Qingyuan Yu,Lingyue Qin,Xiaoyang Dong,Keting Jia

DOI: https://doi.org/10.1093/comjnl/bxad071

2024-01-01

Abstract:GIFT is a lightweight cipher proposed by Banik et al. at CHES'17, motivated by the design strategy of PRESENT. GIFT-64[2021] is a variant of GIFT proposed by Sun et al. at EUROCRYPT'22 to achieve better resistance against differential attack while maintaining a similar security level against linear attack. At EUROCRYPT'22, Dong et al. proposed a new rectangle framework considering the key guessing strategies for linear key-schedule ciphers, and established a uniform automatic search model for the whole rectangle attack. In this paper, we extend it to be applicable to bit-oriented ciphers, and construct an automatic search model involved in the distinguisher and key-recovery phase for GIFT. Moreover, we utilize the key relations of the linear key-schedule to the model, and find some new distinguishers both for GIFT-64 and GIFT-64[2021]. To evaluate the probability more accurately, we propose a method to calculate the probability of the 2-round middle part which connects the boomerang distinguisher for GIFT, and apply it with the SAT method to evaluate the probability of the whole distinguishers. As a result, we search out a new 20-round related-key boomerang distinguisher for GIFT-64, and achieve a 26-round attack with better time complexity than the best previous attack. For GIFT-64[2021], we find a 20-round boomerang distinguisher and give the first 26-round rectangle attack under related-key scenario.

Huaifeng Chen,Rui Zong,Xiaoyang Dong

DOI: https://doi.org/10.1007/978-3-030-41579-2_26

2019-01-01

Abstract:GIFT is a new lightweight PRESENT-like block cipher, proposed by Banik et al. at CHES 2017. There are two versions, i.e., GIFT-64 and GIFT-128, with block size 64 and 128 respectively. Both versions have a 128-bit key. The Sbox and the linear layer of GIFT are chosen carefully to avoid single difference bit or linear mask bit path in 2 consecutive rounds. This improves the security of GIFT against differential, linear and linear hull attacks. In this paper, we implement a new automatic search algorithm of differential characteristics on GIFT-64. Considering the situations that some characteristics have the same input and output difference, we find a few of improved differentials with longer rounds or higher probabilities. Among them, the best probability for 12-round differential is 2(-56.5737), while that for 13-round differential is 2(-61.)(3135). In addition, we find 52 13-round differentials with the same output differences. Based on them, we mount a multiple differential attack on 20-round GIFT-64 with 2(62) chosen plaintexts, which attacks one more round than the best previous result. Also, we can attack 21-round GIFT-64 with the full codebook, using one differential with probability 2(-)(62)(.)(0634). This is the longest attack as far as we know.

Carlos Cid,Tao Huang,Thomas Peyrin,Yu Sasaki,Ling Song

DOI: https://doi.org/10.1007/978-3-319-78375-8_22

2018-01-01

Abstract:A boomerang attack is a cryptanalysis framework that regards a block cipher E as the composition of two sub-ciphers E1∘E0$$E_1\circ E_0$$ and builds a particular characteristic for E with probability p2q2$$p^2q^2$$ by combining differential characteristics for E0$$E_0$$ and E1$$E_1$$ with probability p and q, respectively. Crucially the validity of this figure is under the assumption that the characteristics for E0$$E_0$$ and E1$$E_1$$ can be chosen independently. Indeed, Murphy has shown that independently chosen characteristics may turn out to be incompatible. On the other hand, several researchers observed that the probability can be improved to p or q around the boundary between E0$$E_0$$ and E1$$E_1$$ by considering a positive dependency of the two characteristics, e.g. the ladder switch and S-box switch by Biryukov and Khovratovich. This phenomenon was later formalised by Dunkelman et al. as a sandwich attack that regards E as E1∘Em∘E0$$E_1\circ E_m \circ E_0$$, where Em$$E_m$$ satisfies some differential propagation among four texts with probability r, and the entire probability is p2q2r$$p^2q^2r$$. In this paper, we revisit the issue of dependency of two characteristics in Em$$E_m$$, and propose a new tool called Boomerang Connectivity Table (BCT), which evaluates r in a systematic and easy-to-understand way when Em$$E_m$$ is composed of a single S-box layer. With the BCT, previous observations on the S-box including the incompatibility, the ladder switch and the S-box switch are represented in a unified manner. Moreover, the BCT can detect a new switching effect, which shows that the probability around the boundary may be even higher than p or q. To illustrate the power of the BCT-based analysis, we improve boomerang attacks against Deoxys-BC, and disclose the mechanism behind an unsolved probability amplification for generating a quartet in SKINNY. Lastly, we discuss the issue of searching for S-boxes having good BCT and extending the analysis to modular addition.

