Hongbo Yu,Jiazhe Chen,Xiaoyun Wang

DOI: https://doi.org/10.1007/978-3-642-35999-6_19

2013-01-01

Abstract:The hash function Skein is one of the five finalists of the NIST SHA-3 competition. It is based on the block cipher Threefish which only uses three primitive operations: modular addition, rotation and bitwise XOR (ARX). This paper studies the boomerang attacks on Skein-512. Boomerang distinguishers on the compression function reduced to 32 and 36 rounds are proposed, with time complexities 2104.5 and 2454 hash computations respectively. Examples of the distinguishers on 28 and 31 rounds are also given. In addition, the boomerang distinguishers are applicable to the key-recovery attacks on reduced Threefish-512. The time complexities for key-recovery attacks reduced to 32-/33-/34-round are about 2181, 2305 and 2424 encryptions. Because the previous boomerang distinguishers for Threefish-512 are in fact not compatible [14], our attacks are the first valid boomerang attacks for the reduced-round Skein-512.

Hongbo Yu,Jiazhe Chen,Xiaoyun Wang

DOI: https://doi.org/10.1007/978-3-662-43933-3_14

2013-01-01

Abstract:The hash function Skein is one of 5 finalists of the NIST SHA-3 competition. It is based on the block cipher Threefish which only uses three primitive operations: modular addition, rotation and bitwise XOR (ARX). This paper proposes a free-start partial-collision attack on round-reduced Skein-256 by combing the rebound attack with the modular differential techniques. The main idea of our attack is to connect two short differential paths into a long one with another differential characteristic that is complicated. Following our path, we give a free-start partial-collision attack on Skein-256 reduced to 32 rounds with Hamming distance 50 and complexity about 2(85) hash computations. In particular, we provide practical near-collision examples for Skein-256 reduced to 24 rounds and 28 rounds in the fixed tweaks and choosing tweaks setting separately. As far as we know, this is the first construction of a non-linear differential path for Skein which can lead to significantly improvement over previous analysis.

Jiazhe Chen,Keting Jia

DOI: https://doi.org/10.1007/978-3-642-12827-1_1

2010-01-01

Abstract:Hash function Skein is one of the 14 NIST SHA-3 second round candidates. Threefish is a tweakable block cipher as the core of Skein, defined with a 256-, 512-, and 1024-bit block size. The 512-bit block size is the primary proposal of the authors. Skein had been updated after it entered the second round; the only difference between the original and the new version is the rotation constants. In this paper we construct related-key boomerang distinguishers on round-reduced Threefish-512 based on the new rotation constants using the method of modular differential. With these distinguishers, we mount related-key boomerang key recovery attacks on Threefish-512 reduced to 32, 33 and 34 rounds. The attack on 32-round Threefish-512 has time complexity 2195 with memory of 212 bytes. The attacks on Threefish-512 reduced to 33 and 34 rounds have time complexity of 2324.6 and 2474.4 encryptions respectively, and both with negligible memory. The best key recovery attack known before is proposed by Aumasson et al. Their attack, which bases on the old rotation constants, is also a related-key boomerang attack. For 32-round Threefish-512, their attack requires 2312 encryptions and 271 bytes of memory.

Dongxia Bai,Hongbo Yu,Gaoli Wang,Xiaoyun Wang

DOI: https://doi.org/10.1049/iet-ifs.2013.0380

2014-01-01

IET Information Security

Abstract:In this study, the authors study the security of hash functions SM3 and BLAKE-256 against boomerang attack. SM3 is designed by Wang et al. and published by Chinese Commercial Cryptography Administration Office for the use of electronic certification service system in China. BLAKE is one of the five finalists of the NIST SHA-3 competition submitted by Aumasson et al. For SM3, they present boomerang distinguishers for the compression function reduced to 34/35/36/37 steps out of 64 steps, with time complexities 231.4, 233.6, 273.4 and 2192, respectively. Then, they show some incompatible problems existed in the previous boomerang attacks on SM3. Meanwhile, they launch boomerang attacks on up to 7- and 8-round keyed permutation of BLAKE-256, which are the first valid 7-round and 8-round boomerangs for BLAKE-256. Especially, since the author's distinguishers on 34/35-steps compression function of SM3 and 7-round keyed permutation of BLAKE-256 are practical, they are able to obtain boomerang quartets of these attacks. As far as they know, these are the best results against round-reduced SM3 and BLAKE-256.

