Aayush Jain,Varun Kohli,Girish Mishra

DOI: https://doi.org/10.48550/arXiv.2112.05061

2021-12-09

Cryptography and Security

Abstract:Recent years have seen an increasing involvement of Deep Learning in the cryptanalysis of various ciphers. The present study is inspired by past works on differential distinguishers, to develop a Deep Neural Network-based differential distinguisher for round reduced lightweight block ciphers PRESENT and Simeck. We make improvements in the state-of-the-art approach and extend its use to the two structurally different block ciphers, PRESENT-80 and Simeck64/128. The obtained results suggest the universality of our cryptanalysis method. The proposed method can distinguish random data from the cipher data obtained until 6 rounds of PRESENT and 7 rounds of Simeck encryption with high accuracy. In addition to this, we explore a new approach to select good input differentials, which to the best of our knowledge has not been explored in the past. We also provide a minimum-security requirement for the discussed ciphers against our differential attack.

JiaShuo Liu,JiongJiong Ren,ShaoZhen Chen

DOI: https://doi.org/10.1186/s42400-023-00176-7

2023-11-07

Abstract:In CRYPTO 2019, Gohr opens up a new direction for cryptanalysis. He successfully applied deep learning to differential cryptanalysis against the NSA block cipher SPECK32/64, achieving higher accuracy than traditional differential distinguishers. Until now, one of the mainstream research directions is increasing the training sample size and utilizing different neural networks to improve the accuracy of neural distinguishers. This conversion mindset may lead to a huge number of parameters, heavy computing load, and a large number of memory in the distinguishers training process. However, in the practical application of cryptanalysis, the applicability of the attacks method in a resource-constrained environment is very important. Therefore, we focus on the cost optimization and aim to reduce network parameters for differential neural cryptanalysis.In this paper, we propose two cost-optimized neural distinguisher improvement methods from the aspect of data format and network structure, respectively. Firstly, we obtain a partial output difference neural distinguisher using only 4-bits training data format which is constructed with a new advantage bits search algorithm based on two key improvement conditions. In addition, we perform an interpretability analysis of the new neural distinguishers whose results are mainly reflected in the relationship between the neural distinguishers, truncated differential, and advantage bits. Secondly, we replace the traditional convolution with the depthwise separable convolution to reduce the training cost without affecting the accuracy as much as possible. Overall, the number of training parameters can be reduced by less than 50% by using our new network structure for training neural distinguishers. Finally, we apply the network structure to the partial output difference neural distinguishers. The combinatorial approach have led to a further reduction in the number of parameters (approximately 30% of Gohr's distinguishers for SPECK).

Huijiao Wang,Jiapeng Tian,Xin Zhang,Yongzhuang Wei,Hua Jiang

DOI: https://doi.org/10.1155/2022/7564678

IF: 1.968

2022-09-15

Security and Communication Networks

Abstract:Currently, deep learning has provided an important means to solve problems in various fields. Intelligent computing will bring a new solution to the security analysis of lightweight block cipher as its analysis becomes more and more intelligent and automatic. In this study, the novel multiple differential distinguishers of round-reduced SIMECK32/64 based on deep learning are proposed. Two kinds of SIMECK32/64's 6–11 rounds deep learning distinguishers are designed by using the neural network to simulate the case of the multiple input differences and multiple output differences in multiple differential cryptanalysis. The general models of the two distinguishers and the neural network structures are presented. The random multiple ciphertext pairs and the associated multiple ciphertext pairs are exploited as the input of the model. The generation method of the data set is given. The performance of the two proposed distinguishers is compared. The experimental results confirm that the proposed distinguishers have higher accuracy and rounds than the distinguisher with a single difference. The relationship between the quantity of multiple differences and the performance of the distinguishers is also verified. The differential distinguisher based on deep learning needs less time complexity and data complexity than the traditional distinguisher. The accuracy of filtering error ciphertext of our 8-round neural distinguisher is up to 96.10%.