Shichang Wang,Meicheng Liu,Shiqi Hou,Dongdai Lin

DOI: https://doi.org/10.62056/a6n5txol7

2024-01-01

Abstract:At CHES 2017, Banik et al. proposed a lightweight block cipher GIFT consisting of two versions GIFT-64 and GIFT-128. Recently, there are lots of authenticated encryption schemes that adopt GIFT-128 as their underlying primitive, such as GIFT-COFB and HyENA. To promote a comprehensive perception of the soundness of the designs, we evaluate their security against differential-linear cryptanalysis. For this, automatic tools have been developed to search differential-linear approximation for the ciphers based on S-boxes. With the assistance of the automatic tools, we find 13-round differential-linear approximations for GIFT-COFB and HyENA. Based on the distinguishers, 18-round key-recovery attacks are given for the message processing phase and initialization phase of both ciphers. Moreover, the resistance of GIFT-64/128 against differential-linear cryptanalysis is also evaluated. The 12-round and 17-round differential-linear approximations are found for GIFT-64 and GIFT-128 respectively, which lead to 18-round and 19-round key-recovery attacks respectively. Here, we stress that our attacks do not threaten the security of these ciphers.

Rui Zong,Xiaoyang Dong,Huaifeng Chen,Yiyuan Luo,Si Wang,Zheng Li

DOI: https://doi.org/10.46586/tosc.v2021.i1.156-184

2021-01-01

Abstract:When analyzing a block cipher, the first step is to search for some valid distinguishers, for example, the differential trails in the differential cryptanalysis and the linear trails in the linear cryptanalysis. A distinguisher is advantageous if it can be utilized to attack more rounds and the amount of the involved key bits during the key-recovery process is small, as this leads to a long attack with a low complexity. In this article, we propose a two-step strategy to search for such advantageous distinguishers. This strategy is inspired by the intuition that if a differential is advantageous only when some properties are satisfied, then we can predefine some constraints describing these properties and search for the differentials in the small set.As applications, our strategy is used to analyze GIFT-128, which was proposed in CHES 2017. Based on some 20-round differentials, we give the first 27-round differential attack on GIFT-128, which covers one more round than the best previous result. Also, based on two 17-round linear trails, we give the first linear hull attack on GIFT-128, which covers 22 rounds. In addition, we also give some results on two GIFT-128 based AEADs GIFT-COFB and SUNDAE-GIFT.

Qianqian Yang,Ling Song,Siwei Sun,Danping Shi,Lei Hu

DOI: https://doi.org/10.46586/tosc.v2022.i4.208-242

2022-12-07

IACR Transactions on Symmetric Cryptology

Abstract:The double boomerang connectivity table (DBCT) is a new table proposed recently to capture the behavior of two consecutive S-boxes in boomerang attacks. In this paper, we observe an interesting property of DBCT of S-box that the ladder switch and the S-box switch happen in most cases for two continuous S-boxes, and for some S-boxes only S-box switch and ladder switch are possible. This property implies an additional criterion for S-boxes to resist the boomerang attacks and provides as well a new evaluation direction for an S-box. Using an extension of the DBCT, we verify that some boomerang distinguishers of TweAES and Deoxys are flawed. On the other hand, inspired by the property, we put forward a formula for estimating boomerang cluster probabilities. Furthermore, we introduce the first model to search for boomerang distinguishers with good cluster probabilities. Applying the model to CRAFT, we obtain 9-round and 10-round boomerang distinguishers with a higher probability than that of previous works.

