
    Meet-in-the-Middle Attack on 8 Rounds of the AES Block Cipher under 192 Key Bits

    The AES block cipher has a 128-bit block length and a user key of 128, 192 or 256 bits; it was released by NIST for data encryption in the USA and became an ISO international standard in 2005. In 2008, Demirci and Selçuk gave a meet-in-the-middle attack on 7-round AES under 192 key bits. In 2009, Demirci et al. (incorrectly) described a new meet-in-the-middle attack on 7-round AES under 192 key bits. Subsequently, Dunkelman et al. described an attack on 8-round AES under 192 key bits by taking advantage of several advanced techniques, including one concerning the key schedule. In this paper, we show that by exploiting a simple observation on the key schedule, a meet-in-the-middle attack on 8-round AES under 192 key bits can be obtained from Demirci and Selçuk's and Demirci et al.'s work, and a more efficient attack can be obtained when taking into account Dunkelman et al.'s observation on the key schedule. In the single-key attack scenario, attacking 8 rounds is the best currently known cryptanalytic result for AES in terms of the number of attacked rounds, and our attack has a dramatically smaller data complexity than the currently known attacks on 8-round AES under 192 key bits.

    Cycle structure of generalized and closed loop invariants

    This article gives a rigorous mathematical treatment of generalized and closed loop invariants (CLI), which extend the standard notion of (nonlinear) invariants used in the cryptanalysis of block ciphers. Employing the cycle structure of bijective S-box components, we precisely characterize the cardinality of both generalized invariants and CLIs. We demonstrate that for many S-boxes used in practice quadratic invariants (especially useful for mounting practical attacks when the linear layer is an orthogonal matrix) might not exist, whereas there are many quadratic invariants of generalized type (alternatively, quadratic CLIs). In particular, it is shown that the inverse mapping $S(x)=x^{-1}$ over $GF(2^4)$ admits quadratic CLIs that additionally possess linear structures. The use of cycle structure is further refined through the novel concept of an active cycle set, which turns out to be useful for defining invariants of the whole substitution layer. We present an algorithm for finding such invariants given knowledge of the cycle structure of the constituent S-boxes used.

    Bent functions stemming from Maiorana-McFarland class being provably outside its completed version

    In the early nineties Carlet [1] introduced two new classes of bent functions, both derived from the Maiorana-McFarland ($\mathcal{M}$) class, and named them the $\mathcal{C}$ and $\mathcal{D}$ class, respectively. Apart from a subclass of $\mathcal{D}$, denoted by $\mathcal{D}_0$ by Carlet, which is provably outside the two main (completed) primary classes of bent functions, little is known about their efficient constructions. More importantly, both classes may easily remain in the underlying $\mathcal{M}$ class, as already remarked in [21]. Assuming the possibility of specifying a bent function $f$ that belongs to one of these two classes (apart from $\mathcal{D}_0$), the most important issue is then to determine whether $f$ is still contained in the known primary classes or lies outside their completed versions. In this article, we further elaborate on the analysis of the set of sufficient conditions given in [OutsideMM] concerning the specification of bent functions in $\mathcal{C}$ and $\mathcal{D}$ which are provably outside $\mathcal{M}$. It is shown that these conditions, related to bent functions in class $\mathcal{D}$, can be relaxed so that even those permutations whose component functions admit linear structures can still be used in the design. It is also shown that monomial permutations of the form $x^{2^r+1}$ have inverses which are never quadratic for $n>4$, which gives rise to an infinite class of bent functions in $\mathcal{C}$ but outside $\mathcal{M}$. Similarly, using a relaxed set of sufficient conditions for bent functions in $\mathcal{D}$ and outside $\mathcal{M}$, one explicit infinite class of such bent functions is identified. We also extend the inclusion property of certain subclasses of bent functions in $\mathcal{C}$ and $\mathcal{D}$, as addressed initially in [1,21], that are ultimately within the completed $\mathcal{M}$ class. Most notably, we specify another generic and explicit subclass of $\mathcal{D}$, which we call $\mathcal{D}_2^\star$, whose members are bent functions provably outside the completed $\mathcal{M}$ class.

