Cryptanalysis of LowMC instances using single plaintext/ciphertext pair

Arguably one of the main applications of the LowMC family ciphers is in the post-quantum signature scheme PICNIC. Although LowMC family ciphers have been studied from a cryptanalytic point of view before, none of these studies were directly concerned with the actual use case of this cipher in PICNIC signature scheme. Due to the design paradigm of PICNIC, an adversary trying to perform a forgery attack on the signature scheme instantiated with LowMC would have access to only a single given plaintext/ciphertext pair, i.e. an adversary would only be able to perform attacks with data complexity 1 in a known-plaintext attack scenario. This restriction makes it impossible to employ classical cryptanalysis methodologies such as differential and linear cryptanalysis. In this paper we introduce two key-recovery attacks, both in known-plaintext model and of data complexity 1 for two variants of LowMC, both instances of the LowMC cryptanalysis challenge.

Download Full-text

Subspace Trail Cryptanalysis and its Applications to AES

IACR Transactions on Symmetric Cryptology ◽

10.46586/tosc.v2016.i2.192-225 ◽

2017 ◽

pp. 192-225

Author(s):

Lorenzo Grassi ◽

Christian Rechberger ◽

Sondre Rønjom

Keyword(s):

Block Cipher ◽

Data Complexity ◽

Secret Key ◽

Differential Attack ◽

Key Recovery ◽

Special Cases ◽

Impossible Differential ◽

The One ◽

Truncated Differential ◽

Key Recovery Attacks

We introduce subspace trail cryptanalysis, a generalization of invariant subspace cryptanalysis. With this more generic treatment of subspaces we do no longer rely on specific choices of round constants or subkeys, and the resulting method is as such a potentially more powerful attack vector. Interestingly, subspace trail cryptanalysis in fact includes techniques based on impossible or truncated differentials and integrals as special cases. Choosing AES-128 as the perhaps most studied cipher, we describe distinguishers up to 5-round AES with a single unknown key. We report (and practically verify) competitive key-recovery attacks with very low data-complexity on 2, 3 and 4 rounds of AES. Additionally, we consider AES with a secret S-Box and we present a (generic) technique that allows to directly recover the secret key without finding any information about the secret S-Box. This approach allows to use e.g. truncated differential, impossible differential and integral attacks to find the secret key. Moreover, this technique works also for other AES-like constructions, if some very common conditions on the S-Box and on the MixColumns matrix (or its inverse) hold. As a consequence, such attacks allow to better highlight the security impact of linear mappings inside an AES-like block cipher. Finally, we show that our impossible differential attack on 5 rounds of AES with secret S-Box can be turned into a distinguisher for AES in the same setting as the one recently proposed by Sun, Liu, Guo, Qu and Rijmen at CRYPTO 2016

Download Full-text

Cryptanalysis of Low-Data Instances of Full LowMCv2

IACR Transactions on Symmetric Cryptology ◽

10.46586/tosc.v2018.i3.163-181 ◽

2018 ◽

pp. 163-181 ◽

Cited By ~ 1

Author(s):

Christian Rechberger ◽

Hadi Soleimany ◽

Tyge Tiessen

Keyword(s):

Block Size ◽

Block Ciphers ◽

Group Signature ◽

Data Complexity ◽

Multiplicative Complexity ◽

Key Recovery ◽

Signature Schemes ◽

Ring Group ◽

Size Number ◽

Key Recovery Attacks

LowMC is a family of block ciphers designed for a low multiplicative complexity. The specification allows a large variety of instantiations, differing in block size, key size, number of S-boxes applied per round and allowed data complexity. The number of rounds deemed secure is determined by evaluating a number of attack vectors and taking the number of rounds still secure against the best of these. In this paper, we demonstrate that the attacks considered by the designers of LowMC in the version 2 of the round-formular were not sufficient to fend off all possible attacks. In the case of instantiations of LowMC with one of the most useful settings, namely with few applied S-boxes per round and only low allowable data complexities, efficient attacks based on difference enumeration techniques can be constructed. We show that it is most effective to consider tuples of differences instead of simple differences, both to increase the range of the distinguishers and to enable key recovery attacks. All applications for LowMC we are aware of, including signature schemes like Picnic and more recent (ring/group) signature schemes have used version 3 of the roundformular for LowMC, which takes our attack already into account.

Download Full-text

Diving Deep into the Weak Keys of Round Reduced Ascon

IACR Transactions on Symmetric Cryptology ◽

10.46586/tosc.v2021.i4.74-99 ◽

2021 ◽

pp. 74-99

Author(s):

Raghvendra Rohit ◽

Santanu Sarkar

Keyword(s):

Security Analysis ◽

Theoretical Framework ◽

Algebraic Degree ◽

Data Complexity ◽

Major Result ◽

Secret Key ◽

Key Recovery ◽

Weak Keys ◽

Key Recovery Attacks

At ToSC 2021, Rohit et al. presented the first distinguishing and key recovery attacks on 7 rounds Ascon without violating the designer’s security claims of nonce-respecting setting and data limit of 264 blocks per key. So far, these are the best attacks on 7 rounds Ascon. However, the distinguishers require (impractical) 260 data while the data complexity of key recovery attacks exactly equals 264. Whether there are any practical distinguishers and key recovery attacks (with data less than 264) on 7 rounds Ascon is still an open problem.In this work, we give positive answers to these questions by providing a comprehensive security analysis of Ascon in the weak key setting. Our first major result is the 7-round cube distinguishers with complexities 246 and 233 which work for 282 and 263 keys, respectively. Notably, we show that such weak keys exist for any choice (out of 64) of 46 and 33 specifically chosen nonce variables. In addition, we improve the data complexities of existing distinguishers for 5, 6 and 7 rounds by a factor of 28, 216 and 227, respectively. Our second contribution is a new theoretical framework for weak keys of Ascon which is solely based on the algebraic degree. Based on our construction, we identify 2127.99, 2127.97 and 2116.34 weak keys (out of 2128) for 5, 6 and 7 rounds, respectively. Next, we present two key recovery attacks on 7 rounds with different attack complexities. The best attack can recover the secret key with 263 data, 269 bits of memory and 2115.2 time. Our attacks are far from threatening the security of full 12 rounds Ascon, but we expect that they provide new insights into Ascon’s security.