Yuxuan Lu,Sihem Mesnager,Nian Li,Lisha Wang,Xiangyong Zeng

2024-08-21

Abstract:The Feistel Boomerang Connectivity Table ($\rm{FBCT}$), which is the Feistel version of the Boomerang Connectivity Table ($\rm{BCT}$), plays a vital role in analyzing block ciphers' ability to withstand strong attacks, such as boomerang attacks. However, as of now, only four classes of power functions are known to have explicit values for all entries in their $\rm{FBCT}$. In this paper, we focus on studying the FBCT of the power function $F(x)=x^{2^{n-2}-1}$ over $\mathbb{F}_{2^n}$, where $n$ is a positive integer. Through certain refined manipulations to solve specific equations over $\mathbb{F}_{2^n}$ and employing binary Kloosterman sums, we determine explicit values for all entries in the $\rm{FBCT}$ of $F(x)$ and further analyze its Feistel boomerang spectrum. Finally, we demonstrate that this power function exhibits the lowest Feistel boomerang uniformity.

Information Theory

K. Garg,S.U. Hasan,C. Riera,P. Stanica

2024-07-17

Abstract:It is well-known that functions over finite fields play a crucial role in designing substitution boxes (S-boxes) in modern block ciphers. In order to analyze the security of an S-box, recently, three new tables have been introduced: the Extended Boomerang Connectivity Table (EBCT), the Lower Boomerang Connectivity Table (LBCT), and the Upper Boomerang Connectivity Table (UBCT). In fact, these tables offer improved methods over the usual Boomerang Connectivity Table (BCT) for analyzing the security of S-boxes against boomerang-style attacks. Here, we put in context these new EBCT, LBCT, and UBCT concepts by connecting them to the DDT for a differentially $\delta$-uniform function and also determine the EBCT, LBCT, and UBCT entries of three classes of differentially $4$-uniform power permutations, namely, Gold, Kasami and Bracken-Leander. We also determine the Double Boomerang Connectivity Table (DBCT) entries of the Gold function. As byproducts of our approach, we obtain some previously published results quite easily.

Cryptography and Security,Information Theory

Baoyu Zhu,Xiaoyang Dong,Hongbo Yu

DOI: https://doi.org/10.1007/978-3-030-12612-4_19

2019-01-01

Abstract:At Asiacrypt 2014, Sun et al. proposed a MILP model [20] to search for differential characteristics of bit-oriented block ciphers. In this paper, we improve this model to search for differential characteristics of GIFT [2], a new lightweight block cipher proposed at CHES 2017. GIFT has two versions, namely GIFT-64 and GIFT-128. For GIFT-64, we find the best 12-round differential characteristic and a number of iterative 4-round differential characteristics with our MILP-based model. We give a key-recovery attack on 19-round GIFT-64. For GIFT-128, we find a 18-round differential characteristic and give the first attack on 23-round GIFT-128.

Kangquan Li,Longjiang Qu,Bing Sun,Chao Li

DOI: https://doi.org/10.48550/arXiv.1901.10999

2019-01-17

Abstract:In EUROCRYPT 2018, Cid et al. \cite{BCT2018} introduced a new concept on the cryptographic property of S-boxes: Boomerang Connectivity Table (BCT for short) for evaluating the subtleties of boomerang-style attacks. Very recently, BCT and the boomerang uniformity, the maximum value in BCT, were further studied by Boura and Canteaut \cite{BC2018}. Aiming at providing new insights, we show some new results about BCT and the boomerang uniformity of permutations in terms of theory and experiment in this paper. Firstly, we present an equivalent technique to compute BCT and the boomerang uniformity, which seems to be much simpler than the original definition from \cite{BCT2018}. Secondly, thanks to Carlet's idea \cite{Carlet2018}, we give a characterization of functions $f$ from $\mathbb{F}_{2}^n$ to itself with boomerang uniformity $\delta_{f}$ by means of the Walsh transform. Thirdly, by our method, we consider boomerang uniformities of some specific permutations, mainly the ones with low differential uniformity. Finally, we obtain another class of $4$-uniform BCT permutation polynomials over $\mathbb{F}_{2^n}$, which is the first binomial.

