Improved cryptanalysis of skein

The hash function Skein is the submission of Ferguson et al. to the NIST Hash Competition, and is arguably a serious candidate for selection as SHA-3. This paper presents the rst third-party analysis of Skein, with an extensive study of its main component: the block cipher Three sh. We notably investigate near collisions, distinguishers, impossible di erentials, key recovery using related-key di erential and boomerang attacks. In particular, we present near collisions on up to 17 rounds, an impossible di erential on 21 rounds, a related-key boomerang distinguisher on 34 rounds, a known-related-key boomerang distinguisher on 35 rounds, and key recovery attacks on up to 32 rounds, out of 72 in total for Threefish-512. None of our attacks directly extends to the full Skein hash. However, the pseudorandomness of Threefish is required to validate the security proofs on Skein, and our results conclude that at least 3

A New Related-Key Boomerang Distinguishing Attack of Reduced-Round Threefish-256

On Nov 2007, NIST announced the SHA-3 competition to select a new hash standard as a replacement of SHA-2. On Dec 2010, five submissions have been selected as the final round candidates, including Skein, which have components based on ARX. In this paper, a new related-key boomerang distinguishing attack is proposed on 31-round Threefish-256 with a time complexity of about $2^{234}$. Our improved attack is based on the efficient algorithms for calculating differentials of modular addition

Analysis of ARX Functions: Pseudo-linear Methods for Approximation, Differentials, and Evaluating Diffusion

This paper explores the approximation of addition mod $2^n$ by addition mod $2^w$, where $1 \le w \le n$, in ARX functions that use large words (e.g., 32-bit words or 64-bit words). Three main areas are explored. First, \emph{pseudo-linear approximations} aim to approximate the bits of a $w$-bit window of the state after some rounds. Second, the methods used in these approximations are also used to construct truncated differentials. Third, branch number metrics for diffusion are examined for ARX functions with large words, and variants of the differential and linear branch number characteristics based on pseudo-linear methods are introduced. These variants are called \emph{effective differential branch number} and \emph{effective linear branch number}, respectively. Applications of these approximation, differential, and diffusion evaluation techniques are demonstrated on Threefish-256 and Threefish-512

Bicliques for permutations: collision and preimage attacks in stronger settings

We extend and improve biclique attacks, which were recently introduced for the cryptanalysis of block ciphers and hash functions. While previous attacks required a primitive to have a key or a message schedule, we show how to mount attacks on the primitives with these parameters fixed, i.e. on permutations. We introduce the concept of sliced bicliques, which is a translation of regular bicliques to the framework with permutations. The new framework allows to convert preimage attacks into collision attacks and derive the first collision attacks on the reduced SHA-3 finalist Skein in the hash function setting up to 11 rounds. We also demonstrate new preimage attacks on the reduced Skein and the output transformation of the reduced Grøstl. Finally, the sophisticated technique of message compensation gets a simple explanation with bicliques

Pholkos -- Efficient Large-state Tweakable Block Ciphers from the AES Round Function

With the dawn of quantum computers, higher security than $128$ bits has become desirable for primitives and modes. During the past decade, highly secure hash functions, MACs, and encryption schemes have been built primarily on top of keyless permutations, which simplified their analyses and implementation due to the absence of a key schedule. However, the security of these modes is most often limited to the birthday bound of the state size, and their analysis may require a different security model than the easier-to-handle secret-permutation setting. Yet, larger state and key sizes are desirable not only for permutations but also for other primitives such as block ciphers. Using the additional public input of tweakable block ciphers for domain separation allows for exceptionally high security or performance as recently proposed modes have shown. Therefore, it appears natural to ask for such designs. While security is fundamental for cryptographic primitives, performance is of similar relevance. Since 2009, processor-integrated instructions have allowed high throughput for the AES round function, which already motivated various constructions based on it. Moreover, the four-fold vectorization of the AES instruction sets in Intel\u27s Ice Lake architecture is yet another leap in terms of performance and gives rise to exploit the AES round function for even more efficient designs. This work tries to combine all aspects above into a primitive and to build upon years of existing analysis on its components. We propose Pholkos, a family of (1) highly efficient, (2) highly secure, and (3) tweakable block ciphers. Pholkos is no novel round-function design, but utilizes the AES round function, following design ideas of Haraka and AESQ to profit from earlier analysis results. It extends them to build a family of primitives with state and key sizes of $256$ and $512$ bits for flexible applications, providing high security at high performance. Moreover, we propose its usage with a $128$-bit tweak to instantiate high-security encryption and authentication schemes such as SCT, ThetaCB3, or ZAE. We study its resistance against the common attack vectors, including differential, linear, and integral distinguishers using a MILP-based approach and show an isomorphism from the AES to Pholkos-$512$ for bounding impossible-differential, or exchange distinguishers from the AES. Our proposals encrypt at around $1$--$2$ cycles per byte on Skylake processors, while supporting a much more general application range and considerably higher security guarantees than comparable primitives and modes such as PAEQ/AESQ, AEGIS, Tiaoxin346, or Simpira