Hongbo Yu,Yonglin Hao,Dongxia Bai

DOI: https://doi.org/10.1007/s11432-015-5389-4

2016-01-01

Science China Information Sciences

Abstract:For an n-bit random permutation, there are three types of boomerang distinguishers, denoted as Type I, II and III, with generic complexities 2 n , 2 n/3 and 2 n/2 respectively. In this paper, we try to evaluate the security margins of three hash functions namely SHA-512, SHA-256 and DHA-256 against the boomerang attack.Firstly, we give a boomerang attack on 48-step SHA-512 with a practical complexity of 2 51 . The correctness of this attack is verified by providing a Type III boomerang quartet. Then, we extend the existing differential characteristics of the three hash functions to more rounds. We deduce the sufficient conditions and give thorough evaluations to the security margins as follows: Type I boomerang method can attack 54-step SHA-512, 51-step SHA-256 and 46-step DHA-256 with complexities 2 480 , 2 218 and 2 236 respectively. Type II boomerang method can attack 51-step SHA-512, 49-step SHA-256 and 43-step DHA-256 with complexities 2 158.50 , 2 72.91 and 2 74.50 respectively. Type III boomerang method can attack 52-step SHA-512, 50-step SHA-256 and 44-step DHA-256 with complexities 2 223.80 , 2 123.63 and 2 99.85 respectively.

Dongxia Bai,Hongbo Yu,Gaoli Wang,Xiaoyun Wang

DOI: https://doi.org/10.1007/978-3-642-39059-3_17

2013-01-01

Abstract:The cryptographic hash function SM3 is designed by X. Wang et al. and published by Chinese Commercial Cryptography Administration Office for the use of electronic certification service system in China. It is based on the Merkle-Damgård design and is very similar to SHA-2 but includes some additional strengthening features. In this paper, we apply the boomerang attack to SM3 compression function, and present such distinguishers on up to 34/35/36/37 steps out of 64 steps, with time complexities 231.4, 233.6, 273.4 and 293 compression function calls respectively. Especially, we are able to obtain the examples of the distinguishers on 34-step and 35-step on a PC due to their practical complexities. In addition, incompatible problems in the recent boomerang attack are pointed out. © 2013 Springer-Verlag.

Lingyue Qin,Xiaoyang Dong,Xiaoyun Wang,Keting Jia,Yunwen Liu

DOI: https://doi.org/10.46586/tosc.v2021.i2.249-291

2021-01-01

IACR Transactions on Symmetric Cryptology

Abstract:Automatic modelling to search distinguishers with high probability covering as many rounds as possible, such as MILP, SAT/SMT, CP models, has become a very popular cryptanalysis topic today. In those models, the optimizing objective is usually the probability or the number of rounds of the distinguishers. If we want to recover the secret key for a round-reduced block cipher, there are usually two phases, i.e., finding an efficient distinguisher and performing key-recovery attack by extending several rounds before and after the distinguisher. The total number of attacked rounds is not only related to the chosen distinguisher, but also to the extended rounds before and after the distinguisher. In this paper, we try to combine the two phases in a uniform automatic model.Concretely, we apply this idea to automate the related-key rectangle attacks on SKINNY and ForkSkinny. We propose some new distinguishers with advantage to perform key-recovery attacks. Our key-recovery attacks on a few versions of round-reduced SKINNY and ForkSkinny cover 1 to 2 more rounds than the best previous attacks.

