Single Key Recovery Attacks on 9-round Kalyna-128/256 and Kalyna-256/512
The Kalyna block cipher was established as the Ukrainian encryption standard in June 2015. It was selected in a Ukrainian National Public Cryptographic Competition that ran from 2007 to 2010.
Kalyna supports block sizes and key lengths of 128, 256 and 512 bits. Denoting the variants of Kalyna as Kalyna-, where denotes the block size and denotes the key length, the design specifies . In this work, we re-evaluate the security bound of some reduced-round Kalyna variants, specifically Kalyna- and Kalyna-, against key recovery attacks in the single-key model. We first construct new 6-round distinguishers and then use these distinguishers to demonstrate 9-round attacks on these Kalyna variants. These attacks improve the previous best 7-round attacks on the same variants.
Our 9-round attack on Kalyna-128/256 has data, time and memory complexity of , and respectively. For our 9-round attack on Kalyna-256/512, the data/time/memory complexities are , and respectively. The time and data complexities for Kalyna-256/512 reported in this work improve upon the previous best 7-round attack complexities on the same variant. The attacks presented in this work are currently the best on Kalyna. We apply a multiset attack, a variant of the meet-in-the-middle attack, to achieve these results.
Mini-ciphers: a reliable testbed for cryptanalysis?
This paper reports on higher-order square analysis of the AES cipher. We present experimental results of attack simulations on mini-AES versions with word sizes of 3, 4, 5, 6 and 7 bits and describe the propagation of higher-order Lambda-sets inside some of these distinguishers. A possible explanation of the length of the square distinguishers uses the concept of higher-order derivatives of discrete mappings.
White-Box and Asymmetrically Hard Crypto Design
In this talk we surveyed some of our recent works in the area of white-box cryptography, specifically the resource hardness framework from Asiacrypt'2017 and its relation to incompressibility and weak-WBC.
Decomposition attack on SASASASAS
We demonstrate the first attacks on SPN ciphers with 6, 7, 8, and 9 secret layers. In particular, we show a decomposition attack on the SASASASAS scheme when the S-box size M and the block length N satisfy the condition M^2 < N (for example, an 8-bit S-box and a 128-bit block).
Zero-Sum Partitions of PHOTON Permutations
We describe an approach to zero-sum partitions using Todo's division property (EUROCRYPT 2015). It follows the inside-out methodology and includes a MILP-assisted search for the forward and backward trails, and a subspace approach to connect those two trails that is less restrictive than what is commonly done.
As an application we choose PHOTON, a family of sponge-like hash function proposals that was recently standardized by ISO. With respect to the security claims made by the designers, we show for the first time zero-sum partitions for almost all of the full 12-round permutation variants that use a 4-bit S-box. As with essentially any other zero-sum property in the literature, the gap between a generic attack and the shortcut is small here as well.
Meet-in-the-Middle Attacks and Structural Analysis of Round-Reduced PRINCE
NXP Semiconductors and its academic partners challenged the cryptographic community with finding practical attacks on the block cipher they designed, PRINCE. Instead of trying to attack as many rounds as possible using attacks which are usually impractical despite being faster than brute force, the challenge invites cryptographers to find practical attacks and encourages them to actually implement them.
In this paper, we present new attacks on round-reduced PRINCE, including the ones which won the challenge in the 4-, 6- and 8-round categories --- the highest for which winners were identified. Our first attacks rely on a meet-in-the-middle approach and break up to 10 rounds of the cipher. We also describe heuristic methods we used to find practical SAT-based and differential attacks. Finally, we present an analysis of the cycle structure of the internal rounds of PRINCE, leading both to a low-complexity distinguisher for 4-round PRINCE-core and to an alternative representation of the cipher that is valid in particular contexts and which highlights, in these cases, poor diffusion.
White-Box AES Implementation Revisited
White-box cryptography is an obfuscation technique for protecting secret keys in software implementations even if an adversary has full access to the implementation of the encryption algorithm and full control over its execution platforms.
This concept was presented by Chow et al. with white-box implementations of DES and AES in 2002.
The strategy used in the implementations has become a design principle for subsequent white-box implementations.
However, despite its practical importance, progress has not been substantial.
In fact, the pattern keeps repeating: soon after a new white-box implementation is proposed, an attack of lower complexity is announced.
This is mainly because most cryptanalytic methods target specific implementations, and there is no general attack tool for white-box cryptography.
In this paper, we present an analytic toolbox on white-box implementations in this design framework and show how to reveal the secret information obfuscated in the implementation using this.
For a substitution-linear transformation cipher on bits with S-boxes on bits, if -bit nonlinear encodings are used to obfuscate output values in the implementation, our attack tool can remove the nonlinear encodings with complexity .
We should increase to obtain higher security, but this causes an exponential blow-up in storage, so there are limits to how much security can be gained from the nonlinear encoding.
If the inverse of the encoded round function on bits is given, the affine encoding can be recovered in time using our specialized affine equivalence algorithm, where is the smallest integer such that (or its similar matrix obtained by permuting rows and columns) is a block-diagonal matrix with matrix blocks.
According to our toolbox, a white-box implementation in the Chow et al.'s framework has complexity at most within reasonable storage, which is much less than .
To overcome this, we introduce an idea that obfuscates two AES-128 ciphers at once with input/output encoding on 256 bits.
To reduce storage, we use a sparse unsplit input encoding.
As a result, our white-box AES implementation has up to 110-bit security against our toolbox, close to that of the original cipher.
More generally, we may consider a white-box implementation on the concatenation of ciphertexts to increase security.