A Salad of Block Ciphers

This book is a survey on the state of the art in block cipher design and analysis. It is work in progress, and it has been for the good part of the last three years -- sadly, for various reasons no significant change has been made during the last twelve months. However, it is also in a self-contained, useable, and relatively polished state, and for this reason I have decided to release this \textit{snapshot} onto the public as a service to the cryptographic community, both in order to obtain feedback, and also as a means to give something back to the community from which I have learned much. At some point I will produce a final version -- whatever being a ``final version\u27\u27 means in the constantly evolving field of block cipher design -- and I will publish it. In the meantime I hope the material contained here will be useful to other people

Impossible-Differential and Boomerang Cryptanalysis of Round-Reduced Kiasu-BC

Kiasu-BC is a tweakable block cipher proposed by Jean et al. at ASIACRYPT 2014 alongside their TWEAKEY framework. The cipher is almost identical to the AES-128 except for the tweak, which renders it an attractive primitive for various modes of operation and applications requiring tweakable block ciphers. Therefore, studying how the additional tweak input affects security compared to that of the AES is highly valuable to gain trust in future instantiations. This work proposes impossible-differential and boomerang attacks on eight rounds of Kiasu-BC in the single-key model, using the core idea that the tweak input allows to construct local collisions. While our results do not threat the security of the full-round version, they help concretize the security of Kiasu-BC in the single-key model

Dynamic key scheduling algorithm for block ciphers using quasigroup string transformation

Cryptographic ciphers depend on how quickly the key affects the output of the ciphers (ciphertext). Keys are traditionally generated from small size input (seed) to a bigger size random key(s). Key scheduling algorithm (KSA) is the mechanism that generates and schedules all sub-keys for each round of encryption. Researches have suggested that sub-keys should be generated separately to avoid related-key attack. Similarly, the key space should be disproportionately large to resist any attack on the secret key. To archive that, some algorithms adopt the use of matrixes such as quasigroup, Hybrid cubes and substitution box (S-box) to generate the encryption keys. Quasigroup has other algebraic property called “Isotophism”, which literally means Different quasigroups that has the same order of elements but different arrangements can be generated from the existing one. This research proposed a Dynamic Key Scheduling Algorithm (KSA) using isotope of a quasigroup as the dynamic substitution table. A method of generating isotope from a non-associative quasigroup using one permutation with full inheritance is achieved. The generic quasigroup string transformation has been analyzed and it is found to be vulnerable to ciphertext only attack which eventually led to the proposal of a new quasigroup string transformation in this research to assess its strength as it has never been analyzed nor properly implemented before. Based on the dynamic shapeless quasigroup and the proposed new string transformation, a Dynamic Key Scheduling Algorithm (DKSA) is developed. To validate the findings, non-associativity of the generated isotopes has been tested and the generated isotopes appeared to be non-associative. Furthermore, the proposed KSA algorithm has been validated using the randomness test proposed and recommended by NIST, avalanche test and has achieved remarkable result of 94%, brute force and correlation assessment test with -0.000449 correlations. It was fully implemented in a modified Rijndael block cipher to validate it performance and it has produced a remarkable result of 3.35332 entropy

CLAASP: a Cryptographic Library for the Automated Analysis of Symmetric Primitives

This paper introduces CLAASP, a Cryptographic Library for the Automated Analysis of Symmetric Primitives. The library is designed to be modular, extendable, easy to use, generic, efficient and fully automated. It is an extensive toolbox gathering state-of-the-art techniques aimed at simplifying the manual tasks of symmetric primitive designers and analysts. CLAASP is built on top of Sagemath and is open-source under the GPLv3 license. The central input of CLAASP is the description of a cryptographic primitive as a list of connected components in the form of a directed acyclic graph. From this representation, the library can automatically: (1) generate the Python or C code of the primitive evaluation function, (2) execute a wide range of statistical and avalanche tests on the primitive, (3) generate SAT, SMT, CP and MILP models to search, for example, differential and linear trails, (4) measure algebraic properties of the primitive, (5) test neural-based distinguishers. In this work, we also present a comprehensive survey and comparison of other software libraries aiming at similar goals as CLAASP