
Showing papers on "Differential cryptanalysis published in 2020"


Book ChapterDOI
10 May 2020
TL;DR: This paper studies dedicated quantum collision attacks on concrete hash functions, a topic that has received little attention so far, and shows that differential trails with probability as low as \(2^{-2n/3}\) can be exploited for collision attacks in the quantum setting.
Abstract: In this paper we spotlight dedicated quantum collision attacks on concrete hash functions, which have not received much attention so far. In the classical setting, the generic complexity to find collisions of an n-bit hash function is \(O(2^{n/2})\), thus classical collision attacks based on differential cryptanalysis such as rebound attacks build differential trails with probability higher than \(2^{-n/2}\). By the same analogy, generic quantum algorithms such as the BHT algorithm find collisions with complexity \(O(2^{n/3})\). With quantum algorithms, a pair of messages satisfying a differential trail with probability p can be generated with complexity \(p^{-1/2}\). Hence, in the quantum setting, some differential trails with probability up to \(2^{-2n/3}\) that cannot be exploited in the classical setting may be exploited to mount a collision attack in the quantum setting. In particular, the number of attacked rounds may increase. In this paper, we attack two international hash function standards: AES-MMO and Whirlpool. For AES-MMO, we present a 7-round differential trail with probability \(2^{-80}\) and use it to find collisions with a quantum version of the rebound attack, while only 6 rounds can be attacked in the classical setting. For Whirlpool, we mount a collision attack based on a 6-round differential trail from a classical rebound distinguisher with a complexity higher than the birthday bound. This improves the best classical attack on 5 rounds by 1. We also show that those trails are optimal in our approach. Our results have two important implications. First, there seems to exist a common belief that classically secure hash functions will remain secure against quantum adversaries. Indeed, several second-round candidates in the NIST post-quantum competition use existing hash functions, say SHA-3, as quantum secure ones. Our results disprove this common belief. Second, our observation suggests that differential trail search should not stop with probability \(2^{-n/2}\) but should consider up to \(2^{-2n/3}\). Hence it deserves to revisit the previous differential trail search activities.

50 citations


Journal ArticleDOI
TL;DR: SLIM is a 32-bit block cipher based on the Feistel structure that has excellent performance in both hardware and software environments, with a limited implementation area, an acceptable cost/security trade-off for RFID systems, and energy-efficient behaviour.
Abstract: Nowadays, there is a strong demand for increasing the protection of resource-constrained devices such as Radio frequency identification (RFID) systems. Current cryptographic algorithms are sufficient for high-resource desktop computers. RFID systems are commonly used in high-security applications such as access control systems, transaction banking systems, and payment systems. The attacker attempts to mislead RFIDs for unauthorized access to services without payment or to circumvent security mechanisms by detecting a secret password. The biggest challenge in RFID systems is how to ensure successful protection against such infringements. Lightweight cryptography can provide security assurance for protecting RFID systems. This article presents a new ultra-lightweight cryptographic algorithm for RFID systems called SLIM. SLIM is a 32-bit block cipher based on the Feistel structure, since block ciphers are the most widely used cryptographic primitives and provide very tight protection for IoT devices. The key challenge in designing a lightweight block cipher is to balance performance, cost, and security. SLIM, like all symmetric block ciphers, uses the same key for encryption and decryption. The proposed algorithm has excellent performance in both hardware and software environments, with a limited implementation area, an acceptable cost/security trade-off for RFID systems, and energy-efficient behaviour. SLIM has demonstrated high immunity against the most effective linear and differential cryptanalysis attacks and has a sufficient margin of defence against these attacks.

39 citations


Journal ArticleDOI
TL;DR: It is shown in this work that the proposed substitution boxes can resist differential and linear cryptanalysis and sustain algebraic attacks.
Abstract: The strength of cryptosystems heavily relies on the substitution boxes. Cryptosystems with weak substitution boxes cannot resist algebraic attacks, linear and differential cryptanalysis. In this paper, first, we propose a strong algebraic structure for the construction of substitution boxes. The proposed substitution boxes have good algebraic properties and are able to resist algebraic attacks. Second, we propose a new method for creating multiple substitution boxes with the same algebraic properties using permutations of the symmetric group on a set of size 8 and the bitwise XOR operation. Third, the proposed substitution boxes with the same algebraic properties are then applied to images, and it is observed that the statistical properties of the substituted images differ from each other. The simulation results and the statistical and security analysis of the proposed substitution boxes are very competitive. Also, it is shown in this work that the proposed substitution boxes can resist differential and linear cryptanalysis and sustain algebraic attacks.

