Qingyuan Yu,Lingyue Qin,Xiaoyang Dong,Keting Jia

DOI: https://doi.org/10.1093/comjnl/bxad071

2024-01-01

Abstract:GIFT is a lightweight cipher proposed by Banik et al. at CHES'17, motivated by the design strategy of PRESENT. GIFT-64[2021] is a variant of GIFT proposed by Sun et al. at EUROCRYPT'22 to achieve better resistance against differential attack while maintaining a similar security level against linear attack. At EUROCRYPT'22, Dong et al. proposed a new rectangle framework considering the key guessing strategies for linear key-schedule ciphers, and established a uniform automatic search model for the whole rectangle attack. In this paper, we extend it to be applicable to bit-oriented ciphers, and construct an automatic search model involved in the distinguisher and key-recovery phase for GIFT. Moreover, we utilize the key relations of the linear key-schedule to the model, and find some new distinguishers both for GIFT-64 and GIFT-64[2021]. To evaluate the probability more accurately, we propose a method to calculate the probability of the 2-round middle part which connects the boomerang distinguisher for GIFT, and apply it with the SAT method to evaluate the probability of the whole distinguishers. As a result, we search out a new 20-round related-key boomerang distinguisher for GIFT-64, and achieve a 26-round attack with better time complexity than the best previous attack. For GIFT-64[2021], we find a 20-round boomerang distinguisher and give the first 26-round rectangle attack under related-key scenario.

Boxin Zhao,Xiaoyang Dong,Willi Meier,Keting Jia,Gaoli Wang

DOI: https://doi.org/10.1007/s10623-020-00730-1

2020-01-01

Abstract:This paper gives a new generalized key-recovery model of related-key rectangle attacks on block ciphers with linear key schedules. The model is quite optimized and applicable to various block ciphers with linear key schedule. As a proof of work, we apply the new model to two very important block ciphers, i.e. SKINNY and GIFT, which are basic modules of many candidates of the Lightweight Cryptography (LWC) standardization project by NIST. For SKINNY, we reduce the complexity of the best previous 27-round related-tweakey rectangle attack on SKINNY-128-384 from 2 331 to 2 294 . In addition, the first 28-round related-tweakey rectangle attack on SKINNY-128-384 is given, which gains one more round than before. For the candidate LWC SKINNY AEAD M1, we conduct a 24-round related-tweakey rectangle attack with a time complexity of 2 123 and a data complexity of 2 123 chosen plaintexts. For the case of GIFT-64, we give the first 24-round related-key rectangle attack with a time complexity 2 91.58 , while the best previous attack on GIFT-64 only reaches 23 rounds at most.

Baoyu Zhu,Xiaoyang Dong,Hongbo Yu

DOI: https://doi.org/10.1007/978-3-030-12612-4_19

2019-01-01

Abstract:At Asiacrypt 2014, Sun et al. proposed a MILP model [20] to search for differential characteristics of bit-oriented block ciphers. In this paper, we improve this model to search for differential characteristics of GIFT [2], a new lightweight block cipher proposed at CHES 2017. GIFT has two versions, namely GIFT-64 and GIFT-128. For GIFT-64, we find the best 12-round differential characteristic and a number of iterative 4-round differential characteristics with our MILP-based model. We give a key-recovery attack on 19-round GIFT-64. For GIFT-128, we find a 18-round differential characteristic and give the first attack on 23-round GIFT-128.

