scholarly journals Extended Truncated-differential Distinguishers on Round-reduced AES

2020 ◽  
pp. 197-261
Author(s):  
Zhenzhen Bao ◽  
Jian Guo ◽  
Eik List
Keyword(s):  
Expected Number ◽  
Key Recovery ◽  
Linear Layer ◽  
Suitable Target ◽  
Key Recovery Attack ◽  
Truncated Differential ◽  
Key Recovery Attacks ◽  
Permutation Networks

Distinguishers on round-reduced AES have attracted considerable attention in the recent years. While the number of rounds covered in key-recovery attacks did not increase, subspace, yoyo, mixture-differential, and multiple-of-n cryptanalysis advanced the understanding of the properties of the cipher.For substitution-permutation networks, integral attacks are a suitable target for extension since they usually end after a linear layer sums several subcomponents. Based on results by Patarin, Chen et al. already observed that the expected number of collisions for a sum of permutations differs slightly from that for a random primitive. Though, their target remained lightweight primitives.The present work illustrates how the well-known integral distinguisher on three-round AES resembles a sum of PRPs and can be extended to truncated-differential distinguishers over 4 and 5 rounds. In contrast to previous distinguishers by Grassi et al., our approach allows to prepend a round that starts from a diagonal subspace. We demonstrate how the prepended round can be used for key recovery with a new differential key-recovery attack on six-round AES. Moreover, we show how the prepended round can also be integrated to form a six-round distinguisher. For all distinguishers and the key-recovery attack, our results are supported by implementations with Cid et al.’s established Small-AES version. While the distinguishers do not threaten the security of the AES, they try to shed more light on its properties.

scholarly journals Differential Attacks on CRAFT Exploiting the Involutory S-boxes and Tweak Additions

2020 ◽  
pp. 119-151
Author(s):  
Hao Guo ◽  
Siwei Sun ◽  
Danping Shi ◽  
Ling Sun ◽  
Yao Sun ◽  
...  
Keyword(s):  
Low Cost ◽  
Success Probability ◽  
Schedule Algorithm ◽  
Invariant Property ◽  
Differential Analysis ◽  
Secret Key ◽  
Key Recovery ◽  
Weak Keys ◽  
Key Recovery Attack ◽  
Truncated Differential

CRAFT is a lightweight tweakable block cipher proposed at FSE 2019, which allows countermeasures against Differential Fault Attacks to be integrated into the cipher at the algorithmic level with ease. CRAFT employs a lightweight and involutory S-box and linear layer, such that the encryption function can be turned into decryption at a low cost. Besides, the tweakey schedule algorithm of CRAFT is extremely simple, where four 64-bit round tweakeys are generated and repeatedly used. Due to a combination of these features which makes CRAFT exceedingly lightweight, we find that some input difference at a particular position can be preserved through any number of rounds if the input pair follows certain truncated differential trails. Interestingly, in contrast to traditional differential analysis, the validity of this invariant property is affected by the positions where the constant additions take place. We use this property to construct “weak-tweakey” truncated differential distinguishers of CRAFT in the single-key model. Subsequently, we show how the tweak additions allow us to convert these weak-tweakey distinguishers into ordinary secret-key distinguishers based on which key-recovery attacks can be performed. Moreover, we show how to construct MILP models to search for truncated differential distinguishers exploiting this invariant property. As a result, we find a 15-round truncated differential distinguisher of CRAFT and extend it to a 19-round key-recovery attack with 260.99 data, 268 memory, 294.59 time complexity, and success probability 80.66%. Also, we find a 14-round distinguisher with probability 2−43 (experimentally verified), a 16-round distinguisher with probability 2−55, and a 20-round weak-key distinguisher (2118 weak keys) with probability 2−63. Experiments on round-reduced versions of the distinguishers show that the experimental probabilities are sometimes higher than predicted. Finally, we note that our result is far from threatening the security of the full CRAFT.

scholarly journals Boomeyong: Embedding Yoyo within Boomerang and its Applications to Key Recovery Attacks on AES and Pholkos

2021 ◽  
pp. 137-169
Author(s):  
Mostafizar Rahman ◽  
Dhiman Saha ◽  
Goutam Paul
Keyword(s):  
Time Complexity ◽  
Block Cipher ◽  
New Technique ◽  
Small Scale ◽  
Key Recovery ◽  
Boomerang Attack ◽  
Tweakable Block Cipher ◽  
Key Recovery Attack ◽  
Key Recovery Attacks

