Exploring Differential-Based Distinguishers and Forgeries for ASCON

2021 ◽  
pp. 102-136
Author(s):  
David Gerault ◽  
Thomas Peyrin ◽  
Quan Quan Tan
Keyword(s):  
Black Box ◽  
Authenticated Encryption ◽  
Cryptographic Primitives ◽  
Search Heuristics ◽  
First Choice ◽  
Differential Characteristic ◽  
Symmetric Key ◽  
Performance Profiles ◽  
Automated Methods ◽  
Recent Attack

Automated methods have become crucial components when searching for distinguishers against symmetric-key cryptographic primitives. While MILP and SAT solvers are among the most popular tools to model ciphers and perform cryptanalysis, other methods with different performance profiles are appearing. In this article, we explore the use of Constraint Programming (CP) for differential cryptanalysis on the Ascon authenticated encryption family (first choice of the CAESAR lightweight applications portfolio and current finalist of the NIST LWC competition) and its internal permutation. We first present a search methodology for finding differential characteristics for Ascon with CP, which can easily find the best differential characteristics already reported by the Ascon designers. This shows the capability of CP in generating easily good differential results compared to dedicated search heuristics. Based on our tool, we also parametrize the search strategies in CP to generate other differential characteristics with the goal of forming limited-birthday distinguishers for 4, 5, 6 and 7 rounds and rectangle attacks for 4 and 5 rounds of the Ascon internal permutation. We propose a categorization of the distinguishers into black-box and non-black-box to better differentiate them as they are often useful in different contexts. We also obtained limited-birthday distinguishers which represent currently the best known distinguishers for 4, 5 and 6 rounds under the category of non-black-box distinguishers. Leveraging again our tool, we have generated forgery attacks against both reduced-rounds Ascon-128 and Ascon-128a, improving over the best reported results at the time of writing. Finally, using the best differential characteristic we have found for 2 rounds, we could also improve a recent attack on round-reduced Ascon-Hash.

scholarly journals On the optimality of non-linear computations for symmetric key primitives

2018 ◽  
Vol 12 (4) ◽  
pp. 241-259
Author(s):  
Avik Chakraborti ◽  
Nilanjan Datta ◽  
Mridul Nandi
Keyword(s):  
Block Cipher ◽  
Linear Mapping ◽  
Authenticated Encryption ◽  
Non Linear ◽  
Minimum Number ◽  
Symmetric Key ◽  
Linear Block

Abstract A block is an n-bit string, and a (possibly keyed) block-function is a non-linear mapping that maps one block to another, e.g., a block-cipher. In this paper, we consider various symmetric key primitives with {\ell} block inputs and raise the following question: what is the minimum number of block-function invocations required for a mode to be secure? We begin with encryption modes that generate {\ell^{\prime}} block outputs and show that at least {(\ell+\ell^{\prime}-1)} block-function invocations are necessary to achieve the PRF security. In presence of a nonce, the requirement of block-functions reduces to {\ell^{\prime}} blocks only. If {\ell=\ell^{\prime}} , in order to achieve SPRP security, the mode requires at least {2\ell} many block-function invocations. We next consider length preserving r-block (called chunk) online encryption modes and show that, to achieve online PRP security, each chunk should have at least {2r-1} many and overall at least {2r\ell-1} many block-functions for {\ell} many chunks. Moreover, we show that it can achieve online SPRP security if each chunk contains at least {2r} non-linear block-functions. We next analyze affine MAC modes and show that an integrity-secure affine MAC mode requires at least {\ell} many block-function invocations to process an {\ell} block message. Finally, we consider affine mode authenticated encryption and show that in order to achieve INT-RUP security or integrity security under a nonce-misuse scenario, either (i) the number of non-linear block-functions required to generate the ciphertext is more than {\ell} or (ii) the number of extra non-linear block-functions required to generate the tag depends on {\ell} .

scholarly journals Efficient and high speed key-independent AES-based authenticated encryption architecture using FPGAs

2017 ◽  
Vol 7 (1.5) ◽  
pp. 230
Author(s):  
A. Murali ◽  
K Hari Kishore
Keyword(s):  
High Speed ◽  
Hash Functions ◽  
Data Integrity ◽  
Block Ciphers ◽  
Authenticated Encryption ◽  
Time Data ◽  
Cryptographic Primitives ◽  
Security Services ◽  
High Security ◽  
Security Levels

Data manipulations are made with the use of communication and networking systems. But at the same time, data integrity is also a needed and important property that must be maintained in every data communicating systems. For this, the security levels are provided with cryptographic primitives like hash functions and block ciphers which are deployed into the systems. For efficient architectures, FPGA-based systems like AES-GCM and AEGIS-128 plays in the best part of the re-configurability, which supports the security services of such communication and networking systems. We possibly focus on the performance of the systems with the high security of the FPGA bit streams. GF (2128) multiplier is implemented for authentication tasks for high-speed targets. And also, the implementations were evaluated by using vertex 4.5 FPGA’s

Introducing Elitist Black-Box Models: When Does Elitist Behavior Weaken the Performance of Evolutionary Algorithms?

