Xiutao Feng,Fan Zhang,Hui Wang

2014-01-01

Abstract:PANDA is a family of authenticated ciphers submitted to CARSAR, which consists of two ciphers: PANDA-s and PANDA-b. In this work we present a state recovery attack against PANDA-s with time complexity about 2 under the known-plaintext-attack model, which needs about 132 pairs of known plaintext/ciphertext. Based on the above attack, we further deduce a forgery attack against PANDA-s. Our results show that PANDA-s is far from the goal of its security design (128-bit level).

Jeremy Jean,Ivica Nikolic,Yu Sasaki,Lei Wang

DOI: https://doi.org/10.1587/transfun.e99.a.39

2016-01-01

Abstract:We present two practical attacks on the CAESAR candidate PAES. The first attack is a universal forgery for any plaintext with at least 240 bytes. It works for the nonce-repeating variant of PAES and in a nutshell it is a state recovery based on solving differential equations for the S-Box leaked through the ciphertext that arise when the plaintext has a certain difference. We show that to produce the forgery based on this method the attacker needs only 211 time and data. The second attack is a distinguisher for 264 out of 2128 keys that requires negligible complexity and only one pair of known plaintext-ciphertext. The attack is based on the lack of constants in the initialization of the PAES which allows to exploit the symmetric properties of the keyless AES round. Both of our attacks contradict the security goals of PAES. key words: PAES · universal forgery · distinguisher · symmetric property · authenticated encryption

Jeremy Jean,Ivica Nikolic,Yu Sasaki,Lei Wang

DOI: https://doi.org/10.1007/978-3-319-13051-4_14

2014-01-01

Abstract:We present two practical attacks on the CAESAR candidate PAES. The first attack is a universal forgery for any plaintext with at least 240 bytes. It works for the nonce-repeating variant of PAES and in a nutshell it is a state recovery based on solving differential equations for the S-box leaked throught the ciphertext that arise when the plaintext has a certain difference. We show that to produce the forgery based on this method the attacker needs only 2(11) time and data. The second attack is a distinguisher for 2(64) out of 2(128) keys that requires negligible complexity and only one pair of known plaintext-ciphertext. The attack is based on the lack of constants in the initialization of the PAES which allows to exploit the symmetric properties of the keyless AES round. Both of our attacks contradict the security goals of PAES.

Qi Xie,Guilin Wang,Fubiao Xia,Deren Chen

DOI: https://doi.org/10.1002/cpe.3058

2013-01-01

Concurrency and Computation Practice and Experience

Abstract:By integrating self-certified public-key systems and the designated verifier proxy signature with message recovery, Wu and Lin proposed the first self-certified proxy convertible authenticated encryption (SP-CAE) scheme and its variants based on discrete logarithm problem (DLP) in 2009. Though their schemes are claimed provably secure, we demonstrate that their schemes are existentially forgeable under adaptive chosen warrants, unconfidentiable and verifiable under adaptive chosen messages and designated verifiers. Then we propose a provably secure SP-CAE scheme in the random oracle model.

Divij Handa,Zehua Zhang,Amir Saeidi,Chitta Baral

2024-10-23

Abstract:Recent advancements in the safety of Large Language Models (LLMs) have primarily focused on mitigating attacks crafted in natural language or in common encryption techniques like Base64. However, new models which often possess better reasoning capabilities, open the door to new attack vectors that were previously non-existent in older models. This seems counter-intuitive at first glance, but these advanced models can decipher more complex cryptic queries that previous models could not, making them susceptible to attacks using such prompts. To exploit this vulnerability, we propose Attacks using Custom Encryptions (ACE), a novel method to jailbreak LLMs by leveraging custom encryption schemes. We evaluate the effectiveness of ACE on four state-of-the-art LLMs, achieving Attack Success Rates (ASR) of up to 66% on close-source models and 88% on open-source models. Building upon this, we introduce Layered Attacks using Custom Encryptions (LACE), which employs multiple layers of encryption through our custom ciphers to further enhance the ASR. Our findings demonstrate that LACE significantly enhances the ability to jailbreak LLMs, increasing the ASR of GPT-4o from 40% to 78%, a 38% improvement. Our results highlight that the advanced capabilities of LLMs introduce unforeseen vulnerabilities to complex attacks. Specifically complex and layered ciphers increase the chance of jailbreaking.

