12 research outputs found
On the QIC of quadratic APN functions
Vectorial Boolean functions are useful in symmetric cryptography for designing block ciphers among other primitives. One of the main attacks on these ciphers is the differential attack. Differential attacks exploit the highest values in the differential distribution table (DDT). A function is called Almost Perfect Nonlinear (APN) if all entries in the DDT belong to {0, 2}, which is optimal against the differential attack. The search for APN permutations, as well as their classification, has been an open problem for more than 25 years. All these n-variable permutations are known for n ≤ 5, but the question remains unsolved for large values of n. It has been conjectured for a long time that, when n is even, APN bijective functions do not exist. However, in 2009, Dillon and his coauthors found an APN permutation of 6 variables. Our aim in this thesis is to find such functions for larger n. Dillon et al.'s approach was to find an APN permutation from a quadratic APN function to which it is CCZ-equivalent. Two vectorial Boolean functions are "CCZ-equivalent" if there exists an affine permutation that maps the graph of one function to the other. CCZ-equivalence preserves the differential properties of a function and thus the APN property. Our approach to finding APN permutations will be the same. We propose an idea of representing a quadratic vectorial Boolean function using a cubic structure called the quadratic indicator cube (QIC). Also, we describe the criteria related to this cube that are necessary and sufficient for a function to be APN. Then we present some algorithms based on backtracking to change the elements of the cube in such a way that if we start from an APN function it remains APN. We implement our modification algorithm in SageMath and then, in order to get better performance, we also implement it in C++, using multithreading for a further speed-up.
For n = 6 our algorithm outputs 13 EA-equivalence classes of functions, which covers all possible classes for n = 6.
Automatic Search for Bit-based Division Property
Division properties, introduced by Todo at Eurocrypt 2015, are extremely useful in cryptanalysis and are an extension of the square attack (also called saturation attack or integral cryptanalysis). Given their importance, a large number of works tried to offer automatic tools to find division properties, primarily based on MILP or SAT/SMT. This paper studies better modeling techniques for finding division properties using Constraint Programming and SAT/SMT-based automatic tools. We use the fact that the Quine-McCluskey algorithm produces a concise CNF representation corresponding to the division trail table of an Sbox. As a result, we can offer significantly more compact models, which allow SAT and Constraint Programming tools to outperform previous results. To show the strength of our new approach, we look at the NIST lightweight candidates KNOT and Ascon. We show several new distinguishers with a lower data complexity for 17-round KNOT-256, KNOT-384 and 19-round KNOT-512. In addition, for the 5-round Ascon, we get a lower data distinguisher than the previous division-based results.
Finally, we revisit the method to extend the integral distinguisher by composing linear layers at the input and output. We provide a formulation to find the optimal number of linear combinations that need to be considered. As a result of this new formulation, we prove that 18-round KNOT-256 and KNOT-384 have no integral distinguisher using conventional division property, and we show this more efficiently than the previous methods.
INT-RUP Security of SAEB and TinyJAMBU
The INT-RUP security of an authenticated encryption (AE) scheme is a well studied problem which deals with the integrity security of an AE scheme in the setting of the releasing unverified plaintext model. Popular INT-RUP secure constructions either require a large state (e.g. GCM-RUP, LOCUS, Oribatida) or employ a two-pass mode (e.g. MONDAE) that does not allow on-the-fly data processing. This motivates us to turn our attention to feedback type AE constructions that allow small state implementation as well as on-the-fly computation capability. In CT-RSA 2016, Chakraborti et al. demonstrated a generic INT-RUP attack on rate-1 block cipher based feedback type AE schemes. Their results inspire us to study feedback type AE constructions at a reduced rate. In this paper, we consider two such recent designs, SAEB and TinyJAMBU, and we analyze their integrity security in the setting of the releasing unverified plaintext model. We found an INT-RUP attack on SAEB with roughly 2^32 decryption queries. However, the concrete analysis shows that if we reduce its rate to 32 bits, SAEB achieves the desired INT-RUP security bound without any additional overhead. Moreover, we have also analyzed TinyJAMBU, one of the finalists of the NIST LwC, and found it to be INT-RUP secure. To the best of our knowledge, this is the first work reporting the INT-RUP security analysis of block cipher based single state, single pass, on-the-fly, inverse-free authenticated ciphers.
Practical Related-Key Forgery Attacks on the Full TinyJAMBU-192/256
TinyJambu is one of the finalists in the NIST lightweight cryptography competition. It has undergone extensive analysis in recent years as both the keyed permutation as well as the mode are new designs. In this paper we present a related-key forgery attack on the updated TinyJambu scheme with 256- and 192-bit keys. We introduce a high probability related-key differential attack where the differences are only introduced into the key state. Therefore, the characteristic is applicable to the TinyJambu mode and can be used to mount a forgery attack. The time and data complexity of the forgery are using related-keys for the 256-bit key version, and using related-keys for the 192-bit key version.
