IACR Transactions on Symmetric Cryptology最新文献

Revisiting Yoyo Tricks on AES 重温 AES 上的悠悠球技巧

IF 3.5

IACR Transactions on Symmetric Cryptology Pub Date : 2023-12-08 DOI: 10.46586/tosc.v2023.i4.28-57

Sandip Kumar Mondal, Mostafizar Rahman, Santanu Sarkar, Avishek Adhikari

{"title":"Revisiting Yoyo Tricks on AES","authors":"Sandip Kumar Mondal, Mostafizar Rahman, Santanu Sarkar, Avishek Adhikari","doi":"10.46586/tosc.v2023.i4.28-57","DOIUrl":"https://doi.org/10.46586/tosc.v2023.i4.28-57","url":null,"abstract":"At Asiacrypt 2017, Rønjom et al. presented key-independent distinguishers for different numbers of rounds of AES, ranging from 3 to 6 rounds, in their work titled “Yoyo Tricks with AES”. The reported data complexities for these distinguishers were 3, 4, 225.8, and 2122.83, respectively. In this work, we revisit those key-independent distinguishers and analyze their success probabilities.We show that the distinguishing algorithms provided for 5 and 6 rounds of AES in the paper of Rønjom et al. are ineffective with the proposed data complexities. Our thorough theoretical analysis has revealed that the success probability of these distinguishers for both 5-round and 6-round AES is approximately 0.5, with the corresponding data complexities mentioned earlier.We investigate the reasons behind this seemingly random behavior of those reported distinguishers. Based on our theoretical findings, we have revised the distinguishing algorithm for 5-round AES. Our revised algorithm demonstrates success probabilities of approximately 0.55 and 0.81 for 5-round AES, with data complexities of 229.95 and 230.65, respectively. We have also conducted experimental tests to validate our theoretical findings, which further support our findings.Additionally, we have theoretically demonstrated that improving the success probability of the distinguisher for 6-round AES from 0.50000 to 0.50004 would require a data complexity of 2129.15. This finding invalidates the reported distinguisher by Rønjom et al. for 6-round AES.","PeriodicalId":37077,"journal":{"name":"IACR Transactions on Symmetric Cryptology","volume":"353 ","pages":""},"PeriodicalIF":3.5,"publicationDate":"2023-12-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"139011019","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

Related-Key Differential Analysis of the AES AES 的相关密钥差异分析

IF 3.5

IACR Transactions on Symmetric Cryptology Pub Date : 2023-12-08 DOI: 10.46586/tosc.v2023.i4.215-243

Christina Boura, Patrick Derbez, Margot Funk

{"title":"Related-Key Differential Analysis of the AES","authors":"Christina Boura, Patrick Derbez, Margot Funk","doi":"10.46586/tosc.v2023.i4.215-243","DOIUrl":"https://doi.org/10.46586/tosc.v2023.i4.215-243","url":null,"abstract":"The Advanced Encryption Standard (AES) is considered to be the most important and widely deployed symmetric primitive. While the cipher was designed to be immune against differential and other classical attacks, this immunity does not hold in the related-key setting, and various related-key attacks have appeared over time. This work presents tools and algorithms to search for related-key distinguishers and attacks of differential nature against the AES. First, we propose two entirely different approaches to find optimal truncated differential characteristics and bounds on the minimum number of active S-boxes for all variants of the AES. In the first approach, we propose a simple MILP model that handles better linear inconsistencies with respect to the AES system of equations and that compares particularly well to previous tool-based approaches to solve this problem. The main advantage of this tool is that it can easily be used as the core algorithm to search for any attack on AES exploiting related-key differentials. Then, we design a fast and low-memory algorithm based on dynamic programming that has a very simple to understand complexity analysis and does not depend on any generic solver. This second algorithm provides us useful insight on the related-key differential search problem for AES and shows that the search space is not as big as one would expect. Finally, we build on the top of our MILP model a fully automated tool to search for the best differential MITM attacks against the AES. We apply our tool on AES-256 and find an attack on 13 rounds with only two related keys. This attack can be seen as the best known cryptanalysis against this variant if only 2 related keys are permitted.","PeriodicalId":37077,"journal":{"name":"IACR Transactions on Symmetric Cryptology","volume":"77 4","pages":""},"PeriodicalIF":3.5,"publicationDate":"2023-12-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"139011041","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

