Jeremy Jean,Ivica Nikolic,Yu Sasaki,Lei Wang

DOI: https://doi.org/10.1007/978-3-319-13051-4_14

2014-01-01

Abstract:We present two practical attacks on the CAESAR candidate PAES. The first attack is a universal forgery for any plaintext with at least 240 bytes. It works for the nonce-repeating variant of PAES and in a nutshell it is a state recovery based on solving differential equations for the S-box leaked throught the ciphertext that arise when the plaintext has a certain difference. We show that to produce the forgery based on this method the attacker needs only 2(11) time and data. The second attack is a distinguisher for 2(64) out of 2(128) keys that requires negligible complexity and only one pair of known plaintext-ciphertext. The attack is based on the lack of constants in the initialization of the PAES which allows to exploit the symmetric properties of the keyless AES round. Both of our attacks contradict the security goals of PAES.

Jeremy Jean,Ivica Nikolic,Yu Sasaki,Lei Wang

DOI: https://doi.org/10.1587/transfun.e99.a.39

2016-01-01

Abstract:We present two practical attacks on the CAESAR candidate PAES. The first attack is a universal forgery for any plaintext with at least 240 bytes. It works for the nonce-repeating variant of PAES and in a nutshell it is a state recovery based on solving differential equations for the S-Box leaked through the ciphertext that arise when the plaintext has a certain difference. We show that to produce the forgery based on this method the attacker needs only 211 time and data. The second attack is a distinguisher for 264 out of 2128 keys that requires negligible complexity and only one pair of known plaintext-ciphertext. The attack is based on the lack of constants in the initialization of the PAES which allows to exploit the symmetric properties of the keyless AES round. Both of our attacks contradict the security goals of PAES. key words: PAES · universal forgery · distinguisher · symmetric property · authenticated encryption

Fan Zhang,Xiaofei Dong,Xinjie Zhao,Yidi Wang,Samiya Qureshi,Yiran Zhang,Xiaoxuan Lou,Yongkang Tang

DOI: https://doi.org/10.1109/MASS.2018.00056

2018-01-01

Abstract:This paper proposed an advanced round modification fault analysis (RMFA) at the theoretical level on AEGIS-128, which is one of seven finalists in CAESAR competition. First, we clarify our assumptions and simplifications on the attack model, focusing on the encryption security. Then, we emphasize the difficulty of applying vanilla RMFA to AEGIS-128 in the practical case. Finally we demonstrate our advanced fault analysis on AEGIS-128 using machine-solver based algebraic techniques. Our enhancement can be used to conquer the practical scenario which is difficult for vanilla RMFA. Simulation results show that when the fault is injected to the initialization phase and the number of rounds is reduced to one, two samples of injections can extract the whole 128 key bits within less than two hours. This work can also be extended to other versions such as AEGIS-256.

Jieshen Mao,Daoguang Mu,Xuejia Lai

DOI: https://doi.org/10.2991/esac-15.2015.32

2015-01-01

Abstract:The CAESAR competition is launched in 2013 which aims to find some authenticated encryption with good security and performance. Among these submissions, LAC is designed in a unique way with leaked-state structure. In this paper, based on birthday paradox, we find a forgery attack on LAC in nonce-misused case with time complexity 228. Moreover, we generalize the attack on normal version of leaked-state authenticated encryption and conclude some suggestions on how to use such structure.

Xiutao Feng,Fan Zhang,Hui Wang

2014-01-01

Abstract:PANDA is a family of authenticated ciphers submitted to CARSAR, which consists of two ciphers: PANDA-s and PANDA-b. In this work we present a state recovery attack against PANDA-s with time complexity about 2 under the known-plaintext-attack model, which needs about 132 pairs of known plaintext/ciphertext. Based on the above attack, we further deduce a forgery attack against PANDA-s. Our results show that PANDA-s is far from the goal of its security design (128-bit level).

