
Showing papers on "Round function published in 2018"


Proceedings ArticleDOI
14 Aug 2018
TL;DR: This work proposes a generic and efficient algorithm to recover affine encodings, for any Substitution-Permutation-Network (SPN) cipher, such as AES, and any form of affine encoding, and provides an implementation of the attack.
Abstract: Ever since the first candidate white-box implementations by Chow et al. in 2002, producing a secure white-box implementation of AES has remained an enduring challenge. Following the footsteps of the original proposal by Chow et al., other constructions were later built around the same framework. In this framework, the round function of the cipher is “encoded” by composing it with non-linear and affine layers known as encodings. However, all such attempts were broken by a series of increasingly efficient attacks that are able to peel off these encodings, eventually uncovering the underlying round function, and with it the secret key. These attacks, however, were generally ad-hoc and did not enjoy a wide applicability. As our main contribution, we propose a generic and efficient algorithm to recover affine encodings, for any Substitution-Permutation-Network (SPN) cipher, such as AES, and any form of affine encoding. For AES parameters, namely 128-bit blocks split into 16 parallel 8-bit S-boxes, affine encodings are recovered with a time complexity estimated at \(2^{32}\) basic operations, independently of how the encodings are built. This algorithm is directly applicable to a large class of schemes. We illustrate this on a recent proposal due to Baek, Cheon and Hong, which was not previously analyzed. While Baek et al. evaluate the security of their scheme to 110 bits, a direct application of our generic algorithm is able to break the scheme with an estimated time complexity of only \(2^{35}\) basic operations. As a second contribution, we show a different approach to cryptanalyzing the Baek et al. scheme, which reduces the analysis to a standalone combinatorial problem, ultimately achieving key recovery in time complexity \(2^{31}\). We also provide an implementation of the attack, which is able to recover the secret key in about 12 seconds on a standard desktop computer.

15 citations


DOI
01 Mar 2018
TL;DR: Several attacks against Kravatte, an instantiation of the Farfalle construction of a pseudorandom function (PRF) with variable input and output length, are developed, based on three different attack strategies that bypass part of the construction and target a reduced number of permutation rounds.
Abstract: This paper presents a cryptanalysis of full Kravatte, an instantiation of the Farfalle construction of a pseudorandom function (PRF) with variable input and output length. This new construction, proposed by Bertoni et al., introduces an efficiently parallelizable and extremely versatile building block for the design of symmetric mechanisms, e.g. message authentication codes or stream ciphers. It relies on a set of permutations and on so-called rolling functions: it can be split into a compression layer followed by a two-step expansion layer. The key is expanded and used to mask the inputs and outputs of the construction. Kravatte instantiates Farfalle using linear rolling functions and permutations obtained by iterating the Keccak round function. We develop in this paper several attacks against this PRF, based on three different attack strategies that bypass part of the construction and target a reduced number of permutation rounds. A higher order differential distinguisher exploits the possibility to build an affine space of values in the cipher state after the compression layer. An algebraic meet-in-the-middle attack can be mounted on the second step of the expansion layer. Finally, due to the linearity of the rolling function and the low algebraic degree of the Keccak round function, a linear recurrence distinguisher can be found on intermediate states of the second step of the expansion layer. All the attacks rely on the ability to invert a small number of the final rounds of the construction. In particular, the last two rounds of the construction together with the final masking by the key can be algebraically inverted, which allows to recover the key. The complexities of the devised attacks, applied to the Kravatte specifications published on the IACR ePrint in July 2017, or the strengthened version of Kravatte recently presented at ECC 2017, are far below the security claimed.

