Solane El Hirch, S. Mella, Alireza Mehrdad, J. Daemen
{"title":"Improved Differential and Linear Trail Bounds for ASCON","authors":"Solane El Hirch, S. Mella, Alireza Mehrdad, J. Daemen","doi":"10.46586/tosc.v2022.i4.145-178","DOIUrl":"https://doi.org/10.46586/tosc.v2022.i4.145-178","url":null,"abstract":"Ascon is a family of cryptographic primitives for authenticated encryption and hashing introduced in 2015. It is selected as one of the ten finalists in the NIST Lightweight Cryptography competition. Since its introduction, Ascon has been extensively cryptanalyzed, and the results of these analyses can indicate the good resistance of this family of cryptographic primitives against known attacks, like differential and linear cryptanalysis.Proving upper bounds for the differential probability of differential trails and for the squared correlation of linear trails is a standard requirement to evaluate the security of cryptographic primitives. It can be done analytically for some primitives like AES. For other primitives, computer assistance is required to prove strong upper bounds for differential and linear trails. Computer-aided tools can be classified into two categories: tools based on general-purpose solvers and dedicated tools. General-purpose solvers such as SAT and MILP are widely used to prove these bounds, however they seem to have lower capabilities and thus yield less powerful bounds compared to dedicated tools.In this work, we present a dedicated tool for trail search in Ascon. We arrange 2-round trails in a tree and traverse this tree in an efficient way using a number of new techniques we introduce. Then we extend these trails to more rounds, where we also use the tree traversal technique to do it efficiently. This allows us to scan much larger spaces of trails faster than the previous methods using general-purpose solvers. As a result, we prove tight bounds for 3-rounds linear trails, and for both differential and linear trails, we improve the existing upper bounds for other number of rounds. In particular, for the first time, we prove bounds beyond 2−128 for 6 rounds and beyond 2−256 for 12 rounds of both differential and linear trails.","PeriodicalId":37077,"journal":{"name":"IACR Transactions on Symmetric Cryptology","volume":"12 1","pages":"145-178"},"PeriodicalIF":3.5,"publicationDate":"2022-12-07","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"86266995","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Christof Beierle, P. Felke, G. Leander, Sondre Rønjom
{"title":"Decomposing Linear Layers","authors":"Christof Beierle, P. Felke, G. Leander, Sondre Rønjom","doi":"10.46586/tosc.v2022.i4.243-265","DOIUrl":"https://doi.org/10.46586/tosc.v2022.i4.243-265","url":null,"abstract":"There are many recent results on reverse-engineering (potentially hidden) structure in cryptographic S-boxes. The problem of recovering structure in the other main building block of symmetric cryptographic primitives, namely, the linear layer, has not been paid that much attention so far. To fill this gap, in this work, we develop a systematic approach to decomposing structure in the linear layer of a substitutionpermutation network (SPN), covering the case in which the specification of the linear layer is obfuscated by applying secret linear transformations to the S-boxes. We first present algorithms to decide whether an ms x ms matrix with entries in a prime field Fp can be represented as an m x m matrix over the extension field Fps . We then study the case of recovering structure in MDS matrices by investigating whether a given MDS matrix follows a Cauchy construction. As an application, for the first time, we show that the 8 x 8 MDS matrix over F28 used in the hash function Streebog is a Cauchy matrix.","PeriodicalId":37077,"journal":{"name":"IACR Transactions on Symmetric Cryptology","volume":"8 1","pages":"243-265"},"PeriodicalIF":3.5,"publicationDate":"2022-12-07","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"84178843","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Practical Cube Attack against Nonce-Misused Ascon","authors":"Jules Baudrin, A. Canteaut, Léo Perrin","doi":"10.46586/tosc.v2022.i4.120-144","DOIUrl":"https://doi.org/10.46586/tosc.v2022.i4.120-144","url":null,"abstract":"Ascon is a sponge-based Authenticated Encryption with Associated Data that was selected as both one of the winners of the CAESAR competition and one of the finalists of the NIST lightweight cryptography standardization effort. As this competition comes to an end, we analyse the security of this algorithm against cube attacks. We present a practical cube attack against the full 6-round encryption in Ascon in the nonce-misuse setting. We note right away that this attack does not violate the security claims made by the designers of Ascon, due to this setting.Our