Behnam Zahednejad,Lijun Lyu

DOI: https://doi.org/10.1002/int.22895

IF: 8.993

2022-05-11

International Journal of Intelligent Systems

Abstract:At CRYPTO 2019, A. Gohr made a breakthrough in combining classical cryptanalysis and deep learning and applied his method to round reduced SPECK successfully. However, his suggested neural‐based distinguisher scheme is only limited to differential cryptanalysis. In this paper, we have the following contributions: 1. We combine integral cryptanalysis and deep learning to propose our neural‐based integral distinguisher scheme for the first time. To illustrate the effectiveness of our distinguisher scheme, we apply it to block ciphers of different structures, such as substitution‐permutation structure ciphers (PRESENT and RECTANGLE), Feistel structure cipher (LBLOCK), and add‐rotate‐XOR cipher (SPECK) and compare the results with the state‐of‐the‐art classical integral distinguishing method, namely, the bit‐based division property. To our great surprise, our neural network‐based integral distinguisher can extend the number of distinguished rounds for all block ciphers by two additional rounds (except RECTANGLE, where it is improved by one round) under the same data complexity. 2. As an additional advantage of our scheme, we demonstrate that our Neural Distinguisher (ND) is not only helpful for block cipher designers but also can assist attackers to mount key recovery attacks. To this end, we show how to exploit our ND to mount a key recovery attack and apply it to SPECK32/64. Out of the 1000 trials of key recovery attacks with different keys in 45% of cases, the first suggested subkey is exactly the real subkey of the last round of the cipher. For the remaining 55%, the second or third suggested subkey is exactly the real subkey of the last round of the cipher. 3. To have a piece of concrete evidence for the advantage of our scheme over classical integral methods, we design an experiment known as the same‐difference experiment. In this experiment, we show that our ND can learn some features beyond the capabilities of classical integral methods. We then propose a set of features that can justify the gap between classical integral methods and our neural‐based integral distinguisher and verify them by further experiments.

computer science, artificial intelligence

JiaShuo Liu,JiongJiong Ren,ShaoZhen Chen

DOI: https://doi.org/10.1186/s42400-023-00176-7

2023-11-07

Abstract:In CRYPTO 2019, Gohr opens up a new direction for cryptanalysis. He successfully applied deep learning to differential cryptanalysis against the NSA block cipher SPECK32/64, achieving higher accuracy than traditional differential distinguishers. Until now, one of the mainstream research directions is increasing the training sample size and utilizing different neural networks to improve the accuracy of neural distinguishers. This conversion mindset may lead to a huge number of parameters, heavy computing load, and a large number of memory in the distinguishers training process. However, in the practical application of cryptanalysis, the applicability of the attacks method in a resource-constrained environment is very important. Therefore, we focus on the cost optimization and aim to reduce network parameters for differential neural cryptanalysis.In this paper, we propose two cost-optimized neural distinguisher improvement methods from the aspect of data format and network structure, respectively. Firstly, we obtain a partial output difference neural distinguisher using only 4-bits training data format which is constructed with a new advantage bits search algorithm based on two key improvement conditions. In addition, we perform an interpretability analysis of the new neural distinguishers whose results are mainly reflected in the relationship between the neural distinguishers, truncated differential, and advantage bits. Secondly, we replace the traditional convolution with the depthwise separable convolution to reduce the training cost without affecting the accuracy as much as possible. Overall, the number of training parameters can be reduced by less than 50% by using our new network structure for training neural distinguishers. Finally, we apply the network structure to the partial output difference neural distinguishers. The combinatorial approach have led to a further reduction in the number of parameters (approximately 30% of Gohr's distinguishers for SPECK).