computer science, information systems,telecommunications

Yi Chen,Hongbo Yu

2021-01-01

Abstract:Machine learning aided cryptanalysis is an interesting but challenging research topic. At CRYPTO’19, Gohr proposed a Neural Distinguisher (ND) based on a plaintext difference. The ND takes a ciphertext pair as input and outputs its class (a real or random ciphertext pair). At EUROCRYPTO’20, Benamira et al proposed a deeper analysis of how two specific NDs against Speck32/64 work. However, there are still three research gaps that researchers are eager to fill in. (1) what features related to a ciphertext pair are learned by the ND? (2) how to explain various phenomena related to NDs? (3) what else can machine learning do in conventional cryptanalysis? In this paper, we filled in the three research gaps: (1) we first propose the Extended Differential-Linear Connectivity Table (EDLCT) which is a generic tool describing a cipher. Features corresponding to the EDLCT are designed to describe a ciphertext pair. Based on these features, various machine learning-based distinguishers including the ND are built. To explore various NDs from the EDLCT view, we propose a Feature Set Sensitivity Test (FSST) to identify which features may have a significant influence on NDs. Features identified by FSST share the same characteristic related to the cipher’s round function. Surrogate models of NDs are also built based on identified features. Experiments on Speck32/64 and DES confirm that features corresponding to the EDLCT are learned by NDs. (2) We explain phenomena related to NDs via EDLCT. (3) We show how to use machine learning to search differential-linear propagations ∆ → λ with a high correlation, which is a tough task in the differential-linear attack. Applications in Chaskey and DES demonstrate the advantages of machine learning. Furthermore, we provide some optional inputs to improve NDs.

Dukyoung Kim,Hyunji Kim,Kyungbae Jang,Seyoung Yoon,Hwajeong Seo

DOI: https://doi.org/10.3390/electronics13071196

IF: 2.9

2024-03-26

Electronics

Abstract:Distinguishing data that satisfy the differential characteristic from random data is called a distinguisher attack. At CRYPTO'19, Gohr presented the first deep-learning-based distinguisher for round-reduced SPECK. Building upon Gohr's work, various works have been conducted. Among many other works, we propose the first neural distinguisher using single and multiple differences for format-preserving encryption (FPE) schemes FF1 and FF3. We harnessed the differential characteristics used in FF1 and FF3 classical distinguishers. They used SKINNY as the inner encryption algorithm for FF3. On the other hand, we employ the standard FF1 and FF3 implementations with AES encryption (which may be more robust). This work utilizes the differentials employed in FF1 and FF3 classical distinguishers. In short, when using a single 0x0F (resp. 0x08) differential, we achieve the highest accuracy of 0.85 (resp. 0.98) for FF1 (resp. FF3) in the 10-round (resp. 8-round) number domain. In the lowercase domain, due to an increased number of plaintext and ciphertext combinations, we can distinguish with the highest accuracy of 0.52 (resp. 0.55) for FF1 (resp. FF3) in a maximum of 2 rounds. Furthermore, we present an advanced neural distinguisher designed with multiple differentials for FF1 and FF3. With this sophisticated model, we still demonstrate valid accuracy in guessing the input difference used for encryption.

engineering, electrical & electronic,computer science, information systems,physics, applied

Guangqiu Lv,Chenhui Jin,Zhen Shi,Ting Cui

DOI: https://doi.org/10.1007/s11227-024-06375-4

IF: 3.3

2024-10-05

The Journal of Supercomputing

Abstract:At CRYPTO 2019, Gohr first proposed neural distinguishers (NDs) on SPECK32, which are superior to the distinguishers based on the differential distribution table (DDT). Benamira et al. noted that NDs rely on the differential distribution of the last three rounds, and Bao et al. pointed out that NDs depend on the strong correlations between the bit values of ciphertext pairs satisfying the expected differential. Hence, one may guess that there exist deep relations between NDs and the differential-linear imbalances. To approximate NDs under a single ciphertext pair, we utilize differential-linear imbalances to construct simplified distinguishers. These newly constructed distinguishers offer comparable distinguishing advantages to that of NDs but with reduced time complexities. For instance, one such simplified distinguisher has only of the original time complexity of NDs. Our experiments demonstrate that these new distinguishers achieve a matching rate of 98.2% for 5-round SPECK32 under a single ciphertext pair. Furthermore, we achieve the highest accuracies for 7-round and 8-round SPECK32 up to date by using a maximum of 512 ciphertext pairs. Finally, by replacing NDs with simplified distinguishers, we significantly reduce the time complexities of differential-neural attacks on 11–14 rounds of SPECK32.