For the 128-bit key we construct a related-key differential characteristic on the full keyed permutation of TinyJambu with a probability of . We extend the related-key differential characteristics on TinyJambu to practical time key recovery attacks that extract the full key from the keyed permutation with a time and data complexity of , , and for respectively the 128-, 192-, and 256-bit key variants.
All characteristics are experimentally verified and we provide key nonce pairs that produce the same tag to show the feasibility of the forgery attack.
Full Round Zero-sum Distinguishers on TinyJAMBU-128 and TinyJAMBU-192 Keyed-permutation in the Known-key setting
TinyJAMBU is one of the finalists in the NIST lightweight standardization competition. This paper presents full round practical zero-sum distinguishers on the keyed permutation used in TinyJAMBU. We propose a full round zero-sum distinguisher on the 128- and 192-bit key variants and a reduced round zero-sum distinguisher for the 256-bit key variant in the known-key settings. Our best known-key distinguisher works with data/time complexity on the full 128-bit version and with data/time complexity on the full 192-bit version. For the 256-bit version, we can distinguish 1152 rounds (out of 1280 rounds) in the known-key settings. In addition, we present the best zero-sum distinguishers in the secret-key settings: with complexity we can distinguish 544 rounds in the forward direction or 576 rounds in the backward direction. For finding the zero-sum distinguisher, we bound the algebraic degree of the TinyJAMBU permutation using the monomial prediction technique proposed by Hu et al. at ASIACRYPT 2020. We model the monomial prediction rule on TinyJAMBU in MILP and find upper bounds on the degree by computing the parity of the number of solutions.
Simple Vs Vectorial: Exploiting Structural Symmetry to Beat the ZeroSum Distinguisher: Applications to SHA3, Xoodyak and Bash
Higher order differential properties constitute a very insightful tool at the hands of a cryptanalyst, allowing for probing a cryptographic primitive from an algebraic perspective. In FSE 2017, Saha et al. reported SymSum (referred to as SymSum_Vec in this paper), a new distinguisher based on higher order vectorial Boolean derivatives of SHA-3, constituting one of the best distinguishers on the latest cryptographic hash standard. SymSum_Vec exploits the difference in the algebraic degree of highest degree monomials in the algebraic normal form of SHA-3 with regards to their dependence on round constants. Later in Africacrypt 2020, Suryawanshi et al. extended SymSum_Vec using linearization techniques and in SSS 2023 also applied it to NIST-LWC finalist Xoodyak. However, a major limitation of SymSum_Vec is the maximum attainable derivative (MAD), which is less than half of the widely studied ZeroSum distinguisher. This is attributed to SymSum_Vec being dependent on m-fold vectorial derivatives while ZeroSum relies on m-fold simple derivatives. In this work we overcome this limitation of SymSum_Vec by developing and validating the theory of computing SymSum_Vec with simple derivatives. This gives us a close to 100% improvement in the MAD that can be computed. The new distinguisher reported in this work can also be combined with one/two-round linearization to penetrate more rounds. Moreover, we identify an issue with the two-round linearization claim made by Suryawanshi et al. which renders it invalid, and also furnish an algebraic fix at the cost of some additional constraints.
Combining all results we report SymSum_Sim, a new variant of the SymSum_Vec distinguisher based on m-fold simple derivatives that outperforms ZeroSum by a factor of , for 10-round SHA-3-384 and 9-round SHA-3-512 respectively while enjoying the same MAD as ZeroSum. For every other SHA-3 variant, SymSum_Sim maintains an advantage of factor 2. Combined with one/two-round linearization, SymSum_Sim improves upon all existing ZeroSum and SymSum_Vec distinguishers on both SHA-3 and Xoodyak. As regards Keccak-p, the internal permutation of SHA-3, we report the best 15-round distinguisher with a complexity of and the first better than birthday-bound 16-round distinguisher with a complexity of (improving upon the 15/16-round results by Guo et al. in Asiacrypt 2016). We also devise the best full-round distinguisher on the Xoodoo internal permutation of Xoodyak with a practically verifiable complexity of and furnish the first third-party distinguishers on the Belarusian hash function Bash. All distinguishers furnished in this work have been verified through implementations whenever practically viable. Overall, with the MAD barrier broken, SymSum_Sim emerges as a better distinguisher than ZeroSum on all fronts and adds to the state-of-the-art of cryptanalytic tools investigating non-randomness of crypto primitives.