Hongbo Yu,Dongxia Bai

DOI: https://doi.org/10.1007/978-3-319-16745-9_18

2015-01-01

Abstract:SHA-2 (SHA-224, SHA-256, SHA-384 and SHA-512) is hash function family issued by the National Institute of Standards and Technology (NIST) in 2002 and is widely used all over the world. In this work, we analyze the security of SHA-512 with respect to boomerang attack. Boomerang distinguisher on SHA-512 compression function reduced to 48 steps is proposed, with a practical complexity of 2(51). A practical example of the distinguisher for 48-step SHA-512 is also given. As far as we know, it is the best practical attack on step-reduced SHA-512.

Hongkai Zou,Jian Zou,Yiyuan Luo

DOI: https://doi.org/10.1007/s11128-023-03921-6

IF: 1.965

2023-04-11

Quantum Information Processing

Abstract:At SAC 2021, Frixons et al. proposed quantum boomerang attacks that can effectively recover the keys of block ciphers in the quantum setting. Based on their work, we further consider how to quantize the generic boomerang attacks proposed by Biham et al. at FSE 2002, so as to obtain more generic quantum boomerang attacks. Similar to Frixons et al.'s work, we only consider quantum key recovery attacks in the single-key setting. With the help of some famous quantum algorithms, this paper presents two methods to convert the attacks of Biham et al. into some new quantum key recovery attacks. In order to proof our methods, we apply our new ideas to attack Serpent-256 and ARIA-196. To sum up, for Serpent-256, we give valid 9-round and 10-round quantum key recovery attacks respectively. The quantum time complexity of 9-round and 10-round of Serpent-256 is and respectively. Furthermore, we show a valid quantum key attack on 6-round ARIA-196 which has a time complexity of with negligible memory. The time complexity of the above quantum attacks are better than the corresponding classical attacks and quantum generic key recovery attack via Grover's algorithm.

physics, multidisciplinary,quantum science & technology, mathematical

Xiaoyang Dong,Lingyue Qin,Siwei Sun,Xiaoyun Wang

DOI: https://doi.org/10.1007/978-3-031-07082-2_1

2022-01-01

Abstract:When generating quartets for the rectangle attacks on ciphers with linear key-schedule, we find the right quartets which may suggest key candidates have to satisfy some nonlinear relations. However, some quartets generated always violate these relations, so that they will never suggest any key candidates. Inspired by previous rectangle frameworks, we find that guessing certain key cells before generating quartets may reduce the number of invalid quartets. However, guessing a lot of key cells at once may lose the benefit from the early abort technique, which may lead to a higher overall complexity. To get better tradeoff, we build a new rectangle framework on ciphers with linear key-schedule with the purpose of reducing overall complexity or attacking more rounds. In the tradeoff model, there are many parameters affecting the overall complexity, especially for the choices of the number and positions of key guessing cells before generating quartets. To identify optimal parameters, we build a uniform automatic tool on SKINNY as an example, which includes the optimal rectangle distinguishers for key-recovery phase, the number and positions of key guessing cells before generating quartets, the size of key counters to build that affecting the exhaustive search step, etc. Based on the automatic tool, we identify a 32-round key-recovery attack on SKINNY-128-384 in the related-key setting, which extends the best previous attack by 2 rounds. For other versions with n-2n or n-3n, we also achieve one more round than before. In addition, using the previous rectangle distinguishers, we achieve better attacks on round-reduced ForkSkinny, Deoxys-BC-384 and GIFT-64. At last, we discuss the conversion of our rectangle framework from related-key setting into single-key setting and give new single-key rectangle attack on 10-round Serpent.