Key Committing Security of AEZ and More AEZ 的关键安全承诺及其他

IF 3.5

IACR Transactions on Symmetric Cryptology Pub Date : 2023-12-08 DOI: 10.46586/tosc.v2023.i4.452-488

Yu Long Chen, Antonio Flórez-Gutiérrez, Akiko Inoue, Ryoma Ito, Tetsu Iwata, Kazuhiko Minematsu, Nicky Mouha, Yusuke Naito, Ferdinand Sibleyras, Yosuke Todo

{"title":"Key Committing Security of AEZ and More","authors":"Yu Long Chen, Antonio Flórez-Gutiérrez, Akiko Inoue, Ryoma Ito, Tetsu Iwata, Kazuhiko Minematsu, Nicky Mouha, Yusuke Naito, Ferdinand Sibleyras, Yosuke Todo","doi":"10.46586/tosc.v2023.i4.452-488","DOIUrl":"https://doi.org/10.46586/tosc.v2023.i4.452-488","url":null,"abstract":"For an Authenticated Encryption with Associated Data (AEAD) scheme, the key committing security refers to the security notion of whether the adversary can produce a pair of distinct input tuples, including the key, that result in the same output. While the key committing security of various nonce-based AEAD schemes is known, the security analysis of Robust AE (RAE) is largely unexplored. In particular, we are interested in the key committing security of AEAD schemes built on the Encode-then-Encipher (EtE) approach from a wide block cipher. We first consider AEZ v5, the classical and the first dedicated RAE that employs the EtE approach. We focus our analysis on the core part of AEZ to show our best attacks depending on the length of the ciphertext expansion. In the general case where the Tweakable Block Cipher (TBC) is assumed to be ideal, we show a birthday attack and a matching provable security result. AEZ adopts a simpler key schedule and the prove-then-prune approach in the full specification, and we show a practical attack against it by exploiting the simplicity of the key schedule. The complexity is 227, and we experimentally verify the correctness with a concrete example. We also cover two AEAD schemes based on EtE. One is built on Adiantum, and the other one is built on HCTR2, which are two wide block ciphers that are used in real applications. We present key committing attacks against these schemes when used in EtE and matching proofs for particular cases.","PeriodicalId":37077,"journal":{"name":"IACR Transactions on Symmetric Cryptology","volume":"235 ","pages":""},"PeriodicalIF":3.5,"publicationDate":"2023-12-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"139011034","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

Commutative Cryptanalysis Made Practical 换元密码分析实用化

IF 3.5

IACR Transactions on Symmetric Cryptology Pub Date : 2023-12-08 DOI: 10.46586/tosc.v2023.i4.299-329

