs only 277 time complexity. Those attacks do not threaten the full round (12 rounds) Ascon.

Download Full-text

Weak Keys in Reduced AEGIS and Tiaoxin

IACR Transactions on Symmetric Cryptology ◽

10.46586/tosc.v2021.i2.104-139 ◽

2021 ◽

pp. 104-139

Author(s):

Fukang Liu ◽

Takanori Isobe ◽

Willi Meier ◽

Kosei Sakamoto

Keyword(s):

Time Complexity ◽

High Performance ◽

Stream Cipher ◽

Third Party ◽

Key Recovery ◽

Weak Keys ◽

Internal States ◽

Caesar Competition ◽

Key Recovery Attack ◽

Pass Through

AEGIS-128 and Tiaoxin-346 (Tiaoxin for short) are two AES-based primitives submitted to the CAESAR competition. Among them, AEGIS-128 has been selected in the final portfolio for high-performance applications, while Tiaoxin is a third-round candidate. Although both primitives adopt a stream cipher based design, they are quite different from the well-known bit-oriented stream ciphers like Trivium and the Grain family. Their common feature consists in the round update function, where the state is divided into several 128-bit words and each word has the option to pass through an AES round or not. During the 6-year CAESAR competition, it is surprising that for both primitives there is no third-party cryptanalysis of the initialization phase. Due to the similarities in both primitives, we are motivated to investigate whether there is a common way to evaluate the security of their initialization phases. Our technical contribution is to write the expressions of the internal states in terms of the nonce and the key by treating a 128-bit word as a unit and then carefully study how to simplify these expressions by adding proper conditions. As a result, we find that there are several groups of weak keys with 296 keys each in 5-round AEGIS-128 and 8-round Tiaoxin, which allows us to construct integral distinguishers with time complexity 232 and data complexity 232. Based on the distinguisher, the time complexity to recover the weak key is 272 for 5-round AEGIS-128. However, the weak key recovery attack on 8-round Tiaoxin will require the usage of a weak constant occurring with probability 2−32. All the attacks reach half of the total number of initialization rounds. We expect that this work can advance the understanding of the designs similar to AEGIS and Tiaoxin.

Download Full-text

Cryptanalysis of NORX v2.0

IACR Transactions on Symmetric Cryptology ◽

10.46586/tosc.v2017.i1.156-174 ◽

2017 ◽

pp. 156-174 ◽

Cited By ~ 1

Author(s):

Colin Chaigneau ◽

Thomas Fuhr ◽

Henri Gilbert ◽

Jérémy Jean ◽

Jean-René Reinhard

Keyword(s):

Authenticated Encryption ◽

Forgery Attack ◽

Key Recovery ◽

Design Decisions ◽

The Third ◽

Caesar Competition ◽

Internal Operations ◽

Key Recovery Attack ◽

Associated Data ◽

Main Change

NORX is an authenticated encryption scheme with associated data being publicly scrutinized as part of the ongoing CAESAR competition, where 14 other primitives are also competing. It is based on the sponge construction and relies on a simple permutation that allows efficient and versatile implementations. Thanks to research on the security of the sponge construction, the design of NORX, whose permutation is inspired from the permutations used in BLAKE and ChaCha, has evolved throughout three main versions (v1.0, v2.0 and v3.0). In this paper, we investigate the security of the full NORX v2.0 primitive that has been accepted as third-round candidate in the CAESAR competition. We show that some non-conservative design decisions probably motivated by implementation efficiency considerations result in at least one strong structural distinguisher of the underlying sponge permutation that can be turned into an attack on the full primitive. This attack yields a ciphertext-only forgery with time and data complexity 266 (resp. 2130) for the variant of NORX v2.0 using 128-bit (resp. 256-bit) keys and breaks the designers’ claim of a 128-bit, resp. 256-bit security. Furthermore, we show that this forgery attack can be extended to a key-recovery attack on the full NORX v2.0 with the same time and data complexities. We have implemented and experimentally verified the correctness of the attacks on a toy version of NORX. We emphasize that the scheme has recently been tweaked to NORX v3.0 at the beginning of the third round of the CAESAR competition: the main change introduces some key-dependent internal operations, which make NORX v3.0 immune to our attacks. However, the structural distinguisher of the permutation persists.