Computation and Language,Artificial Intelligence

Jérémy Jean,Yu Sasaki,Lei Wang

DOI: https://doi.org/10.1007/978-3-319-31301-6_28

2015-01-01

Abstract:In this paper, we present the first third-party cryptanalysis against the authenticated encryption scheme Silver. In high-level, Silver builds a tweakable block cipher by tweaking AES-128 with a dedicated method and performs a similar computation as OCB3 to achieve 128-bit security for both of integrity and confidentiality in nonce-respecting model. Besides, by modifying the tag generation of OCB3, some robustness against nonce-repeating adversaries is claimed. We first present a forgery attack against 8 out of 10 rounds with $$2^{111}$$2111 blocks of queries in the nonce-respecting model. The attack exploits a weakness of the dedicated AES tweaking method of Silver. Then, we present several attacks in the nonce-repeating model. Those include 1 a forgery against full Silver with $$2^{49.46}$$249.46 blocks of queries which matches a conservative security claim by the designers, 2 a plaintext recovery against full Silver with a single query and 3 a key recovery against 8 rounds with $$2^{111}$$2111 blocks of queries. In particular, the plaintext recovery breaks the security claim by the designers. Considering that the current best key recovery for plain AES-128 is up﾿to seven rounds, Silver lowers the security margin of AES due to its tweaking method. The attacks have been partially implemented and experimentally verified.

Fan Zhang,Zi-yuan Liang,Bo-lin Yang,Xin-jie Zhao,Shi-ze Guo,Kui Ren

DOI: https://doi.org/10.1631/fitee.1800576

IF: 2.526

2018-01-01

Frontiers of Information Technology & Electronic Engineering

Abstract:The Competition for Authenticated Encryption: Security, Applicability, and Robustness (CAESAR) supported by the National Institute of Standards and Technology (NIST) is an ongoing project calling for submissions of authenticated encryption (AE) schemes. The competition itself aims at enhancing both the design of AE schemes and related analysis. The design goal is to pursue new AE schemes that are more secure than advanced encryption standard with Galois/counter mode (AES-GCM) and can simultaneously achieve three design aspects: security, applicability, and robustness. The competition has a total of three rounds and the last round is approaching the end in 2018. In this survey paper, we first introduce the requirements of the proposed design and the progress of candidate screening in the CAESAR competition. Second, the candidate AE schemes in the final round are classified according to their design structures and encryption modes. Third, comprehensive performance and security evaluations are conducted on these candidates. Finally, the research trends of design and analysis of AE for the future are discussed.

Xinjie Zhao,Tao Wang,Shize Guo,Fan Zhang,Zhijie Shi,Huiying Liu,Kehui Wu

2011-01-01

Abstract:Introduced in 2009, Algebraic Side-Channel Attack (ASCA) has become a very effective cryptanalysis technique that is different from conventional side-channel attacks such as DPA and CPA. In this paper, we propose an innovative and generic attack framework named as SATETASCA (SAT based Error Tolerant Algebraic Side-Channel Attack). The proposed framework is effective even if the leakage information is not accurate and has large variants or errors. We show its generality by successfully launching SAT-ETASCA to AES on two different platforms, using different types of leakages. The first attack is to an AES implementation on an 8-bit microcontroller, using the Hamming weight leakage model. We demonstrate that SAT-ETASCA can recover the full key even when the obtained leakage information has about 60% errors. The second attack is based on an innovative idea of applying the external cache …

Xinjie Zhao,Fan Zhang,Shize Guo,Tao Wang,Zhijie Shi,Huiying Liu,Keke Ji

DOI: https://doi.org/10.1007/978-3-642-29912-4_17

2012-01-01

Abstract:Algebraic side-channel attack (ASCA) is a powerful cryptanalysis technique different from conventional side-channel attacks. This paper studies ASCA from three aspects: enhancement, analysis and application. To enhance ASCA, we propose a generic method, called Multiple Deductions-based ASCA (MDASCA), to cope the multiple deductions caused by inaccurate measurements or interferences. For the first time, we show that ASCA can exploit cache leakage models. We analyze the attacks and estimate the minimal amount of leakages required for a successful ASCA on AES under different leakage models. In addition, we apply MDASCA to attack AES on an 8-bit microcontroller under Hamming weight leakage model, on two typical microprocessors under access driven cache leakage model, and on a 32-bit ARM microprocessor under trace driven cache leakage model. Many better results are achieved compared to the previous work. The results are also consistent with the theoretical analysis. Our work shows that MDASCA poses great threats with its excellence in error tolerance and new leakage model exploitation.

