scispace - formally typeset

Showing papers on "Round function published in 2020"


Book ChapterDOI
24 Feb 2020
TL;DR: This work proposes a new table-based block cipher structure, dubbed FPL, that can be used to build white-box secure block ciphers, and identifies the properties of the probe function that make the resulting block cipher white-box secure in terms of weak and strong space hardness against known-space and non-adaptive chosen-space attacks.
Abstract: In this work, we propose a new table-based block cipher structure, dubbed \( \mathsf {FPL} \), that can be used to build white-box secure block ciphers. Our construction is a balanced Feistel cipher, where the input to each round function determines multiple indices for the underlying table via a probe function, and the sum of the values from the table becomes the output of the round function. We identify the properties of the probe function that make the resulting block cipher white-box secure in terms of weak and strong space hardness against known-space and non-adaptive chosen-space attacks. Our construction, enjoying rigorous provable security without relying on any ideal primitive, provides flexibility to the block size and the table size, and permits parallel table look-ups.

19 citations


Book ChapterDOI
01 Jan 2020
TL;DR: This paper presents µ2, a 64-bit lightweight block cipher with an 80-bit key, designed on well-established design paradigms and achieving comparable performance and security when compared against existing state-of-the-art lightweight block ciphers.
Abstract: This paper presents a 64-bit lightweight block cipher, µ2, with an 80-bit key. µ2 is designed based on well-established design paradigms, achieving comparable performance and security when compared against existing state-of-the-art lightweight block ciphers. µ2 is based on the Type-II generalized Feistel structure with a round function, F, that is a 16-bit ultra-lightweight block cipher based on the substitution-permutation network. Security evaluation indicates that µ2 offers a large security margin against known attacks such as differential cryptanalysis, linear cryptanalysis, algebraic attacks and others.

18 citations


Book ChapterDOI
15 Apr 2020
TL;DR: This work derives a method for constructing quantum distinguishers for GFNs (Generalized Feistel-like schemes with invertible inner functions and XORs), where for simplicity 4 branches are considered, and is able to construct a 5-round quantum distinguisher for Type-3 GFNs using only a quantum encryption oracle.
Abstract: In this work, we derive a method for constructing quantum distinguishers for GFNs (Generalized Feistel-like schemes with invertible inner functions and XORs), where for simplicity 4 branches are considered. The construction technique is demonstrated on Type-3 GFN, where some other cyclically inequivalent GFNs are considered as examples. Introducing the property of separability, we observe that finding a suitable partition of input blocks implies that some branches can be represented as a sum of functions with almost disjoint variables, which simplifies the application of Simon’s algorithm. However, a higher number of rounds in most cases yields branches which do not satisfy the previous property, and in order to derive a quantum distinguisher for these branches, we employ Simon’s and Grover’s algorithms in combination with a suitable system of equations given in terms of input blocks and inner functions involved in the round function. As a result, we are able to construct a 5-round quantum distinguisher for Type-3 GFNs using only a quantum encryption oracle with query complexity \(2^{N/4}\cdot \mathcal {O}(N/4)\), where N is the size of the input block.

11 citations


Book ChapterDOI
13 Dec 2020
TL;DR: In this paper, several quantum chosen-plaintext attacks (qCPAs) on contracting Feistel structures are shown, and a polynomial-time qCPA distinguisher is proposed on the d-branch \((2d-1)\)-round contracting Feistel structure, which solves an open problem by Dong et al.
Abstract: In this paper we show several quantum chosen-plaintext attacks (qCPAs) on contracting Feistel structures. In the classical setting, a d-branch r-round contracting Feistel structure can be shown to be PRP-secure when d is even and \(r \ge 2d-1\), meaning it is secure against polynomial-time chosen-plaintext attacks. We propose a polynomial-time qCPA distinguisher on the d-branch \((2d-1)\)-round contracting Feistel structure, which solves an open problem by Dong et al. In addition, we show a polynomial-time qCPA that recovers the keys of the d-branch r-round contracting Feistel structure when each round function \(F^{(i)}_{k_i}\) has the form \(F^{(i)}_{k_i}(x) = F_i(x \oplus k_i)\) for a public random function \(F_i\). This is applicable to the Chinese block cipher standard SM4, which is a special case where \(d=4\). Finally, in addition to quantum attacks under the single-key setting, we also show related-key quantum attacks on balanced Feistel structures in the model where adversaries can only control part of the key difference in quantum superposition. Our related-key attacks on balanced Feistel structures can easily be extended to ones on contracting Feistel structures.

