scholarly journals Cube-Based Cryptanalysis of Subterranean-SAE

2020 ◽  
pp. 192-222
Author(s):  
Fukang Liu ◽  
Takanori Isobe ◽  
Willi Meier
Keyword(s):  
Authenticated Encryption ◽  
Lightweight Cryptography ◽  
Key Recovery ◽  
Official Document ◽  
Distinguishing Attack ◽  
Input And Output ◽  
State Recovery ◽  
Full State ◽  
Standardization Process ◽  
Key Recovery Attack

Subterranean 2.0 designed by Daemen, Massolino and Rotella is a Round 2 candidate of the NIST Lightweight Cryptography Standardization process. In the official document of Subterranean 2.0, the designers have analyzed the state collisions in unkeyed absorbing by reducing the number of rounds to absorb the message from 2 to 1. However, little cryptanalysis of the authenticated encryption scheme Subterranean-SAE is made. For Subterranean-SAE, the designers introduce 8 blank rounds to separate the controllable input and output, and expect that 8 blank rounds can achieve a sufficient diffusion. Therefore, it is meaningful to investigate the security by reducing the number of blank rounds. Moreover, the designers make no security claim but expect a non-trivial effort to achieve full-state recovery in a nonce-misuse scenario. In this paper, we present the first practical full-state recovery attack in a nonce-misuse scenario with data complexity of 213 32-bit blocks. In addition, in a nonce-respecting scenario and if the number of blank rounds is reduced to 4, we can mount a key-recovery attack with 2122 calls to the internal permutation of Subterranean-SAE and 269.5 32-bit blocks. A distinguishing attack with 233 calls to the internal permutation of Subterranean-SAE and 233 32-bit blocks is achieved as well. Our cryptanalysis does not threaten the security claim for Subterranean-SAE and we hope it can enhance the understanding of Subterranean-SAE.

scholarly journals Algebraic and Higher-Order Differential Cryptanalysis of Pyjamask-96

2020 ◽  
pp. 289-312 ◽  
Author(s):  
Christoph Dobraunig ◽  
Yann Rotella ◽  
Jan Schoone
Keyword(s):  
Block Cipher ◽  
Slow Growth ◽  
Higher Order ◽  
Authenticated Encryption ◽  
Lightweight Cryptography ◽  
Key Recovery ◽  
Linear Layer ◽  
Depth Analysis ◽  
Key Recovery Attack ◽  
The Cost

Cryptographic competitions, like the ongoing NIST call for lightweight cryptography, always provide a thriving research environment, where new interesting ideas are proposed and new cryptographic insights are made. One proposal for this NIST call that is accepted for the second round is Pyjamask. Pyjamask is an authenticated encryption scheme that builds upon two block ciphers, Pyjamask-96 and Pyjamask-128, that aim to minimize the number of AND operations at the cost of a very strong linear layer. A side-effect of this goal is a slow growth in the algebraic degree. In this paper, we focus on the block cipher Pyjamask-96 and are able to provide a theoretical key-recovery attack reaching 14 (out of 14) rounds as well as a practical attack on 8 rounds. We do this by combining higher-order differentials with an in-depth analysis of the system of equations gotten for 2.5 rounds of Pyjamask-96. The AEAD-scheme Pyjamask itself is not threatened by the work in this paper.

scholarly journals Pyjamask: Block Cipher and Authenticated Encryption with Highly Efficient Masked Implementation

2020 ◽  
pp. 31-59
Author(s):  
Dahmun Goudarzi ◽  
Jérémy Jean ◽  
Stefan Kölbl ◽  
Thomas Peyrin ◽  
Matthieu Rivain ◽  
...  
Keyword(s):  
Block Cipher ◽  
High Order ◽  
Side Channel ◽  
Design Rationale ◽  
Authenticated Encryption ◽  
Lightweight Cryptography ◽  
Standardization Process ◽  
Very High ◽  
Better Than ◽  
Provably Secure

