Dey, Sabyasachi,Leander, Gregor,Sharma, Nitin Kumar

DOI: https://doi.org/10.1007/s10623-024-01522-7

IF: 1.4

2024-11-10

Designs Codes and Cryptography

Abstract:In this paper, we present an improved attack on the stream cipher Salsa20. Our improvements are based on two technical contributions. First, we make use of a distribution of a linear combination of several random variables that are derived from different differentials and explain how to exploit this in order to improve the attack complexity. Secondly, we study and exploit how to choose the actual value for so-called probabilistic neutral bits optimally. Because of the limited influence of these key bits on the computation, in the usual attack approach, these are fixed to a constant value, often zero for simplicity. As we will show, despite the fact that their influence is limited, the constant can be chosen in significantly better ways, and intriguingly, zero is the worst choice. Using this, we propose the first-ever attack on 7.5-round of the 128-bit key version of Salsa20. Also, we provide improvements in the attack against the 8-round of the 256-bit key version of Salsa20 and the 7-round of the 128-bit key version of Salsa20.

mathematics, applied,computer science, theory & methods

Hirendra Kumar Garai Sabyasachi Dey Hirendra Kumar Garai earned his Master of Science (M.Sc.) in Mathematics from Visva-Bharati University,India in 2018. Presently,he is in his fourth year as a doctoral student at BITS Pilani,Hyderabad Campus,India. His research primarily centers on symmetric key cryptanalysis.Sabyasachi Dey got his Ph.D. in mathematics from the Indian Institute of Technology Madras in Chennai,India,in 2018. Presently,he is an Assistant Professor at the Birla Institute of Technology and Science (BITS) in Pilani,India. Symmetric key cryptology is one of his main research interests.

DOI: https://doi.org/10.1080/01611194.2024.2342918

2024-06-11

Cryptologia

Abstract:This paper develops a significantly enhanced attack on the ciphers Salsa and ChaCha. The existing attacks against these ciphers are mainly differential attacks. In this work, we produce an attack on 7.5-round Salsa and 6.5-round ChaCha20. These are the maiden key-recovery attacks on those versions of the two ciphers, in which we recover the key in multiple steps using several distinguishers. In comparison to the previous best-known attack against 7-round Salsa, the new attack method offers an improvement of 27.5 times, while on 7.5-round Salsa20 and 6.5-round ChaCha20 our attack is the only existing one.

mathematics, applied,computer science, theory & methods,history & philosophy of science

Nitin Kumar Sharma,Sabyasachi Dey

DOI: https://doi.org/10.1109/access.2024.3372857

IF: 3.9

2024-03-15

IEEE Access

Abstract:The stream cipher ChaCha has been subjected to differential linear cryptanalysis since 2008. Aumasson et al. (2008) laid the groundwork for this attack, employing the concept of probabilistically neutral bits for key recovery. Subsequently, various enhancements have been made to this attack over the last few decades. These improvements are essentially refinements to the probabilistically neutral bit-based attack approach. Despite the proposed modifications in these improvements, which increase attack complexity, the consequential changes in the associated probability of key recovery have not been thoroughly examined. A comprehensive analysis of the probability of key recovery is lacking in all attacks within this domain. No systematic process is available in the existing works for analyzing the probability of key recovery. This paper addresses this gap by proposing a method for estimating the probability of key recovery in these attacks. Employing this method, we calculate an estimated interval for the probability of key recovery for both the original idea presented by Aumasson et al. (2008) and the subsequent modifications to this idea. This analysis allows us to understand the variations in probability associated with these modifications.

computer science, information systems,telecommunications,engineering, electrical & electronic

Shichang Wang,Meicheng Liu,Shiqi Hou,Dongdai Lin

DOI: https://doi.org/10.1007/978-3-031-38548-3_10

2023-01-01

Abstract:The stream cipher ChaCha is one of the most widely used ciphers in the real world, such as in TLS, SSH and so on. In this paper, we study the security of ChaCha via differential cryptanalysis based on probabilistic neutrality bits (PNBs). We introduce the syncopation technique for the PNB-based approximation in the backward direction, which significantly amplifies its correlation by utilizing the property of ARX structure. In virtue of this technique, we present a new and efficient method for finding a good set of PNBs. A refined framework of key-recovery attack is then formalized for round-reduced ChaCha. The new techniques allow us to break 7.5 rounds of ChaCha without the last XOR and rotation, as well as to bring faster attacks on 6 rounds and 7 rounds of ChaCha.