Jules Baudrin, P. Felke, Gregor Leander, P. Neumann, Léo Perrin, Lukas Stennes

{"title":"Commutative Cryptanalysis Made Practical","authors":"Jules Baudrin, P. Felke, Gregor Leander, P. Neumann, Léo Perrin, Lukas Stennes","doi":"10.46586/tosc.v2023.i4.299-329","DOIUrl":"https://doi.org/10.46586/tosc.v2023.i4.299-329","url":null,"abstract":"About 20 years ago, Wagner showed that most of the (then) known techniques used in the cryptanalysis of block ciphers were particular cases of what he called commutative diagram cryptanalysis. However, to the best of our knowledge, this general framework has not yet been leveraged to find concrete attacks.In this paper, we focus on a particular case of this framework and develop commutative cryptanalysis, whereby an attacker targeting a primitive E constructs affine permutations A and B such that E ○ A = B ○ E with a high probability, possibly for some weak keys. We develop the tools needed for the practical use of this technique: first, we generalize differential uniformity into “A-uniformity” and differential trails into “commutative trails”, and second we investigate the commutative behaviour of S-box layers, matrix multiplications, and key additions.Equipped with these new techniques, we find probability-one distinguishers using only two chosen plaintexts for large classes of weak keys in both a modified Midori and in Scream. For the same weak keys, we deduce high probability truncated differentials that can cover an arbitrary number of rounds, but which do not correspond to any high probability differential trails. Similarly, we show the existence of a trade-off in our variant of Midori whereby the probability of the commutative trail can be decreased in order to increase the weak key density. We also show some statistical patterns in the AES super S-box that have a much higher probability than the best differentials, and which hold for a class of weak keys of density about 2−4.5.","PeriodicalId":37077,"journal":{"name":"IACR Transactions on Symmetric Cryptology","volume":"257 4","pages":""},"PeriodicalIF":3.5,"publicationDate":"2023-12-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"139011390","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

Propagation of Subspaces in Primitives with Monomial Sboxes: Applications to Rescue and Variants of the AES 具有单项式 Sboxes 的原语中子空间的传播：AES 的救援和变体应用

IF 3.5

IACR Transactions on Symmetric Cryptology Pub Date : 2023-12-08 DOI: 10.46586/tosc.v2023.i4.270-298

Aurélien Boeuf, A. Canteaut, Léo Perrin

{"title":"Propagation of Subspaces in Primitives with Monomial Sboxes: Applications to Rescue and Variants of the AES","authors":"Aurélien Boeuf, A. Canteaut, Léo Perrin","doi":"10.46586/tosc.v2023.i4.270-298","DOIUrl":"https://doi.org/10.46586/tosc.v2023.i4.270-298","url":null,"abstract":"Motivated by progress in the field of zero-knowledge proofs, so-called Arithmetization-Oriented (AO) symmetric primitives have started to appear in the literature, such as MiMC, Poseidon or Rescue. Due to the design constraints implied by this setting, these algorithms are defined using simple operations over large (possibly prime) fields. In particular, many rely on simple low-degree monomials for their non-linear layers, essentially using x ↦ x3 as an S-box.In this paper, we show that the structure of the material injected in each round (be it subkeys in a block cipher or round constants in a public permutation) could allow a specific pattern, whereby a well-defined affine space is mapped to another by the round function, and then to another, etc. Such chains of one-dimensional subspaces always exist over 2 rounds, and they can be extended to an arbitrary number of rounds, for any linear layer, provided that the round-constants are well chosen.As a consequence, for several ciphers like Rescue, or a variant of AES with a monomial Sbox, there exist some round-key sequences for which the cipher has an abnormally high differential uniformity, exceeding the size of the Sbox alphabet.Well-known security arguments, in particular based on the wide-trail strategy, have been reused in the AO setting by many designers. Unfortunately, our results show that such a traditional study may not be sufficient to guarantee security. To illustrate this, we present two new primitives (the tweakable block cipher Snare and the permutation-based hash function Stir) that are built using state-of-the-art security arguments, but which are actually deeply flawed. Indeed, the key schedule of Snare ensures the presence of a subspace chain that significantly simplifies an algebraic attack against it, and the round constants of Stir force the presence of a subspace chain aligned with the rate and capacity of the permutation. This in turns implies the existence of many easy-to-find solutions to the so-called CICO problem.","PeriodicalId":37077,"journal":{"name":"IACR Transactions on Symmetric Cryptology","volume":"533 ","pages":""},"PeriodicalIF":3.5,"publicationDate":"2023-12-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"139011098","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

On Large Tweaks in Tweakable Even-Mansour with Linear Tweak and Key Mixing 关于带有线性调整和密钥混合的可调整偶数曼苏尔中的大调整