Download Full-text

Key Recovery Attacks on Multivariate Public Key Cryptosystems Derived from Quadratic Forms over an Extension Field

IEICE Transactions on Fundamentals of Electronics Communications and Computer Sciences ◽

10.1587/transfun.e100.a.18 ◽

2017 ◽

Vol E100.A (1) ◽

pp. 18-25 ◽

Cited By ~ 3

Author(s):

Yasufumi HASHIMOTO

Keyword(s):

Quadratic Forms ◽

Public Key ◽

Extension Field ◽

Key Recovery ◽

Public Key Cryptosystems ◽

Multivariate Public Key ◽

Key Recovery Attacks

Download Full-text

(t,k,n) Multi-Blind Proxy Signature Scheme on Elliptic Curve

Applied Mechanics and Materials ◽

10.4028/www.scientific.net/amm.130-134.291 ◽

2011 ◽

Vol 130-134 ◽

pp. 291-294

Author(s):

Guang Liang Liu ◽

Sheng Xian Xie ◽

Wei Fu

Keyword(s):

Elliptic Curve ◽

Secret Sharing ◽

Proxy Signature ◽

Elliptic Curve Cryptosystem ◽

Secret Sharing Scheme ◽

Signature Scheme ◽

Forgery Attack ◽

Threshold Secret Sharing ◽

Sharing Scheme ◽

Security Properties

On the elliptic curve cryptosystem proposed a new multi-proxy signature scheme - (t, k, n) threshold blind proxy signature scheme.In new program blind proxy signature and (t,k,n) threshold secret sharing scheme will be combined, and will not over-concentration of the rights of the blind proxy signer .Computation of the program is small, security is high, the achieve efficiency and the utility is better .can prevent a malicious user's forgery attack and have the security properties of proxy signature.

Download Full-text

Cryptanalysis of Loiss Stream Cipher-Revisited

Journal of Applied Mathematics ◽

10.1155/2014/457275 ◽

2014 ◽

Vol 2014 ◽

pp. 1-7

Author(s):

Lin Ding ◽

Chenhui Jin ◽

Jie Guan ◽

Qiuyan Wang

Keyword(s):

Time Complexity ◽

Stream Cipher ◽

Linear Equations ◽

Data Complexity ◽

Secret Key ◽

Key Recovery ◽

Systems Of Linear Equations ◽

Key Recovery Attack ◽

Better Than

Loiss is a novel byte-oriented stream cipher proposed in 2011. In this paper, based on solving systems of linear equations, we propose an improved Guess and Determine attack on Loiss with a time complexity of 2231and a data complexity of 268, which reduces the time complexity of the Guess and Determine attack proposed by the designers by a factor of 216. Furthermore, a related key chosenIVattack on a scaled-down version of Loiss is presented. The attack recovers the 128-bit secret key of the scaled-down Loiss with a time complexity of 280, requiring 264chosenIVs. The related key attack is minimal in the sense that it only requires one related key. The result shows that our key recovery attack on the scaled-down Loiss is much better than an exhaustive key search in the related key setting.

Download Full-text

Multidimensional linear cryptanalysis with key difference invariant bias for block ciphers

Cybersecurity ◽

10.1186/s42400-021-00096-4 ◽

2021 ◽

Vol 4 (1) ◽

Author(s):

Wenqin Cao ◽

Wentao Zhang

Keyword(s):

Time Complexity ◽

Block Ciphers ◽

Linear Cryptanalysis ◽

Compression Technique ◽

Key Recovery ◽

Linear Approximations ◽

Theoretical Advantage ◽

Multidimensional Linear ◽

Multidimensional Linear Cryptanalysis ◽

Key Recovery Attacks

AbstractFor block ciphers, Bogdanov et al. found that there are some linear approximations satisfying that their biases are deterministically invariant under key difference. This property is called key difference invariant bias. Based on this property, Bogdanov et al. proposed a related-key statistical distinguisher and turned it into key-recovery attacks on LBlock and TWINE-128. In this paper, we propose a new related-key model by combining multidimensional linear cryptanalysis with key difference invariant bias. The main theoretical advantage is that our new model does not depend on statistical independence of linear approximations. We demonstrate our cryptanalysis technique by performing key recovery attacks on LBlock and TWINE-128. By using the relations of the involved round keys to reduce the number of guessed subkey bits. Moreover, the partial-compression technique is used to reduce the time complexity. We can recover the master key of LBlock up to 25 rounds with about 260.4 distinct known plaintexts, 278.85 time complexity and 261 bytes of memory requirements. Our attack can recover the master key of TWINE-128 up to 28 rounds with about 261.5 distinct known plaintexts, 2126.15 time complexity and 261 bytes of memory requirements. The results are the currently best ones on cryptanalysis of LBlock and TWINE-128.

Download Full-text