Ya Liu,Bing Shi,Dawu Gu,Fengyu Zhao,Wei Li,Zhiqiang Liu

DOI: https://doi.org/10.1093/comjnl/bxaa028

2020-01-01

The Computer Journal

Abstract:In ASIACRYPT 2014, Jean et al. proposed the authentication encryption scheme Deoxys, which is one of the third-round candidates in CAESAR competition. Its internal block cipher is called Deoxys-BC that adopts the tweakey frame. Deoxys-BC has two versions of the tweakey size that are 256 bits and 384 bits, denoted by Deoxys-BC-256 and Deoxys-BC-384, respectively. In this paper, we revaluate the security of Deoxys-BC-256 against the meet-in-the-middle attack to obtain some new results. First, we append one round at the top and two rounds at the bottom of a 6-round distinguisher to form a 9-round truncated differential path with the probability of $2^{-144}$. Based on it, the adversary can attack 9-round Deoxys-BC-256 with $2^{108}$ chosen plaintext-tweaks, $2^{113.6}$ encryptions and $2^{102}$ blocks. Second, we construct a new 6.5-round distinguisher to form 10-round attacking path with the probability of $2^{-152}$. On the basis of it, the adversary could attack 10-round Deoxys-BC-256 with $2^{115}$ chosen plaintext-tweaks, $2^{171}$ encryptions and $2^{152}$ blocks. These two attacks improve the previous cryptanalytic results on reduced-round Deoxys-BC-256 against the meet-in-the-middle attack.

Shize Guo,Xinjie Zhao,Fan Zhang,Tao Wang,Zhijie Jerry Shi,Francois-Xavier Standaert,Chujiao Ma

DOI: https://doi.org/10.1109/tifs.2014.2315534

IF: 7.231

2014-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Algebraic side-channel attack (ASCA) is a typical technique that relies on a general solver to solve the equations of a cipher and its side-channel leaks. It falls under analytical side-channel attack and can recover the entire key at once. Many ASCAs are proposed against the AES, and they utilize the Grobner basis-based, SAT-based, or optimizer-based solver. The advantage of the general solver approach is its generic feature, which can be easily applied to different cryptographic algorithms. The disadvantage is that it is difficult to take into account the specialized properties of the targeted cryptographic algorithms. The results vary depending on what type of solver is used, and the time complexity is quite high when considering the error-tolerant attack scenarios. Thus, we were motivated to find a new approach that would lessen the influence of the general solver and reduce the time complexity of ASCA. This paper proposes a new analytical side-channel attack on AES by exploiting the incomplete diffusion feature in one AES round. We named our technique incomplete diffusion analytical side-channel analysis (IDASCA). Different from previous ASCAs, IDASCA adopts a specialized approach to recover the secret key of AES instead of the general solver. Extensive attacks are performed against the software implementation of AES on an 8-bit microcontroller. Experimental results show that: 1) IDASCA can exploit the side-channel leaks in all AES rounds using a single power trace; 2) it has less time complexity and more robustness than previous ASCAs, especially when considering the error-tolerant attack scenarios; and 3) it can calculate the reduced key search space of AES for the given amount of side-channel leaks. IDASCA can also interpret the mechanism behind previous ASCAs on AES from a quantitative perspective, such as why ASCA can work under unknown plaintext/ciphertext scenarios and what are the extreme cases in ASCAs.

