scholarly journals Clustering Related-Tweak Characteristics: Application to MANTIS-6

2018 ◽  
pp. 111-132
Author(s):  
Maria Eichlseder ◽  
Daniel Kales
Keyword(s):  
Block Cipher ◽  
Differential Cryptanalysis ◽  
Differential Attack ◽  
Key Recovery ◽  
Popular Approach ◽  
Differential Characteristic ◽  
Clustering Approach ◽  
Tweakable Block Cipher ◽  
Key Recovery Attack ◽  
Truncated Differential

The TWEAKEY/STK construction is an increasingly popular approach for designing tweakable block ciphers that notably uses a linear tweakey schedule. Several recent attacks have analyzed the implications of this approach for differential cryptanalysis and other attacks that can take advantage of related tweakeys. We generalize the clustering approach of a recent differential attack on the tweakable block cipher MANTIS5 and describe a tool for efficiently finding and evaluating such clusters. More specifically, we consider the set of all differential characteristics compatible with a given truncated characteristic, tweak difference, and optional constraints for the differential. We refer to this set as a semi-truncated characteristic and estimate its probability by analyzing the distribution of compatible differences at each step. We apply this approach to find a semi-truncated differential characteristic for MANTIS6 with probability about 2−67.73 and derive a key-recovery attack with a complexity of about 255.09 chosen-plaintext queries and 255.52 computations. The data-time product is 2110.61 << 2126.

scholarly journals Towards Key-recovery-attack Friendly Distinguishers: Application to GIFT-128

2021 ◽  
pp. 156-184
Author(s):  
Rui Zong ◽  
Xiaoyang Dong ◽  
Huaifeng Chen ◽  
Yiyuan Luo ◽  
Si Wang ◽  
...  
Keyword(s):  
Block Cipher ◽  
Recovery Process ◽  
Low Complexity ◽  
Differential Cryptanalysis ◽  
Linear Cryptanalysis ◽  
Linear Hull ◽  
Differential Attack ◽  
Key Recovery ◽  
Key Recovery Attack

When analyzing a block cipher, the first step is to search for some valid distinguishers, for example, the differential trails in the differential cryptanalysis and the linear trails in the linear cryptanalysis. A distinguisher is advantageous if it can be utilized to attack more rounds and the amount of the involved key bits during the key-recovery process is small, as this leads to a long attack with a low complexity. In this article, we propose a two-step strategy to search for such advantageous distinguishers. This strategy is inspired by the intuition that if a differential is advantageous only when some properties are satisfied, then we can predefine some constraints describing these properties and search for the differentials in the small set.As applications, our strategy is used to analyze GIFT-128, which was proposed in CHES 2017. Based on some 20-round differentials, we give the first 27-round differential attack on GIFT-128, which covers one more round than the best previous result. Also, based on two 17-round linear trails, we give the first linear hull attack on GIFT-128, which covers 22 rounds. In addition, we also give some results on two GIFT-128 based AEADs GIFT-COFB and SUNDAE-GIFT.

scholarly journals Boomeyong: Embedding Yoyo within Boomerang and its Applications to Key Recovery Attacks on AES and Pholkos

2021 ◽  
pp. 137-169
Author(s):  
Mostafizar Rahman ◽  
Dhiman Saha ◽  
Goutam Paul
Keyword(s):  
Time Complexity ◽  
Block Cipher ◽  
New Technique ◽  
Small Scale ◽  
Key Recovery ◽  
Boomerang Attack ◽  
Tweakable Block Cipher ◽  
Key Recovery Attack ◽  
Key Recovery Attacks

This work investigates a generic way of combining two very effective and well-studied cryptanalytic tools, proposed almost 18 years apart, namely the boomerang attack introduced by Wagner in FSE 1999 and the yoyo attack by Ronjom et al. in Asiacrypt 2017. In doing so, the s-box switch and ladder switch techniques are leveraged to embed a yoyo trail inside a boomerang trail. As an immediate application, a 6-round key recovery attack on AES-128 is mounted with time complexity of 278. A 10-round key recovery attack on recently introduced AES-based tweakable block cipher Pholkos is also furnished to demonstrate the applicability of the new technique on AES-like constructions. The results on AES are experimentally verified by applying and implementing them on a small scale variant of AES. We provide arguments that draw a relation between the proposed strategy with the retracing boomerang attack devised in Eurocrypt 2020. To the best of our knowledge, this is the first attempt to merge the yoyo and boomerang techniques to analyze SPN ciphers and warrants further attention as it has the potential of becoming an important cryptanalysis tool.