computer science, theory & methods,engineering, electrical & electronic, hardware & architecture

Gao Wang,Gaoli Wang,Siwei Sun

DOI: https://doi.org/10.1049/2024/4097586

2024-11-03

IET Information Security

Abstract:At CRYPTO 2019, Gohr showed the significant advantages of neural distinguishers over traditional distinguishers in differential cryptanalysis. At fast software encryption (FSE) 2024, Bellini et al. provided a generic tool to automatically train the (related‐key) differential neural distinguishers for different block ciphers. In this paper, based on the intrinsic principle of differential cryptanalysis and neural distinguisher, we propose a superior (related‐key) differential neural distinguisher that uses the ciphertext pairs generated by two different differences. In addition, we give a framework to automatically train our (related‐key) differential neural distinguisher with four steps: difference selection, sample generation, training pipeline, and evaluation scheme. To demonstrate the effectiveness of our approach, we apply it to the block ciphers: Simon, Speck, Simeck, and Hight. Compared to the existing results, our method can provide improved accuracy and even increase the number of rounds that can be analyzed. The source codes are available in https://github.com/differentialdistinguisher/AutoND_New.

computer science, information systems, theory & methods

Jimmy Dani,Kalyan Nakka,Nitesh Saxena

2024-05-30

Abstract:In this research, we introduce MIND-Crypt, a novel attack framework that uses deep learning (DL) and transfer learning (TL) to challenge the indistinguishability of block ciphers, specifically SPECK32/64 encryption algorithm in CBC mode (Cipher Block Chaining) against Known Plaintext Attacks (KPA). Our methodology includes training a DL model with ciphertexts of two messages encrypted using the same key. The selected messages have the same byte-length and differ by only one bit at the binary level. This DL model employs a residual network architecture. For the TL, we use the trained DL model as a feature extractor, and these features are then used to train a shallow machine learning, such as XGBoost. This dual strategy aims to distinguish ciphertexts of two encrypted messages, addressing traditional cryptanalysis challenges. Our findings demonstrate that the DL model achieves an accuracy of approximately 99% under consistent cryptographic conditions (Same Key or Rounds) with the SPECK32/64 cipher. However, performance degrades to random guessing levels (50%) when tested with ciphertext generated from different keys or different encryption rounds of SPECK32/64. To enhance the results, the DL model requires retraining with different keys or encryption rounds using larger datasets (10^7 samples). To overcome this limitation, we implement TL, achieving an accuracy of about 53% with just 10,000 samples, which is better than random guessing. Further training with 580,000 samples increases accuracy to nearly 99%, showing a substantial reduction in data requirements by over 94%. This shows that an attacker can utilize machine learning models to break indistinguishability by accessing pairs of plaintexts and their corresponding ciphertexts encrypted with the same key, without directly interacting with the communicating parties.