ZHAO Xin-jie,GUO Shi-ze,WANG Tao,ZHANG Fan

DOI: https://doi.org/10.3969/j.issn.1671-1742.2012.06.001

2012-01-01

Abstract:The security of EPCBC,a lightweight block cipher proposed in CANS 2011,against the side-channel cube attack is evaluated by combining cube cryptanalysis with side-channel attack under the 8-bit Hamming weight leakage model.Under the black-box attack scenario,the adversary firstly generates random cube and superpoly.Then the cube is used to generate chosen plaintexts.The adversary deduces one bit of the intermediate state from the side-channel attack for each chosen plaintext and computes the high order differences of these one bit values to verify the relations between the cube and superpoly.Simulation experiments are launched on two variants of EPCBC with different block lengths.The results demonstrate that the unprotected implementation of EPCBC is vulnerable to side-channel cube attacks.If the adversary can accurately deduce the Hamming weight of the intermediate states from the side-channel leakages,many cubes and superpolys can be extracted and used for key recovery.372 chosen plaintexts can recover 48-bit of the master key for EPCBC(48,96) and reduce the key search space to 248.610 chosen plaintexts can recover full 96-bit of the master key for EPCBC(96,96) directly.The techniques of this paper can provide certain references to black-box side-channel cube attacks on other block ciphers.

Yufeng Tang,Zheng Gong,Tao Sun,Jinhai Chen,Fan Zhang

DOI: https://doi.org/10.1007/978-3-030-88323-2_22

2021-01-01

Abstract:White-box block cipher (WBC) aims at protecting the secret key of a block cipher even if an adversary has full control over the implementations. At CHES 2016, Bos et al. proved that WBC are also threatened by side-channel analysis (SCA), e.g., differential fault analysis (DFA) and differential computation analysis (DCA). Therefore, advanced countermeasures have been proposed by Lee et al. for resisting DFA and DCA, such as table redundancy and improved masking methods, respectively. In this paper, we introduce a new adaptive side-channel analysis model which assumes that an adversary adaptively collects the intermediate values of a specific function and can mount the DFA/DCA attack with chosen inputs. In the adaptive SCA model, both theoretical analysis and experimental results show that Lee et al.’s proposed methods are vulnerable to DFA and DCA attacks. Moreover, a negative proposition is also demonstrated on the corresponding high-order countermeasures under our new model.

Zehong (Zephyr) Qiu,Fan Zhang

DOI: https://doi.org/10.46586/tches.v2023.i3.570-596

2023-01-01

Abstract:Algebraic Fault Analysis (AFA) is a cryptanalysis for block ciphers proposed by Courtois et al., which incorporates algebraic cryptanalysis to overcome the complexity of manual analysis within the context of Differential Fault Analysis (DFA). The effectiveness of AFA on lightweight block ciphers has been demonstrated. However, the complexity of the algebraic systems prevents it from attacking heavyweight block ciphers efficiently. In this paper, we propose a novel cryptanalysis called Redundancies-assisted Algebraic Fault Analysis (RAFA) to facilitate the solution of algebraic systems in the setting of heavyweight block ciphers. The core idea of RAFA is to expedite SAT solvers by modifying the algebraic systems, which is accomplished via two methods. The first method introduces redundant constraints, which is proposed for the first time in the context of algebraic cryptanalysis. The second one is a sophisticated linearization of the nonlinear Algebraic Normal Form (ANF). It takes RAFA for about 9.68 hours to attack AES-128. To the best of our knowledge, this is the first work that uses a general SAT solver to attack AES with only a single injection of byte-fault. Moreover, RAFA can attack AES-128 in 50.92 and 27.54 minutes for nibble- and bit-based fault model, respectively. In comparison, the traditional DFA algorithm implemented by pure C takes 4 ~ 5 hours under all three fault models investigated in this work. Moreover, in order to show the generality of RAFA, we also apply it to other heavyweight block ciphers. The best results show that RAFA could recover the key of Serpent-256 and SPEEDY-r-192 in 20.7 and 1.5 hours using only three faults, respectively. In comparison, AFA could not break these two ciphers even when 30 bits and 50 bits of their keys are known, respectively. Furthermore, no DFA work on Serpent or SPEEDY is known using comparable fault models.