    Minimal binary linear codes - a general framework based on bent concatenation

    Minimal codes are characterized by the property that none of the codewords is covered by some other linearly independent codeword. We first show that the use of a bent function $g$ in the so-called direct sum of Boolean functions $h(x,y)=f(x)+g(y)$, where $f$ is arbitrary, induces minimal codes. This approach gives an infinite class of minimal codes of length $2^n$ and dimension $n+1$ (assuming that $h:\mathbb{F}_2^n \rightarrow \mathbb{F}_2$), whose weight distribution is exactly specified for certain choices of $f$. To increase the dimension of these codes with respect to their length, we introduce the concept of non-covering permutations (referring to the property of minimality) used to construct a bent function $g$ in $s$ variables, which allows us to employ a suitable subspace of derivatives of $g$ and generate minimal codes of dimension $s+s/2+1$ instead. Their exact weight distribution is also determined. In the second part of this article, we first provide an efficient method (with easily satisfied initial conditions) of generating minimal $[2^n,n+1]$ linear codes that cross the so-called Ashikhmin-Barg bound. This method is further extended for the purpose of generating minimal codes of larger dimension $n+s/2+2$, through the use of suitable derivatives along with the employment of non-covering permutations. To the best of our knowledge, the latter method is the most general framework for designing binary minimal linear codes that violate the Ashikhmin-Barg bound. More precisely, for a suitable choice of derivatives of $h(x,y)=f(x)+g(y)$, where $g$ is a bent function and $f$ satisfies certain minimality requirements, for any fixed $f$ one can derive a huge class of non-equivalent wide binary linear codes of the same length by varying the permutation $\phi$ when specifying the bent function $g(y_1,y_2)=\phi(y_2)\cdot y_1$ in the Maiorana-McFarland class. The weight distribution is given explicitly for any (suitable) $f$ when $\phi$ is an almost bent permutation.

    Minimal $p$-ary codes from non-covering permutations

    In this article, we propose several generic methods for constructing minimal linear codes over the field $\mathbb{F}_p$. The first construction uses the method of direct sum of an arbitrary function $f:\mathbb{F}_{p^r}\to \mathbb{F}_p$ and a bent function $g:\mathbb{F}_{p^s}\to \mathbb{F}_p$ to induce minimal codes with parameters $[p^{r+s}-1,r+s+1]$ and minimum distance larger than $p^r(p-1)(p^{s-1}-p^{s/2-1})$. For the first time, we provide a general construction of linear codes from a subclass of non-weakly regular plateaued functions, which partially answers an open problem posed in [22]. The second construction deals with a bent function $g:\mathbb{F}_{p^m}\to \mathbb{F}_p$ and a subspace $U$ of suitable derivatives of $g$, i.e., functions of the form $g(y+a)-g(y)$ for some $a\in \mathbb{F}_{p^m}^*$. We also provide a sound generalization of the recently introduced concept of non-covering permutations [45]. Some important structural properties of this class of permutations are derived in this context. The most remarkable observation is that the class of non-covering permutations contains the class of APN power permutations (characterized by having two-to-one derivatives). Finally, the last general construction combines the previous two methods (direct sum, non-covering permutations and subspaces of derivatives) together with a bent function in the Maiorana-McFarland class to construct minimal codes (even those violating the Ashikhmin-Barg bound) with a larger dimension. This last method proves to be quite flexible since it can lead to several non-equivalent codes, depending to a great extent on the choice of the underlying non-covering permutation.

    Generalized Nonlinear Invariant Attack and a New Design Criterion for Round Constants

    The nonlinear invariant attack was introduced at ASIACRYPT 2016 by Todo et al. The attack has received extensive attention from the cryptographic community due to its practical application to the full-round block ciphers SCREAM, iSCREAM, and Midori64. However, the attack heavily relies on the choice of round constants and becomes inefficient when these constants nonlinearly affect the so-called nonlinear invariants. In this article, to eliminate the impact of the round constants, a generalized nonlinear invariant attack which uses a pair of constants in the input of nonlinear invariants is proposed. The efficiency of this extended framework is practically confirmed by mounting a distinguishing attack on a variant of the full-round iSCREAM cipher under a class of $2^{80}$ weak keys. The considered variant of iSCREAM is, however, resistant against the nonlinear invariant attack of Todo et al. Furthermore, we investigate the resistance of block ciphers against generalized nonlinear invariant attacks with respect to the choice of round constants in an extended framework. We introduce the useful concept of closed-loop invariants of the substitution box (S-box) and show that the choice of robust round constants is closely related to the existence of linear structures of the closed-loop invariants of the substitution layer. In particular, we demonstrate that the design criteria for the round constants in Beierle et al.'s work at CRYPTO 2017 are not an optimal strategy. The round constants selected using this method may induce certain weaknesses that can be exploited in our generalized nonlinear invariant attack model. This scenario is efficiently demonstrated in the case of a slightly modified variant of the Midori64 block cipher.

