206 research outputs found
Cryptanalysis of SKINNY in the Framework of the SKINNY 2018--2019 Cryptanalysis Competition
In April 2018, Beierle et al. launched the 3rd SKINNY cryptanalysis competition, a contest that aimed at motivating the analysis of their recent tweakable block cipher SKINNY . In contrary to the previous editions, the focus was made on practical attacks: contestants were asked to recover a 128-bit secret key from a given set of 2^20 plaintext blocks. The suggested SKINNY instances are 4- to 20-round reduced variants of SKINNY-64-128 and SKINNY-128-128. In this paper, we explain how to solve the challenges for 10-round SKINNY-128-128 and for 12-round SKINNY-64-128 in time equivalent to roughly 2^52 simple operations. Both techniques benefit from the highly biased sets of messages that are provided and that actually correspond to the encryption of various books in ECB mode
Constructive Relationships Between Algebraic Thickness and Normality
We study the relationship between two measures of Boolean functions;
\emph{algebraic thickness} and \emph{normality}. For a function , the
algebraic thickness is a variant of the \emph{sparsity}, the number of nonzero
coefficients in the unique GF(2) polynomial representing , and the normality
is the largest dimension of an affine subspace on which is constant. We
show that for , any function with algebraic thickness
is constant on some affine subspace of dimension
. Furthermore, we give an algorithm
for finding such a subspace. We show that this is at most a factor of
from the best guaranteed, and when restricted to the
technique used, is at most a factor of from the best
guaranteed. We also show that a concrete function, majority, has algebraic
thickness .Comment: Final version published in FCT'201
Practical Low Data-Complexity Subspace-Trail Cryptanalysis of Round-Reduced PRINCE
Subspace trail cryptanalysis is a very recent new cryptanalysis
technique, and includes differential, truncated differential,
impossible differential, and integral attacks as special cases.
In this paper, we consider PRINCE, a widely analyzed block cipher
proposed in 2012.
After the identification of a 2.5 rounds subspace trail of PRINCE, we
present several (truncated differential) attacks up to 6 rounds of PRINCE. This includes a very practical attack with the lowest data complexity of only 8 plaintexts for 4 rounds, which co-won the final round of the PRINCE challenge in the 4-round chosen-plaintext category.
The attacks have been verified using a C implementation.
Of independent interest, we consider a variant of PRINCE in which ShiftRows and MixLayer operations are exchanged in position. In particular, our result shows that the position of ShiftRows and MixLayer operations influences the security of PRINCE.
The same analysis applies to follow-up designs inspired by PRINCE
The related-key analysis of feistel constructions
Lecture Notes in Computer Science, Volume 8540, 2015.It is well known that the classical three- and four-round Feistel constructions are provably secure under chosen-plaintext and chosen-ciphertext attacks, respectively. However, irrespective of the
number of rounds, no Feistel construction can resist related-key attacks where the keys can be offset by a constant. In this paper we show that, under suitable reuse of round keys, security under related-key attacks can be provably attained. Our modification is substantially simpler and more efficient than alternatives obtained using generic transforms, namely the PRG transform of Bellare and Cash (CRYPTO 2010) and its random-oracle analogue outlined by Lucks (FSE 2004). Additionally we formalize Luckâs transform and show that it does not always work if related keys are derived in an oracle-dependent way, and then prove it sound under appropriate restrictions
On Finding Quantum Multi-collisions
A -collision for a compressing hash function is a set of distinct
inputs that all map to the same output. In this work, we show that for any
constant , quantum
queries are both necessary and sufficient to achieve a -collision with
constant probability. This improves on both the best prior upper bound
(Hosoyamada et al., ASIACRYPT 2017) and provides the first non-trivial lower
bound, completely resolving the problem
Extended Generalized Feistel Networks using Matrix Representation
International audienceWhile Generalized Feistel Networks have been widely studied in the literature as a building block of a block cipher, we propose in this paper a unified vision to easily represent them through a matrix representation. We then propose a new class of such schemes called Extended Generalized Feistel Networks well suited for cryptographic applications. We instantiate those proposals into two particular constructions and we finally analyze their security
Feistel Structures for MPC, and More
We study approaches to generalized Feistel constructions with low-degree round functions with a focus on x -> x^3 . Besides known constructions, we also provide a new balanced Feistel construction with improved diffusion properties. This then allows us to propose more efficient generalizations of the MiMC design (Asiacryptâ16), which we in turn evaluate in three application areas. Whereas MiMC was not competitive at all in a recently proposed new class of PQ-secure signature schemes, our new construction leads to about 30 times smaller signatures than MiMC. In MPC use cases, where MiMC outperforms all other competitors, we observe improvements in throughput by a factor of more than 4 and simultaneously a 5-fold reduction of preprocessing effort, albeit at the cost of a higher latency. Another use case where MiMC already outperforms other designs, in the area of SNARKs, sees modest improvements. Additionally, this use case benefits from the flexibility to use smaller fields
The Exchange Attack: How to Distinguish Six Rounds of AES with chosen plaintexts
In this paper we present exchange-equivalence attacks which is a new cryptanalytic attack technique suitable for SPN-like block cipher designs. Our new technique results in the first secret-key chosen plaintext distinguisher for 6-round AES. The complexity of the distinguisher is about in terms of data, memory and computational complexity. The distinguishing attack for AES reduced to six rounds is a straight-forward extension of an exchange attack for 5-round AES that requires in terms of chosen plaintexts and computation. This is also a new record for AES reduced to five rounds. The main result of this paper is that AES up to at least six rounds is biased when restricted to exchange-invariant sets of plaintexts
A Key-recovery Attack on 855-round Trivium
In this paper, we propose a key-recovery attack on Trivium reduced to 855 rounds.
As the output is a complex Boolean polynomial over secret key and IV bits and it is hard to find the solution of the secret keys, we propose a novel nullification technique of the Boolean polynomial to reduce the output Boolean polynomial of 855-round Trivium. Then we determine the degree upper bound of the reduced nonlinear boolean polynomial and detect the right keys. These techniques can be applicable to most stream ciphers based on nonlinear feedback shift registers (NFSR). Our attack on -round Trivium costs time complexity . As far as we know, this is the best key-recovery attack on round-reduced Trivium.
To verify our attack, we also give some experimental data on 721-round reduced Trivium
- âŠ