Jialin Huang,Xuejia Lai

2012-01-01

Abstract:In this paper, we point out a new weakness of the AES key schedule by revisiting an old observation exploited by many known attacks. We also discover a major cause for this weakness is that the column-by-column word-wise property in the key schedule matches nicely with the MixColumns operation in the cipher’s diffusion layer. Then we propose a new key schedule by minor modification to increase the security level for AES. First, it reduces the number of rounds that some attacks are effective, such as SQUARE attacks and meet-in-the-middle attacks; Second, it is interesting that our new key schedule also protects AES from the most devastating related-key differential type attacks, which work against AES-192 and AES-256 with the full number of rounds. Compared with the original key schedule, ours just does a transposition on the output matrix of the subkeys. Compared with other proposed modifications of AES key schedule, our modification adds no non-linear operations, no need to complicate the diffusion method, or complicate the iteration process of generating subkeys. Finally, our results suggest that the route of diffusion propagation should get more attention in the design of key schedules.

Gaëtan Leurent,Clara Pernot

DOI: https://doi.org/10.1007/s00145-024-09522-5

2024-11-03

Journal of Cryptology

Abstract:In this paper, we present a new representation of the AES key schedule, with some implications to the security of AES-based schemes. In particular, we show that the AES-128 key schedule can be split into four independent parallel computations operating on 32-bit chunks, up to linear transformation. Surprisingly, this property has not been described in the literature after more than 20 years of analysis of AES. We show two consequences of our new representation, improving previous cryptanalysis results of AES-based schemes. First, we observe that iterating an odd number of key schedule rounds results in a permutation with short cycles. This explains an observation of Khairallah on mixFeed, a second-round candidate in the NIST lightweight competition. Our analysis actually shows that his forgery attack on mixFeed succeeds with probability 0.44 (with data complexity 220GB), breaking the scheme in practice. The same observation also leads to a novel attack on ALE, another AES-based AEAD scheme. Our new representation also gives efficient ways to combine information from the first subkeys and information from the last subkeys, in order to reconstruct the corresponding master key. This results in small improvements to previous attacks: We improve impossible differential attacks against several variants of AES (and Rijndael), and a square attack against AES-192.

computer science, theory & methods,engineering, electrical & electronic,mathematics, applied

Jialin Huang,Xuejia Lai

DOI: https://doi.org/10.1007/s10623-013-9804-9

2012-01-01

Abstract:We study the weakness of key schedules from an observation: many existing attacks use the fact that the key schedules poorly distribute key bits in the diffusion path of round functions. This reminds us of the importance of the diffusion's relation between key schedules and round functions. We present new cryptanalysis results by exploring such diffusion relation and propose a new criterion for necessary key schedule diffusion. We discuss potential attacks and summarize the causes for key schedules without satisfying this criterion. One major cause is that overlapping between the diffusion of key schedules and round functions leads to information leakage of key bits. Finally, a measure to estimate our criterion for recursive key schedules is presented. Today designing key schedule still lacks practical and necessary principles. For a practical key schedule with limited diffusion, our work adds more insight to its requirements and helps to maximize the security level.

Jialin Huang,Serge Vaudenay,Xuejia Lai

DOI: https://doi.org/10.1007/978-3-319-13039-2_8

2014-01-01

Abstract:Key schedules in lightweight block ciphers are often highly simplified, which causes weakness that can be exploited in many attacks. Today it remains an open problem on how to use limited operations to guarantee enough diffusion of key bits in lightweight key schedules. Also, there are few tools special for detecting weakness in the key schedule.In 2013 Huang et al. pointed out that insufficient actual key information (AKI) in computation chains is responsible for many attacks especially the meet-in-the-middle (MITM) attacks. Motivated by this fact, in this paper we develop an efficient (with polynomial time complexity) and effective tool to search the computation chains which involve insufficient AKI for iterated key schedules of lightweight ciphers. The effectiveness of this tool is shown by an application on TWINE-80.Then, we formulate the cause of key bits leakage phenomenon, where the knowledge of subkey bits is leaked or overlapped by other subkey bits in the same computation chain. Based on the interaction of diffusion performed by the key schedule and by the round function, a necessary condition is thus given on how to avoid key bits leakage.Therefore, our work sheds light on the design of lightweight key schedules by guiding how to quickly rule out unreasonable key schedules and maximize the security under limited diffusion.