Xiaoyang Dong,Lingyue Qin,Siwei Sun,Xiaoyun Wang

DOI: https://doi.org/10.1007/978-3-031-07082-2_1

2022-01-01

Abstract:When generating quartets for the rectangle attacks on ciphers with linear key-schedule, we find the right quartets which may suggest key candidates have to satisfy some nonlinear relations. However, some quartets generated always violate these relations, so that they will never suggest any key candidates. Inspired by previous rectangle frameworks, we find that guessing certain key cells before generating quartets may reduce the number of invalid quartets. However, guessing a lot of key cells at once may lose the benefit from the early abort technique, which may lead to a higher overall complexity. To get better tradeoff, we build a new rectangle framework on ciphers with linear key-schedule with the purpose of reducing overall complexity or attacking more rounds. In the tradeoff model, there are many parameters affecting the overall complexity, especially for the choices of the number and positions of key guessing cells before generating quartets. To identify optimal parameters, we build a uniform automatic tool on SKINNY as an example, which includes the optimal rectangle distinguishers for key-recovery phase, the number and positions of key guessing cells before generating quartets, the size of key counters to build that affecting the exhaustive search step, etc. Based on the automatic tool, we identify a 32-round key-recovery attack on SKINNY-128-384 in the related-key setting, which extends the best previous attack by 2 rounds. For other versions with n-2n or n-3n, we also achieve one more round than before. In addition, using the previous rectangle distinguishers, we achieve better attacks on round-reduced ForkSkinny, Deoxys-BC-384 and GIFT-64. At last, we discuss the conversion of our rectangle framework from related-key setting into single-key setting and give new single-key rectangle attack on 10-round Serpent.

Qingju Wang,Zhiqiang Liu,Deniz Toz,Kerem Varici,Dawu Gu

DOI: https://doi.org/10.1049/iet-ifs.2014.0380

2015-01-01

IET Information Security

Abstract:In this study, the authors present the first related-key rectangle cryptanalysis of Rijndael-160/160 and Rijndael-192/192. The author's attack on Rijndael-160/160 covers eight rounds. The attack complexities are 2(126.5) chosen plaintexts, 2(129.28) 8-round Rijndael-160/160 encryptions and 2(132.82) bytes. Their attack on Rijndael-192/192 covers ten rounds. It requires 2(179) chosen plaintexts, 2(181.09) 10-round Rijndael-192/192 encryptions and 2(185.59) bytes memory. These are the currently best cryptanalytic results on Rijndael-160/160 and Rijndael-192/192 in terms of the number of attacked rounds. Furthermore, their results show that the slow diffusion in the key schedule of Rijndael makes it a target for this type of analysis.

Shichang Wang,Meicheng Liu,Shiqi Hou,Dongdai Lin

DOI: https://doi.org/10.62056/a6n5txol7

2024-01-01

Abstract:At CHES 2017, Banik et al. proposed a lightweight block cipher GIFT consisting of two versions GIFT-64 and GIFT-128. Recently, there are lots of authenticated encryption schemes that adopt GIFT-128 as their underlying primitive, such as GIFT-COFB and HyENA. To promote a comprehensive perception of the soundness of the designs, we evaluate their security against differential-linear cryptanalysis. For this, automatic tools have been developed to search differential-linear approximation for the ciphers based on S-boxes. With the assistance of the automatic tools, we find 13-round differential-linear approximations for GIFT-COFB and HyENA. Based on the distinguishers, 18-round key-recovery attacks are given for the message processing phase and initialization phase of both ciphers. Moreover, the resistance of GIFT-64/128 against differential-linear cryptanalysis is also evaluated. The 12-round and 17-round differential-linear approximations are found for GIFT-64 and GIFT-128 respectively, which lead to 18-round and 19-round key-recovery attacks respectively. Here, we stress that our attacks do not threaten the security of these ciphers.

Rui Zong,Xiaoyang Dong

DOI: https://doi.org/10.1109/access.2019.2946638

IF: 3.9

2019-01-01

IEEE Access

Abstract:In this paper, we study the relation of related-tweak/key impossible differentials with single-key ones. Following a heuristic strategy, we can derive longer related-tweak/key impossible differentials from single-key ones. We implement this strategy with the MILP technique and apply it to search related-tweak/key impossible differentials of two tweakable block ciphers: QARMA-64 and Joltik-BC-128. For QARMA-64, we find several 7-round related-tweak impossible differential distinguishers and use them to mount a 10-round key recovery attack including the outer whitening key; for Joltik-BC-128, we find two 6-round related-tweakey impossible differential distinguishers and use them attack 9-round and 10-round Joltik-BC-128 respectively.

