Xiaoxuan Lou,Fan Zhang,Guorui Xu,Ziyuan Liang,Xinjie Zhao,Shize Guo,Kui Ren

DOI: https://doi.org/10.1007/978-3-030-42921-8_29

2020-01-01

Abstract:Block ciphers with Feistel structures are vulnerable to a specific type of cache attacks named differential cache attacks. The attacks leverage side-channel leakages from cache and differential property of cipher component to reveal the master key of cipher. In this paper, we combine the algebraic analysis to enhance the attacks, and propose a novel method named Algebraic Differential Cache Attack (ADCA). By converting both cipher and cache leakages to algebraic equations, ADCA can reveal the cipher key automatically with the help of the SAT solver, which allows the analysis on much deeper rounds and makes a considerable reduction in attack complexity. When it is applied to the block cipher SM4, 10 plaintexts are enough to reveal the master key in 8-rounds analysis, while the traditional differential cache attack needs 20 ones. Finally, to eliminate the impact from noise, an error-tolerant method is proposed to deduce cache events from the leakage traces. It vastly enhances the robustness of attack, and makes the attack more practical. The experimental results show that the error-tolerant ADCA can correctly reveal the master key even when the uncertainty rate of cache events reaches to 60%.

Maria Eichlseder,Lorenzo Grassi,Reinhard Lüftenegger,Morten Øygarden,Christian Rechberger,Markus Schofnegger,Qingju Wang

DOI: https://doi.org/10.1007/978-3-030-64837-4_16

2020-01-01

Abstract:Algebraically simple PRFs, ciphers, or cryptographic hash functions are becoming increasingly popular, for example due to their attractive properties for MPC and new proof systems (SNARKs, STARKs, among many others). In this paper, we focus on the algebraically simple construction MiMC, which became an attractive cryptanalytic target due to its simplicity, but also due to its use as a baseline in a competition for more recent algorithms exploring this design space. For the first time, we are able to describe key-recovery attacks on all full-round versions of MiMC over $${\mathbb {F}}_{2^n}$$ , requiring half the code book. In the chosen-ciphertext scenario, recovering the key from this data for the n-bit full version of MiMC takes the equivalent of less than $$2^{n-\log _2(n) +1}$$ calls to MiMC and negligible amounts of memory. The attack procedure is a generalization of higher-order differential cryptanalysis, and it is based on two main ingredients. First, we present a higher-order distinguisher which exploits the fact that the algebraic degree of MiMC grows significantly slower than originally believed. Secondly, we describe an approach to turn this distinguisher into a key-recovery attack without guessing the full subkey. Finally, we show that approximately $$\lceil \log _3(2\cdot R)\rceil $$ more rounds (where $$R = \lceil n \cdot \log _3(2)\rceil $$ is the current number of rounds of MiMC-n/n) can be necessary and sufficient to restore the security against the key-recovery attack presented here. The attack has been practically verified on toy versions of MiMC. Note that our attack does not affect the security of MiMC over prime fields.

Fan Zhang,Bolin Yang,Shize Guo,Xinjie Zhao,Tao Wang,Francois-Xavier Standaert,Dawu Gu

DOI: https://doi.org/10.1007/978-3-030-11333-9_5

2019-01-01

Abstract:Algebraic fault analysis (AFA), which combines algebraic cryptanalysis with fault attacks, has represented serious threats to the security of lightweight block ciphers. Inspired by an earlier framework for the analysis of side-channel attacks presented at EUROCRYPT 2009, a new generic framework is proposed to analyze and evaluate algebraic fault attacks on lightweight block ciphers. We interpret AFA at three levels: the target, the adversary, and the evaluator. We describe the capability of an adversary in four parts: the fault injector, the fault model describer, the cipher describer, and the machine solver. A formal fault model is provided to cover most of the current fault attacks. Different strategies of building optimal equation set are also provided to accelerate the solving process. At the evaluator level, we consider the approximate information metric and the actual security metric. These metrics can be used to …

Ming Duan,Xuejia Lai

DOI: https://doi.org/10.1109/icist.2011.5765256

2011-01-01

Abstract:In this paper, we introduce a higher order differential cryptanalysis framework based on higher order derivatives. We show the previous attacks, higher order differential attack (HODA), algebraic IV differential attack (AIDA), Cube Attack, Cube Tester and bitwise higher order differential attack (BHODA) are all theoretically based on higher order derivatives and can be generalized in the cryptanalysis framework. Inspiring from the framework, we show some properties of higher order derivatives and discuss their applications. We also propose a practical higher order differential cryptanalysis technique and an algorithm based on it, additionally.