Hailun Yan,Yiyuan Luo,Mo Chen,Xuejia Lai

DOI: https://doi.org/10.1007/s11432-018-9527-8

2019-01-01

Science China Information Sciences

Abstract:We evaluate the security of RECTANGLE from the perspective of actual key information(AKI).Insufficient AKI permits the attackers to deduce some subkey bits from some other subkey bits, thereby lowering the overall attack complexity or getting more attacked rounds. By considering the interaction between the key schedule’s diffusion and the round function’s diffusion, we find there exists AKI insufficiency in 4 consecutive rounds for RECTANGLE-80 and 6 consecutive rounds for RECTANGLE-128, although the master key bits achieve complete diffusion in 2 and 4 rounds, respectively. With such weakness of the key schedule, we give a generic meet-in-the-middle attack on 12-round reduced RECTANGLE-128 with only 8 known plaintexts. Moreover, we calculate AKI of variants of RECTANGLE as well as PRESENT.Surprisingly we find that both RECTANGLE-128 and PRESENT-128 with no key schedule involve more AKI than the original one. Based on this finding, we slightly modify the key schedule of RECTANGLE-128.Compared with the original one, this new key schedule matches better with the round function in terms of maximizing AKI. Our work adds more insight to the design of block ciphers’ key schedule.

Jie Cui,Liusheng Huang,Hong Zhong,Wei Yang

DOI: https://doi.org/10.1109/ICCSE.2010.5593579

2010-01-01

Abstract:In this paper the authors present an attack on 7-round AES-128/256 to improve the known cryptanalysis by changing the order of round transformation , using the alternative representation of the round keys, exploiting the relationship of keys, designing the key difference pattern properly. By using the improved attack method, the complexity is reduced from 2 192 to 2 104 with 2 72 chosen plaintexts, the authors reduce complexity to 2 88 using partial sums. ©2010 IEEE.

Leibo Li,Keting Jia,Xiaoyun Wang

DOI: https://doi.org/10.1007/978-3-662-46706-0_7

2014-01-01

Abstract:This paper focuses on key-recovery attacks on 9-round AES-192 and AES-256 under single-key model with the framework of the meet-in-the-middle attack. A new technique named key-dependent sieve is introduced to further reduce the size of lookup table of the attack, and the 9-round AES-192 is broken with 2 121 chosen plaintexts, 2(187.5) 9-round encryptions and 2(185) 128-bit words of memory. If the attack starts from the third round, the complexities would be further reduced by a factor of 16. Moreover, the whole attack is split up into a series of weak-key attacks. Then the memory complexity of the attack is saved significantly when we execute these weak attacks in streaming mode. This method is also applied to reduce the memory complexity of the attack on 9-round AES-256.

Shize Guo,Xinjie Zhao,Fan Zhang,Tao Wang,Zhijie Jerry Shi,Francois-Xavier Standaert,Chujiao Ma

DOI: https://doi.org/10.1109/tifs.2014.2315534

IF: 7.231

2014-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Algebraic side-channel attack (ASCA) is a typical technique that relies on a general solver to solve the equations of a cipher and its side-channel leaks. It falls under analytical side-channel attack and can recover the entire key at once. Many ASCAs are proposed against the AES, and they utilize the Grobner basis-based, SAT-based, or optimizer-based solver. The advantage of the general solver approach is its generic feature, which can be easily applied to different cryptographic algorithms. The disadvantage is that it is difficult to take into account the specialized properties of the targeted cryptographic algorithms. The results vary depending on what type of solver is used, and the time complexity is quite high when considering the error-tolerant attack scenarios. Thus, we were motivated to find a new approach that would lessen the influence of the general solver and reduce the time complexity of ASCA. This paper proposes a new analytical side-channel attack on AES by exploiting the incomplete diffusion feature in one AES round. We named our technique incomplete diffusion analytical side-channel analysis (IDASCA). Different from previous ASCAs, IDASCA adopts a specialized approach to recover the secret key of AES instead of the general solver. Extensive attacks are performed against the software implementation of AES on an 8-bit microcontroller. Experimental results show that: 1) IDASCA can exploit the side-channel leaks in all AES rounds using a single power trace; 2) it has less time complexity and more robustness than previous ASCAs, especially when considering the error-tolerant attack scenarios; and 3) it can calculate the reduced key search space of AES for the given amount of side-channel leaks. IDASCA can also interpret the mechanism behind previous ASCAs on AES from a quantitative perspective, such as why ASCA can work under unknown plaintext/ciphertext scenarios and what are the extreme cases in ASCAs.

