Design of Lightweight Linear Diffusion Layers from Near-MDS Matrices

Near-MDS matrices provide better trade-offs between security and efficiency compared to constructions based on MDS matrices, which are favored for hardwareoriented designs. We present new designs of lightweight linear diffusion layers by constructing lightweight near-MDS matrices. Firstly generic n×n near-MDS circulant matrices are found for 5 ≤ n ≤9. Secondly, the implementation cost of instantiations of the generic near-MDS matrices is examined. Surprisingly, for n = 7, 8, it turns out that some proposed near-MDS circulant matrices of order n have the lowest XOR count among all near-MDS matrices of the same order. Further, for n = 5, 6, we present near-MDS matrices of order n having the lowest XOR count as well. The proposed matrices, together with previous construction of order less than five, lead to solutions of n×n near-MDS matrices with the lowest XOR count over finite fields F2m for 2 ≤ n ≤ 8 and 4 ≤ m ≤ 2048. Moreover, we present some involutory near-MDS matrices of order 8 constructed from Hadamard matrices. Lastly, the security of the proposed linear layers is studied by calculating lower bounds on the number of active S-boxes. It is shown that our linear layers with a well-chosen nonlinear layer can provide sufficient security against differential and linear cryptanalysis

Links between Division Property and Other Cube Attack Variants

A theoretically reliable key-recovery attack should evaluate not only the non-randomness for the correct key guess but also the randomness for the wrong ones as well. The former has always been the main focus but the absence of the latter can also cause self-contradicted results. In fact, the theoretic discussion of wrong key guesses is overlooked in quite some existing key-recovery attacks, especially the previous cube attack variants based on pure experiments. In this paper, we draw links between the division property and several variants of the cube attack. In addition to the zero-sum property, we further prove that the bias phenomenon, the non-randomness widely utilized in dynamic cube attacks and cube testers, can also be reflected by the division property. Based on such links, we are able to provide several results: Firstly, we give a dynamic cube key-recovery attack on full Grain-128. Compared with Dinur et al.’s original one, this attack is supported by a theoretical analysis of the bias based on a more elaborate assumption. Our attack can recover 3 key bits with a complexity 297.86 and evaluated success probability 99.83%. Thus, the overall complexity for recovering full 128 key bits is 2125. Secondly, now that the bias phenomenon can be efficiently and elaborately evaluated, we further derive new secure bounds for Grain-like primitives (namely Grain-128, Grain-128a, Grain-V1, Plantlet) against both the zero-sum and bias cube testers. Our secure bounds indicate that 256 initialization rounds are not able to guarantee Grain-128 to resist bias-based cube testers. This is an efficient tool for newly designed stream ciphers for determining the number of initialization rounds. Thirdly, we improve Wang et al.’s relaxed term enumeration technique proposed in CRYPTO 2018 and extend their results on Kreyvium and ACORN by 1 and 13 rounds (reaching 892 and 763 rounds) with complexities 2121.19 and 2125.54 respectively. To our knowledge, our results are the current best key-recovery attacks on these two primitives

Annotator: A Generic Active Learning Baseline for LiDAR Semantic Segmentation

Active learning, a label-efficient paradigm, empowers models to interactively query an oracle for labeling new data. In the realm of LiDAR semantic segmentation, the challenges stem from the sheer volume of point clouds, rendering annotation labor-intensive and cost-prohibitive. This paper presents Annotator, a general and efficient active learning baseline, in which a voxel-centric online selection strategy is tailored to efficiently probe and annotate the salient and exemplar voxel girds within each LiDAR scan, even under distribution shift. Concretely, we first execute an in-depth analysis of several common selection strategies such as Random, Entropy, Margin, and then develop voxel confusion degree (VCD) to exploit the local topology relations and structures of point clouds. Annotator excels in diverse settings, with a particular focus on active learning (AL), active source-free domain adaptation (ASFDA), and active domain adaptation (ADA). It consistently delivers exceptional performance across LiDAR semantic segmentation benchmarks, spanning both simulation-to-real and real-to-real scenarios. Surprisingly, Annotator exhibits remarkable efficiency, requiring significantly fewer annotations, e.g., just labeling five voxels per scan in the SynLiDAR-to-SemanticKITTI task. This results in impressive performance, achieving 87.8% fully-supervised performance under AL, 88.5% under ASFDA, and 94.4% under ADA. We envision that Annotator will offer a simple, general, and efficient solution for label-efficient 3D applications. Project page: https://binhuixie.github.io/annotator-webComment: NeurIPS 2023. Project page at https://binhuixie.github.io/annotator-web