Jintai Ding,Bo-Yin Yang,Chen-Mou Cheng,Chia-Hsin Owen Chen,Vivien Dubois

2007-01-01

Abstract:sflash had recently been broken by Dubois, Stern, Shamir, etc., using a differential attack on the public key. The C∗− signature schemes are hence no longer practical. In this paper, we will study the new attack from the point view of symmetry, then (1) present a simple concept (projection) to modify several multivariate schemes to resist the new attacks; (2) demonstrate with practical examples that this simple method could work well; and (3) show that the same discussion of attack-and-defence applies to other big-field multivariates. The speed of encryption schemes is not affected, and we can still have a big-field multivariate signatures resisting the new differential attacks with speeds comparable to sflash.

Qingyuan Yu,Xiaoyang Dong,Lingyue Qin,Yongze Kang,Keting Jia,Xiaoyun Wang,Guoyan Zhang

DOI: https://doi.org/10.46586/tches.v2023.i4.1-31

2023-01-01

IACR Transactions on Cryptographic Hardware and Embedded Systems

Abstract:Fault analysis is a powerful technique to retrieve secret keys by exploiting side-channel information. Differential fault analysis (DFA) is one of the most powerful threats utilizing differential information between correct and faulty ciphertexts and can recover keys for symmetric-key cryptosystems efficiently. Since DFA usually targets the first or last few rounds of the block ciphers, some countermeasures against DFA only protect the first and last few rounds for efficiency. Therefore, to explore how many rounds DFA can affect is very important to make sure how many rounds to protect in practice. At CHES 2011, Derbez et al. proposed an improved DFA on AES based on MitM approach, which covers one more round than previous DFAs. To perform good (or optimal) MitM DFA on block ciphers, the good (or optimal) attack configurations should be identified, such as the location where the faults inject, the matching point with differential relationship, and the two independent computation paths where two independent subsets of the key are involved. In this paper, we formulate the essential ideas of the construction of the attack, and translate the problem of searching for the best MitM DFA into optimization problems under constraints in Mixed-Integer-Linear-Programming (MILP) models. With the models, we achieve more powerful and practical DFA attacks on SKINNY, CRAFT, QARMA, PRINCE, PRINCEv2, and MIDORI with faults injected in 1 to 9 earlier rounds than the best previous DFAs.

Hao Chen,Tao Wang,Fan Zhang,Xinjie Zhao,Wei He,Lumin Xu,Yunfei Ma

DOI: https://doi.org/10.1155/2017/8051728

IF: 1.968

2017-01-01

Security and Communication Networks

Abstract:HIGHT is a lightweight block cipher which has been adopted as a standard block cipher. In this paper, we present a bit-level algebraic fault analysis (AFA) of HIGHT, where the faults are perturbed by a stealthy HT. The fault model in our attack assumes that the adversary is able to insert a HT that flips a specific bit of a certain intermediate word of the cipher once the HT is activated. The HT is realized by merely 4 registers and with an extremely low activation rate of about 0.000025. We show that the optimal location for inserting the designed HT can be efficiently determined by AFA in advance. Finally, a method is proposed to represent the cipher and the injected faults with a merged set of algebraic equations and the master key can be recovered by solving the merged equation system with an SAT solver. Our attack, which fully recovers the secret master key of the cipher in 12572.26 seconds, requires three times of activation on the designed HT. To the best of our knowledge, this is the first Trojan attack on HIGHT.

Matthias Johann Steiner

DOI: https://doi.org/10.46586/tosc.v2024.i1.357-411

2024-03-04

Abstract:For Arithmetization-Oriented ciphers and hash functions Gröbner basis attacks are generally considered as the most competitive attack vector. Unfortunately, the complexity of Gröbner basis algorithms is only understood for special cases, and it is needless to say that these cases do not apply to most cryptographic polynomial systems. Therefore, cryptographers have to resort to experiments, extrapolations and hypotheses to assess the security of their designs. One established measure to quantify the complexity of linear algebra-based Gröbner basis algorithms is the so-called solving degree. Caminata \& Gorla revealed that under a certain genericity condition on a polynomial system the solving degree is always upper bounded by the Castelnuovo-Mumford regularity and henceforth by the Macaulay bound, which only takes the degrees and number of variables of the input polynomials into account. In this paper we extend their framework to iterated polynomial systems, the standard polynomial model for symmetric ciphers and hash functions. In particular, we prove solving degree bounds for various attacks on MiMC, Feistel-MiMC, Feistel-MiMC-Hash, Hades and GMiMC. Our bounds fall in line with the hypothesized complexity of Gröbner basis attacks on these designs, and to the best of our knowledge this is the first time that a mathematical proof for these complexities is provided. Moreover, by studying polynomials with degree falls we can prove lower bounds on the Castelnuovo-Mumford regularity for attacks on MiMC, Feistel-MiMC and Feistel-MiMC-Hash provided that only a few solutions of the corresponding iterated polynomial system originate from the base field. Hence, regularity-based solving degree estimations can never surpass a certain threshold, a desirable property for cryptographic polynomial systems.