Rui Luo,Xuejia Lai,Rong You

DOI: https://doi.org/10.1109/spac.2014.6982727

2014-01-01

Abstract:In this paper, we propose an improved table-based white-box implementation of AES which is able to resist different types of attack, including the BGE attack and De Mulder et al.'s cryptanalysis, to protect information under “white-box attack context”. The notion of white-box attack context, introduced by Chow et al., describes a general setting in which cryptographic algorithms are executed in untrusted environments. In this setting, adversaries have attained complete access to the implementations of cryptographic algorithms as well as the dynamic execution environments. The key strategy applied to our design is to compose different operations of the AES round function and convert the composition into encoded lookup tables. The new scheme exploits larger key-dependent tables, each of which contains two bytes of the round keys. We then analyze the security against different types of attack and measure two security metrics: the “white-box diversity” and “ambiguity”. The new scheme can withstand the BGE attack due to the utilization of larger mixing bijections and tabulated “ShiftRows” it can also resist the cryptanalysis of De Mulder et al. since the bindings between “nTMC” and “TSR” are irreducible and the non-linear encodings are introduced to all tables.

Tran Thi Luong,Nguyen Ngoc Cuong,Bay Vo

DOI: https://doi.org/10.1109/access.2024.3387268

IF: 3.9

2024-04-20

IEEE Access

Abstract:Increasing the security of block ciphers is a topic of great interest today, and thus there is a variety of work to enhance the strength of such ciphers. There are also many studies focusing on the Advanced Encryption Standard (AES), presenting methods of making block ciphers dynamic to improve their security. Animating methods can perform block cipher transformations such as substitution or permutation, or both. In this article, we propose an algorithm to create new, key-dependent XOR tables from an initial secret key. At the same time, we prove that in the ciphertext the new XOR operation can preserve the independent, co-probability distribution of the random key. We then apply these new XOR tables to make AES dynamic at the Addroundkey transformation. We created a considerable number of XOR tables, about tables. With such a vast number of key-dependent dynamic XOR tables, cryptanalysts will have great difficulty finding the actual XOR table used in the modified AES block cipher. Therefore, with our new XOR tables, AES will be significantly enhanced.

computer science, information systems,telecommunications,engineering, electrical & electronic

Xiao, Yaying,Xuejia Lai

DOI: https://doi.org/10.1109/csa.2009.5404239

2009-01-01

Abstract:ShiftRows has no effect on Chow’s scheme, the obfuscations of the key can be divided into smaller ones and removed with the help of specific characters of the MixColumns operation in AES. In this paper, we present a secure implementation of White-Box AES, the main difference lies in ShiftRows operation. It is now embedded in matrices product, the output encodings has the same size as the output of MixColumns operation (32bits). Thus the obfuscation of the key cannot be divided into smaller ones or removed by using Billet's attack technique. Thus, our scheme can resist Billet’s attack. It is more secure than Chow's.

Lingyue Qin,Xiaoyang Dong,Anyu Wang,Jialiang Hua,Xiaoyun Wang

DOI: https://doi.org/10.1007/978-3-031-22963-3_10

2022-01-01

Abstract:Designing symmetric ciphers for particular applications becomes a hot topic. At EUROCRYPT 2020, Naito, Sasaki and Sugawara invented the threshold implementation friendly cipher SKINNYe-64-256 to meet the requirement of the authenticated encryption PFB $$\_$$ Plus. Soon, Thomas Peyrin pointed out that SKINNYe-64-256 may lose the security expectation due the new tweakey schedule. Although the security issue of SKINNYe-64-256 is still unclear, Naito et al. decided to introduce SKINNYe-64-256 v2 as a response. In this paper, we give a formal cryptanalysis on the new tweakey schedule of SKINNYe-64-256 and discover unexpected differential cancellations in the tweakey schedule. For example, we find the number of cancellations can be up to 8 within 30 consecutive rounds, which is significantly larger than the expected 3 cancellations. Moreover, we take our new discoveries into rectangle, MITM and impossible differential attacks, and adapt the corresponding automatic tools with new constraints from our discoveries. Finally, we find a 41-round related-tweakey rectangle attack on SKINNYe-64-256 and leave a security margin of 3 rounds only. As STK accepts arbitrary tweakey size, but SKINNY and SKINNYe-64-256 v2 only support up to 4n tweakey size. We introduce a new design of tweakey schedule for SKINNY-64 to further extend the supported tweakey size. We give a formal proof that our new tweakey schedule inherits the security requirement of STK and SKINNY. We also discuss possible ways to extend the tweakey size for SKINNY-128.