Xinjie Zhao,Shize Guo,Fan Zhang,Tao Wang,Zhijie Shi,Hao Luo

DOI: https://doi.org/10.1587/transfun.e96.a.332

2012-01-01

IEICE Transactions on Fundamentals of Electronics Communications and Computer Sciences

Abstract:This paper proposes several improved Side-channel cube attacks (SCCAs) on PRESENT-80/128 under single bit leakage model. Assuming the leakage is in the output of round 3 as in previous work, we discover new results of SCCA on PRESENT. Then an enhanced SCCA is proposed to extract key related non-linear equations. 64-bit key for both PRESENT-80 and 128 can be obtained. To mount more effective attack, we utilize the leakage in round 4 and enhance SCCA in two ways. A partitioning scheme is proposed to handle huge polynomials, and an iterative scheme is proposed to extract more key bits. With these enhanced techniques, the master key search space can be reduced to 28 for PRESENT-80 and to 229 for PRESENT-128.

Nasour Bagheri,Tao Huang,Keting Jia,Florian Mendel,Yu Sasaki

DOI: https://doi.org/10.1007/978-3-662-52993-5_28

2016-01-01

Abstract:NORX is a second round candidate of the ongoing CAESAR competition for authenticated encryption. It is a nonce based authenticated encryption scheme based on the sponge construction. Its two variants denoted by NORX32 and NORX64 provide a security level of 128 and 256 bits, respectively. In this paper, we present a state/key recovery attack for both variants with the number of rounds of the core permutation reduced to 2 out of 4 rounds. The time and data complexities of the attack for NORX32 are $$2^{119}$$ and $$ 2^{66} $$ respectively, and for NORX64 are $$ 2^{234} $$ and $$ 2^{132} $$ respectively, while the memory complexity is negligible. Furthermore, we show a state recovery attack against NORX in the parallel mode using an internal differential attack for 2 rounds of the permutation. The data, time and memory complexities of the attack for NORX32 are $$2^{7.3}$$, $$2^{124.3}$$ and $$2^{115}$$ respectively and for NORX64 are $$2^{6.2}$$, $$2^{232.8}$$ and $$2^{225}$$ respectively. Finally, we present a practical distinguisher for the keystream of NORX64 based on two rounds of the permutation in the parallel mode using an internal differential-linear attack. To the best of our knowledge, our results are the best known results for NORX in nonce respecting manner.

Xiaoxuan Lou,Fan Zhang,Guorui Xu,Ziyuan Liang,Xinjie Zhao,Shize Guo,Kui Ren

DOI: https://doi.org/10.1007/978-3-030-42921-8_29

2020-01-01

Abstract:Block ciphers with Feistel structures are vulnerable to a specific type of cache attacks named differential cache attacks. The attacks leverage side-channel leakages from cache and differential property of cipher component to reveal the master key of cipher. In this paper, we combine the algebraic analysis to enhance the attacks, and propose a novel method named Algebraic Differential Cache Attack (ADCA). By converting both cipher and cache leakages to algebraic equations, ADCA can reveal the cipher key automatically with the help of the SAT solver, which allows the analysis on much deeper rounds and makes a considerable reduction in attack complexity. When it is applied to the block cipher SM4, 10 plaintexts are enough to reveal the master key in 8-rounds analysis, while the traditional differential cache attack needs 20 ones. Finally, to eliminate the impact from noise, an error-tolerant method is proposed to deduce cache events from the leakage traces. It vastly enhances the robustness of attack, and makes the attack more practical. The experimental results show that the error-tolerant ADCA can correctly reveal the master key even when the uncertainty rate of cache events reaches to 60%.

