scholarly journals Cube-like Attack on Round-Reduced Initialization of Ketje Sr

2017 ◽  
pp. 259-280 ◽  
Author(s):  
Xiaoyang Dong ◽  
Zheng Li ◽  
Xiaoyun Wang ◽  
Ling Qin
Keyword(s):  
Linear Structure ◽  
Auxiliary Variable ◽  
The State ◽  
Divide And Conquer ◽  
Authenticated Encryption ◽  
Dynamic Variable ◽  
Key Recovery ◽  
First Results ◽  
Caesar Competition ◽  
Key Recovery Attack

This paper studies the Keccak-based authenticated encryption (AE) scheme Ketje Sr against cube-like attacks. Ketje is one of the remaining 16 candidates of third round CAESAR competition, whose primary recommendation is Ketje Sr. Although the cube-like method has been successfully applied to Ketje’s sister ciphers, including Keccak-MAC and Keyak – another Keccak-based AE scheme, similar attacks are missing for Ketje. For Ketje Sr, the state (400-bit) is much smaller than Keccak-MAC and Keyak (1600-bit), thus the 128-bit key and cubes with the same dimension would occupy more lanes in Ketje Sr. Hence, the number of key bits independent of the cube sum is very small, which makes the divide-and-conquer method (it has been applied to 7-round attack on Keccak-MAC by Dinur et al.) can not be translated to Ketje Sr trivially. This property seems to be the barrier for the translation of the previous cube-like attacks to Ketje Sr. In this paper, we evaluate Ketje Sr against the divide-and-conquer method. Firstly, by applying the linear structure technique, we find some 32/64-dimension cubes of Ketje Sr that do not multiply with each other as well as some bits of the key in the first round. In addition, we introduce the new dynamic variable instead of the auxiliary variable (it was used in Dinur et al.’s divide-and-conquer attack to reduce the diffusion of the key) to reduce the diffusion of the key as well as the cube variables. Finally, we successfully launch a 6/7-round1 key recovery attack on Ketje Sr v1 and v2 (v2 is presented for the 3rd round CAESAR competition.). In 7-round attack, the complexity of online phase for Ketje Sr v1 is 2113, while for Ketje Sr v2, it is 297 (the preprocessing complexity is the same). We claim 7-round reduced Ketje Sr v2 is weaker than v1 against our attacks. In addition, some results on other Ketje instances and Ketje Sr with smaller nonce are given. Those are the first results on Ketje and bridge the gaps of cryptanalysis between its sister ciphers – Keyak and the Keccak keyed modes.

scholarly journals Cryptanalysis of NORX v2.0

2017 ◽  
pp. 156-174 ◽  
Author(s):  
Colin Chaigneau ◽  
Thomas Fuhr ◽  
Henri Gilbert ◽  
Jérémy Jean ◽  
Jean-René Reinhard
Keyword(s):  
Authenticated Encryption ◽  
Forgery Attack ◽  
Key Recovery ◽  
Design Decisions ◽  
The Third ◽  
Caesar Competition ◽  
Internal Operations ◽  
Key Recovery Attack ◽  
Associated Data ◽  
Main Change

NORX is an authenticated encryption scheme with associated data being publicly scrutinized as part of the ongoing CAESAR competition, where 14 other primitives are also competing. It is based on the sponge construction and relies on a simple permutation that allows efficient and versatile implementations. Thanks to research on the security of the sponge construction, the design of NORX, whose permutation is inspired from the permutations used in BLAKE and ChaCha, has evolved throughout three main versions (v1.0, v2.0 and v3.0). In this paper, we investigate the security of the full NORX v2.0 primitive that has been accepted as third-round candidate in the CAESAR competition. We show that some non-conservative design decisions probably motivated by implementation efficiency considerations result in at least one strong structural distinguisher of the underlying sponge permutation that can be turned into an attack on the full primitive. This attack yields a ciphertext-only forgery with time and data complexity 266 (resp. 2130) for the variant of NORX v2.0 using 128-bit (resp. 256-bit) keys and breaks the designers’ claim of a 128-bit, resp. 256-bit security. Furthermore, we show that this forgery attack can be extended to a key-recovery attack on the full NORX v2.0 with the same time and data complexities. We have implemented and experimentally verified the correctness of the attacks on a toy version of NORX. We emphasize that the scheme has recently been tweaked to NORX v3.0 at the beginning of the third round of the CAESAR competition: the main change introduces some key-dependent internal operations, which make NORX v3.0 immune to our attacks. However, the structural distinguisher of the permutation persists.

