{"title":"Chosen-Key Secure Even-Mansour Cipher from a Single Permutation","authors":"Shanjie Xu, Qi Da, Chun Guo","doi":"10.46586/tosc.v2023.i1.244-287","DOIUrl":"https://doi.org/10.46586/tosc.v2023.i1.244-287","url":null,"abstract":"At EUROCRYPT 2015, Cogliati and Seurin proved that the 4-round Iterated Even-Mansour (IEM) cipher with Independent random Permutations and no key schedule EMIP_4(k, u) = k ⊕ p_4(k ⊕ p_3(k ⊕ p_2(k ⊕ p_1(k ⊕ u)))) is sequentially indifferentiable from an ideal cipher, which implies chosen-key security in the sense of correlation intractability. In practice, however, blockciphers such as the AES typically employ the same permutation at each round. To bridge the gap, we prove that the 4-round IEM cipher EMSP[φ]^p_4(k, u) = k_4 ⊕ p(k_3 ⊕ p(k_2 ⊕ p(k_1 ⊕ p(k_0 ⊕ u)))), whose round keys k_i = φ^i(k) are derived using an affine permutation φ : {0, 1}^n → {0, 1}^n with certain properties, is sequentially indifferentiable from an ideal cipher. The function φ can be a linear orthomorphism, or φ(k) := k ≫ a for some fixed integer a using cyclic shift. To our knowledge, this is the first indifferentiability-type result for blockciphers using identical round functions.","PeriodicalId":37077,"journal":{"name":"IACR Transactions on Symmetric Cryptology","volume":"293 1","pages":"244-287"},"PeriodicalIF":3.5,"publicationDate":"2023-03-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"76483374","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Finding Collisions for Round-Reduced Romulus-H","authors":"Marcel Nageler, Felix Pallua, Maria Eichlseder","doi":"10.46586/tosc.v2023.i1.67-88","DOIUrl":"https://doi.org/10.46586/tosc.v2023.i1.67-88","url":null,"abstract":"The hash function Romulus-H is a finalist in the NIST Lightweight Cryptography competition. It is based on the Hirose double block-length (DBL) construction which is provably secure when used with an ideal block cipher. However, in practice, ideal block ciphers can only be approximated. Therefore, the security of concrete instantiations must be cryptanalyzed carefully; the security margin may be higher or lower than in the secret-key setting. So far, the Hirose DBL construction has been studied with only a few other block ciphers, like IDEA and AES. However, Romulus-H uses Hirose DBL with the SKINNY block cipher where only very little analysis has been published so far. In this work, we present the first practical analysis of Romulus-H. We propose a new framework for finding collisions in hash functions based on the Hirose DBL construction. This is in contrast to previous work that only focused on free-start collisions. Our framework is based on the idea of joint differential characteristics which capture the relationship between the two block cipher calls in the Hirose DBL construction. To identify good joint differential characteristics, we propose a combination of MILP and CP models. Then, we use these characteristics in another CP model to find collisions. Finally, we apply this framework to Romulus-H and find practical collisions of the hash function for 10 out of 40 rounds and practical semi-free-start collisions for up to 14 rounds.","PeriodicalId":37077,"journal":{"name":"IACR Transactions on Symmetric Cryptology","volume":"8 1","pages":"67-88"},"PeriodicalIF":3.5,"publicationDate":"2023-03-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"80162076","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"SoK: Modeling for Large S-boxes Oriented to Differential Probabilities and Linear Correlations (Long Paper)","authors":"Ling Sun, Meiqin Wang","doi":"10.46586/tosc.v2023.i1.111-151","DOIUrl":"https://doi.org/10.46586/tosc.v2023.i1.111-151","url":null,"abstract":"Automatic methods for differential and linear characteristic search are well-established at the moment. Typically, the designers of novel ciphers also give preliminary analytical findings for analysing the differential and linear properties using automatic techniques. However, neither MILP-based nor SAT/SMT-based approaches have fully resolved the problem of searching for actual differential and linear characteristics of ciphers with large S-boxes. To tackle the issue, we present three strategies for developing SAT models for 8-bit S-boxes that are geared toward differential probabilities and linear correlations. While these approaches cannot guarantee a minimum model size, the time needed to obtain models is drastically reduced. The newly proposed SAT model for large S-boxes enables us to establish that the upper bound on the differential probability for 14 rounds of SKINNY-128 is 2^−131, thereby completing the unsuccessful work of Abdelkhalek et al. We also analyse the seven AES-based constructions C1 - C7 designed by Jean and Nikolić and compute the minimum number of active S-boxes necessary to cause an internal collision using the SAT method. For two constructions C3 and C5, the current lower bound on the number of active S-boxes is increased, resulting in a more precise security analysis for these two structures.","PeriodicalId":37077,"journal":{"name":"IACR Transactions on Symmetric Cryptology","volume":"3 