Search CORE

10 research outputs found

Cryptanalysis of Simpira v1

Author: Christoph Dobraunig
Florian Mendel
Maria Eichlseder
Publication venue: International Association for Cryptologic Research (IACR)
Publication date: 25/08/2016
Field of study

Simpira v1 is a recently proposed family of permutations, based on the AES round function. The design includes recommendations for using the Simpira permutations in block ciphers, hash functions, or authenticated ciphers. The designers\u27 security analysis is based on computer-aided bounds for the minimum number of active S-boxes. We show that the underlying assumptions of independence, and thus the derived bounds, are incorrect. For family member Simpira-4, we provide differential trails with only 40 (instead of 75) active S-boxes for the recommended 15 rounds. Based on these trails, we propose full-round collision attacks on the proposed Simpira-4 Davies-Meyer hash construction, with complexity

2^{82.62}

for the recommended full 15 rounds and a truncated 256-bit hash value, and complexity

2^{110.16}

for 16 rounds and the full 512-bit hash value. These attacks violate the designers\u27 security claims that there are no structural distinguishers with complexity below

2^{128}

Nonlinear Approximations in Cryptanalysis Revisited

Author: Beierle Christof
Canteaut Anne
Leander Gregor
Publication venue
Publication date: 13/12/2018
Field of study

This work studies deterministic and non-deterministic nonlinear approximations for cryptanalysis of block ciphers and cryptographic permutations and embeds it into the well-understood framework of linear cryptanalysis. For a deterministic (i.e., with correlation ±1) nonlinear approximation we show that in many cases, such a nonlinear approximation implies the existence of a highly-biased linear approximation. For non-deterministic nonlinear approximations, by transforming the cipher under consideration by conjugating each keyed instance with a fixed permutation, we are able to transfer many methods from linear cryptanalysis to the nonlinear case. Using this framework we in particular show that there exist ciphers for which some transformed versions are significantly weaker with regard to linear cryptanalysis than their original counterparts

Nonlinear Approximations in Cryptanalysis Revisited

Author: Beierle Christof
Canteaut Anne
Leander Gregor
Publication venue: Ruhr Universität Bochum
Publication date: 01/12/2018
Field of study

International audienceThis work studies deterministic and non-deterministic nonlinear approximations for cryptanalysis of block ciphers and cryptographic permutations and embeds it into the well-understood framework of linear cryptanalysis. For a deterministic (i.e., with correlation ±1) nonlinear approximation we show that in many cases, such a nonlinear approximation implies the existence of a highly-biased linear approximation. For non-deterministic nonlinear approximations, by transforming the cipher under consideration by conjugating each keyed instance with a fixed permutation, we are able to transfer many methods from linear cryptanalysis to the nonlinear case. Using this framework we in particular show that there exist ciphers for which some transformed versions are significantly weaker with regard to linear cryptanalysis than their original counterparts

INRIA a CCSD electronic archive server

Directory of Open Access Journals

Proving Resistance Against Invariant Attacks: How to Choose the Round Constants.

Author: C Beierle
C Chaigneau
DS Dummit
E Dawson
FR Gantmacher
G Leander
G Leander
IN Herstein
J Borghoff
J Guo
J Guo
J Jean
M Giesbrecht
R Lidl
X Lai
Y Todo
Publication venue: 'Springer Science and Business Media LLC'
Publication date: 20/08/2017
Field of study

International audienceMany lightweight block ciphers apply a very simple key schedule in which the round keys only differ by addition of a round-specific constant. Generally, there is not much theory on how to choose appropriate constants. In fact, several of those schemes were recently broken using invariant attacks, i.e., invariant subspace or nonlinear invariant attacks. This work analyzes the resistance of such ciphers against invariant attacks and reveals the precise mathematical properties that render those attacks applicable. As a first practical consequence, we prove that some ciphers including Prince, Skinny-64 and Mantis 7 are not vulnerable to invariant attacks. Also, we show that the invariant factors of the linear layer have a major impact on the resistance against those attacks. Most notably, if the number of invariant factors of the linear layer is small (e.g., if its minimal polynomial has a high degree), we can easily find round constants which guarantee the resistance to all types of invariant attacks, independently of the choice of the S-box layer. We also explain how to construct optimal round constants for a given, but arbitrary, linear layer

INRIA a CCSD electronic archive server

The Exchange Attack: How to Distinguish Six Rounds of AES with $2^{88.2}$ chosen plaintexts

Author: A Joux
B Sun
C Bouillaguet
J Daemen
J Daemen
J Daemen
L Grassi
L Grassi
L Grassi
LR Knudsen
P Derbez
S Gueron
S Rønjom
Publication venue: International Association for Cryptologic Research (IACR)
Publication date: 14/09/2019
Field of study

In this paper we present exchange-equivalence attacks which is a new cryptanalytic attack technique suitable for SPN-like block cipher designs. Our new technique results in the first secret-key chosen plaintext distinguisher for 6-round AES. The complexity of the distinguisher is about

2^{88.2}

in terms of data, memory and computational complexity. The distinguishing attack for AES reduced to six rounds is a straight-forward extension of an exchange attack for 5-round AES that requires

2^{30}

in terms of chosen plaintexts and computation. This is also a new record for AES reduced to five rounds. The main result of this paper is that AES up to at least six rounds is biased when restricted to exchange-invariant sets of plaintexts