Anubhab Baksi,Jakub Breier,Yi Chen,Xiaoyang Dong

DOI: https://doi.org/10.23919/date51398.2021.9474092

2022-01-01

Abstract:At CRYPTO 2019, Gohr first introduces the deep learning based cryptanalysis on round-reduced SPECK. Using a deep residual network, Gohr trains several neural network based distinguishers on 8-round SPECK-32/64. The analysis follows an 'all-in-one' differential cryptanalysis approach, which considers all the output differences effect under the same input difference. Usually, the all-in-one differential cryptanalysis is more effective compared to the one using only one single differential trail. However, when the cipher is non-Markov or its block size is large, it is usually very hard to fully compute. Inspired by Gohr's work, we try to simulate the all-in-one differentials for non-Markov ciphers through machine learning. Our idea here is to reduce a distinguishing problem to a classification problem, so that it can be efficiently managed by machine learning. As a proof of concept, we show several distinguishers for four high profile ciphers, each of which works with trivial complexity. In particular, we show differential distinguishers for 8-round Gimli-Hash, Gimli-Cipher and Gimli-Permutation; 3-round Ascon-Permutation; 10-round Knot-256 permutation and 12-round Knot-512 permutation; and 4-round Chaskey-Permutation. Finally, we explore more on choosing an efficient machine learning model and observe that only a three layer neural network can be used. Our analysis shows the attacker is able to reduce the complexity of finding distinguishers by using machine learning techniques.

Gao Wang,Gaoli Wang,Siwei Sun

DOI: https://doi.org/10.1049/2024/4097586

2024-11-03

IET Information Security

Abstract:At CRYPTO 2019, Gohr showed the significant advantages of neural distinguishers over traditional distinguishers in differential cryptanalysis. At fast software encryption (FSE) 2024, Bellini et al. provided a generic tool to automatically train the (related‐key) differential neural distinguishers for different block ciphers. In this paper, based on the intrinsic principle of differential cryptanalysis and neural distinguisher, we propose a superior (related‐key) differential neural distinguisher that uses the ciphertext pairs generated by two different differences. In addition, we give a framework to automatically train our (related‐key) differential neural distinguisher with four steps: difference selection, sample generation, training pipeline, and evaluation scheme. To demonstrate the effectiveness of our approach, we apply it to the block ciphers: Simon, Speck, Simeck, and Hight. Compared to the existing results, our method can provide improved accuracy and even increase the number of rounds that can be analyzed. The source codes are available in https://github.com/differentialdistinguisher/AutoND_New.

computer science, information systems, theory & methods

Huijiao Wang,Jiapeng Tian,Xin Zhang,Yongzhuang Wei,Hua Jiang

DOI: https://doi.org/10.1155/2022/7564678

IF: 1.968

2022-09-15

Security and Communication Networks

Abstract:Currently, deep learning has provided an important means to solve problems in various fields. Intelligent computing will bring a new solution to the security analysis of lightweight block cipher as its analysis becomes more and more intelligent and automatic. In this study, the novel multiple differential distinguishers of round-reduced SIMECK32/64 based on deep learning are proposed. Two kinds of SIMECK32/64's 6–11 rounds deep learning distinguishers are designed by using the neural network to simulate the case of the multiple input differences and multiple output differences in multiple differential cryptanalysis. The general models of the two distinguishers and the neural network structures are presented. The random multiple ciphertext pairs and the associated multiple ciphertext pairs are exploited as the input of the model. The generation method of the data set is given. The performance of the two proposed distinguishers is compared. The experimental results confirm that the proposed distinguishers have higher accuracy and rounds than the distinguisher with a single difference. The relationship between the quantity of multiple differences and the performance of the distinguishers is also verified. The differential distinguisher based on deep learning needs less time complexity and data complexity than the traditional distinguisher. The accuracy of filtering error ciphertext of our 8-round neural distinguisher is up to 96.10%.