This work investigates a generic way of combining two very effective and well-studied cryptanalytic tools, proposed almost 18 years apart, namely the boomerang attack introduced by Wagner in FSE 1999 and the yoyo attack by Ronjom et al. in Asiacrypt 2017. In doing so, the s-box switch and ladder switch techniques are leveraged to embed a yoyo trail inside a boomerang trail. As an immediate application, a 6-round key recovery attack on AES-128 is mounted with time complexity of 278. A 10-round key recovery attack on recently introduced AES-based tweakable block cipher Pholkos is also furnished to demonstrate the applicability of the new technique on AES-like constructions. The results on AES are experimentally verified by applying and implementing them on a small scale variant of AES. We provide arguments that draw a relation between the proposed strategy with the retracing boomerang attack devised in Eurocrypt 2020. To the best of our knowledge, this is the first attempt to merge the yoyo and boomerang techniques to analyze SPN ciphers and warrants further attention as it has the potential of becoming an important cryptanalysis tool.

scholarly journals Automatic Search of Cubes for Attacking Stream Ciphers

2021 ◽  
pp. 100-123
Author(s):  
Yao Sun
Keyword(s):  
Heuristic Method ◽  
Stream Ciphers ◽  
Divide And Conquer ◽  
Key Recovery ◽  
Cube Attack ◽  
Automatic Search ◽  
The Common ◽  
Key Recovery Attack ◽  
First Time ◽  
Key Recovery Attacks

Cube attack was proposed by Dinur and Shamir, and it has become an important tool for analyzing stream ciphers. As the problem that how to recover the superpolys accurately was resolved by Hao et al. in EUROCRYPT 2020, another important problem is how to find “good” superpolys, which is equivalent to finding “good” cubes. However, there are two difficulties in finding “good” cubes. Firstly, the number of candidate cubes is enormous and most of the cubes are not “good”. Secondly, it is costly to evaluate whether a cube is “good”.In this paper, we present a new algorithm to search for a kind of “good” cubes, called valuable cubes. A cube is called valuable, if its superpoly has (at least) a balanced secret variable. A valuable cube is “good”, because its superpoly brings in 1 bit of information about the key. More importantly, the superpolys of valuable cubes could be used in both theoretical and practical analyses. To search for valuable cubes, instead of testing a set of cubes one by one, the new algorithm deals with the set of cubes together, such that the common computations can be done only once for all candidate cubes and duplicated computations are avoided. Besides, the new algorithm uses a heuristic method to reject useless cubes efficiently. This heuristic method is based on the divide-and-conquer strategy as well as an observation.For verifications of this new algorithm, we applied it to Trivium and Kreyvium, and obtained three improvements. Firstly, we found two valuable cubes for 843-round Trivium, such that we proposed, as far as we know, the first theoretical key-recovery attack against 843-round Trivium, while the previous highest round of Trivium that can be attacked was 842, given by Hao et al. in EUROCRYPT 2020. Secondly, by finding many small valuable cubes, we presented practical attacks against 806- and 808-round Trivium for the first time, while the previous highest round of Trivium that can be attacked practically was 805. Thirdly, based on the cube used to attack 892-round Kreyvium in EUROCRYPT 2020, we found more valuable cubes and mounted the key-recovery attacks against Kreyvium to 893-round.

scholarly journals Automated Search Oriented to Key Recovery on Ciphers with Linear Key Schedule

2021 ◽  
pp. 249-291
Author(s):  
Lingyue Qin ◽  
Xiaoyang Dong ◽  
Xiaoyun Wang ◽  
Keting Jia ◽  
Yunwen Liu
Keyword(s):  
High Probability ◽  
Block Cipher ◽  
Secret Key ◽  
Key Recovery ◽  
Key Schedule ◽  
Before And After ◽  
Two Phases ◽  
Key Recovery Attack ◽  
Key Recovery Attacks ◽  
Automated Search

Automatic modelling to search distinguishers with high probability covering as many rounds as possible, such as MILP, SAT/SMT, CP models, has become a very popular cryptanalysis topic today. In those models, the optimizing objective is usually the probability or the number of rounds of the distinguishers. If we want to recover the secret key for a round-reduced block cipher, there are usually two phases, i.e., finding an efficient distinguisher and performing key-recovery attack by extending several rounds before and after the distinguisher. The total number of attacked rounds is not only related to the chosen distinguisher, but also to the extended rounds before and after the distinguisher. In this paper, we try to combine the two phases in a uniform automatic model.Concretely, we apply this idea to automate the related-key rectangle attacks on SKINNY and ForkSkinny. We propose some new distinguishers with advantage to perform key-recovery attacks. Our key-recovery attacks on a few versions of round-reduced SKINNY and ForkSkinny cover 1 to 2 more rounds than the best previous attacks.

scholarly journals Some cryptanalytic results on Lizard

2017 ◽  
pp. 82-98
Author(s):  
Subhadeep Banik ◽  
Takanori Isobe ◽  
Tingting Cui ◽  
Jian Guo
Keyword(s):  
Stream Cipher ◽  
Secret Key ◽  
Key Recovery ◽  
Key Recovery Attack ◽  
Key Recovery Attacks