Cryptography and Security

Lele Chen,Gaoli Wang,GuoYan Zhang

DOI: https://doi.org/10.1093/comjnl/bxz076

2019-10-15

The Computer Journal

Abstract:Abstract The rectangle attack is the extension of the traditional differential attack and is evolved from the boomerange attack. It has been widely used to attack several existing ciphers. In this article, we study the security of lightweight block ciphers GIFT, Khudra and MIBS against related-key rectangle attack. We use Mixed-Integer Linear Programming-aided cryptanalysis to search rectangle distinguishers by taking into account the effect of the ladder switch technique. For GIFT, we build a 19-round related-key rectangle distinguisher and attack on 23-round GIFT-64, which requires 260 chosen plaintexts and 2107 encryptions. For Khudra, a 14-round related-key rectangle distinguisher can be built, which leads us to a 17-round rectangle attack. Our attack on 17-round Khudra requires a data complexity of 262.9 chosen plaintexts and a time complexity of 273.9 encryptions. For MIBS, we construct a 13-round related-key rectangle distinguisher and propose an attack on 15-round MIBS-64 with time complexity of 259 and data complexity of 245. Compared to the previous best related-key rectangle attack, we can attack one more round on Khudra and MIBS-64 than before.

Sihem Mesnager,Chunming Tang,Maosheng Xiong

DOI: https://doi.org/10.48550/arXiv.1903.00501

2019-03-02

Abstract:At Eurocrypt'18, Cid, Huang, Peyrin, Sasaki, and Song introduced a new tool called Boomerang Connectivity Table (BCT) for measuring the resistance of a block cipher against the boomerang attack (which is an important cryptanalysis technique introduced by Wagner in 1999 against block ciphers). Next, Boura and Canteaut introduced an important parameter (related to the BCT) for cryptographic Sboxes called boomerang uniformity. In this context, we present a brief state-of-the-art on the notion of boomerang uniformity of vectorial functions (or Sboxes) and provide new results. More specifically, we present a slightly different (and more convenient) formulation of the boomerang uniformity and show that the row sum and the column sum of the boomerang connectivity table can be expressed in terms of the zeros of the second-order derivative of the permutation or its inverse. Most importantly, we specialize our study of boomerang uniformity to quadratic permutations in even dimension and generalize the previous results on quadratic permutation with optimal BCT (optimal means that the maximal value in the Boomerang Connectivity Table equals the lowest known differential uniformity). As a consequence of our general result, we prove that the boomerang uniformity of the binomial differentially $4$-uniform permutations presented by Bracken, Tan, and Tan equals $4$. This result gives rise to a new family of optimal Sboxes.

Cryptography and Security

Qianqian Yang,Ling Song,Nana Zhang,Danping Shi,Libo Wang,Jiahao Zhao,Lei Hu,Jian Weng

DOI: https://doi.org/10.1007/s00145-024-09499-1

2024-04-12

Journal of Cryptology

Abstract:The rectangle attack has shown to be a very powerful form of cryptanalysis against block ciphers. Given a rectangle distinguisher, one expects to mount key recovery attacks as efficiently as possible. In the literature, there have been four algorithms for rectangle key recovery attacks. However, their performance varies from case to case. Besides, numerous are the applications where the attacks lack optimality. In this paper, we delve into the rectangle key recovery and propose a unified and generic key recovery algorithm, which supports any possible attacking parameters. Not only does it encompass the four existing rectangle key recovery algorithms, but it also reveals five new types of attacks that were previously overlooked. Further, we put forward a counterpart for boomerang key recovery attacks, which supports any possible attacking parameters as well. Along with these new key recovery algorithms, we propose a framework to automatically determine the best parameters for the attack. To demonstrate the efficiency of the new key recovery algorithms, we apply them to Serpent , AES -192, CRAFT , SKINNY , and Deoxys-BC -256 based on existing distinguishers, yielding a series of improved attacks.

computer science, theory & methods,engineering, electrical & electronic,mathematics, applied

