Proving Resistance Against Infinitely Long Subspace Trails: How to Choose the Linear Layer

Designing cryptographic permutations and block ciphers using a substitutionpermutation network (SPN) approach where the nonlinear part does not cover the entire state has recently gained attention due to favorable implementation characteristics in various scenarios.For word-oriented partial SPN (P-SPN) schemes with a fixed linear layer, our goal is to better understand how the details of the linear layer affect the security of the construction. In this paper, we derive conditions that allow us to either set up or prevent attacks based on infinitely long truncated differentials with probability 1. Our analysis is rather broad compared to earlier independent work on this problem since we consider (1) both invariant and non-invariant/iterative trails, and (2) trails with and without active S-boxes.For these cases, we provide rigorous sufficient and necessary conditions for the matrix that defines the linear layer to prevent the analyzed attacks. On the practical side, we present a tool that can determine whether a given linear layer is vulnerable based on these results. Furthermore, we propose a sufficient condition for the linear layer that, if satisfied, ensures that no infinitely long truncated differential exists. This condition is related to the degree and the irreducibility of the minimal polynomial of the matrix that defines the linear layer. Besides P-SPN schemes, our observations may also have a crucial impact on the Hades design strategy, which mixes rounds with full S-box layers and rounds with partial S-box layers.

Different Types of Attacks on Block Ciphers

Cryptanalysis is a very important challenge that faces cryptographers. It has several types that should be well studied by cryptographers to be able to design cryptosystem more secure and able to resist any type of attacks. This paper introduces six types of attacks: Linear, Differential , Linear-Differential, Truncated differential Impossible differential attack and Algebraic attacks. In this paper, algebraic attack is used to formulate the substitution box(S-box) of a block cipher to system of nonlinear equations and solve this system by using a classical method called Grobner  Bases . By Solving these equations, we made algebraic attack on S-box.

Differential Attacks on CRAFT Exploiting the Involutory S-boxes and Tweak Additions

CRAFT is a lightweight tweakable block cipher proposed at FSE 2019, which allows countermeasures against Differential Fault Attacks to be integrated into the cipher at the algorithmic level with ease. CRAFT employs a lightweight and involutory S-box and linear layer, such that the encryption function can be turned into decryption at a low cost. Besides, the tweakey schedule algorithm of CRAFT is extremely simple, where four 64-bit round tweakeys are generated and repeatedly used. Due to a combination of these features which makes CRAFT exceedingly lightweight, we find that some input difference at a particular position can be preserved through any number of rounds if the input pair follows certain truncated differential trails. Interestingly, in contrast to traditional differential analysis, the validity of this invariant property is affected by the positions where the constant additions take place. We use this property to construct “weak-tweakey” truncated differential distinguishers of CRAFT in the single-key model. Subsequently, we show how the tweak additions allow us to convert these weak-tweakey distinguishers into ordinary secret-key distinguishers based on which key-recovery attacks can be performed. Moreover, we show how to construct MILP models to search for truncated differential distinguishers exploiting this invariant property. As a result, we find a 15-round truncated differential distinguisher of CRAFT and extend it to a 19-round key-recovery attack with 260.99 data, 268 memory, 294.59 time complexity, and success probability 80.66%. Also, we find a 14-round distinguisher with probability 2−43 (experimentally verified), a 16-round distinguisher with probability 2−55, and a 20-round weak-key distinguisher (2118 weak keys) with probability 2−63. Experiments on round-reduced versions of the distinguishers show that the experimental probabilities are sometimes higher than predicted. Finally, we note that our result is far from threatening the security of the full CRAFT.

Extended Truncated-differential Distinguishers on Round-reduced AES

Distinguishers on round-reduced AES have attracted considerable attention in the recent years. While the number of rounds covered in key-recovery attacks did not increase, subspace, yoyo, mixture-differential, and multiple-of-n cryptanalysis advanced the understanding of the properties of the cipher.For substitution-permutation networks, integral attacks are a suitable target for extension since they usually end after a linear layer sums several subcomponents. Based on results by Patarin, Chen et al. already observed that the expected number of collisions for a sum of permutations differs slightly from that for a random primitive. Though, their target remained lightweight primitives.The present work illustrates how the well-known integral distinguisher on three-round AES resembles a sum of PRPs and can be extended to truncated-differential distinguishers over 4 and 5 rounds. In contrast to previous distinguishers by Grassi et al., our approach allows to prepend a round that starts from a diagonal subspace. We demonstrate how the prepended round can be used for key recovery with a new differential key-recovery attack on six-round AES. Moreover, we show how the prepended round can also be integrated to form a six-round distinguisher. For all distinguishers and the key-recovery attack, our results are supported by implementations with Cid et al.’s established Small-AES version. While the distinguishers do not threaten the security of the AES, they try to shed more light on its properties.