Lizard is a lightweight stream cipher proposed by Hamann, Krause and Meier in IACR ToSC 2017. It has a Grain-like structure with two state registers of size 90 and 31 bits. The cipher uses a 120-bit secret key and a 64-bit IV. The authors claim that Lizard provides 80-bit security against key recovery attacks and a 60-bit security against distinguishing attacks. In this paper, we present an assortment of results and observations on Lizard. First, we show that by doing 258 random trials it is possible to find a set of 264 triplets (K, IV0, IV1) such that the Key-IV pairs (K, IV0) and (K, IV1) produce identical keystream bits. Second, we show that by performing only around 228 random trials it is possible to obtain 264 Key-IV pairs (K0, IV0) and (K1, IV1) that produce identical keystream bits. Thereafter, we show that one can construct a distinguisher for Lizard based on IVs that produce shifted keystream sequences. The process takes around 251.5 random IV encryptions (with encryption required to produce 218 keystream bits) and around 276.6 bits of memory. Next, we propose a key recovery attack on a version of Lizard with the number of initialization rounds reduced to 223 (out of 256) based on IV collisions. We then outline a method to extend our attack to 226 rounds. Our results do not affect the security claims of the designers.

scholarly journals Is AEZ v4.1 Sufficiently Resilient Against Key-Recovery Attacks?

2016 ◽  
pp. 114-133 ◽  
Author(s):  
Colin Chaigneau ◽  
Henri Gilbert
Keyword(s):  
Block Cipher ◽  
Encryption Algorithm ◽  
Instruction Set ◽  
Authenticated Encryption ◽  
Key Recovery ◽  
Security Properties ◽  
Software Implementations ◽  
Tweakable Block Cipher ◽  
Key Recovery Attack ◽  
Key Recovery Attacks

AEZ is a parallelizable, AES-based authenticated encryption algorithm that is well suited for software implementations on processors equipped with the AES-NI instruction set. It aims at offering exceptionally strong security properties such as nonce and decryption-misuse resistance and optimal security given the selected ciphertext expansion. AEZ was submitted to the authenticated ciphers competition CAESAR and was selected in 2015 for the second round of the competition. In this paper, we analyse the resilience of the latest algorithm version, AEZ v4.1 (October 2015), against key-recovery attacks. While AEZ modifications introduced in 2015 were partly motivated by thwarting a key-recovery attack of birthday complexity against AEZ v3 published at Asiacrypt 2015 by Fuhr, Leurent and Suder, we show that AEZ v4.1 remains vulnerable to a key-recovery attack of similar complexity and security impact. Our attack leverages the use, in AEZ, of an underlying tweakable block cipher based on a 4-round version of AES. Although the presented key-recovery attack does not violate the security claims of AEZ since the designers made no claim for beyond-birthday security, it can be interpreted as an indication that AEZ does not fully meet the objective of being an extremely conservative and misuse-resilient algorithm.

scholarly journals Subspace Trail Cryptanalysis and its Applications to AES

2017 ◽  
pp. 192-225
Author(s):  
Lorenzo Grassi ◽  
Christian Rechberger ◽  
Sondre Rønjom
Keyword(s):  
Block Cipher ◽  
Data Complexity ◽  
Secret Key ◽  
Differential Attack ◽  
Key Recovery ◽  
Special Cases ◽  
Impossible Differential ◽  
The One ◽  
Truncated Differential ◽  
Key Recovery Attacks

We introduce subspace trail cryptanalysis, a generalization of invariant subspace cryptanalysis. With this more generic treatment of subspaces we do no longer rely on specific choices of round constants or subkeys, and the resulting method is as such a potentially more powerful attack vector. Interestingly, subspace trail cryptanalysis in fact includes techniques based on impossible or truncated differentials and integrals as special cases. Choosing AES-128 as the perhaps most studied cipher, we describe distinguishers up to 5-round AES with a single unknown key. We report (and practically verify) competitive key-recovery attacks with very low data-complexity on 2, 3 and 4 rounds of AES. Additionally, we consider AES with a secret S-Box and we present a (generic) technique that allows to directly recover the secret key without finding any information about the secret S-Box. This approach allows to use e.g. truncated differential, impossible differential and integral attacks to find the secret key. Moreover, this technique works also for other AES-like constructions, if some very common conditions on the S-Box and on the MixColumns matrix (or its inverse) hold. As a consequence, such attacks allow to better highlight the security impact of linear mappings inside an AES-like block cipher. Finally, we show that our impossible differential attack on 5 rounds of AES with secret S-Box can be turned into a distinguisher for AES in the same setting as the one recently proposed by Sun, Liu, Guo, Qu and Rijmen at CRYPTO 2016