This paper introduces Pyjamask, a new block cipher family and authenticated encryption proposal submitted to the NIST lightweight cryptography standardization process. Pyjamask targets side-channel resistance as one of its main goal. More precisely, it strongly minimizes the number of nonlinear gates used in its internal primitive in order to allow efficient masked implementations, especially for high-order masking in software. Compared to other block ciphers, our proposal has thus among the smallest number of binary AND computations per input bit at the time of writing. Even though Pyjamask minimizes such an important criterion, it remains rather lightweight and efficient, thanks to a general bitslice construction that enables to computation of all nonlinear gates in parallel. For authenticated encryption, we adopt the provably secure AEAD mode OCB which has been extensively studied and has the benefit to offer full parallelization. Of course, other block cipher-based modes can be considered as well if other performance profiles are to be targeted.The paper first gives the specification of the Pyjamask block cipher and the associated AEAD proposal. We also provide a detailed design rationale for the block cipher which is guided by our aim of software efficiency in the presence of high-order masking. The security of the design is analyzed against most commonly known cryptanalysis techniques. We finally describe efficient (masked) implementations in software and provide implementation results with aggressive performances for masking of very high orders (up to 128). We also provide a rough estimation of the hardware performances which remain much better than those of an AES round-based implementation.

scholarly journals Cryptanalysis of NORX v2.0

2017 ◽  
pp. 156-174 ◽  
Author(s):  
Colin Chaigneau ◽  
Thomas Fuhr ◽  
Henri Gilbert ◽  
Jérémy Jean ◽  
Jean-René Reinhard
Keyword(s):  
Authenticated Encryption ◽  
Forgery Attack ◽  
Key Recovery ◽  
Design Decisions ◽  
The Third ◽  
Caesar Competition ◽  
Internal Operations ◽  
Key Recovery Attack ◽  
Associated Data ◽  
Main Change

NORX is an authenticated encryption scheme with associated data being publicly scrutinized as part of the ongoing CAESAR competition, where 14 other primitives are also competing. It is based on the sponge construction and relies on a simple permutation that allows efficient and versatile implementations. Thanks to research on the security of the sponge construction, the design of NORX, whose permutation is inspired from the permutations used in BLAKE and ChaCha, has evolved throughout three main versions (v1.0, v2.0 and v3.0). In this paper, we investigate the security of the full NORX v2.0 primitive that has been accepted as third-round candidate in the CAESAR competition. We show that some non-conservative design decisions probably motivated by implementation efficiency considerations result in at least one strong structural distinguisher of the underlying sponge permutation that can be turned into an attack on the full primitive. This attack yields a ciphertext-only forgery with time and data complexity 266 (resp. 2130) for the variant of NORX v2.0 using 128-bit (resp. 256-bit) keys and breaks the designers’ claim of a 128-bit, resp. 256-bit security. Furthermore, we show that this forgery attack can be extended to a key-recovery attack on the full NORX v2.0 with the same time and data complexities. We have implemented and experimentally verified the correctness of the attacks on a toy version of NORX. We emphasize that the scheme has recently been tweaked to NORX v3.0 at the beginning of the third round of the CAESAR competition: the main change introduces some key-dependent internal operations, which make NORX v3.0 immune to our attacks. However, the structural distinguisher of the permutation persists.

scholarly journals Security Cryptanalysis of NUX for the Internet of Things

2019 ◽  
Vol 2019 ◽  
pp. 1-12
Author(s):  
Yu Liu ◽  
Xiaolei Liu ◽  
Yanmin Zhao
Keyword(s):  
Internet Of Things ◽  
Radio Frequency Identification ◽  
The Internet ◽  
Differential Attack ◽  
Key Recovery ◽  
Distinguishing Attack ◽  
Restricted Environment ◽  
Linear Attack ◽  
Key Recovery Attack ◽  
The Internet Of Things

In order to adopt the restricted environment, such as radio frequency identification technology or sensor networking, which are the important components of the Internet of Things, lightweight block ciphers are designed. NUX is a 31-round iterative ultralightweight cipher proposed by Bansod et al. In this paper, we examine the resistance of NUX to differential and linear analysis and search for 1~31-round differential characteristics and linear approximations. In design specification, authors claimed that 25-round NUX is resistant to differential and linear attack. However, we can successfully perform 29-round differential attack on NUX with the 22-round differential characteristic found in this paper, which is 4 rounds more than the limitation given by authors. Furthermore, we present the key recovery attack on 22-round NUX using a 19-round linear approximation determined in this paper. Besides, distinguishing attack, whose distinguisher is built utilizing the property of differential propagation through NUX, is implemented on full NUX with data complexity 8.

scholarly journals Is AEZ v4.1 Sufficiently Resilient Against Key-Recovery Attacks?