10 citations


Posted Content
TL;DR: Pholkos is no novel round-function design, but utilizes the AES round function, following design ideas of Haraka and AESQ to profit from earlier analysis results, to build a family of primitives with state and key sizes of 256 and 512 bits for flexible applications, providing high security at high performance.
Abstract: With the dawn of quantum computers, higher security than 128 bits has become desirable for primitives and modes. During the past decade, highly secure hash functions, MACs, and encryption schemes have been built primarily on top of keyless permutations, which simplified their analyses and implementation due to the absence of a key schedule. However, the security of these modes is most often limited to the birthday bound of the state size, and their analysis may require a different security model than the easier-to-handle secret-permutation setting. Yet, larger state and key sizes are desirable not only for permutations but also for other primitives such as block ciphers. Using the additional public input of tweakable block ciphers for domain separation allows for exceptionally high security or performance as recently proposed modes have shown. Therefore, it appears natural to ask for such designs. While security is fundamental for cryptographic primitives, performance is of similar relevance. Since 2009, processor-integrated instructions have allowed high throughput for the AES round function, which already motivated various constructions based on it. Moreover, the four-fold vectorization of the AES instruction sets in Intel’s Ice Lake architecture is yet another leap in terms of performance and gives rise to exploit the AES round function for even more efficient designs. This work tries to combine all aspects above into a primitive and to build upon years of existing analysis on its components. We propose Pholkos, a family of (1) highly efficient, (2) highly secure, and (3) tweakable block ciphers. Pholkos is no novel round-function design, but utilizes the AES round function, following design ideas of Haraka and AESQ to profit from earlier analysis results. It extends them to build a family of primitives with state and key sizes of 256 and 512 bits for flexible applications, providing high security at high performance. Moreover, we propose its usage with a 128-bit tweak to instantiate high-security encryption and authentication schemes such as SCT, ΘCB3, or ZAE. We study its resistance against the common attack vectors, including differential, linear, and integral distinguishers using a MILP-based approach and show an isomorphism from the AES to Pholkos512 for bounding impossible-differential, or exchange distinguishers from the AES. Our proposals encrypt at around 1–2 cycles per byte on Skylake processors, while supporting a much more general application range and considerably higher security guarantees than comparable primitives and modes such as PAEQ/AESQ, AEGIS, Tiaoxin346, or Simpira.

8 citations


Journal ArticleDOI
TL;DR: This paper applies the Rotational-XOR-difference (RXD) approach to a non-ARX cipher Simon and evaluates its security, and establishes related-key rectangle distinguishers for round-reduced versions of Simon.
Abstract: Recently, Ashur and Liu introduced the Rotational-XOR-difference approach, a modification of rotational cryptanalysis, for the ARX cipher Speck (Ashur and Liu, 2016). In this paper, we apply the Rotational-XOR-difference (RXD) approach to the non-ARX cipher Simon and evaluate its security. First, we study how to calculate the probability of an RXD for the bitwise AND operation that the round function of Simon is based on, unlike Speck, which is based on modular addition. Next, we prove that two RXD trails can be connected such that it becomes possible to construct a boomerang/rectangle distinguisher similar to the case using differential characteristics. Finally, we construct related-key rectangle distinguishers for round-reduced versions of Simon with block lengths of 32, 48, and 64, and we suggest a five- or six-round key recovery attack. To our knowledge, this is the first attempt to apply the notion of rotational cryptanalysis to a non-ARX cipher. Although our attack does not show the best results for Simon thus far, the attempt here to define and apply a new cryptanalytic characteristic is meaningful, and we expect further improvements and applications to other ciphers to be made in subsequent studies.