2017 ◽  
Vol 25 (4) ◽  
pp. 587-606 ◽  
Author(s):  
Carola Doerr ◽  
Johannes Lengler
Keyword(s):  
Monte Carlo ◽  
Evolutionary Algorithms ◽  
Function Class ◽  
Black Box ◽  
Fixed Number ◽  
Exponential Factor ◽  
Expected Time ◽  
Box Models ◽  
Search Heuristics ◽  
Black Box Models

Black-box complexity theory provides lower bounds for the runtime of black-box optimizers like evolutionary algorithms and other search heuristics and serves as an inspiration for the design of new genetic algorithms. Several black-box models covering different classes of algorithms exist, each highlighting a different aspect of the algorithms under considerations. In this work we add to the existing black-box notions a new elitist black-box model, in which algorithms are required to base all decisions solely on (the relative performance of) a fixed number of the best search points sampled so far. Our elitist model thus combines features of the ranking-based and the memory-restricted black-box models with an enforced usage of truncation selection. We provide several examples for which the elitist black-box complexity is exponentially larger than that of the respective complexities in all previous black-box models, thus showing that the elitist black-box complexity can be much closer to the runtime of typical evolutionary algorithms. We also introduce the concept of p-Monte Carlo black-box complexity, which measures the time it takes to optimize a problem with failure probability at most p. Even for small  p, the p-Monte Carlo black-box complexity of a function class [Formula: see text] can be smaller by an exponential factor than its typically regarded Las Vegas complexity (which measures the expected time it takes to optimize [Formula: see text]).

scholarly journals Refined Probability of Differential Characteristics Including Dependency Between Multiple Rounds

2017 ◽  
pp. 203-227
Author(s):  
Anne Canteaut ◽  
Eran Lambooij ◽  
Samuel Neves ◽  
Shahram Rasoolzadeh ◽  
Yu Sasaki ◽  
...  
Keyword(s):  
Block Cipher ◽  
Current Paper ◽  
Inner Function ◽  
Encryption Scheme ◽  
Authenticated Encryption ◽  
Binary Matrix ◽  
Exact Probability ◽  
The Core ◽  
Differential Characteristic ◽  
Lightweight Block Cipher

The current paper studies the probability of differential characteristics for an unkeyed (or with a fixed key) construction. Most notably, it focuses on the gap between two probabilities of differential characteristics: probability with independent S-box assumption, pind, and exact probability, pexact. It turns out that pexact is larger than pind in Feistel network with some S-box based inner function. The mechanism of this gap is then theoretically analyzed. The gap is derived from interaction of S-boxes in three rounds, and the gap depends on the size and choice of the S-box. In particular the gap can never be zero when the S-box is bigger than six bits. To demonstrate the power of this improvement, a related-key differential characteristic is proposed against a lightweight block cipher RoadRunneR. For the 128-bit key version, pind of 2−48 is improved to pexact of 2−43. For the 80-bit key version, pind of 2−68 is improved to pexact of 2−62. The analysis is further extended to SPN with an almost-MDS binary matrix in the core primitive of the authenticated encryption scheme Minalpher: pind of 2−128 is improved to pexact of 2−96, which allows to extend the attack by two rounds.

scholarly journals Measuring Performances of a White-Box Approach in the IoT Context

Symmetry ◽  
2019 ◽  
Vol 11 (8) ◽  
pp. 1000
Author(s):  
Daniele Giacomo Vittorio Albricci ◽  
Michela Ceria ◽  
Federico Cioschi ◽  
Nicolò Fornari ◽  
Arvin Shakiba ◽  
...  
Keyword(s):  
Black Box ◽  
The Internet ◽  
Computational Power ◽  
Smart Objects ◽  
Server Side ◽  
Share Data ◽  
Symmetric Ciphers ◽  
Symmetric Key ◽  
Key Length ◽  
The Internet Of Things