1","pages":"111-151"},"PeriodicalIF":3.5,"publicationDate":"2023-03-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"86159159","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Secure Message Authentication in the Presence of Leakage and Faults","authors":"Francesco Berti, Chun Guo, Thomas Peters, Yaobin Shen, François-Xavier Standaert","doi":"10.46586/tosc.v2023.i1.288-315","DOIUrl":"https://doi.org/10.46586/tosc.v2023.i1.288-315","url":null,"abstract":"Security against side-channels and faults is a must for the deployment of embedded cryptography. A wide body of research has investigated solutions to secure implementations against these attacks at different abstraction levels. Yet, to a large extent, current solutions focus on one or the other threat. In this paper, we initiate a mode-level study of cryptographic primitives that can ensure security in a (new and practically-motivated) adversarial model combining leakage and faults. Our goal is to identify constructions that do not require a uniform protection of all their operations against both attack vectors. For this purpose, we first introduce a versatile and intuitive model to capture leakage and faults. We then show that a MAC from Asiacrypt 2021 natively enables a leveled implementation for fault resilience where only its underlying tweakable block cipher must be protected, if only the tag verification can be faulted. We finally describe two approaches to amplify security for fault resilience when also the tag generation can be faulted. One is based on iteration and requires the adversary to inject increasingly large faults to succeed. The other is based on randomness and allows provable security against differential faults.","PeriodicalId":37077,"journal":{"name":"IACR Transactions on Symmetric Cryptology","volume":"44 1","pages":"288-315"},"PeriodicalIF":3.5,"publicationDate":"2023-03-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"84583534","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Subverting Telegram's End-to-End Encryption","authors":"Benoît Cogliati, J. Ethan, Ashwin Jha","doi":"10.46586/tosc.v2023.i1.5-40","DOIUrl":"https://doi.org/10.46586/tosc.v2023.i1.5-40","url":null,"abstract":"Telegram is a popular secure messaging service with the third biggest user base as of 2021. In this paper, we analyze the security of Telegram’s end-to-end encryption (E2EE) protocol in the presence of mass-surveillance. Specifically, we show that Telegram’s E2EE protocol is susceptible to fairly efficient algorithm substitution attacks. While official Telegram clients should be protected against this type of attack due to their open-source nature and reproducible builds, this could potentially lead to a very efficient state sponsored surveillance of private communications over Telegram, either on individuals through a targeted attack or massively through some compromised third-party clients. We provide an efficient algorithm substitution attack against MTProto2.0 — the underlying authenticated encryption scheme — that recovers a significant amount of encryption key material with a very high probability with few queries and fairly low latency. This could potentially lead to a very efficient state sponsored surveillance of private communications over Telegram, either through a targeted attack or a compromised third-party app. Our attack exploits MTProto2.0’s degree of freedom in choosing the random padding length and padding value. Accordingly, we strongly recommend that Telegram should revise MTProto2.0’s padding methodology. In particular, we show that a minor change in the padding description of MTProto2.0 makes it subversion-resistant in most practical scenarios. As a side-effect, we generalize the underlying mode of operation in MTProto2.0, as MTProto-G, and show that this generalization is a multi-user secure deterministic authenticated encryption scheme.","PeriodicalId":37077,"journal":{"name":"IACR Transactions on Symmetric Cryptology","volume":"158 1","pages":"5-40"},"PeriodicalIF":3.5,"publicationDate":"2023-03-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"80019507","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Practical Attacks on Full-round FRIET","authors":"Senpeng Wang, D. Feng, Bin Hu, Jie Guan, Tairong Shi","doi":"10.46586/tosc.v2022.i4.105-119","DOIUrl":"https://doi.org/10.46586/tosc.v2022.i4.105-119","url":null,"abstract":"FRIET is a duplex-based authenticated encryption scheme proposed at EUROCRYPT 2020. It follows a novel design approach for built-in countermeasures against fault attacks. By a judicious choice of components, the designers propose the permutation FRIET-PC that can be used to build an authenticated encryption cipher denoted as FRIET-AE. FRIET-AE provides a 128-bit security claim for integrity and confidentiality. In this paper, we research the propagation of pairs of differences and linear masks through the round function of FRIET-PC. For the full-round FRIET-PC, we can construct a differential distinguisher whose probability is 1 and a linear distinguisher whose absolute value of correlation is 1. Moreover, we use the differential distinguisher with probability 1 to construct a set consisting of valid tags and ciphertexts which are not created by legal users. This breaks