Misuse-Free Key-Recovery and Distinguishing Attacks on 7-Round Ascon

Being one of the winning algorithms of the CAESAR competition and currently a second round candidate of the NIST lightweight cryptography standardization project, the authenticated encryption scheme Ascon (designed by Dobraunig, Eichlseder, Mendel, and Schläffer) has withstood extensive self and third-party cryptanalysis. The best known attack on Ascon could only penetrate up to 7 (out of 12) rounds due to Li et al. (ToSC Vol I, 2017). However, it violates the data limit of 264 blocks per key specified by the designers. Moreover, the best known distinguishers of Ascon in the AEAD context reach only 6 rounds. To fill these gaps, we revisit the security of 7-round Ascon in the nonce-respecting setting without violating the data limit as specified in the design. First, we introduce a new superpoly-recovery technique named as partial polynomial multiplication for which computations take place between the so-called degree-d homogeneous parts of the involved Boolean functions for a 2d-dimensional cube. We apply this method to 7-round Ascon and present several key recovery attacks. Our best attack can recover the 128-bit secret key with a time complexity of about 2123 7-round Ascon permutations and requires 264 data and 2101 bits memory. Also, based on division properties, we identify several 60 dimensional cubes whose superpolies are constant zero after 7 rounds. We further improve the cube distinguishers for 4, 5 and 6 rounds. Although our results are far from threatening the security of full 12-round Ascon, they provide new insights in the security analysis of Ascon.

Download Full-text

Practical Key-Recovery Attacks On Round-Reduced Ketje Jr, Xoodoo-AE And Xoodyak

The Computer Journal ◽

10.1093/comjnl/bxz152 ◽

2020 ◽

Vol 63 (8) ◽

pp. 1231-1246

Author(s):

Haibo Zhou ◽

Zheng Li ◽

Xiaoyang Dong ◽

Keting Jia ◽

Willi Meier

Keyword(s):

Time Complexity ◽

Third Party ◽

Lightweight Cryptography ◽

Key Recovery ◽

The Third ◽

Cube Attack ◽

Caesar Competition ◽

Memory Cost ◽

Key Recovery Attacks

Abstract A new conditional cube attack was proposed by Li et al. at ToSC 2019 for cryptanalysis of Keccak keyed modes. In this paper, we find a new property of Li et al.’s method. The conditional cube attack is modified and applied to cryptanalysis of 5-round Ketje Jr, 6-round Xoodoo-AE and Xoodyak, where Ketje Jr is among the third round CAESAR competition candidates and Xoodyak is a Round 2 submission of the ongoing NIST lightweight cryptography project. For the updated conditional cube attack, all our results are shown to be of practical time complexity with negligible memory cost, and test codes are provided. Notably, our results on Xoodyak represent the first third-party cryptanalysis for Xoodyak.

Download Full-text

Cryptanalysis of the Lightweight Block Cipher BORON

Security and Communication Networks ◽

10.1155/2019/7862738 ◽

2019 ◽

Vol 2019 ◽

pp. 1-12 ◽

Cited By ~ 1

Author(s):

Huicong Liang ◽

Meiqin Wang

Keyword(s):

Block Cipher ◽

Security Analysis ◽

Third Party ◽

Linear Cryptanalysis ◽

Key Recovery ◽

Smt Solver ◽

Optimal Probability ◽

Lightweight Block Cipher ◽

Security Evaluations ◽

Key Recovery Attacks

This paper provides security evaluations of a lightweight block cipher called BORON proposed by Bansod et al. There is no third-party cryptanalysis towards BORON. Designers only provided coarse and simple security analysis. To fill this gap, security bounds of BORON against differential and linear cryptanalysis are presented in this paper. By automatic models based on the SMT solver STP, we search for differential and linear trails with the minimal number of active S-boxes and trails with optimal probability and bias. Then, we present key-recovery attacks towards round-reduced BORON. This paper is the first third-party cryptanalysis towards BORON.