Cryptography and Security,Commutative Algebra

Xinjie Zhao,Fan Zhang,Shize Guo,Tao Wang,Zhijie Shi,Huiying Liu,Keke Ji

DOI: https://doi.org/10.1007/978-3-642-29912-4_17

2012-01-01

Abstract:Algebraic side-channel attack (ASCA) is a powerful cryptanalysis technique different from conventional side-channel attacks. This paper studies ASCA from three aspects: enhancement, analysis and application. To enhance ASCA, we propose a generic method, called Multiple Deductions-based ASCA (MDASCA), to cope the multiple deductions caused by inaccurate measurements or interferences. For the first time, we show that ASCA can exploit cache leakage models. We analyze the attacks and estimate the minimal amount of leakages required for a successful ASCA on AES under different leakage models. In addition, we apply MDASCA to attack AES on an 8-bit microcontroller under Hamming weight leakage model, on two typical microprocessors under access driven cache leakage model, and on a 32-bit ARM microprocessor under trace driven cache leakage model. Many better results are achieved compared to the previous work. The results are also consistent with the theoretical analysis. Our work shows that MDASCA poses great threats with its excellence in error tolerance and new leakage model exploitation.

Jintai Ding,Bo-Yin Yang,Chia-Hsin Owen Chen,Ming-Shing Chen,Chen-Mou Cheng

DOI: https://doi.org/10.1007/978-3-540-68914-0_15

2008-01-01

Abstract:A recently proposed class of multivariate Public-Key Cryptosystems, the Rainbow-Like Digital Signature Schemes, in which successive sets of central variables are obtained from previous ones by solving linear equations, seem to lead to efficient schemes (TTS, TRMS, and Rainbow) that perform well on systems of low computational resources. Recently SFLASH (C*-) was broken by Dubois, Fouque, Shamir, and Stern via a differential attack. In this paper, we exhibit similar algebraic and diffential attacks, that will reduce published Rainbow-like schemes below their security levels. We will also discuss how parameters for Rainbow and TTS schemes should be chosen for practical applications.

Kexin Qiao,Zhiyu Zhang,Zhongfeng Niu,Liehuang Zhu,Jianfeng Ma

DOI: https://doi.org/10.23919/cje.2023.00.008

IF: 1.019

2024-01-01

Chinese Journal of Electronics

Abstract:Recent results show that the differential properties within quadruples boom as a new inspiration in cryptanalysis of Advanced Encryption Standard (AES)-like constructions. These methods include the exchange attack proposed in Asiacrypt'19, the mixture differential attack proposed in ToSC'18, etc., where the essential properties are obtained by manually scrutinizing the structures of the AES-like constructions. This paper presents a novel framework and an automatic tool based on mixed integer linear programming to search for mixture differential distinguishers for general constructions. This framework considers what equality patterns among quadruples can make a distinguisher and traces how the patterns propagate through cipher components with accurate probability estimation. With this tool, a 5-round AES distinguishing attack with lower complexity and more 6-round distinguishing attacks in the chosen plaintext scenarios are deduced. We prove that no exchange-type or mixture differential distinguisher exists for 7 and above rounds AES if the details of the Sbox and MixColumns matrix are not taken into account.

engineering, electrical & electronic

Zhenzhen Bao,Xiaoyang Dong,Jian Guo,Zheng Li,Danping Shi,Siwei Sun,Xiaoyun Wang

DOI: https://doi.org/10.1007/978-3-030-77870-5_27

2021-01-01

Abstract:The Meet-in-the-Middle (MITM) preimage attack is highly effective in breaking the preimage resistance of many hash functions, including but not limited to the full MD5, HAVAL, and Tiger, and reduced SHA-0/1/2. It was also shown to be a threat to hash functions built on block ciphers like AES by Sasaki in 2011. Recently, such attacks on AES hashing modes evolved from merely using the freedom of choosing the internal state to also exploiting the freedom of choosing the message state. However, detecting such attacks especially those evolved variants is difficult. In previous works, the search space of the configurations of such attacks is limited, such that manual analysis is practical, which results in sub-optimal solutions. In this paper, we remove artificial limitations in previous works, formulate the essential ideas of the construction of the attack in well-defined ways, and translate the problem of searching for the best attacks into optimization problems under constraints in Mixed-Integer-Linear-Programming (MILP) models. The MILP models capture a large solution space of valid attacks; and the objectives of the MILP models are attack configurations with the minimized computational complexity. With such MILP models and using the off-the-shelf solver, it is efficient to search for the best attacks exhaustively. As a result, we obtain the first attacks against the full (5-round) and an extended (5.5-round) version of Haraka-512 v2, and 8-round AES-128 hashing modes, as well as improved attacks covering more rounds of Haraka-256 v2 and other members of AES and Rijndael hashing modes.