cryptanalysis is a conditional cube attack that is capable of recovering the full capacity in practical time; but for Ascon-128, its extension to a key recovery or a forgery is still an open question. First, a careful analysis of the maximum-degree terms in the algebraic normal form of the Ascon permutation allows us to derive linear equations in half of the capacity bits given enough cube sums of dimension 32. Then, depending on the results of this first phase, we identify smaller-degree cubes that allow us to recover the remaining half of the capacity. Overall, our cryptanalysis has a complexity of about 240 adaptatively chosen plaintexts, and about 240 calls to the permutation. We have implemented the full attack and our experiments confirm our claims.Our results are built on a theoretical framework which allows us to easily identify monomials whose cube-sums provide linear equations in the capacity bits. The coefficients of these monomials have a more general form than those used in the previous attacks against Ascon, and our method enables us to re-frame previous results in a simpler form. Overall, it enables to gain a deeper understanding of the properties of the permutation, and in particular of its S-box, that make such state-recoveries possible.","PeriodicalId":37077,"journal":{"name":"IACR Transactions on Symmetric Cryptology","volume":"48 1","pages":"120-144"},"PeriodicalIF":3.5,"publicationDate":"2022-12-07","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"85763145","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Cryptanalysis of Draco","authors":"S. Banik","doi":"10.46586/tosc.v2022.i4.92-104","DOIUrl":"https://doi.org/10.46586/tosc.v2022.i4.92-104","url":null,"abstract":"Draco is a lightweight stream cipher designed by Hamann et al. in IACR ToSC 2022. It has a Grain-like structure with two state registers of size 95 and 33 bits. In addition, the cipher uses a 128-bit secret key and a 96-bit IV. The first 32 bits of the key and the IV forms a non-volatile internal state that does not change during the time that the cipher produces keystream bits.The authors claim that the cipher is provably secure against Time-Memory-Data (TMD) Tradeoff attacks. However in this paper, we first present two TMD tradeoff attacks against Draco. Both attacks leverage the fact that for certain judiciously chosen IVs the state update function of the cipher depend on only a small fraction of the non-volatile internal state. This makes the state update function in Draco essentially a one way function over a much smaller domain and range. The first attack requires around 2114.2 Draco iterations and requires that the adversary has access to 232 chosen IVs. The second attack is such that the attack parameters can be tuned as per the requirements of the attacker. If the attacker prioritizes that the number of different chosen IVs is limited to 220 say, then the attack can be done in around time proportional to 2126 Draco rounds. However if the total attack complexity is to be optimized, then the attack can be performed in 2107 time using around 240 chosen IVs.","PeriodicalId":37077,"journal":{"name":"IACR Transactions on Symmetric Cryptology","volume":"34 1","pages":"92-104"},"PeriodicalIF":3.5,"publicationDate":"2022-12-07","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"74268027","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Exploring Integrity of AEADs with Faults: Definitions and Constructions","authors":"Sayandeep Saha, Mustafa Khairallah, Thomas Peyrin","doi":"10.46586/tosc.v2022.i4.291-324","DOIUrl":"https://doi.org/10.46586/tosc.v2022.i4.291-324","url":null,"abstract":"Implementation-based attacks are major concerns for modern cryptography. For symmetric-key cryptography, a significant amount of exploration has taken place in this regard for primitives such as block ciphers. Concerning symmetric-key operating modes, such as Authenticated Encryption with Associated Data (AEAD), the stateof-the-art mainly addresses the passive Side-Channel Attacks (SCA) in the form of leakage resilient cryptography. So far, only a handful of work address Fault Attacks (FA) in the context of AEADs concerning the fundamental properties – integrity and confidentiality. In this paper, we address this gap by exploring mode-level issues arising due to FAs. We emphasize that FAs can be fatal even in cases where the adversary does not aim to extract the long-term secret, but rather tries to violate the basic security requirements (integrity and confidentiality). Notably, we show novel integrity attack examples on state-of-the-art AEAD constructions and even on a prior fault-resilient AEAD construction called SIV$. On the constructive side, we first present new security notions of fault-resilience, for PRF (frPRF), MAC (frMAC) and AEAD (frAE), the latter can be seen as an improved version of the notion introduced by Fischlin and Gunther at CT-RSA’20. Then, we propose new constructions to turn a frPRF into a fault-resilient MAC frMAC (hash-then-frPRF) and into a fault-resilient AEAD frAE (MAC-then-Encrypt-then-MAC or MEM).","PeriodicalId":37077,"journal":{"name":"IACR Transactions on Symmetric Cryptology","volume":"13 1","pages":"291-324"},"PeriodicalIF":3.5,"publicationDate":"2022-12-07","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"85695284","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