Improved Meet-in-the-Middle Attacks on Reduced-Round Deoxys-BC-256

In ASIACRYPT 2014, Jean et al. proposed the authentication encryption scheme Deoxys, which is one of the third-round candidates in CAESAR competition. Its internal block cipher is called Deoxys-BC that adopts the tweakey frame. Deoxys-BC has two versions of the tweakey size that are 256 bits and 384 bits, denoted by Deoxys-BC-256 and Deoxys-BC-384, respectively. In this paper, we revaluate the security of Deoxys-BC-256 against the meet-in-the-middle attack to obtain some new results. First, we append one round at the top and two rounds at the bottom of a 6-round distinguisher to form a 9-round truncated differential path with the probability of $2^{-144}$. Based on it, the adversary can attack 9-round Deoxys-BC-256 with $2^{108}$ chosen plaintext-tweaks, $2^{113.6}$ encryptions and $2^{102}$ blocks. Second, we construct a new 6.5-round distinguisher to form 10-round attacking path with the probability of $2^{-152}$. On the basis of it, the adversary could attack 10-round Deoxys-BC-256 with $2^{115}$ chosen plaintext-tweaks, $2^{171}$ encryptions and $2^{152}$ blocks. These two attacks improve the previous cryptanalytic results on reduced-round Deoxys-BC-256 against the meet-in-the-middle attack.

New Automatic Search Method for Truncated-Differential Characteristics Application to Midori, SKINNY and CRAFT

In this paper, using Mixed-Integer Linear Programming, a new automatic search tool for truncated differential characteristic is presented. Our method models the problem of finding a maximal probability truncated differential characteristic, being able to distinguish the cipher from a pseudo-random permutation. Using this method, we analyze Midori64, SKINNY64/X and CRAFT block ciphers, for all of which the existing results are improved. In all cases, the truncated differential characteristic is much more efficient than the (upper bound of) bit-wise differential characteristic proven by the designers, for any number of rounds. More specifically, the highest possible rounds, for which an efficient differential characteristic can exist for Midori64, SKINNY64/X and CRAFT are 6, 7 and 10 rounds, respectively, for which differential characteristics with maximum probabilities of $2^{-60}$, $2^{-52}$ and $2^{-62.61}$ (may) exist. Using our new method, we introduce new truncated differential characteristics for these ciphers with respective probabilities $2^{-54}$, $2^{-4}$ and $2^{-24}$ at the same number of rounds. Moreover, the longest truncated differential characteristics found for SKINNY64/X and CRAFT have 10 and 12 rounds, respectively. This method can be used as a new tool for differential analysis of SPN block ciphers.

Improved Security Evaluation of SPN Block Ciphers and its Applications in the Single-key Attack on SKINNY

In this paper, a new method for evaluating the integral property, truncated and impossible differentials for substitution-permutation network (SPN) block ciphers is proposed. The main assumption is an explicit description/expression of the internal state words in terms of the plaintext (ciphertext) words. By counting the number of times these words occur in the internal state expression, we can evaluate the resistance of a given block cipher to integral and impossible/truncated differential attacks more accurately than previous methods. More precisely, we explore the cryptographic consequences of uneven frequency of occurrences of plaintext (ciphertext) words appearing in the algebraic expression of the internal state words. This approach gives a new family of distinguishers employing different concepts such as the integral property, impossible/truncated differentials and the so-called zero-sum property. We then provide algorithms to determine the maximum number of rounds of such new types of distinguishers for SPN block ciphers. The potential and efficiency of this relatively simple method is confirmed through applications. For instance, in the case of SKINNY block cipher, several 10-round integral distinguishers, all of the 11-round impossible differentials, and a 7-round truncated differential could be determined. For the last case, using a single pair of plaintexts differing in three words so that (a = b = c) ≠ (a’ = b’ = c’), we are able to distinguish 7-round SKINNY from random permutations. More importantly, exploiting our distinguishers, we give the first practical attack on 11-round SKINNY-128-128 in the single-key setting (a theoretical attack reaches 16 rounds). Finally, using the same ideas, we provide a concise explanation on the existing distinguishers for round-reduced AES.