11 citations


Posted Content
TL;DR: Recently, Boneh et al. as mentioned in this paper constructed the first practical data-independent memory hard function (iMHF) with a strong sustained space-complexity guarantee and showed that the construction is asymptotically optimal under every MHF criteria.
Abstract: Memory-hard functions (MHFs) are a key cryptographic primitive underlying the design of moderately expensive password hashing algorithms and egalitarian proofs of work. Over the past few years several increasingly stringent goals for an MHF have been proposed including the requirement that the MHF have high sequential space-time (ST) complexity, parallel space-time complexity, amortized area-time (aAT) complexity and sustained space complexity. Data-Independent Memory Hard Functions (iMHFs) are of special interest in the context of password hashing as they naturally resist side-channel attacks. iMHFs can be specified using a directed acyclic graph (DAG) G with \(N=2^n\) nodes and low indegree and the complexity of the iMHF can be analyzed using a pebbling game. Recently, Alwen et al. [ABH17] constructed a DAG called DRSample that has aAT complexity at least \(\varOmega \!\left( N^2/{\text {log}} N\right) \). Asymptotically DRSample outperformed all prior iMHF constructions including Argon2i, winner of the password hashing competition (aAT cost \({\mathcal {O}} \!\left( N^{1.767}\right) \)), though the constants in these bounds are poorly understood. We show that the greedy pebbling strategy of Boneh et al. [BCS16] is particularly effective against DRSample e.g., the aAT cost is \({\mathcal {O}} (N^2/{\text {log}} N)\). In fact, our empirical analysis reverses the prior conclusion of Alwen et al. that DRSample provides stronger resistance to known pebbling attacks for practical values of \(N \le 2^{24}\). We construct a new iMHF candidate (DRSample+BRG) by using the bit-reversal graph to extend DRSample. We then prove that the construction is asymptotically optimal under every MHF criteria, and we empirically demonstrate that our iMHF provides the best resistance to known pebbling attacks. 
For example, we show that any parallel pebbling attack either has aAT cost \(\omega (N^2)\) or requires at least \(\varOmega (N)\) steps with \(\varOmega (N/{\text {log}} N)\) pebbles on the DAG. This makes our construction the first practical iMHF with a strong sustained space-complexity guarantee and immediately implies that any parallel pebbling has aAT complexity \(\varOmega (N^2/{\text {log}} N)\). We also prove that any sequential pebbling (including the greedy pebbling attack) has aAT cost \(\varOmega \!\left( N^2\right) \) and, if a plausible conjecture holds, any parallel pebbling has aAT cost \(\varOmega (N^2 \log \log N/{\text {log}} N)\)—the best possible bound for an iMHF. We implement our new iMHF and demonstrate that it is just as fast as Argon2. Along the way we propose a simple modification to the Argon2 round function that increases an attacker’s aAT cost by nearly an order of magnitude without increasing running time on a CPU. Finally, we give a pebbling reduction that proves that in the parallel random oracle model (PROM) the cost of evaluating an iMHF like Argon2i or DRSample+BRG is given by the pebbling cost of the underlying DAG. Prior pebbling reductions assumed that the iMHF round function concatenates input labels before hashing and did not apply to practical iMHFs such as Argon2i, DRSample or DRSample+BRG where input labels are instead XORed together.

11 citations


Journal ArticleDOI
TL;DR: This paper proposes compact hardware implementations of the 64-bit NESSIE-proposed MISTY1 block cipher for area-constrained and low-power ASIC applications, with a focus on efficient logic implementations of the S9 and S7 substitution functions using common sub-expression elimination (CSE) and a parallel AND/XOR gate hierarchy.
Abstract: This paper proposes compact hardware implementations of the 64-bit NESSIE-proposed MISTY1 block cipher for area-constrained and low-power ASIC applications. The architectures comprise only one round of the MISTY1 block cipher algorithm, with an optimized FO/FI function obtained by re-using the S9/S7 substitution functions. A focus is also made on efficient logic implementations of the S9 and S7 substitution functions using common sub-expression elimination (CSE) and a parallel AND/XOR gate hierarchy. The proposed architecture 1 generates the extended key with an independent FI function and is suitable for an 8-round MISTY1 implementation. The proposed architecture 2, on the other hand, uses a single FO/FI function for both the MISTY1 round function and extended key generation and can be employed for MISTY1 with n>8 rounds. To analyze the performance and covered area for ASICs, Synopsys Design Compiler with SMIC 0.18μm @ 1.8V is used. The hardware constituted 3041 and 2331 NAND gates, achieving throughput of 171 and 166 Mbps for 8 rounds implementat...