Observations on the Dynamic Cube Attack of 855-Round TRIVIUM from Crypto\u2718

Recently, another kind of dynamic cube attack is proposed by Fu et al. With some key guesses and a transformation in the output bit, they claim that, when the key guesses are correct, the degree of the transformed output bit can drop so significantly that the cubes of lower dimension can not exist, making the output bit vulnerable to the zero-sum cube tester using slightly higher dimensional cubes. They applied their method to 855-round TRIVIUM. In order to verify the correctness of their result, they even proposed a practical attack on 721-round TRIVIUM claiming that the transformed output bit after 721-rounds of initialization does not contain cubes of dimensions 31 and below. However, the degree evaluation algorithm used by Fu et al. is innovative and complicated, and its complexity is not given. Their algorithm can only be implemented on huge clusters and cannot be verified by existing theoretic tools. In this paper, we theoretically analyze the dynamic cube attack method given by Fu et al. using the division property and MILP modeling technique. Firstly, we draw links between the division property and Fu et al.\u27s dynamic cube attack so that their method can be described as a theoretically well founded and computationally economic MILP-aided division-property-based cube attack. With the MILP model drawn according to the division property, we analyzed the 721-round TRIVIUM in detail and find some interesting results: \begin​{enumerate} \item The degree evaluation using our MILP method is more accurate than that of Fu et al.\u27s. Fu et al. prove that the degree of pure z721z721 is 40 while our method gives 29. We practically proved the correctness of our method by trying thousands of random keys, random 30-dimensional cubes and random assignments to non-cube IVs finding that the summations are constantly 0. \item For the transformed output bit (1+s2901)⋅z721(1+s1290)⋅z721, we proved the same degree 31 as Fu et al. and we also find 32-dimensional cubes have zero-sum property for correct key guesses. But since the degree of pure z721z721 is only 29, the 721-round practical attack on TRIVIUM is violating the principle of Fu et al.\u27s work: after the transformation in the output bit, when the key guesses are correct, the degree of the transformed output bit has not dropped but risen. \item Now that the degree theoretic foundation of the 721-round attack has been violated, we also find out that the key-recovery attack cannot be carried out either. We theoretically proved and practically verified that no matter the key guesses are correct or incorrect, the summation over 32-dimensional cube are always 0. So, no key bit can be recovered at all. \end{enumerate} All these analysis on 721-round TRIVIUM can be verified practically and we open our C++ source code for implementation as well. Secondly, we revisit their 855-round result. Our MILP model reveal that the 855-round result suffers from the same problems with its 721-round counterpart. We provide theoretic evidence that, after their transformation, the degree of the output bit is more likely to rise rather than drop. Furthermore, since Fu \etal\u27s degree evaluation is written in an unclear manner and no complexity analysis is given, we rewrite the algorithm according to their main ideas and supplement a detailed complexity analysis. Our analysis indicates that a precise evaluation to the degree requires complexities far beyond practical reach. We also demonstrate that further abbreviation to our rewritten algorithm can result in wrong evaluation. This might be the reason why Fu \etal give such a degree evaluation. This is also an additional argument against Fu \etal\u27s dynamic cube attack method. Thirdly, the selection of Fu \etal\u27s cube dimension is also questionable. According to our experiments and existing theoretic results, there is high risk that the correct key guesses and wrong ones share the same zero-sum property using Fu \etal\u27s cube testers. As a remedy, we suggest that concrete cubes satisfying particular conditions should be identified rather than relying on the IV-degree drop hypothesis. To conclude, Fu \etal\u27s dynamic cube attack on 855-round TRIVIUM is questionable. 855-round as well as 840-and-up-round TRIVIUM should still be open for further convincible cryptanalysis

Improved Division Property Based Cube Attacks Exploiting Algebraic Properties of Superpoly (Full Version)

The cube attack is an important technique for the cryptanalysis of symmetric key primitives, especially for stream ciphers. Aiming at recovering some secret key bits, the adversary reconstructs a superpoly with the secret key bits involved, by summing over a set of the plaintexts/IV which is called a cube. Traditional cube attack only exploits linear/quadratic superpolies. Moreover, for a long time after its proposal, the size of the cubes has been largely confined to an experimental range, e.g., typically 40. These limits were first overcome by the division property based cube attacks proposed by Todo et al. at CRYPTO 2017. Based on MILP modelled division property, for a cube (index set) $I$, they identify the small (index) subset $J$ of the secret key bits involved in the resultant superpoly. During the precomputation phase which dominates the complexity of the cube attacks, $2^{|I|+|J|}$ encryptions are required to recover the superpoly. Therefore, their attacks can only be available when the restriction $|I|+|J|<n$ is met. In this paper, we introduced several techniques to improve the division property based cube attacks by exploiting various algebraic properties of the superpoly. 1. We propose the ``flag\u27\u27 technique to enhance the preciseness of MILP models so that the proper non-cube IV assignments can be identified to obtain a non-constant superpoly. 2. A degree evaluation algorithm is presented to upper bound the degree of the superpoly. With the knowledge of its degree, the superpoly can be recovered without constructing its whole truth table. This enables us to explore larger cubes $I$\u27s even if $|I|+|J|\geq n$. 3. We provide a term enumeration algorithm for finding the monomials of the superpoly, so that the complexity of many attacks can be further reduced. As an illustration, we apply our techniques to attack the initialization of several ciphers. To be specific, our key recovery attacks have mounted to 839-round TRIVIUM, 891-round Kreyvium, 184-round Grain-128a and 750-round ACORN respectively

Links among Impossible Differential, Integral and Zero Correlation Linear Cryptanalysis