5 citations


Book ChapterDOI
19 Oct 2020
TL;DR: This paper focuses on how to build a secure tweakable block cipher from the Key-Alternating Feistel (KAF) structure, a dedicated Feistel structure with round functions of the form \(F_i(k_i\oplus x_i)\), where \(k_i\) is the secret round key and \(F_i\) is a public random function in the i-th round.
Abstract: Tweakable block cipher as a cryptographic primitive has found wide applications in disk encryption, authenticated encryption mode and message authentication code, etc. One popular approach of designing tweakable block ciphers is to tweak the generic constructions of classic block ciphers. This paper focuses on how to build a secure tweakable block cipher from the Key-Alternating Feistel (KAF) structure, a dedicated Feistel structure with round functions of the form \(F_i(k_i\oplus x_i)\), where \(k_i\) is the secret round key and \(F_i\) is a public random function in the i-th round. We start from the simplest KAF structures that have been published so far, and then incorporate the tweaks to the round key XOR operations by (almost) universal hash functions. Moreover, we limit the number of rounds with the tweak injections for the efficiency concerns of changing the tweak value. Our results are two-fold, depending on the provable security bound: For the birthday-bound security, we present a 4-round minimal construction with two independent round keys, a single round function and two universal hash functions; For the beyond-birthday-bound security, we present a 10-round construction secure up to \(O(\min \{ 2^{2n/3}, \sqrt[4]{2^{2n}\epsilon ^{-1}} \})\) adversarial queries, where n is the output size of the round function and \(\epsilon \) is the upper bound of the collision probability of the universal hash functions. Our security proofs exploit the hybrid argument combined with the H-coefficient technique.

4 citations



Book ChapterDOI
20 Jul 2020
TL;DR: This paper analyzes the internal keyed permutation of FlexAEAD, a round-1 candidate of the NIST LightWeight Cryptography Competition, and reports an iterated truncated differential leveraging on a particular property of the AES S-box that becomes useful due to the particular nature of the diffusion layer of the round function.
Abstract: This paper analyzes the internal keyed permutation of FlexAEAD which is a round-1 candidate of the NIST LightWeight Cryptography Competition. In our analysis, we report an iterated truncated differential leveraging on a particular property of the AES S-box that becomes useful due to the particular nature of the diffusion layer of the round function. The differential holds with a low probability of \(2^{-7}\) for one round which allows it to penetrate the same number of rounds as claimed by the designers, but with a much lower complexity. Moreover, it can be easily extended to a key-recovery attack at a little extra cost. We further report a Super-Sbox construction in the internal permutation, which is exploited using the Yoyo game to devise a 6-round deterministic distinguisher and a 7-round key recovery attack for the 128-bit internal permutation. Similar attacks can be mounted for the 64-bit and 256-bit variants. All these attacks outperform the existing results of the designers as well as other third-party results. The iterated truncated differentials can be tweaked to mount forgery attacks similar to the ones given by Eichlseder et al. Success probabilities of all the reported distinguishing attacks are shown to be high. All practical attacks have been experimentally verified. To the best of our knowledge, this work reports the first key-recovery attack on the internal keyed permutation of FlexAEAD.