31 citations


Journal ArticleDOI
17 May 2020-Symmetry
TL;DR: This work aims to design and develop a cryptographically strong 8 × 8 S-box for block ciphers based on the linear fractional transformation and permutation function and analyzes the security properties by nonlinearity test, algebraic degree, differential uniformity, and strict avalanche criterion.
Abstract: Substitution boxes (S-boxes) with strong and secure cryptographic properties are widely used for providing the key property of nonlinearity in block ciphers. This is critical for resistance to standard attacks including linear and differential cryptanalysis. The ability to create a cryptographically strong S-box depends on its construction technique. This work aims to design and develop a cryptographically strong 8 × 8 S-box for block ciphers. In this work, the construction of the S-box is based on the linear fractional transformation and a permutation function. Three steps are involved in producing the S-box. In step one, an irreducible polynomial of degree eight is chosen, and all roots of the primitive irreducible polynomial are calculated. In step two, algebraic properties of the linear fractional transformation are applied in the Galois field GF(2^8). Finally, the produced matrix is permuted to add randomness to the S-box. The strength of the S-box is measured by calculating its potency to create confusion. To analyze the security properties of the S-box, some well-known and commonly used algebraic attacks are used. The proposed S-box is analyzed by the nonlinearity test, algebraic degree, differential uniformity, and strict avalanche criterion, which comprises the avalanche effect test, completeness test, and strong S-box test. S-box analysis is done before and after the application of the permutation function, and the analysis result shows that the S-box with the permutation function has reached the optimal properties of a secure S-box.

29 citations


Journal ArticleDOI
TL;DR: The authors further study the boomerang uniformity of some non-quadratic differentially 4-uniform functions, in particular the Bracken-Leander cubic function, extending the earlier work of Li et al. on quadratic functions.
Abstract: The boomerang attack, introduced by Wagner in 1999, is a cryptanalysis technique against block ciphers based on differential cryptanalysis. In particular it takes into consideration two differentials, one for the upper part of the cipher and one for the lower part, and it exploits the dependency of these two differentials. At Eurocrypt’18, Cid et al. introduced a new tool, called the Boomerang Connectivity Table (BCT), that simplifies this analysis. Next, Boura and Canteaut introduced an important parameter for cryptographic S-boxes called boomerang uniformity, that is, the maximum value in the BCT. Very recently, the boomerang uniformity of some classes of permutations (in particular quadratic functions) has been studied by Li, Qu, Sun and Li, and by Mesnager, Tang and Xiong. In this paper we further study the boomerang uniformity of some non-quadratic differentially 4-uniform functions. In particular, we consider the case of the Bracken-Leander cubic function and three classes of 4-uniform functions constructed by Li, Wang and Yu, obtained by modifying the inverse function.

23 citations


Posted Content
TL;DR: In this paper, the authors investigate the c-differential uniformity of power functions over finite fields and, starting from some known almost perfect nonlinear functions, present several classes of power functions with c-differential uniformity at most 3, including two new classes of perfect c-nonlinear power functions.
Abstract: Functions with low c-differential uniformity have optimal resistance to some types of differential cryptanalysis. In this paper, we investigate the c-differential uniformity of power functions over finite fields. Based on some known almost perfect nonlinear functions, we present several classes of power functions $f(x)=x^d$ with $_{c}\Delta_f\leq3$. Especially, two new classes of perfect c-nonlinear power functions are proposed.

22 citations


Book ChapterDOI
17 Aug 2020
TL;DR: S-boxes are the only source of non-linearity in many symmetric primitives and are often defined as being functions operating on a small space, while some recent designs propose the use of much larger ones.
Abstract: S-boxes are the only source of non-linearity in many symmetric primitives. While they are often defined as being functions operating on a small space, some recent designs propose the use of much larger ones (e.g., 32 bits). In this context, an S-box is then defined as a subfunction whose cryptographic properties can be estimated precisely.