2016 ◽  
pp. 114-133 ◽  
Author(s):  
Colin Chaigneau ◽  
Henri Gilbert
Keyword(s):  
Block Cipher ◽  
Encryption Algorithm ◽  
Instruction Set ◽  
Authenticated Encryption ◽  
Key Recovery ◽  
Security Properties ◽  
Software Implementations ◽  
Tweakable Block Cipher ◽  
Key Recovery Attack ◽  
Key Recovery Attacks

AEZ is a parallelizable, AES-based authenticated encryption algorithm that is well suited for software implementations on processors equipped with the AES-NI instruction set. It aims at offering exceptionally strong security properties such as nonce and decryption-misuse resistance and optimal security given the selected ciphertext expansion. AEZ was submitted to the authenticated ciphers competition CAESAR and was selected in 2015 for the second round of the competition. In this paper, we analyse the resilience of the latest algorithm version, AEZ v4.1 (October 2015), against key-recovery attacks. While AEZ modifications introduced in 2015 were partly motivated by thwarting a key-recovery attack of birthday complexity against AEZ v3 published at Asiacrypt 2015 by Fuhr, Leurent and Suder, we show that AEZ v4.1 remains vulnerable to a key-recovery attack of similar complexity and security impact. Our attack leverages the use, in AEZ, of an underlying tweakable block cipher based on a 4-round version of AES. Although the presented key-recovery attack does not violate the security claims of AEZ since the designers made no claim for beyond-birthday security, it can be interpreted as an indication that AEZ does not fully meet the objective of being an extremely conservative and misuse-resilient algorithm.

scholarly journals Cube-like Attack on Round-Reduced Initialization of Ketje Sr

2017 ◽  
pp. 259-280 ◽  
Author(s):  
Xiaoyang Dong ◽  
Zheng Li ◽  
Xiaoyun Wang ◽  
Ling Qin
Keyword(s):  
Linear Structure ◽  
Auxiliary Variable ◽  
The State ◽  
Divide And Conquer ◽  
Authenticated Encryption ◽  
Dynamic Variable ◽  
Key Recovery ◽  
First Results ◽  
Caesar Competition ◽  
Key Recovery Attack

This paper studies the Keccak-based authenticated encryption (AE) scheme Ketje Sr against cube-like attacks. Ketje is one of the remaining 16 candidates of third round CAESAR competition, whose primary recommendation is Ketje Sr. Although the cube-like method has been successfully applied to Ketje’s sister ciphers, including Keccak-MAC and Keyak – another Keccak-based AE scheme, similar attacks are missing for Ketje. For Ketje Sr, the state (400-bit) is much smaller than Keccak-MAC and Keyak (1600-bit), thus the 128-bit key and cubes with the same dimension would occupy more lanes in Ketje Sr. Hence, the number of key bits independent of the cube sum is very small, which makes the divide-and-conquer method (it has been applied to 7-round attack on Keccak-MAC by Dinur et al.) can not be translated to Ketje Sr trivially. This property seems to be the barrier for the translation of the previous cube-like attacks to Ketje Sr. In this paper, we evaluate Ketje Sr against the divide-and-conquer method. Firstly, by applying the linear structure technique, we find some 32/64-dimension cubes of Ketje Sr that do not multiply with each other as well as some bits of the key in the first round. In addition, we introduce the new dynamic variable instead of the auxiliary variable (it was used in Dinur et al.’s divide-and-conquer attack to reduce the diffusion of the key) to reduce the diffusion of the key as well as the cube variables. Finally, we successfully launch a 6/7-round1 key recovery attack on Ketje Sr v1 and v2 (v2 is presented for the 3rd round CAESAR competition.). In 7-round attack, the complexity of online phase for Ketje Sr v1 is 2113, while for Ketje Sr v2, it is 297 (the preprocessing complexity is the same). We claim 7-round reduced Ketje Sr v2 is weaker than v1 against our attacks. In addition, some results on other Ketje instances and Ketje Sr with smaller nonce are given. Those are the first results on Ketje and bridge the gaps of cryptanalysis between its sister ciphers – Keyak and the Keccak keyed modes.

scholarly journals SKINNY-AEAD and SKINNY-Hash

2020 ◽  
pp. 88-131 ◽  
Author(s):  
Christof Beierle ◽  
Jérémy Jean ◽  
Stefan Kölbl ◽  
Gregor Leander ◽  
Amir Moradi ◽  
...  
Keyword(s):  
Internal State ◽  
Block Ciphers ◽  
Third Party ◽  
Authenticated Encryption ◽  
Lightweight Cryptography ◽  
The Family ◽  
Encryption Schemes ◽  
Standardization Process