Download Full-text

Practical Key-Recovery Attacks On Round-Reduced Ketje Jr, Xoodoo-AE And Xoodyak

The Computer Journal ◽

10.1093/comjnl/bxz152 ◽

2020 ◽

Vol 63 (8) ◽

pp. 1231-1246

Author(s):

Haibo Zhou ◽

Zheng Li ◽

Xiaoyang Dong ◽

Keting Jia ◽

Willi Meier

Keyword(s):

Time Complexity ◽

Third Party ◽

Lightweight Cryptography ◽

Key Recovery ◽

The Third ◽

Cube Attack ◽

Caesar Competition ◽

Memory Cost ◽

Key Recovery Attacks

Abstract A new conditional cube attack was proposed by Li et al. at ToSC 2019 for cryptanalysis of Keccak keyed modes. In this paper, we find a new property of Li et al.’s method. The conditional cube attack is modified and applied to cryptanalysis of 5-round Ketje Jr, 6-round Xoodoo-AE and Xoodyak, where Ketje Jr is among the third round CAESAR competition candidates and Xoodyak is a Round 2 submission of the ongoing NIST lightweight cryptography project. For the updated conditional cube attack, all our results are shown to be of practical time complexity with negligible memory cost, and test codes are provided. Notably, our results on Xoodyak represent the first third-party cryptanalysis for Xoodyak.

Download Full-text

Algebraic and Higher-Order Differential Cryptanalysis of Pyjamask-96

IACR Transactions on Symmetric Cryptology ◽

10.46586/tosc.v2020.i1.289-312 ◽

2020 ◽

pp. 289-312 ◽

Cited By ~ 1

Author(s):

Christoph Dobraunig ◽

Yann Rotella ◽

Jan Schoone

Keyword(s):

Block Cipher ◽

Slow Growth ◽

Higher Order ◽

Authenticated Encryption ◽

Lightweight Cryptography ◽

Key Recovery ◽

Linear Layer ◽

Depth Analysis ◽

Key Recovery Attack ◽

The Cost

Cryptographic competitions, like the ongoing NIST call for lightweight cryptography, always provide a thriving research environment, where new interesting ideas are proposed and new cryptographic insights are made. One proposal for this NIST call that is accepted for the second round is Pyjamask. Pyjamask is an authenticated encryption scheme that builds upon two block ciphers, Pyjamask-96 and Pyjamask-128, that aim to minimize the number of AND operations at the cost of a very strong linear layer. A side-effect of this goal is a slow growth in the algebraic degree. In this paper, we focus on the block cipher Pyjamask-96 and are able to provide a theoretical key-recovery attack reaching 14 (out of 14) rounds as well as a practical attack on 8 rounds. We do this by combining higher-order differentials with an in-depth analysis of the system of equations gotten for 2.5 rounds of Pyjamask-96. The AEAD-scheme Pyjamask itself is not threatened by the work in this paper.

Download Full-text

Cube-like Attack on Round-Reduced Initialization of Ketje Sr

IACR Transactions on Symmetric Cryptology ◽

10.46586/tosc.v2017.i1.259-280 ◽

2017 ◽

pp. 259-280 ◽

Cited By ~ 1

Author(s):

Xiaoyang Dong ◽

Zheng Li ◽

Xiaoyun Wang ◽

Ling Qin

Keyword(s):

Linear Structure ◽

Auxiliary Variable ◽

The State ◽

Divide And Conquer ◽

Authenticated Encryption ◽

Dynamic Variable ◽

Key Recovery ◽

First Results ◽

Caesar Competition ◽

Key Recovery Attack

This paper studies the Keccak-based authenticated encryption (AE) scheme Ketje Sr against cube-like attacks. Ketje is one of the remaining 16 candidates of third round CAESAR competition, whose primary recommendation is Ketje Sr. Although the cube-like method has been successfully applied to Ketje’s sister ciphers, including Keccak-MAC and Keyak – another Keccak-based AE scheme, similar attacks are missing for Ketje. For Ketje Sr, the state (400-bit) is much smaller than Keccak-MAC and Keyak (1600-bit), thus the 128-bit key and cubes with the same dimension would occupy more lanes in Ketje Sr. Hence, the number of key bits independent of the cube sum is very small, which makes the divide-and-conquer method (it has been applied to 7-round attack on Keccak-MAC by Dinur et al.) can not be translated to Ketje Sr trivially. This property seems to be the barrier for the translation of the previous cube-like attacks to Ketje Sr. In this paper, we evaluate Ketje Sr against the divide-and-conquer method. Firstly, by applying the linear structure technique, we find some 32/64-dimension cubes of Ketje Sr that do not multiply with each other as well as some bits of the key in the first round. In addition, we introduce the new dynamic variable instead of the auxiliary variable (it was used in Dinur et al.’s divide-and-conquer attack to reduce the diffusion of the key) to reduce the diffusion of the key as well as the cube variables. Finally, we successfully launch a 6/7-round1 key recovery attack on Ketje Sr v1 and v2 (v2 is presented for the 3rd round CAESAR competition.). In 7-round attack, the complexity of online phase for Ketje Sr v1 is 2113, while for Ketje Sr v2, it is 297 (the preprocessing complexity is the same). We claim 7-round reduced Ketje Sr v2 is weaker than v1 against our attacks. In addition, some results on other Ketje instances and Ketje Sr with smaller nonce are given. Those are the first results on Ketje and bridge the gaps of cryptanalysis between its sister ciphers – Keyak and the Keccak keyed modes.