Rui Zong,Xiaoyang Dong,Huaifeng Chen,Yiyuan Luo,Si Wang,Zheng Li

DOI: https://doi.org/10.46586/tosc.v2021.i1.156-184

2021-01-01

Abstract:When analyzing a block cipher, the first step is to search for some valid distinguishers, for example, the differential trails in the differential cryptanalysis and the linear trails in the linear cryptanalysis. A distinguisher is advantageous if it can be utilized to attack more rounds and the amount of the involved key bits during the key-recovery process is small, as this leads to a long attack with a low complexity. In this article, we propose a two-step strategy to search for such advantageous distinguishers. This strategy is inspired by the intuition that if a differential is advantageous only when some properties are satisfied, then we can predefine some constraints describing these properties and search for the differentials in the small set.As applications, our strategy is used to analyze GIFT-128, which was proposed in CHES 2017. Based on some 20-round differentials, we give the first 27-round differential attack on GIFT-128, which covers one more round than the best previous result. Also, based on two 17-round linear trails, we give the first linear hull attack on GIFT-128, which covers 22 rounds. In addition, we also give some results on two GIFT-128 based AEADs GIFT-COFB and SUNDAE-GIFT.

Huaifeng Chen,Rui Zong,Xiaoyang Dong

DOI: https://doi.org/10.1007/978-3-030-41579-2_26

2019-01-01

Abstract:GIFT is a new lightweight PRESENT-like block cipher, proposed by Banik et al. at CHES 2017. There are two versions, i.e., GIFT-64 and GIFT-128, with block size 64 and 128 respectively. Both versions have a 128-bit key. The Sbox and the linear layer of GIFT are chosen carefully to avoid single difference bit or linear mask bit path in 2 consecutive rounds. This improves the security of GIFT against differential, linear and linear hull attacks. In this paper, we implement a new automatic search algorithm of differential characteristics on GIFT-64. Considering the situations that some characteristics have the same input and output difference, we find a few of improved differentials with longer rounds or higher probabilities. Among them, the best probability for 12-round differential is 2(-56.5737), while that for 13-round differential is 2(-61.)(3135). In addition, we find 52 13-round differentials with the same output differences. Based on them, we mount a multiple differential attack on 20-round GIFT-64 with 2(62) chosen plaintexts, which attacks one more round than the best previous result. Also, we can attack 21-round GIFT-64 with the full codebook, using one differential with probability 2(-)(62)(.)(0634). This is the longest attack as far as we know.

Qianqian Yang,Ling Song,Nana Zhang,Danping Shi,Libo Wang,Jiahao Zhao,Lei Hu,Jian Weng

DOI: https://doi.org/10.1007/s00145-024-09499-1

2024-04-12

Journal of Cryptology

Abstract:The rectangle attack has shown to be a very powerful form of cryptanalysis against block ciphers. Given a rectangle distinguisher, one expects to mount key recovery attacks as efficiently as possible. In the literature, there have been four algorithms for rectangle key recovery attacks. However, their performance varies from case to case. Besides, numerous are the applications where the attacks lack optimality. In this paper, we delve into the rectangle key recovery and propose a unified and generic key recovery algorithm, which supports any possible attacking parameters. Not only does it encompass the four existing rectangle key recovery algorithms, but it also reveals five new types of attacks that were previously overlooked. Further, we put forward a counterpart for boomerang key recovery attacks, which supports any possible attacking parameters as well. Along with these new key recovery algorithms, we propose a framework to automatically determine the best parameters for the attack. To demonstrate the efficiency of the new key recovery algorithms, we apply them to Serpent , AES -192, CRAFT , SKINNY , and Deoxys-BC -256 based on existing distinguishers, yielding a series of improved attacks.

computer science, theory & methods,engineering, electrical & electronic,mathematics, applied

