Multiple Limited-Birthday Distinguishers and Applications

In this article, we propose a new improvement of the rebound techniques, used for cryptanalyzing AES-like permutations during the past years. Our improvement, that allows to reduce the complexity of the attacks, increases the probability of the outbound part by considering a new type of differential paths. Moreover, we propose a new type of distinguisher, the multiple limited-birthday problem, based on the limited-birthday one, but where differences on the input and on the output might have randomized positions. We also discuss the generic complexity for solving this problem and provide a lower bound of it as well as we propose an efficient and generic algorithm for solving it. Our advances lead to improved distinguishing or collision results for many AES-based functions such as AES, ECHO, Grøstl, LED, PHOTON and Whirlpool

Cryptanalysis of Reduced-Round Whirlwind (Full Version)

The \texttt{Whirlwind} hash function, which outputs a 512-bit digest, was designed by Barreto $et\ al.$ and published by \textit{Design, Codes and Cryptography} in 2010. In this paper, we provide a thorough cryptanalysis on \texttt{Whirlwind}. Firstly, we focus on security properties at the hash function level by presenting (second) preimage, collision and distinguishing attacks on reduced-round \texttt{Whirlwind}. In order to launch the preimage attack, we have to slightly tweak the original Meet-in-the-Middle preimage attack framework on \texttt{AES}-like compression functions by partially fixing the values of the state. Based on this slightly tweaked framework, we are able to construct several new and interesting preimage attacks on reduced-round \texttt{Whirlpool} and \texttt{AES} hashing modes as well. Secondly, we investigate security properties of the reduced-round components of \texttt{Whirlwind}, including semi-free-start and free-start (near) collision attacks on the compression function, and a limited-birthday distinguisher on the inner permutation. As far as we know, our results are currently the best cryptanalysis on \texttt{Whirlwind}

(Quantum) Collision Attacks on Reduced Simpira v2

Simpira v2 is an AES-based permutation proposed by Gueron and Mouha at ASIACRYPT 2016. In this paper, we build an improved MILP model to count the differential and linear active Sboxes for Simpira v2, which achieves tighter bounds of the minimum number of active Sboxes for a few versions of Simpira v2. Then, based on the new model, we find some new truncated differentials for Simpira v2 and give a series (quantum) collision attacks on two versions of reduced Simpira v2

Quantum Collision Attacks on AES-like Hashing with Low Quantum Random Access Memories

At EUROCRYPT 2020, Hosoyamada and Sasaki proposed the first dedicated quantum attack on hash functions --- a quantum version of the rebound attack exploiting differentials whose probabilities are too low to be useful in the classical setting. This work opens up a new perspective toward the security of hash functions against quantum attacks. In particular, it tells us that the search for differentials should not stop at the classical birthday bound. Despite these interesting and promising implications, the concrete attacks described by Hosoyamada and Sasaki make use of large quantum random access memories (qRAMs), a resource whose availability in the foreseeable future is controversial even in the quantum computation community. Without large qRAMs, these attacks incur significant increases in time complexities. In this work, we reduce or even avoid the use of qRAMs by performing a quantum rebound attack based on differentials with non-full-active super S-boxes. Along the way, an MILP-based method is proposed to systematically explore the search space of useful truncated differentials with respect to rebound attacks. As a result, we obtain improved attacks on AES-MMO, AES-MP, and the first classical collision attacks on 4- and 5-round Grostl-512. Interestingly, the use of non-full-active super S-box differentials in the analysis of AES-MMO gives rise to new difficulties in collecting enough starting points. To overcome this issue, we consider attacks involving two message blocks to gain more degrees of freedom, and we successfully compress the qRAM demand of the collision attacks on AES-MMO and AES-MP (EUROCRYPT 2020) from $2^{48}$ to a range from $2^{16}$ to $0$, while still maintaining a comparable time complexity. To the best of our knowledge, these are the first dedicated quantum attacks on hash functions that slightly outperform Chailloux, Naya-Plasencia, and Schrottenloher\u27s generic quantum collision attack (ASIACRYPT 2017) in a model where large qRAMs are not available. This work demonstrates again how a clever combination of classical cryptanalytic technique and quantum computation leads to improved attacks, and shows that the direction pointed out by Hosoyamada and Sasaki deserves further investigation

