Known-key Distinguisher on Full PRESENT
In this article, we analyse the known-key security of the standardized PRESENT lightweight block cipher. Namely, we propose a known-key distinguisher on the full PRESENT, for both the 80- and 128-bit key versions. We first leverage the very latest advances in differential cryptanalysis on PRESENT, which are as strong as the best linear cryptanalysis in terms of the number of attacked rounds. Differential properties are much easier to handle for a known-key distinguisher than linear properties, and we use a bias in the number of collisions on some predetermined input/output bits as the distinguishing property. In order to reach the full PRESENT, we eventually introduce a new meet-in-the-middle layer to propagate the differential properties as far as possible. Our techniques have been implemented and verified on the small-scale variant of PRESENT. While the known-key security model is very generous to the attacker, it makes sense in practice since PRESENT has been proposed as a basic building block for designing lightweight hash functions, where no secret is manipulated. Our distinguisher can for example apply to the compression function obtained by placing PRESENT in a Davies-Meyer mode. We emphasize that this is the very first attack that can reach the full number of rounds of the PRESENT block cipher.
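The Davies-Meyer point above is the one that turns a known-key result into a hash-function result: the compression function is h' = E_M(h) xor h, so the message block is the cipher key, and whoever chooses the message chooses (and knows) the key. The following is an added example, not code from the paper or from the PRESENT designers: a straightforward PRESENT-80 implementation wrapped in Davies-Meyer, with a toy Merkle-Damgard hash on top. The 80-bit block size of the message chunks follows from the key size; the 0x80-then-zeros padding is an assumption made here for the example, not a published scheme.

```python
# Added example (not the paper's code): PRESENT-80 placed in Davies-Meyer mode.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
MASK64, MASK80 = (1 << 64) - 1, (1 << 80) - 1


def sbox_layer(state: int) -> int:
    """Apply the 4-bit PRESENT S-box to all 16 nibbles of the 64-bit state."""
    return sum(SBOX[(state >> (4 * i)) & 0xF] << (4 * i) for i in range(16))


def p_layer(state: int) -> int:
    """Bit permutation from the spec: bit i moves to 16*i mod 63, bit 63 stays."""
    out = 0
    for i in range(64):
        if (state >> i) & 1:
            out |= 1 << (63 if i == 63 else (16 * i) % 63)
    return out


def round_keys_80(key: int):
    """32 round keys: the leftmost 64 bits of the 80-bit register, which is then
    rotated left by 61, S-boxed on its top nibble and XORed with the counter."""
    keys, k = [], key & MASK80
    for i in range(1, 33):
        keys.append(k >> 16)
        k = ((k << 61) | (k >> 19)) & MASK80
        k = (SBOX[k >> 76] << 76) | (k & ((1 << 76) - 1))
        k ^= i << 15
    return keys


def present80_encrypt(plaintext: int, key: int) -> int:
    """31 full rounds (key add, S-box layer, P-layer) plus a final key add."""
    rks = round_keys_80(key)
    s = plaintext & MASK64
    for i in range(31):
        s = p_layer(sbox_layer(s ^ rks[i]))
    return s ^ rks[31]


def davies_meyer(h: int, m: int) -> int:
    """Compression function h' = E_m(h) ^ h.  The 80-bit message block is the
    cipher key, so the party hashing chosen messages selects and knows the key:
    exactly the known-key (even chosen-key) attacker model."""
    return present80_encrypt(h, m) ^ h


def hash_md(msg: bytes, iv: int = 0) -> int:
    """Toy Merkle-Damgard hash over 10-byte (80-bit) message blocks.
    Padding (0x80 then zeros) is an assumption for this example only."""
    padded = msg + b"\x80"
    padded += b"\x00" * (-len(padded) % 10)
    h = iv
    for off in range(0, len(padded), 10):
        h = davies_meyer(h, int.from_bytes(padded[off:off + 10], "big"))
    return h


if __name__ == "__main__":
    # Spec test vector: zero key, zero plaintext -> 0x5579C1387B228445
    print(hex(present80_encrypt(0, 0)))
    print(hex(hash_md(b"known-key model: the message IS the key")))
```

Because the key input of the cipher is entirely under the hasher's control, any property that holds for PRESENT under a known (or chosen) key holds for this compression function too; that is why the distinguisher in the abstract carries over to the hash setting even though the cipher itself is unbroken in the secret-key model.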
Full Round Zero-sum Distinguishers on TinyJAMBU-128 and TinyJAMBU-192 Keyed-permutation in the Known-key setting
TinyJAMBU is one of the finalists in the NIST lightweight standardization competition. This paper presents full-round practical zero-sum distinguishers on the keyed permutation used in TinyJAMBU. We propose a full-round zero-sum distinguisher on the 128- and 192-bit key variants and a reduced-round zero-sum distinguisher for the 256-bit key variant in the known-key setting. Our best known-key distinguisher works with data/time complexity on the full 128-bit version and with data/time complexity on the full 192-bit version. For the 256-bit version, we can distinguish 1152 rounds (out of 1280 rounds) in the known-key setting. In addition, we present the best zero-sum distinguishers in the secret-key setting: with complexity we can distinguish 544 rounds in the forward direction or 576 rounds in the backward direction. To find the zero-sum distinguisher, we bound the algebraic degree of the TinyJAMBU permutation using the monomial prediction technique proposed by Hu et al. at ASIACRYPT 2020. We model the monomial prediction rule on TinyJAMBU in MILP and find upper bounds on the degree by computing the parity of the number of solutions.
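The mechanism behind a zero-sum distinguisher is simple once a degree bound is known: if every output bit of the permutation has algebraic degree at most d in the input-state bits (key fixed and known), then XORing the outputs over any affine cube of dimension d+1 gives zero, because every monomial misses at least one free variable. The block below is an added example, not the authors' code: it implements the TinyJAMBU NLFSR round from the specification, derives a crude recursive degree bound (AND adds degrees, XOR takes the maximum; much looser than the monomial-prediction/MILP bound in the paper), and checks the resulting forward-direction zero-sum on a 128-round reduction of the 128-bit-key permutation. The key-bit ordering, the random key and base state, and the choice of 128 rounds are assumptions made for the example.

```python
# Added example (not the paper's code): zero-sum test on round-reduced
# TinyJAMBU-128 in the known-key setting, with a crude recursive degree bound.
import random

MASK128 = (1 << 128) - 1


def tinyjambu_perm(state: int, key: int, rounds: int, key_bits: int = 128) -> int:
    """Keyed permutation P_rounds.  Per round the feedback bit
    s0 ^ s47 ^ ~(s70 & s85) ^ s91 ^ k[i mod klen] is shifted in at s127.
    Bit j of `state` is s_j; bit i of `key` is k_i (ordering assumed here)."""
    for i in range(rounds):
        s0, s47 = state & 1, (state >> 47) & 1
        s70, s85, s91 = (state >> 70) & 1, (state >> 85) & 1, (state >> 91) & 1
        kbit = (key >> (i % key_bits)) & 1
        fb = s0 ^ s47 ^ (1 ^ (s70 & s85)) ^ s91 ^ kbit
        state = ((state >> 1) | (fb << 127)) & MASK128
    return state


def degree_bound(rounds: int) -> int:
    """Upper bound on the algebraic degree, in the 128 input-state bits (key
    fixed), of every state bit after `rounds` rounds.  Tap p at round i reads
    input bit p+i while p+i <= 127, afterwards the feedback bit b[p+i-128].
    Far looser than the monomial-prediction bound used in the paper."""
    deg = []  # deg[i] = bound for feedback bit b_i

    def tap(p: int, i: int) -> int:
        return 1 if p + i <= 127 else deg[p + i - 128]

    for i in range(rounds):
        deg.append(max(tap(0, i), tap(47, i), tap(70, i) + tap(85, i), tap(91, i)))
    if rounds < 128:  # some untouched input bits (degree 1) remain in the state
        return max([1] + deg)
    return max(deg[rounds - 128:])


def cube_sum(rounds: int, key: int, base: int, free_bits) -> int:
    """XOR of P_rounds over the affine cube obtained by letting `free_bits` of
    `base` range over all 2^len(free_bits) values.  Zero means zero-sum."""
    for b in free_bits:
        base &= ~(1 << b)
    acc = 0
    for v in range(1 << len(free_bits)):
        s = base
        for j, b in enumerate(free_bits):
            if (v >> j) & 1:
                s |= 1 << b
        acc ^= tinyjambu_perm(s, key, rounds)
    return acc


def zero_sum_demo(rounds: int = 128, seed: int = 1) -> int:
    """Known key and random base state (constructed); the cube dimension is one
    more than the degree bound, so the sum over the cube must be 0."""
    rng = random.Random(seed)
    key, base = rng.getrandbits(128), rng.getrandbits(128)
    free = rng.sample(range(128), degree_bound(rounds) + 1)
    return cube_sum(rounds, key, base, free)


if __name__ == "__main__":
    print("degree bound after 128 rounds:", degree_bound(128))  # 8
    print("cube sum over a 9-dimensional cube, 128 rounds:", zero_sum_demo())  # 0
```

With this crude bound, 128 rounds need a cube of dimension 9 (512 queries); the same cube run against the full 1024-round permutation gives an arbitrary-looking value. The paper's monomial-prediction bounds are much tighter, which is what lets it reach 544 rounds forward in the secret-key setting and, combined with the inside-out technique, the full permutation when the key is known.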
Improved Cryptanalysis of Skein
The hash function Skein is the submission of Ferguson et al. to the NIST Hash Competition, and is arguably a serious candidate for selection as SHA-3. This paper presents the first third-party analysis of Skein, with an extensive study of its main component: the block cipher Threefish. We notably investigate near collisions, distinguishers, impossible differentials, and key recovery using related-key differential and boomerang attacks. In particular, we present near collisions on up to 17 rounds, an impossible differential on 21 rounds, a related-key boomerang distinguisher on 34 rounds, a known-related-key boomerang distinguisher on 35 rounds, and key recovery attacks on up to 32 rounds, out of 72 in total for Threefish-512. None of our attacks directly extends to the full Skein hash. However, the pseudorandomness of Threefish is required to validate the security proofs on Skein, and our results conclude that at least 3
Related-Key Boomerang Attack on Block Cipher SQUARE
Square is an 8-round SPN block cipher; its round function and key schedule were slightly modified to design the building blocks of Rijndael. The key schedule of Square is simple and efficient but fully affine, so we apply a related-key attack to it.
We find a 3-round related-key differential trail with probability 2^-28 which has zero differences on both its input and output states; such a trail is called a local collision in [5]. By extending this related-key differential, we construct a 7-round related-key boomerang distinguisher and a successful attack on full-round Square. The best previously known attack on Square is the Square attack on a 6-round reduced variant.
In this paper, we present a key recovery attack on full-round Square using a related-key boomerang distinguisher. We construct a 7-round related-key boomerang distinguisher with probability 2^-119 by finding a local collision, and compute its probability using the ladder switch and local amplification techniques. Adding one round on top of the distinguisher gives a full-round attack on Square which recovers 16 bits of key information with 2^36 encryptions and 2^123 data.
Cryptanalysis of SPEEDY
SPEEDY is a family of ultra-lightweight block ciphers designed by Leander et al. at CHES 2021. There are three recommended variants, denoted SPEEDY-r-192 with r ∈ {5, 6, 7}. All of them have a 192-bit block and a 192-bit key. The main focus of the design is hardware-aware low latency, so whether the cipher has a sufficient security margin deserves study. Recently, the full-round security of SPEEDY-7-192 was shown to be broken by Boura et al. at EUROCRYPT 2023 in the chosen-ciphertext setting, and a round-reduced attack on SPEEDY-6-192 was proposed in the same work. However, no valid attack on SPEEDY-5-192 was given, due to its more restrictive security parameters. Up to now, the best key recovery attack on this variant covers only 3 rounds, proposed by Rohit et al. at AFRICACRYPT 2022. In this paper, we give three full-round attacks on SPEEDY-7-192. Using a divide-and-conquer strategy and other newly proposed techniques, we find a 5.5-round differential distinguisher which can be used to mount the first chosen-plaintext full-round key recovery attack. With a similar strategy, we also find a 5-round linear distinguisher which leads to the first full-round attack in the known-plaintext setting. Meanwhile, the 5.5-round differential distinguisher also lets us slightly improve the full-round attack in the chosen-ciphertext setting compared with the previous result. Besides, we present a 4-round differential attack on SPEEDY-5-192, which is the best attack on this variant in terms of the number of rounds so far. A faster key recovery attack covering the same rounds is also given using a differential-linear distinguisher. Neither attack threatens the full-round security of SPEEDY-5-192.
Cryptographic security of quantum key distribution
This work is intended as an introduction to cryptographic security and a motivation for the widely used Quantum Key Distribution (QKD) security definition. We review the notion of security necessary for a protocol to be usable in a larger cryptographic context, i.e., for it to remain secure when composed with other secure protocols. We then derive the corresponding security criterion for QKD. We provide several examples of QKD composed in sequence and in parallel with different cryptographic schemes to illustrate how the error of a composed protocol is the sum of the errors of the individual protocols. We also discuss the operational interpretations of the distance metric used to quantify these errors.
Comment: 31+23 pages. 28 figures. Comments and questions welcome.
Quantum authentication with key recycling
We show that a family of quantum authentication protocols introduced in [Barnum et al., FOCS 2002] can be used to construct a secure quantum channel and additionally recycle all of the secret key if the message is successfully authenticated, and recycle part of the key if tampering is detected. We give a full security proof that constructs the secure channel given only insecure noisy channels and a shared secret key. We also prove that the number of recycled key bits is optimal for this family of protocols, i.e., there exists an adversarial strategy to obtain all non-recycled bits. Previous works recycled less key and only gave partial security proofs, since they did not consider all possible distinguishers (environments) that may be used to distinguish the real setting from the ideal secure quantum channel and secret key resource.
Comment: 38+17 pages, 13 figures. v2: constructed ideal secure channel and secret key resource have been slightly redefined; also added a proof in the appendix for quantum authentication without key recycling that has better parameters and only requires weak purity testing code.
Using Simon's Algorithm to Attack Symmetric-Key Cryptographic Primitives
We present new connections between quantum information and the field of classical cryptography. In particular, we provide examples where Simon's algorithm can be used to show insecurity of commonly used symmetric-key cryptographic primitives. Specifically, these examples consist of a quantum distinguisher for the 3-round Feistel network and a forgery attack on CBC-MAC which forges a tag for a chosen-prefix message by querying only other messages (of the same length). We assume that an adversary has quantum-oracle access to the respective classical primitives. Similar results have been achieved recently in independent work by Kaplan et al. Our findings shed new light on the post-quantum security of cryptographic schemes and underline that classical security proofs of cryptographic constructions need to be revisited in light of quantum attackers.
Comment: 14 pages, 2 figures. v3: final polished version, more formal definitions added.
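What Simon's algorithm exploits in the 3-round Feistel case is a hidden XOR-period, and that period can be exhibited entirely classically on a toy-sized instance. With the Kuwakado-Morii construction, one fixes two distinct constants alpha_0, alpha_1, queries the cipher on (x, alpha_b) and defines f(b, x) = alpha_b xor LeftHalf(E(x, alpha_b)); for three rounds this collapses to F2(x xor F1(alpha_b)), so f(b, x) = f(b xor 1, x xor F1(alpha_0) xor F1(alpha_1)) for every x. A quantum adversary with superposition access finds this period with O(n) queries; the block below is an added example (not the paper's code) that uses an exhaustive classical search in place of Simon's algorithm on 8-bit halves, shows the period appears for 3 rounds and is absent for 4, and recovers it from the round-1 function. The Feistel orientation, the SHA-256-derived round functions, the constants alpha_0 = 0x00 and alpha_1 = 0xFF, and the toy round keys are all assumptions made here.

```python
# Added example (not the paper's code): the Kuwakado-Morii hidden period of a
# 3-round Feistel network, found by exhaustive classical search instead of Simon.
import hashlib

N = 8                    # toy half-block width so the domain {0,1}^(N+1) can be enumerated
MASK = (1 << N) - 1


def round_fn(k: bytes, x: int) -> int:
    """Pseudorandom round function F_k : {0,1}^N -> {0,1}^N built from SHA-256."""
    digest = hashlib.sha256(k + x.to_bytes(2, "big")).digest()
    return int.from_bytes(digest[:2], "big") & MASK


def feistel(keys, left: int, right: int):
    """Balanced Feistel network: one round maps (L, R) to (R, L xor F_k(R))."""
    for k in keys:
        left, right = right, left ^ round_fn(k, right)
    return left, right


ALPHA = (0x00, 0xFF)     # fixed distinct constants alpha_0, alpha_1 (assumption)


def make_oracle(keys):
    """f(b, x) = alpha_b xor LeftHalf(E(x, alpha_b)), packed as z = b<<N | x so
    that an XOR-period of f is itself an (N+1)-bit integer."""
    def f(z: int) -> int:
        b, x = z >> N, z & MASK
        left, _ = feistel(keys, x, ALPHA[b])
        return ALPHA[b] ^ left
    return f


def find_periods(f) -> set:
    """Classical exhaustive stand-in for Simon's algorithm: every nonzero s with
    f(z) = f(z xor s) for all z.  Exponential in N; Simon needs O(N) queries."""
    domain = range(1 << (N + 1))
    table = [f(z) for z in domain]
    return {s for s in range(1, 1 << (N + 1))
            if all(table[z] == table[z ^ s] for z in domain)}


def expected_period(keys) -> int:
    """For 3 rounds f(b, x) = F2(x xor F1(alpha_b)), hence the period
    s = (1, F1(alpha_0) xor F1(alpha_1))."""
    return (1 << N) | (round_fn(keys[0], ALPHA[0]) ^ round_fn(keys[0], ALPHA[1]))


KEYS = [b"k1", b"k2", b"k3", b"k4"]   # constructed toy round keys


def distinguish(rounds: int) -> bool:
    """True iff the oracle built from a `rounds`-round Feistel has a hidden period,
    i.e. iff the (classical stand-in for the) Simon distinguisher fires."""
    return len(find_periods(make_oracle(KEYS[:rounds]))) > 0


if __name__ == "__main__":
    print("3 rounds, periods found:", {hex(s) for s in find_periods(make_oracle(KEYS[:3]))})
    print("3 rounds, predicted:    ", hex(expected_period(KEYS[:3])))
    print("4 rounds, periods found:", find_periods(make_oracle(KEYS[:4])))
```

The classical search costs 2^(N+1) queries and about 2^(2N+2) comparisons, which is exactly the gap the quantum attack closes: Simon's algorithm recovers the same s from O(N) superposition queries to f, which is why the 3-round Luby-Rackoff construction is no longer a pseudorandom permutation against an adversary with quantum-oracle access, even though the classical 3-round proof is sound.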