Cryptography and Security,Machine Learning

Zehan Wu,Kexin Qiao,Zhaoyang WangÂ,Junjie ChengÂ,Liehuang ZhuÂ

DOI: https://doi.org/10.3390/math12091401

IF: 2.4

2024-05-03

Mathematics

Abstract:With the development of artificial intelligence (AI), deep learning is widely used in various industries. At CRYPTO 2019, researchers used deep learning to analyze the block cipher for the first time and constructed a differential neural network distinguisher to meet a certain accuracy. In this paper, a mixture differential neural network distinguisher using ResNet is proposed to further improve the accuracy by exploring the mixture differential properties. Experiments are conducted on SIMON32/64, and the accuracy of the 8-round mixture differential neural network distinguisher is improved from 74.7% to 92.3%, compared with that of the previous differential neural network distinguisher. The prediction accuracy of the differential neural network distinguisher is susceptible to the choice of the specified input differentials, whereas the mixture differential neural network distinguisher is less affected by the input difference and has greater robustness. Furthermore, by combining the probabilistic expansion of rounds and the neutral bit, the obtained mixture differential neural network distinguisher is extended to 11 rounds, which can realize the 12-round actual key recovery attack on SIMON32/64. With an appropriate increase in the time complexity and data complexity, the key recovery accuracy of the mixture differential neural network distinguisher can be improved to 55% as compared to 52% of the differential neural network distinguisher. The mixture differential neural network distinguisher proposed in this paper can also be applied to other lightweight block ciphers.

mathematics

Behnam Zahednejad,Lijun Lyu

DOI: https://doi.org/10.1002/int.22895

IF: 8.993

2022-05-11

International Journal of Intelligent Systems

Abstract:At CRYPTO 2019, A. Gohr made a breakthrough in combining classical cryptanalysis and deep learning and applied his method to round reduced SPECK successfully. However, his suggested neural‐based distinguisher scheme is only limited to differential cryptanalysis. In this paper, we have the following contributions: 1. We combine integral cryptanalysis and deep learning to propose our neural‐based integral distinguisher scheme for the first time. To illustrate the effectiveness of our distinguisher scheme, we apply it to block ciphers of different structures, such as substitution‐permutation structure ciphers (PRESENT and RECTANGLE), Feistel structure cipher (LBLOCK), and add‐rotate‐XOR cipher (SPECK) and compare the results with the state‐of‐the‐art classical integral distinguishing method, namely, the bit‐based division property. To our great surprise, our neural network‐based integral distinguisher can extend the number of distinguished rounds for all block ciphers by two additional rounds (except RECTANGLE, where it is improved by one round) under the same data complexity. 2. As an additional advantage of our scheme, we demonstrate that our Neural Distinguisher (ND) is not only helpful for block cipher designers but also can assist attackers to mount key recovery attacks. To this end, we show how to exploit our ND to mount a key recovery attack and apply it to SPECK32/64. Out of the 1000 trials of key recovery attacks with different keys in 45% of cases, the first suggested subkey is exactly the real subkey of the last round of the cipher. For the remaining 55%, the second or third suggested subkey is exactly the real subkey of the last round of the cipher. 3. To have a piece of concrete evidence for the advantage of our scheme over classical integral methods, we design an experiment known as the same‐difference experiment. In this experiment, we show that our ND can learn some features beyond the capabilities of classical integral methods. We then propose a set of features that can justify the gap between classical integral methods and our neural‐based integral distinguisher and verify them by further experiments.

computer science, artificial intelligence

D. R. Chowdhury,Upasana Mandal,D. Pal,Abhijit Das,Mainak Chaudhury

Abstract:Over the last few years, deep learning is becoming the most trending topic for the classical cryptanalysis of block ciphers. Differential cryptanalysis is one of the primary and potent attacks on block ciphers. Here we apply deep learning techniques to model differential cryptanalysis more easily. In this paper, we report a generic tool using deep neural classifier that assists to find differential distinguishers for block ciphers with reduced round. We apply this approach for the differential cryptanalysis of ARX-based encryption schemes HIGHT, LEA, and SPARX. The result shows that our deep learning based distinguishers work with high accuracy for 14-round HIGHT, 13-Round LEA and 11-round SPARX. We also achieve an improvement of the lower bound of data complexity for these three ARX based ciphers.