Xiaoyang Dong,Lingyue Qin,Siwei Sun,Xiaoyun Wang

DOI: https://doi.org/10.1007/978-3-031-07082-2_1

2022-01-01

Abstract:When generating quartets for the rectangle attacks on ciphers with linear key-schedule, we find the right quartets which may suggest key candidates have to satisfy some nonlinear relations. However, some quartets generated always violate these relations, so that they will never suggest any key candidates. Inspired by previous rectangle frameworks, we find that guessing certain key cells before generating quartets may reduce the number of invalid quartets. However, guessing a lot of key cells at once may lose the benefit from the early abort technique, which may lead to a higher overall complexity. To get better tradeoff, we build a new rectangle framework on ciphers with linear key-schedule with the purpose of reducing overall complexity or attacking more rounds. In the tradeoff model, there are many parameters affecting the overall complexity, especially for the choices of the number and positions of key guessing cells before generating quartets. To identify optimal parameters, we build a uniform automatic tool on SKINNY as an example, which includes the optimal rectangle distinguishers for key-recovery phase, the number and positions of key guessing cells before generating quartets, the size of key counters to build that affecting the exhaustive search step, etc. Based on the automatic tool, we identify a 32-round key-recovery attack on SKINNY-128-384 in the related-key setting, which extends the best previous attack by 2 rounds. For other versions with n-2n or n-3n, we also achieve one more round than before. In addition, using the previous rectangle distinguishers, we achieve better attacks on round-reduced ForkSkinny, Deoxys-BC-384 and GIFT-64. At last, we discuss the conversion of our rectangle framework from related-key setting into single-key setting and give new single-key rectangle attack on 10-round Serpent.

Z. Y. You

2003-01-01

Abstract:In this paper the authors present an attack to improve the known cryptanalysis to reduce the complexity of keys exhaustion by changing the order of round transformation, using the alternative representation of the round keys, arranging the order of keyscomputation properly and exploiting the relationship of keys. Also,the authors give an example of attacking five round AES. By using the improved attack algorithm, the key exhaustion is reduced from 4·240 to 240+232+216+9·28. 

Xinjie Zhao,Shize Guo,Fan Zhang,Tao Wang,Zhijie Shi,Hao Luo

DOI: https://doi.org/10.1587/transfun.e96.a.332

2012-01-01

IEICE Transactions on Fundamentals of Electronics Communications and Computer Sciences

Abstract:This paper proposes several improved Side-channel cube attacks (SCCAs) on PRESENT-80/128 under single bit leakage model. Assuming the leakage is in the output of round 3 as in previous work, we discover new results of SCCA on PRESENT. Then an enhanced SCCA is proposed to extract key related non-linear equations. 64-bit key for both PRESENT-80 and 128 can be obtained. To mount more effective attack, we utilize the leakage in round 4 and enhance SCCA in two ways. A partitioning scheme is proposed to handle huge polynomials, and an iterative scheme is proposed to extract more key bits. With these enhanced techniques, the master key search space can be reduced to 28 for PRESENT-80 and to 229 for PRESENT-128.

Yin Jia,TingTing Lin,Xuejia Lai

DOI: https://doi.org/10.1109/cits.2016.7546449

2016-01-01

Abstract:White box attack context assumes that attackers have full access to the implementation and dynamic execution of cryptographic algorithms. How to protect keys in such an attack context has become a new challenge to implementation of cryptographic algorithms. In 2002, Chow et al. proposed a white box AES implementation whose construction could also be applied to other iterated block ciphers. This implementation was later improved and attacked several times. However those attacks greatly depend on the structure of specific cipher and its implementation. We propose a generic attack against a typical white box implementation of iterated block ciphers with Chow's techniques, which can be applied to block ciphers of different structures. Our attack relies on the connection of input-output difference probability distribution between block ciphers and their white box implementation, and recovers the subkey efficiently.

Kexin Qiao,Zhiyu Zhang,Zhongfeng Niu,Liehuang Zhu,Jianfeng Ma

DOI: https://doi.org/10.23919/cje.2023.00.008

IF: 1.019

2024-01-01

Chinese Journal of Electronics

Abstract:Recent results show that the differential properties within quadruples boom as a new inspiration in cryptanalysis of Advanced Encryption Standard (AES)-like constructions. These methods include the exchange attack proposed in Asiacrypt'19, the mixture differential attack proposed in ToSC'18, etc., where the essential properties are obtained by manually scrutinizing the structures of the AES-like constructions. This paper presents a novel framework and an automatic tool based on mixed integer linear programming to search for mixture differential distinguishers for general constructions. This framework considers what equality patterns among quadruples can make a distinguisher and traces how the patterns propagate through cipher components with accurate probability estimation. With this tool, a 5-round AES distinguishing attack with lower complexity and more 6-round distinguishing attacks in the chosen plaintext scenarios are deduced. We prove that no exchange-type or mixture differential distinguisher exists for 7 and above rounds AES if the details of the Sbox and MixColumns matrix are not taken into account.