Yuying Man,Nian Li,Zhen Liu,Xiangyong Zeng

2024-04-18

Abstract:Substitution boxes (S-boxes) play a significant role in ensuring the resistance of block ciphers against various attacks. The Upper Boomerang Connectivity Table (UBCT), the Lower Boomerang Connectivity Table (LBCT) and the Double Boomerang Connectivity Table (DBCT) of a given S-box are crucial tools to analyze its security concerning specific attacks. However, there are currently no related results for this research. The inverse function is crucial for constructing S-boxes of block ciphers with good cryptographic properties in symmetric cryptography. Therefore, extensive research has been conducted on the inverse function, exploring various properties related to standard attacks. Thanks to the recent advancements in boomerang cryptanalysis, particularly the introduction of concepts such as UBCT, LBCT, and DBCT, this paper aims to further investigate the properties of the inverse function $F(x)=x^{2^n-2}$ over $\gf_{2^n}$ for arbitrary $n$. As a consequence, by carrying out certain finer manipulations of solving specific equations over $\gf_{2^n}$, we give all entries of the UBCT, LBCT of $F(x)$ over $\gf_{2^n}$ for arbitrary $n$. Besides, based on the results of the UBCT and LBCT for the inverse function, we determine that $F(x)$ is hard when $n$ is odd. Furthermore, we completely compute all entries of the DBCT of $F(x)$ over $\gf_{2^n}$ for arbitrary $n$. Additionally, we provide the precise number of elements with a given entry by means of the values of some Kloosterman sums. Further, we determine the double boomerang uniformity of $F(x)$ over $\gf_{2^n}$ for arbitrary $n$. Our in-depth analysis of the DBCT of $F(x)$ contributes to a better evaluation of the S-box's resistance against boomerang attacks.

Cryptography and Security,Information Theory

Boxin Zhao,Xiaoyang Dong,Willi Meier,Keting Jia,Gaoli Wang

DOI: https://doi.org/10.1007/s10623-020-00730-1

2020-01-01

Abstract:This paper gives a new generalized key-recovery model of related-key rectangle attacks on block ciphers with linear key schedules. The model is quite optimized and applicable to various block ciphers with linear key schedule. As a proof of work, we apply the new model to two very important block ciphers, i.e. SKINNY and GIFT, which are basic modules of many candidates of the Lightweight Cryptography (LWC) standardization project by NIST. For SKINNY, we reduce the complexity of the best previous 27-round related-tweakey rectangle attack on SKINNY-128-384 from 2 331 to 2 294 . In addition, the first 28-round related-tweakey rectangle attack on SKINNY-128-384 is given, which gains one more round than before. For the candidate LWC SKINNY AEAD M1, we conduct a 24-round related-tweakey rectangle attack with a time complexity of 2 123 and a data complexity of 2 123 chosen plaintexts. For the case of GIFT-64, we give the first 24-round related-key rectangle attack with a time complexity 2 91.58 , while the best previous attack on GIFT-64 only reaches 23 rounds at most.

Fan Zhang,Xiaofei Dong,Xinjie Zhao,Yidi Wang,Samiya Qureshi,Yiran Zhang,Xiaoxuan Lou,Yongkang Tang

DOI: https://doi.org/10.1109/MASS.2018.00056

2018-01-01

Abstract:This paper proposed an advanced round modification fault analysis (RMFA) at the theoretical level on AEGIS-128, which is one of seven finalists in CAESAR competition. First, we clarify our assumptions and simplifications on the attack model, focusing on the encryption security. Then, we emphasize the difficulty of applying vanilla RMFA to AEGIS-128 in the practical case. Finally we demonstrate our advanced fault analysis on AEGIS-128 using machine-solver based algebraic techniques. Our enhancement can be used to conquer the practical scenario which is difficult for vanilla RMFA. Simulation results show that when the fault is injected to the initialization phase and the number of rounds is reduced to one, two samples of injections can extract the whole 128 key bits within less than two hours. This work can also be extended to other versions such as AEGIS-256.