A. Venkateswarlu, Abhishek Kesarwani, Sumanta Sarkar
{"title":"On the Lower Bound of Cost of MDS Matrices","authors":"A. Venkateswarlu, Abhishek Kesarwani, Sumanta Sarkar","doi":"10.46586/tosc.v2022.i4.266-290","DOIUrl":"https://doi.org/10.46586/tosc.v2022.i4.266-290","url":null,"abstract":"Ever since lightweight cryptography emerged as one of the trending topics in symmetric key cryptography, optimizing the implementation cost of MDS matrices has been in the center of attention. In this direction, various metrics like d-XOR, s-XOR and g-XOR have been proposed to mimic the hardware cost. Consequently, efforts also have been made to search for the optimal MDS matrices for dimensions relevant to cryptographic applications according to these metrics. However, finding the optimal MDS matrix in terms of hardware cost still remains an unsolved problem. In this paper, we settle the question of the optimal 4 x 4 MDS matrices over GL(n, F2) under the recently proposed metric sequential XOR count based on words (sw-XOR). We prove that the sw-XOR of such matrices is at least 8n + 3, and the bound is tight as matrices with sw-XOR cost 35 and 67 for the values of n = 4 and 8, respectively, were already known. Moreover, the lower bound for these values of n matches with the known lower bounds according to s-XOR and g-XOR metrics.","PeriodicalId":37077,"journal":{"name":"IACR Transactions on Symmetric Cryptology","volume":"1 1","pages":"266-290"},"PeriodicalIF":3.5,"publicationDate":"2022-12-07","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"89592113","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Senyang Huang, Orna Agmon Ben-Yehuda, O. Dunkelman, A. Maximov
{"title":"Finding Collisions against 4-round SHA3-384 in Practical Time","authors":"Senyang Huang, Orna Agmon Ben-Yehuda, O. Dunkelman, A. Maximov","doi":"10.46586/tosc.v2022.i3.239-270","DOIUrl":"https://doi.org/10.46586/tosc.v2022.i3.239-270","url":null,"abstract":"The Keccak sponge function family, designed by Bertoni et al. in 2007, was selected by the U.S. National Institute of Standards and Technology (NIST) in 2012 as the next generation of Secure Hash Algorithm (SHA-3). Due to its theoretical and practical importance, cryptanalysis of SHA-3 has attracted a lot of attention. Currently, the most powerful collision attack on SHA-3 is Jian Guo et al.’s linearisation technique. However, this technique is infeasible for variants with asmaller input space, such as SHA-3-384.In this work we improve upon previous results by utilising three ideas which were not used in previous works on collision attacks against SHA-3. First, we use 2-block messages instead of 1-block messages, to reduce constraints and increase flexibility in our solutions. Second, we reduce the connectivity problem into a satisfiability (SAT) problem, instead of applying the linearisation technique. Finally, we propose an efficient deduce-and-sieve algorithm on the basis of two new non-random propertiesof the Keccak non-linear layer.The resulting collision-finding algorithm on 4-round SHA-3-384 has a practical time complexity of 259.64 (and a memory complexity of 245.94). This greatly improves upon the best known collision attack so far: Dinur et al. achieved an impractical 2147 time complexity. Our attack does not threaten the security margin of the SHA-3 hash function. However, the tools developed in this paper could be used to analyse other cryptographic primitives as well as to develop new and faster SAT solvers.","PeriodicalId":37077,"journal":{"name":"IACR Transactions on Symmetric Cryptology","volume":"25 1","pages":"239-270"},"PeriodicalIF":3.5,"publicationDate":"2022-09-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"77046014","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Marcus Dansarie, Patrick Derbez, Gregor Leander, Lukas Stennes