Download Full-text

Cryptanalysis of Loiss Stream Cipher-Revisited

Journal of Applied Mathematics ◽

10.1155/2014/457275 ◽

2014 ◽

Vol 2014 ◽

pp. 1-7

Author(s):

Lin Ding ◽

Chenhui Jin ◽

Jie Guan ◽

Qiuyan Wang

Keyword(s):

Time Complexity ◽

Stream Cipher ◽

Linear Equations ◽

Data Complexity ◽

Secret Key ◽

Key Recovery ◽

Systems Of Linear Equations ◽

Key Recovery Attack ◽

Better Than

Loiss is a novel byte-oriented stream cipher proposed in 2011. In this paper, based on solving systems of linear equations, we propose an improved Guess and Determine attack on Loiss with a time complexity of 2231and a data complexity of 268, which reduces the time complexity of the Guess and Determine attack proposed by the designers by a factor of 216. Furthermore, a related key chosenIVattack on a scaled-down version of Loiss is presented. The attack recovers the 128-bit secret key of the scaled-down Loiss with a time complexity of 280, requiring 264chosenIVs. The related key attack is minimal in the sense that it only requires one related key. The result shows that our key recovery attack on the scaled-down Loiss is much better than an exhaustive key search in the related key setting.

Download Full-text

Boomeyong: Embedding Yoyo within Boomerang and its Applications to Key Recovery Attacks on AES and Pholkos

IACR Transactions on Symmetric Cryptology ◽

10.46586/tosc.v2021.i3.137-169 ◽

2021 ◽

pp. 137-169

Author(s):

Mostafizar Rahman ◽

Dhiman Saha ◽

Goutam Paul

Keyword(s):

Time Complexity ◽

Block Cipher ◽

New Technique ◽

Small Scale ◽

Key Recovery ◽

Boomerang Attack ◽

Tweakable Block Cipher ◽

Key Recovery Attack ◽

Key Recovery Attacks

This work investigates a generic way of combining two very effective and well-studied cryptanalytic tools, proposed almost 18 years apart, namely the boomerang attack introduced by Wagner in FSE 1999 and the yoyo attack by Ronjom et al. in Asiacrypt 2017. In doing so, the s-box switch and ladder switch techniques are leveraged to embed a yoyo trail inside a boomerang trail. As an immediate application, a 6-round key recovery attack on AES-128 is mounted with time complexity of 278. A 10-round key recovery attack on recently introduced AES-based tweakable block cipher Pholkos is also furnished to demonstrate the applicability of the new technique on AES-like constructions. The results on AES are experimentally verified by applying and implementing them on a small scale variant of AES. We provide arguments that draw a relation between the proposed strategy with the retracing boomerang attack devised in Eurocrypt 2020. To the best of our knowledge, this is the first attempt to merge the yoyo and boomerang techniques to analyze SPN ciphers and warrants further attention as it has the potential of becoming an important cryptanalysis tool.

Download Full-text

Understanding RUP Integrity of COLM

IACR Transactions on Symmetric Cryptology ◽

10.46586/tosc.v2017.i2.143-161 ◽

2017 ◽

pp. 143-161

Author(s):

Nilanjan Datta ◽

Atul Luykx ◽

Bart Mennink ◽

Mridul Nandi

Keyword(s):

Time Complexity ◽

Encryption Scheme ◽

Authenticated Encryption ◽

Caesar Competition ◽

Mixing Functions

The authenticated encryption scheme COLM is a third-round candidate in the CAESAR competition. Much like its antecedents COPA, ELmE, and ELmD, COLM consists of two parallelizable encryption layers connected by a linear mixing function. While COPA uses plain XOR mixing, ELmE, ELmD, and COLM use a more involved invertible mixing function. In this work, we investigate the integrity of the COLM structure when unverified plaintext is released, and demonstrate that its security highly depends on the choice of mixing function. Our results are threefold. First, we discuss the practical nonce-respecting forgery by Andreeva et al. (ASIACRYPT 2014) against COPA’s XOR mixing. Then we present a noncemisusing forgery against arbitrary mixing functions with practical time complexity. Finally, by using significantly larger queries, we can extend the previous forgery to be nonce-respecting.

