Cryptanalysis of SKINNY in the Framework of the SKINNY 2018--2019 Cryptanalysis Competition
In April 2018, Beierle et al. launched the 3rd SKINNY cryptanalysis competition, a contest that aimed at motivating the analysis of their recent tweakable block cipher SKINNY. Contrary to the previous editions, the focus was on practical attacks: contestants were asked to recover a 128-bit secret key from a given set of 2^20 plaintext blocks. The suggested SKINNY instances are 4- to 20-round reduced variants of SKINNY-64-128 and SKINNY-128-128. In this paper, we explain how to solve the challenges for 10-round SKINNY-128-128 and for 12-round SKINNY-64-128 in time equivalent to roughly 2^52 simple operations. Both techniques benefit from the highly biased sets of messages that are provided, which actually correspond to the encryption of various books in ECB mode.
Constructive Relationships Between Algebraic Thickness and Normality
We study the relationship between two measures of Boolean functions: \emph{algebraic thickness} and \emph{normality}. For a function , the algebraic thickness is a variant of the \emph{sparsity}, the number of nonzero coefficients in the unique GF(2) polynomial representing , and the normality is the largest dimension of an affine subspace on which is constant. We show that for , any function with algebraic thickness is constant on some affine subspace of dimension . Furthermore, we give an algorithm for finding such a subspace. We show that this is at most a factor of from the best guaranteed, and when restricted to the technique used, is at most a factor of from the best guaranteed. We also show that a concrete function, majority, has algebraic thickness .
Comment: Final version published in FCT'201
Polytopic Cryptanalysis
Standard differential cryptanalysis uses statistical dependencies between the difference of two plaintexts and the difference of the respective two ciphertexts to attack a cipher. Here we introduce polytopic cryptanalysis, which considers interdependencies between larger sets of texts as they traverse the cipher. We prove that the methodology of standard differential cryptanalysis can unambiguously be extended and transferred to the polytopic case, including impossible differentials. We show that impossible polytopic transitions have generic advantages over impossible differentials. To demonstrate the practical relevance of the generalization, we present new low-data attacks on round-reduced DES and AES using impossible polytopic transitions that are able to compete with existing attacks, partially outperforming them.
Practical Low Data-Complexity Subspace-Trail Cryptanalysis of Round-Reduced PRINCE
Subspace trail cryptanalysis is a recently introduced cryptanalysis technique that includes differential, truncated differential, impossible differential, and integral attacks as special cases. In this paper, we consider PRINCE, a widely analyzed block cipher proposed in 2012. After identifying a 2.5-round subspace trail of PRINCE, we present several (truncated differential) attacks on up to 6 rounds of PRINCE. This includes a very practical attack with the lowest data complexity of only 8 plaintexts for 4 rounds, which co-won the final round of the PRINCE challenge in the 4-round chosen-plaintext category. The attacks have been verified using a C implementation.
Of independent interest, we consider a variant of PRINCE in which the ShiftRows and MixLayer operations are exchanged in position. In particular, our result shows that the position of the ShiftRows and MixLayer operations influences the security of PRINCE. The same analysis applies to follow-up designs inspired by PRINCE.
The related-key analysis of feistel constructions
Lecture Notes in Computer Science, Volume 8540, 2015. It is well known that the classical three- and four-round Feistel constructions are provably secure under chosen-plaintext and chosen-ciphertext attacks, respectively. However, irrespective of the number of rounds, no Feistel construction can resist related-key attacks where the keys can be offset by a constant. In this paper we show that, under suitable reuse of round keys, security under related-key attacks can be provably attained. Our modification is substantially simpler and more efficient than alternatives obtained using generic transforms, namely the PRG transform of Bellare and Cash (CRYPTO 2010) and its random-oracle analogue outlined by Lucks (FSE 2004). Additionally, we formalize Lucks' transform and show that it does not always work if related keys are derived in an oracle-dependent way, and then prove it sound under appropriate restrictions.
Systematic Construction of Nonlinear Product Attacks on Block Ciphers
A major open problem in block cipher cryptanalysis is the discovery of new invariant properties of complex type. Recent papers show that this can be achieved for SCREAM, Midori64, MANTIS-4, T-310, or for DES with modified S-boxes. Until now such attacks have been hard to find and seem to happen by some sort of incredible coincidence. In this paper we abstract the attack from any particular block cipher. We study these attacks in terms of transformations on multivariate polynomials. We demonstrate how numerous variables, including key variables, may sometimes be eliminated, so that at the end two very complex Boolean polynomials become equal. We present a general construction of an attack in which we multiply all the polynomials lying on one or several cycles. Then, under suitable conditions, the non-linear functions involved are eliminated entirely. We obtain a periodic invariant property holding for any number of rounds. A major difficulty with invariant attacks is that they typically work only for some keys. In T-310 our attack works for any key, and also in spite of the presence of round constants.