6 citations


Book ChapterDOI
02 Jul 2018
TL;DR: This work focuses on FN with two branches, entirely unknown round functions, modular additions (or other group operations), and when the domain size of a branch is small, and investigates round-function-recovery attacks.
Abstract: Feistel Networks (FN) are now being used massively to encrypt credit card numbers through format-preserving encryption. In our work, we focus on FN with two branches, entirely unknown round functions, modular additions (or other group operations), and a small domain size of a branch. We investigate round-function-recovery attacks.

6 citations


Book ChapterDOI
02 Jul 2018
TL;DR: This paper presents related-key attacks against the lightweight block cipher ANU, which requires only 1015 gate equivalents for a 128-bit key, less than all existing lightweight ciphers.
Abstract: This paper presents related-key attacks against the lightweight block cipher ANU, which requires only 1015 gate equivalents for a 128-bit key, less than all existing lightweight ciphers. The design of ANU appears to be a mixture of other decent lightweight ciphers such as Simon, PRESENT, Piccolo, TWINE etc.; however, the security arguments, especially against related-key attacks, are not theoretically supported. In this paper, we observe that the mixture of a Simon-like round function and a PRESENT-like key schedule function causes a very sparse differential trail that avoids the non-linear update in the key schedule function. By exploiting it, a distinguishing attack against full-round ANU works with only \(2^{19}\) queries in the related-key setting; the attack is verified by our machine experiment. This also leads to a key recovery attack for a 128-bit key with \(2^{112}\) computations.

6 citations


Proceedings ArticleDOI
01 May 2018
TL;DR: Three approaches to search for one-round differential characteristics with high probability for post quantum lightweight block cipher Cypress-256 by selecting appropriate input differences to the round function based on the properties of modulo addition operation are presented.
Abstract: This paper presents three approaches to searching for one-round differential characteristics with high probability for the post-quantum lightweight block cipher Cypress-256. The presented methods include the selection of appropriate input differences to the round function based on the properties of the modular addition operation. The proposed optimized method made it possible to find differential characteristics for the round function of Cypress-256 with probability 1/4.

5 citations


Patent
26 Jun 2018
TL;DR: In this article, the authors proposed a lightweight cryptographic algorithm HBcipher implementation method and device, where a round function used in the encryption or decryption process is an F function adopting three groups of SPN structures, and a novel P2 substitution mode is proposed in the round function.
Abstract: The invention provides a lightweight cryptographic algorithm HBcipher implementation method and device. In the method, the round function used in the encryption or decryption process is an F function adopting three groups of SPN structures, and a novel P2 substitution mode is proposed in the round function. By selecting a round constant count as the round operation control signal, two different operation modes are designed according to the parity of count. When the algorithm is implemented in hardware with Xilinx ISE Design Suite 13.2, the throughput rate of HBcipher-64 is 511.38 Mbps and the throughput rate of HBcipher-128 is 716.6848 Mbps; compared with current lightweight cryptographic algorithms, the algorithm has high encryption efficiency.

4 citations


Book ChapterDOI
15 Aug 2018
TL;DR: This paper presents integral attacks against Bel-T-256 using the propagation of the bit-based division property, the first published theoretical attacks against the cipher in the single-key model.
Abstract: Bel-T is the national block cipher encryption standard of the Republic of Belarus. It has a 128-bit block size and a variable key length of 128, 192 or 256 bits. Bel-T combines a Feistel network with a Lai-Massey scheme to build a complex round function with 7 S-box layers per round, and iterates this round function 8 times to construct the whole cipher. In this paper, we present integral attacks against Bel-T-256 using the propagation of the bit-based division property. Firstly, we propose two 2-round integral characteristics by employing a Mixed Integer Linear Programming (MILP) approach to propagate the division property through the round function (our open source code to generate the MILP model can be downloaded from https://github.com/mhgharieb/Bel-T-256). Then, we utilize these integral characteristics to attack 3\(\frac{2}{7}\) rounds (out of 8) of Bel-T-256 with data and time complexities of \(2^{13}\) chosen plaintexts and \(2^{199.33}\) encryption operations, respectively. We also present an attack against 3\(\frac{6}{7}\) rounds with data and time complexities of \(2^{33}\) chosen plaintexts and \(2^{254.61}\) encryption operations, respectively. To the best of our knowledge, these attacks are the first published theoretical attacks against the cipher in the single-key model.