3 citations


Proceedings ArticleDOI
12 Jun 2020
TL;DR: A comparative study on the performance analysis of the enhanced round function of the SIMECK family block cipher shows an efficient performance over the original algorithm in different simulations using the following methods of measurement: avalanche effect, runtime performance, and brute-force attack.
Abstract: There are various Lightweight Block Ciphers (LBC) nowadays that exist to meet the demand on security requirements of the current trend in the computing world, the application in resource-constrained devices, and Internet of Things (IoT) technologies. One way to evaluate these LBCs is to conduct a performance analysis. Performance evaluation parameters seek appropriate values such as encryption time, security level, scalability, and flexibility. As the SIMECK block cipher, whose algorithm design was anchored in the SIMON and SPECK block ciphers, was efficient in security and performance, there is a need to revisit its design. This paper aims to present a comparative study on the performance analysis of the enhanced round function of the SIMECK family block cipher. The enhanced ARX structure of the round function on the three variants shows an efficient performance over the original algorithm in different simulations using the following methods of measurement: avalanche effect, runtime performance, and brute-force attack. It is recommended that the enhanced round function of the SIMECK family be evaluated by different security measurements and attacks.

2 citations


30 Jun 2020
TL;DR: This paper introduces generic methods to generate lightweight $k \times k$ involutory/non-involutory MDS matrices over $\mathbb{F}_{2^m}$ and presents the lightest involutory/non-involutory $4 \times 4$ MDS matrices by considering the XOR count metric, which is defined to estimate hardware implementation cost.
Abstract: Maximum Distance Separable (MDS) matrices are used as the main part of diffusion layers in block ciphers and hash functions. MDS matrices derived from MDS codes have the maximum differential and linear branch number, which provides resistance against some well-known attacks like differential and linear cryptanalysis together with the use of a nonlinear layer (e.g. S-boxes) in a round function of a block cipher. In this paper, we introduce generic methods to generate lightweight $k \times k$ involutory/non-involutory MDS matrices over $\mathbb{F}_{2^m}$ and present the lightest involutory/non-involutory $4 \times 4$ MDS matrices over $\mathbb{F}_{2^4}$ (to the best of our knowledge) by considering the XOR count metric, which is defined to estimate hardware implementation cost. Also, the results are obtained by using a global optimization technique, namely the Boyar-Peralta algorithm.

Posted Content
TL;DR: In this article, the authors examine the single-round permutation in various phases of Subterranean 2.0 and specify three related attack scenarios that deserve further investigation: keystream biases in the keyed squeezing phase, state collisions in keyed absorbing phase, and one-round differential analysis in the nonce-misuse setting.
Abstract: Subterranean 2.0 is a cipher suite that can be used for hashing, authenticated encryption, MAC computation, etc. It was designed by Daemen, Massolino, Mehrdad, and Rotella, and has been selected as a candidate in the second round of NIST’s lightweight cryptography standardization process. Subterranean 2.0 is a duplex-based construction and utilizes a single-round permutation in the duplex. It is the simplicity of the round function that makes it an attractive target of cryptanalysis. In this paper, we examine the single-round permutation in various phases of Subterranean 2.0 and specify three related attack scenarios that deserve further investigation: keystream biases in the keyed squeezing phase, state collisions in the keyed absorbing phase, and one-round differential analysis in the nonce-misuse setting. To facilitate cryptanalysis in the first two scenarios, we novelly propose a set of size-reduced toy versions of Subterranean 2.0: Subterranean-m. Then we make an observation for the first time on the resemblance between the non-linear layer in the round function of Subterranean 2.0 and SIMON’s round function. Inspired by the existing work on SIMON, we propose explicit formulas for computing the exact correlation of linear trails of Subterranean 2.0 and other ciphers utilizing similar non-linear operations. We then construct our models for searching trails to be used in the keystream bias evaluation and state collision attacks. Our results show that most instances of Subterranean-m are secure in the first two attack scenarios but there exist instances that are not. Further, we find a flaw in the designers’ reasoning of Subterranean 2.0’s linear bias but support the designers’ claim that there is no linear bias measurable from at most $2^{96}$ data blocks. Due to the time-consuming search, the security of Subterranean 2.0 against the state collision attack in keyed modes still remains an open question. Finally, we observe that one-round differentials allow one to recover state bits in the nonce-misuse setting. By proposing nested one-round differentials, we obtain a sufficient number of state bits, leading to a practical state recovery with only 20 repetitions of the nonce and 88 blocks of data. It is noted that our work does not threaten the security of Subterranean 2.0.

