Improved Impossible Differentials and Zero-Correlation Linear Hulls of New Structure III

Impossible differential cryptanalysis and zero-correlation linear cryptanalysis are two kinds of most effective tools for evaluating the security of block ciphers. In those attacks, the core step is to construct a distinguisher as long as possible. In this paper, we focus on the security of New Structure III, which is a kind of block cipher structure with excellent resistance against differential and linear attacks. While the best previous result can only exploit one-round linear layer P to construct impossible differential and zero-correlation linear distinguishers, we try to exploit more rounds to find longer distinguishers. Combining the Miss-in-the-Middle strategy and the characteristic matrix method proposed at EUROCRYPT 2016, we could construct 23-round impossible differentials and zero-correlation linear hulls when the linear layer P satisfies some restricted conditions. To our knowledge, both of them are 1 round longer than the best previous works concerning the two cryptanalytical methods. Furthermore, to show the effectiveness of our distinguishers, the linear layer of the round function is specified to the permutation matrix of block cipher SKINNY which was proposed at CRYPTO 2016. Our results indicate that New Structure III has weaker resistance against impossible differential and zero-correlation linear attacks, though it possesses good differential and linear properties.

Rocca: An Efficient AES-based Encryption Scheme for Beyond 5G

In this paper, we present an AES-based authenticated-encryption with associated-data scheme called Rocca, with the purpose to reach the requirements on the speed and security in 6G systems. To achieve ultra-fast software implementations, the basic design strategy is to take full advantage of the AES-NI and SIMD instructions as that of the AEGIS family and Tiaoxin-346. Although Jean and Nikolić have generalized the way to construct efficient round functions using only one round of AES (aesenc) and 128-bit XOR operation and have found several efficient candidates, there still seems to exist potential to further improve it regarding speed and state size. In order to minimize the critical path of one round, we remove the case of applying both aesenc and XOR in a cascade way for one round. By introducing a cost-free block permutation in the round function, we are able to search for candidates in a larger space without sacrificing the performance. Consequently, we obtain more efficient constructions with a smaller state size than candidates by Jean and Nikolić. Based on the newly-discovered round function, we carefully design the corresponding AEAD scheme with 256-bit security by taking several reported attacks on the AEGIS family and Tiaxion-346 into account. Our AEAD scheme can reach 138Gbps which is 4 times faster than the AEAD scheme of SNOW-V. Rocca is also much faster than other efficient schemes with 256-bit key length, e.g. AEGIS-256 and AES-256-GCM. As far as we know, Rocca is the first dedicated cryptographic algorithm targeting 6 systems, i.e., 256-bit key length and the speed of more than 100 Gbps.

Security analysis of Subterranean 2.0

Subterranean 2.0 is a cipher suite that can be used for hashing, authenticated encryption, MAC computation, etc. It was designed by Daemen, Massolino, Mehrdad, and Rotella, and has been selected as a candidate in the second round of NIST’s lightweight cryptography standardization process. Subterranean 2.0 is a duplex-based construction and utilizes a single-round permutation in the duplex. It is the simplicity of the round function that makes it an attractive target of cryptanalysis. In this paper, we examine the single-round permutation in various phases of Subterranean 2.0 and specify three related attack scenarios that deserve further investigation: keystream biases in the keyed squeezing phase, state collisions in the keyed absorbing phase, and one-round differential analysis in the nonce-misuse setting. To facilitate cryptanalysis in the first two scenarios, we novelly propose a set of size-reduced toy versions of Subterranean 2.0: Subterranean-m. Then we make an observation for the first time on the resemblance between the non-linear layer in the round function of Subterranean 2.0 and SIMON’s round function. Inspired by the existing work on SIMON, we propose explicit formulas for computing the exact correlation of linear trails of Subterranean 2.0 and other ciphers utilizing similar non-linear operations. We then construct our models for searching trails to be used in the keystream bias evaluation and state collision attacks. Our results show that most instances of Subterranean-m are secure in the first two attack scenarios but there exist instances that are not. Further, we find a flaw in the designers’ reasoning of Subterranean 2.0’s linear bias but support the designers’ claim that there is no linear bias measurable from at most $$2^{96}$$ 2 96 data blocks. Due to the time-consuming search, the security of Subterranean 2.0 against the state collision attack in keyed modes still remains an open question. Finally, we observe that one-round differentials allow to recover state bits in the nonce-misuse setting. By proposing nested one-round differentials, we obtain a sufficient number of state bits, leading to a practical state recovery with only 20 repetitions of the nonce and 88 blocks of data. It is noted that our work does not threaten the security of Subterranean 2.0.

Revisiting Impossible Differential Distinguishers of Two Generalized Feistel Structures

Impossible differential attack is one of the most effective cryptanalytic methods for block ciphers. Its key step is to construct impossible differential distinguishers as long as possible. In this paper, we mainly focus on constructing longer impossible differential distinguishers for two kinds of generalized Feistel structures which are m -dataline CAST256-like and MARS-like structures. When their round function takes Substitution Permutation SP and Substitution Permutation Substitution SPS types, they are called CAST 256 SP / CAST 256 SPS and MARS SP / MARS SPS , respectively. For CAST 256 SP / CAST 256 SPS , the best known result for the length of the impossible differential distinguisher was m 2 + m / m 2 + m − 1 rounds, respectively. With the help of the linear layer P , we can construct m 2 + m + Λ 0 / m 2 + m + Λ 1 -round impossible differential distinguishers, where Λ 0 and Λ 1 are non-negative numbers if P satisfies some restricted conditions. For MARS SPS , the best known result for the length of the impossible differential distinguisher was 3 m − 1 rounds. We can construct 3 m -round impossible differential distinguishers which are 1 round longer than before. To our knowledge, the results in this paper are the best for the two kinds of generalized Feistel structures.

