SAT-based Cryptanalysis of Authenticated Ciphers from the CAESAR Competition

2017 ◽  
Author(s):  
Ashutosh Dhar Dwivedi ◽  
Miloš Klouček ◽  
Paweł Morawiecki ◽  
Ivica Nikolić ◽  
Josef Pieprzyk ◽  
...  
Keyword(s):  
Caesar Competition

Improved Meet-in-the-Middle Attacks on Reduced-Round Deoxys-BC-256

2020 ◽  
Vol 63 (12) ◽  
pp. 1859-1870
Author(s):  
Ya Liu ◽  
Bing Shi ◽  
Dawu Gu ◽  
Fengyu Zhao ◽  
Wei Li ◽  
...  
Keyword(s):  
Block Cipher ◽  
Encryption Scheme ◽  
The Third ◽  
Caesar Competition ◽  
Internal Block ◽  
Truncated Differential

Abstract In ASIACRYPT 2014, Jean et al. proposed the authentication encryption scheme Deoxys, which is one of the third-round candidates in CAESAR competition. Its internal block cipher is called Deoxys-BC that adopts the tweakey frame. Deoxys-BC has two versions of the tweakey size that are 256 bits and 384 bits, denoted by Deoxys-BC-256 and Deoxys-BC-384, respectively. In this paper, we revaluate the security of Deoxys-BC-256 against the meet-in-the-middle attack to obtain some new results. First, we append one round at the top and two rounds at the bottom of a 6-round distinguisher to form a 9-round truncated differential path with the probability of $2^{-144}$. Based on it, the adversary can attack 9-round Deoxys-BC-256 with $2^{108}$ chosen plaintext-tweaks, $2^{113.6}$ encryptions and $2^{102}$ blocks. Second, we construct a new 6.5-round distinguisher to form 10-round attacking path with the probability of $2^{-152}$. On the basis of it, the adversary could attack 10-round Deoxys-BC-256 with $2^{115}$ chosen plaintext-tweaks, $2^{171}$ encryptions and $2^{152}$ blocks. These two attacks improve the previous cryptanalytic results on reduced-round Deoxys-BC-256 against the meet-in-the-middle attack.

Analyzing the Linear Keystream Biases in AEGIS

2020 ◽  
pp. 348-368
Author(s):  
Maria Eichlseder ◽  
Marcel Nageler ◽  
Robert Primas
Keyword(s):  
Family Member ◽  
Upper Bounds ◽  
Software Performance ◽  
Authenticated Encryption ◽  
Boolean Operations ◽  
Large State ◽  
Round Function ◽  
Linear Characteristic ◽  
Caesar Competition ◽  
Generic Attacks

AEGIS is one of the authenticated encryption designs selected for the final portfolio of the CAESAR competition. It combines the AES round function and simple Boolean operations to update its large state and extract a keystream to achieve an excellent software performance. In 2014, Minaud discovered slight biases in the keystream based on linear characteristics. For family member AEGIS-256, these could be exploited to undermine the confidentiality faster than generic attacks, but this still requires very large amounts of data. For final portfolio member AEGIS-128, these attacks are currently less efficient than generic attacks. We propose improved keystream approximations for the AEGIS family, but also prove upper bounds below 2−128 for the squared correlation contribution of any single suitable linear characteristic.

scholarly journals Understanding RUP Integrity of COLM

2017 ◽  
pp. 143-161
Author(s):  
Nilanjan Datta ◽  
Atul Luykx ◽  
Bart Mennink ◽  
Mridul Nandi
Keyword(s):  
Time Complexity ◽  
Encryption Scheme ◽  
Authenticated Encryption ◽  
Caesar Competition ◽  
Mixing Functions

The authenticated encryption scheme COLM is a third-round candidate in the CAESAR competition. Much like its antecedents COPA, ELmE, and ELmD, COLM consists of two parallelizable encryption layers connected by a linear mixing function. While COPA uses plain XOR mixing, ELmE, ELmD, and COLM use a more involved invertible mixing function. In this work, we investigate the integrity of the COLM structure when unverified plaintext is released, and demonstrate that its security highly depends on the choice of mixing function. Our results are threefold. First, we discuss the practical nonce-respecting forgery by Andreeva et al. (ASIACRYPT 2014) against COPA’s XOR mixing. Then we present a noncemisusing forgery against arbitrary mixing functions with practical time complexity. Finally, by using significantly larger queries, we can extend the previous forgery to be nonce-respecting.