Fan Zhang,Xiaofei Dong,Xinjie Zhao,Yidi Wang,Samiya Qureshi,Yiran Zhang,Xiaoxuan Lou,Yongkang Tang

DOI: https://doi.org/10.1109/MASS.2018.00056

2018-01-01

Abstract:This paper proposed an advanced round modification fault analysis (RMFA) at the theoretical level on AEGIS-128, which is one of seven finalists in CAESAR competition. First, we clarify our assumptions and simplifications on the attack model, focusing on the encryption security. Then, we emphasize the difficulty of applying vanilla RMFA to AEGIS-128 in the practical case. Finally we demonstrate our advanced fault analysis on AEGIS-128 using machine-solver based algebraic techniques. Our enhancement can be used to conquer the practical scenario which is difficult for vanilla RMFA. Simulation results show that when the fault is injected to the initialization phase and the number of rounds is reduced to one, two samples of injections can extract the whole 128 key bits within less than two hours. This work can also be extended to other versions such as AEGIS-256.

Yu Sasaki,Lei Wang

DOI: https://doi.org/10.1007/978-3-319-12280-9_6

2014-01-01

Abstract:In this paper, a new cryptanalysis approach for a class of authenticated encryption schemes is presented, which is inspired by the previous length extension attack against hash function based MACs. The approach is called message extension attack. The target class is the schemes that initialize the internal state with nonce and key, update the state by associated data and message, extract key stream from the state, and finally generate a tag from the updated state. A forgery attack can be mounted in the nonce-repeating model in the chosen-plaintext scenario when a function to update the internal state is shared for processing the message and generating the tag. The message extension attack is then applied to PANDA, which is a dedicated authenticated encryption design submitted to CAESAR. An existential forgery attack is mounted with 25 chosen plaintexts, 264 computations, and a negligible memory, which breaks the claimed 128-bit security for the nonce-repeating model. This is the first result that breaks the security claim of PANDA.

Fan Zhang,Shize Guo,Xinjie Zhao,Tao Wang,Jian Yang,Francois-Xavier Standaert,Dawu Gu

DOI: https://doi.org/10.1109/tifs.2016.2516905

2019-01-01

Abstract:Algebraic fault analysis (AFA), which combines algebraic cryptanalysis with fault attacks, has represented serious threats to the security of lightweight block ciphers. Inspired by an earlier framework for the analysis of side-channel attacks presented at EUROCRYPT 2009, a new generic framework is proposed to analyze and evaluate algebraic fault attacks on lightweight block ciphers. We interpret AFA at three levels: 1) the target; 2) the adversary; and 3) the evaluator. We describe the capability of an adversary in four parts: 1) the fault injector; 2) the fault model describer; 3) the cipher describer; and 4) the machine solver. A formal fault model is provided to cover most of current fault attacks. Different strategies of building optimal equation set are also provided to accelerate the solving process. At the evaluator level, we consider the approximate information metric and the actual security metric. These metrics can be used to guide adversaries, cipher designers, and industrial engineers. To verify the feasibility of the proposed framework, we make a comprehensive study of AFA on an ultra-lightweight block cipher called LBlock. Three scenarios are exploited, which include injecting a fault to encryption, to key scheduling, or modifying the round number or counter. Our best results show that a single fault injection is enough to recover the master key of LBlock within the affordable complexity in each scenario. To verify the generic feature of the proposed framework, we apply AFA to three other block ciphers, i.e., Data Encryption Standard, PRESENT, and Twofish. The results demonstrate that our framework can be used for different ciphers with different structures.

Fan Zhang,Xinjie Zhao,Wei He,Shivam Bhasin,Shize Guo

DOI: https://doi.org/10.1007/s11432-016-0233-0

2017-01-01

Science China Information Sciences

Abstract:>Fault analysis is a very powerful technique to break cryptographic implementations.In particular,bitlevel fault analysis(BLFA),where faults are injected by flipping one or a few isolated bits,are among the most efficient of the lot.BLFA requires both precise fault injection capabilities and sophisticated key extraction skills.Algebraic fault analysis(AFA)[1]is a good analysis technique for BLFA.Compared with differential fault analysis(DFA),AFA relies on the automation from machine solvers.Since it fully utilizes the leakages

