165 research outputs found
Comparison of cube attacks over different vector spaces
We generalise the cube attack of Dinur and Shamir (and the similar AIDA attack of Vielhaber) to a more general higher order differentiation attack, by summing over an arbitrary subspace of the space of initialisation vectors. The Moebius transform can be used for efficiently examining all the subspaces of a big space, similar to the method used by Fouque and Vannet for the usual cube attack.
Secondly we propose replacing the Generalised Linearity Test proposed by Dinur and Shamir with a test based on higher order differentiation/Moebius transform. We show that the proposed test provides all the information provided by the Generalised Linearity Test, at the same computational cost. In addition, for functions that do not pass the linearity test it also provides, at no extra cost, an estimate of the degree of the function. This is useful for guiding the heuristics for the cube/AIDA attacks
Key differentiation attacks on stream ciphers
In this paper the applicability of differential cryptanalytic tool to stream
ciphers is elaborated using the algebraic representation similar to
early Shannon\u27s postulates regarding the concept of confusion. In
2007, Biham and Dunkelman \cite{BihDunk}
have formally introduced the concept of differential
cryptanalysis in stream ciphers by addressing the three different
scenarios of interest. Here we mainly consider the first scenario
where the key difference and/or IV difference influence the internal
state of the cipher .
We then show that under certain circumstances a chosen IV attack may
be transformed in the key chosen attack. That is,
whenever at some stage of the key/IV setup algorithm (KSA) we may
identify linear relations between some subset of key and IV bits,
and these key variables only appear through these linear relations, then
using the differentiation of internal state variables (through chosen
IV scenario of attack) we are able to
eliminate the presence of corresponding key variables. The method
leads to an attack whose complexity is beyond the exhaustive
search, whenever the cipher admits exact algebraic description of
internal state variables and the keystream computation is not
complex. A successful application is especially noted in the
context of stream ciphers whose keystream bits evolve relatively slow
as a function of secret state bits. A modification of the attack
can be applied to the TRIVIUM stream cipher \cite{Trivium}, in this case
12 linear relations could be identified but at the same time the same
12 key variables appear in another part of state register. Still, a
significant decrease in the degree and complexity of state bit
expressions after the KSA is achieved. Computer simulations,
currently in progress,
will answer the question for what number of
initialization rounds the attack is faster than exhaustive search
On Selection of Samples in Algebraic Attacks and a New Technique to Find Hidden Low Degree Equations
The best way of selecting samples in algebraic attacks against block ciphers is not well explored and understood. We introduce a simple strategy for selecting the plaintexts and demonstrate its strength by breaking reduced-round KATAN32 and LBlock. In both cases, we present a practical attack which outperforms previous attempts of algebraic cryptanalysis whose complexities were close to exhaustive search. The attack is based on the selection of samples using cube attack and ElimLin which was presented at FSE’12, and a new technique called Universal Proning. In the case of LBlock, we break 10 out of 32 rounds. In KATAN32, we break 78 out of 254 rounds. Unlike previous attempts which break smaller number of rounds, we do not guess any bit of the key and we only use structural properties of the cipher to be able to break a higher number of rounds with much lower complexity. We show that cube attacks owe their success to the same properties and therefore, can be used as a heuristic for selecting the samples in an algebraic attack. The performance of ElimLin is further enhanced by the new Universal Proning technique, which allows to discover linear equations that are not found by ElimLin
Key-dependent side-channel cube attack on CRAFT
CRAFT is a tweakable block cipher introduced in 2019 that aims to provide strong
protection against differential fault analysis. In this paper, we show that CRAFT is vulnerable to side-channel cube attacks. We apply side-channel cube attacks to CRAFT with the Hamming weight leakage assumption. We found that the first half of the secret key can be recovered from the Hamming weight leakage after the first round. Next, using the recovered key bits, we continue our attack to recover the second half of the secret key. We show that the set of equations that are solvable varies depending on the value of the key bits. Our result shows that 99.90% of the key space
can be fully recovered within a practical time
Ten years of cube attacks
In 2009, Dinur and Shamir proposed the cube attack, an algebraic cryptanalysis technique that only requires black box access to a target cipher. Since then, this attack has received both many criticisms and endorsements from crypto community; this work aims at revising and collecting the many attacks that have been proposed starting from it.