Divide and Rule: DiFA - Division Property Based Fault Attacks on PRESENT and GIFT
The division property introduced by Todo in Crypto 2015 is one of the most versatile tools in the arsenal of a cryptanalyst and has given new insights into many ciphers, primarily from an algebraic perspective. On the other end of the spectrum we have fault attacks, which have evolved into the deadliest of all physical attacks on cryptosystems. The current work aims to combine these seemingly distant tools to come up with a new type of fault attack. We show how fault invariants are formed under special input division multi-sets and are independent of the fault injection location. It is further shown that the same division trail can be exploited as a multi-round Zero-Sum distinguisher to reduce the key-space to practical limits. As a proof of concept, division trails of PRESENT and GIFT are exploited to mount practical key-recovery attacks based on the random nibble fault model. For GIFT-64, we are able to recover the unique master-key with 30 nibble faults with faults injected at rounds 21 and 19. For PRESENT-80, DiFA reduces the key-space from to with 15 faults in round 25, while for PRESENT-128, the unique key is recovered with 30 faults in rounds 25 and 24. This constitutes the best fault attacks on these ciphers in terms of fault injection rounds. We also report an interesting property pertaining to fault induced division trails which shows its inapplicability to attack GIFT-128. Overall, the usage of division trails in fault based cryptanalysis showcases new possibilities and reiterates the applicability of classical cryptanalytic tools in physical attacks.
Partial Sums Meet FFT: Improved Attack on 6-Round AES
The partial sums cryptanalytic technique was introduced in 2000 by Ferguson et al., who used it to break 6-round AES with a time complexity of S-box computations, a record that has not been beaten ever since. In 2014, Todo and Aoki showed that for 6-round AES, partial sums can be replaced by a technique based on the Fast Fourier Transform (FFT), leading to an attack with a comparable complexity.
In this paper we show that the partial sums technique can be combined with an FFT-based technique, to get the best of both worlds. Using our combined technique, we obtain an attack on 6-round AES with a complexity of about additions. We fully implemented the attack experimentally, along with the partial sums attack and the Todo-Aoki attack, and confirmed that our attack improves the best known attack on 6-round AES by a factor of more than 32.
We expect that our technique can be used to significantly enhance numerous attacks that exploit the partial sums technique. To demonstrate this, we use our technique to improve the best known attack on 7-round Kuznyechik by a factor of more than 80, and to reduce the complexity of the best known attack on the full MISTY1 from to .
The QARMAv2 Family of Tweakable Block Ciphers
We introduce the QARMAv2 family of tweakable block ciphers. It is a redesign of QARMA (from FSE 2017) to improve its security bounds and allow for longer tweaks, while keeping similar latency and area. The wider tweak input caters to both specific use cases and the design of modes of operation with higher security bounds. This is achieved through new key and tweak schedules, revised S-Box and linear layer choices, and a more comprehensive security analysis. QARMAv2 offers competitive latency and area in fully unrolled hardware implementations.
Some of our results may be of independent interest. These include: new MILP models of certain classes of diffusion matrices; the comparative analysis of a full reflection cipher against an iterative half-cipher; our boomerang attack framework; and an improved approach to doubling the width of a block cipher.
Practical Related-Key Forgery Attacks on Full-Round TinyJAMBU-192/256
TinyJAMBU is one of the finalists in the NIST lightweight cryptography competition. It is considered to be one of the more efficient ciphers in the competition and has undergone extensive analysis in recent years as both the keyed permutation as well as the mode are new designs. In this paper we present a related-key forgery attack on the updated TinyJAMBU-v2 scheme with 256- and 192-bit keys. We introduce a high probability related-key differential attack where the differences are only introduced into the key state. Therefore, the characteristic is applicable to the TinyJAMBU mode and can be used to mount a forgery attack. The time and data complexity of the forgery are 2^33 using 2^14 related-keys for the 256-bit key version, and 2^43 using 2^16 related-keys for the 192-bit key version.
For the 128-bit key we construct a related-key differential characteristic on the full keyed permutation of TinyJAMBU with a probability of 2^-16. We extend the related-key differential characteristics on TinyJAMBU to practical-time key-recovery attacks that extract the full key from the keyed permutation with a time and data complexity of 2^24, 2^21, and 2^19 for respectively the 128-, 192-, and 256-bit key variants.
All characteristics are experimentally verified and we provide key nonce pairs that produce the same tag to show the feasibility of the forgery attack. We note that the designers do not claim related-key security; however, the attacks proposed in this paper suggest that the scheme is not key-committing, which has been recently identified as a favorable property for AEAD schemes.