algebraic degree
Recently Published Documents

Total documents: 85 (five years: 28); h-index: 9 (five years: 1)

Author(s):  
Raghvendra Rohit ◽  
Santanu Sarkar

At ToSC 2021, Rohit et al. presented the first distinguishing and key recovery attacks on 7-round Ascon without violating the designers' security claims of the nonce-respecting setting and the data limit of 2^64 blocks per key. So far, these are the best attacks on 7-round Ascon. However, the distinguishers require (impractical) 2^60 data, while the data complexity of the key recovery attacks exactly equals 2^64. Whether there are any practical distinguishers and key recovery attacks (with data less than 2^64) on 7-round Ascon is still an open problem. In this work, we give positive answers to these questions by providing a comprehensive security analysis of Ascon in the weak key setting. Our first major result is the 7-round cube distinguishers with complexities 2^46 and 2^33 which work for 2^82 and 2^63 keys, respectively. Notably, we show that such weak keys exist for any choice (out of 64) of 46 and 33 specifically chosen nonce variables. In addition, we improve the data complexities of existing distinguishers for 5, 6 and 7 rounds by a factor of 2^8, 2^16 and 2^27, respectively. Our second contribution is a new theoretical framework for weak keys of Ascon which is solely based on the algebraic degree. Based on our construction, we identify 2^127.99, 2^127.97 and 2^116.34 weak keys (out of 2^128) for 5, 6 and 7 rounds, respectively. Next, we present two key recovery attacks on 7 rounds with different attack complexities. The best attack can recover the secret key with 2^63 data, 2^69 bits of memory and 2^115.2 time. Our attacks are far from threatening the security of full 12-round Ascon, but we expect that they provide new insights into Ascon's security.
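The following is an added example, written for this page and not the authors' attack code, showing the algebraic-degree argument that cube distinguishers rest on. It implements the Ascon permutation as in the public reference implementation (round constants, S-box instruction sequence, rotation amounts and the Ascon-128 IV are the published ones), fixes an arbitrary constructed key and base nonce, and sums the round-reduced output over a cube of nonce bits. A cube whose dimension does not exceed the degree (2 variables, 1 round) leaves a non-zero sum; a cube larger than the degree bound (9 variables over 3 rounds, degree at most 2^3 = 8) sums to zero on every one of the 320 state bits for any key. The trivial bound 2^r is what makes the generic distinguisher useless at 7 rounds (a 129-dimensional cube, 2^129 queries, far beyond the 2^64 data limit); the distinguishers in the abstract get far below that by restricting to weak keys. Function names are this example's own.

```python
# Added example (not the paper's attack code): cube-sum test on round-reduced Ascon initialization.
# Key and nonce below are arbitrary constructed test values; IV, round constants, S-box sequence
# and rotation amounts follow the public Ascon reference implementation.
from itertools import product

MASK = (1 << 64) - 1
ROUND_CONSTANTS = [0xf0, 0xe1, 0xd2, 0xc3, 0xb4, 0xa5, 0x96, 0x87, 0x78, 0x69, 0x5a, 0x4b]
ASCON128_IV = 0x80400C0600000000


def rotr(x, n):
    return ((x >> n) | (x << (64 - n))) & MASK


def ascon_permutation(state, rounds):
    """p^rounds on five 64-bit words; a reduced version uses the last `rounds` constants,
    as the reference code does for p^6 and p^8."""
    x0, x1, x2, x3, x4 = state
    for c in ROUND_CONSTANTS[12 - rounds:]:
        x2 ^= c
        # substitution layer: one 5-bit S-box per column; every AND is between two
        # inputs of the round, so a single round has algebraic degree 2
        x0 ^= x4; x4 ^= x3; x2 ^= x1
        t0 = ~x0 & x1; t1 = ~x1 & x2; t2 = ~x2 & x3; t3 = ~x3 & x4; t4 = ~x4 & x0
        x0 ^= t1; x1 ^= t2; x2 ^= t3; x3 ^= t4; x4 ^= t0
        x1 ^= x0; x0 ^= x4; x3 ^= x2; x2 = ~x2 & MASK
        # linear diffusion layer (degree 1, does not raise the degree)
        x0 ^= rotr(x0, 19) ^ rotr(x0, 28)
        x1 ^= rotr(x1, 61) ^ rotr(x1, 39)
        x2 ^= rotr(x2, 1) ^ rotr(x2, 6)
        x3 ^= rotr(x3, 10) ^ rotr(x3, 17)
        x4 ^= rotr(x4, 7) ^ rotr(x4, 41)
    return [x0, x1, x2, x3, x4]


def initial_state(key, nonce):
    """Ascon-128 initial state IV || K || N (key and nonce are 128-bit integers)."""
    return [ASCON128_IV, (key >> 64) & MASK, key & MASK, (nonce >> 64) & MASK, nonce & MASK]


def cube_sum(key, base_nonce, cube_bits, rounds):
    """XOR of the round-reduced output over all 2^|cube_bits| assignments of the chosen nonce
    bits (nonce bits 0..63 land in x4, 64..127 in x3); the other nonce bits stay as in
    base_nonce. Per output bit this is the ANF coefficient of the product of all cube variables."""
    acc = [0] * 5
    for bits in product((0, 1), repeat=len(cube_bits)):
        nonce = base_nonce
        for pos, v in zip(cube_bits, bits):
            nonce = (nonce & ~(1 << pos)) | (v << pos)
        out = ascon_permutation(initial_state(key, nonce), rounds)
        acc = [a ^ o for a, o in zip(acc, out)]
    return acc


def degree_bound_demo(key=0x000102030405060708090A0B0C0D0E0F,
                      base_nonce=0x101112131415161718191A1B1C1D1E1F):
    # One round has degree 2 in the nonce bits. The cube {x4[5], x3[5]} (same S-box column)
    # has dimension equal to the degree and the monomial x3[5]*x4[5] does occur (from ~x3 & x4),
    # so the sum is non-zero: a cube no larger than the degree distinguishes nothing.
    one_round = cube_sum(key, base_nonce, [5, 64 + 5], rounds=1)
    # Three rounds have degree at most 2^3 = 8, so every 9-dimensional cube sums to zero in all
    # 320 output bits for every key: a generic zero-sum distinguisher costing 2^9 = 512 calls.
    three_rounds = cube_sum(key, base_nonce, list(range(9)), rounds=3)
    return one_round, three_rounds


if __name__ == "__main__":
    one, three = degree_bound_demo()
    print("1 round,  2-dim cube:", [hex(w) for w in one])
    print("3 rounds, 9-dim cube:", [hex(w) for w in three])
```

The zero-sum over three rounds holds for any key and any choice of nine nonce bits, which is exactly why a generic cube gives no information about the key; the weak-key distinguishers in the abstract are interesting because they find cubes far smaller than the degree bound for a large fraction of keys.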


Author(s):  
Nikolay Kaleyski

Abstract. We define a family of efficiently computable invariants for (n,m)-functions under EA-equivalence, and observe that, unlike the known invariants such as the differential spectrum, algebraic degree, and extended Walsh spectrum, in the case of quadratic APN functions over $\mathbb{F}_{2^n}$ with n even, these invariants take on many different values for functions belonging to distinct equivalence classes. We show how the values of these invariants can be used constructively to implement a test for EA-equivalence of functions from $\mathbb{F}_{2}^{n}$ to $\mathbb{F}_{2}^{m}$; to the best of our knowledge, this is the first algorithm for deciding EA-equivalence without resorting to testing the equivalence of associated linear codes.


Author(s):  
J. Bernik ◽  
L. Livshits ◽  
G. MacDonald ◽  
L. Marcoux ◽  
M. Mastnak ◽  
...  

We study the maximal algebraic degree of principal ortho-compressions of linear operators that constitute spatial matricial numerical ranges of higher order. We demonstrate (amongst other things) that for a (possibly unbounded) operator $L$ on a Hilbert space, every principal $m$-dimensional ortho-compression of $L$ has algebraic degree less than $m$ if and only if $\operatorname{rank}(L-\lambda I)\le m-2$ for some $\lambda \in \mathbb{C}$.


2021 ◽  
Author(s):  
Min Hsuan Cheng

In recent years, the Algebraic Attack has emerged as an important cryptanalysis method in evaluating encryption algorithms. The attack exploits algebraic equations between the inputs and outputs of a cipher to solve for the targeted information. The complexity of the attack depends on the algebraic degree of the equations, the number of equations, and the probabilistic conditions employed. Addition Modulo 2^n has been suggested over logic XOR as a mixing element to better defend against the Algebraic Attack. However, it has been discovered that the complexity of the traditional Modulo Addition can be greatly reduced with the right equations and probabilistic conditions. The presented work introduces a new Modulo Addition structure that includes an Input Expansion, Modulo Addition, and Output Compaction. The security of the new structure is scalable and user-defined, as the new structure increases the algebraic degree and thwarts the probabilistic conditions.


Author(s):  
Siwei Chen ◽  
Zejun Xiang ◽  
Xiangyong Zeng ◽  
Shasha Zhang

In this paper, we compare several non-tight degree evaluation methods, i.e., Boura and Canteaut's formula, Carlet's formula, Liu's numeric mapping, and the division property proposed by Todo, and hope to find the best one among these methods for practical applications. Specifically, for substitution-permutation-network (SPN) ciphers, we first deeply explore the relationships between the division property of an S-box and its algebraic properties (e.g., the algebraic degree of its inverse). Based on these findings, we prove theoretically that the division property is never worse than Boura and Canteaut's and Carlet's formulas, and we also verify experimentally that the division property can indeed give a better bound than the latter two methods. In addition, for nonlinear feedback shift register (NFSR) based ciphers, according to the propagation of the division property and the core idea of numeric mapping, we give a strict proof that the degree estimated using the division property is never greater than that of numeric mapping. Moreover, our experimental results on Trivium and Kreyvium indicate that the division property actually derives a much better bound than numeric mapping. To the best of our knowledge, this is the first formal discussion of the relationships between the division property and other degree evaluation methods, and we present the first theoretical proof, with experimental verification, that the division property is the optimal one among these methods in terms of the accuracy of the upper bounds on the algebraic degree.


2021 ◽  
Vol 32 (03) ◽  
pp. 2150017
Author(s):  
Taeyong Ahn

We prove an equidistribution theorem of positive closed currents for a certain class of birational maps [Formula: see text] of algebraic degree [Formula: see text] satisfying [Formula: see text], where [Formula: see text] is the inverse of [Formula: see text] and [Formula: see text] are the sets of indeterminacy for [Formula: see text], respectively.


2020 ◽  
Vol 1 (11) ◽  
pp. 32-45
Author(s):  
Nguyễn Văn Long ◽  
Lê Duy Đức

Abstract. Keccak is the winner of the SHA-3 competition organized by the National Institute of Standards and Technology (NIST). There are many cryptanalytic attacks that exploit the low algebraic degree of the permutation of this hash function. Because of these results, the Keccak design team increased the number of rounds of its permutation from 18 to 24. On that basis, the paper focuses on analyzing the algebraic properties of the Keccak-f permutation in this hash function, and then proposes a new S-box with good cryptographic properties for use in Keccak's permutation.
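The following is an added example, not taken from any of the papers listed here, that makes the quantity all of these abstracts argue about concrete: it computes the algebraic degree of a small map from its algebraic normal form (ANF) via the Möbius transform. It serves the degree-evaluation comparison by Chen et al. (which needs the degree of an S-box and of its inverse), the modular-addition abstract by Cheng (which rests on the degree of addition modulo 2^n), and the Keccak S-box discussion above. It derives the Ascon S-box table by running the reference bit-sliced instruction sequence on single bits, builds Keccak's χ on 5 bits from its defining equation, and builds 4-bit addition modulo 2^4 as a map on 8 input bits. Both S-boxes come out with degree 2 while their inverses have degree 3, and sum bit i of modular addition has degree i+1 (bit 0 has degree 1), so only the high-order bits of an adder reach a high degree. Function names are this example's own.

```python
# Added example (not from the papers on this page): algebraic degree of small maps via the ANF.
# Function names here are this example's own.


def anf_coefficients(truth_table, n):
    """Möbius transform: truth table of a Boolean function on n input bits -> ANF coefficients.
    Entry u is 1 iff the monomial over the variables in the bit set u appears in the ANF."""
    a = list(truth_table)
    for i in range(n):
        bit = 1 << i
        for u in range(1 << n):
            if u & bit:
                a[u] ^= a[u ^ bit]
    return a


def coordinate_degrees(table, n_in, n_out):
    """Algebraic degree of each output bit of a map on n_in input bits given as a lookup table."""
    degrees = []
    for bit in range(n_out):
        coeffs = anf_coefficients([(table[x] >> bit) & 1 for x in range(1 << n_in)], n_in)
        degrees.append(max((bin(u).count("1") for u, c in enumerate(coeffs) if c), default=0))
    return degrees


def algebraic_degree(table, n_in, n_out):
    """Degree of the whole map: the maximum over its coordinate functions."""
    return max(coordinate_degrees(table, n_in, n_out))


def inverse_sbox(sbox):
    """Inverse of a bijective lookup table (raises if the table is not a permutation)."""
    inv = [None] * len(sbox)
    for x, y in enumerate(sbox):
        inv[y] = x
    if None in inv:
        raise ValueError("S-box is not a permutation")
    return inv


def keccak_chi(n=5):
    """Keccak's chi on an n-bit row: b_i = a_i XOR (NOT a_{i+1} AND a_{i+2})."""
    table = []
    for a in range(1 << n):
        bits = [(a >> i) & 1 for i in range(n)]
        out = [bits[i] ^ ((bits[(i + 1) % n] ^ 1) & bits[(i + 2) % n]) for i in range(n)]
        table.append(sum(b << i for i, b in enumerate(out)))
    return table


def ascon_sbox():
    """Ascon's 5-bit S-box, obtained by running the reference bit-sliced instruction sequence
    on single bits (x0 is the most significant bit, as in the specification)."""
    table = []
    for v in range(32):
        x0, x1, x2, x3, x4 = [(v >> (4 - i)) & 1 for i in range(5)]
        x0 ^= x4; x4 ^= x3; x2 ^= x1
        t0 = (x0 ^ 1) & x1; t1 = (x1 ^ 1) & x2; t2 = (x2 ^ 1) & x3
        t3 = (x3 ^ 1) & x4; t4 = (x4 ^ 1) & x0
        x0 ^= t1; x1 ^= t2; x2 ^= t3; x3 ^= t4; x4 ^= t0
        x1 ^= x0; x0 ^= x4; x3 ^= x2; x2 ^= 1
        table.append((x0 << 4) | (x1 << 3) | (x2 << 2) | (x3 << 1) | x4)
    return table


def modular_addition(width=4):
    """x + y mod 2^width as a map on 2*width input bits: x in the low bits, y in the high bits."""
    mask = (1 << width) - 1
    return [((v & mask) + (v >> width)) & mask for v in range(1 << (2 * width))]


def degree_report():
    """Degrees relevant to the abstracts above: S-boxes, their inverses, per-bit modular addition."""
    s, chi = ascon_sbox(), keccak_chi()
    return {
        "ascon": algebraic_degree(s, 5, 5),
        "ascon_inverse": algebraic_degree(inverse_sbox(s), 5, 5),
        "chi": algebraic_degree(chi, 5, 5),
        "chi_inverse": algebraic_degree(inverse_sbox(chi), 5, 5),
        "add_mod_2^4_per_bit": coordinate_degrees(modular_addition(4), 8, 4),
    }


if __name__ == "__main__":
    for name, value in degree_report().items():
        print(f"{name}: {value}")
```

The Möbius transform costs n·2^n per coordinate, so this is practical for S-boxes and small adders but not for a full cipher state; that gap is exactly what the non-tight bounds compared by Chen et al. (Boura and Canteaut's formula, numeric mapping, division property) exist to fill.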