Safety and immunogenicity of the chlamydia vaccine candidate CTH522 adjuvanted with CAF01 liposomes or aluminium hydroxide: a first-in-human, randomised, double-blind, placebo-controlled, phase 1 trial
BACKGROUND: Chlamydia is the most common sexually transmitted bacterial infection worldwide. National screening programmes and antibiotic treatment have failed to decrease incidence, and to date no vaccines against genital chlamydia have been tested in clinical trials. We aimed to assess the safety and immunogenicity, in humans, of a novel chlamydia vaccine based on a recombinant protein subunit (CTH522) in a prime-boost immunisation schedule. METHODS: This phase 1, first-in-human, double-blind, parallel, randomised, placebo-controlled trial was done at Hammersmith Hospital in London, UK, in healthy women aged 19-45 years. Participants were randomly assigned (3:3:1) to three groups: CTH522 adjuvanted with CAF01 liposomes (CTH522:CAF01), CTH522 adjuvanted with aluminium hydroxide (CTH522:AH), or placebo (saline). Participants received three intramuscular injections of 85 μg vaccine (with adjuvant) or placebo to the deltoid region of the arm at 0, 1, and 4 months, followed by two intranasal administrations of 30 μg unadjuvanted vaccine or placebo (one in each nostril) at months 4·5 and 5·0. The primary outcome was safety and the secondary outcome was humoral immunogenicity (anti-CTH522 IgG seroconversion). This study is registered with Clinicaltrials.gov, number NCT02787109. FINDINGS: Between Aug 15, 2016, and Feb 13, 2017, 35 women were randomly assigned (15 to CTH522:CAF01, 15 to CTH522:AH, and five to placebo). 32 (91%) received all five vaccinations and all participants were included in the intention-to-treat analyses. No related serious adverse reactions were reported, and the most frequent adverse events were mild local injection-site reactions, which were reported in all (15 [100%] of 15) participants in the two vaccine groups and in three (60%) of five participants in the placebo group (p=0·0526 for both comparisons). Intranasal vaccination was not associated with a higher frequency of related local reactions (reported in seven [47%] of 15 participants in the active treatment groups vs three [60%] of five in the placebo group; p=1·000). Both CTH522:CAF01 and CTH522:AH induced anti-CTH522 IgG seroconversion in 15 (100%) of 15 participants after five immunisations, whereas no participants in the placebo group seroconverted. CTH522:CAF01 showed accelerated seroconversion, increased IgG titres, an enhanced mucosal antibody profile, and a more consistent cell-mediated immune response profile compared with CTH522:AH. INTERPRETATION: CTH522 adjuvanted with either CAF01 or aluminium hydroxide appears to be safe and well tolerated. Both vaccines were immunogenic, although CTH522:CAF01 had a better immunogenicity profile, holding promise for further clinical development. FUNDING: European Commission and The Innovation Fund Denmark.
Computing Expected Differential Probability of (Truncated) Differentials and Expected Linear Potential of (Multidimensional) Linear Hulls in SPN Block Ciphers
In this paper we introduce new algorithms that, based only on the independent round keys assumption, make it practical to compute the exact expected differential probability of (truncated) differentials and the expected linear potential of (multidimensional) linear hulls. That is, we can compute the exact sum of the probability or the potential of all characteristics that follow a given activity pattern. We apply our algorithms to various recent SPN ciphers and discuss the results.
On Finding Quantum Multi-collisions
A -collision for a compressing hash function is a set of distinct inputs that all map to the same output. In this work, we show that for any constant , quantum queries are both necessary and sufficient to achieve a -collision with constant probability. This both improves on the best prior upper bound (Hosoyamada et al., ASIACRYPT 2017) and provides the first non-trivial lower bound, completely resolving the problem.
Extended Generalized Feistel Networks using Matrix Representation
While Generalized Feistel Networks have been widely studied in the literature as a building block of a block cipher, we propose in this paper a unified vision to easily represent them through a matrix representation. We then propose a new class of such schemes called Extended Generalized Feistel Networks, well suited for cryptographic applications. We instantiate those proposals into two particular constructions and finally analyze their security.