Computer Science

Byoungjin Seok

DOI: https://doi.org/10.3390/electronics13204053

IF: 2.9

2024-10-16

Electronics

Abstract:Recently, differential-neural cryptanalysis, which integrates deep learning with differential cryptanalysis, has emerged as a powerful and practical cryptanalysis method. It has been particularly applied to lightweight block ciphers, which are characterized by simple structures and operations, and relatively small block and key sizes. In resource-constrained environments, such as Internet of Things (IoT), it is essential to verify the resistance of existing lightweight block ciphers against differential-neural cryptanalysis to ensure security. In differential-neural cryptanalysis, a deep learning model, known as a neural distinguisher, is trained to differentiate a target cipher from others, facilitating key recovery through statistical analysis. For successful differential-neural cryptanalysis, it is crucial to develop a highly accurate neural distinguisher and to optimize the key recovery attack algorithm. In this paper, we introduce a novel neural distinguisher and key recovery attack against the 15-round reduced HIGHT cipher. Our proposed neural distinguisher is capable of distinguishing HIGHT ciphertext by analyzing only a portion of the ciphertext, which we refer to as a truncated neural distinguisher. Notably, our experiments demonstrate that the truncated neural distinguisher achieves performance comparable to existing distinguishers trained on entire ciphertext blocks, while enabling a more efficient key recovery attack through a divide-and-conquer strategy. Furthermore, we observe a significant improvement in key recovery efficiency compared to traditional cryptanalysis methods.

engineering, electrical & electronic,computer science, information systems,physics, applied

Qingqing Zhang,Hongxing Zhang,Xiaotong Cui,Xing Fang,Xingyang Wang

DOI: https://doi.org/10.3390/s22134671

2022-06-21

Abstract:Although side-channel attacks based on deep learning are widely used in AES encryption algorithms, there is little research on lightweight algorithms. Lightweight algorithms have fewer nonlinear operations, so it is more difficult to attack successfully. Taking SPECK, a typical lightweight encryption algorithm, as an example, directly selecting the initial key as the label can only crack the first 16-bit key. In this regard, we evaluate the leakage of SPECK's operations (modular addition, XOR, shift), and finally select the result of XOR operation as the label, and successfully recover the last 48-bit key. Usually, the divide and conquer method often used in side-channel attacks not only needs to train multiple models, but also the different bytes of the key are regarded as unrelated individuals. Through the visualization method, we found that different key bytes overlap in the position of the complete electromagnetic leakage signal. That is, when SPECK generates a round key, there is a connection between different bytes of the key. In this regard, we propose a transfer learning method for different byte keys. This method can take advantage of the similarity of key bytes, improve the performance starting-point of the model, and reduce the convergence time of the model by 50%.

Runlian Zhang,Mi Zhang,Jiaxu Yan,Yixing Li,Xiaonian Wu,Lingchen Li

DOI: https://doi.org/10.1109/dsc53577.2021.00084

2021-10-01

Abstract:It is a new trend of cryptographic analysis to realize automatic analysis on cryptographic algorithms by means of deep learning in recent years. TweGIFT-128 algorithm is an instantiation tweak block cipher algorithm for encryption authentication scheme ESTATE, and it was selected as a candidate cipher algorithm in the second round NIST challenge. Aiming at the security of TweGIFT-128 algorithm, the neural network model was used to realize automatic differential analysis in this paper, and the problem of searching differential distinguishers was transformed into a classification problem. Then based on DNN, the neural network differential distinguishers on TweGIFT-128 algorithm were constructed, and the 4–8 round neural network differential distinguishers were trained by using fixed difference. Experimental results show that the obtained 4–7 round TweGIFT-128 differential distinguishers can distinguish ciphertext from random data well, and the method constructing distinguisher based on neural network model is simpler and more general than the traditional methods.

