6 research outputs found

    Bit-wise Cryptanalysis on AND-RX Permutation Friet-PC

    This paper presents three attack vectors of bit-wise cryptanalysis including rotational, bit-wise differential, and zero-sum distinguishing attacks on the AND-RX permutation Friet-PC, which is implemented in a lightweight authenticated encryption scheme Friet. First, we propose a generic procedure for a rotational attack on AND-RX cipher with round constants. By applying the proposed attack to Friet-PC, we can construct an 8-round rotational distinguisher with a time complexity of 2^{102}. Next, we explore single- and dual-bit differential biases, which are inspired by the existing study on Salsa and ChaCha, and observe the best bit-wise differential bias with 2^{−9.552}. This bias allows us to practically construct a 9-round bit-wise differential distinguisher with a time complexity of 2^{20.044}. Finally, we construct 13-, 15-, 17-, and 30-round zero-sum distinguishers with time complexities of 2^{31}, 2^{63}, 2^{127}, and 2^{383}, respectively. To summarize our study, we apply three attack vectors of bit-wise cryptanalysis to Friet-PC and show their superiority as effective attacks on AND-RX ciphers.

    Areion: Highly-Efficient Permutations and Its Applications (Extended Version)

    In real-world applications, the overwhelming majority of cases require (authenticated) encryption or hashing with relatively short input, say up to 2K bytes. Almost all TCP/IP packets are 40 to 1.5K bytes, and the maximum packet lengths of major protocols, e.g., Zigbee, Bluetooth low energy, and Controller Area Network (CAN), are less than 128 bytes. However, existing schemes are not well optimized for short input. To bridge the gap between real-world needs (in the future) and limited performances of state-of-the-art hash functions and authenticated encryptions with associated data (AEADs) for short input, we design a family of wide-block permutations Areion that fully leverages the power of AES instructions, which are widely deployed in many devices. As for its applications, we propose several hash functions and AEADs. Areion significantly outperforms existing schemes for short input and is even competitive for relatively long messages. Indeed, our hash function is surprisingly fast, and its performance is less than three cycles/byte in the latest Intel architecture for any message size. It is significantly faster than existing state-of-the-art schemes for short messages up to around 100 bytes, which are the most widely used input sizes in real-world applications, on both the latest CPU architectures (IceLake, Tiger Lake, and Alder Lake) and mobile platforms (Pixel 7, iPhone 14, and iPad Pro with Apple M2).

    BAKSHEESH: Similar Yet Different From GIFT

    We propose a lightweight block cipher named BAKSHEESH, which follows up on the popular cipher GIFT-128 (CHES'17). BAKSHEESH runs for 35 rounds, which is 12.50 percent smaller compared to GIFT-128 (runs for 40 rounds) while maintaining the same security claims against the classical attacks. The crux of BAKSHEESH is to use a 4-bit SBox that has a non-trivial Linear Structure (LS). An SBox with one or more non-trivial LS has not been used in a cipher construction until DEFAULT (Asiacrypt'21). DEFAULT is pitched to have inherent protection against the Differential Fault Attack (DFA), thanks to its SBox having 3 non-trivial LS. BAKSHEESH, however, uses an SBox with only 1 non-trivial LS; and is a traditional cipher just like GIFT-128, with no claims against DFA. The SBox requires a low number of AND gates, making BAKSHEESH suitable for side channel countermeasures (when compared to GIFT-128) and other niche applications. Indeed, our study on the cost of the threshold implementation shows that BAKSHEESH offers a few-fold advantage over other lightweight ciphers. The design is not much deviated from its predecessor (GIFT-128), thereby allowing for easy implementation (such as fix-slicing in software). However, BAKSHEESH opts for the full-round key XOR, compared to the half-round key XOR in GIFT. Thus, when taking everything into account, we show how a cipher construction can benefit from the unique vantage point of using 1 LS SBox, by combining the state-of-the-art progress in classical cryptanalysis and protection against device-dependent attacks. We, therefore, create a new paradigm of lightweight ciphers, by adequate deliberation on the design choice, and solidify it with appropriate security analysis and ample implementation/benchmark.

    Cubicle: A family of space‐hard ciphers for IoT

    As IoT has increasingly evolved in recent years, it has become more important to ensure security on IoT devices. Many of such devices are under the threat of attacks in the beyond black‐box model. To protect from the threat, the cryptographic implementation that can offer secure execution in the grey‐/white‐box model is important. However, such cryptographic implementations require a large number of clock cycles to execute and cannot fully cover resistance against various types of side‐channel attacks. In this paper, a new family of table‐based cipher dubbed Cubicle is proposed, which can offer efficient execution and sufficient security against side‐channel attacks on IoT devices powered by ARM Cortex‐M processors, which are widely deployed in IoT applications. To evaluate the security of Cubicle in the grey‐box model, the authors derive the bound of table leakage in the grey‐box model by applying space hardness, which is the notion to evaluate the security against code lifting attacks in the white‐box. The security of Cubicle in the grey‐box model is shown by using this bound. In addition, the security of Cubicle is also shown in the black‐box and white‐box models. Finally, the performance of Cubicle and other ciphers in some devices powered by ARM Cortex‐M3, ‐M4, and ‐M7 processors is evaluated. The authors show that Cubicle is significantly efficient compared to other grey‐/white‐box‐model‐secure ciphers in target experiments for IoT applications.

    Integral and impossible‐differential attacks on the reduced‐round Lesamnta‐LW‐BC

    Lesamnta‐LW‐BC is the internal block cipher of the Lesamnta‐LW lightweight hash function, specified in ISO/IEC 29192‐5:2016. It is based on the unbalanced Feistel network and Advanced Encryption Standard round function. In this study, the security of Lesamnta‐LW‐BC against integral and impossible‐differential attacks is evaluated. Specifically, the authors searched for the integral distinguishers and impossible differentials with Mixed‐Integer Linear Programming‐based methods. As a result, the discovered impossible differential can reach up to 21 rounds, while three integral distinguishers reaching 18, 19 and 25 rounds are obtained, respectively. Moreover, it is also feasible to construct a 47‐round integral distinguisher in the known‐key setting. Finally, a 20‐round key‐recovery attack is proposed based on the discovered 18‐round integral distinguisher and a 19‐round key‐recovery attack using a 17‐round impossible differential. To the best of the authors' knowledge, this is the first third‐party cryptanalysis of Lesamnta‐LW‐BC.

    Areion: Highly-Efficient Permutations and Its Applications to Hash Functions for Short Input

    In real-world applications, the overwhelming majority of cases require hashing with relatively short input, say up to 2K bytes. The length of almost all TCP/IP packets is between 40 and 1.5K bytes, and the maximum packet lengths of major protocols, e.g., Zigbee, Bluetooth low energy, and Controller Area Network (CAN), are less than 128 bytes. However, existing schemes are not well optimized for short input. To bridge the gap between real-world needs (in the future) and limited performances of state-of-the-art hash functions for short input, we design a family of wide-block permutations Areion that fully leverages the power of AES instructions, which are widely deployed in many devices. As its applications, we propose several hash functions. Areion significantly outperforms existing schemes for short input and is even competitive for relatively long messages. Indeed, our hash function is surprisingly fast, and its performance is less than 3 cycles/byte in the latest Intel architecture for any message size. In particular, it is about 10 times faster than existing state-of-the-art schemes for short messages up to around 100 bytes, which are the most widely used input sizes in real-world applications, on both the latest CPU architectures (IceLake, Tiger Lake, and Alder Lake) and mobile platforms (Pixel 6 and iPhone 13).