Carlos Cid,Tao Huang,Thomas Peyrin,Yu Sasaki,Ling Song

DOI: https://doi.org/10.1007/978-3-319-78375-8_22

2018-01-01

Abstract:A boomerang attack is a cryptanalysis framework that regards a block cipher E as the composition of two sub-ciphers E1∘E0$$E_1\circ E_0$$ and builds a particular characteristic for E with probability p2q2$$p^2q^2$$ by combining differential characteristics for E0$$E_0$$ and E1$$E_1$$ with probability p and q, respectively. Crucially the validity of this figure is under the assumption that the characteristics for E0$$E_0$$ and E1$$E_1$$ can be chosen independently. Indeed, Murphy has shown that independently chosen characteristics may turn out to be incompatible. On the other hand, several researchers observed that the probability can be improved to p or q around the boundary between E0$$E_0$$ and E1$$E_1$$ by considering a positive dependency of the two characteristics, e.g. the ladder switch and S-box switch by Biryukov and Khovratovich. This phenomenon was later formalised by Dunkelman et al. as a sandwich attack that regards E as E1∘Em∘E0$$E_1\circ E_m \circ E_0$$, where Em$$E_m$$ satisfies some differential propagation among four texts with probability r, and the entire probability is p2q2r$$p^2q^2r$$. In this paper, we revisit the issue of dependency of two characteristics in Em$$E_m$$, and propose a new tool called Boomerang Connectivity Table (BCT), which evaluates r in a systematic and easy-to-understand way when Em$$E_m$$ is composed of a single S-box layer. With the BCT, previous observations on the S-box including the incompatibility, the ladder switch and the S-box switch are represented in a unified manner. Moreover, the BCT can detect a new switching effect, which shows that the probability around the boundary may be even higher than p or q. To illustrate the power of the BCT-based analysis, we improve boomerang attacks against Deoxys-BC, and disclose the mechanism behind an unsolved probability amplification for generating a quartet in SKINNY. Lastly, we discuss the issue of searching for S-boxes having good BCT and extending the analysis to modular addition.

Mostafizar Rahman,Dhiman Saha,Goutam Paul

DOI: https://doi.org/10.46586/tosc.v2021.i3.137-169

2021-09-17

IACR Transactions on Symmetric Cryptology

Abstract:This work investigates a generic way of combining two very effective and well-studied cryptanalytic tools, proposed almost 18 years apart, namely the boomerang attack introduced by Wagner in FSE 1999 and the yoyo attack by Ronjom et al. in Asiacrypt 2017. In doing so, the s-box switch and ladder switch techniques are leveraged to embed a yoyo trail inside a boomerang trail. As an immediate application, a 6-round key recovery attack on AES-128 is mounted with time complexity of 278. A 10-round key recovery attack on recently introduced AES-based tweakable block cipher Pholkos is also furnished to demonstrate the applicability of the new technique on AES-like constructions. The results on AES are experimentally verified by applying and implementing them on a small scale variant of AES. We provide arguments that draw a relation between the proposed strategy with the retracing boomerang attack devised in Eurocrypt 2020. To the best of our knowledge, this is the first attempt to merge the yoyo and boomerang techniques to analyze SPN ciphers and warrants further attention as it has the potential of becoming an important cryptanalysis tool.

Qianqian Yang,Ling Song,Nana Zhang,Danping Shi,Libo Wang,Jiahao Zhao,Lei Hu,Jian Weng

DOI: https://doi.org/10.1007/s00145-024-09499-1

2024-04-12

Journal of Cryptology

Abstract:The rectangle attack has shown to be a very powerful form of cryptanalysis against block ciphers. Given a rectangle distinguisher, one expects to mount key recovery attacks as efficiently as possible. In the literature, there have been four algorithms for rectangle key recovery attacks. However, their performance varies from case to case. Besides, numerous are the applications where the attacks lack optimality. In this paper, we delve into the rectangle key recovery and propose a unified and generic key recovery algorithm, which supports any possible attacking parameters. Not only does it encompass the four existing rectangle key recovery algorithms, but it also reveals five new types of attacks that were previously overlooked. Further, we put forward a counterpart for boomerang key recovery attacks, which supports any possible attacking parameters as well. Along with these new key recovery algorithms, we propose a framework to automatically determine the best parameters for the attack. To demonstrate the efficiency of the new key recovery algorithms, we apply them to Serpent , AES -192, CRAFT , SKINNY , and Deoxys-BC -256 based on existing distinguishers, yielding a series of improved attacks.