21 citations


Journal ArticleDOI
TL;DR: Simulations show that the proposed methodology has a good key space, high key sensitivity, and a uniform distribution of cipher-image pixels; differential cryptanalysis of the proposed cryptosystem is performed to demonstrate its resistance to differential attacks.

19 citations


Book ChapterDOI
13 Dec 2020
TL;DR: In this paper, all versions of SPECK are evaluated against a quantum adversary in terms of Grover's algorithm, and the resource requirements for quantum key search under the known-plaintext attack model are extensively studied.
Abstract: In this work, all versions of SPECK are evaluated against a quantum adversary in terms of Grover's algorithm. We extensively study the resource requirements for quantum key search under the known-plaintext attack model and show that our estimation provides better results than existing efforts. Further, for the first time, we explore differential cryptanalysis of SPECK in the quantum framework, which provides encouraging results. In both cases, the quantum resources are evaluated in terms of several parameters, i.e., the T-depth of the circuits and the number of qubits required for the attacks. Experiments are performed in the IBM-Q environment to support our claims.

19 citations


Book ChapterDOI
01 Jan 2020
TL;DR: This paper presents µ2, a 64-bit lightweight block cipher with an 80-bit key, designed on well-established design paradigms and achieving comparable performance and security when compared against existing state-of-the-art lightweight block ciphers.
Abstract: This paper presents µ2, a 64-bit lightweight block cipher with an 80-bit key. µ2 is designed on well-established design paradigms, achieving comparable performance and security when compared against existing state-of-the-art lightweight block ciphers. µ2 is based on the Type-II generalized Feistel structure with a round function F that is itself a 16-bit ultra-lightweight block cipher based on the substitution-permutation network. Security evaluation indicates that µ2 offers a large security margin against known attacks such as differential cryptanalysis, linear cryptanalysis, algebraic attacks and others.

18 citations


Journal ArticleDOI
05 Aug 2020
TL;DR: The proposed heuristic tool uses methods inspired by Nested Tree-based sampling to find differential paths in ARX ciphers, and is successfully applied to obtain state-of-the-art differential cryptanalysis results with a very fast and simpler framework.
Abstract: This paper presents the differential cryptanalysis of the ARX-based cipher Chaskey using a tree-search-based heuristic approach. ARX algorithms are suitable for resource-constrained devices such as IoT and are very resistant to standard cryptanalysis such as linear or differential attacks. To mount a differential attack, it is essential to find differential characteristics of the cipher. Finding differential characteristics in ARX is the most challenging task nowadays. Due to the larger block size, it is infeasible to compute lookup tables for the non-linear components, and transitions through the non-linear layer of the cipher face a huge state-space problem. The problem of huge state spaces is a serious research topic in artificial intelligence (AI). The proposed heuristic tool uses methods inspired by Nested Tree-based sampling to find differential paths in ARX ciphers, and is successfully applied to obtain state-of-the-art differential cryptanalysis results with a very fast and simpler framework. The algorithm can also be applied in other areas of cryptanalysis where such huge state spaces are a problem.

Book ChapterDOI
17 Aug 2020
TL;DR: This work has shown how to build symmetric-key primitives with built-in backdoors, and some examples of how such ciphers have been implemented in the past.
Abstract: Inserting backdoors in encryption algorithms has long seemed like a very interesting, yet difficult problem. Most attempts have been unsuccessful for symmetric-key primitives so far and it remains an open problem how to build such ciphers.

Journal ArticleDOI
TL;DR: Existing Constraint Programming (CP) approaches for computing optimal related-key differential characteristics are improved in two ways: new constraints that detect inconsistencies sooner, and a new decomposition of the problem into two steps.