scholarly journals Conditional Cube Attack on Round-Reduced ASCON

2017 ◽  
pp. 175-202 ◽  
Author(s):  
Zheng Li ◽  
Xiaoyang Dong ◽  
Xiaoyun Wang
Keyword(s):  
Time Complexity ◽  
Authenticated Encryption ◽  
Key Recovery ◽  
Key Space ◽  
Cube Attack ◽  
Linear Layer ◽  
Non Linear ◽  
Caesar Competition ◽  
Key Recovery Attack ◽  
Total Time Complexity

This paper evaluates the secure level of authenticated encryption Ascon against cube-like method. Ascon submitted by Dobraunig et al. is one of 16 survivors of the 3rd round CAESAR competition. The cube-like method is first used by Dinur et al. to analyze Keccak keyed modes. At CT-RSA 2015, Dobraunig et al. applied this method to 5/6-round reduced Ascon, whose structure is similar to Keccak keyed modes. However, for Ascon the non-linear layer is more complex and state is much smaller, which make it hard for the attackers to select enough cube variables that do not multiply with each other after the first round. This seems to be the reason why the best previous key-recovery attack is on 6-round Ascon, while for Keccak keyed modes (Keccak-MAC and Keyak) the attacked round is no less than 7-round. In this paper, we generalize the conditional cube attack proposed by Huang et al., and find new cubes depending on some key bit conditions for 5/6-round reduced Ascon, and translate the previous theoretic 6-round attack with 266 time complexity to a practical one with 240 time complexity. Moreover, we propose the first 7-round key-recovery attack on Ascon. By introducing the cube-like key-subset technique, we divide the full key space into many subsets according to different key conditions. For each key subset, we launch the cube tester to determine if the key falls into it. Finally, we recover the full key space by testing all the key subsets. The total time complexity is about 2103.9. In addition, for a weak-key subset, whose size is 2117, the attack is more efficient and costs only 277 time complexity. Those attacks do not threaten the full round (12 rounds) Ascon.

scholarly journals The State of the Authenticated Encryption

2016 ◽  
Vol 67 (1) ◽  
pp. 167-190
Author(s):  
Damian Vizár
Keyword(s):  
The State ◽  
Authenticated Encryption ◽  
Research Activity ◽  
Cryptographic Primitive ◽  
Encryption Schemes ◽  
Caesar Competition ◽  
Symmetric Key

Abstract Ensuring confidentiality and integrity of communication remains among the most important goals of cryptography. The notion of authenticated encryption marries these two security goals in a single symmetric-key, cryptographic primitive. A lot of effort has been invested in authenticated encryption during the fifteen years of its existence. The recent Competition for Authenticated Encryption: Security, Applicability, and Robustness (CAESAR) has boosted the research activity in this area even more. As a result, the area of authenticated encryption boasts numerous results, both theoretically and practically oriented, and perhaps even greater number of constructions of authenticated encryption schemes. We explore the current landscape of results on authenticated encryption. We review the CEASAR competition and its candidates, the most popular construction principles, and various design goals for authenticated encryption, many of which appeared during the CAESAR competition. We also take a closer look at the candidate Offset Merkle-Damgård (OMD).

scholarly journals Automatic Search of Cubes for Attacking Stream Ciphers

2021 ◽  
pp. 100-123
Author(s):  
Yao Sun
Keyword(s):  
Heuristic Method ◽  
Stream Ciphers ◽  
Divide And Conquer ◽  
Key Recovery ◽  
Cube Attack ◽  
Automatic Search ◽  
The Common ◽  
Key Recovery Attack ◽  
First Time ◽  
Key Recovery Attacks

Cube attack was proposed by Dinur and Shamir, and it has become an important tool for analyzing stream ciphers. As the problem that how to recover the superpolys accurately was resolved by Hao et al. in EUROCRYPT 2020, another important problem is how to find “good” superpolys, which is equivalent to finding “good” cubes. However, there are two difficulties in finding “good” cubes. Firstly, the number of candidate cubes is enormous and most of the cubes are not “good”. Secondly, it is costly to evaluate whether a cube is “good”.In this paper, we present a new algorithm to search for a kind of “good” cubes, called valuable cubes. A cube is called valuable, if its superpoly has (at least) a balanced secret variable. A valuable cube is “good”, because its superpoly brings in 1 bit of information about the key. More importantly, the superpolys of valuable cubes could be used in both theoretical and practical analyses. To search for valuable cubes, instead of testing a set of cubes one by one, the new algorithm deals with the set of cubes together, such that the common computations can be done only once for all candidate cubes and duplicated computations are avoided. Besides, the new algorithm uses a heuristic method to reject useless cubes efficiently. This heuristic method is based on the divide-and-conquer strategy as well as an observation.For verifications of this new algorithm, we applied it to Trivium and Kreyvium, and obtained three improvements. Firstly, we found two valuable cubes for 843-round Trivium, such that we proposed, as far as we know, the first theoretical key-recovery attack against 843-round Trivium, while the previous highest round of Trivium that can be attacked was 842, given by Hao et al. in EUROCRYPT 2020. Secondly, by finding many small valuable cubes, we presented practical attacks against 806- and 808-round Trivium for the first time, while the previous highest round of Trivium that can be attacked practically was 805. Thirdly, based on the cube used to attack 892-round Kreyvium in EUROCRYPT 2020, we found more valuable cubes and mounted the key-recovery attacks against Kreyvium to 893-round.