Yinsong Xu,Wenjie Liu,Wenbin Yu

DOI: https://doi.org/10.1007/s11128-021-03036-w

2023-09-23

Abstract:The classic forgery attacks on COPA, AES-COPA and Marble authenticated encryption algorithms need to query about 2^(n/2) times, and their success probability is not high. To solve this problem, the corresponding quantum forgery attacks on COPA, AES-COPA and Marble authenticated encryption algorithms are presented. In the quantum forgery attacks on COPA and AES-COPA, we use Simon's algorithm to find the period of the tag generation function in COPA and AES-COPA by querying in superposition, and then generate a forged tag for a new message. In the quantum forgery attack on Marble, Simon's algorithm is used to recover the secret parameter L, and the forged tag can be computed with L. Compared with classic forgery attacks on COPA, AES-COPA and Marble, our attack can reduce the number of queries from O(2^(n/2)) to O(n) and improve success probability close to 100%.

Quantum Physics,Cryptography and Security,Emerging Technologies

Luyao Xu,Zhengyi Dai,Baofeng Wu,Dongdai Lin

DOI: https://doi.org/10.46586/tches.v2023.i2.568-586

2023-01-01

IACR Transactions on Cryptographic Hardware and Embedded Systems

Abstract:Lattice reduction algorithms have been proved to be one of the most powerful and versatile tools in public key cryptanalysis. In this work, we primarily concentrate on lattice attacks against (EC)DSA with nonce leakage via some sidechannel analysis. Previous works relying on lattice reduction algorithms such as LLL and BKZ will finally lead to the “lattice barrier”: lattice algorithms become infeasible when only fewer nonce is known. Recently, Albrecht and Heninger introduced lattice algorithms augmented with a predicate and broke the lattice barrier (Eurocrypt 2021). We improve their work in several aspects. We first propose a more efficient predicate algorithm which aims to search for the target lattice vector in a large database. Then, we combine sieving with predicate algorithm with the “dimensions for free” and “progressive sieving” techniques to further improve the performance of our attacks. Furthermore, we give a theoretic analysis on how to choose the optimal Kannan embedding factor. As a result, our algorithm outperforms the state-of-the-art lattice attacks for existing records such as 3-bit nonce leakage for a 256-bit curve and 2-bit nonce leakage for a 160-bit curve in terms of running time, sample numbers and success probability. We also break the lattice records on the 384-bit curve with 3-bit nonce leakage and the 256-bit curve with 2-bit nonce leakage which are thought infeasible previously. Finally, we give the first lattice attack against ECDSA with a single-bit nonce leakage, which enables us to break a 112-bit curve with 1-bit nonce leakage in practical time.

Xiaojuan Zhang,Dongdai Lin

DOI: https://doi.org/10.1007/978-3-319-75160-3_21

2017-01-01

Abstract:Acorn is a third-round candidate of the CAESAR competition. It is a lightweight authenticated stream cipher. In this paper, we show how to recover the initial state of Acorn when one pair of Key and IV is used to encrypt three messages. Our method contains two main steps: (1) gathering different states; (2) retrieving linear equations. At the first step, we demonstrate how to gather the relation between states when two different plaintexts are encrypted under the same nonce. And at the second step, we exploit how to retrieve a system of linear equations with respect to the initial state, and how to recover the initial state from this system of equations. We apply this method to both Acorn v2 and Acorn v3. The time complexity to recover the initial state of Acorn v2 is (2^{78} c), where c is the time complexity of solving linear equations. It is lower than that of the previous methods. For Acorn v3, we can recover the initial state with the time complexity of (2^{120.6}c), lower than that of the exhaustion attack. We also apply it on shrunk ciphers with similar structure and properties of Acorn v2 and Acorn v3 to prove the validity of our method. This paper is the first time to analyze Acorn v3 when a nonce is reused and our method provides some insights into the diffusion ability of such stream ciphers.