Kai Zhang,Xuejia Lai,Lei Wang,Jie Guan,Bin Hu,Senpeng Wang,Tairong Shi

DOI: https://doi.org/10.1007/s10623-023-01226-4

IF: 1.4

2023-01-01

Designs Codes and Cryptography

Abstract:Computer aided cryptanalysis has been popular for recent several years, however, most of these automations are semi-automations which leave cryptographers to complete the remaining parts of the attack. This paper proposes an automatic framework towards optimal meet-in-the-middle attack with splice-and-cut technique(MITM-SCT). Compared with other automations on MITM attack, our framework is fully automatic which can take all the procedures of the attack into consideration. Firstly, with a newly introduced matrix-based method, a general framework is proposed to calculate the correlated states and illustrate the differential diffusion property in a MITM attack. Alongside, all the procedures of a typical MITM-SCT attack are reduced to three types of matrices. These matrices can be uniquely determined by the round function and the construction methods are presented. Secondly, based on the framework, a fully automatic searching method on MITM-SCT attack is proposed. Thirdly, an optimal searching strategy on MITM-SCT attack is proposed and the bound for the time complexity is illustrated. Based on our method, if the computing capability is large enough, we can search all the possible attack scenarios and the least upper bound for the target block cipher against MITM-SCT attack can be derived. That is to say, we cannot only find some better attack scenarios, but also try all the possible attack scenarios simultaneously to find the optimal ones for some cases. Finally, we apply our method to HIGHT, CHAM, WARP and derive some currently best-known MITM attacks on these ciphers. For HIGHT, we exhaustively search about 2.1 billion attack scenarios and derive 76.8 thousand 23-round MITM attacks on HIGHT, which is 4 rounds more than the current best MITM attack. For the CHAM family ciphers, some MITM attacks are proposed on 30-round, 19-round, 30-round CHAM-64/128, CHAM-128/128 and CHAM-128/256 respectively. These results can exceed most of the attacks in the single key setting proposed by the designers. For WARP, a concrete 19-round MITM attack is proposed. Our automatic method is proposed on solving the problem of MITM attacks on ARX ciphers, however, the successful attack on WARP indicates that our method can also be applied to Sbox-based block ciphers.

Lele Chen,Gaoli Wang,GuoYan Zhang

DOI: https://doi.org/10.1093/comjnl/bxz076

2019-10-15

The Computer Journal

Abstract:Abstract The rectangle attack is the extension of the traditional differential attack and is evolved from the boomerange attack. It has been widely used to attack several existing ciphers. In this article, we study the security of lightweight block ciphers GIFT, Khudra and MIBS against related-key rectangle attack. We use Mixed-Integer Linear Programming-aided cryptanalysis to search rectangle distinguishers by taking into account the effect of the ladder switch technique. For GIFT, we build a 19-round related-key rectangle distinguisher and attack on 23-round GIFT-64, which requires 260 chosen plaintexts and 2107 encryptions. For Khudra, a 14-round related-key rectangle distinguisher can be built, which leads us to a 17-round rectangle attack. Our attack on 17-round Khudra requires a data complexity of 262.9 chosen plaintexts and a time complexity of 273.9 encryptions. For MIBS, we construct a 13-round related-key rectangle distinguisher and propose an attack on 15-round MIBS-64 with time complexity of 259 and data complexity of 245. Compared to the previous best related-key rectangle attack, we can attack one more round on Khudra and MIBS-64 than before.