computer science, information systems,telecommunications

Dukyoung Kim,Hyunji Kim,Kyungbae Jang,Seyoung Yoon,Hwajeong Seo

DOI: https://doi.org/10.3390/electronics13071196

IF: 2.9

2024-03-26

Electronics

Abstract:Distinguishing data that satisfy the differential characteristic from random data is called a distinguisher attack. At CRYPTO'19, Gohr presented the first deep-learning-based distinguisher for round-reduced SPECK. Building upon Gohr's work, various works have been conducted. Among many other works, we propose the first neural distinguisher using single and multiple differences for format-preserving encryption (FPE) schemes FF1 and FF3. We harnessed the differential characteristics used in FF1 and FF3 classical distinguishers. They used SKINNY as the inner encryption algorithm for FF3. On the other hand, we employ the standard FF1 and FF3 implementations with AES encryption (which may be more robust). This work utilizes the differentials employed in FF1 and FF3 classical distinguishers. In short, when using a single 0x0F (resp. 0x08) differential, we achieve the highest accuracy of 0.85 (resp. 0.98) for FF1 (resp. FF3) in the 10-round (resp. 8-round) number domain. In the lowercase domain, due to an increased number of plaintext and ciphertext combinations, we can distinguish with the highest accuracy of 0.52 (resp. 0.55) for FF1 (resp. FF3) in a maximum of 2 rounds. Furthermore, we present an advanced neural distinguisher designed with multiple differentials for FF1 and FF3. With this sophisticated model, we still demonstrate valid accuracy in guessing the input difference used for encryption.

engineering, electrical & electronic,computer science, information systems,physics, applied

Yi Chen,Yantian Shen,Hongbo Yu,Sitong Yuan

DOI: https://doi.org/10.1093/comjnl/bxac019

2022-03-11

The Computer Journal

Abstract:Abstract Neural-aided cryptanalysis is a challenging topic, in which the neural distinguisher ($\mathcal{ND}$) is a core module. In this paper, we propose a new $\mathcal{ND}$ considering multiple ciphertext pairs simultaneously. Besides, multiple ciphertext pairs are constructed from different keys. The motivation is that the distinguishing accuracy can be improved by exploiting features derived from multiple ciphertext pairs. To verify this motivation, we have applied this new $\mathcal{ND}$ to five different ciphers. Experiments show that taking multiple ciphertext pairs as input indeed brings accuracy improvement. Then, we prove that our new $\mathcal{ND}$ applies to two different neural-aided key recovery attacks. Moreover, the accuracy improvement is helpful for reducing the data complexity of the neural-aided statistic attack. The code is available at https://github.com/AI-Lab-Y/ND_mc.

Yi Chen,Hongbo Yu

2021-01-01

Abstract:Machine learning aided cryptanalysis is an interesting but challenging research topic. At CRYPTO’19, Gohr proposed a Neural Distinguisher (ND) based on a plaintext difference. The ND takes a ciphertext pair as input and outputs its class (a real or random ciphertext pair). At EUROCRYPTO’20, Benamira et al proposed a deeper analysis of how two specific NDs against Speck32/64 work. However, there are still three research gaps that researchers are eager to fill in. (1) what features related to a ciphertext pair are learned by the ND? (2) how to explain various phenomena related to NDs? (3) what else can machine learning do in conventional cryptanalysis? In this paper, we filled in the three research gaps: (1) we first propose the Extended Differential-Linear Connectivity Table (EDLCT) which is a generic tool describing a cipher. Features corresponding to the EDLCT are designed to describe a ciphertext pair. Based on these features, various machine learning-based distinguishers including the ND are built. To explore various NDs from the EDLCT view, we propose a Feature Set Sensitivity Test (FSST) to identify which features may have a significant influence on NDs. Features identified by FSST share the same characteristic related to the cipher’s round function. Surrogate models of NDs are also built based on identified features. Experiments on Speck32/64 and DES confirm that features corresponding to the EDLCT are learned by NDs. (2) We explain phenomena related to NDs via EDLCT. (3) We show how to use machine learning to search differential-linear propagations ∆ → λ with a high correlation, which is a tough task in the differential-linear attack. Applications in Chaskey and DES demonstrate the advantages of machine learning. Furthermore, we provide some optional inputs to improve NDs.

Aayush Jain,Varun Kohli,Girish Mishra

DOI: https://doi.org/10.48550/arXiv.2112.05061

2021-12-09

Cryptography and Security

Abstract:Recent years have seen an increasing involvement of Deep Learning in the cryptanalysis of various ciphers. The present study is inspired by past works on differential distinguishers, to develop a Deep Neural Network-based differential distinguisher for round reduced lightweight block ciphers PRESENT and Simeck. We make improvements in the state-of-the-art approach and extend its use to the two structurally different block ciphers, PRESENT-80 and Simeck64/128. The obtained results suggest the universality of our cryptanalysis method. The proposed method can distinguish random data from the cipher data obtained until 6 rounds of PRESENT and 7 rounds of Simeck encryption with high accuracy. In addition to this, we explore a new approach to select good input differentials, which to the best of our knowledge has not been explored in the past. We also provide a minimum-security requirement for the discussed ciphers against our differential attack.