{"title":"Breaking HALFLOOP-24","authors":"Marcus Dansarie, Patrick Derbez, Gregor Leander, Lukas Stennes","doi":"10.46586/tosc.v2022.i3.217-238","DOIUrl":"https://doi.org/10.46586/tosc.v2022.i3.217-238","url":null,"abstract":"HALFLOOP-24 is a tweakable block cipher that is used to protect automatic link establishment messages in high frequency radio, a technology commonly used by government agencies and industries that need highly robust long-distance communications. We present the first public cryptanalysis of HALFLOOP-24 and show that HALFLOOP-24, despite its key size of 128 bits, is far from providing 128 bit security. More precisely, we give attacks for ciphertext-only, known-plaintext, chosen-plaintext and chosen-ciphertext scenarios. In terms of their complexities, most of them can be considered practical. However, in the real world, the amount of available data is too low for our attacks to work. Our strongest attack, a boomerang key-recovery, finds the first round key with less than 210 encryption and decryption queries. In conclusion, we strongly advise against using HALFLOOP-24.","PeriodicalId":37077,"journal":{"name":"IACR Transactions on Symmetric Cryptology","volume":"129 1","pages":"217-238"},"PeriodicalIF":3.5,"publicationDate":"2022-09-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"79572730","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Low-Latency Boolean Functions and Bijective S-boxes","authors":"Shahram Rasoolzadeh","doi":"10.46586/tosc.v2022.i3.403-447","DOIUrl":"https://doi.org/10.46586/tosc.v2022.i3.403-447","url":null,"abstract":"In this paper, we study the gate depth complexity of (vectorial) Boolean functions in the basis of {NAND, NOR, INV} as a new metric, called latency complexity, to mathematically measure the latency of Boolean functions. We present efficient algorithms to find all Boolean functions with low-latency complexity, or to determine the latency complexity of the (vectorial) Boolean functions, and to find all the circuits with the minimum latency complexity for a given Boolean function. Then, we present another algorithm to build bijective S-boxes with low-latency complexity which with respect to the computation cost, this algorithm overcomes the previous methods of building S-boxes.As a result, for latency complexity 3, we present n-bit S-boxes of 3 ≤ n ≤ 8 with linearity 2n−1 and uniformity 2n−2 (except for 5-bit S-boxes for whose the minimum achievable uniformity is 6). Besides, for latency complexity 4, we present several n-bit S-boxes of 5 ≤ n < 8 with linearity 2n−2 and uniformity 2n−4.","PeriodicalId":37077,"journal":{"name":"IACR Transactions on Symmetric Cryptology","volume":"13 1","pages":"403-447"},"PeriodicalIF":3.5,"publicationDate":"2022-09-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"73602261","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Hybrid Code Lifting on Space-Hard Block Ciphers Application to Yoroi and SPNbox","authors":"Yosuke Todo, Takanori Isobe","doi":"10.46586/tosc.v2022.i3.368-402","DOIUrl":"https://doi.org/10.46586/tosc.v2022.i3.368-402","url":null,"abstract":"There is a high demand for whitebox cryptography from the practical use of encryption in untrusted environments. It has been actively discussed for two decades since Chow et al. presented the whitebox implementation of DES and AES. The goal is to resist the key extraction from the encryption program and mitigate the code lifting of the program. At CCS2015, Bogdanov and Isobe proposed space-hard block ciphers as a dedicated design of whitebox block ciphers. It ensures that the key extraction is as difficult as the key recovery in the standard blackbox model. Moreover, to mitigate code lifting, they introduce space hardness, a kind of leakage-resilient security with the incompressibility of a huge program. For space-hard ciphers, code lifting (a partial leakage of the entire program) is useless to copy the functionality.In this paper, we consider a new attack model of space-hard block ciphers called hybrid code lifting. Space-hard block ciphers are intended to ensure security under a size-bounded leakage. However, they do not consider attackers (in the standard blackbox model) receiving the leakage by code lifting. If such attackers can recover the encryption program of a space-hard block cipher, such a cipher does not always satisfy the intention. We analyze Yoroi proposed in TCHES 2021. We introduce the canonical representation of Yoroi. Using the representation enables the recovery of the programs of Yoroi-16 and Yoroi-32 with 233 and 265.6 complexities, respectively, in spite of slight leakage. The canonical representation causes another attack against Yoroi. It breaks an authors’ security claim about the “longevity”. We additionally analyzed SPNbox proposed in Asiacrypt 2016. As a result, considering security on the hybrid code lifting, the original number of rounds is insufficient to achieve 128-bit security under quarter-size leakage.","PeriodicalId":37077,"journal":{"name":"IACR Transactions on Symmetric Cryptology","volume":"10 1","pages":"368-402"},"PeriodicalIF":3.5,"publicationDate":"2022-09-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"89581502","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
求助内容:
应助结果提醒方式:
京公网安备 11010802042870号