Vahid Amin Ghafari,Honggang Hu

DOI: https://doi.org/10.1007/s12652-018-0897-x

IF: 3.662

2018-01-01

Journal of Ambient Intelligence and Humanized Computing

Abstract:We propose a new attack framework based upon cube testers and d-monomial test. The d-monomial test is a general framework for comparing the ANF of the symmetric cipher’s output with ANF of a random Boolean function. In the d-monomial test, the focus is on the frequency of the special monomial in the ANF of Boolean functions, but in the proposed framework, the focus is on the truth table. We attack ACORN-v3 and Grain-128a and demonstrate the efficiency of our framework. We show how it is possible to apply a distinguishing attack for up to 670 initialization rounds of ACORN-v3 and 171 initialization rounds of Grain-128a using our framework. The attack on ACORN-v3 is the best practical attack (and better results can be obtained by using more computing power such as cube attacks). One can apply distinguishing attacks to black box symmetric ciphers by the proposed framework, and we suggest some guidelines to make it possible to improve the attack by analyzing the internal structure of ciphers. The framework is applicable to all symmetric ciphers and hash functions. We discuss how it can reveal weaknesses that are not possible to find by other statistical tests. The attacks were practically implemented and verified.

Jintai Ding,Ai Ren,Chengdong Tao

DOI: https://doi.org/10.1007/978-3-642-38519-3_9

2012-01-01

Abstract:Let X = (x 1,.;x n ) and Y = (y 1,.;y m ) be a pair of corresponding plaintext and ciphertext for a cryptosystem. We define an embedded surface of this cryptosystem as any polynomial equation: which is satisfied by all such pairs. In this paper, we present a new attack on the multivariate public key cryptosystems from Diophantine equations developed by Gao and Heindl by using the embedded surfaces associated to this family of multivariate cryptosystems. © 2013 Springer-Verlag Berlin Heidelberg.

Seungjun Baek,Sehee Cho,Jongsung Kim

DOI: https://doi.org/10.1007/s11128-022-03499-5

IF: 1.965

2022-04-27

Quantum Information Processing

Abstract:Recently, Hosoyamada and Sasaki (Eurocrypt'20) proposed dedicated quantum collision attacks on AES-MMO and AES-MP and revealed that a differential trail that is not available in the classical setting due to a low probability can be utilized in the quantum settings. Their works encouraged cryptographers to actively perform security analysis of concrete hash functions in the quantum settings, which had not received much attention before. Xiaoyang Dong et al. (Asiacrypt'20) proposed improved dedicated quantum collision attacks on AES-MMO and AES-MP, and Chauhan et al. (ToSC'21) proposed quantum rebound attacks on the double-block-length hash function Hirose instantiated with 10-round reduced AES-256. In this paper, we propose a quantum collision attack on the Davies–Meyer (DM) hash function instantiated with full-round AES-256. We construct a new chosen-key differential trail for AES-256 based on the trail of Biryukov et al. proposed in 2009 and use it to find collisions of the full AES-256-based DM in a quantum setting. We also present quantum free-start collision attacks on the Hirose and MJH hash functions instantiated with full-round AES-256. These attacks are significant in that they are the first algorithms to find full-round (free-start) collisions. In particular, in the case of Hirose-AES-256, our attacks can cover a larger number of constant c than previously proposed attacks and also cover more rounds.

physics, multidisciplinary,quantum science & technology, mathematical

Bo Zhu,G. Gong,Xuejia Lai,Kefei Chen

2011-01-01

Abstract:This paper introduces a more in-depth cryptanalysis framework for tweakable cryptosystems than Cube Attack, Cube Tester, algebraic IV differential attack (AIDA), and higher order differential cryptanalysis in Boolean algebra. Through the view of the new framework, the differences among these existing analysis methods are clarified. Furthermore, a principle is proposed to design secure systems against such cryptanalyses.

Haomiao Yang,Hyunsung Kim,Dianhua Tang

DOI: https://doi.org/10.1007/978-94-007-6738-6_34

2013-01-01

Abstract:At CDCIEM 2012, Yang et al. proposed a new construction of somewhat homomorphic encryption scheme over integers, which is quite efficient in the perspective of the key size. In this paper, we present an effective lattice reduction attack on Yang et al.’s scheme, where it is easy to recover the plaintext by applying LLL algorithm.

Limin Guo,Lihui Wang,Qing Li,Zhimin Zhang,Dan Liu,Weijun Shan

DOI: https://doi.org/10.2991/iset-15.2015.25

2015-01-01

Abstract:HMAC algorithm is one of the most famous keyed hash functions, and widely utilized. And SM3 is the only standard hash algorithm of China. However, most cryptographic algorithms implementations are vulnerable against side channel attacks. But specific side channel attacks on HMAC-SM3 have not been given so far. This paper presents a first-order DPA attack on HMAC-SM3. HMAC-SM3 hash algorithm is based on the mixing of different algebraic operations, such as XOR and addition modulo 2(32), thus the proposed DPA attack is mainly against these basic group operations. Experimental results are given by attacking an implementation of HMAC-SM3 in a smart card, which demonstrate the practicability of such attacks described in this paper.