Download Full-text

Diving Deep into the Weak Keys of Round Reduced Ascon

IACR Transactions on Symmetric Cryptology ◽

10.46586/tosc.v2021.i4.74-99 ◽

2021 ◽

pp. 74-99

Author(s):

Raghvendra Rohit ◽

Santanu Sarkar

Keyword(s):

Security Analysis ◽

Theoretical Framework ◽

Algebraic Degree ◽

Data Complexity ◽

Major Result ◽

Secret Key ◽

Key Recovery ◽

Weak Keys ◽

Key Recovery Attacks

At ToSC 2021, Rohit et al. presented the first distinguishing and key recovery attacks on 7 rounds Ascon without violating the designer’s security claims of nonce-respecting setting and data limit of 264 blocks per key. So far, these are the best attacks on 7 rounds Ascon. However, the distinguishers require (impractical) 260 data while the data complexity of key recovery attacks exactly equals 264. Whether there are any practical distinguishers and key recovery attacks (with data less than 264) on 7 rounds Ascon is still an open problem.In this work, we give positive answers to these questions by providing a comprehensive security analysis of Ascon in the weak key setting. Our first major result is the 7-round cube distinguishers with complexities 246 and 233 which work for 282 and 263 keys, respectively. Notably, we show that such weak keys exist for any choice (out of 64) of 46 and 33 specifically chosen nonce variables. In addition, we improve the data complexities of existing distinguishers for 5, 6 and 7 rounds by a factor of 28, 216 and 227, respectively. Our second contribution is a new theoretical framework for weak keys of Ascon which is solely based on the algebraic degree. Based on our construction, we identify 2127.99, 2127.97 and 2116.34 weak keys (out of 2128) for 5, 6 and 7 rounds, respectively. Next, we present two key recovery attacks on 7 rounds with different attack complexities. The best attack can recover the secret key with 263 data, 269 bits of memory and 2115.2 time. Our attacks are far from threatening the security of full 12 rounds Ascon, but we expect that they provide new insights into Ascon’s security.

Download Full-text

Security Analysis of HMAC/NMAC by Using Fault Injection

Journal of Applied Mathematics ◽

10.1155/2013/101907 ◽

2013 ◽

Vol 2013 ◽

pp. 1-6 ◽

Cited By ~ 1

Author(s):

Kitae Jeong ◽

Yuseop Lee ◽

Jaechul Sung ◽

Seokhie Hong

Keyword(s):

Computational Complexity ◽

Fault Injection ◽

Security Analysis ◽

Hash Functions ◽

Main Idea ◽

Secret Key ◽

Key Recovery ◽

Injection Attacks ◽

Fault Injection Attacks ◽

Key Recovery Attacks

In Choukri and Tunstall (2005), the authors showed that if they decreased the number of rounds in AES by injecting faults, it is possible to recover the secret key. In this paper, we propose fault injection attacks on HMAC/NMAC by applying the main idea of their attack. These attacks are applicable to HMAC/NMAC based on the MD-family hash functions and can recover the secret key with the negligible computational complexity. Particularly, these results on HMAC/NMAC-SHA-2 are the first known key recovery attacks so far.

Download Full-text

Dismantling the AUT64 Automotive Cipher

IACR Transactions on Cryptographic Hardware and Embedded Systems ◽

10.46586/tches.v2018.i2.46-69 ◽

2018 ◽

pp. 46-69

Author(s):

Christopher Hicks ◽

Flavio D. Garcia ◽

David Oswald

Keyword(s):

Block Cipher ◽

Authentication Protocol ◽

Secret Key ◽

Vehicle Manufacturer ◽

Key Recovery ◽

Worst Case ◽

Remote Keyless Entry ◽

First Time ◽

Key Recovery Attacks ◽

Complete Specification

AUT64 is a 64-bit automotive block cipher with a 120-bit secret key used in a number of security sensitive applications such as vehicle immobilization and remote keyless entry systems. In this paper, we present for the first time full details of AUT64 including a complete specification and analysis of the block cipher, the associated authentication protocol, and its implementation in a widely-used vehicle immobiliser system that we have reverse engineered. Secondly, we reveal a number of cryptographic weaknesses in the block cipher design. Finally, we study the concrete use of AUT64 in a real immobiliser system, and pinpoint severe weaknesses in the key diversification scheme employed by the vehicle manufacturer. We present two key-recovery attacks based on the cryptographic weaknesses that, combined with the implementation flaws, break both the 8 and 24 round configurations of AUT64. Our attack on eight rounds requires only 512 plaintext-ciphertext pairs and, in the worst case, just 237.3 offline encryptions. In most cases, the attack can be executed within milliseconds on a standard laptop. Our attack on 24 rounds requires 2 plaintext-ciphertext pairs and 248.3 encryptions to recover the 120-bit secret key in the worst case. We have strong indications that a large part of the key is kept constant across vehicles, which would enable an attack using a single communication with the transponder and negligible offline computation.