scholarly journals Algebraic Degree Estimation of ACORN v3 Using Numeric Mapping

2019 ◽  
Vol 2019 ◽  
pp. 1-5
Author(s):  
Lin Ding ◽  
Lei Wang ◽  
Dawu Gu ◽  
Chenhui Jin ◽  
Jie Guan
Keyword(s):  
Efficient Algorithm ◽  
Algebraic Degree ◽  
Experimental Results ◽  
Authenticated Encryption ◽  
Resource Constrained ◽  
Constrained Environments ◽  
Caesar Competition

ACORN v3 is a lightweight authenticated encryption cipher, which was selected as one of the seven finalists of CAESAR competition in March 2018. It is intended for lightweight applications (resource-constrained environments). By using the technique numeric mapping proposed at CRYPTO 2017, an efficient algorithm for algebraic degree estimation of ACORN v3 is proposed. As a result, new distinguishing attacks on 647, 649, 670, 704, and 721 initialization rounds of ACORN v3 are obtained, respectively. So far, as we know, all of our distinguishing attacks on ACORN v3 are the best. The effectiveness and accuracy of our algorithm is confirmed by the experimental results.

scholarly journals The State of the Authenticated Encryption

2016 ◽  
Vol 67 (1) ◽  
pp. 167-190
Author(s):  
Damian Vizár
Keyword(s):  
The State ◽  
Authenticated Encryption ◽  
Research Activity ◽  
Cryptographic Primitive ◽  
Encryption Schemes ◽  
Caesar Competition ◽  
Symmetric Key

Abstract Ensuring confidentiality and integrity of communication remains among the most important goals of cryptography. The notion of authenticated encryption marries these two security goals in a single symmetric-key, cryptographic primitive. A lot of effort has been invested in authenticated encryption during the fifteen years of its existence. The recent Competition for Authenticated Encryption: Security, Applicability, and Robustness (CAESAR) has boosted the research activity in this area even more. As a result, the area of authenticated encryption boasts numerous results, both theoretically and practically oriented, and perhaps even greater number of constructions of authenticated encryption schemes. We explore the current landscape of results on authenticated encryption. We review the CEASAR competition and its candidates, the most popular construction principles, and various design goals for authenticated encryption, many of which appeared during the CAESAR competition. We also take a closer look at the candidate Offset Merkle-Damgård (OMD).

scholarly journals High-Performance Data Compression-Based Design for Dynamic IoT Security Systems

Electronics ◽  
2021 ◽  
Vol 10 (16) ◽  
pp. 1989
Author(s):  
Maha Aboelmaged ◽  
Ali Shisha ◽  
Mohamed A. Abd El Ghany
Keyword(s):  
High Performance ◽  
State Of The Art ◽  
Power Saving ◽  
Security Systems ◽  
Dynamic Partial Reconfiguration ◽  
Iot Security ◽  
Security Breaches ◽  
Adaptive Technique ◽  
Power Adaptive ◽  
Caesar Competition

IoT technology is evolving at a quick pace and is becoming an important part of everyday life. Consequently, IoT systems hold large amounts of data related to the user of the system that is vulnerable to security breaches. Thus, data collected by IoT systems need to be secured efficiently without affecting the IoT systems’ performance and without compromising security as well. In this paper, a high-performance dynamic security system is introduced. The system makes use of the ZedBoard’s dynamic partial reconfiguration capability to shift between three distinct cipher algorithms: AEGIS, ASCON, and DEOXYS-II. The switching between the three algorithms is performed using two different techniques: the algorithm hopping technique or the power adaptive technique. The choice of which technique to be used is dependent on whether the system needs to be focused on performance or power saving. The ciphers used are the CAESAR competition finalists that achieved the greatest results in each of the three competition categories, where each cipher algorithm has its own set of significant characteristics. The proposed design seeks to reduce the FPGA reconfiguration time by the application of LZ4 (Lempel-Ziv4) compression and decompression techniques on the ciphers’ bitstream files. The reconfiguration time decreased by a minimum of 38% in comparison to the state-of-the-art design, while the resource utilization increased by approximately 2%.

scholarly journals Weak Keys in Reduced AEGIS and Tiaoxin

2021 ◽  
pp. 104-139
Author(s):  
Fukang Liu ◽  
Takanori Isobe ◽  
Willi Meier ◽  
Kosei Sakamoto
Keyword(s):  
Time Complexity ◽  
High Performance ◽  
Stream Cipher ◽  
Third Party ◽  
Key Recovery ◽  
Weak Keys ◽  
Internal States ◽  
Caesar Competition ◽  
Key Recovery Attack ◽  
Pass Through