engineering, electrical & electronic

Xue Gong,Fan Zhang,Xinjie Zhao,Jie Xiao,Shize Guo

DOI: https://doi.org/10.1109/tifs.2024.3495234

IF: 7.231

2024-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Persistent Fault Analysis (PFA) is a powerful analysis technique proposed in CHES 2018, which utilizes those faults that are injected before execution and persist throughout the encryption. However, when it is applied to the block cipher which has multiple S-boxes, the key can not be recovered in just one attack. The adversary has to conduct the fault attack several times and inject faults into all the distinct S-boxes. In this paper, we propose Key Schedule Guided Persistent Fault Attack (KGPFA), which utilizes the key schedule to guide the fault injection and fault analysis. By analyzing the key schedule, KGPFA exploits the relations between the key leakages caused by the same faulty S-box in various rounds. It can reduce the number of attacks and the number of faults required to recover the key. Our major contributions are twofold. Firstly, in the fault injection step, we provide Key Schedule Guided Persistent Fault Injection (KGPFI) strategies to reduce the number of attacks and the number of faults under the assumption of both ciphertext-only and known-plaintext attacks. Secondly, in the fault analysis step, as our target ciphers are Feistel-based, we propose the Ineffective Algebraic Persistent Fault Analysis (IAPFA) to extend the usage of Algebraic Persistent Fault Analysis (APFA) in the ineffective persistent fault setting. To demonstrate the effectiveness of our technique, we apply KGPFA to four widely used block ciphers with multiple S-boxes, DES, 3DES, LBlock, and Camellia. In our experiment, in the ciphertext-only attack, the key of DES can be recovered with 300 ineffective ciphertexts (coresponding to 827 ciphertexts) and four faulty S-boxes within 12.18min. Under the assumption of known-plaintext, the key of DES is recovered within two faulty S-boxes in 2.34h. For LBlock, the key is recovered with two faulty S-boxes and 100 ineffective ciphertexts (coresponding to 6211 ciphertexts) in 1.16min.

Lorenzo Grassi,Christian Rechberger,Sondre Rønjom

DOI: https://doi.org/10.1007/978-3-319-56614-6_10

2017-01-01

Abstract:AES is probably the most widely studied and used block cipher. Also versions with a reduced number of rounds are used as a building block in many cryptographic schemes, e.g. several candidates of the SHA-3 and CAESAR competition are based on it.So far, non-random properties which are independent of the secret key are known for up to 4 rounds of AES. These include differential, impossible differential, and integral properties.In this paper we describe a new structural property for up to 5 rounds of AES, differential in nature and which is independent of the secret key, of the details of the MixColumns matrix (with the exception that the branch number must be maximal) and of the SubBytes operation. It is very simple: By appropriate choices of difference for a number of input pairs it is possible to make sure that the number of times that the difference of the resulting output pairs lie in a particular subspace is always a multiple of 8.We not only observe this property experimentally (using a small-scale version of AES), we also give a detailed proof as to why it has to exist. As a first application of this property, we describe a way to distinguish the 5-round AES permutation (or its inverse) from a random permutation with only $$2^{32}$$ chosen texts that has a computational cost of $$2^{35.6}$$ look-ups into memory of size $$2^{36}$$ bytes which has a success probability greater than 99%.

Xiaoqiang Zhang,Fan Yang,Xinxing Zheng,Xinggan Zhang,Ning Wu

DOI: https://doi.org/10.1587/elex.17.20200391

2020-01-01

IEICE Electronics Express

Abstract:Among Advanced Encryption Standard (AES) operations, MixColumns/InvMixColumns is the second most computationally complex operation after S-box. It occupies a large hardware resources and critical path delay (CPD) in AES hardware implementations. To reduce the hardware complexity of the MixColumns/InvMixColumns, a whole matrix joint optimization method is proposed in this paper. All coefficient multiplications in MixColumns/InvMixColumns are combined into a single matrix multiplication in the proposed method, and larger number of common subexpressions can be shared in the combined matrix. Therefore, the area can be drastically reduced in implementations. The validity of our whole matrix joint optimization is verified by theoretical analyses and synthesis tools. Both analyses results and synthesized results indicate that, compared with column joint optimization and row joint optimization, the optimization efficiency is improved greatly in the whole matrix joint optimization. Compared with previous works, our implementations have wider area-delay tradeoff, from less delay to minimal area cost.