Journal ArticleDOI
09 Jun 2020-Entropy
TL;DR: Experimental results show that the proposed image encryption algorithm based on a hidden attractor chaotic system and shuffling algorithm has better encryption performance, and the proposed scheme is useful and practical in communication and can be applied to the field of image encryption.
Abstract: Existing image encryption algorithms combining a chaotic system and DNA sequences suffer from a small key space, low security of the encryption structure, and being easy to crack. To address these problems, this paper proposes an image encryption algorithm based on a hidden-attractor chaotic system and a shuffling algorithm. Firstly, the chaotic sequence generated by the hidden-attractor chaotic system is used to encrypt the image. The shuffling algorithm is used to scramble the image, and finally, the DNA sequence operation is used to diffuse the pixel values of the image. Experimental results show that the key space of the scheme reaches 2^327 and is very sensitive to keys. The histogram of encrypted images is evenly distributed. The correlation coefficient of adjacent pixels is close to 0. The entropy values of encrypted images are all close to eight, and the unified average change intensity (UACI) and number of pixel changing rate (NPCR) values are close to their ideal values. All-white and all-black image experiments meet the requirements. Experimental results show that the encryption scheme in this paper can effectively resist exhaustive attacks, statistical attacks, differential cryptanalysis, known-plaintext and chosen-plaintext attacks, and noise attacks. The above research results show that the system has better encryption performance, and the proposed scheme is useful and practical in communication and can be applied to the field of image encryption.

Journal ArticleDOI
TL;DR: This paper proposes an obfuscation control unit that allows on-demand selection of the three AES variants resulting in a variable encrypting pattern for a plaintext-key pair thus adding more bottlenecks to the adversaries.

Posted Content
TL;DR: By looking at some APN functions through the defined multiplicative differential concept, it is shown that their c-differential uniformity increases significantly, in some cases.
Abstract: In a prior paper [14], along with P. Ellingsen, P. Felke and A. Tkachenko, we defined a new (output) multiplicative differential, and the corresponding c-differential uniformity, which has the potential of extending differential cryptanalysis. Here, we continue the work, by looking at some APN functions through the mentioned concept and show that their c-differential uniformity increases significantly, in some cases.

Journal ArticleDOI
TL;DR: The MILP model is improved to search for differential trails of Midori64, a family of lightweight block ciphers proposed by Banik et al. at Asiacrypt 2015, and key recovery attacks are given on 11-round reduced Midori64.
Abstract: Mixed integer linear programming (MILP) model was presented by Sun et al. at Asiacrypt 2014 to search for differential characteristics of block ciphers. Based on this model, it is easy to assess block ciphers against differential attack. In this paper, the MILP model is improved to search for differential trails of Midori64 which is a family of lightweight block ciphers provided by Banik et al. at Asiacrypt 2015. We find the best 5-round differential characteristics of Midori64 with MILP-based model, and the probabilities are $2^{-52}$ and $2^{-58}$ respectively. Based on these distinguishers, we give key recovery attacks on the 11-round reduced Midori64 with data complexities of $2^{55.6}$ and $2^{61.2}$ , and time complexities of $2^{109.35}$ and $2^{100.26}$ .

Book ChapterDOI
07 Dec 2020
TL;DR: The first bit-vector differential model for the n-bit modular addition by a constant input is presented; it contains O(log_2(n)) basic bit-vector constraints and describes the binary logarithm of the differential probability.
Abstract: ARX algorithms are a class of symmetric-key algorithms constructed by Addition, Rotation, and XOR, which achieve the best software performances in low-end microcontrollers. To evaluate the resistance of an ARX cipher against differential cryptanalysis and its variants, the recent automated methods employ constraint satisfaction solvers, such as SMT solvers, to search for optimal characteristics. The main difficulty to formulate this search as a constraint satisfaction problem is obtaining the differential models of the non-linear operations, that is, the constraints describing the differential probability of each non-linear operation of the cipher. While an efficient bit-vector differential model was obtained for the modular addition with two variable inputs, no differential model for the modular addition by a constant has been proposed so far, preventing ARX ciphers including this operation from being evaluated with automated methods.

Journal ArticleDOI
TL;DR: A branch-and-bound based search algorithm is applied to find the least number of active substitution boxes (S-boxes) in differential trails of ANU and PICO in order to perform differential cryptanalysis of these ciphers.
Abstract: ANU and PICO are two lightweight block ciphers published by Bansod et al. in 2016. For cryptanalysis, we apply a branch-and-bound based search algorithm to find the least number of active Substitut...