Byoungjin Seok

DOI: https://doi.org/10.3390/electronics13204053

IF: 2.9

2024-10-16

Electronics

Abstract:Recently, differential-neural cryptanalysis, which integrates deep learning with differential cryptanalysis, has emerged as a powerful and practical cryptanalysis method. It has been particularly applied to lightweight block ciphers, which are characterized by simple structures and operations, and relatively small block and key sizes. In resource-constrained environments, such as Internet of Things (IoT), it is essential to verify the resistance of existing lightweight block ciphers against differential-neural cryptanalysis to ensure security. In differential-neural cryptanalysis, a deep learning model, known as a neural distinguisher, is trained to differentiate a target cipher from others, facilitating key recovery through statistical analysis. For successful differential-neural cryptanalysis, it is crucial to develop a highly accurate neural distinguisher and to optimize the key recovery attack algorithm. In this paper, we introduce a novel neural distinguisher and key recovery attack against the 15-round reduced HIGHT cipher. Our proposed neural distinguisher is capable of distinguishing HIGHT ciphertext by analyzing only a portion of the ciphertext, which we refer to as a truncated neural distinguisher. Notably, our experiments demonstrate that the truncated neural distinguisher achieves performance comparable to existing distinguishers trained on entire ciphertext blocks, while enabling a more efficient key recovery attack through a divide-and-conquer strategy. Furthermore, we observe a significant improvement in key recovery efficiency compared to traditional cryptanalysis methods.

engineering, electrical & electronic,computer science, information systems,physics, applied

Zehan Wu,Kexin Qiao,Zhaoyang WangÂ,Junjie ChengÂ,Liehuang ZhuÂ

DOI: https://doi.org/10.3390/math12091401

IF: 2.4

2024-05-03

Mathematics

Abstract:With the development of artificial intelligence (AI), deep learning is widely used in various industries. At CRYPTO 2019, researchers used deep learning to analyze the block cipher for the first time and constructed a differential neural network distinguisher to meet a certain accuracy. In this paper, a mixture differential neural network distinguisher using ResNet is proposed to further improve the accuracy by exploring the mixture differential properties. Experiments are conducted on SIMON32/64, and the accuracy of the 8-round mixture differential neural network distinguisher is improved from 74.7% to 92.3%, compared with that of the previous differential neural network distinguisher. The prediction accuracy of the differential neural network distinguisher is susceptible to the choice of the specified input differentials, whereas the mixture differential neural network distinguisher is less affected by the input difference and has greater robustness. Furthermore, by combining the probabilistic expansion of rounds and the neutral bit, the obtained mixture differential neural network distinguisher is extended to 11 rounds, which can realize the 12-round actual key recovery attack on SIMON32/64. With an appropriate increase in the time complexity and data complexity, the key recovery accuracy of the mixture differential neural network distinguisher can be improved to 55% as compared to 52% of the differential neural network distinguisher. The mixture differential neural network distinguisher proposed in this paper can also be applied to other lightweight block ciphers.

mathematics

Chun Guo,Hailong Zhang,Dongdai Lin

DOI: https://doi.org/10.1007/978-3-319-17533-1_16

2015-01-01

Abstract:At FSE 2014, Blondeau et al. proposed an exact expression of the bias of differential-linear approximation and a multidimensional generalization of differential-linear distinguisher. In this paper, we study the application of the theory to concrete designs. We first propose a meet-in-the-middle style searching-and-estimating process. Then, we show that the capacity of a multiple differential distinguisher using.2 statistical test can be written as the summation of squared correlations of several differential-linear distinguishers. This link provides us with another approach to estimating the theoretical capacity of multiple differential distinguisher. We apply the above methods to CTC2. CTC2 was designed by Courtois to show the strength of algebraic cryptanalysis on block ciphers. For CTC2 with a 255-bit block size and key, we give a multiple differential attack against 11-round version, which to our knowledge is the best with respect to the number of attacked rounds. Experimental results firmly verify the correctness of the proposed method. The attack itself, and its potential to be further extended, reveals that the resistance of CTC2 against statistical attacks may be much weaker than expected before.