scholarly journals Cryptanalysis of Reduced round SKINNY Block Cipher

2018 ◽  
pp. 124-162 ◽  
Author(s):  
Sadegh Sadeghi ◽  
Tahereh Mohammadi ◽  
Nasour Bagheri
Keyword(s):  
Mixed Integer Linear Programming ◽  
Block Cipher ◽  
Mixed Integer ◽  
Differential Attack ◽  
Key Recovery ◽  
Zero Correlation ◽  
Impossible Differential ◽  
Key Recovery Attack ◽  
Correlation Attacks ◽  
Impossible Differential Cryptanalysis

SKINNY is a family of lightweight tweakable block ciphers designed to have the smallest hardware footprint. In this paper, we present zero-correlation linear approximations and the related-tweakey impossible differential characteristics for different versions of SKINNY .We utilize Mixed Integer Linear Programming (MILP) to search all zero-correlation linear distinguishers for all variants of SKINNY, where the longest distinguisher found reaches 10 rounds. Using a 9-round characteristic, we present 14 and 18-round zero correlation attacks on SKINNY-64-64 and SKINNY- 64-128, respectively. Also, for SKINNY-n-n and SKINNY-n-2n, we construct 13 and 15-round related-tweakey impossible differential characteristics, respectively. Utilizing these characteristics, we propose 23-round related-tweakey impossible differential cryptanalysis by applying the key recovery attack for SKINNY-n-2n and 19-round attack for SKINNY-n-n. To the best of our knowledge, the presented zero-correlation characteristics in this paper are the first attempt to investigate the security of SKINNY against this attack and the results on the related-tweakey impossible differential attack are the best reported ones.

scholarly journals Is AEZ v4.1 Sufficiently Resilient Against Key-Recovery Attacks?

2016 ◽  
pp. 114-133 ◽  
Author(s):  
Colin Chaigneau ◽  
Henri Gilbert
Keyword(s):  
Block Cipher ◽  
Encryption Algorithm ◽  
Instruction Set ◽  
Authenticated Encryption ◽  
Key Recovery ◽  
Security Properties ◽  
Software Implementations ◽  
Tweakable Block Cipher ◽  
Key Recovery Attack ◽  
Key Recovery Attacks

AEZ is a parallelizable, AES-based authenticated encryption algorithm that is well suited for software implementations on processors equipped with the AES-NI instruction set. It aims at offering exceptionally strong security properties such as nonce and decryption-misuse resistance and optimal security given the selected ciphertext expansion. AEZ was submitted to the authenticated ciphers competition CAESAR and was selected in 2015 for the second round of the competition. In this paper, we analyse the resilience of the latest algorithm version, AEZ v4.1 (October 2015), against key-recovery attacks. While AEZ modifications introduced in 2015 were partly motivated by thwarting a key-recovery attack of birthday complexity against AEZ v3 published at Asiacrypt 2015 by Fuhr, Leurent and Suder, we show that AEZ v4.1 remains vulnerable to a key-recovery attack of similar complexity and security impact. Our attack leverages the use, in AEZ, of an underlying tweakable block cipher based on a 4-round version of AES. Although the presented key-recovery attack does not violate the security claims of AEZ since the designers made no claim for beyond-birthday security, it can be interpreted as an indication that AEZ does not fully meet the objective of being an extremely conservative and misuse-resilient algorithm.