Journal ArticleDOI
Iqtadar Hussain
TL;DR: Strong and robust substitution boxes are constructed from Boolean functions incorporating chaos: a new algebraic structure based on Boolean functions is combined with the logistic chaotic map.
Abstract: With the exponential growth of the communication sector, the risk to information management also increases. Although there is enormous input from the cybersecurity perspective, a lot still must be done. The substitution box is the most vital component in symmetric encryption algorithms, and various proposals have been presented using chaos. Unfortunately, the full potential of chaos in constructing substitution boxes has not been exploited before. In this paper, we have constructed strong and robust substitution boxes based on Boolean functions incorporating chaos. First, we have developed a new algebraic structure based on Boolean functions. Second, we have incorporated the logistic chaotic map with the proposed algebraic structure to construct strong and robust true-chaotic S-boxes. Third, the constructed S-boxes are tested against statistical and security analysis, including linear and differential cryptanalysis, to demonstrate their strength and robustness. The simulation results and analysis demonstrate that the constructed substitution boxes can resist well-known attacks. Finally, we have carried out a comparative analysis of statistical, security and cryptanalytic properties against other well-known works to demonstrate the superiority of our work.

Book ChapterDOI
21 Oct 2020
TL;DR: In this article, the authors reevaluate the security of GIFT against differential cryptanalysis under both the single-key and related-key scenarios, and propose an automatic algorithm to increase the probability of the related-key boomerang distinguisher of GIFT.
Abstract: In this paper, we reevaluate the security of GIFT against differential cryptanalysis under both single-key scenario and related-key scenario. Firstly, we apply Matsui’s algorithm to search related-key differential trails of GIFT. We add three constraints to limit the search space and search the optimal related-key differential trails on the limited search space. We obtain related-key differential trails of GIFT-64/128 for up to 15/14 rounds, which are the best results on related-key differential trails of GIFT so far. Secondly, we propose an automatic algorithm to increase the probability of the related-key boomerang distinguisher of GIFT by searching the clustering of the related-key differential trails utilized in the boomerang distinguisher. We find a 20-round related-key boomerang distinguisher of GIFT-64 with probability \( 2^{-58.557} \). The 25-round related-key rectangle attack on GIFT-64 is constructed based on it. This is the longest attack on GIFT-64. We also find a 19-round related-key boomerang distinguisher of GIFT-128 with probability \( 2^{-109.626} \). We propose a 23-round related-key rectangle attack on GIFT-128 utilizing the 19-round distinguisher, which is the longest related-key attack on GIFT-128. The 24-round related-key rectangle attack on GIFT-64 and 22-round related-key boomerang attack on GIFT-128 are also presented. Thirdly, we search the clustering of the single-key differential trails. We increase the probability of a 20-round single-key differential distinguisher of GIFT-128 from \( 2^{-121.415} \) to \( 2^{-120.245} \). The time complexity of the 26-round single-key differential attack on GIFT-128 is improved from \( 2^{124.415} \) to \( 2^{123.245} \).

Journal ArticleDOI
TL;DR: The boomerang uniformity is determined for all normalized permutation polynomials of degree up to six over the finite field $${\mathbb {F}}_{q}$$.
Abstract: Differential uniformity of permutation polynomials has been studied intensively in recent years due to the differential cryptanalysis of S-boxes. The boomerang attack is a variant of differential cryptanalysis which combines two differentials for the upper part and the lower part of the block cipher. The boomerang uniformity measures the resistance of block ciphers to the boomerang attack. In this paper, by using the resultant elimination method, we study the boomerang uniformity of normalized permutation polynomials of low degree over finite fields. As a result, we determine the boomerang uniformity of all normalized permutation polynomials of degree up to six over the finite field $${\mathbb {F}}_{q}$$.

Journal ArticleDOI
TL;DR: Security analysis of the algorithm and the results of the NIST statistical test suite demonstrate its resistance against common cryptographic attacks such as linear and differential cryptanalysis, and an efficient software implementation of SEPAR is presented.
Abstract: This paper presents a new hybrid encryption algorithm with a 16-bit block size and a 128-bit initialization vector, referred to as SEPAR, which is suitable for IoT devices. The design idea of this algorithm combines pseudorandom permutation and pseudorandom generator functions. This smart integration improves resistance against common cryptographic attacks while increasing cipher speed. Security analysis of the algorithm and the results of the NIST statistical test suite demonstrate its resistance against common cryptographic attacks such as linear and differential cryptanalysis. Furthermore, an efficient software implementation of SEPAR is presented on 8-, 16- and 32-bit platforms. Compared to the BORON cipher, SEPAR provides a 42.22% throughput improvement on a 32-bit ARM CPU. Also, for 8-bit and 16-bit microcontrollers, SEPAR provides 87.91% and 98.01% performance improvements compared to PRESENT, respectively.