Improved Key Recovery Attacks on Simplified Version of K2 Stream Cipher

2020 ◽  
Author(s):  
Sudong Ma ◽  
Jie Guan
Keyword(s):  
Stream Cipher ◽  
Internal State ◽  
Linear Feedback ◽  
Dynamic Feedback ◽  
Key Recovery ◽  
Key Recovery Attack ◽  
Dynamic Feedback Control ◽  
Differential Attacks ◽  
Recommended Algorithm ◽  
Key Recovery Attacks

Abstract The K2 stream cipher, designed for 32-bit words, is an ISO/IEC 18033 standard and is listed as a recommended algorithm used by the Japanese government in the CRYPTREC project. The main feature of the K2 algorithm is the use of a dynamic feedback control mechanism between the two linear feedback shift registers, which makes the analysis of the K2 algorithm more difficult. In this paper, for its simplified version algorithm, a key recovery attack is performed by using differential attacks. Firstly, for the unknown key, the same IV is fixed in two chosen IV differential attacks, and we use the input differences and the output differences of the S-box to recover the input of S-box; the internal state values can be uniquely determined by taking intersection of the input of S-box. This technology is used to improve the key recovery attack of seven-round algorithm proposed by Deike Priemuth-Schmid. Secondly, we find the constraint relationship between the keystream equations and the unknown differences by introducing the guess difference bit and eliminate the impossible differences by the constraint relationship. Thus, we expand the key recovery attack from seven to nine rounds. The time complexity of the attack is $\boldsymbol{O} \boldsymbol{(2^{113.93})}$, the data complexity is $\boldsymbol{O}\boldsymbol{(2^{8.71})}$ and the success rate is $\textbf{99.07\%}$.

scholarly journals Algebraic and Higher-Order Differential Cryptanalysis of Pyjamask-96

2020 ◽  
pp. 289-312 ◽  
Author(s):  
Christoph Dobraunig ◽  
Yann Rotella ◽  
Jan Schoone
Keyword(s):  
Block Cipher ◽  
Slow Growth ◽  
Higher Order ◽  
Authenticated Encryption ◽  
Lightweight Cryptography ◽  
Key Recovery ◽  
Linear Layer ◽  
Depth Analysis ◽  
Key Recovery Attack ◽  
The Cost

Cryptographic competitions, like the ongoing NIST call for lightweight cryptography, always provide a thriving research environment, where new interesting ideas are proposed and new cryptographic insights are made. One proposal for this NIST call that is accepted for the second round is Pyjamask. Pyjamask is an authenticated encryption scheme that builds upon two block ciphers, Pyjamask-96 and Pyjamask-128, that aim to minimize the number of AND operations at the cost of a very strong linear layer. A side-effect of this goal is a slow growth in the algebraic degree. In this paper, we focus on the block cipher Pyjamask-96 and are able to provide a theoretical key-recovery attack reaching 14 (out of 14) rounds as well as a practical attack on 8 rounds. We do this by combining higher-order differentials with an in-depth analysis of the system of equations gotten for 2.5 rounds of Pyjamask-96. The AEAD-scheme Pyjamask itself is not threatened by the work in this paper.

scholarly journals Clustering Related-Tweak Characteristics: Application to MANTIS-6

2018 ◽  
pp. 111-132
Author(s):  
Maria Eichlseder ◽  
Daniel Kales
Keyword(s):  
Block Cipher ◽  
Differential Cryptanalysis ◽  
Differential Attack ◽  
Key Recovery ◽  
Popular Approach ◽  
Differential Characteristic ◽  
Clustering Approach ◽  
Tweakable Block Cipher ◽  
Key Recovery Attack ◽  
Truncated Differential

The TWEAKEY/STK construction is an increasingly popular approach for designing tweakable block ciphers that notably uses a linear tweakey schedule. Several recent attacks have analyzed the implications of this approach for differential cryptanalysis and other attacks that can take advantage of related tweakeys. We generalize the clustering approach of a recent differential attack on the tweakable block cipher MANTIS5 and describe a tool for efficiently finding and evaluating such clusters. More specifically, we consider the set of all differential characteristics compatible with a given truncated characteristic, tweak difference, and optional constraints for the differential. We refer to this set as a semi-truncated characteristic and estimate its probability by analyzing the distribution of compatible differences at each step. We apply this approach to find a semi-truncated differential characteristic for MANTIS6 with probability about 2−67.73 and derive a key-recovery attack with a complexity of about 255.09 chosen-plaintext queries and 255.52 computations. The data-time product is 2110.61 << 2126.

Sign in / Sign up

Export Citation Format

Share Document