scholarly journals Weak Keys in Reduced AEGIS and Tiaoxin

2021 ◽  
pp. 104-139
Author(s):  
Fukang Liu ◽  
Takanori Isobe ◽  
Willi Meier ◽  
Kosei Sakamoto
Keyword(s):  
Time Complexity ◽  
High Performance ◽  
Stream Cipher ◽  
Third Party ◽  
Key Recovery ◽  
Weak Keys ◽  
Internal States ◽  
Caesar Competition ◽  
Key Recovery Attack ◽  
Pass Through

AEGIS-128 and Tiaoxin-346 (Tiaoxin for short) are two AES-based primitives submitted to the CAESAR competition. Among them, AEGIS-128 has been selected in the final portfolio for high-performance applications, while Tiaoxin is a third-round candidate. Although both primitives adopt a stream cipher based design, they are quite different from the well-known bit-oriented stream ciphers like Trivium and the Grain family. Their common feature consists in the round update function, where the state is divided into several 128-bit words and each word has the option to pass through an AES round or not. During the 6-year CAESAR competition, it is surprising that for both primitives there is no third-party cryptanalysis of the initialization phase. Due to the similarities in both primitives, we are motivated to investigate whether there is a common way to evaluate the security of their initialization phases. Our technical contribution is to write the expressions of the internal states in terms of the nonce and the key by treating a 128-bit word as a unit and then carefully study how to simplify these expressions by adding proper conditions. As a result, we find that there are several groups of weak keys with 296 keys each in 5-round AEGIS-128 and 8-round Tiaoxin, which allows us to construct integral distinguishers with time complexity 232 and data complexity 232. Based on the distinguisher, the time complexity to recover the weak key is 272 for 5-round AEGIS-128. However, the weak key recovery attack on 8-round Tiaoxin will require the usage of a weak constant occurring with probability 2−32. All the attacks reach half of the total number of initialization rounds. We expect that this work can advance the understanding of the designs similar to AEGIS and Tiaoxin.

scholarly journals Is AEZ v4.1 Sufficiently Resilient Against Key-Recovery Attacks?

2016 ◽  
pp. 114-133 ◽  
Author(s):  
Colin Chaigneau ◽  
Henri Gilbert
Keyword(s):  
Block Cipher ◽  
Encryption Algorithm ◽  
Instruction Set ◽  
Authenticated Encryption ◽  
Key Recovery ◽  
Security Properties ◽  
Software Implementations ◽  
Tweakable Block Cipher ◽  
Key Recovery Attack ◽  
Key Recovery Attacks

AEZ is a parallelizable, AES-based authenticated encryption algorithm that is well suited for software implementations on processors equipped with the AES-NI instruction set. It aims at offering exceptionally strong security properties such as nonce and decryption-misuse resistance and optimal security given the selected ciphertext expansion. AEZ was submitted to the authenticated ciphers competition CAESAR and was selected in 2015 for the second round of the competition. In this paper, we analyse the resilience of the latest algorithm version, AEZ v4.1 (October 2015), against key-recovery attacks. While AEZ modifications introduced in 2015 were partly motivated by thwarting a key-recovery attack of birthday complexity against AEZ v3 published at Asiacrypt 2015 by Fuhr, Leurent and Suder, we show that AEZ v4.1 remains vulnerable to a key-recovery attack of similar complexity and security impact. Our attack leverages the use, in AEZ, of an underlying tweakable block cipher based on a 4-round version of AES. Although the presented key-recovery attack does not violate the security claims of AEZ since the designers made no claim for beyond-birthday security, it can be interpreted as an indication that AEZ does not fully meet the objective of being an extremely conservative and misuse-resilient algorithm.

scholarly journals Algebraic and Higher-Order Differential Cryptanalysis of Pyjamask-96

