
Showing papers on "Differential cryptanalysis published in 2022"


Book ChapterDOI
TL;DR: In this paper, the authors improve the existing differential-linear attacks on ChaCha: a listing technique for finding the right pairs behind Beierle et al.'s 3.5-round differential, a better PNB construction, a revised complexity calculation and a two-pair attack variant bring the time complexity against 256-bit ChaCha down to $$2^{221.95}$$ from $$2^{230.86}$$, and give the first attack on 6.5-round ChaCha128, at $$2^{123.04}$$.
Abstract: In this paper, we provide several improvements over the existing differential-linear attacks on ChaCha. ChaCha is a stream cipher which has 20 rounds. At CRYPTO 2020, Beierle et al. observed a differential in the 3.5-th round if the right pairs are chosen. They produced an improved attack using this, but showed that to achieve a right pair, we need $$2^5$$ iterations on average. In this direction, we provide a technique to find the right pairs with the help of listing. Also, we provide a strategic improvement in PNB construction, a modification of the complexity calculation and an alternative attack method using two input-output pairs. Using these, we improve the time complexity, reducing it to $$2^{221.95}$$ from the $$2^{230.86}$$ reported by Beierle et al. for the 256-bit version of ChaCha. Also, after a decade, we improve the existing complexity (Shi et al., ICISC 2012) for the 6-round 128-bit version of ChaCha by more than 11 million times and produce the first-ever attack on 6.5-round ChaCha128, with time complexity $$2^{123.04}$$.

7 citations


Journal ArticleDOI
TL;DR: In this article, the inverse, the Gold, and the Bracken-Leander functions, which are used to build S-boxes with good cryptographic properties, are revisited through their DDT, BCT, FBCT and FBDT, with explicit entry values and cardinalities given for each table.
Abstract: The inverse, the Gold, and the Bracken-Leander functions are crucial for building S-boxes of block ciphers with good cryptographic properties in symmetric cryptography. These functions have been intensively studied, and various properties related to standard attacks have been investigated. Thanks to novel advances in symmetric cryptography and, more precisely, those pertaining to boomerang cryptanalysis, this article follows this momentum and further examines these functions. More specifically, we revisit and bring new results about their Difference Distribution Table (DDT), their Boomerang Connectivity Table (BCT), their Feistel Boomerang Connectivity Table (FBCT), and their Feistel Boomerang Difference Table (FBDT). For each table, we give explicit values of all entries by solving specific systems of equations over the finite field $$\mathbb {F}_{2^n}$$ of cardinality $$2^n$$ and compute the cardinalities of their corresponding sets of such values. The explicit values of the entries of these tables and their cardinalities are crucial tools to test the resistance of block ciphers based on variants of the inverse, the Gold, and the Bracken-Leander functions against cryptanalytic attacks such as differential and boomerang attacks. The computation of these entries and the cardinalities in each table aims to facilitate the analysis of differential and boomerang cryptanalysis of S-boxes when studying distinguishers and trails.
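The four tables named in the abstract are all defined by counting solutions to a difference equation over the S-box. The following block, added here as a worked example and not code from the article, computes the DDT, BCT and FBCT of a 4-bit S-box by exhaustive counting; the public PRESENT S-box is used only as a convenient bijective stand-in for the inverse, Gold and Bracken-Leander functions the article treats analytically, and any other 4-bit table can be substituted.

```python
"""DDT, BCT and FBCT of a 4-bit S-box, computed by exhaustive counting.

Added worked example; this is not code from the article. The PRESENT S-box
(a public constant) is used only as a convenient stand-in for the inverse,
Gold and Bracken-Leander functions the article treats analytically."""

# PRESENT S-box; any bijective 4-bit table can be substituted.
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def inverse(sbox):
    inv = [0] * len(sbox)
    for x, y in enumerate(sbox):
        inv[y] = x
    return inv


def ddt(sbox):
    """DDT[a][b] = #{x : S(x) ^ S(x ^ a) == b}."""
    size = len(sbox)
    table = [[0] * size for _ in range(size)]
    for a in range(size):
        for x in range(size):
            table[a][sbox[x] ^ sbox[x ^ a]] += 1
    return table


def bct(sbox):
    """BCT[a][b] = #{x : S^-1(S(x) ^ b) ^ S^-1(S(x ^ a) ^ b) == a}, i.e. the
    number of x for which a boomerang with upper difference a and lower
    difference b returns through the S-box (Cid et al., EUROCRYPT 2018)."""
    size = len(sbox)
    inv = inverse(sbox)
    table = [[0] * size for _ in range(size)]
    for a in range(size):
        for b in range(size):
            table[a][b] = sum(
                1 for x in range(size)
                if inv[sbox[x] ^ b] ^ inv[sbox[x ^ a] ^ b] == a)
    return table


def fbct(sbox):
    """Feistel BCT: FBCT[a][b] = #{x : S(x)^S(x^a)^S(x^b)^S(x^a^b) == 0}.
    No inverse is needed, which is why it applies to Feistel constructions
    where the round function need not be bijective."""
    size = len(sbox)
    table = [[0] * size for _ in range(size)]
    for a in range(size):
        for b in range(size):
            table[a][b] = sum(
                1 for x in range(size)
                if sbox[x] ^ sbox[x ^ a] ^ sbox[x ^ b] ^ sbox[x ^ a ^ b] == 0)
    return table


def max_nontrivial(table):
    """Largest entry with a != 0 and b != 0: the differential uniformity for a
    DDT, the boomerang uniformity for a BCT."""
    size = len(table)
    return max(table[a][b] for a in range(1, size) for b in range(1, size))
```

Two sanity checks worth running on any new table code: for a bijective S-box every DDT row sums to 2^n and BCT[a][b] >= DDT[a][b] holds entry by entry (a pair that follows the differential always makes the boomerang return), and FBCT is symmetric with FBCT[a][a] = 2^n. The PRESENT S-box has differential uniformity 4, so `max_nontrivial(ddt(PRESENT_SBOX))` returns 4.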

6 citations


Journal ArticleDOI
TL;DR: In this paper, the authors present the first bit-vector differential model for the n-bit modular addition by a constant input; it contains $$O(\log_2 n)$$ basic bit-vector constraints and describes the binary logarithm of the differential probability.
Abstract: ARX algorithms are a class of symmetric-key algorithms constructed by Addition, Rotation, and XOR. To evaluate the resistance of an ARX cipher against differential and impossible-differential cryptanalysis, the recent automated methods employ constraint satisfaction solvers to search for optimal characteristics or impossible differentials. The main difficulty in formulating this search is finding the differential models of the non-linear operations. While an efficient bit-vector differential model was obtained for the modular addition with two variable inputs, no differential model for the modular addition by a constant has been proposed so far, preventing ARX ciphers including this operation from being evaluated with automated methods. In this paper, we present the first bit-vector differential model for the n-bit modular addition by a constant input. Our model contains $$O(\log_2 n)$$ basic bit-vector constraints and describes the binary logarithm of the differential probability. We describe an SMT-based automated method that includes our model to search for differential characteristics of ARX ciphers including constant additions. We also introduce a new automated method for obtaining impossible differentials where we do not search over a small pre-defined set of differences, such as low-weight differences, but let the SMT solver search through the space of differences. Moreover, we implement both methods in our open-source tool ArxPy to find characteristics and impossible differentials of ARX ciphers with constant additions in a fully automated way. As some examples, we provide related-key impossible differentials and differential characteristics of TEA, XTEA, HIGHT, LEA, SHACAL-1, and SHACAL-2, which achieve better results compared to previous works.
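The "efficient bit-vector differential model" for two-variable-input addition that the abstract refers to is the Lipmaa-Moriai test, and the reason constant addition needs its own model is that the constant is public, so no averaging over a second input takes place. The block below is an added worked example, not the article's ArxPy model: it implements the Lipmaa-Moriai validity and weight formulas, checks them against brute force on small words, and brute-forces the constant-input case to show that the probability for a fixed constant can be anywhere between 0 and 1 even though its average over all constants equals the two-input value.

```python
"""XOR-differential probability through modular addition.

Added worked example; this is not the article's ArxPy model. The
two-variable-input case uses the Lipmaa-Moriai (FSE 2001) bit-vector test;
the constant-input case is brute-forced here to show why it cannot simply
be read off the two-input formula."""


def _eq(x, y, z, mask):
    """Bit i is set iff x_i == y_i == z_i (all three differences agree)."""
    return (~x ^ y) & (~x ^ z) & mask


def xdp_add_lm(alpha, beta, gamma, n):
    """Lipmaa-Moriai: xdp+(alpha, beta -> gamma) for n-bit modular addition.
    Valid iff eq(alpha<<1, beta<<1, gamma<<1) & (alpha^beta^gamma^(beta<<1)) == 0;
    weight = popcount(~eq(alpha, beta, gamma)) restricted to bits 0..n-2."""
    mask = (1 << n) - 1
    bad = _eq(alpha << 1, beta << 1, gamma << 1, mask) & \
        (alpha ^ beta ^ gamma ^ (beta << 1)) & mask
    if bad:
        return 0.0
    weight = bin(~_eq(alpha, beta, gamma, mask) & (mask >> 1)).count("1")
    return 2.0 ** -weight


def xdp_add_bruteforce(alpha, beta, gamma, n):
    """Exhaustive count over all (x, y) pairs; only feasible for small n."""
    mask = (1 << n) - 1
    hits = 0
    for x in range(1 << n):
        for y in range(1 << n):
            if ((x + y) ^ ((x ^ alpha) + (y ^ beta))) & mask == gamma:
                hits += 1
    return hits / 4 ** n


def xdp_const(alpha, gamma, c, n):
    """Probability that x + c and (x ^ alpha) + c differ by gamma for a FIXED
    public constant c; nothing averages over c."""
    mask = (1 << n) - 1
    hits = sum(1 for x in range(1 << n)
               if ((x + c) ^ ((x ^ alpha) + c)) & mask == gamma)
    return hits / 2 ** n


def lm_matches_bruteforce(n):
    """Checks the closed formula against brute force for every
    (alpha, beta, gamma) on n-bit words; True when they agree everywhere."""
    size = 1 << n
    return all(
        xdp_add_lm(a, b, g, n) == xdp_add_bruteforce(a, b, g, n)
        for a in range(size) for b in range(size) for g in range(size))


def const_average_is_two_input(alpha, gamma, n):
    """Averaging xdp_const over all constants recovers xdp+(alpha, 0 -> gamma),
    while an individual constant can sit anywhere between 0 and 1."""
    size = 1 << n
    avg = sum(xdp_const(alpha, gamma, c, n) for c in range(size)) / size
    return abs(avg - xdp_add_bruteforce(alpha, 0, gamma, n)) < 1e-12
```

The instructive case is the single-bit difference alpha = 1 with output difference gamma = 1: the two-input formula gives probability 1/2 (the second input's low bit is unknown), `xdp_const(1, 1, 0, 8)` is 1 (adding zero changes nothing) and `xdp_const(1, 1, 1, 8)` is 0 (adding one always flips at least two low bits of one of the two values). A constraint model that plugged the two-input probability in for a constant addition would therefore be wrong in both directions.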

6 citations


Journal ArticleDOI
Jinyu Lu, Yunwen Liu, Tomer Ashur, Bing Sun, Chao Li 
TL;DR: In this article, the authors propose a SAT/SMT model for searching compatible RX-characteristics in Simon-like ciphers, i.e., characteristics for which at least one right pair of messages/keys exists.
Abstract: Rotational-XOR (RX) cryptanalysis is a cryptanalytic method aimed at finding distinguishable statistical properties in ARX-C ciphers, i.e., ciphers that can be described only by using modular addition, cyclic rotation, XOR, and the injection of constants. In this paper we extend RX-cryptanalysis to AND-RX ciphers, a similar design paradigm where the modular addition is replaced by vectorial bitwise AND; such ciphers include the block cipher families Simon and Simeck. We analyze the propagation of RX-differences through AND-RX rounds and develop a closed form formula for their expected probability. Inspired by the MILP verification model proposed by Sadeghi et al., we develop a SAT/SMT model for searching compatible RX-characteristics in Simon-like ciphers, i.e., characteristics for which there is at least one right pair of messages/keys satisfying the RX-characteristic. To the best of our knowledge, this is the first model that takes the RX-difference transitions and value transitions simultaneously into account in Simon-like ciphers. Meanwhile, we investigate how the choice of the round constants affects the resistance of Simon-like ciphers against RX-cryptanalysis. Finally, we show how to use an RX-distinguisher for a key recovery attack. Evaluating our model we find compatible RX-characteristics of up to 20, 27, and 34 rounds with respective probabilities of $$2^{-26}$$, $$2^{-44}$$, and $$2^{-56}$$ for versions of Simeck with block sizes of 32, 48, and 64 bits, respectively, for large classes of weak keys in the related-key model. In most cases, these are the longest published distinguishers for the respective variants of Simeck. In the case of Simon, we present compatible RX-characteristics for round-reduced versions of all ten instances. We observe that for equal block and key sizes, the RX-distinguishers cover fewer rounds in Simon than in Simeck. Concluding the paper, we present a key recovery attack on Simeck64 reduced to 28 rounds using a 23-round RX-characteristic.

6 citations


Journal ArticleDOI
TL;DR: In this article , a key-recovery attack on WARP was proposed based on differential cryptanalysis in single and related-key settings, with the first 19 rounds having optimal differential probabilities.
Abstract: WARP is an energy-efficient lightweight block cipher that is currently the smallest 128-bit block cipher in terms of hardware. It was proposed by Banik et al. in SAC 2020 as a lightweight replacement for AES-128 without changing the mode of operation. This paper proposes key-recovery attacks on WARP based on differential cryptanalysis in single and related-key settings. We searched for differential trails for up to 20 rounds of WARP, with the first 19 having optimal differential probabilities. We also found that the cipher has a strong differential effect, whereby 16 to 20-round differentials have substantially higher probabilities than their corresponding individual trails. A 23-round key-recovery attack was then realized using an 18-round differential distinguisher. Next, we formulated an automatic boomerang search using SMT that relies on the Feistel Boomerang Connectivity Table to identify valid switches. We designed the search as an add-on to the CryptoSMT tool, making it applicable to other Feistel-like ciphers such as TWINE and LBlock-s. For WARP, we found a 21-round boomerang distinguisher which was used in a 24-round rectangle attack. In the related-key setting, we describe a family of 2-round iterative differential trails, which we used in a practical related-key attack on the full 41-round WARP.

6 citations


Journal ArticleDOI
TL;DR: In this paper, the authors mount a differential fault attack on the key schedule of KLEIN-96 (96-bit key); by exploiting the relationship between input and output differences of its S-box, they reduce the exhaustive search from the original $$2^{96}$$ to an acceptable bound after injecting a certain number of byte faults.
Abstract: KLEIN is a new family of lightweight block ciphers designed for resource-constrained devices. Compared to other schemes, it also has great advantages in both software and hardware performance. In recent works, many researchers have studied its security against differential fault analysis (DFA). Note that all of those works focus on KLEIN-64, which has a 64-bit key; a 64-bit key is clearly not enough for current ciphers. In this paper, we investigate the differential fault attack on the key schedule of KLEIN-96, which has a 96-bit key. More specifically, by deeply developing the inner relationship between input and output differentials of its S-box, we reduce the complexity of exhaustive searching from the original $$2^{96}$$ to an acceptable bound by injecting a certain number of byte faults. Finally, we also demonstrate the efficiency of our proposed attack by simulations, which show that our method has great advantages over other cryptanalysis of the KLEIN cipher.

5 citations


Journal ArticleDOI
TL;DR: In this article, SCENERY, a lightweight 64-bit block cipher with 80-bit keys and 28 rounds, is proposed; its round function consists of eight 4 × 4 S-boxes in parallel and a 32 × 32 binary matrix.
Abstract: In this paper, we propose a new lightweight block cipher called SCENERY. SCENERY is designed to be efficient on both hardware and software platforms. SCENERY is a 64-bit block cipher supporting 80-bit keys, and its data processing consists of 28 rounds. The round function of SCENERY consists of eight 4 × 4 S-boxes in parallel and a 32 × 32 binary matrix, and SCENERY can be implemented with a few basic logic instructions. The hardware implementation of SCENERY only requires 1438 GE based on 0.18 µm CMOS technology, and the software implementation of encrypting or decrypting a block takes approximately 1516 clock cycles on 8-bit microcontrollers and 364 clock cycles on 64-bit processors. Compared with other encryption algorithms, the performance of SCENERY is well balanced between hardware and software. By the security analyses, SCENERY can achieve enough security margin against known attacks, such as differential cryptanalysis, linear cryptanalysis, impossible differential cryptanalysis and related-key attacks.

5 citations


Journal ArticleDOI
01 Mar 2022-Optik
TL;DR: In this article, a differential cryptanalysis of a cryptosystem based on a 3D logistic map and a 3D Cat map is presented; the scheme is broken by means of a chosen-plaintext attack.

4 citations


Journal ArticleDOI
TL;DR: New techniques for the analysis of difference propagation for big-circle chi are presented, and a dedicated program to perform differential trail search in Subterranean is implemented, confirming the maximum DP of 3-round trails, and improving the upper bounds for the DP of trails over 5, 6, 7 and 8 rounds.
Abstract: Proving upper bounds for the expected differential probability (DP) of differential trails is a standard requirement when proposing a new symmetric primitive. In the case of cryptographic primitives with a bit-oriented round function, such as Keccak, Xoodoo and Subterranean, computer assistance is required in order to prove strong upper bounds on the probability of differential trails. The techniques described in the literature make use of the fact that the non-linear step of the round function is an S-box layer. In the case of Keccak and Xoodoo, the S-boxes are instances of the chi mapping operating on l-bit circles with l equal to 5 and 3 respectively. In that case the differential propagation properties of the non-linear layer can be evaluated efficiently by the use of pre-computed difference distribution tables. Subterranean 2.0 is a recently proposed cipher suite that has exceptionally good energy-efficiency when implemented in hardware (ASIC and FPGA). The non-linear step of its round function is also based on the chi mapping, but operating on an l = 257-bit circle comprising all the state bits. This makes the brute-force approach proposed and used for Keccak and Xoodoo infeasible to apply. Difference propagation through the chi mapping from input to output can be treated using linear algebra thanks to the fact that chi has algebraic degree 2. However, difference propagation from output to input is problematic for big-circle chi. In this paper, we tackle this problem, and present new techniques for the analysis of difference propagation for big-circle chi. We implemented these techniques in a dedicated program to perform differential trail search in Subterranean. Thanks to this, we confirm the maximum DP of 3-round trails found by the designers, we determine the maximum DP of 4-round trails and we improve the upper bounds for the DP of trails over 5, 6, 7 and 8 rounds.

4 citations


Journal ArticleDOI
30 Sep 2022-Symmetry
TL;DR: From the security analyses and performance tests, it is proven that LAO-3D can provide sufficient security at low costs in mobile encryption applications.
Abstract: Data transmissions between smartphone users require security solutions to protect communications. Hence, encryption is an important tool that must be associated with smartphones to keep the user's data safe. One proposed way to enhance the security of encryption algorithms is to use 3D designs in symmetric block ciphers. Although a 3D cipher design could improve the algorithms, the existing methods enlarge the block sizes, which also expands the key sizes and encryption rounds, thus decreasing their efficiency. Therefore, we propose the LAO-3D block cipher using a 3D permutation that offers security by providing confusion and diffusion characteristics. Five security analyses were conducted to assess the strengths of LAO-3D. The findings suggest that LAO-3D achieves better results compared to other existing lightweight block ciphers, with 98.2% non-linearity, 50% bit error rates for both plaintext and key modifications, a 100% pass rate on the randomness tests, and immunity to differential and linear cryptanalysis attacks. Moreover, the block cipher obtains competitive performance results in software applications. From the security analyses and performance tests, it is proven that LAO-3D can provide sufficient security at low costs in mobile encryption applications.

4 citations


Journal ArticleDOI
TL;DR: In this paper, a new method for obtaining an S-box, one of the nonlinear transformations used in modern symmetric block ciphers, is proposed; it is based on exponentiation modulo a polynomial in extended Galois fields.
Abstract: This paper considers a new method for obtaining an S-box, which is one of the nonlinear transformations used in modern symmetric block ciphers. This method is based on modular arithmetic, that is, exponentiation modulo a polynomial in extended Galois fields. The indicators and criteria of efficiency of the obtained S-box (balance, Hamming distance, distribution criteria, autocorrelation, algebraic immunity, cyclic structure of the S-box) are analyzed. The cryptographic characteristics are presented in comparison with the substitution boxes of known modern block ciphers. In addition, the resulting S-box was investigated by the methods of linear and differential cryptanalysis. In the future, the proposed S-box will be used in the developed encryption algorithm designed for the pre-encryption of confidential information.

Journal ArticleDOI
01 Aug 2022-Sensors
TL;DR: The optimization of SA via various parameters was able to significantly reduce the computational complexity of substitution generation with SA, and the probability of generating the target S-boxes with a nonlinearity score of 104 was significantly increased.
Abstract: Cryptographic algorithms are used to ensure confidentiality, integrity and authenticity of data in information systems. One of the important areas of modern cryptography is that of symmetric key ciphers. They convert the input plaintext into ciphertext, representing it as a random sequence of characters. S-boxes are designed to complicate the input–output relationship of the cipher. In other words, S-boxes introduce nonlinearity into the encryption process, complicating the use of different methods of cryptanalysis (linear, differential, statistical, correlation, etc.). In addition, S-boxes must be random. This property means that nonlinear substitution cannot be represented as simple algebraic constructions. Random S-boxes are designed to protect against algebraic methods of cryptanalysis. Thus, generation of random S-boxes is an important area of research directly related to the design of modern cryptographically strong symmetric ciphers. This problem has been solved in many related works, including some using the simulated annealing (SA) algorithm. Some works managed to generate 8-bit bijective S-boxes with a nonlinearity index of 104. However, this required enormous computational resources. This paper presents the results of our optimization of SA via various parameters. We were able to significantly reduce the computational complexity of substitution generation with SA. In addition, we also significantly increased the probability of generating the target S-boxes with a nonlinearity score of 104.
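The nonlinearity score the abstract targets (104 for an 8-bit bijection) is computed from the Walsh spectrum of the S-box's component functions, and simulated annealing searches the space of permutations with that score as the cost. The block below is an added worked example, not the article's optimized SA: it implements the nonlinearity computation with a fast Walsh-Hadamard transform and a toy annealer whose move (swap two outputs), temperature schedule and step count are arbitrary choices made here for illustration, not the parameters the article tuned. The public PRESENT S-box appears only as a known reference value (nonlinearity 4, the optimum for 4 bits).

```python
"""S-box nonlinearity via the Walsh-Hadamard transform, and a small
simulated-annealing search over bijective S-boxes.

Added worked example; it is not the article's optimized SA. Cost function,
move (swap two outputs), temperature schedule and step count are toy
choices made here for illustration, not the parameters the article tuned."""
import math
import random

# Public PRESENT S-box, used here only as a known-good reference point.
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def linearity(sbox, n):
    """max |W(a, b)| over all input masks a and non-zero output masks b, with
    W(a, b) = sum_x (-1)^(a.x ^ b.S(x)); one fast WHT per component function."""
    size = 1 << n
    worst = 0
    for b in range(1, size):
        # +-1 truth table of the component x -> b.S(x) (parity of b & S(x))
        f = [1 - 2 * (bin(b & sbox[x]).count("1") & 1) for x in range(size)]
        h = 1
        while h < size:                      # in-place Walsh-Hadamard transform
            for i in range(0, size, 2 * h):
                for j in range(i, i + h):
                    u, v = f[j], f[j + h]
                    f[j], f[j + h] = u + v, u - v
            h *= 2
        worst = max(worst, max(abs(w) for w in f))   # f[a] now equals W(a, b)
    return worst


def nonlinearity(sbox, n):
    """NL(S) = 2^(n-1) - max|W| / 2; 104 for an 8-bit S-box means max|W| = 48."""
    return (1 << (n - 1)) - linearity(sbox, n) // 2


def anneal_sbox(n, steps=1000, t0=4.0, cooling=0.99, seed=1):
    """Toy SA: start from a random permutation, swap two outputs per step,
    accept uphill moves with probability exp(-delta / T), and return the best
    bijection seen together with its nonlinearity."""
    rng = random.Random(seed)
    size = 1 << n
    cur = list(range(size))
    rng.shuffle(cur)
    cur_cost = linearity(cur, n)
    best, best_cost = cur[:], cur_cost
    t = t0
    for _ in range(steps):
        i, j = rng.sample(range(size), 2)
        cand = cur[:]
        cand[i], cand[j] = cand[j], cand[i]      # swapping keeps bijectivity
        cost = linearity(cand, n)
        delta = cost - cur_cost
        if delta <= 0 or rng.random() < math.exp(-delta / t):
            cur, cur_cost = cand, cost
            if cost < best_cost:
                best, best_cost = cand[:], cost
        t *= cooling
    return best, (1 << (n - 1)) - best_cost // 2
```

For 8-bit S-boxes the same code runs with `anneal_sbox(8, ...)`, but each cost evaluation is 255 transforms of size 256, so in pure Python the search is slow; the article's point is precisely that the choice of annealing parameters, not the cost evaluation, determines how often the 104 target is reached.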

Book ChapterDOI
TL;DR: In this paper, a deep-learning-based output prediction attack is proposed and evaluated on toy SPN and Feistel block ciphers with a 16-bit block size, for which deep-learning models can be trained on the maximum number of plaintext/ciphertext pairs and the number of rounds needed for full diffusion can be computed precisely.
Abstract: In this paper, we propose deep learning-based output prediction attacks in a blackbox setting. As preliminary experiments, we first focus on two toy SPN block ciphers (small PRESENT-[4] and small AES-[4]) and one toy Feistel block cipher (small TWINE-[4]). Because of their small internal structure with a block size of 16 bits, we can construct deep learning models by employing the maximum number of plaintext/ciphertext pairs, and we can precisely calculate the rounds in which full diffusion occurs. Next, based on the preliminary experiments, we explore whether the evaluation results obtained by our attacks against three toy block ciphers can be applied to block ciphers with large block sizes, e.g., 32 and 64 bits. As a result, we demonstrate the following results, specifically for the SPN block ciphers: (1) our attacks work against a similar number of rounds as the linear/differential attacks, (2) our attacks realize output predictions (precisely, ciphertext prediction and plaintext recovery) that are much stronger than distinguishing attacks, and (3) swapping or replacing the internal components of the target block ciphers affects the average success probabilities of the proposed attacks. It is particularly worth noting that this is a deep learning specific characteristic because swapping/replacing does not affect the average success probabilities of the linear/differential attacks. We also confirm whether the proposed attacks work on the Feistel block cipher. We expect that our results will be an important stepping stone in the design of deep learning-resistant symmetric-key ciphers.

Book ChapterDOI
TL;DR: In this paper , the authors presented the first third-party cryptanalysis of SPEEDY-r-192, where r is the number of rounds and 192 is the block size in bits.
Abstract: SPEEDY is a family of ultra low latency block ciphers proposed by Leander, Moos, Moradi and Rasoolzadeh at TCHES 2021. Although the designers gave some differential/linear distinguishers for reduced rounds, a concrete cryptanalysis considering key recovery attacks on SPEEDY was completely missing. The latter is crucial to understand the security margin of designs like SPEEDY which typically use a low number of rounds to have low latency. In this work, we present the first third-party cryptanalysis of SPEEDY-r-192, where $$r \in \{5, 6, 7\}$$ is the number of rounds and 192 is the block and key size in bits. We identify cube distinguishers for 2 rounds with data complexities $$2^{14}$$ and $$2^{13}$$, while the differential/linear distinguishers provided by the designers have a complexity of $$2^{39}$$. Notably, we show that there are several such cube distinguishers, and thus we provide a generic description of them. We also investigate the structural properties of 13-dimensional cubes and give experimental evidence that the partial algebraic normal form of certain state bits after two rounds is always the same. Next, we utilize the 2-round distinguishers to mount a key recovery attack on 3-round SPEEDY. Our attack requires $$2^{17.6}$$ data, $$2^{25.5}$$ bits of memory and $$2^{52.5}$$ time. Our results show that the practical variant of SPEEDY, i.e., SPEEDY-5-192, has a security margin of only 2 rounds. We believe our work will bring new insights in understanding the security of SPEEDY.
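A cube distinguisher is a set of public-variable positions over which the XOR of the output bit is the same for every key (the superpoly is constant), and a cube attack extends the same sum to a superpoly that is linear in the key. The block below is an added worked example and is neither SPEEDY nor the article's cubes: a hypothetical degree-3 function `toy_f` stands in for one output bit of a round-reduced cipher, and the code shows the cube-sum computation, the constant-superpoly test that gives a distinguisher, and the offline/online phases that turn a linear superpoly into an equation in the key bits.

```python
"""Cube sums over a toy keyed Boolean function.

Added worked example; this is neither SPEEDY nor the article's cubes. The
hypothetical degree-3 function toy_f stands in for one output bit of a
round-reduced cipher, to show (1) a cube distinguisher, where the cube sum
is the same for every key, and (2) the offline/online phases of a cube
attack, where a linear superpoly yields an equation in the key bits."""
from itertools import product

N_PUB, N_KEY = 4, 3   # public (IV/plaintext) bits and secret key bits


def toy_f(x, k):
    """Hypothetical output bit over GF(2); x and k are lists of 0/1."""
    return ((x[0] & x[1] & x[2] & (k[0] ^ k[1]))
            ^ (x[0] & x[1] & k[2])
            ^ (x[1] & x[2] & x[3])
            ^ (x[0] & k[0] & k[1])
            ^ x[3] ^ k[2])


def cube_sum(f, cube, key, fixed=None):
    """XOR of f over all 2^|cube| assignments of the cube variables, with the
    remaining public bits held at `fixed` (default: all zero)."""
    base = list(fixed) if fixed is not None else [0] * N_PUB
    acc = 0
    for bits in product((0, 1), repeat=len(cube)):
        x = base[:]
        for idx, bit in zip(cube, bits):
            x[idx] = bit
        acc ^= f(x, key)
    return acc


def is_cube_distinguisher(f, cube, fixed=None):
    """True when the superpoly is constant: every key gives the same cube sum,
    which separates f from a random function with 2^|cube| chosen inputs."""
    sums = {cube_sum(f, cube, list(k), fixed)
            for k in product((0, 1), repeat=N_KEY)}
    return len(sums) == 1


def offline_linear_superpoly(f, cube, fixed=None):
    """Offline phase: probe the all-zero key and the unit keys to read off an
    affine superpoly c0 ^ sum(c_i k_i), then verify it against every key (a
    linearity test). Returns None if the superpoly is not affine."""
    zero = [0] * N_KEY
    c0 = cube_sum(f, cube, zero, fixed)
    coeffs = []
    for i in range(N_KEY):
        unit = zero[:]
        unit[i] = 1
        coeffs.append(cube_sum(f, cube, unit, fixed) ^ c0)
    for k in product((0, 1), repeat=N_KEY):
        predicted = c0
        for c, kb in zip(coeffs, k):
            predicted ^= c & kb
        if predicted != cube_sum(f, cube, list(k), fixed):
            return None
    return c0, coeffs


def online_equation(f, cube, secret_key, fixed=None):
    """Online phase: with the superpoly known, one cube sum under the unknown
    key gives the linear equation sum(c_i k_i) = cube_sum ^ c0."""
    c0, coeffs = offline_linear_superpoly(f, cube, fixed)
    return coeffs, cube_sum(f, cube, secret_key, fixed) ^ c0
```

On `toy_f` the cube over public bits 1, 2, 3 sums to 1 for every key (a distinguisher, since the only term divisible by x1 x2 x3 has no key part), the cube over bits 0, 1, 2 has superpoly k0 ^ k1 (one equation in the key from 8 chosen inputs), and the superpoly of the cube over bits 0, 1 changes with the value of the non-cube bit x2, which is the same dependence on the fixed bits that the article's "partial algebraic normal form" observation is about.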

Book ChapterDOI
TL;DR: In this article , the SPEEDY family of block ciphers was analyzed against differential cryptanalysis and showed how to optimize many of the steps of the key recovery procedure for this type of attacks.
Abstract: Differential attacks are among the most important families of cryptanalysis against symmetric primitives. Since their introduction in 1990, several improvements to the basic technique as well as many dedicated attacks against symmetric primitives have been proposed. Most of the proposed improvements concern the key-recovery part. However, when designing a new primitive, the security analysis regarding differential attacks is often limited to finding the best trails over a limited number of rounds with branch and bound techniques, and a poor heuristic is then applied to deduce the total number of rounds a differential attack could reach. In this work we analyze the security of the SPEEDY family of block ciphers against differential cryptanalysis and show how to optimize many of the steps of the key-recovery procedure for this type of attack. For this, we implemented a search for finding optimal trails for this cipher and their associated multiple probabilities under some constraints and applied non-trivial techniques to obtain optimal data and key-sieving. This permitted us to fully break SPEEDY-7-192, the 7-round variant of SPEEDY supposed to provide 192-bit security. Our work demonstrates, among other things, the need to better understand the subtleties of differential cryptanalysis in order to get meaningful estimates on the security offered by a cipher against these attacks.

Book ChapterDOI
01 Jan 2022
TL;DR: A PNB-focused differential attack on the reduced-round ChaCha is proposed by first comprehensively analyzing the PNB at all output differential bit positions and then searching for the input/output differential pair with the best differential bias based on the obtained PNB.

Book ChapterDOI
TL;DR: GIFT-64 is a 64-bit block cipher with a 128-bit key that is more lightweight than PRESENT; this paper provides a detailed analysis of GIFT-64 against differential and linear attacks, combining automatic characteristic search with manual analysis.
Abstract: GIFT-64 is a 64-bit block cipher with a 128-bit key that is more lightweight than PRESENT. This paper provides a detailed analysis of GIFT-64 against differential and linear attacks. Our work complements automatic search methods for the best differential and linear characteristics with a careful manual analysis. This hybrid approach leads to new insights. In the differential setting, we theoretically explain the existence of differential characteristics with two active S-boxes per round and derive some novel properties of these characteristics. Furthermore, we prove that all optimal differential characteristics of GIFT-64 covering more than seven rounds must activate two S-boxes per round. We can construct all optimal characteristics by hand. In parallel to the work in the differential setting, we conduct a similar analysis in the linear setting. However, unlike the clear view in differential setting, the optimal linear characteristics of GIFT-64 must have at least one round activating only one S-box. Moreover, with the assistance of automatic searching methods, we identify 24 GIFT-64 variants achieving better resistance against differential attack while maintaining a similar security level against a linear attack. Since the new variants strengthen GIFT-64 against statistical cryptanalysis, we claim that the number of rounds could be reduced from 28 to 26 for the variants. This observation enables us to create a cipher with lower energy consumption than GIFT-64. Similarly to the case in GIFT-64, we do not claim any related-key security for the round-reduced variant as this is not relevant for most applications.

Journal ArticleDOI
TL;DR: In this paper, the authors revisit the use of differential cryptanalysis on BORON in the single-key model using a SAT/SMT approach, looking for differentials that consist of multiple differential characteristics with the same input and output differences.
Abstract: BORON is a 64-bit lightweight block cipher based on the substitution–permutation network that supports an 80-bit (BORON-80) and 128-bit (BORON-128) secret key. In this paper, we revisit the use of differential cryptanalysis on BORON in the single-key model. Using a SAT/SMT approach, we look for differentials that consist of multiple differential characteristics with the same input and output differences. Each characteristic that conforms to a given differential improves its overall probability. We also implemented the same search using Matsui's algorithm for verification and performance comparison purposes. We identified high-probability differentials which were then used in key recovery attacks against BORON-80/128. We used 8-round differentials with a probability of $$2^{-58.16}$$ and $$2^{-62.42}$$ in key recovery attacks against 9 and 10 rounds of BORON-80 and BORON-128 with time/data/memory complexities of $$2^{59.18}$$/$$2^{59.16}$$/$$2^{24}$$ and $$2^{111.34}$$/$$2^{63.42}$$/$$2^{71}$$ respectively. Our key recovery framework provides a more accurate estimate of the attack complexity as compared to previous work. The attacks proposed in this paper are the best differential attacks against BORON-80/128 in the single-key model to date.

Journal ArticleDOI
TL;DR: A review of quantum cryptanalysis techniques for symmetric cryptography is presented in this paper; the design theory of the quantum cryptanalysis approach is explained and the improvements achievable over the classical techniques are presented.

Book ChapterDOI
TL;DR: In this paper , a re-factored version of symmetric-key cryptography built not around the block ciphers but rather the deck function was investigated, a keyed function with arbitrary input and output length and incrementality properties.
Abstract: Currently, a vast majority of symmetric-key cryptographic schemes are built as block cipher modes. The block cipher is designed to be hard to distinguish from a random permutation and this is supported by cryptanalysis, while (good) modes can be proven secure if a random permutation takes the place of the block cipher. As such, block ciphers form an abstraction level that marks the border between cryptanalysis and security proofs. In this paper, we investigate a re-factored version of symmetric-key cryptography built not around the block cipher but rather the deck function: a keyed function with arbitrary input and output length and incrementality properties. This allows for modes of use that are simpler to analyze and still very efficient thanks to the excellent performance of currently proposed deck functions. We focus on authenticated encryption (AE) modes with varying levels of robustness. Our modes have built-in support for sessions, but are also efficient without them. As a by-product, we define a new ideal model for AE dubbed the jammin cipher. Unlike the OAE2 security models, the jammin cipher is both an operational ideal scheme and a security reference, and addresses real-world use cases such as bi-directional communication and multi-key security.

Journal ArticleDOI
TL;DR: The first key recovery attack against 21-round WARP using differential cryptanalysis is presented in this article; the designers had given a lower bound on the number of active S-boxes but no differential characteristics matching those bounds, which the authors supply here via a MILP model.
Abstract: WARP is a 128-bit lightweight block cipher presented by S. Banik et al. at SAC 2020. It is based on 32-nibble type-2 Generalised Feistel Network (GFN) structure and uses a permutation over nibbles to optimize the security and efficiency. The designers provided a lower bound on the number of active S-boxes but they did not provide the differential characteristics against these bounds. In this paper, we model the MILP problem for WARP and present the 18-round and 19-round differential characteristics with the probability of $$2^{-122}$$ and $$2^{-132}$$ respectively. We also present a key recovery attack on 21 rounds with the data complexity of $$2^{113}$$ chosen plaintexts. To the best of our knowledge, this is the first key recovery attack against 21-round WARP using differential cryptanalysis.

Journal ArticleDOI
TL;DR: The investigation shows that 12 rounds are the minimum threshold for a 64-bit BOGI-based cipher to prevent efficient trails for DC/LC, whereas GIFT-64 requires 14 rounds, and it is shown that GIFT can provide better resistance by only replacing the existing bit permutation.
Abstract: In this study, we accelerate Matsui's search algorithm to search for the best differential and linear trails of AES-like ciphers. Our acceleration points are twofold. The first exploits the structure and branch number of an AES-like round function to apply strict pruning conditions to Matsui's search algorithm. The second employs permutation characteristics in trail search to reduce the inputs that need to be analyzed. We demonstrate the optimization of the search algorithm by obtaining the best differential and linear trails of existing block ciphers: AES, LED, MIDORI-64, CRAFT, SKINNY, PRESENT, and GIFT. In particular, our search program finds the full-round best differential and linear trails of GIFT-64 (in approx. 1 s and 10 s) and GIFT-128 (in approx. 89 h and 452 h), respectively. For a more in-depth application, we leverage the acceleration to investigate the optimal DC/LC resistance that GIFT-variants, called BOGI-based ciphers, can achieve. To this end, we identify all the BOGI-based ciphers and reduce them into 41,472 representatives. Deriving 16-, 32-, 64-, and 128-bit BOGI-based ciphers from the representatives, we obtain their best trails until 15, 15, 13, and 11 rounds, respectively. The investigation shows that 12 rounds are the minimum threshold for a 64-bit BOGI-based cipher to prevent efficient trails for DC/LC, whereas GIFT-64 requires 14 rounds. Moreover, it is shown that GIFT can provide better resistance by only replacing the existing bit permutation. Specifically, the bit permutation variants of GIFT-64 and GIFT-128 require fewer rounds, one and two respectively, to prevent efficient differential and linear trails.


Journal ArticleDOI
TL;DR: An improved variant of ANU-II is provided, which has much better resistance to differential cryptanalysis without affecting the hardware and/or software implementation cost.
Abstract: Lightweight ciphers are often used as the underlying encryption algorithm in resource-constrained devices. Their cryptographic security is a mandatory goal for ensuring the security of data transmission. Differential cryptanalysis is one of the most fundamental methods applicable primarily to block ciphers, and the resistance against this type of cryptanalysis is a necessary design criterion. ANU-II is an ultra-lightweight block cipher proposed in 2017, whose design offers many advantages such as the use of fewer hardware resources (logic gates), low power consumption and fast encryption for Internet of Things devices. The designers of ANU-II claimed its resistance against differential cryptanalysis and postulated that the design is safe enough for Internet of Things devices. However, as addressed in this article, the security claims made by the designers appear not to be well grounded. Using mixed-integer linear programming–like techniques, we identify a one-round differential characteristic that holds with probability 1, which is then efficiently employed in mounting the key recovery attack on full-round ANU-II with only 22 chosen plaintexts and $$2^{62.4}$$ full-round encryptions. The result shows that the designers’ security evaluation of ANU-II against differential cryptanalysis is incorrect and the design rationale is flawed. To remedy this weakness, we provide an improved variant of ANU-II, which has much better resistance to differential cryptanalysis without affecting the hardware and/or software implementation cost.

Journal ArticleDOI
TL;DR: In this paper, a new method was introduced to search for S-boxes satisfying all the above criteria simultaneously by transforming the process of searching for S-boxes under certain constraints on cryptographic properties into a satisfiability (SAT) problem.
Abstract: The substitution box (S-box) is an important nonlinear component in most symmetric cryptosystems and thus should have good properties. Its difference distribution table (DDT) and linear approximation table (LAT) affect the security of the cipher against differential and linear cryptanalysis. In most previous work, differential uniformity and linearity of an S-box are the two primary cryptographic properties that impact the resistance against differential and linear attacks. In some cases, the branch number and fixed points are also considered. However, other important cryptographic properties such as the frequency of differential uniformity (resp. linearity) and the number of Bad Input and Bad Output (BIBO) patterns in the DDT (resp. LAT) are often ignored. These properties substantially affect lightweight cryptography based on substitution bit permutation networks (SbPN) such as PRESENT, GIFT and RECTANGLE. This paper introduces a new method to search for S-boxes satisfying all the above criteria simultaneously. In our strategy, we transform the process of searching for S-boxes under certain constraints on cryptographic properties into a satisfiability (SAT) problem. As applications, we use our new approach to search for 4-bit and 5-bit S-boxes with the same or better cryptographic properties compared with the S-boxes from well-known ciphers. Finally, we also utilize our method to verify a conjecture proposed by Boura et al. in the case of all 3-bit and 4-bit S-boxes. We propose a proposition and two corollaries to reduce the search space in this verification.


Journal ArticleDOI
TL;DR: In this article , an optimized GPU-based branch-and-bound framework for differential search was proposed, which can achieve up to 90x speedup while saving up to 47% of the running cost as compared to a single CPU core.
Abstract: Block ciphers are prevalent in various security protocols used daily such as TLS, OpenPGP, and SSH. Their primary purpose is the protection of user data, both in transit and at rest. One of the de facto methods to evaluate block cipher security is differential cryptanalysis. Differential cryptanalysis observes the propagation of input patterns (input differences) through the cipher to produce output patterns (output differences). This probabilistic propagation is known as a differential; the identification of which is a measure of a block cipher’s security margins. This paper introduces an optimized GPU-based branch-and-bound framework for differential search. We optimize search efficiency by parallelizing all branch-and-bound operations, completing the entire search on the GPU without communicating with the CPU. The meet-in-the-middle (MITM) approach is also adopted for further performance gains. We analyze the financial and computational costs of the proposed framework using Google Cloud VM to showcase its practicality. When optimized for performance, we can attain up to 90x speedup while saving up to 47% of the running cost as compared to a single CPU core. When optimized for cost, the proposed framework can save up to 83% of financial costs while retaining a speedup of up to 40x. As a proof of concept, the proposed framework was then applied on 128-bit TRIFLE-BC, 64-bit PRESENT, and 64-bit GIFT. Notably, we identified the best differentials for PRESENT (16 rounds) and 64-bit GIFT (13 rounds) to date, with estimated probabilities of $$2^{-61.7964}$$ and $$2^{-60.66}$$ respectively. Although the differential results for TRIFLE-BC were incremental, the proposed framework was able to construct differentials for 43 rounds that consisted of approximately 5.8x more individual trails than previous work, making it one of the most efficient approaches for larger block ciphers.

Journal ArticleDOI
TL;DR: In this paper , the authors present several improvements to the framework of differential linear attacks with a special focus on ARX ciphers and apply them to Chaskey and ChaCha.
Abstract: We present several improvements to the framework of differential-linear attacks with a special focus on ARX ciphers. As a demonstration of their impact, we apply them to Chaskey and ChaCha and we are able to significantly improve upon the best attacks published so far.

Book ChapterDOI
TL;DR: Differential Fault Analysis (DFA) is a well-known cryptanalytic method that has been successfully applied to many block ciphers based on Substitution Permutation Network (SPN), as discussed by the authors.
Abstract: Differential Fault Analysis (DFA) is a well-known cryptanalytic method that has been successfully applied to many block ciphers based on Substitution Permutation Network (SPN). In this work we seek the answer: how exactly does DFA work, and how can we possibly build a cipher-level protection against it? Our study shows that S-boxes play a crucial role for DFA to succeed. Interestingly, S-boxes that are better against DFA are proved to be worse against differential cryptanalysis, and vice versa.

Journal ArticleDOI
TL;DR: In this article, a practical distinguishing attack on the IoT-friendly lightweight cipher ALLPC is presented, where it is found that there exists a fixed point in the differential of ALLPC's S-box; a differential trail with a period of 14 rounds is then proposed.
Abstract: The issue of security and privacy plays an important role in the Internet of Things (IoT) and directly affects its wide applications. In order to meet the security requirements in the IoT environment, a series of lightweight encryption schemes have been proposed. Meanwhile, cryptanalysis against these schemes is critical to the security of IoT. In this paper, a practical distinguishing attack on an IoT-friendly lightweight cipher ALLPC is presented. Specifically, it is found that there exists a fixed point in the differential of ALLPC's S-box; a differential trail with a period of 14 rounds is then proposed. By connecting the periodic differential trail, a differential trail is constructed for the full-round ALLPC with a probability of $$2^{-24}$$. Applying such a property, one can distinguish the full-round ALLPC block cipher from a random permutation in about 10 min on a laptop.