Download Full-text

Weak Keys in Reduced AEGIS and Tiaoxin

IACR Transactions on Symmetric Cryptology ◽

10.46586/tosc.v2021.i2.104-139 ◽

2021 ◽

pp. 104-139

Author(s):

Fukang Liu ◽

Takanori Isobe ◽

Willi Meier ◽

Kosei Sakamoto

Keyword(s):

Time Complexity ◽

High Performance ◽

Stream Cipher ◽

Third Party ◽

Key Recovery ◽

Weak Keys ◽

Internal States ◽

Caesar Competition ◽

Key Recovery Attack ◽

Pass Through

AEGIS-128 and Tiaoxin-346 (Tiaoxin for short) are two AES-based primitives submitted to the CAESAR competition. Among them, AEGIS-128 has been selected in the final portfolio for high-performance applications, while Tiaoxin is a third-round candidate. Although both primitives adopt a stream cipher based design, they are quite different from the well-known bit-oriented stream ciphers like Trivium and the Grain family. Their common feature consists in the round update function, where the state is divided into several 128-bit words and each word has the option to pass through an AES round or not. During the 6-year CAESAR competition, it is surprising that for both primitives there is no third-party cryptanalysis of the initialization phase. Due to the similarities in both primitives, we are motivated to investigate whether there is a common way to evaluate the security of their initialization phases. Our technical contribution is to write the expressions of the internal states in terms of the nonce and the key by treating a 128-bit word as a unit and then carefully study how to simplify these expressions by adding proper conditions. As a result, we find that there are several groups of weak keys with 296 keys each in 5-round AEGIS-128 and 8-round Tiaoxin, which allows us to construct integral distinguishers with time complexity 232 and data complexity 232. Based on the distinguisher, the time complexity to recover the weak key is 272 for 5-round AEGIS-128. However, the weak key recovery attack on 8-round Tiaoxin will require the usage of a weak constant occurring with probability 2−32. All the attacks reach half of the total number of initialization rounds. We expect that this work can advance the understanding of the designs similar to AEGIS and Tiaoxin.

Download Full-text

Automated Search Oriented to Key Recovery on Ciphers with Linear Key Schedule

IACR Transactions on Symmetric Cryptology ◽

10.46586/tosc.v2021.i2.249-291 ◽

2021 ◽

pp. 249-291

Author(s):

Lingyue Qin ◽

Xiaoyang Dong ◽

Xiaoyun Wang ◽

Keting Jia ◽

Yunwen Liu

Keyword(s):

High Probability ◽

Block Cipher ◽

Secret Key ◽

Key Recovery ◽

Key Schedule ◽

Before And After ◽

Two Phases ◽

Key Recovery Attack ◽

Key Recovery Attacks ◽

Automated Search

Automatic modelling to search distinguishers with high probability covering as many rounds as possible, such as MILP, SAT/SMT, CP models, has become a very popular cryptanalysis topic today. In those models, the optimizing objective is usually the probability or the number of rounds of the distinguishers. If we want to recover the secret key for a round-reduced block cipher, there are usually two phases, i.e., finding an efficient distinguisher and performing key-recovery attack by extending several rounds before and after the distinguisher. The total number of attacked rounds is not only related to the chosen distinguisher, but also to the extended rounds before and after the distinguisher. In this paper, we try to combine the two phases in a uniform automatic model.Concretely, we apply this idea to automate the related-key rectangle attacks on SKINNY and ForkSkinny. We propose some new distinguishers with advantage to perform key-recovery attacks. Our key-recovery attacks on a few versions of round-reduced SKINNY and ForkSkinny cover 1 to 2 more rounds than the best previous attacks.

Download Full-text

Some cryptanalytic results on Lizard

IACR Transactions on Symmetric Cryptology ◽

10.46586/tosc.v2017.i4.82-98 ◽

2017 ◽

pp. 82-98

Author(s):

Subhadeep Banik ◽

Takanori Isobe ◽

Tingting Cui ◽

Jian Guo

Keyword(s):