Journal ArticleDOI
TL;DR: The design of this round function provides an important cryptographic component for the design of chaotic image encryption algorithms and, by theoretical analysis, is a pseudo-random function.
Abstract: A round function based on chaos is designed combining the Feistel structure's pseudo-randomness, the chaotic system's parameter sensitivity and image data characteristics. The round function consists of two parts: data transformation based on Feistel (abbreviated as FST) and sampling output based on chaos (abbreviated as SMP). FST is based on the Feistel structure and several efficient operations including bitwise XOR, permutation and circular shift. SMP is a chaos-based pseudo-random sampling algorithm. Theoretical analysis shows that the round function is a pseudo-random function. The upper bounds of the average maximum differential probability and average maximum linear probability are p^2 and q^2 respectively. Finally, the good pseudo-randomness of the round function is examined with the NIST random test. The design of this round function provides an important cryptographic component for the design of chaotic image encryption algorithms.

Book ChapterDOI
01 Jan 2020
TL;DR: In this article, the PICARO and QTL block ciphers based on the Feistel network modifications are studied using integral technique which considers a propagation of multiset property during the encryption process in order to determine the type of cipher.
Abstract: Lightweight block ciphers are designed to ensure high performance and security under resource-constrained environments. They can be used to provide security for the internet of things, cyber physical systems and radio frequency identification. The Feistel network generalizations are often suited to the design of lightweight block ciphers. To evaluate the security of new cryptosystems they need to be tested with various cryptanalytical methods. In this paper, the PICARO and QTL block ciphers based on the Feistel network modifications are studied using the integral technique, which considers a propagation of multiset property during the encryption process in order to determine the type of cipher. The QTL cipher is proved to have a 1.5-round integral distinguisher. Its round function is studied against integral attack. The propagation of some integral properties in the PICARO expansion layer is shown. Integral distinguishers for generalized Feistel networks of type 1, 2, 3 are proposed for some restricted component functions.

Patent
11 Feb 2020
TL;DR: In this article, a lightweight cryptographic algorithm SCENERY implementation method, a lightweight cryptographic algorithm SCENERY implementation device and a storage medium are described. The method comprises the steps that a plaintext to be encrypted is acquired and IP1 initial replacement, a round function, key expansion and IP2 replacement are carried out in sequence; the round function comprises sequentially carrying out round key addition, S-box replacement and M matrix replacement, and the key expansion comprises sequentially carrying out S-box replacement, cyclic left shift, round constant addition and DP dynamic replacement.
Abstract: The invention discloses a lightweight cryptographic algorithm SCENERY implementation method, a lightweight cryptographic algorithm SCENERY implementation device and a storage medium. The method comprises the steps that a plaintext to be encrypted is acquired, IP1 initial replacement, a round function, key expansion and IP2 replacement are carried out in sequence, the round function comprises sequentially carrying out round key addition operation, S-box replacement and M matrix replacement on data, and the key expansion comprises sequentially carrying out S-box replacement, cyclic left shift, round constant addition operation and DP dynamic replacement on a key. An F function of an SPN structure is adopted as a round function, and a binary matrix M is constructed with the purpose of achieving high dependence when the F function linear layer is designed; a round constant and a key expansion intermediate result are selected as control signals for key expansion; DP dynamic replacement is carried out on the current round key expansion intermediate result to obtain a round key, which is a new key expansion mode; the relevance of a single key iteration to the previous-round input is reduced, the decoding difficulty is increased, the security is improved, and differential, linear and algebraic attacks can be particularly and effectively resisted.