Rotational Cryptanalysis of MORUS

MORUS is one of the finalists of the CAESAR competition. This is an ARX construction that required investigation against rotational cryptanalysis. We investigated the power of rotational cryptanalysis against MORUS. We show that all the operations in the state update function of MORUS maintain the rotational pairs when the rotation distance is set to a multiple of the sub-word size. Our investigation also confirms that the rotational pairs can be used as distinguishers for the full version of MORUS if the constants used in MORUS are rotational-invariant. However, the actual constants used in MORUS are not rotational-invariant. The introduction of such constants in the state update function breaks the symmetry of the rotational pairs. Experimental results show that rotational pairs can be used as distinguishers for only one step of the initialization phase of MORUS. For more than one step, there are not enough known differences in the rotational pairs of MORUS to provide an effective distinguisher. This is due to the XOR-ing of the constants that are not rotational-invariant. Therefore, it is unlikely for an adversary to construct a distinguisher for the full version of MORUS by observing the rotational pairs.

A Finer-Grain Analysis of the Leakage (Non) Resilience of OCB

OCB3 is one of the winners of the CAESAR competition and is among the most popular authenticated encryption schemes. In this paper, we put forward a fine-grain study of its security against side-channel attacks. We start from trivial key recoveries in settings where the mode can be attacked with standard Differential Power Analysis (DPA) against some block cipher calls in its execution (namely, initialization, processing of associated data or last incomplete block and decryption). These attacks imply that at least these parts must be strongly protected thanks to countermeasures like masking. We next show that if these block cipher calls of the mode are protected, practical attacks on the remaining block cipher calls remain possible. A first option is to mount a DPA with unknown inputs. A more efficient option is to mount a DPA that exploits horizontal relations between consecutive input whitening values. It allows trading a significantly reduced data complexity for a higher key guessing complexity and turns out to be the best attack vector in practical experiments performed against an implementation of OCB3 in an ARM Cortex-M0. Eventually, we consider an implementation where all the block cipher calls are protected. We first show that exploiting the leakage of the whitening values requires mounting a Simple Power Analysis (SPA) against linear operations. We then show that despite being more challenging than when applied to non-linear operations, such an SPA remains feasible against 8-bit implementations, leaving its generalization to larger implementations as an interesting open problem. We last describe how recovering the whitening values can lead to strong attacks against the confidentiality and integrity of OCB3. Thanks to this comprehensive analysis, we draw concrete requirements for side-channel resistant implementations of OCB3.

High-Performance Data Compression-Based Design for Dynamic IoT Security Systems

IoT technology is evolving at a quick pace and is becoming an important part of everyday life. Consequently, IoT systems hold large amounts of data related to the user of the system that is vulnerable to security breaches. Thus, data collected by IoT systems need to be secured efficiently without affecting the IoT systems’ performance and without compromising security as well. In this paper, a high-performance dynamic security system is introduced. The system makes use of the ZedBoard’s dynamic partial reconfiguration capability to shift between three distinct cipher algorithms: AEGIS, ASCON, and DEOXYS-II. The switching between the three algorithms is performed using two different techniques: the algorithm hopping technique or the power adaptive technique. The choice of which technique to be used is dependent on whether the system needs to be focused on performance or power saving. The ciphers used are the CAESAR competition finalists that achieved the greatest results in each of the three competition categories, where each cipher algorithm has its own set of significant characteristics. The proposed design seeks to reduce the FPGA reconfiguration time by the application of LZ4 (Lempel-Ziv4) compression and decompression techniques on the ciphers’ bitstream files. The reconfiguration time decreased by a minimum of 38% in comparison to the state-of-the-art design, while the resource utilization increased by approximately 2%.

Ascon v1.2: Lightweight Authenticated Encryption and Hashing

Authenticated encryption satisfies the basic need for authenticity and confidentiality in our information infrastructure. In this paper, we provide the specification of Ascon-128 and Ascon-128a. Both authenticated encryption algorithms provide efficient authenticated encryption on resource-constrained devices and on high-end CPUs. Furthermore, they have been selected as the “primary choice” for lightweight authenticated encryption in the final portfolio of the CAESAR competition. In addition, we specify the hash function Ascon-Hash, and the extendable output function Ascon-Xof. Moreover, we complement the specification by providing a detailed overview of existing cryptanalysis and implementation results.

Weak Keys in Reduced AEGIS and Tiaoxin

AEGIS-128 and Tiaoxin-346 (Tiaoxin for short) are two AES-based primitives submitted to the CAESAR competition. Among them, AEGIS-128 has been selected in the final portfolio for high-performance applications, while Tiaoxin is a third-round candidate. Although both primitives adopt a stream cipher based design, they are quite different from the well-known bit-oriented stream ciphers like Trivium and the Grain family. Their common feature consists in the round update function, where the state is divided into several 128-bit words and each word has the option to pass through an AES round or not. During the 6-year CAESAR competition, it is surprising that for both primitives there is no third-party cryptanalysis of the initialization phase. Due to the similarities in both primitives, we are motivated to investigate whether there is a common way to evaluate the security of their initialization phases. Our technical contribution is to write the expressions of the internal states in terms of the nonce and the key by treating a 128-bit word as a unit and then carefully study how to simplify these expressions by adding proper conditions. As a result, we find that there are several groups of weak keys with 296 keys each in 5-round AEGIS-128 and 8-round Tiaoxin, which allows us to construct integral distinguishers with time complexity 232 and data complexity 232. Based on the distinguisher, the time complexity to recover the weak key is 272 for 5-round AEGIS-128. However, the weak key recovery attack on 8-round Tiaoxin will require the usage of a weak constant occurring with probability 2−32. All the attacks reach half of the total number of initialization rounds. We expect that this work can advance the understanding of the designs similar to AEGIS and Tiaoxin.