Chosen-Key Distinguishing Attacks on Full AES-192, AES-256, Kiasu-BC, and More

At CRYPTO 2020, Liu et al. find that many differentials on Gimli are actually incompatible. On the related-key differential of AES, the incompatibilities also exist and are handled in different ad-hoc ways by adding respective constraints into the searching models. However, such an ad-hoc method is insufficient to rule out all the incompatibilities and may still output false positive related-key differentials. At CRYPTO 2022, a new approach combining a Constraint Programming (CP) tool and a triangulation algorithm to search for rebound attacks against AES- like hashing was proposed. In this paper, we combine and extend these techniques to create a uniform related-key differential search model, which can not only generate the related-key differentials on AES and similar ciphers but also immediately verify the existence of at least one key pair fulfilling the differentials. With the innovative automatic tool, we find new related-key differentials on full-round AES-192, AES-256, Kiasu-BC, and round-reduced Deoxys-BC. Based on these findings, full- round limited-birthday chosen-key distinguishing attacks on AES-192, AES-256, and Kiasu-BC are presented, as well as the first chosen-key dis- tinguisher on reduced Deoxys-BC. Furthermore, a limited-birthday dis- tinguisher on 9-round Kiasu-BC with practical complexities is found for the first time

Automatic Classical and Quantum Rebound Attacks on AES-like Hashing by Exploiting Related-key Differentials

Collision attacks on AES-like hashing (hash functions constructed by plugging AES-like ciphers or permutations into the famous PGV modes or their variants) can be reduced to the problem of finding a pair of inputs respecting a differential of the underlying AES-like primitive whose input and output differences are the same. The rebound attack due to Mendel et al. is a powerful tool for achieving this goal, whose quantum version was first considered by Hosoyamada and Sasaki at EUROCRYPT 2020. In this work, we automate the process of searching for the configurations of rebound attacks by taking related-key differentials of the underlying block cipher into account with the MILP-based approach. In the quantum setting, our model guide the search towards characteristics that minimize the resources (e.g., QRAM) and complexities of the resulting rebound attacks. We apply our method to Saturnin-hash, SKINNY, and Whirlpool and improved results are obtained

New and Old Limits for AES Known-Key Distinguishers

Known-key distinguishers have been introduced by Knudsen and Rijmen in 2007 to better understand the security of block ciphers in situations where the key can not be considered to be secret, i.e. the ``thing between secret-key model and hash function use-cases\u27\u27. AES is often considered as a target of such analyses, simply because AES or its building blocks are used in many settings that go beyond classical encryption. The most recent approach of Gilbert (proposed at Asiacrypt 2014) considers 8 core rounds, and extends it by one round in each direction. The resulting approach on 10-round has a time complexity of $2^{64}$, and the best generic approach was shown to beat the proposed method with probably $<2^{-16.5}$ and is hence referred to as a ``distinguisher\u27\u27. Interestingly, Gilbert\u27s work also for the first time showed that the known-key model may not be weaker than the chosen-key model, as the best chosen-key attacks on AES only cover 9 rounds so far. This current state of affairs is unsatisfying as it contradicts the original intent of the known-key model. In this paper we pick up the work of Gilbert, further exploring the limits of the known-key model with a focus on the AES, and eventually propose a way to remedy the situation. In that work, arguments are put forward suggesting that a total of two extension rounds seem to be the limit in the known-key model, and that likely only a distinguisher that exploits the uniform distribution property can be extended in such way. We disprove both conjectures and arrive at the following results: We firstly show that the technique proposed by Gilbert can also be used to extend a known-key distinguisher based on truncated differential trails. This allows us to present improved known-key distinguishers for AES from 7 to 10 rounds of AES. In particular, we are able to set up a 9-round known-key distinguisher for AES with a time complexity of $2^{23}$ and a 10-round known-key distinguisher with a time complexity of $2^{50}$. Secondly we are also able to show that more than two extension rounds are possible. As a result of this, we describe the first known-key distinguishers on 12 rounds of AES, by extending Gilbert\u27s 8-round known-key distinguisher by two rounds in each direction. The time complexity is $2^{66}$, and for this result we do have supporting formal arguments, similar to Gilbert, that the best generic approach to beat the proposed method has probably $<2^{-25}$. This also shows that the counter-intuitive gap between the known-key and the chosen-key model may be wider than initially thought. To remedy the situation, we propose a refinement of the known-key model which restores its original intent

Multiple Limited-Birthday Distinguishers and Applications ⋆

Abstract. In this article, we propose a new improvement of the rebound techniques, used for cryptanalyzing AES-like permutations during the past years. Our improvement, that allows to reduce the complexity of the attacks, increases the probability of the outbound part by considering a new type of differential paths. Moreover, we propose a new type of distinguisher, the multiple limited-birthday problem, based on the limited-birthday one, but where differences on the input and on the output might have randomized positions. We also discuss the generic complexity for solving this problem and provide a lower bound of it as well as we propose an efficient and generic algorithm for solving it. Our advances lead to improved distinguishing or collision results for many AES-based functions such as AES, ECHO, Grøstl, LED, PHOTON and Whirlpool. Key words: AES-like permutation, distinguishers, limited-birthday, rebound attack