Wei Li,Jiayao Li,Dawu Gu,Chaoyun Li,Tianpei Cai

DOI: https://doi.org/10.1109/tifs.2021.3102485

IF: 7.231

2021-01-01

IEEE Transactions on Information Forensics and Security

Abstract:With the development of wireless technology, the ubiquitous sensor networks have a profound effect on the way human interacts with computers, devices and environment. In order to reduce the potentially serious risks in the interaction, applying lightweight ciphers is effective to balance security, efficiency and convenience. Simeck is such a lightweight cipher that provides data confidentiality, authentication and integrity. It is significant to explore whether Simeck remains robust security. Up to now, the attacking assumptions of the previous security analysis of Simeck focus on the known-plaintext attack and the chosen-plaintext attack. There is no literature about Simeck against the ciphertext-only attack, which represents the weakest attacking capability of the attackers. On the assumption of the ciphertext-only attack, this paper proposes the security analysis of Simeck against the statistical fault analysis with a series of novel distinguishers of KDE, MME and MME-GF. The experimental results show that the proposed distinguishers can recover the secret key of Simeck in both decreasing faults and increasing reliability and accuracy. Thus, Simeck cannot resist against the statistical fault analysis with the proposed distinguishers. Furthermore, the good performance of these novel distinguishers can be applied on the PRESENT lightweight cipher. It offers the valuable reference for the design and analysis of the lightweight ciphers in the ubiquitous sensor networks.

computer science, theory & methods,engineering, electrical & electronic

Ren, Jiongjiong

DOI: https://doi.org/10.1631/fitee.2300848

IF: 2.526

2024-11-06

Frontiers of Information Technology & Electronic Engineering

Abstract:At the Annual International Cryptology Conference in 2019, Gohr introduced a deep learning based cryptanalysis technique applicable to the reduced-round lightweight block ciphers with a short block of SPECK32/64. One significant challenge left unstudied by Gohr's work is the implementation of key recovery attacks on large-state block ciphers based on deep learning. The purpose of this paper is to present an improved deep learning based framework for recovering keys for large-state block ciphers. First, we propose a key bit sensitivity test (KBST) based on deep learning to divide the key space objectively. Second, we propose a new method for constructing neural distinguisher combinations to improve a deep learning based key recovery framework for large-state block ciphers and demonstrate its rationality and effectiveness from the perspective of cryptanalysis. Under the improved key recovery framework, we train an efficient neural distinguisher combination for each large-state member of SIMON and SPECK and finally carry out a practical key recovery attack on the large-state members of SIMON and SPECK. Furthermore, we propose that the 13-round SIMON64 attack is the most effective approach for practical key recovery to date. Noteworthly, this is the first attempt to propose deep learning based practical key recovery attacks on 18-round SIMON128, 19-round SIMON128, 14-round SIMON96, and 14-round SIMON64. Additionally, we enhance the outcomes of the practical key recovery attack on SPECK large-state members, which amplifies the success rate of the key recovery attack in comparison to existing results.

engineering, electrical & electronic,computer science, information systems, software engineering

Yanyan Zhou,Senpeng Wang,Bin Hu

DOI: https://doi.org/10.1049/2024/8315115

2024-01-12

IET Information Security

Abstract:Differential-linear (DL) cryptanalysis is an important cryptanalytic method in cryptography and has received extensive attention from the cryptography community since its proposal by Langford and Hellman in 1994. At CT-RSA 2023, Bellini et al. introduced continuous difference propagations of XOR, rotation, and modulo-addition operations and proposed a fully automatic method using Mixed-Integer Linear Programing (MILP) and Mixed-Integer Quadratic Constraint Programing (MIQCP) techniques to search for DL distinguishers of Addition-Rotation-XOR (ARX) ciphers. In this paper, we propose continuous difference propagation of AND operation and construct an MILP/MIQCP-based fully automatic model of searching for DL distinguishers of SIMON-like ciphers. We apply the fully automatic model to all versions of SIMON and SIMECK. As a result, for SIMON, we find 13 and 14-round DL distinguishers of SIMON32, 15, 16, and 17-round DL distinguishers of SIMON48, 20-round DL distinguishers of SIMON64, 25 and 26-round DL distinguishers of SIMON96, 31 and 32-round DL distinguishers of SIMON128. For SIMECK, we find 14-round DL distinguishers of SIMECK32, 17 and 18-round DL distinguishers of SIMECK48, 22, 23, 24, and 25-round DL distinguishers of SIMECK64. As far as we know, our results are currently the best.