Zehong (Zephyr) Qiu,Fan Zhang

DOI: https://doi.org/10.46586/tches.v2023.i3.570-596

2023-01-01

Abstract:Algebraic Fault Analysis (AFA) is a cryptanalysis for block ciphers proposed by Courtois et al., which incorporates algebraic cryptanalysis to overcome the complexity of manual analysis within the context of Differential Fault Analysis (DFA). The effectiveness of AFA on lightweight block ciphers has been demonstrated. However, the complexity of the algebraic systems prevents it from attacking heavyweight block ciphers efficiently. In this paper, we propose a novel cryptanalysis called Redundancies-assisted Algebraic Fault Analysis (RAFA) to facilitate the solution of algebraic systems in the setting of heavyweight block ciphers. The core idea of RAFA is to expedite SAT solvers by modifying the algebraic systems, which is accomplished via two methods. The first method introduces redundant constraints, which is proposed for the first time in the context of algebraic cryptanalysis. The second one is a sophisticated linearization of the nonlinear Algebraic Normal Form (ANF). It takes RAFA for about 9.68 hours to attack AES-128. To the best of our knowledge, this is the first work that uses a general SAT solver to attack AES with only a single injection of byte-fault. Moreover, RAFA can attack AES-128 in 50.92 and 27.54 minutes for nibble- and bit-based fault model, respectively. In comparison, the traditional DFA algorithm implemented by pure C takes 4 ~ 5 hours under all three fault models investigated in this work. Moreover, in order to show the generality of RAFA, we also apply it to other heavyweight block ciphers. The best results show that RAFA could recover the key of Serpent-256 and SPEEDY-r-192 in 20.7 and 1.5 hours using only three faults, respectively. In comparison, AFA could not break these two ciphers even when 30 bits and 50 bits of their keys are known, respectively. Furthermore, no DFA work on Serpent or SPEEDY is known using comparable fault models.

Xiaojuan Zhang,Xiutao Feng,Dongdai Lin

DOI: https://doi.org/10.1155/2017/3834685

IF: 1.968

2017-01-01

Security and Communication Networks

Abstract:Fault attack is an efficient cryptanalysis method against cipher implementations and has attracted a lot of attention in recent public cryptographic literatures. In this work we introduce a fault attack on the CAESAR candidate ACORN v2. Our attack is done under the assumption of random fault injection into an initial state of ACORN v2 and contains two main steps: fault locating and equation solving. At the first step, we first present a fundamental fault locating method, which uses 99-bit output keystream to determine the fault injected location with probability 97.08%. And then several improvements are provided, which can further increase the probability of fault locating to almost 1. As for the system of equations retrieved at the first step, we give two solving methods at the second step, that is, linearization and guess-and-determine. The time complexity of our attack is not larger than c·2179.19-1.76N at worst, where N is the number of fault injections such that 31≤N≤88 and c is the time complexity of solving linear equations. Our attack provides some insights into the diffusion ability of such compact stream ciphers.

Jianting Ning,Xinyi Huang,Geong Sen Poh,Jiaming Yuan,Yingjiu Li,Jian Weng,Robert H. Deng

DOI: https://doi.org/10.1145/3460120.3484540

2021-01-01

Abstract:Searchable Encryption (SE) enables private queries on encrypted documents. Most existing SE schemes focus on constructing industrial-ready, practical solutions at the expense of information leakages that are considered acceptable. In particular, ShadowCrypt utilizes a cryptographic approach named ''efficiently deployable, efficiently searchable encryption'' (EDESE) that reveals the encrypted dataset and the query tokens among other information. However, recent attacks showed that such leakages can be exploited to (partially) recover the underlying keywords of query tokens under certain assumptions on the attacker's background knowledge. We continue this line of work by presenting LEAP, a new leakage-abuse attack on EDESE schemes that can accurately recover the underlying keywords of query tokens based on partially known documents and the L2 leakage as per defined by Cash et al. (CCS '15). As an auxiliary function, our attack supports document recovery in the similar setting. To the best of our knowledge, this is the first attack on EDESE schemes that achieves keyword recovery and document recovery without error based on partially known documents and L2 leakage. We conduct extensive experiments to demonstrate the effectiveness of our attack by varying levels of attacker's background knowledge.

Thomas Peyrin,Siang Meng Sim,Lei Wang,Guoyan Zhang

DOI: https://doi.org/10.1007/978-3-662-48116-5_13

2015-01-01

Abstract:In this article, we analyse the security of the authenticated encryption mode JAMBU, a submission to the CAESAR competition that remains currently unbroken. We show that the security claims of this candidate regarding its nonce-misuse resistance can be broken. More precisely, we explain a technique to guess in advance a ciphertext block corresponding to a plaintext that has never been queried before (nor its prefix), thus breaking the confidentiality of the scheme when the attacker can make encryption queries with the same nonce. Our attack is very practical as it requires only about 2(32) encryption queries and computations (instead of the 2(128) claimed by the designers). Our cryptanalysis has been fully implemented in order to verify our findings. Moreover, due to the small tag length of JAMBU, we show how this attack can be extended in the nonce-respecting scenario to break confidentiality in the adaptive chosen-ciphertext model (IND-CCA2) with 2(96) computations, with message prefixes not previously queried.