Misuse-Free Key-Recovery and Distinguishing Attacks on 7-Round Ascon

Being one of the winning algorithms of the CAESAR competition and currently a second round candidate of the NIST lightweight cryptography standardization project, the authenticated encryption scheme Ascon (designed by Dobraunig, Eichlseder, Mendel, and Schläffer) has withstood extensive self and third-party cryptanalysis. The best known attack on Ascon could only penetrate up to 7 (out of 12) rounds due to Li et al. (ToSC Vol I, 2017). However, it violates the data limit of 264 blocks per key specified by the designers. Moreover, the best known distinguishers of Ascon in the AEAD context reach only 6 rounds. To fill these gaps, we revisit the security of 7-round Ascon in the nonce-respecting setting without violating the data limit as specified in the design. First, we introduce a new superpoly-recovery technique named as partial polynomial multiplication for which computations take place between the so-called degree-d homogeneous parts of the involved Boolean functions for a 2d-dimensional cube. We apply this method to 7-round Ascon and present several key recovery attacks. Our best attack can recover the 128-bit secret key with a time complexity of about 2123 7-round Ascon permutations and requires 264 data and 2101 bits memory. Also, based on division properties, we identify several 60 dimensional cubes whose superpolies are constant zero after 7 rounds. We further improve the cube distinguishers for 4, 5 and 6 rounds. Although our results are far from threatening the security of full 12-round Ascon, they provide new insights in the security analysis of Ascon.

Improved Meet-in-the-Middle Attacks on Reduced-Round Deoxys-BC-256

In ASIACRYPT 2014, Jean et al. proposed the authentication encryption scheme Deoxys, which is one of the third-round candidates in CAESAR competition. Its internal block cipher is called Deoxys-BC that adopts the tweakey frame. Deoxys-BC has two versions of the tweakey size that are 256 bits and 384 bits, denoted by Deoxys-BC-256 and Deoxys-BC-384, respectively. In this paper, we revaluate the security of Deoxys-BC-256 against the meet-in-the-middle attack to obtain some new results. First, we append one round at the top and two rounds at the bottom of a 6-round distinguisher to form a 9-round truncated differential path with the probability of $2^{-144}$. Based on it, the adversary can attack 9-round Deoxys-BC-256 with $2^{108}$ chosen plaintext-tweaks, $2^{113.6}$ encryptions and $2^{102}$ blocks. Second, we construct a new 6.5-round distinguisher to form 10-round attacking path with the probability of $2^{-152}$. On the basis of it, the adversary could attack 10-round Deoxys-BC-256 with $2^{115}$ chosen plaintext-tweaks, $2^{171}$ encryptions and $2^{152}$ blocks. These two attacks improve the previous cryptanalytic results on reduced-round Deoxys-BC-256 against the meet-in-the-middle attack.

Practical Key-Recovery Attacks On Round-Reduced Ketje Jr, Xoodoo-AE And Xoodyak

A new conditional cube attack was proposed by Li et al. at ToSC 2019 for cryptanalysis of Keccak keyed modes. In this paper, we find a new property of Li et al.’s method. The conditional cube attack is modified and applied to cryptanalysis of 5-round Ketje Jr, 6-round Xoodoo-AE and Xoodyak, where Ketje Jr is among the third round CAESAR competition candidates and Xoodyak is a Round 2 submission of the ongoing NIST lightweight cryptography project. For the updated conditional cube attack, all our results are shown to be of practical time complexity with negligible memory cost, and test codes are provided. Notably, our results on Xoodyak represent the first third-party cryptanalysis for Xoodyak.

Analyzing the Linear Keystream Biases in AEGIS

AEGIS is one of the authenticated encryption designs selected for the final portfolio of the CAESAR competition. It combines the AES round function and simple Boolean operations to update its large state and extract a keystream to achieve an excellent software performance. In 2014, Minaud discovered slight biases in the keystream based on linear characteristics. For family member AEGIS-256, these could be exploited to undermine the confidentiality faster than generic attacks, but this still requires very large amounts of data. For final portfolio member AEGIS-128, these attacks are currently less efficient than generic attacks. We propose improved keystream approximations for the AEGIS family, but also prove upper bounds below 2−128 for the squared correlation contribution of any single suitable linear characteristic.

Algebraic Degree Estimation of ACORN v3 Using Numeric Mapping

ACORN v3 is a lightweight authenticated encryption cipher, which was selected as one of the seven finalists of CAESAR competition in March 2018. It is intended for lightweight applications (resource-constrained environments). By using the technique numeric mapping proposed at CRYPTO 2017, an efficient algorithm for algebraic degree estimation of ACORN v3 is proposed. As a result, new distinguishing attacks on 647, 649, 670, 704, and 721 initialization rounds of ACORN v3 are obtained, respectively. So far, as we know, all of our distinguishing attacks on ACORN v3 are the best. The effectiveness and accuracy of our algorithm is confirmed by the experimental results.