computer science, information systems, theory & methods

Ongee Jeong,Ezat Ahmadzadeh,Inkyu Moon

DOI: https://doi.org/10.3390/math12131936

IF: 2.4

2024-06-22

Mathematics

Abstract:In this paper, we perform neural cryptanalysis on five block ciphers: Data Encryption Standard (DES), Simplified DES (SDES), Advanced Encryption Standard (AES), Simplified AES (SAES), and SPECK. The block ciphers are investigated on three different deep learning-based attacks, Encryption Emulation (EE), Plaintext Recovery (PR), Key Recovery (KR), and Ciphertext Classification (CC) attacks. The attacks attempt to break the block ciphers in various cases, such as different types of plaintexts (i.e., block-sized bit arrays and texts), different numbers of round functions and quantity of training data, different text encryption methods (i.e., Word-based Text Encryption (WTE) and Sentence-based Text Encryption (STE)), and different deep learning model architectures. As a result, the block ciphers can be vulnerable to EE and PR attacks using a large amount of training data, and STE can improve the strength of the block ciphers, unlike WTE, which shows almost the same classification accuracy as the plaintexts, especially in a CC attack. Moreover, especially in the KR attack, the Recurrent Neural Network (RNN)-based deep learning model shows higher average Bit Accuracy Probability than the fully connected-based deep learning model. Furthermore, the RNN-based deep learning model is more suitable than the transformer-based deep learning model in the CC attack. Besides, when the keys are the same as the plaintexts, the KR attack can perfectly break the block ciphers, even if the plaintexts are randomly generated. Additionally, we identify that DES and SPECK32/64 applying two round functions are more vulnerable than those applying the single round function by performing the KR attack with randomly generated keys and randomly generated single plaintext.

mathematics

Yi Chen,Zhenzhen Bao,Hongbo Yu

DOI: https://doi.org/10.1007/978-981-99-8727-6_8

2023-01-01

Abstract:The differential-linear attack is one of the most effective attacks against ARX ciphers. However, two technical problems are preventing it from being more effective and having more applications: (1) there is no efficient method to search for good differential-linear approximations. Existing methods either have many constraints or are currently inefficient. (2) partitioning technique has great potential to reduce the time complexity of the key-recovery attack, but there is no general tool to construct partitions for ARX ciphers. In this work, we step forward in solving the two problems. First, we propose a novel idea for generating new good differential-linear approximations from known ones, based on which new searching algorithms are designed. Second, we propose a general tool named partition tree, for constructing partitions for ARX ciphers. Based on these new techniques, we present better attacks for two ISO/IEC standards, i.e., LEA and Speck. For LEA, we present the first 17-round distinguisher which is 1 round longer than the previous best distinguisher. Furthermore, we present the first key recovery attacks on 17-round LEA-128, 18-round LEA-192, and 18-round LEA-256, which attack 3, 4, and 3 rounds more than the previous best attacks. For Speck, we find better differential-linear distinguishers for Speck48 and Speck64. The first differential-linear distinguishers for Speck96 and Speck128 are also presented.

Rahul Girme,Raghvendra Rohit,Santanu Sarkar

DOI: https://doi.org/10.1038/s41598-024-69361-z

2024-08-30

Abstract:We introduce augmented vector spaces of output differences, new generic and black-box distinguishers for Substitution Permutation Network (SPN) ciphers. Our distinguishers are based on a novel method of constructing a vector of size n ( d ) bits from a given vector of size n bits, where n ( d ) = ∑ i = 1 d n i and d is a positive integer. We list all such n ( d ) -bit vectors into a set called the corresponding d th -order augmented set and define its linear span as the corresponding d th -order augmented vector space . These sets are related to Reed-Muller codes and we prove that the rank of linear span of d th -order augmented set is n ( d ) using Reed-Muller codes. We then experimentally estimate the number of n-bit vectors required to span augmented vector spaces of output differences. Following these results, we give a generic and efficient algorithm to compute d th -order augmented vector space (of difference sets) for substitution permutation network ciphers. We apply our algorithm to lightweight ciphers GIFT, PRESENT and SKINNY and provide in-depth comparison of round-reduced ciphers' distinguishers with random sets. Most notably, our new distinguishers for these ciphers cover more rounds than the subspace trails.