Chenmeng Li,Baofeng Wu,Dongdai Lin

DOI: https://doi.org/10.1007/978-3-031-26553-2_11

2022-01-01

Abstract:Boomerang connectivity table (BCT), an essential tool in boomerang attack, gives a unified description of the probability in the middle round of a boomerang distinguisher. However, it suffers the drawback that the asymmetric relationship between the upper and lower differentials in the middle round is ignored. To make up for this deficiency, we propose the generalized boomerang connectivity table (GBCT), which characterizes all combinations of upper and lower differentials to provide a more precise probability in the middle round. We first study the cryptographic properties of GBCT and introduce its variants applied in multiple rounds and Feistel structure. Then, we provide an automatic search algorithm to increase the probability of the boomerang distinguisher by adding thorough considerations that more trails can be included, which is applicable to all S-box based ciphers. Finally, we increase the probabilities of the 20-round GIFT-64 distinguisher from to and the 19-round GIFT-128 distinguisher from to , both of which are the highest so far. Applying the key recovery attack proposed by Dong et al. at Eurocrypt 2022 on the new distinguisher, we achieve the lowest complexities of the attack on GIFT-64 and the best rectangle attack on GIFT-128.

Fan Zhang,Xiaofei Dong,Xinjie Zhao,Yidi Wang,Samiya Qureshi,Yiran Zhang,Xiaoxuan Lou,Yongkang Tang

DOI: https://doi.org/10.1109/MASS.2018.00056

2018-01-01

Abstract:This paper proposed an advanced round modification fault analysis (RMFA) at the theoretical level on AEGIS-128, which is one of seven finalists in CAESAR competition. First, we clarify our assumptions and simplifications on the attack model, focusing on the encryption security. Then, we emphasize the difficulty of applying vanilla RMFA to AEGIS-128 in the practical case. Finally we demonstrate our advanced fault analysis on AEGIS-128 using machine-solver based algebraic techniques. Our enhancement can be used to conquer the practical scenario which is difficult for vanilla RMFA. Simulation results show that when the fault is injected to the initialization phase and the number of rounds is reduced to one, two samples of injections can extract the whole 128 key bits within less than two hours. This work can also be extended to other versions such as AEGIS-256.

JIA Ke-ting

2010-01-01

Abstract:The related key rectangle-like sandwich attack is used to improve cryptanalysis on 44-round SHACAL-2. With the combination of modular difference and XOR difference and substituting a single difference with more differences, the probability of the differential path is improved and a 35-round related key rectangle-like sandwich distinguis-her with probability 2-430 is given. Applying the distinguisher, the key recovery attack on 44-round SHACAL-2 with related keys is introduced, with 2217 chosen plaintexts, 2476.92 44-round encryptions and 2222 bytes of memory.

Gregory V. Bard,Nicolas T. Courtois,Jorge Nakahara Jr,Pouyan Sepehrdad,Bingsheng Zhang

DOI: https://doi.org/10.1007/978-3-642-17401-8_14

2010-01-01

Abstract:This paper presents the first results on AIDA/cube, algebraic and side-channel attacks on variable number of rounds of all members of the KATAN family of block ciphers. Our cube attacks reach 60, 40 and 30 rounds of KATAN32, KATAN48 and KATAN64, respectively. In our algebraic attacks, we use SAT solvers as a tool to solve the quadratic equations representation of all KATAN ciphers. We introduced a novel pre-processing stage on the equations system before feeding it to the SAT solver. This way, we could break 79, 64 and 60 rounds of KATAN32, KATAN48, KATAN64, respectively. We show how to perform side channel attacks on the full 254-round KATAN32 with one-bit information leakage from the internal state by cube attacks. Finally, we show how to reduce the attack complexity by combining the cube attack with the algebraic attack to recover the full 80-bit key. Further contributions include new phenomena observed in cube, algebraic and side-channel attacks on the KATAN ciphers. For the cube attacks, we observed that the same maxterms suggested more than one cube equation, thus reducing the overall data and time complexities. For the algebraic attacks, a novel pre-processing step led to a speed up of the SAT solver program. For the side-channel attacks, 29 linearly independent cube equations were recovered after 40-round KATAN32. Finally, the combined algebraic and cube attack, a leakage of key bits after 71 rounds led to a speed up of the algebraic attack.