IF 3.5

IACR Transactions on Symmetric Cryptology Pub Date : 2023-12-08 DOI: 10.46586/tosc.v2023.i4.330-364

Benoît Cogliati, J. Ethan, Ashwin Jha, Soumya Kanti Saha

{"title":"On Large Tweaks in Tweakable Even-Mansour with Linear Tweak and Key Mixing","authors":"Benoît Cogliati, J. Ethan, Ashwin Jha, Soumya Kanti Saha","doi":"10.46586/tosc.v2023.i4.330-364","DOIUrl":"https://doi.org/10.46586/tosc.v2023.i4.330-364","url":null,"abstract":"In this paper, we provide the first analysis of the Iterated Tweakable Even-Mansour cipher with linear tweak and key (or tweakey) mixing, henceforth referred as TEML, for an arbitrary tweak(ey) size kn for all k ≥ 1, and arbitrary number of rounds r ≥ 2. Note that TEML captures the high-level design paradigm of most of the existing tweakable block ciphers (TBCs), including SKINNY, Deoxys, TweGIFT, TweAES etc. from a provable security point of view. At ASIACRYPT 2015, Cogliati and Seurin initiated the study of TEML by showing that 4-round TEML with a 2n-bit uniform at random key, and n-bit tweak is secure up to 22n/3 queries. In this work, we extend this line of research in two directions. First, we propose a necessary and sufficient class of linear tweakey schedules to absorb mn-bit tweak(ey) material in a minimal number of rounds, for all m ≥ 1. Second, we give a rigorous provable security treatment for r-round TEML, for all r ≥ 2. In particular, we first show that the 2r-round TEML with a (2r + 1)n-bit key, αn-bit tweak, and a special class of tweakey schedule is IND-CCA secure up to O(2r−α/r n) queries. Our proof crucially relies on the use of the coupling technique to upper-bound the statistical distance of the outputs of TEML cipher from the uniform distribution. Our main echnical contribution is a novel approach for computing the probability of failure in coupling, which could be of independent interest for deriving tighter bounds in coupling-based security proofs. Next, we shift our focus to the chosen-key setting, and show that (r + 3)-round TEML, with rn bits of tweakey material and a special class of tweakey schedule, offers some form of resistance to chosen-key attacks. We prove this by showing that r + 3 rounds of TEML are both necessary and sufficient for sequential indifferentiability. As a consequence of our results, we provide a sound provable security footing for the TWEAKEY framework, a high level design rationale of popular TBC.","PeriodicalId":37077,"journal":{"name":"IACR Transactions on Symmetric Cryptology","volume":"40 4","pages":""},"PeriodicalIF":3.5,"publicationDate":"2023-12-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"139010819","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

Revisiting Randomness Extraction and Key Derivation Using the CBC and Cascade Modes 重温使用 CBC 和级联模式提取随机性和推导密钥

IF 3.5

IACR Transactions on Symmetric Cryptology Pub Date : 2023-12-08 DOI: 10.46586/tosc.v2023.i4.391-419

Niranjan Balachandran, Ashwin Jha, M. Nandi, Soumit Pal

引用次数: 0

Committing Security of Ascon: Cryptanalysis on Primitive and Proof on Mode Ascon 的承诺安全性：原始密码分析和模式证明

IF 3.5

IACR Transactions on Symmetric Cryptology Pub Date : 2023-12-08 DOI: 10.46586/tosc.v2023.i4.420-451