AEGIS-128 and Tiaoxin-346 (Tiaoxin for short) are two AES-based primitives submitted to the CAESAR competition. Among them, AEGIS-128 has been selected in the final portfolio for high-performance applications, while Tiaoxin is a third-round candidate. Although both primitives adopt a stream cipher based design, they are quite different from the well-known bit-oriented stream ciphers like Trivium and the Grain family. Their common feature consists in the round update function, where the state is divided into several 128-bit words and each word has the option to pass through an AES round or not. During the 6-year CAESAR competition, it is surprising that for both primitives there is no third-party cryptanalysis of the initialization phase. Due to the similarities in both primitives, we are motivated to investigate whether there is a common way to evaluate the security of their initialization phases. Our technical contribution is to write the expressions of the internal states in terms of the nonce and the key by treating a 128-bit word as a unit and then carefully study how to simplify these expressions by adding proper conditions. As a result, we find that there are several groups of weak keys with 296 keys each in 5-round AEGIS-128 and 8-round Tiaoxin, which allows us to construct integral distinguishers with time complexity 232 and data complexity 232. Based on the distinguisher, the time complexity to recover the weak key is 272 for 5-round AEGIS-128. However, the weak key recovery attack on 8-round Tiaoxin will require the usage of a weak constant occurring with probability 2−32. All the attacks reach half of the total number of initialization rounds. We expect that this work can advance the understanding of the designs similar to AEGIS and Tiaoxin.

scholarly journals Improvement on Bit Diffusion Analysis of π-Cipher

2017 ◽  
Vol 70 (1) ◽  
pp. 139-149
Author(s):  
Fatih Sulak ◽  
Beyza Bozdemir ◽  
Betül A. Özdemir ◽  
Neşe Koçak ◽  
Onur Koçak
Keyword(s):  
Diffusion Analysis ◽  
Strict Avalanche Criterion ◽  
Caesar Competition

Abstract π-Cipher, designed by Gligoroski et al., is a second round candidate of the CAESAR competition. The designers analyzed the bit diffusion of the cipher by examining the * operation and 1 round π-function. We improve this analysis by applying Strict Avalanche Criterion (SAC) test to * operation and reduced round versions of π-function for π 16-Cipher. We found out that * operation fails SAC test whereas all versions of π-function for π 16-Cipher pass the test.

scholarly journals Cryptanalysis of NORX v2.0

2017 ◽  
pp. 156-174 ◽  
Author(s):  
Colin Chaigneau ◽  
Thomas Fuhr ◽  
Henri Gilbert ◽  
Jérémy Jean ◽  
Jean-René Reinhard
Keyword(s):  
Authenticated Encryption ◽  
Forgery Attack ◽  
Key Recovery ◽  
Design Decisions ◽  
The Third ◽  
Caesar Competition ◽  
Internal Operations ◽  
Key Recovery Attack ◽  
Associated Data ◽  
Main Change

NORX is an authenticated encryption scheme with associated data being publicly scrutinized as part of the ongoing CAESAR competition, where 14 other primitives are also competing. It is based on the sponge construction and relies on a simple permutation that allows efficient and versatile implementations. Thanks to research on the security of the sponge construction, the design of NORX, whose permutation is inspired from the permutations used in BLAKE and ChaCha, has evolved throughout three main versions (v1.0, v2.0 and v3.0). In this paper, we investigate the security of the full NORX v2.0 primitive that has been accepted as third-round candidate in the CAESAR competition. We show that some non-conservative design decisions probably motivated by implementation efficiency considerations result in at least one strong structural distinguisher of the underlying sponge permutation that can be turned into an attack on the full primitive. This attack yields a ciphertext-only forgery with time and data complexity 266 (resp. 2130) for the variant of NORX v2.0 using 128-bit (resp. 256-bit) keys and breaks the designers’ claim of a 128-bit, resp. 256-bit security. Furthermore, we show that this forgery attack can be extended to a key-recovery attack on the full NORX v2.0 with the same time and data complexities. We have implemented and experimentally verified the correctness of the attacks on a toy version of NORX. We emphasize that the scheme has recently been tweaked to NORX v3.0 at the beginning of the third round of the CAESAR competition: the main change introduces some key-dependent internal operations, which make NORX v3.0 immune to our attacks. However, the structural distinguisher of the permutation persists.

Sign in / Sign up

Export Citation Format

Share Document