3 citations


Journal ArticleDOI
TL;DR: The authors give a general method, which they can use to extend some rounds (non-linear) before the distinguisher to attack more rounds with data complexity smaller than the whole space and little extra time consumption.
Abstract: The integral attack exploits the balanced property of the output of the distinguisher. Usually, adversaries append some rounds after the distinguisher, guess the corresponding key bits and check whether the target bits are balanced. Few works add rounds before the distinguisher to mount the key recovery attack. In the first full-round attack on MISTY1, Todo adds one FL layer (a key-dependent linear function) before the distinguisher. In this study, the authors extend his method and give a general method which can be used to add some (non-linear) rounds before the distinguisher, attacking more rounds with data complexity smaller than the whole space and little extra time consumption. The basic idea is that, for different subkeys guessed in the forward rounds, they set different constant values for the input of the distinguisher, so that the selected data space is not the full space. For substitution permutation network (SPN) structures (and Feistel structures with an SPN round function) with 4-bit S-boxes and bit permutations, they estimate the data complexity when adding one round before the distinguishers for all 4-bit S-boxes. Using the method, they improve the integral attacks on PRESENT, RECTANGLE, TWINE and LBlock, and their results cover one more round.

2 citations


Journal ArticleDOI
TL;DR: This paper studies attacks on schemes based on classical Feistel schemes where at least one random affine permutation is introduced as a round function in the design of the scheme, and shows that these schemes are stronger than classical Feistel schemes.
Abstract: A usual way to construct block ciphers is to apply several rounds of a given structure. Many kinds of attacks are mounted against block ciphers. Among them, differential and linear attacks are widely used. Vaudenay showed that ciphers achieving perfect pairwise decorrelation are secure against linear and differential attacks. It is possible to obtain such schemes by introducing at least one random affine permutation as a round function in the design of the scheme. In this paper, we study attacks on schemes based on classical Feistel schemes where we introduce one or two affine permutations. Since these schemes resist against linear and differential attacks, we will study attacks based on specific equations on 4-tuples of plaintext/ciphertext messages. We show that these schemes are stronger than classical Feistel schemes.

Journal ArticleDOI
TL;DR: This paper presents a preimage attack on the Davies-Meyer hashing mode instantiating 13-round LBlock, of which the time complexity is less than the ideal complexity O(\(2^{64}\)) and the memory complexity is about \(2^{12}\) 32-bit words.
Abstract: In this paper, we present preimage attacks on several hashing modes instantiating reduced-round LBlock. It is observed that the omission of the network twist in the last round and the diffusion of the permutation in the round function are the key points for our successful attack. First, to guarantee the validity of our attack, we prove one proposition on the round function. Then, utilizing the property of LBlock and several meet-in-the-middle techniques, we present a preimage attack on the Davies-Meyer hashing mode instantiating 13-round LBlock, of which the time complexity is about O(\(2^{55.4}\)) 13-round compression function computations, less than the ideal complexity O(\(2^{64}\)), and the memory complexity is about \(2^{12}\) 32-bit words. Furthermore, we extend our results to the Matyas-Meyer-Oseas mode and MP mode with some changes. Finally, we convert the preimage attack into a preimage attack or second preimage attack on the corresponding hash functions with Merkle-Damgård structure.