Jimmy Dani,Kalyan Nakka,Nitesh Saxena

2024-05-30

Abstract:In this research, we introduce MIND-Crypt, a novel attack framework that uses deep learning (DL) and transfer learning (TL) to challenge the indistinguishability of block ciphers, specifically SPECK32/64 encryption algorithm in CBC mode (Cipher Block Chaining) against Known Plaintext Attacks (KPA). Our methodology includes training a DL model with ciphertexts of two messages encrypted using the same key. The selected messages have the same byte-length and differ by only one bit at the binary level. This DL model employs a residual network architecture. For the TL, we use the trained DL model as a feature extractor, and these features are then used to train a shallow machine learning, such as XGBoost. This dual strategy aims to distinguish ciphertexts of two encrypted messages, addressing traditional cryptanalysis challenges. Our findings demonstrate that the DL model achieves an accuracy of approximately 99% under consistent cryptographic conditions (Same Key or Rounds) with the SPECK32/64 cipher. However, performance degrades to random guessing levels (50%) when tested with ciphertext generated from different keys or different encryption rounds of SPECK32/64. To enhance the results, the DL model requires retraining with different keys or encryption rounds using larger datasets (10^7 samples). To overcome this limitation, we implement TL, achieving an accuracy of about 53% with just 10,000 samples, which is better than random guessing. Further training with 580,000 samples increases accuracy to nearly 99%, showing a substantial reduction in data requirements by over 94%. This shows that an attacker can utilize machine learning models to break indistinguishability by accessing pairs of plaintexts and their corresponding ciphertexts encrypted with the same key, without directly interacting with the communicating parties.

Cryptography and Security,Machine Learning

Runlian Zhang,Mi Zhang,Jiaxu Yan,Yixing Li,Xiaonian Wu,Lingchen Li

DOI: https://doi.org/10.1109/dsc53577.2021.00084

2021-10-01

Abstract:It is a new trend of cryptographic analysis to realize automatic analysis on cryptographic algorithms by means of deep learning in recent years. TweGIFT-128 algorithm is an instantiation tweak block cipher algorithm for encryption authentication scheme ESTATE, and it was selected as a candidate cipher algorithm in the second round NIST challenge. Aiming at the security of TweGIFT-128 algorithm, the neural network model was used to realize automatic differential analysis in this paper, and the problem of searching differential distinguishers was transformed into a classification problem. Then based on DNN, the neural network differential distinguishers on TweGIFT-128 algorithm were constructed, and the 4–8 round neural network differential distinguishers were trained by using fixed difference. Experimental results show that the obtained 4–7 round TweGIFT-128 differential distinguishers can distinguish ciphertext from random data well, and the method constructing distinguisher based on neural network model is simpler and more general than the traditional methods.

Guangqiu Lv,Chenhui Jin,Zhen Shi,Ting Cui

DOI: https://doi.org/10.1049/2024/2939486

2024-05-26

IET Information Security

Abstract:Given a differential characteristic and an existing plaintext pair that satisfies it (referred to as a right pair), generating additional right pairs at a reduced cost is an appealing prospect. The neutral bit technique, referred to as neutral differences throughout this paper, provides a solution to this challenge. Traditionally, the search for neutral differences has heavily depended on experimental testing, leading to limitations in the search range. In this work, we propose the neutral difference table and establish a link between boomerang cryptanalysis and neutral differences. Furthermore, we propose an automated search for neutral differences to address the problem of a limited search range of neutral differences, as previous approaches relied on experimental testing. This approach provides a basis for the subspace spanned by the neutral differences, and we apply this technique to both SPECK32 and LEA, where the predicted results closely match the experimental ones. Consequently, we present the improved differential‐linear distinguishers for SPECK32 and LEA, along with the 18‐round attacks on LEA192 and LEA256 with the lowest time complexity up to date.