computer science, theory & methods,engineering, electrical & electronic,mathematics, applied

Haibo Zhou,Zheng Li,Xiaoyang Dong,Keting Jia,Willi Meier

DOI: https://doi.org/10.1093/comjnl/bxz152

2020-01-01

The Computer Journal

Abstract:A new conditional cube attack was proposed by Li et al. at ToSC 2019 for cryptanalysis of KECCAK keyed modes. In this paper, we find a new property of Li et al.'s method. The conditional cube attack is modified and applied to cryptanalysis of 5-round KETJE Jr, 6-round XOODOO-AE and XOODYAK, where KETJE Jr is among the third round CAESAR competition candidates and XOODYAK is a Round 2 submission of the ongoing NIST lightweight cryptography project. For the updated conditional cube attack, all our results are shown to be of practical time complexity with negligible memory cost, and test codes are provided. Notably, our results on XOODYAK represent the first third-party cryptanalysis for XOODYAK.

Lingyue Qin,Xiaoyang Dong,Xiaoyun Wang,Keting Jia,Yunwen Liu

DOI: https://doi.org/10.46586/tosc.v2021.i2.249-291

2021-01-01

IACR Transactions on Symmetric Cryptology

Abstract:Automatic modelling to search distinguishers with high probability covering as many rounds as possible, such as MILP, SAT/SMT, CP models, has become a very popular cryptanalysis topic today. In those models, the optimizing objective is usually the probability or the number of rounds of the distinguishers. If we want to recover the secret key for a round-reduced block cipher, there are usually two phases, i.e., finding an efficient distinguisher and performing key-recovery attack by extending several rounds before and after the distinguisher. The total number of attacked rounds is not only related to the chosen distinguisher, but also to the extended rounds before and after the distinguisher. In this paper, we try to combine the two phases in a uniform automatic model. Concretely, we apply this idea to automate the related-key rectangle attacks on SKINNY and ForkSkinny. We propose some new distinguishers with advantage to perform key-recovery attacks. Our key-recovery attacks on a few versions of round-reduced SKINNY and ForkSkinny cover 1 to 2 more rounds than the best previous attacks.

Yanzhao Shen,Dongxia Bai,Hongbo Yu

DOI: https://doi.org/10.1007/s11432-017-9119-6

2017-01-01

Science China Information Sciences

Abstract:SM3 is the Chinese hash standard and is standardized in GB/T 32905-2016 [1].As a hash function,it must fulfill three security requirements,collision resistance,preinage resistance,and second preimage resistance.During the ongoing evaluation,it is believed that whenever the hash function behaves differently from a random function,it is considered as the hash function's weakness.In recent years,the analysis has not only been limited to the classical security requirements,but also in the near-collision,boomerang distinguisher,and (semi-)free-start collision.Most of the previous preimage attacks on SM3 [2,3] are either without padding or padding is not present from the first step.The best boomerang attack on SM3 covers 37 steps [4,5].In this article,we focus on the preimage attack from the first step,with message padding.A preinage attack on 30-step SM3 is proposed.Furthermore,we improve the 37-step boomerang attack and extend it to the 38-step boomerang attack.A summary of the previous results and along with our owns is given in Table 1.