FRIET-AE’s security claim for integrity and confidentiality. As far as we know, this is the first practical attack that threatens the security of FRIET-AE.","PeriodicalId":37077,"journal":{"name":"IACR Transactions on Symmetric Cryptology","volume":"85 1","pages":"105-119"},"PeriodicalIF":3.5,"publicationDate":"2022-12-07","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"74742266","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Generalized Feistel Structures Based on Tweakable Block Ciphers","authors":"Kazuki Nakaya, Tetsu Iwata","doi":"10.46586/tosc.v2022.i4.24-91","DOIUrl":"https://doi.org/10.46586/tosc.v2022.i4.24-91","url":null,"abstract":"A generalized Feistel structure (GFS) is a classical approach to construct a block cipher from pseudorandom functions (PRFs). Coron et al. at TCC 2010 instantiated a Feistel structure with a tweakable block cipher (TBC), and presented its provable security treatment. GFSs can naturally be instantiated with TBCs, and among several types of GFSs, the provable security result of TBC-based unbalanced GFSs was presented. TBC-based counterparts of the most basic types of GFSs, namely, type-1, type-2, and type-3 GFSs, can naturally be formalized, and the provable security result of these structures is open. In this paper, we present such formalization and show their provable security treatment. We use a TBC of n-bit blocks and n-bit tweaks, and we identify the number of rounds needed to achieve birthday-bound security and beyond-birthday-bound security (with respect to n). The n-bit security can be achieved with a finite number of rounds, in contrast to the case of classical PRF-based GFSs. Our proofs use Patarin’s coefficient-H technique, and it turns out that deriving a collision probability of various internal variables is nontrivial. In order to complete the proof, we introduce an approach to first compute a collision probability of one specific plaintext difference (or a ciphertext difference), and then prove that the case gives the maximum collision probability. We fully verify the correctness of our security bounds for a class of parameters by experimentally deriving upper bounds on the collision probability of internal variables. We also analyse the optimality of our results with respect to the number of rounds and the attack complexity.","PeriodicalId":37077,"journal":{"name":"IACR Transactions on Symmetric Cryptology","volume":"107 1","pages":"24-91"},"PeriodicalIF":3.5,"publicationDate":"2022-12-07","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"89307659","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"SCB Mode: Semantically Secure Length-Preserving Encryption","authors":"Fabio Banfi","doi":"10.46586/tosc.v2022.i4.1-23","DOIUrl":"https://doi.org/10.46586/tosc.v2022.i4.1-23","url":null,"abstract":"To achieve semantic security, symmetric encryption schemes classically require ciphertext expansion. In this paper we provide a means to achieve semantic security while preserving the length of messages at the cost of mildly sacrificing correctness. Concretely, we propose a new scheme that can be interpreted as a secure alternative to (or wrapper around) plain Electronic Codebook (ECB) mode of encryption, and for this reason we name it Secure Codebook (SCB). Our scheme is the first length-preserving encryption scheme to effectively achieve semantic security.","PeriodicalId":37077,"journal":{"name":"IACR Transactions on Symmetric Cryptology","volume":"3 1","pages":"1-23"},"PeriodicalIF":3.5,"publicationDate":"2022-12-07","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"79480303","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"New Properties of the Double Boomerang Connectivity Table","authors":"Qianqian Yang, Ling Song, Siwei Sun, Danping Shi, Lei Hu","doi":"10.46586/tosc.v2022.i4.208-242","DOIUrl":"https://doi.org/10.46586/tosc.v2022.i4.208-242","url":null,"abstract":"The double boomerang connectivity table (DBCT) is a new table proposed recently to capture the behavior of two consecutive S-boxes in boomerang attacks. In this paper, we observe an interesting property of the DBCT of an S-box: the ladder switch and the S-box switch happen in most cases for two consecutive S-boxes, and for some S-boxes only the S-box switch and the ladder switch are possible. This property implies an additional criterion for S-boxes to resist boomerang attacks and also provides a new evaluation direction for an S-box. Using an extension of the DBCT, we verify that some boomerang distinguishers of TweAES and Deoxys are flawed. On the other hand, inspired by the property, we put forward a formula for estimating boomerang cluster probabilities. Furthermore, we introduce the first model to search for boomerang distinguishers with good cluster probabilities. Applying the model to CRAFT, we obtain 9-round and 10-round boomerang distinguishers with a higher probability than that of previous works.","PeriodicalId":37077,"journal":{"name":"IACR Transactions on Symmetric Cryptology","volume":"28 1","pages":"208-242"},"PeriodicalIF":3.5,"publicationDate":"2022-12-07","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"85543774","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}