Stream Cipher ◽

Secret Key ◽

Key Recovery ◽

Key Recovery Attack ◽

Key Recovery Attacks

Lizard is a lightweight stream cipher proposed by Hamann, Krause and Meier in IACR ToSC 2017. It has a Grain-like structure with two state registers of size 90 and 31 bits. The cipher uses a 120-bit secret key and a 64-bit IV. The authors claim that Lizard provides 80-bit security against key recovery attacks and a 60-bit security against distinguishing attacks. In this paper, we present an assortment of results and observations on Lizard. First, we show that by doing 258 random trials it is possible to find a set of 264 triplets (K, IV0, IV1) such that the Key-IV pairs (K, IV0) and (K, IV1) produce identical keystream bits. Second, we show that by performing only around 228 random trials it is possible to obtain 264 Key-IV pairs (K0, IV0) and (K1, IV1) that produce identical keystream bits. Thereafter, we show that one can construct a distinguisher for Lizard based on IVs that produce shifted keystream sequences. The process takes around 251.5 random IV encryptions (with encryption required to produce 218 keystream bits) and around 276.6 bits of memory. Next, we propose a key recovery attack on a version of Lizard with the number of initialization rounds reduced to 223 (out of 256) based on IV collisions. We then outline a method to extend our attack to 226 rounds. Our results do not affect the security claims of the designers.

Download Full-text

Subspace Trail Cryptanalysis and its Applications to AES

IACR Transactions on Symmetric Cryptology ◽

10.46586/tosc.v2016.i2.192-225 ◽

2017 ◽

pp. 192-225

Author(s):

Lorenzo Grassi ◽

Christian Rechberger ◽

Sondre Rønjom

Keyword(s):

Block Cipher ◽

Data Complexity ◽

Secret Key ◽

Differential Attack ◽

Key Recovery ◽

Special Cases ◽

Impossible Differential ◽

The One ◽

Truncated Differential ◽

Key Recovery Attacks

We introduce subspace trail cryptanalysis, a generalization of invariant subspace cryptanalysis. With this more generic treatment of subspaces we do no longer rely on specific choices of round constants or subkeys, and the resulting method is as such a potentially more powerful attack vector. Interestingly, subspace trail cryptanalysis in fact includes techniques based on impossible or truncated differentials and integrals as special cases. Choosing AES-128 as the perhaps most studied cipher, we describe distinguishers up to 5-round AES with a single unknown key. We report (and practically verify) competitive key-recovery attacks with very low data-complexity on 2, 3 and 4 rounds of AES. Additionally, we consider AES with a secret S-Box and we present a (generic) technique that allows to directly recover the secret key without finding any information about the secret S-Box. This approach allows to use e.g. truncated differential, impossible differential and integral attacks to find the secret key. Moreover, this technique works also for other AES-like constructions, if some very common conditions on the S-Box and on the MixColumns matrix (or its inverse) hold. As a consequence, such attacks allow to better highlight the security impact of linear mappings inside an AES-like block cipher. Finally, we show that our impossible differential attack on 5 rounds of AES with secret S-Box can be turned into a distinguisher for AES in the same setting as the one recently proposed by Sun, Liu, Guo, Qu and Rijmen at CRYPTO 2016

Download Full-text

Aggregation-Based Tag Deduplication for Cloud Storage with Resistance against Side Channel Attack

Security and Communication Networks ◽

10.1155/2021/6686281 ◽

2021 ◽

Vol 2021 ◽

pp. 1-15

Author(s):

Xin Tang ◽

Linna Zhou ◽

Bingwei Hu ◽

Haowen Wu

Keyword(s):

Cloud Storage ◽

Security Analysis ◽

Third Party ◽

Side Channel ◽

Secret Key ◽

Side Channel Attack ◽

Lagrangian Interpolation ◽

Public Auditability ◽

Cloud Users ◽

Public Verification

Tag deduplication is an emerging technique to eliminate redundancy in cloud storage, which works by signing integrity tags with a content-associated key instead of user-associated secret key. To achieve public auditability in this scenario, the linkage between cloud users and their integrity tags is firstly re-established in current solutions, which provides a potential side channel to malicious third-party auditor to steal the existence privacy of a certain target file. Such kind of attack, which is also possible among classic public auditing schemes, still cannot be well resisted and is now becoming a big obstacle in using this technique. In this paper, we propose a secure aggregation-based tag deduplication scheme (ATDS), which takes the lead to consider resistance against side channel attack during the process of public verification. To deal with this problem, we define a user-associated integrity tag based on the defined content-associated polynomial and devise a Lagrangian interpolation-based aggregation strategy to achieve tag deduplication. With the help of this technique, content-associated public key is able to be utilized instead of a user-associated one to achieve auditing. Once the verification is passed, the TPA is just only able to make sure that the verified data are correctly corresponding to at least a group of users in cloud storage, rather than determining specific owners. The security analysis and experiment results show that the proposed scheme is able to resist side channel attack and is more efficient compared with the state of the art.

Download Full-text