57 research outputs found

    Arithmetization Oriented Encryption

    We design a SNARKs/STARKs-optimized AEAD scheme based on the MonkeySpongeWrap (ToSC 2023(2)) and the RPO permutation (ePrint 2022/1577).

    Linear Analysis of Reduced-Round CubeHash

    Recent developments in the field of cryptanalysis of hash functions have inspired NIST to announce a competition for selecting a new cryptographic hash function to join the SHA family of standards. One of the 14 second-round candidates is CubeHash, designed by Daniel J. Bernstein. CubeHash is a unique hash function in the sense that it does not iterate a common compression function, and offers a structure which resembles a sponge function, even though it is not exactly a sponge function. In this paper we analyze reduced-round variants of CubeHash where the adversary controls the full 1024-bit input to reduced-round CubeHash and can observe its full output. We show that linear approximations with high biases exist in reduced-round variants. For example, we present an 11-round linear approximation with bias of 2^{-235}, which allows distinguishing 11-round CubeHash using about 2^{470} queries. We also discuss the extension of this distinguisher to 12 rounds using message modification techniques. Finally, we present a linear distinguisher for 14-round CubeHash which uses about 2^{812} queries.

    Cryptanalysis of the Full DES and the Full 3DES Using a New Linear Property

    In this paper we extend the work presented by Ashur and Posteuca in BalkanCryptSec 2018, by designing 0-correlation key-dependent linear trails covering more than one round of DES. First, we design a 2-round 0-correlation key-dependent linear trail which we then connect to Matsui's original trail in order to obtain a linear approximation covering the full DES and 3DES. We show how this approximation can be used for a key recovery attack against both ciphers. To the best of our knowledge, this paper is the first to use this kind of property to attack a symmetric-key algorithm, and our linear attack against 3DES is the first statistical attack against this cipher.

    Rotational Cryptanalysis in the Presence of Constants

    Rotational cryptanalysis is a statistical method for attacking ARX constructions. It was previously shown that ARX-C, i.e., ARX with the injection of constants, can be used to implement any function. In this paper we investigate how rotational cryptanalysis is affected when constants are injected into the state. We introduce the notion of an RX-difference, generalizing the idea of a rotational difference. We show how RX-differences behave around modular addition, and give a formula to calculate their transition probability. We experimentally verify the formula using Speck32/64, and present a 7-round distinguisher based on RX-differences. We then discuss two types of constants: round constants, and constants which are the result of using a fixed key, and provide recommendations to designers for optimal choice of parameters.

    Prelude to Marvellous (With the Designers' Commentary, Two Bonus Tracks, and a Foretold Prophecy)

    This epos tells the origin story of Rescue, a family of cryptographic algorithms in the Marvellous cryptoverse.

    A New Linear Distinguisher for Four-Round AES

    In SAC'14, Biham and Carmeli presented a novel attack on DES, involving a variation of Partitioning Cryptanalysis. This was further extended in ToSC'18 by Biham and Perle into Conditional Linear Cryptanalysis in the context of Feistel ciphers. In this work, we formalize this cryptanalytic technique for block ciphers in general and derive several properties. This conditional approximation is then used to approximate the inv : GF(2^8) → GF(2^8) : x → x^254 function, which forms the only source of non-linearity in the AES. By extending the approximation to encompass the full AES round function, a linear distinguisher for four-round AES in the known-plaintext model is constructed, the existence of which is often understood to be impossible. We furthermore demonstrate a key-recovery attack capable of extracting 32 bits of information in 4-round AES using 2^{125.62} data and time. In addition to suggesting a new approach to advancing the cryptanalysis of the AES, this result moreover demonstrates a caveat in the standard interpretation of the Wide Trail Strategy — the design framework underlying many SPN-based ciphers published in recent years.

    Rotational Cryptanalysis on MAC Algorithm Chaskey

    In this paper we analyse the algorithm Chaskey - a lightweight MAC algorithm for 32-bit microcontrollers - with respect to rotational cryptanalysis. We perform a related-key attack over Chaskey and find a distinguisher by using rotational probabilities. Having a message m, we can forge and present a valid tag for some message under a related key with probability 2^{-57} for 8 rounds and 2^{-86} for all 12 rounds of the permutation, for keys in a defined weak-key class. This attack can be extended to full key recovery with complexity 2^{120} for the full number of rounds. To our knowledge this is the first published attack targeting all 12 rounds of the algorithm. Additionally, we generalize the Markov theory with respect to a relation between two plaintexts, rather than their difference, and apply it to rotational pairs.

    Algebraic Cryptanalysis of HADES Design Strategy: Application to POSEIDON and Poseidon2

    The HADES design strategy aims to provide an efficient way to instantiate Arithmetization-Oriented primitives by generalizing substitution-permutation networks to include partial S-box rounds. A notable instance of HADES, introduced by Grassi et al. at USENIX Security '21, is POSEIDON. Owing to its impressive efficiency and low arithmetic complexity, Poseidon has garnered attention from designers of integrity-proof systems. An updated version of POSEIDON, namely Poseidon2, was published recently at AfricaCrypt '23, aiming to improve the efficiency of POSEIDON by optimizing its linear operations. In this work, we show some caveats in the security argument of HADES against algebraic attacks. We provide an upper bound on the complexity of XL attacks against the HADES instances POSEIDON and Poseidon2. When the desired security level is high, some instances of these hash functions fail to provide the promised security. In particular, the complexity of the XL attack against an instance of POSEIDON and Poseidon2 claiming 512 bits of desired security is upper bounded by 402.64 bits. Furthermore, we quantify the complexity of Gröbner basis attacks as a function of the number of S-boxes. We observe that the complexity is lower than claimed, with the direct implication that there are cases where the recommended number of rounds is insufficient for meeting the claimed security. Concretely, the complexity of a Gröbner basis attack for an instance with 1024 bits of security is 731.77 bits, and the original security argument starts failing already at the 384-bit security level. The findings presented in this paper are asymptotic in nature and, at this moment, only non-standard security levels seem to be practically affected. The results were shared with the designers.

    XHash8 and XHash12: Efficient STARK-friendly Hash Functions

    Zero-Knowledge proof systems are widely used as building blocks of different protocols, e.g., those supporting blockchains. A core element in Zero-Knowledge proof systems is the underlying PRF, usually modeled as a hash function that needs to be efficient over finite fields of prime order. Such hash functions are part of a newly developed paradigm known as Arithmetization-Oriented designs. In this paper, we propose two new AO hash functions, XHash8 and XHash12, which are designed based on improving the bottlenecks in RPO [ePrint 2022/1577]. Based on our experiments, XHash8 performs ≈2.75 times faster than RPO, and XHash12 performs ≈2 times faster than RPO, while at the same time inheriting the security and robustness of the battle-tested Marvellous design strategy.