Keting Jia,Jiazhe Chen,Meiqin Wang,Xiaoyun Wang

DOI: https://doi.org/10.1007/978-3-642-28496-0_11

2011-01-01

Abstract:Modular Multiplication based Block Cipher (MMB) is a block cipher designed by Daemen et al. as an alternative to the IDEA block cipher. In this paper, we give a practical sandwich attack on MMB with adaptively chosen plaintexts and ciphertexts. By constructing a 5-round sandwich distinguisher of the full 6-round MMB with probability 1, we recover the main key of MMB with text complexity 240 and time complexity 240 MMB encryptions. We also present a chosen plaintexts attack on the full MMB by employing the rectangle-like sandwich attack, which the complexity is 266.5 texts, 266.5 MMB encryptions and 270.5 bytes of memory. In addition, we introduce an improved differential attack on MMB with 296 chosen plaintexts, 296 encryptions and 266 bytes of memory. Especially, even if MMB is extended to 7 rounds, the improved differential attack is applicable with the same complexity as that of the full MMB.

Hailun Yan,Yiyuan Luo,Mo Chen,Xuejia Lai

DOI: https://doi.org/10.1007/s11432-018-9527-8

2019-01-01

Science China Information Sciences

Abstract:We evaluate the security of RECTANGLE from the perspective of actual key information(AKI).Insufficient AKI permits the attackers to deduce some subkey bits from some other subkey bits, thereby lowering the overall attack complexity or getting more attacked rounds. By considering the interaction between the key schedule’s diffusion and the round function’s diffusion, we find there exists AKI insufficiency in 4 consecutive rounds for RECTANGLE-80 and 6 consecutive rounds for RECTANGLE-128, although the master key bits achieve complete diffusion in 2 and 4 rounds, respectively. With such weakness of the key schedule, we give a generic meet-in-the-middle attack on 12-round reduced RECTANGLE-128 with only 8 known plaintexts. Moreover, we calculate AKI of variants of RECTANGLE as well as PRESENT.Surprisingly we find that both RECTANGLE-128 and PRESENT-128 with no key schedule involve more AKI than the original one. Based on this finding, we slightly modify the key schedule of RECTANGLE-128.Compared with the original one, this new key schedule matches better with the round function in terms of maximizing AKI. Our work adds more insight to the design of block ciphers’ key schedule.

Maria Eichlseder,Lorenzo Grassi,Reinhard Lüftenegger,Morten Øygarden,Christian Rechberger,Markus Schofnegger,Qingju Wang

DOI: https://doi.org/10.1007/978-3-030-64837-4_16

2020-01-01

Abstract:Algebraically simple PRFs, ciphers, or cryptographic hash functions are becoming increasingly popular, for example due to their attractive properties for MPC and new proof systems (SNARKs, STARKs, among many others). In this paper, we focus on the algebraically simple construction MiMC, which became an attractive cryptanalytic target due to its simplicity, but also due to its use as a baseline in a competition for more recent algorithms exploring this design space. For the first time, we are able to describe key-recovery attacks on all full-round versions of MiMC over $${\mathbb {F}}_{2^n}$$ , requiring half the code book. In the chosen-ciphertext scenario, recovering the key from this data for the n-bit full version of MiMC takes the equivalent of less than $$2^{n-\log _2(n) +1}$$ calls to MiMC and negligible amounts of memory. The attack procedure is a generalization of higher-order differential cryptanalysis, and it is based on two main ingredients. First, we present a higher-order distinguisher which exploits the fact that the algebraic degree of MiMC grows significantly slower than originally believed. Secondly, we describe an approach to turn this distinguisher into a key-recovery attack without guessing the full subkey. Finally, we show that approximately $$\lceil \log _3(2\cdot R)\rceil $$ more rounds (where $$R = \lceil n \cdot \log _3(2)\rceil $$ is the current number of rounds of MiMC-n/n) can be necessary and sufficient to restore the security against the key-recovery attack presented here. The attack has been practically verified on toy versions of MiMC. Note that our attack does not affect the security of MiMC over prime fields.