computer science, information systems, theory & methods

Rahul Girme,Raghvendra Rohit,Santanu Sarkar

DOI: https://doi.org/10.1038/s41598-024-69361-z

2024-08-30

Abstract:We introduce augmented vector spaces of output differences, new generic and black-box distinguishers for Substitution Permutation Network (SPN) ciphers. Our distinguishers are based on a novel method of constructing a vector of size n ( d ) bits from a given vector of size n bits, where n ( d ) = ∑ i = 1 d n i and d is a positive integer. We list all such n ( d ) -bit vectors into a set called the corresponding d th -order augmented set and define its linear span as the corresponding d th -order augmented vector space . These sets are related to Reed-Muller codes and we prove that the rank of linear span of d th -order augmented set is n ( d ) using Reed-Muller codes. We then experimentally estimate the number of n-bit vectors required to span augmented vector spaces of output differences. Following these results, we give a generic and efficient algorithm to compute d th -order augmented vector space (of difference sets) for substitution permutation network ciphers. We apply our algorithm to lightweight ciphers GIFT, PRESENT and SKINNY and provide in-depth comparison of round-reduced ciphers' distinguishers with random sets. Most notably, our new distinguishers for these ciphers cover more rounds than the subspace trails.

Sahiba Suryawanshi,Shibam Ghosh,Dhiman Saha,Prathamesh Ram

DOI: https://doi.org/10.1007/s10623-024-01502-x

IF: 1.4

2024-11-03

Designs Codes and Cryptography

Abstract:Higher order differential properties constitute a very insightful tool at the hands of a cryptanalyst allowing for probing a cryptographic primitive from an algebraic perspective. In FSE 2017, Saha et al. reported SymSum (referred to as in this paper), a new distinguisher based on higher order vectorial Boolean derivatives of SHA-3 , constituting one of the best distinguishers on the latest cryptographic hash standard. exploits the difference in the algebraic degree of highest degree monomials in the algebraic normal form of SHA-3 with regards to their dependence on round constants. Later in AFRICACRYPT 2020, Suryawanshi et al. extended using linearization techniques and in SSS 2023 also applied it to NIST-LWC finalist Xoodyak . However, a major limitation of is the maximum attainable derivative ( MAD ) of the polynomial representation, which is less than half of the widely studied ZeroSum distinguisher. This is attributed to being dependent on k -fold vectorial derivatives while ZeroSum relies on k -fold simple derivatives. In this work we overcome this limitation of by developing and validating the theory of computing with simple derivatives. This gives us a close to improvement in the MAD that can be computed. The new distinguisher reported in this work can also be combined with 1/2-round linearization to penetrate more rounds. Moreover, we identify an issue with the 2-round linearization claim made by Suryawanshi et al. which renders it invalid and also furnishes an algebraic fix at the cost of some additional constraints. Combining all the results we report , a new variant of the distinguisher based on k -fold simple derivatives that outperforms ZeroSum by a factor of for round SHA3-384 and 9-round SHA3-512 respectively while enjoying the same MAD as ZeroSum . For every other SHA-3 variant, maintains an advantage of factor 2 over the ZeroSum . Combined with 1/2-round linearization, improves upon all existing ZeroSum and distinguishers on both SHA-3 and Xoodyak . As regards Keccak , the internal permutation of SHA-3 , we report the best 15-round distinguisher with a complexity of and the first better than birthday-bound 16-round distinguisher with a complexity of (improving upon the 15/16-round results by Guo et al. in ASIACRYPT 2016). We also devise the best full-round distinguisher on the Xoodoo internal permutation of Xoodyak with a practically verifiable complexity of and furnish the first third-party distinguishers on the Belarushian-standard hash function Bash . All distinguishers presented in this work have been verified through implementations whenever practically viable. Overall, with the MAD barrier broken, emerges as a better distinguisher than ZeroSum on all fronts and adds to the state-of-the-art of cryptanalytic tools investigating non-randomnes -Abstract Truncated-