Download Full-text

Automatic Search of Cubes for Attacking Stream Ciphers

IACR Transactions on Symmetric Cryptology ◽

10.46586/tosc.v2021.i4.100-123 ◽

2021 ◽

pp. 100-123

Author(s):

Yao Sun

Keyword(s):

Heuristic Method ◽

Stream Ciphers ◽

Divide And Conquer ◽

Key Recovery ◽

Cube Attack ◽

Automatic Search ◽

The Common ◽

Key Recovery Attack ◽

First Time ◽

Key Recovery Attacks

Cube attack was proposed by Dinur and Shamir, and it has become an important tool for analyzing stream ciphers. As the problem that how to recover the superpolys accurately was resolved by Hao et al. in EUROCRYPT 2020, another important problem is how to find “good” superpolys, which is equivalent to finding “good” cubes. However, there are two difficulties in finding “good” cubes. Firstly, the number of candidate cubes is enormous and most of the cubes are not “good”. Secondly, it is costly to evaluate whether a cube is “good”.In this paper, we present a new algorithm to search for a kind of “good” cubes, called valuable cubes. A cube is called valuable, if its superpoly has (at least) a balanced secret variable. A valuable cube is “good”, because its superpoly brings in 1 bit of information about the key. More importantly, the superpolys of valuable cubes could be used in both theoretical and practical analyses. To search for valuable cubes, instead of testing a set of cubes one by one, the new algorithm deals with the set of cubes together, such that the common computations can be done only once for all candidate cubes and duplicated computations are avoided. Besides, the new algorithm uses a heuristic method to reject useless cubes efficiently. This heuristic method is based on the divide-and-conquer strategy as well as an observation.For verifications of this new algorithm, we applied it to Trivium and Kreyvium, and obtained three improvements. Firstly, we found two valuable cubes for 843-round Trivium, such that we proposed, as far as we know, the first theoretical key-recovery attack against 843-round Trivium, while the previous highest round of Trivium that can be attacked was 842, given by Hao et al. in EUROCRYPT 2020. Secondly, by finding many small valuable cubes, we presented practical attacks against 806- and 808-round Trivium for the first time, while the previous highest round of Trivium that can be attacked practically was 805. Thirdly, based on the cube used to attack 892-round Kreyvium in EUROCRYPT 2020, we found more valuable cubes and mounted the key-recovery attacks against Kreyvium to 893-round.

Download Full-text

Is AEZ v4.1 Sufficiently Resilient Against Key-Recovery Attacks?

IACR Transactions on Symmetric Cryptology ◽

10.46586/tosc.v2016.i1.114-133 ◽

2016 ◽

pp. 114-133 ◽

Cited By ~ 1

Author(s):

Colin Chaigneau ◽

Henri Gilbert

Keyword(s):

Block Cipher ◽

Encryption Algorithm ◽

Instruction Set ◽

Authenticated Encryption ◽

Key Recovery ◽

Security Properties ◽

Software Implementations ◽

Tweakable Block Cipher ◽

Key Recovery Attack ◽

Key Recovery Attacks

AEZ is a parallelizable, AES-based authenticated encryption algorithm that is well suited for software implementations on processors equipped with the AES-NI instruction set. It aims at offering exceptionally strong security properties such as nonce and decryption-misuse resistance and optimal security given the selected ciphertext expansion. AEZ was submitted to the authenticated ciphers competition CAESAR and was selected in 2015 for the second round of the competition. In this paper, we analyse the resilience of the latest algorithm version, AEZ v4.1 (October 2015), against key-recovery attacks. While AEZ modifications introduced in 2015 were partly motivated by thwarting a key-recovery attack of birthday complexity against AEZ v3 published at Asiacrypt 2015 by Fuhr, Leurent and Suder, we show that AEZ v4.1 remains vulnerable to a key-recovery attack of similar complexity and security impact. Our attack leverages the use, in AEZ, of an underlying tweakable block cipher based on a 4-round version of AES. Although the presented key-recovery attack does not violate the security claims of AEZ since the designers made no claim for beyond-birthday security, it can be interpreted as an indication that AEZ does not fully meet the objective of being an extremely conservative and misuse-resilient algorithm.

Download Full-text