2020 ◽  
pp. 289-312 ◽  
Author(s):  
Christoph Dobraunig ◽  
Yann Rotella ◽  
Jan Schoone
Keyword(s):  
Block Cipher ◽  
Slow Growth ◽  
Higher Order ◽  
Authenticated Encryption ◽  
Lightweight Cryptography ◽  
Key Recovery ◽  
Linear Layer ◽  
Depth Analysis ◽  
Key Recovery Attack ◽  
The Cost

Cryptographic competitions, like the ongoing NIST call for lightweight cryptography, always provide a thriving research environment, where new interesting ideas are proposed and new cryptographic insights are made. One proposal for this NIST call that is accepted for the second round is Pyjamask. Pyjamask is an authenticated encryption scheme that builds upon two block ciphers, Pyjamask-96 and Pyjamask-128, that aim to minimize the number of AND operations at the cost of a very strong linear layer. A side-effect of this goal is a slow growth in the algebraic degree. In this paper, we focus on the block cipher Pyjamask-96 and are able to provide a theoretical key-recovery attack reaching 14 (out of 14) rounds as well as a practical attack on 8 rounds. We do this by combining higher-order differentials with an in-depth analysis of the system of equations gotten for 2.5 rounds of Pyjamask-96. The AEAD-scheme Pyjamask itself is not threatened by the work in this paper.

scholarly journals Cube-Based Cryptanalysis of Subterranean-SAE

2020 ◽  
pp. 192-222
Author(s):  
Fukang Liu ◽  
Takanori Isobe ◽  
Willi Meier
Keyword(s):  
Authenticated Encryption ◽  
Lightweight Cryptography ◽  
Key Recovery ◽  
Official Document ◽  
Distinguishing Attack ◽  
Input And Output ◽  
State Recovery ◽  
Full State ◽  
Standardization Process ◽  
Key Recovery Attack

Subterranean 2.0 designed by Daemen, Massolino and Rotella is a Round 2 candidate of the NIST Lightweight Cryptography Standardization process. In the official document of Subterranean 2.0, the designers have analyzed the state collisions in unkeyed absorbing by reducing the number of rounds to absorb the message from 2 to 1. However, little cryptanalysis of the authenticated encryption scheme Subterranean-SAE is made. For Subterranean-SAE, the designers introduce 8 blank rounds to separate the controllable input and output, and expect that 8 blank rounds can achieve a sufficient diffusion. Therefore, it is meaningful to investigate the security by reducing the number of blank rounds. Moreover, the designers make no security claim but expect a non-trivial effort to achieve full-state recovery in a nonce-misuse scenario. In this paper, we present the first practical full-state recovery attack in a nonce-misuse scenario with data complexity of 213 32-bit blocks. In addition, in a nonce-respecting scenario and if the number of blank rounds is reduced to 4, we can mount a key-recovery attack with 2122 calls to the internal permutation of Subterranean-SAE and 269.5 32-bit blocks. A distinguishing attack with 233 calls to the internal permutation of Subterranean-SAE and 233 32-bit blocks is achieved as well. Our cryptanalysis does not threaten the security claim for Subterranean-SAE and we hope it can enhance the understanding of Subterranean-SAE.

scholarly journals State-Recovery Attacks on Modified Ketje Jr

2018 ◽  
pp. 29-56
Author(s):  
Thomas Fuhr ◽  
María Naya-Plasencia ◽  
Yann Rotella
Keyword(s):  
Hash Function ◽  
Internal State ◽  
Design Principles ◽  
Original Version ◽  
Divide And Conquer ◽  
Encryption Algorithm ◽  
Authenticated Encryption ◽  
State Recovery ◽  
Caesar Competition

In this article we study the security of the authenticated encryption algorithm Ketje against divide-and-conquer attacks. Ketje is a third-round candidate in the ongoing CAESAR competition, which shares most of its design principles with the SHA-3 hash function. Several versions of Ketje have been submitted, with different sizes for its internal state. We describe several state-recovery attacks on the smaller variant, called Ketje Jr. We show that if one increases the amount of keystream output after each round from 16 bits to 40 bits, Ketje Jr becomes vulnerable to divide-and-conquer attacks with time complexities 271.5 for the original version and 282.3 for the current tweaked version, both with a key of 96 bits. We also propose a similar attack when considering rates of 32 bits for the non-tweaked version. Our findings do not threaten the security of Ketje, but should be taken as a warning against potential future modifications that would aim at increasing the performance of the algorithm.

Sign in / Sign up

Export Citation Format

Share Document