The internet of things (IoT) refers to all the smart objects that are connected to other objects, devices or servers and that are able to collect and share data, in order to “learn” and improve their functionalities. Smart objects suffer from lack of memory and computational power, since they are usually lightweight. Moreover, their security is weakened by the fact that smart objects can be placed in unprotected environments, where adversaries are able to play with the symmetric-key algorithm used and the device on which the cryptographic operations are executed. In this paper, we focus on a family of white-box symmetric ciphers substitution–permutation network (SPN)box, extending and improving our previous paper on the topic presented at WIDECOM2019. We highlight the importance of white-box cryptography in the IoT context, but also the need to have a fast black-box implementation (server-side) of the cipher. We show that, modifying an internal layer of SPNbox, we are able to increase the key length and to improve the performance of the implementation. We measure these improvements (a) on 32/64-bit architectures and (b) in the IoT context by encrypting/decrypting 10,000 payloads of lightweight messaging protocol Message Queuing Telemetry Transport (MQTT).

scholarly journals Minimizing Key Materials: The Even–Mansour Cipher Revisited and Its Application to Lightweight Authenticated Encryption

2020 ◽  
Vol 2020 ◽  
pp. 1-6
Author(s):  
Ping Zhang ◽  
Qian Yuan
Keyword(s):  
Open Problem ◽  
Provable Security ◽  
Simple Structure ◽  
Block Ciphers ◽  
Authenticated Encryption ◽  
Maximal Multiplicity ◽  
Symmetric Key ◽  
Security Bound

The Even–Mansour cipher has been widely used in block ciphers and lightweight symmetric-key ciphers because of its simple structure and strict provable security. Its research has been a hot topic in cryptography. This paper focuses on the problem to minimize the key material of the Even–Mansour cipher while its security bound remains essentially the same. We introduce four structures of the Even–Mansour cipher with a short key and derive their security by Patarin’s H-coefficients technique. These four structures are proven secure up to O˜2k/μ adversarial queries, where k is the bit length of the key material and μ is the maximal multiplicity. Then, we apply them to lightweight authenticated encryption modes and prove their security up to about minb/2,c,k−log μ-bit adversarial queries, where b is the size of the permutation and c is the capacity of the permutation. Finally, we leave it as an open problem to settle the security of the t-round iterated Even–Mansour cipher with short keys.

scholarly journals The State of the Authenticated Encryption

2016 ◽  
Vol 67 (1) ◽  
pp. 167-190
Author(s):  
Damian Vizár
Keyword(s):  
The State ◽  
Authenticated Encryption ◽  
Research Activity ◽  
Cryptographic Primitive ◽  
Encryption Schemes ◽  
Caesar Competition ◽  
Symmetric Key

Abstract Ensuring confidentiality and integrity of communication remains among the most important goals of cryptography. The notion of authenticated encryption marries these two security goals in a single symmetric-key, cryptographic primitive. A lot of effort has been invested in authenticated encryption during the fifteen years of its existence. The recent Competition for Authenticated Encryption: Security, Applicability, and Robustness (CAESAR) has boosted the research activity in this area even more. As a result, the area of authenticated encryption boasts numerous results, both theoretically and practically oriented, and perhaps even greater number of constructions of authenticated encryption schemes. We explore the current landscape of results on authenticated encryption. We review the CEASAR competition and its candidates, the most popular construction principles, and various design goals for authenticated encryption, many of which appeared during the CAESAR competition. We also take a closer look at the candidate Offset Merkle-Damgård (OMD).

Identity-based Encryption from the Diffie-Hellman Assumption

2021 ◽  
Vol 68 (3) ◽  
pp. 1-46
Author(s):  
Nico Döttling ◽  
Sanjam Garg
Keyword(s):  
Black Box ◽  
Cryptographic Primitives ◽  
Impossibility Results ◽  
Identity Based Encryption ◽  
Diffie Hellman ◽  
Garbled Circuits ◽  
Standard Notion ◽  
Identity Based

We provide the first constructions of identity-based encryption and hierarchical identity-based encryption based on the hardness of the (Computational) Diffie-Hellman Problem (without use of groups with pairings) or Factoring. Our construction achieves the standard notion of identity-based encryption as considered by Boneh and Franklin [CRYPTO 2001]. We bypass known impossibility results using garbled circuits that make a non-black-box use of the underlying cryptographic primitives.

Sign in / Sign up

Export Citation Format

Share Document