Journal ArticleDOI
TL;DR: An extremely efficient forgery attack on Lilliput-AE that demonstrates the potential security risk in using a very simple tweakey schedule in which the same part of the key/tweak is reused in every round, even when round constants are employed to prevent slide attacks.
Abstract: Lilliput-AE is a tweakable block cipher submitted as a candidate to the NIST lightweight cryptography standardization process. It is based upon the lightweight block cipher Lilliput, whose cryptanalysis so far suggests that it has a large security margin. In this note, we present an extremely efficient forgery attack on Lilliput-AE: Given a single arbitrary message of length about $$2^{36}$$ bytes, we can instantly produce another valid message that leads to the same tag, along with the corresponding ciphertext. The attack uses a weakness in the tweakey schedule of Lilliput-AE which leads to the existence of a related-tweak differential characteristic with probability 1 in the underlying block cipher. The weakness we exploit, which does not exist in Lilliput, demonstrates the potential security risk in using a very simple tweakey schedule in which the same part of the key/tweak is reused in every round, even when round constants are employed to prevent slide attacks. Following this attack, the Lilliput-AE submission to NIST was tweaked.

Journal ArticleDOI
TL;DR: The profound effect of key schedules on the validity of differential characteristics is studied; the concept of singular characteristics, i.e., characteristics with no effective keys, is proposed, and an algorithm is given to sieve them out by studying the key schedule.
Abstract: For differential cryptanalysis under the single-key model, the key schedules hardly need to be exploited in constructing the characteristics, which is based on the hypothesis of stochastic equivalence. In this paper, we study a profound effect of the key schedules on the validity of the differential characteristics. Noticing the sensitivity of the probability of the characteristics to specific keys, we call the keys for which a characteristic has nonzero probability its effective keys. We propose the concept of singular characteristics, which are characteristics with no effective keys, and give an algorithm to sieve them out by studying the key schedule. We illustrate this with a differential characteristic of PRINCE whose expected differential probability is much larger than that of a random permutation, i.e., $$2^{-35}$$ vs. $$2^{-64}$$. Yet, it is indeed singular, and could be misused to mount a differential attack. Singular characteristics are found for 3-round AES and 3-round Midori-128 as well. Furthermore, taking into consideration the possible mismatches of the effective keys across a number of differential characteristics, we present singular clusters, which indicate an empty intersection of the corresponding effective keys; this is evidenced by showing two differential characteristics of 2-round AES. We also show that characteristics are tightly linked to the key schedule: as shown in the paper, a valid characteristic in AES-128 can be singular for AES-192. Our results indicate a gap between the perspectives of the designers and the attackers, which warns the latter to validate the theoretically-built distinguishers. Therefore, a closer look into the characteristics is inevitable before any attack is claimed.

Journal ArticleDOI
01 Mar 2020
TL;DR: A biclique attack is carried out on the full-round PRESENT-80 block cipher using independent related-key differential cryptanalysis; the computational complexity of the proposed attack is found to be lower than that of attacks published so far.
Abstract: Biclique cryptanalysis is a recent technique developed for key recovery of block ciphers. In this paper, a biclique attack is carried out on the full-round PRESENT-80 block cipher. Here, the biclique is constructed using independent related-key differential cryptanalysis. Matching with precomputation is used for the analysis of the other rounds. The computational complexity of the proposed attack is found to be lower than that of attacks published so far. The data complexity and time complexity of the proposed attack are calculated as 2^23 and 2^79.63, respectively.