Thomas Peyrin,Siang Meng Sim,Lei Wang,Guoyan Zhang

DOI: https://doi.org/10.1007/978-3-662-48116-5_13

2015-01-01

Abstract:In this article, we analyse the security of the authenticated encryption mode JAMBU, a submission to the CAESAR competition that remains currently unbroken. We show that the security claims of this candidate regarding its nonce-misuse resistance can be broken. More precisely, we explain a technique to guess in advance a ciphertext block corresponding to a plaintext that has never been queried before (nor its prefix), thus breaking the confidentiality of the scheme when the attacker can make encryption queries with the same nonce. Our attack is very practical as it requires only about 2(32) encryption queries and computations (instead of the 2(128) claimed by the designers). Our cryptanalysis has been fully implemented in order to verify our findings. Moreover, due to the small tag length of JAMBU, we show how this attack can be extended in the nonce-respecting scenario to break confidentiality in the adaptive chosen-ciphertext model (IND-CCA2) with 2(96) computations, with message prefixes not previously queried.

Yu Sasaki,Lei Wang

DOI: https://doi.org/10.1007/978-3-319-12280-9_6

2014-01-01

Abstract:In this paper, a new cryptanalysis approach for a class of authenticated encryption schemes is presented, which is inspired by the previous length extension attack against hash function based MACs. The approach is called message extension attack. The target class is the schemes that initialize the internal state with nonce and key, update the state by associated data and message, extract key stream from the state, and finally generate a tag from the updated state. A forgery attack can be mounted in the nonce-repeating model in the chosen-plaintext scenario when a function to update the internal state is shared for processing the message and generating the tag. The message extension attack is then applied to PANDA, which is a dedicated authenticated encryption design submitted to CAESAR. An existential forgery attack is mounted with 25 chosen plaintexts, 264 computations, and a negligible memory, which breaks the claimed 128-bit security for the nonce-repeating model. This is the first result that breaks the security claim of PANDA.

Wei Wang,Xiaoyun Wang

2007-01-01

Abstract:This paper presents an improved impossible differential attack on the new block cipher CLEFIA which is proposed by Sony Corporation at FSE 2007. Combining some observations with new tricks, we can filter out the wrong keys more efficiently, and improve the impossible differential attack on 11-round CLEFIA-192/256, which also firstly works for CLEFIA-128. The complexity is about 2 encryptions and 2 chosen plaintexts. By putting more constraint conditions on plaintext pairs, we give the first attack on 12-round CLEFIA for all three key lengths with 2 encryptions and 2 chosen plaintexts. For CLEFIA-192/256, our attack is applicable to 13-round variant, of which the time complexity is about 2, and the data complexity is 2. We also extend our attack to 14-round CLEFIA-256, with about 2 encryptions and 2 chosen plaintexts. Moreover, a birthday sieve method is introduced to decrease the complexity of the core precomputation.

Xiaojuan Zhang,Dongdai Lin

DOI: https://doi.org/10.1007/978-3-319-75160-3_21

2017-01-01

Abstract:Acorn is a third-round candidate of the CAESAR competition. It is a lightweight authenticated stream cipher. In this paper, we show how to recover the initial state of Acorn when one pair of Key and IV is used to encrypt three messages. Our method contains two main steps: (1) gathering different states; (2) retrieving linear equations. At the first step, we demonstrate how to gather the relation between states when two different plaintexts are encrypted under the same nonce. And at the second step, we exploit how to retrieve a system of linear equations with respect to the initial state, and how to recover the initial state from this system of equations. We apply this method to both Acorn v2 and Acorn v3. The time complexity to recover the initial state of Acorn v2 is (2^{78} c), where c is the time complexity of solving linear equations. It is lower than that of the previous methods. For Acorn v3, we can recover the initial state with the time complexity of (2^{120.6}c), lower than that of the exhaustion attack. We also apply it on shrunk ciphers with similar structure and properties of Acorn v2 and Acorn v3 to prove the validity of our method. This paper is the first time to analyze Acorn v3 when a nonce is reused and our method provides some insights into the diffusion ability of such stream ciphers.