Complexity analysis and hardware implementation of extensible modulo addition for lightweight block cipher in Internet of Things (IOT)

This project presents complexity analysis and hardware implementation of extensible modulo addition [15] encryption algorithm on a 32-bit lightweight FPGA based block cipher called INFLEX, which is designed for the internet of things (IoT) environment, supporting 64-bits key. It is designed for constrained hardware resources yet providing a highly secure scalable configuration for the variety of applications. This characteristic is obtained by the use of generalized Feistel structure combined with an improved block inflation feature. INFLEX follows a typical ARX (Add, Rotate, XOR) round function with a distinguished feature of block expansion and collapse as per user selected control string, which makes INFLEX act as a tweakable Cipher. We have shown comparison of INFLEX algorithm robustness and immunity against linear and differential attacks and demonstrated that it outperforms one of the benchmark block Ciphers Speck32/64 proposed by national security agency (NSA).

Complexity analysis and hardware implementation of extensible modulo addition for lightweight block cipher in Internet of Things (IOT)

This project presents complexity analysis and hardware implementation of extensible modulo addition [15] encryption algorithm on a 32-bit lightweight FPGA based block cipher called INFLEX, which is designed for the internet of things (IoT) environment, supporting 64-bits key. It is designed for constrained hardware resources yet providing a highly secure scalable configuration for the variety of applications. This characteristic is obtained by the use of generalized Feistel structure combined with an improved block inflation feature. INFLEX follows a typical ARX (Add, Rotate, XOR) round function with a distinguished feature of block expansion and collapse as per user selected control string, which makes INFLEX act as a tweakable Cipher. We have shown comparison of INFLEX algorithm robustness and immunity against linear and differential attacks and demonstrated that it outperforms one of the benchmark block Ciphers Speck32/64 proposed by national security agency (NSA).

A Functionally Separate Autoencoder

According to kids’ learning process, an auto-encoder which can be split into two parts is designed. The two parts can work well separately. The top half is an abstract network which is trained by supervised learning and can be used to classify and regress. The bottom half is a concrete network which is accomplished by inverse function and trained by self-supervised learning. It can generate the input of abstract network from concept or label. The network can achieve its intended functionality through testing by mnist dataset and convolution neural network. Round function is added between the abstract network and concrete network in order to get the representative generation of class. The generation ability can be increased by adding jump connection and negative feedback. At last, the characteristics of the network is discussed. The input can be changed to any form by encoder and then change it back by decoder through inverse function. The concrete network can be seen as the memory stored by the parameters. Lethe is that when new knowledge input, the training process makes the parameters change. At last, the application of the network is discussed. The network can be used for logic generation through deep reinforcement learning. The network can also be used for language translation, zip and unzip, encryption and decryption, compile and decompile, modulation and demodulation.<br>

Orthros: A Low-Latency PRF

We present Orthros, a 128-bit block pseudorandom function. It is designed with primary focus on latency of fully unrolled circuits. For this purpose, we adopt a parallel structure comprising two keyed permutations. The round function of each permutation is similar to Midori, a low-energy block cipher, however we thoroughly revise it to reduce latency, and introduce different rounds to significantly improve cryptographic strength in a small number of rounds. We provide a comprehensive, dedicated security analysis. For hardware implementation, Orthros achieves the lowest latency among the state-of-the-art low-latency primitives. For example, using the STM 90nm library, Orthros achieves a minimum latency of around 2.4 ns, while other constructions like PRINCE, Midori-128 and QARMA9-128- σ0 achieve 2.56 ns, 4.10 ns, 4.38 ns respectively.

Algebraic Collision Attacks on Keccak

In this paper, we analyze the collision resistance of the two smallest versions of Keccak which have a width of 200 and 400 bits respectively. We show that algebraic and linearization techniques can serve collision cryptanalysis by using some interesting properties of the linear part of the round function of Keccak. We present an attack on the Keccak versions that could be used in lightweight cryptography reduced to two rounds. For Keccak[40, 160] (resp. Keccak[72, 128] and Keccak[144, 256]) our attack has a computational complexity of 273 (resp. 252.5 and 2101.5) Keccak calls.

Improved Single-Key Attacks on 2-GOST

GOST, known as GOST-28147-89, was standardized as the Russian encryption standard in 1989. It is a lightweight-friendly cipher and suitable for the resource-constrained environments. However, due to the simplicity of GOST’s key schedule, it encountered reflection attack and fixed point attack. In order to resist such attacks, the designers of GOST proposed a modification of GOST, namely, 2-GOST. This new version changes the order of subkeys in the key schedule and uses concrete S-boxes in round function. But regarding single-key attacks on full-round 2-GOST, Ashur et al. proposed a reflection attack with data of 2 32 on a weak-key class of size 2 224 , as well as the fixed point attack and impossible reflection attack with data of 2 64 for all possible keys. Note that the attacks applicable for all possible keys need the entire plaintext space. In other words, these are codebook attacks. In this paper, we propose single-key attacks on 2-GOST with only about 2 32 data instead of codebook. Firstly, we apply 2-dimensional meet-in-the-middle attack combined with splice-cut technique on full-round 2-GOST. This attack is applicable for all possible keys, and its data complexity reduces from previous 2 64 to 2 32 . Besides that, we apply splice-cut meet-in-the-middle attack on 31-round 2-GOST with only data of 2 32 . In this attack, we only need 8 bytes of memory, which is negligible.