Posted Content
TL;DR: It is shown that the cryptographic strength of generated substitution boxes is on par with the best known $8\times 8$ substitution boxes and the proposed encryption scheme is secure against different attacks and can resist linear and differential cryptanalysis.
Abstract: With the tremendous benefits of the internet and advanced communications comes a serious threat from the data security perspective. There is a need for secure and robust encryption algorithms that can be implemented on diverse software and hardware platforms. Also, in symmetric block encryption algorithms, substitution boxes are the most vital part. In this paper, we investigate semifield substitution boxes using permutations of the symmetric group S_8 on a set of size 8 and establish an effective procedure for generating S_8 semifield substitution boxes having the same algebraic properties. Further, the strength analysis of the generated substitution boxes is carried out using the well-known standards, namely bijectivity, nonlinearity, strict avalanche criterion, bit independence criterion, XOR table and differential invariant. Based on the analysis results, it is shown that the cryptographic strength of the generated substitution boxes is on par with the best known $8\times 8$ substitution boxes. As an application, an encryption algorithm is proposed that can be employed to strengthen any kind of secure communication. The presented algorithm is mainly based on Shannon's idea of an (S-P) network, where substitution is performed by the proposed S_8 semifield substitution boxes and permutation is performed by a binary cyclic shift of the substitution-box-transformed data. In addition, the proposed encryption algorithm utilizes two different chaotic maps. In order to ensure the appropriate utilization of these chaotic maps, we carry out in-depth analyses of their behavior in the context of secure communication and apply the pseudo-random sequences of the chaotic maps in the proposed image encryption algorithm accordingly. The statistical and simulation results imply that our encryption scheme is secure against different attacks and can resist linear and differential cryptanalysis.

Book ChapterDOI
13 Dec 2020
TL;DR: This work presents as the main contribution a new secret-key distinguisher on 3-round AES with the smallest data complexity in the literature (that does not require adaptive chosen plaintexts/ciphertexts), namely approximately half of the data necessary to set up a 3- round truncated differential distinguisher.
Abstract: In this work, we present new low-data secret-key distinguishers and key-recovery attacks on reduced-round AES. The starting point of our work is “Mixture Differential Cryptanalysis” recently introduced at FSE/ToSC 2019, a way to turn the “multiple-of-8” 5-round AES secret-key distinguisher presented at Eurocrypt 2017 into a simpler and more convenient one (though, on a smaller number of rounds). By reconsidering this result on a smaller number of rounds, we present as our main contribution a new secret-key distinguisher on 3-round AES with the smallest data complexity in the literature (that does not require adaptive chosen plaintexts/ciphertexts), namely approximately half of the data necessary to set up a 3-round truncated differential distinguisher (which is currently the distinguisher in the literature with the lowest data complexity). For a success probability of 95%, our distinguisher requires just 10 chosen plaintexts versus 20 chosen plaintexts necessary to set up the truncated differential attack.

Book ChapterDOI
13 Dec 2020
TL;DR: This paper proposes a series of attacks on both versions of SpoC, namely round-reduced differential tag forgery and message recovery attacks, as well as a time-memory trade-off key-recovery attack on the full-round version of SpoC-64.
Abstract: In this paper we present an analysis of the SpoC cipher, a second-round candidate of the NIST Lightweight Crypto Standardization process. First we present a differential analysis of the sLiSCP-light permutation, a core element of SpoC. Then we propose a series of attacks on both versions of SpoC, namely round-reduced differential tag forgery and message recovery attacks in the related-key, related-nonce scenario, as well as a time-memory trade-off key-recovery attack on the full-round version of SpoC-64. Finally, we present an observation regarding the constants used in the sLiSCP-light permutation.

Book ChapterDOI
02 Sep 2020
TL;DR: This article shows that internal state bits of TRIFLE can be partially decrypted for a few rounds even without any knowledge of the key, and highlights the potential pitfalls associated with a bit-permutation-based primitive design.
Abstract: Bit permutation based block ciphers, like PRESENT and GIFT, are well-known for their extreme lightweightness in hardware implementation. However, designing such ciphers comes with one major challenge: to ensure strong cryptographic properties simply depending on the combination of three components, namely an S-box, a bit permutation and a key addition function. Having a wrong combination of components could lead to weaknesses. In this article, we study the interaction between these components, improve the theoretical security bound of GIFT and highlight the potential pitfalls associated with a bit permutation based primitive design. We also conduct analysis on TRIFLE, a first-round candidate for the NIST lightweight cryptography competition, where our findings influenced the elimination of TRIFLE from the second round of the NIST competition. In particular, we show that internal state bits of TRIFLE can be partially decrypted for a few rounds even without any knowledge of the key.