Fukang Liu,Takanori Isobe,Willi Meier,Kosei Sakamoto

DOI: https://doi.org/10.46586/tosc.v2021.i2.104-139

2021-06-11

IACR Transactions on Symmetric Cryptology

Abstract:AEGIS-128 and Tiaoxin-346 (Tiaoxin for short) are two AES-based primitives submitted to the CAESAR competition. Among them, AEGIS-128 has been selected in the final portfolio for high-performance applications, while Tiaoxin is a third-round candidate. Although both primitives adopt a stream cipher based design, they are quite different from the well-known bit-oriented stream ciphers like Trivium and the Grain family. Their common feature consists in the round update function, where the state is divided into several 128-bit words and each word has the option to pass through an AES round or not. During the 6-year CAESAR competition, it is surprising that for both primitives there is no third-party cryptanalysis of the initialization phase. Due to the similarities in both primitives, we are motivated to investigate whether there is a common way to evaluate the security of their initialization phases. Our technical contribution is to write the expressions of the internal states in terms of the nonce and the key by treating a 128-bit word as a unit and then carefully study how to simplify these expressions by adding proper conditions. As a result, we find that there are several groups of weak keys with 296 keys each in 5-round AEGIS-128 and 8-round Tiaoxin, which allows us to construct integral distinguishers with time complexity 232 and data complexity 232. Based on the distinguisher, the time complexity to recover the weak key is 272 for 5-round AEGIS-128. However, the weak key recovery attack on 8-round Tiaoxin will require the usage of a weak constant occurring with probability 2−32. All the attacks reach half of the total number of initialization rounds. We expect that this work can advance the understanding of the designs similar to AEGIS and Tiaoxin.

English Else

Kaiyu Zhang,Sen Xu,Dawu Gu,Haihua Gu,Junrong Liu,Zheng Guo,Ruitong Liu,Liang Liu,Xiaobo Hui

DOI: https://doi.org/10.1109/cis.2017.00061

2017-01-01

Abstract:Power analysis against elliptic curve digital signature algorithm (ECDSA) has been researched for many years. Nowadays traditional methods like simple power analysis (SPA) or differential power analysis (DPA) are no longer effective against secure ECDSA implementations. In this situation, Howgrave-Graham and Smart introduced a new lattice-based attack to recover the secret key of Digital Signature Algorithm (DSA) even if only several bits of the nonce are revealed. Later Nguyen and Shparlinski extended the attack to ECDSA. In this paper, we further extend the attack to SM2 Digital Signature Algorithm (SM2-DSA), which is a Chinese version of ECDSA. We implemented the secure SM2-DSA implementation on Atmega128 microcontroller to evaluate its security under lattice attack. We performed experiments with different parameter configuration to find optimal key-recovery strategies. We also performed the same experiments on ECDSA to show that due to the differences on scheme between the two algorithms, lattice attack on SM2-DSA is harder than on ECDSA.

Fan Zhang,Zi-yuan Liang,Bo-lin Yang,Xin-jie Zhao,Shi-ze Guo,Kui Ren

DOI: https://doi.org/10.1631/fitee.1800576

IF: 2.526

2018-01-01

Frontiers of Information Technology & Electronic Engineering

Abstract:The Competition for Authenticated Encryption: Security, Applicability, and Robustness (CAESAR) supported by the National Institute of Standards and Technology (NIST) is an ongoing project calling for submissions of authenticated encryption (AE) schemes. The competition itself aims at enhancing both the design of AE schemes and related analysis. The design goal is to pursue new AE schemes that are more secure than advanced encryption standard with Galois/counter mode (AES-GCM) and can simultaneously achieve three design aspects: security, applicability, and robustness. The competition has a total of three rounds and the last round is approaching the end in 2018. In this survey paper, we first introduce the requirements of the proposed design and the progress of candidate screening in the CAESAR competition. Second, the candidate AE schemes in the final round are classified according to their design structures and encryption modes. Third, comprehensive performance and security evaluations are conducted on these candidates. Finally, the research trends of design and analysis of AE for the future are discussed.