scholarly journals Subspace Trail Cryptanalysis and its Applications to AES

2017 ◽  
pp. 192-225
Author(s):  
Lorenzo Grassi ◽  
Christian Rechberger ◽  
Sondre Rønjom
Keyword(s):  
Block Cipher ◽  
Data Complexity ◽  
Secret Key ◽  
Differential Attack ◽  
Key Recovery ◽  
Special Cases ◽  
Impossible Differential ◽  
The One ◽  
Truncated Differential ◽  
Key Recovery Attacks

We introduce subspace trail cryptanalysis, a generalization of invariant subspace cryptanalysis. With this more generic treatment of subspaces we do no longer rely on specific choices of round constants or subkeys, and the resulting method is as such a potentially more powerful attack vector. Interestingly, subspace trail cryptanalysis in fact includes techniques based on impossible or truncated differentials and integrals as special cases. Choosing AES-128 as the perhaps most studied cipher, we describe distinguishers up to 5-round AES with a single unknown key. We report (and practically verify) competitive key-recovery attacks with very low data-complexity on 2, 3 and 4 rounds of AES. Additionally, we consider AES with a secret S-Box and we present a (generic) technique that allows to directly recover the secret key without finding any information about the secret S-Box. This approach allows to use e.g. truncated differential, impossible differential and integral attacks to find the secret key. Moreover, this technique works also for other AES-like constructions, if some very common conditions on the S-Box and on the MixColumns matrix (or its inverse) hold. As a consequence, such attacks allow to better highlight the security impact of linear mappings inside an AES-like block cipher. Finally, we show that our impossible differential attack on 5 rounds of AES with secret S-Box can be turned into a distinguisher for AES in the same setting as the one recently proposed by Sun, Liu, Guo, Qu and Rijmen at CRYPTO 2016

scholarly journals Practical Key-Recovery Attack on MANTIS5

2017 ◽  
pp. 248-260
Author(s):  
Christoph Dobraunig ◽  
Maria Eichlseder ◽  
Daniel Kales ◽  
Florian Mendel
Keyword(s):  
Computational Complexity ◽  
Block Cipher ◽  
Practical Implementation ◽  
Data Complexity ◽  
Key Recovery ◽  
Round Function ◽  
Tweakable Block Cipher ◽  
Key Recovery Attack

MANTIS is a lightweight tweakable block cipher published at CRYPTO 2016. In addition to the full 14-round version, MANTIS7, the designers also propose an aggressive 10-round version, MANTIS5. The security claim for MANTIS5 is resistance against “practical attacks”, defined as related-tweak attacks with data complexity 2d less than 230 chosen plaintexts (or 240 known plaintexts), and computational complexity at most 2126−d. We present a key-recovery attack against MANTIS5 with 228 chosen plaintexts and a computational complexity of about 238 block cipher calls, which violates this claim. Our attack is based on a family of differential characteristics and exploits several properties of the lightweight round function and tweakey schedule. To verify the validity of the attack, we also provide a practical implementation which recovers the full key in about 1 core hour using 230 chosen plaintexts.

scholarly journals An Improved Truncated Differential Cryptanalysis of Klein

2016 ◽  
Vol 67 (1) ◽  
pp. 135-147
Author(s):  
Shahram Rasoolzadeh ◽  
Zahra Ahmadian ◽  
Mahmoud Salmasizadeh ◽  
Mohammad Reza Aref
Keyword(s):  
Block Cipher ◽  
Slight Modification ◽  
Secret Key ◽  
Differential Attack ◽  
Key Recovery ◽  
Recovery Method ◽  
Software And Hardware ◽  
State Size ◽  
Truncated Differential ◽  
Better Than

Abstract KLEIN is a family of lightweight block ciphers which was proposed at RFIDSec 2011 by Gong et. al. It has three versions with 64, 80 or 96-bit key size, all with a 64-bit state size. It uses 16 identical 4-bit S-boxes combined with two AES’s MixColumn transformations for each round. This approach allows compact implementations of KLEIN in both low-end software and hardware. Such an unconventional combination attracts the attention of cryptanalysts, and several security analyses have been published. The most successful one was presented at FSE 2014 which was a truncated differential attack. They could attack up to 12, 13 and 14 rounds out of total number of 12, 16 and 20 rounds for KLEIN-64, -80 and -96, respectively. In this paper, we present improved attacks on three versions of KLEIN block cipher, which recover the full secret key with better time and data complexities for the previously analyzed number of rounds. The improvements also enable us to attack up to 14 and 15 rounds for KLEIN-80 and -96, respectively, which are the highest rounds ever analyzed. Our improvements are twofold: the first, finding two new truncated differential paths with probabilities better than that of the previous ones, and the second, a slight modification in the key recovery method which makes it faster.