Yusuke Naito, Yu Sasaki, Takeshi Sugawara

{"title":"Committing Security of Ascon: Cryptanalysis on Primitive and Proof on Mode","authors":"Yusuke Naito, Yu Sasaki, Takeshi Sugawara","doi":"10.46586/tosc.v2023.i4.420-451","DOIUrl":"https://doi.org/10.46586/tosc.v2023.i4.420-451","url":null,"abstract":"Context-committing security of authenticated encryption (AE) that prevents ciphertexts from being decrypted with distinct decryption contexts, (K,N,A) comprising a key K, a nonce N, and associate data A is an active research field motivated by several real-world attacks. In this paper, we study the context-committing security of Ascon, the lightweight permutation-based AE selected by the NIST LWC in 2023, for cryptanalysis on primitive and proof on mode. The attacker’s goal is to find a collision of a ciphertext and a tag with distinct decryption contexts in which an attacker can control all the parameters including the key. First, we propose new attacks with primitives that inject differences in N and A. The new attack on Ascon-128 improves the number of rounds from 2 to 3 and practically generates distinct decryption contexts. The new attack also works in a practical complexity on 3 rounds of Ascon-128a. Second, we prove the context-committing security of Ascon with zero padding, namely Ascon-zp, in the random permutation model. Ascon-zp achieves min {t+z/2 , n+t−k−ν/2 , c/2}-bit security with a t-bit tag, a z-bit padding, an n-bit state, a ν-bit nonce, and a c-bit inner part. This bound corresponds to min {64 + z/2 , 96} with Ascon-128 and Ascon-128a, and min {64 + z/2 , 80} with Ascon-80pq. The original Ascon (z = 0) achieves 64-bit security bounded by a generic birthday attack. By appending zeroes to the plaintext, the security can be enhanced up to 96 bits for Ascon-128 and Ascon-128a and 80 bits for Ascon-80pq.","PeriodicalId":37077,"journal":{"name":"IACR Transactions on Symmetric Cryptology","volume":"452 ","pages":""},"PeriodicalIF":3.5,"publicationDate":"2023-12-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"139011237","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

Integral Cryptanalysis Using Algebraic Transition Matrices 利用代数转换矩阵进行积分密码分析

IF 3.5

IACR Transactions on Symmetric Cryptology Pub Date : 2023-12-08 DOI: 10.46586/tosc.v2023.i4.244-269

T. Beyne, Michiel Verbauwhede

{"title":"Integral Cryptanalysis Using Algebraic Transition Matrices","authors":"T. Beyne, Michiel Verbauwhede","doi":"10.46586/tosc.v2023.i4.244-269","DOIUrl":"https://doi.org/10.46586/tosc.v2023.i4.244-269","url":null,"abstract":"In this work we introduce algebraic transition matrices as the basis for a new approach to integral cryptanalysis that unifies monomial trails (Hu et al., Asiacrypt 2020) and parity sets (Boura and Canteaut, Crypto 2016). Algebraic transition matrices allow for the computation of the algebraic normal form of a primitive based on the algebraic normal forms of its components by means of wellunderstood operations from linear algebra. The theory of algebraic transition matrices leads to better insight into the relation between integral properties of F and F−1. In addition, we show that the link between invariants and eigenvectors of correlation matrices (Beyne, Asiacrypt 2018) carries over to algebraic transition matrices. Finally, algebraic transition matrices suggest a generalized definition of integral properties that subsumes previous notions such as extended division properties (Lambin, Derbez and Fouque, DCC 2020). On the practical side, a new algorithm is described to search for these generalized properties and applied to Present, resulting in new properties. The algorithm can be instantiated with any existing automated search method for integral cryptanalysis.","PeriodicalId":37077,"journal":{"name":"IACR Transactions on Symmetric Cryptology","volume":"156 ","pages":""},"PeriodicalIF":3.5,"publicationDate":"2023-12-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"139011292","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

Multidimensional Linear Cryptanalysis of Feistel Ciphers 费斯特尔密码的多维线性密码分析

IF 3.5

IACR Transactions on Symmetric Cryptology Pub Date : 2023-12-08 DOI: 10.46586/tosc.v2023.i4.1-27

Betül Askin Özdemir, T. Beyne, Vincent Rijmen

引用次数: 0