    Specifying cycles of minimal length for commonly used linear layers in block ciphers

    With the advances of Internet-of-Things (IoT) applications in smart cities and the pervasiveness of network devices with limited resources, lightweight block ciphers have developed rapidly in recent years. Due to their relatively simple key schedules, nonlinear invariant attacks have been successfully applied to several families of lightweight block ciphers. This attack relies on the existence of a nonlinear invariant $g:\mathbb{F}_2^n \rightarrow \mathbb{F}_2$ for the round function $F_k$ such that $g(x)+g(F_k(x))$ is constant for any input value $x$. Whereas invariants of the entire S-box layer have been studied in terms of the corresponding cycle structure [TLS16,WRP20] (assuming the use of bijective S-boxes), a similar analysis for the linear layer has not been performed yet. In this article, we provide a theoretical analysis for specifying the minimal length of cycles for commonly used linear permutations (implementing linear layers) in lightweight block ciphers. Namely, using a suitable matrix representation, we exactly specify the minimal cycle lengths for those (efficiently implemented) linear layers that employ ShiftRows, Rotational-XOR and circular Boolean matrix operations, which can be found in many well-known families of block ciphers. These results are practically useful for finding nonlinear invariants of entire encryption rounds, since such invariants can be specified using the intersection of cycles corresponding to the linear and S-box layers. We also apply our theoretical analysis in practice and specify minimal cycle lengths of linear layers for certain families of block ciphers, including some NIST candidates.

    Several classes of minimal binary linear codes violating the Aschikhmin-Barg's bound

    Minimal linear codes are a special class of codes which have important applications in secret sharing and secure two-party computation. These codes are characterized by the property that none of the codewords is covered by some other codeword. Denoting by $w_{min}$ and $w_{max}$ the minimal and maximal weight of the codewords, respectively, such codes are relatively easy to design when the ratio $w_{min}/w_{max} > 1/2$ (known as the Aschikhmin-Barg's bound). On the other hand, there are few known classes of minimal codes violating this bound, hence having the property $w_{min}/w_{max} \leq 1/2$. In this article, we provide several explicit classes of minimal binary linear codes violating the Aschikhmin-Barg's bound, at the same time achieving a great variety of the ratio $w_{min}/w_{max}$. Our first generic method employs suitable characteristic functions of relatively low weight within the range $[n+1, 2^{n-2}]$. The second approach addresses a specification of characteristic functions covering the weights in $[2^{n-2}+1, 2^{n-2}+2^{n-3}-1]$ and containing a skewed (one element removed) affine subspace of dimension $n-2$. Finally, we also characterize an infinite family of such codes that utilize the class of so-called root Boolean functions of weight $2^{n-1}-(n-1)$, which are useful in certain hardware testing applications. Consequently, many infinite classes of minimal codes crossing the Aschikhmin-Barg's bound, with a wide range of weights of their characteristic functions, are deduced. In certain cases we also completely specify the weight distribution of the resulting codes.

    Efficient probabilistic algorithm for estimating the algebraic properties of Boolean functions for large $n$

    Although several methods for estimating the resistance of a random Boolean function against (fast) algebraic attacks have been proposed, these methods are usually infeasible in practice for relatively large numbers of input variables $n$ (for instance $n\geq 30$) due to their computational complexity. Efficiently estimating the resistance of a Boolean function (with relatively large $n$) against (fast) algebraic attacks appears to be a rather difficult task. In this paper, the concept of partial linear relations decomposition is introduced, which decomposes any given nonlinear Boolean function into many linear (affine) subfunctions by using disjoint sets of input variables. Based on this result, a general probabilistic decomposition algorithm for nonlinear Boolean functions is presented, which gives a new framework for estimating the resistance of Boolean functions against (fast) algebraic attacks. It is shown that our new probabilistic method gives very tight estimates (lower and upper bounds) and only requires about $O(n^2 2^n)$ operations for a random Boolean function with $n$ variables, thus having much lower time complexity than previously known algorithms.