On optimal size in truncated differential attacks

2015 ◽  
Vol 52 (2) ◽  
pp. 246-254 ◽  
Author(s):  
Nicolas T. Courtois ◽  
Theodosis Mourouzis ◽  
Anna Grocholewska-Czuryło ◽  
Jean-Jacques Quisquater
Keyword(s):  
Block Cipher ◽  
Ad Hoc ◽  
Differential Cryptanalysis ◽  
Optimal Size ◽  
Potential Space ◽  
Differential Attack ◽  
Pass Through ◽  
Differential Attacks ◽  
Differential Properties ◽  
Truncated Differential

Differential Cryptanalysis (DC) is one of the oldest known attacks on block ciphers. DC is based on tracking of changes in the differences between two messages as they pass through the consecutive rounds of encryption. However DC remains very poorly understood. In his textbook written in the late 1990s Schneier wrote that against differential cryptanalysis, GOST is “probably stronger than DES”. In fact Knudsen have soon proposed more powerful advanced differential attacks however the potential space of such attacks is truly immense. To this day there is no method which allows to evaluate the security of a cipher against such attacks in a systematic way. Instead, attacks are designed and improved in ad-hoc ways with heuristics [6–13,21]. The best differential attack known has time complexity of 2179 [13]. In this paper we show that for a given block cipher there exists an optimal size for advanced differential properties. This new understanding allows to considerably reduce the space to be searched for “good” truncated differential properties suitable for an attack.

scholarly journals Different Types of Attacks on Block Ciphers

2020 ◽  
Vol 9 (3) ◽  
pp. 28-31
Keyword(s):  
Block Cipher ◽  
Classical Method ◽  
System Of Nonlinear Equations ◽  
Algebraic Attack ◽  
Differential Attack ◽  
Different Types ◽  
Important Challenge ◽  
Impossible Differential ◽  
Linear Differential ◽  
Truncated Differential

Cryptanalysis is a very important challenge that faces cryptographers. It has several types that should be well studied by cryptographers to be able to design cryptosystem more secure and able to resist any type of attacks. This paper introduces six types of attacks: Linear, Differential , Linear-Differential, Truncated differential Impossible differential attack and Algebraic attacks. In this paper, algebraic attack is used to formulate the substitution box(S-box) of a block cipher to system of nonlinear equations and solve this system by using a classical method called Grobner  Bases . By Solving these equations, we made algebraic attack on S-box.

scholarly journals Provable Security Against a Differential Attack

1994 ◽  
Vol 23 (473) ◽  
Author(s):  
Kaisa Nyberg ◽  
Lars Ramkilde Knudsen
Keyword(s):  
Upper Bound ◽  
Provable Security ◽  
Block Cipher ◽  
Differential Cryptanalysis ◽  
Font Size ◽  
Differential Attack ◽  
Round Function ◽  
Differential Attacks

The purpose of this paper is to show that there exist DES-like iterated ciphers, which are provably resistant against differential attacks. The main result on the security of a DES-like cipher with independent round keys is Theorem 1, which gives an upper bound to the probability of <em>s</em>-round differentials, as defined in <em>Markov Ciphers and Differential Cryptanalysis </em> by X. Lai et al. and this upper bound depends only on the round function of the iterated cipher. Moreover, it is shown that there exist functions such that the probabilities of differentials are less than or equal to 2<sup><span style="font-size: x-small;">3-n</span></sup>, where <em>n</em> is the length of the plaintext block. We also show a prototype of an iterated block cipher, which is compatible with DES and has proven security against differential attacks.

Sign in / Sign up

Export Citation Format

Share Document