Patent
05 Jun 2018
TL;DR: In this article, a lightweight block cipher SCS is proposed, where the key is divided into a round key and a control key: the round key participates in the round key addition operation, the control key controls the generation of each round's S-box to obtain a random S-box, the update of the control key and the round key depends on the operation result of the previous round, the S-box used in each round is random, and the operation result of each round is also random, so that the degree of confusion can be increased, and after the end of the round function iteration
Abstract: The invention discloses a method and apparatus for implementing a lightweight block cipher SCS. The key is divided into a round key and a control key: the round key participates in the round key addition operation, the control key controls the generation of each round's S-box to obtain a random S-box, and the update of the control key and the round key depends on the operation result of the previous round. The S-box used in each round is random and the operation result of each round is also random, so that the degree of confusion can be increased. In the round function, a highly pseudo-random P permutation is generated by the Mason rotation algorithm in each round to achieve diffusion, and after the end of the round function iteration, a row shift and a column confusion transform are executed, so that the diffusion effect is enhanced by this dual diffusion mode and the security is improved. Given that the difference in resource consumption between fixed cipher structures is not large, the internal structure of the device has the advantage of greatly improving the security of the scheme and increasing, to a certain extent, the resistance against linear attacks, differential attacks and the like.

Posted Content
TL;DR: This work proposes a lightweight round function called Thin Sponge, which achieves all functionalities in a single round function and hence can be realized by the same hardware and is also efficient in software.
Abstract: Handling message streams is required by many symmetric cryptographic functionalities (MAC, AE, HASH); to deal with them, we propose a lightweight round function called Thin Sponge. We give a framework to construct all these functionalities (MAC, AE, and HASH) using the same Thin Sponge round function. Besides the common security assumptions behind traditional symmetric algorithms, the security of our schemes depends on the hardness of finding collisions of some states. We give a class of constructions of Thin Sponge, which improves on the round functions of Trivium and ACORN. We give simple criteria for determining parameters. According to these criteria, we give an example which achieves all functionalities in a single round function and hence can be realized by the same hardware. Our algorithm is also efficient in software.

Proceedings ArticleDOI
01 Oct 2018
TL;DR: The result of this research is that the block cipher-based hash function with the PGV-5 scheme using the SIMECK algorithm is not resistant against the five important attacks, where the probability of obtaining a collision is 0.00000000139 in the three random IV samples used.
Abstract: A block cipher-based hash function is a hash function constructed by applying a block cipher algorithm in a scheme to form a hash algorithm, so the strength of the block cipher-based hash function depends on the strength of the block cipher algorithm used. In this research, a fixed-point attack is carried out to determine whether the PGV-5 hash function scheme instantiated with the SIMECK lightweight block cipher conforms to the characteristics of the five important attacks. SIMECK is a new lightweight block cipher design based on the combination of the SIMON and SPECK block ciphers. While the design allows a smaller and more efficient hardware implementation, its security margins are not well understood. The five important attacks are applied to generate all possible 2^32 plaintexts with 3 random IVs. The result of this research is that the block cipher-based hash function with the PGV-5 scheme using the SIMECK algorithm is not resistant against the five important attacks, where the probability of obtaining a collision is 0.00000000139 in the three random IV samples used.

Book ChapterDOI
17 Aug 2018
TL;DR: This work studied and implemented the masking ITUbee algorithm to resist power analysis attack, and optimized S-box, round function and round constant addition.
Abstract: ITUbee is a lightweight encryption algorithm proposed at the second International Symposium on Lightweight Cryptography for Security and Privacy in 2013. It is based on the Feistel network. We optimized the S-box, the round function and the round constant addition. The optimized round constant is a variable converted from the corresponding round number i, so there is no need to allocate area resources for it. The experimental results show that the throughput of the optimized ITUbee algorithm reaches 364.695 Mb/s, and the area is reduced to 10650 Slices. We studied and implemented a masked ITUbee algorithm to resist power analysis attacks, and compared the implemented performance. The area of the masked ITUbee is increased by about 4%. The clock frequency is raised from 100.291 MHz to 102.396 MHz, and the throughput is increased from 364.695 Mb/s to 372.349 Mb/s.