Kai Zhang,Xuejia Lai,Lei Wang,Jie Guan,Bin Hu,Senpeng Wang,Tairong Shi

DOI: https://doi.org/10.1155/2022/3611840

IF: 1.968

2022-01-01

Security and Communication Networks

Abstract:LiCi-2 is an ultralightweight block cipher designed for constrained IoT devices. It is a successor of LiCi and has even better performance in both software and hardware implementation. In this paper, based on the idea of related-key multiple impossible differential cryptanalysis, a key recovery attack on full-round LiCi-2 is proposed. First, an interesting property is revealed that, with a single bit difference in the related key, a 10-round differential character with probability of 1 exists on LiCi-2. With an automatic approach, the boundaries of impossible differential distinguishers in terms of single-key setting and related-key setting are explored. Under our construction method, the longest length is 8 rounds for single-key setting and 18 rounds for related-key setting. Finally, based on these 18-round distinguishers, a 25-round key recovery attack is proposed with adding 3 rounds before and 4 rounds after the distinguisher. Our attack needs one related key. The time complexity for our attack is O(2123.44), the memory complexity is O(294), and the data complexity is O(260.68). As far as we know, no full-round attack has previously been reported on LiCi-2.

Shion UTSUMI,Kosei SAKAMOTO,Takanori ISOBE

DOI: https://doi.org/10.1587/transfun.2023eap1149

2024-01-01

Abstract:Lightweight block ciphers have gained attention in recent years due to the increasing demand for sensor nodes, RFID tags, and various applications. In such a situation, lightweight block ciphers Piccolo and TWINE have been proposed. Both Piccolo and TWINE are designed based on the Generalized Feistel Structure. However, it is crucial to address the potential vulnerability of these structures to the impossible differential attack. Therefore, detailed security evaluations against this attack are essential. This paper focuses on conducting bit-level evaluations of Piccolo and TWINE against related-key impossible differential attacks by leveraging SAT-aided approaches. We search for the longest distinguishers under the condition that the Hamming weight of the active bits of the input, which includes plaintext and master key differences, and output differences is set to 1, respectively. Additionally, for Tweakable TWINE, we search for the longest distinguishers under the related-tweak and related-tweak-key settings. The result for Piccolo with a 128-bit key, we identify the longest 16-round distinguishers for the first time. In addition, we also demonstrate the ability to extend these distinguishers to 17 rounds by taking into account the cancellation of the round key and plaintext difference. Regarding evaluations of TWINE with a 128-bit key, we search for the first time and reveal the distinguishers up to 19 rounds. For the search for Tweakable TWINE, we evaluate under the related-tweak-key setting for the first time and reveal the distinguishers up to 18 rounds for 80-bit key and 19 rounds for 128-bit key.

computer science, information systems,engineering, electrical & electronic, hardware & architecture

Yin-Song Xu,Yi-Bo Luo,Zheng Yuan,Xuan Zhou,Qi-di You,Fei Gao,Xiao-Yang Dong

DOI: https://doi.org/10.1007/s10623-024-01526-3

2024-01-01

Abstract:In recent years, it has become a popular trend to propose quantum versions of classical attacks. The rectangle attack as a differential attack is widely used in symmetric cryptanalysis and applied on many block ciphers. To improve its efficiency, we propose a new quantum rectangle attack firstly. In rectangle attack, it counts the number of valid quartets for each guessed subkeys and filters out subkey candidates according to the counter. To speed up this procedure, we propose a quantum key counting algorithm based on parallel amplitude estimation algorithm and amplitude amplification algorithm. Then, we complete with the remaining key bits and search the right full key by nested Grover search. Besides, we give a strategy to find a more suitable distinguisher to make the complexity lower. Finally, to evaluate post-quantum security of the tweakable block cipher Deoxys-BC, we perform automatic search for good distinguishers of Deoxys-BC according to the strategy, and then apply our attack on 9/10-round Deoxys-BC-256 and 12/13/14-round Deoxys-BC-384. The results show that our attack has some improvements than classical attacks and Grover search.