We present the family of authenticated encryption schemes SKINNY-AEAD and the family of hashing schemes SKINNY-Hash. All of the schemes employ a member of the SKINNY family of tweakable block ciphers, which was presented at CRYPTO 2016, as the underlying primitive. In particular, for authenticated encryption, we show how to instantiate members of SKINNY in the Deoxys-I-like ΘCB3 framework to fulfill the submission requirements of the NIST lightweight cryptography standardization process. For hashing, we use SKINNY to build a function with larger internal state and employ it in a sponge construction. To highlight the extensive amount of third-party analysis that SKINNY obtained since its publication, we briefly survey the existing cryptanalysis results for SKINNY-128-256 and SKINNY-128-384 as of February 2020. In the last part of the paper, we provide a variety of ASIC implementations of our schemes and propose new simple SKINNY-AEAD and SKINNY-Hash variants with a reduced number of rounds while maintaining a very comfortable security margin. https://csrc.nist.gov/Projects/Lightweight-Cryptography

scholarly journals On the Security of Sponge-type Authenticated Encryption Modes

2020 ◽  
pp. 93-119
Author(s):  
Bishwajit Chakraborty ◽  
Ashwin Jha ◽  
Mridul Nandi
Keyword(s):  
Previous Analysis ◽  
Authenticated Encryption ◽  
Expected Number ◽  
Lightweight Cryptography ◽  
Mode Of Operation ◽  
Encryption Schemes ◽  
Type Mode ◽  
Standardization Process ◽  
Tight Security ◽  
Security Bound

The sponge duplex is a popular mode of operation for constructing authenticated encryption schemes. In fact, one can assess the popularity of this mode from the fact that around 25 out of the 56 round 1 submissions to the ongoing NIST lightweight cryptography (LwC) standardization process are based on this mode. Among these, 14 sponge-type constructions are selected for the second round consisting of 32 submissions. In this paper, we generalize the duplexing interface of the duplex mode, which we call Transform-then-Permute. It encompasses Beetle as well as a new sponge-type mode SpoC (both are round 2 submissions to NIST LwC). We show a tight security bound for Transform-then-Permute based on b-bit permutation, which reduces to finding an exact estimation of the expected number of multi-chains (defined in this paper). As a corollary of our general result, authenticated encryption advantage of Beetle and SpoC is about T(D+r2r)/2b where T, D and r denotes the number of offline queries (related to time complexity of the attack), number of construction queries (related to data complexity) and rate of the construction (related to efficiency). Previously the same bound has been proved for Beetle under the limitation that T << min{2r, 2b/2} (that compels to choose larger permutation with higher rate). In the context of NIST LwC requirement, SpoC based on 192-bit permutation achieves the desired security with 64-bit rate, which is not achieved by either duplex or Beetle (as per the previous analysis).

scholarly journals Conditional Cube Attack on Round-Reduced ASCON

2017 ◽  
pp. 175-202 ◽  
Author(s):  
Zheng Li ◽  
Xiaoyang Dong ◽  
Xiaoyun Wang
Keyword(s):  
Time Complexity ◽  
Authenticated Encryption ◽  
Key Recovery ◽  
Key Space ◽  
Cube Attack ◽  
Linear Layer ◽  
Non Linear ◽  
Caesar Competition ◽  
Key Recovery Attack ◽  
Total Time Complexity

This paper evaluates the secure level of authenticated encryption Ascon against cube-like method. Ascon submitted by Dobraunig et al. is one of 16 survivors of the 3rd round CAESAR competition. The cube-like method is first used by Dinur et al. to analyze Keccak keyed modes. At CT-RSA 2015, Dobraunig et al. applied this method to 5/6-round reduced Ascon, whose structure is similar to Keccak keyed modes. However, for Ascon the non-linear layer is more complex and state is much smaller, which make it hard for the attackers to select enough cube variables that do not multiply with each other after the first round. This seems to be the reason why the best previous key-recovery attack is on 6-round Ascon, while for Keccak keyed modes (Keccak-MAC and Keyak) the attacked round is no less than 7-round. In this paper, we generalize the conditional cube attack proposed by Huang et al., and find new cubes depending on some key bit conditions for 5/6-round reduced Ascon, and translate the previous theoretic 6-round attack with 266 time complexity to a practical one with 240 time complexity. Moreover, we propose the first 7-round key-recovery attack on Ascon. By introducing the cube-like key-subset technique, we divide the full key space into many subsets according to different key conditions. For each key subset, we launch the cube tester to determine if the key falls into it. Finally, we recover the full key space by testing all the key subsets. The total time complexity is about 2103.9. In addition, for a weak-key subset, whose size is 2117, the attack is more efficient and costs only 277 time complexity. Those attacks do not threaten the full round (12 rounds) Ascon.

Sign in / Sign up

Export Citation Format

Share Document