As two important cryptanalytic methods, impossible differential cryptanalysis and integral cryptanalysis have attracted much attention in recent years. Although relations among other important cryptanalytic approaches have been investigated, the link between these two methods has been missing. The motivation in this paper is to fix this gap and establish links between impossible differential cryptanalysis and integral cryptanalysis. Firstly, by introducing the concept of structure and dual structure, we prove that $a\rightarrow b$ is an impossible differential of a structure $\mathcal E$ if and only if it is a zero correlation linear hull of the dual structure $\mathcal E^\bot$. More specifically, constructing a zero correlation linear hull of a Feistel structure with $SP$-type round function where $P$ is invertible, is equivalent to constructing an impossible differential of the same structure with $P^T$ instead of $P$. Constructing a zero correlation linear hull of an SPN structure is equivalent to constructing an impossible differential of the same structure with $(P^{-1})^T$ instead of $P$. Meanwhile, our proof shows that the automatic search tool presented by Wu and Wang could find all impossible differentials of both Feistel structures with $SP$-type round functions and SPN structures, which is useful in provable security of block ciphers against impossible differential cryptanalysis. Secondly, by establishing some boolean equations, we show that a zero correlation linear hull always indicates the existence of an integral distinguisher while a special integral implies the existence of a zero correlation linear hull. With this observation we improve the integral distinguishers of Feistel structures by $1$ round, build a $24$-round integral distinguisher of CAST-$256$ based on which we propose the best known key recovery attack on reduced round CAST-$256$ in the non-weak key model, present a $12$-round integral distinguisher of SMS4 and an $8$-round integral distinguisher of Camellia without $FL/FL^{-1}$. Moreover, this result provides a novel way for establishing integral distinguishers and converting known plaintext attacks to chosen plaintext attacks. Finally, we conclude that an $r$-round impossible differential of $\mathcal E$ always leads to an $r$-round integral distinguisher of the dual structure $\mathcal E^\bot$. In the case that $\mathcal E$ and $\mathcal E^\bot$ are linearly equivalent, we derive a direct link between impossible differentials and integral distinguishers of $\mathcal E$. Specifically, we obtain that an $r$-round impossible differential of an SPN structure, which adopts a bit permutation as its linear layer, always indicates the existence of an $r$-round integral distinguisher. Based on this newly established link, we deduce that impossible differentials of SNAKE(2), PRESENT, PRINCE and ARIA, which are independent of the choices of the $S$-boxes, always imply the existence of integral distinguishers. Our results could help to classify different cryptanalytic tools. Furthermore, when designing a block cipher, the designers need to demonstrate that the cipher has sufficient security margins against important cryptanalytic approaches, which is a very tough task since there have been so many cryptanalytic tools up to now. Our results certainly facilitate this security evaluation process

Impossible meet-in-the-middle fault analysis on the LED lightweight cipher in VANETs

With the expansion of wireless technology, vehicular ad-hoc networks (VANETs) are emerging as a promising approach for realizing smart cities and addressing many serious traffic problems, such as road safety, convenience, and efficiency. To avoid any possible rancorous attacks, employing lightweight ciphers is most effective for implementing encryption/decryption, message authentication, and digital signatures for the security of the VANETs. Light encryption device (LED) is a lightweight block cipher with two basic keysize variants: LED-64 and LED-128. Since its inception, many fault analysis techniques have focused on provoking faults in the last four rounds to derive the 64-bit and 128-bit secret keys. It is vital to investigate whether injecting faults into a prior round enables breakage of the LED. This study presents a novel impossible meet-in-the-middle fault analysis on a prior round. A detailed analysis of the expected number of faults is used to uniquely determine the secret key. It is based on the propagation of truncated differentials and is surprisingly reminiscent of the computation of the complexity of a rectangle attack. It shows that the impossible meet-in-the-middle fault analysis could successfully break the LED by fault injections

Design of Lightweight Linear Diffusion Layers from Near-MDS Matrices

Near-MDS matrices provide better trade-offs between security and efficiency compared to constructions based on MDS matrices, which are favored for hardwareoriented designs. We present new designs of lightweight linear diffusion layers by constructing lightweight near-MDS matrices. Firstly generic n×n near-MDS circulant matrices are found for 5 ≤ n ≤9. Secondly, the implementation cost of instantiations of the generic near-MDS matrices is examined. Surprisingly, for n = 7, 8, it turns out that some proposed near-MDS circulant matrices of order n have the lowest XOR count among all near-MDS matrices of the same order. Further, for n = 5, 6, we present near-MDS matrices of order n having the lowest XOR count as well. The proposed matrices, together with previous construction of order less than five, lead to solutions of n×n near-MDS matrices with the lowest XOR count over finite fields F2m for 2 ≤ n ≤ 8 and 4 ≤ m ≤ 2048. Moreover, we present some involutory near-MDS matrices of order 8 constructed from Hadamard matrices. Lastly, the security of the proposed linear layers is studied by calculating lower bounds on the number of active S-boxes. It is shown that our linear layers with a well-chosen nonlinear layer can provide sufficient security against differential and linear cryptanalysis