Boxin Zhao,Xiaoyang Dong,Keting Jia

DOI: https://doi.org/10.46586/tosc.v2019.i3.121-151

2019-01-01

Abstract:In the CAESAR competition, Deoxys-I and Deoxys-II are two important authenticated encryption schemes submitted by Jean et al. Recently, Deoxys-II together with Ascon, ACORN, AEGIS-128, OCB and COLM have been selected as the final CAESAR portfolio. Notably, Deoxys-II is also the primary choice for the use case “Defense in depth”. However, Deoxys-I remains to be one of the third-round candidates of the CAESAR competition. Both Deoxys-I and Deoxys-II adopt Deoxys-BC-256 and Deoxys-BC-384 as their internal tweakable block ciphers.In this paper, we investigate the security of round-reduced Deoxys-BC-256/-384 and Deoxys-I against the related-tweakey boomerang and rectangle attacks with some new boomerang distinguishers. For Deoxys-BC-256, we present 10-round related-tweakey boomerang and rectangle attacks for the popular setting (|tweak|, |key|) = (128, 128), which reach one more round than the previous attacks in this setting. Moreover, an 11-round related-tweakey rectangle attack on Deoxys-BC-256 is given for the first time. We also put forward a 13-round related-tweakey boomerang attack in the popular setting (|tweak|, |key|) = (128, 256) for Deoxys-BC-384, while the previous attacks in this setting only work for 12 rounds at most. In addition, the first 14-round relatedtweakey rectangle attack on Deoxys-BC-384 is given when (|tweak| < 98, |key| > 286), that attacks one more round than before. Besides, we give the first 10-round rectangle attack on the authenticated encryption mode Deoxys-I-128-128 with one more round than before, and we also reduce the complexity of the related-tweakey rectangle attack on 12-round Deoxys-I-256-128 by a factor of 228. Our attacks can not be applied to (round-reduced) Deoxys-II.

Jiangshan Long,Changhai Ou,Zhu Wang,Shihui Zheng,Fei Yan,Fan Zhang,Siew-Kei Lam

2022-01-01

Abstract:The performance of Side-Channel Attacks (SCAs) decays rapidly when considering more sub-keys, making the full-key recovery a very challenging problem. Limited to independent collision information utilization, collision attacks establish the relationship among sub-keys but do not significantly slow down this trend. To solve it, we first exploit the samples from the previously attacked S-boxes to assist attacks on the targeted S-box under an assumption that similar leakage occurs in program loop or code reuse scenarios. The later considered S-boxes are easier to be recovered since more samples participate in this assist attack, which results in the “snowball” effect. We name this scheme as Snowball, which significantly slows down the attenuation rate of attack performance. We further introduce confusion coefficient into the collision attack to construct collision confusion coefficient, and deduce its relationship with correlation coefficient. Based on this relationship, we give two optimizations on our Snowball exploiting the “values” information and “rankings” information of collision correlation coefficients named Least Deviation from Pearson correlation coefficient (PLD) and Least Deviation from confusion coefficient (CLD). Experiments show that the above optimizations significantly improve the performance of our Snowball.

Elena Andreeva,Bart Mennink,Bart Preneel,Marjan Škrobot

DOI: https://doi.org/10.1007/978-3-642-31410-0_18

2012-01-01

Abstract:In 2007, the US National Institute for Standards and Technology announced a call for the design of a new cryptographic hash algorithm in response to the vulnerabilities identified in widely employed hash functions, such as MD5 and $$\mathrm{SHA\text{-}1}$$. NIST received many submissions, 51 of which got accepted to the first round. At present, 5 candidates are left in the third round of the competition. At NIST’s second SHA-3 Candidate Conference 2010, Andreeva et al. provided a provable security classification of the second round SHA-3 candidates in the ideal model. In this work, we revisit this classification for the five SHA-3 finalists. We evaluate recent provable security results on the candidates, and resolve remaining open problems for Grøstl, JH, and Skein.

Leibo Li,Keting Jia,Xiaoyun Wang

DOI: https://doi.org/10.1007/978-3-662-46706-0_7

2014-01-01

Abstract:This paper focuses on key-recovery attacks on 9-round AES-192 and AES-256 under single-key model with the framework of the meet-in-the-middle attack. A new technique named key-dependent sieve is introduced to further reduce the size of lookup table of the attack, and the 9-round AES-192 is broken with 2 121 chosen plaintexts, 2(187.5) 9-round encryptions and 2(185) 128-bit words of memory. If the attack starts from the third round, the complexities would be further reduced by a factor of 16. Moreover, the whole attack is split up into a series of weak-key attacks. Then the memory complexity of the attack is saved significantly when we execute these weak attacks in streaming mode. This method is also applied to reduce the memory complexity of the attack on 9-round AES-256.