16 research outputs found

    Practical Related-Key Forgery Attacks on the Full TinyJAMBU-192/256

    TinyJambu is one of the finalists in the NIST lightweight cryptography competition. It has undergone extensive analysis in the recent years as both the keyed permutation as well as the mode are new designs. In this paper we present a related-key forgery attack on the updated TinyJambu scheme with 256- and 192-bit keys. We introduce a high probability related-key differential attack where the differences are only introduced into the key state. Therefore, the characteristic is applicable to the TinyJambu mode and can be used to mount a forgery attack. The time and data complexity of the forgery are $2^{32}$ using $2^{10}$ related-keys for the 256-bit key version, and $2^{42}$ using $2^{12}$ related-keys for the 192-bit key version. For the 128-bit key we construct a related-key differential characteristic on the full keyed permutation of TinyJambu with a probability of $2^{-16}$. We extend the related-key differential characteristics on TinyJambu to practical time key recovery attacks that extract the full key from the keyed permutation with a time and data complexity of $2^{23}$, $2^{20}$, and $2^{18}$ for respectively the 128-, 192-, and 256-bit key variants. All characteristics are experimentally verified and we provide key nonce pairs that produce the same tag to show the feasibility of the forgery attack.

    Full Round Zero-sum Distinguishers on TinyJAMBU-128 and TinyJAMBU-192 Keyed-permutation in the Known-key setting

    TinyJAMBU is one of the finalists in the NIST lightweight standardization competition. This paper presents full round practical zero-sum distinguishers on the keyed permutation used in TinyJAMBU. We propose a full round zero-sum distinguisher on the 128- and 192-bit key variants and a reduced round zero-sum distinguisher for the 256-bit key variant in the known-key settings. Our best known-key distinguisher works with $2^{16}$ data/time complexity on the full 128-bit version and with $2^{23}$ data/time complexity on the full 192-bit version. For the 256-bit version, we can distinguish 1152 rounds (out of 1280 rounds) in the known-key settings. In addition, we present the best zero-sum distinguishers in the secret-key settings: with complexity $2^{23}$ we can distinguish 544 rounds in the forward direction or 576 rounds in the backward direction. For finding the zero-sum distinguisher, we bound the algebraic degree of the TinyJAMBU permutation using the monomial prediction technique proposed by Hu et al. at ASIACRYPT 2020. We model the monomial prediction rule on TinyJAMBU in MILP and find upper bounds on the degree by computing the parity of the number of solutions.

    How to Build Pseudorandom Functions From Public Random Permutations

    Pseudorandom functions are traditionally built upon block ciphers, but with the trend of permutation based cryptography, it is a natural question to investigate the design of pseudorandom functions from random permutations. We present a generic study of how to build beyond birthday bound secure pseudorandom functions from public random permutations. We first show that a pseudorandom function based on a single permutation call cannot be secure beyond the $2^{n/2}$ birthday bound, where $n$ is the state size of the function. We next consider the Sum of Even-Mansour (SoEM) construction, that instantiates the sum of permutations with the Even-Mansour construction. We prove that SoEM achieves tight $2n/3$-bit security if it is constructed from two independent permutations and two randomly drawn keys. We also demonstrate a birthday bound attack if either the permutations or the keys are identical. Finally, we present the Sum of Key Alternating Ciphers (SoKAC) construction, a translation of Encrypted Davies-Meyer Dual to a public permutation based setting, and show that SoKAC achieves tight $2n/3$-bit security even when a single key is used.

    A Practical Forgery Attack on Lilliput-AE

    Lilliput-AE is a tweakable block cipher submitted as a candidate to the NIST lightweight cryptography standardization process. It is based upon the lightweight block cipher Lilliput, whose cryptanalysis so far suggests that it has a large security margin. In this note we present an extremely efficient forgery attack on Lilliput-AE: Given a single arbitrary message of length about 2^36 bytes, we can instantly produce another valid message that leads to the same tag, along with the corresponding ciphertext. The attack uses a weakness in the tweakey schedule of Lilliput-AE which leads to the existence of a related tweak differential characteristic with probability 1 in the underlying block cipher. The weakness we exploit, which does not exist in Lilliput, demonstrates the potential security risk in using a very simple tweakey schedule in which the same part of the key/tweak is re-used in every round, even when round constants are employed to prevent slide attacks. Following this attack, the Lilliput-AE submission to NIST was tweaked

    Cryptanalysis of Feistel-Based Format-Preserving Encryption

    Format-Preserving Encryption (FPE) is a method to encrypt non-standard domains, thus allowing for securely encrypting not only binary strings, but also special domains, e.g., social security numbers into social security numbers. The need for those resulted in a few standardized constructions such as the NIST standardized FF1 and FF3-1 and the Korean Standards FEA-1 and FEA-2. Moreover, there are currently efforts both in ANSI and in ISO to include such block ciphers to standards (e.g., the ANSI X9.124 discussing encryption for financial services). Most of the proposed FPE schemes, such as the NIST standardized FF1 and FF3-1 and the Korean Standards FEA-1 and FEA-2, are based on a Feistel construction with pseudo-random round functions. Moreover, to mitigate enumeration attacks against the possibly small domains, they all employ tweaks, which enrich the actual domain sizes. In this paper we present distinguishing attacks against Feistel-based FPEs. We show a distinguishing attack against the full FF1 with data complexity of $2^{60}$ 20-bit plaintexts, against the full FF3-1 with data complexity of $2^{40}$ 20-bit plaintexts. For FEA-1 with 128-bit, 192-bit and 256-bit keys, the data complexity of the distinguishing attack is $2^{32}$, $2^{40}$, and $2^{48}$ 8-bit plaintexts, respectively. The data complexity of the distinguishing attack against the full FEA-2 with 128-bit, 192-bit and 256-bit is $2^{56}$, $2^{68}$, and $2^{80}$ 8-bit plaintexts, respectively. Moreover, we show how to extend the distinguishing attack on FEA-1 and FEA-2 using 192-bit and 256-bit keys into key recovery attacks with time complexity $2^{136}$ (for both attacks).