Jiali Shi,Guoqiang Liu,Chao Li,Jianfeng Ma

DOI: https://doi.org/10.23919/cje.2022.00.132

IF: 1.019

2024-01-01

Chinese Journal of Electronics

Abstract:Type-II generalized Feistel network (GFN) has attracted a lot of attention for its simplicity and high parallelism. Impossible differential attack is one of the powerful cryptanalytic approaches for word-oriented block ciphers such as Feistel-like ciphers. We deduce the impossible differential of Type-II GFN by analyzing the Boolean function in the middle round. The main idea is to investigate the expression with the variable representing the plain-text (ciphertext) difference words for the internal state words. By adopting the miss-in-the-middle approach, we can construct the impossible differential of Type-II GFN. As an illustration, we apply this approach to WARP, a lightweight 128-bit block cipher with a 128-bit key which was presented by Banik et al. at SAC 2020. The structure of WARP is a 32-branch Type-II GFN. Therefore, we find two 21-round truncated impossible differentials and implement a 32-round key recovery attack on WARP. For the 32-round key recovery attack on WARP, some observations are used to mount an effective attack. Taking the advantage of the early abort technique, the data, time, and memory complexities are 2125.69 chosen plaintexts, 2126.68 32-round encryptions, and 2100-bit, repectively. To the best of our knowledge, this is the best attack on WARP in the single-key scenario.

engineering, electrical & electronic

Yuying Man,Sihem Mesnager,Nian Li,Xiangyong Zeng,Xiaohu Tang

2023-09-05

Abstract:Substitution boxes (S-boxes) play a significant role in ensuring the resistance of block ciphers against various attacks. The Difference Distribution Table (DDT), the Feistel Boomerang Connectivity Table (FBCT), the Feistel Boomerang Difference Table (FBDT) and the Feistel Boomerang Extended Table (FBET) of a given S-box are crucial tools to analyze its security concerning specific attacks. However, the results on them are rare. In this paper, we investigate the properties of the power function $F(x):=x^{2^{m+1}-1}$ over the finite field $\gf_{2^n}$ of order $2^n$ where $n=2m$ or $n=2m+1$ ($m$ stands for a positive integer). As a consequence, by carrying out certain finer manipulations of solving specific equations over $\gf_{2^n}$, we give explicit values of all entries of the DDT, the FBCT, the FBDT and the FBET of the investigated power functions. From the theoretical point of view, our study pushes further former investigations on differential and Feistel boomerang differential uniformities for a novel power function $F$. From a cryptographic point of view, when considering Feistel block cipher involving $F$, our in-depth analysis helps select $F$ resistant to differential attacks, Feistel differential attacks and Feistel boomerang attacks, respectively.

Information Theory

Guanghui Li,Xiwang Cao

DOI: https://doi.org/10.1007/s40314-024-02956-4

2024-10-11

Computational and Applied Mathematics

Abstract:Permutation polynomials over finite fields have been extensively studied not only for their applications in cryptography, but have also been applied to coding theory and combinatorial design theory. Recently, a new theoretical tool, the Boomerang Connectivity Table (BCT) and the corresponding boomerang uniformity were introduced to evaluate the resistance of a block cipher against boomerang attacks. Inspired by a multiplier differential, Stănică [Investigations on c -boomerang uniformity and perfect nonlinearity, Discret. Appl. Math., 2021] extended the concept of boomerang uniformity to c -boomerang uniformity. In this paper, we investigate two classes of permutation polynomials over with respect to this new concept. We show that these permutations are 1-uniform c -BCT functions.

mathematics, applied

Man, Yuying,Lu, Yuxuan

DOI: https://doi.org/10.1007/s40314-024-02979-x

2024-11-02

Computational and Applied Mathematics

Abstract:Boukerrou et al. (IACR Trans Symmetric Cryptol 2020(1):331–362, 2020) introduced the notion of the Feistel Boomerang Connectivity Table (FBCT), the Feistel counterpart of the Boomerang Connectivity Table (BCT), and the Feistel boomerang uniformity (which is the same as the second-order zero differential uniformity in even characteristic). The FBCT is a crucial table for the analysis of the resistance of block ciphers to power attacks such as differential and boomerang attacks. It is worth noting that the coefficients of the FBCT are related to the second-order zero differential spectra of functions. In this paper, by carrying out certain finer manipulations of solving specific equations over finite fields, we explicitly determine the second-order zero differential spectra of some power functions. Our study further pushes previous investigations on second-order zero differential uniformity and Feistel boomerang uniformity for a power function F .

mathematics, applied