We categorise all of these attacks in five classes; for each class, we provide a brief summary description along with the state-of-the-art references and the most recent cryptanalysis results. Furthermore, we extend and refine the new notation we proposed in 2021 and we use it to provide a consistent definition for each attack family. Finally, in the appendix, we provide an in-depth description of the kite attack framework, a cipher independent tool we firstly proposed in 2018 that implements the kite attack on GPUs. To prove its effectiveness, we use Mickey2.0 as a use case, showing how to embed it in the framework
On Selection of Samples in Algebraic Attacks and a New Technique to Find Hidden Low Degree Equations
The best way of selecting samples in algebraic attacks against block ciphers is not well explored and understood. We introduce a simple strategy for selecting the plaintexts and demonstrate its strength by breaking reduced-round KATAN, LBLOCK and SIMON. For each case, we present a practical attack on reduced round version which outperforms previous attempts of algebraic cryptanalysis whose complexities were close to exhaustive search. The attack is based on the selection of samples using cube attack and ELIMLIN which was presented at FSE'12, and a new technique called proning. In the case of LBLOCK, we break 10 out of 32 rounds. In KATAN, we break 78 out of 254 rounds. Unlike previous attempts which break smaller number of rounds, we do not guess any bit of the key and we only use structural properties of the cipher to be able to break a higher number of rounds with much lower complexity. We show that cube attacks owe their success to the same properties and therefore, can be used as a heuristic for selecting the samples in an algebraic attack. The performance of ELIMLIN is further enhanced by the new proning technique, which allows to discover linear equations that are not found by ELIMLIN
A Dynamic Cube Attack on round Grain v1
As far as the Differential Cryptanalysis of reduced round Grain v1 is concerned, the best results were those published by Knellwolf et al. in Asiacrypt . In an extended version of the paper, it was shown that it was possible to retrieve {\bf (i)} expressions in the Secret Key bits for a variant of Grain v1 that employs rounds (in place of ) in its Key Scheduling process using chosen IVs and {\bf (ii)} expression in Secret Key bits for a variant that employs rounds in its Key Scheduling using chosen IVs. However, the second attack on rounds, had a success probability of around \%, which is to say that the attack worked for only around one half of the Secret Keys.
In this paper we propose a dynamic cube attack on round Grain v1, that has a success probability of \%, and thus we report an improvement of rounds over the previous best attack on Grain v1 that attacks the entire Keyspace. We take the help of the tool {\sf Grain}, proposed by Banik at ACISP 2014, to track the differential trails induced in the internal state of Grain v1 by any difference in the IV bits, and we prove that a suitably introduced difference in the IV leads to a distinguisher for the output bit produced in the round. This, in turn, helps determine the values of expressions in the Secret Key bits
Lightweight symmetric cryptography
The Internet of Things is one of the principal trends in information
technology nowadays. The main idea behind this concept is that devices
communicate autonomously with each other over the Internet. Some of
these devices have extremely limited resources, such as power and energy,
available time for computations, amount of silicon to produce the chip,
computational power, etc. Classical cryptographic primitives are often
infeasible for such constrained devices. The goal of lightweight
cryptography is to introduce cryptographic solutions with reduced resource
consumption, but with a sufficient security level.
Although this research area was of great interest to academia during the
last years and a large number of proposals for lightweight cryptographic
primitives have been introduced, almost none of them are used in real-word.
Probably one of the reasons is that, for academia, lightweight usually
meant to design cryptographic primitives such that they require minimal
resources among all existing solutions. This exciting research problem
became an important driver which allowed the academic community to better
understand many cryptographic design concepts and to develop new attacks.
However, this criterion does not seem to be the most important one for
industry, where lightweight may be considered as "rightweight". In other
words, a given cryptographic solution just has to fit the constraints of
the specific use cases rather than to be the smallest. Unfortunately,
academic researchers tended to neglect vital properties of the particular
types of devices, into which they intended to apply their primitives. That
is, often solutions were proposed where the usage of some resources was
reduced to a minimum. However, this was achieved by introducing new costs
which were not appropriately taken into account or in such a way that the
reduction of costs also led to a decrease in the security level. Hence,
there is a clear gap between academia and industry in understanding what
lightweight cryptography is. In this work, we are trying to fill some of
these gaps. We carefully investigate a broad number of existing lightweight
cryptographic primitives proposed by academia including authentication
protocols, stream ciphers, and block ciphers and evaluate their
applicability for real-world scenarios. We then look at how individual
components of design of the primitives influence their cost and summarize
the steps to be taken into account when designing primitives for concrete
cost optimization, more precisely - for low energy consumption. Next, we
propose new implementation techniques for existing designs making them more
efficient or smaller in hardware without the necessity to pay any
additional costs. After that, we introduce a new stream cipher design
philosophy which enables secure stream ciphers with smaller area size than
ever before and, at the same time, considerably higher throughput compared
to any other encryption schemes of similar hardware cost. To demonstrate
the feasibility of our findings we propose two ciphers with the smallest
area size so far, namely Sprout and Plantlet, and the most energy
efficient encryption scheme called Trivium-2. Finally, this thesis solves
a concrete industrial problem. Based on standardized cryptographic
solutions, we design an end-to-end data-protection scheme for low power
networks. This scheme was deployed on the water distribution network in the
City of Antibes, France
- …