    Zero-Correlation Attacks on Tweakable Block Ciphers with Linear Tweakey Expansion

    The design and analysis of dedicated tweakable block ciphers is a quite recent and very active research field that provides an ongoing stream of new insights. For instance, results of Kranz, Leander, and Wiemer from FSE 2017 show that the addition of a tweak using a linear tweak schedule does not introduce new linear characteristics. In this paper, we consider – to the best of our knowledge – for the first time the effect of the tweak on zero-correlation linear cryptanalysis for ciphers that have a linear tweak schedule. It turns out that the tweak can often be used to get zero-correlation linear hulls covering more rounds compared to just searching zero-correlation linear hulls on the data-path of a cipher. Moreover, this also implies the existence of integral distinguishers on the same number of rounds. We have applied our technique on round reduced versions of Qarma, Mantis, and Skinny. As a result, we can present – to the best of our knowledge – the best attack (with respect to number of rounds) on a round-reduced variant of Qarma

    Attacking the IETF/ISO Standard for Internal Re-keying CTR-ACPKM

    Encrypting too much data using the same key is a bad practice from a security perspective. Hence, it is customary to perform re-keying after a given amount of data is transmitted. While in many cases, the re-keying is done using a fresh execution of some key exchange protocol (e.g., in IKE or TLS), there are scenarios where internal re-keying, i.e., without exchange of information, is performed, mostly due to performance reasons. Originally suggested by Abdalla and Bellare, there are several proposals on how to perform this internal re-keying mechanism. For example, Liliya et al. offered the CryptoPro Key Meshing (CPKM) to be used together with GOST 28147-89 (known as the GOST block cipher). Later, ISO and the IETF adopted the Advanced CryptoPro Key Meshing (ACPKM) in ISO 10116 and RFC 8645, respectively. In this paper, we study the security of ACPKM and CPKM. We show that the internal re-keying suffers from an entropy loss in successive repetitions of the rekeying mechanism. We show some attacks based on this issue. The most prominent one has time and data complexities of $O(2^{\kappa/2})$ and success rate of $O(2^{-\kappa/4})$ for a $\kappa$-bit key. Furthermore, we show that a malicious block cipher designer or a faulty implementation can exploit the ACPKM (or the original CPKM) mechanism to significantly hinder the security of a protocol employing ACPKM (or CPKM). Namely, we show that in such cases, the entropy of the re-keyed key can be greatly reduced.

    Practical Related-Key Forgery Attacks on Full-Round TinyJAMBU-192/256

    TinyJAMBU is one of the finalists in the NIST lightweight cryptography competition. It is considered to be one of the more efficient ciphers in the competition and has undergone extensive analysis in recent years as both the keyed permutation as well as the mode are new designs. In this paper we present a related-key forgery attack on the updated TinyJAMBU-v2 scheme with 256- and 192-bit keys. We introduce a high probability related-key differential attack where the differences are only introduced into the key state. Therefore, the characteristic is applicable to the TinyJAMBU mode and can be used to mount a forgery attack. The time and data complexity of the forgery are $2^{33}$ using $2^{14}$ related-keys for the 256-bit key version, and $2^{43}$ using $2^{16}$ related-keys for the 192-bit key version. For the 128-bit key we construct a related-key differential characteristic on the full keyed permutation of TinyJAMBU with a probability of $2^{-16}$. We extend the related-key differential characteristics on TinyJAMBU to practical-time key-recovery attacks that extract the full key from the keyed permutation with a time and data complexity of $2^{24}$, $2^{21}$, and $2^{19}$ for respectively the 128-, 192-, and 256-bit key variants. All characteristics are experimentally verified and we provide key nonce pairs that produce the same tag to show the feasibility of the forgery attack. We note that the designers do not claim related-key security, however, the attacks proposed in this paper suggest that the scheme is not key-committing, which has been recently identified as a favorable property for AEAD schemes.

    Biased differential distinguisher – Cryptanalysis of reduced-round SKINNY

    SKINNY is a lightweight tweakable block cipher which received a great deal of cryptanalytic attention due to its elegant structure and efficiency. Despite the cryptanalytic efforts the security margins are remaining high. This has led to SKINNY being used as a component of multiple submissions in the NIST Lightweight Competition, an effort to standardize a lightweight AEAD scheme. Inspired by the SKINNY competitions, multiple attacks on it were reported in different settings (e.g. single vs. related-tweakey) using different techniques (impossible differentials, zero-correlation, meet-in-the-middle, etc.). In this paper we revisit some of these attacks, identify issues with several of them, and offer a series of improved attacks which were experimentally verified. Our best attack can attack up to 18 rounds of SKINNY-64 using $2^{60}$ chosen plaintexts data, $2^{116}$ time, and $2^{112}$ memory.

    How to Build Pseudorandom Functions From Public Random Permutations