mathematics, applied,computer science, theory & methods

Rui Zong,Xiaoyang Dong,Huaifeng Chen,Yiyuan Luo,Si Wang,Zheng Li

DOI: https://doi.org/10.46586/tosc.v2021.i1.156-184

2021-01-01

Abstract:When analyzing a block cipher, the first step is to search for some valid distinguishers, for example, the differential trails in the differential cryptanalysis and the linear trails in the linear cryptanalysis. A distinguisher is advantageous if it can be utilized to attack more rounds and the amount of the involved key bits during the key-recovery process is small, as this leads to a long attack with a low complexity. In this article, we propose a two-step strategy to search for such advantageous distinguishers. This strategy is inspired by the intuition that if a differential is advantageous only when some properties are satisfied, then we can predefine some constraints describing these properties and search for the differentials in the small set.As applications, our strategy is used to analyze GIFT-128, which was proposed in CHES 2017. Based on some 20-round differentials, we give the first 27-round differential attack on GIFT-128, which covers one more round than the best previous result. Also, based on two 17-round linear trails, we give the first linear hull attack on GIFT-128, which covers 22 rounds. In addition, we also give some results on two GIFT-128 based AEADs GIFT-COFB and SUNDAE-GIFT.

Ting Cui,Yiming Mao,Yang Yang,Yi Zhang,Jiyan Zhang,Chenhui Jin

DOI: https://doi.org/10.1109/tifs.2024.3350374

IF: 7.231

2024-02-02

IEEE Transactions on Information Forensics and Security

Abstract:This study is focused on the differential clustering effect of the SPN block cipher, which employs a binary matrix as its diffusion layer. We present a novel strategy for differential estimation, named the congruent differential cluster. This method does not guarantee the optimization of each single differential characteristic but gathers a large number of characteristics satisfying a specific condition, i.e., the output differences of active S-boxes are equal. Given a binary SPN cipher, the exact probability of the congruent differential cluster can be obtained with negligible computational resources. Moreover, we consider a popular instance, binary AES-like ciphers, since the processing of their column-mixing layer can be divided into several independent parts. Therefore, if we set the output differences of the active S-boxes in the same partition to be equal, we can obtain more differential characteristics in the cluster, known as a semicongruent differential cluster. To demonstrate the application of the proposed method, we apply it to several block ciphers, i.e., Midori-64, CRAFT-64, SKINNY-64 and their variants proposed in Todo and Sasaki (2022). Compared with the active S-box counting method, the congruent differential clusters have considerably higher probabilities for most instances. In addition, we find a 7-round semicongruent differential cluster for Midori-64 with probability 2−52.25, an 8-round semicongruent differential cluster for SKINNY-64 with probability 2−50.72 and a 10-round semicongruent differential cluster for CRAFT-64 with probability 2−42.32. To the best of our knowledge, the semicongruent differential clusters we identify for 7-round Midori-64, 8-round SKINNY-64 and 10-round CRAFT-64 have the highest probabilities thus far among the existing differential clusters with the same rounds. Therefore, we believe that the proposed method is a valuable tool for evaluating the differential security of associated block ciphers.

computer science, theory & methods,engineering, electrical & electronic

Yi Chen,Zhenzhen Bao,Hongbo Yu

DOI: https://doi.org/10.1007/978-981-99-8727-6_8

2023-01-01

Abstract:The differential-linear attack is one of the most effective attacks against ARX ciphers. However, two technical problems are preventing it from being more effective and having more applications: (1) there is no efficient method to search for good differential-linear approximations. Existing methods either have many constraints or are currently inefficient. (2) partitioning technique has great potential to reduce the time complexity of the key-recovery attack, but there is no general tool to construct partitions for ARX ciphers. In this work, we step forward in solving the two problems. First, we propose a novel idea for generating new good differential-linear approximations from known ones, based on which new searching algorithms are designed. Second, we propose a general tool named partition tree, for constructing partitions for ARX ciphers. Based on these new techniques, we present better attacks for two ISO/IEC standards, i.e., LEA and Speck. For LEA, we present the first 17-round distinguisher which is 1 round longer than the previous best distinguisher. Furthermore, we present the first key recovery attacks on 17-round LEA-128, 18-round LEA-192, and 18-round LEA-256, which attack 3, 4, and 3 rounds more than the previous best attacks. For Speck, we find better differential-linear distinguishers for Speck48 and Speck64. The first differential-linear distinguishers for Speck96 and Speck128 are also presented.