Xiutao Feng,Fan Zhang,Hui Wang

2014-01-01

Abstract:PANDA is a family of authenticated ciphers submitted to CARSAR, which consists of two ciphers: PANDA-s and PANDA-b. In this work we present a state recovery attack against PANDA-s with time complexity about 2 under the known-plaintext-attack model, which needs about 132 pairs of known plaintext/ciphertext. Based on the above attack, we further deduce a forgery attack against PANDA-s. Our results show that PANDA-s is far from the goal of its security design (128-bit level).

Jiangshan Long,Changhai Ou,Zhu Wang,Shihui Zheng,Fei Yan,Fan Zhang,Siew-Kei Lam

2022-01-01

Abstract:The performance of Side-Channel Attacks (SCAs) decays rapidly when considering more sub-keys, making the full-key recovery a very challenging problem. Limited to independent collision information utilization, collision attacks establish the relationship among sub-keys but do not significantly slow down this trend. To solve it, we first exploit the samples from the previously attacked S-boxes to assist attacks on the targeted S-box under an assumption that similar leakage occurs in program loop or code reuse scenarios. The later considered S-boxes are easier to be recovered since more samples participate in this assist attack, which results in the “snowball” effect. We name this scheme as Snowball, which significantly slows down the attenuation rate of attack performance. We further introduce confusion coefficient into the collision attack to construct collision confusion coefficient, and deduce its relationship with correlation coefficient. Based on this relationship, we give two optimizations on our Snowball exploiting the “values” information and “rankings” information of collision correlation coefficients named Least Deviation from Pearson correlation coefficient (PLD) and Least Deviation from confusion coefficient (CLD). Experiments show that the above optimizations significantly improve the performance of our Snowball.

Hao Chen,Tao Wang,Fan Zhang,Xinjie Zhao

DOI: https://doi.org/10.13245/j.hust.170214

2017-01-01

Abstract:The SOSEMANUK stream cipher is a member of the finalists of the eSTREAM proj ect.In this paper,the previous known attacks against SOSEMANUK was presented and discussed.Firstly, SOSEMANUK was described as a set of equations involving the public and key variables at bit level. Secondly,the attacker was assumed to be able to fault a random inner state word and the faults were described as a set of equations by analyzing the propagation of faults.Thirdly,the CryptoMinisat sol-ver was adapted to recover the secret inner state by guessing certain inner state words and solving the combined equations.The results show that the first round attack recovers the secret internal states, requires 20 faults and the computational complexity is dramatically reduced to O(296 ).The first two rounds attack recovers the whole states,requires 10 faults without guessing any inner state word, which is better than the previous known cryptanalytic results.

Xinjie Zhao,Shize Guo,Fan Zhang,Tao Wang,Zhijie Shi,Hao Luo

DOI: https://doi.org/10.1587/transfun.e96.a.332

2012-01-01

IEICE Transactions on Fundamentals of Electronics Communications and Computer Sciences

Abstract:This paper proposes several improved Side-channel cube attacks (SCCAs) on PRESENT-80/128 under single bit leakage model. Assuming the leakage is in the output of round 3 as in previous work, we discover new results of SCCA on PRESENT. Then an enhanced SCCA is proposed to extract key related non-linear equations. 64-bit key for both PRESENT-80 and 128 can be obtained. To mount more effective attack, we utilize the leakage in round 4 and enhance SCCA in two ways. A partitioning scheme is proposed to handle huge polynomials, and an iterative scheme is proposed to extract more key bits. With these enhanced techniques, the master key search space can be reduced to 28 for PRESENT-80 and to 229 for PRESENT-128.

Cathy Li,Jana Sotáková,Emily Wenger,Mohamed Malhou,Evrard Garcelon,Francois Charton,Kristin Lauter

2023-11-01

Abstract:Learning with Errors (LWE) is a hard math problem underpinning many proposed post-quantum cryptographic (PQC) systems. The only PQC Key Exchange Mechanism (KEM) standardized by NIST is based on module~LWE, and current publicly available PQ Homomorphic Encryption (HE) libraries are based on ring LWE. The security of LWE-based PQ cryptosystems is critical, but certain implementation choices could weaken them. One such choice is sparse binary secrets, desirable for PQ HE schemes for efficiency reasons. Prior work, SALSA, demonstrated a machine learning-based attack on LWE with sparse binary secrets in small dimensions ($n \le 128$) and low Hamming weights ($h \le 4$). However, this attack assumes access to millions of eavesdropped LWE samples and fails at higher Hamming weights or dimensions. We present PICANTE, an enhanced machine learning attack on LWE with sparse binary secrets, which recovers secrets in much larger dimensions (up to $n=350$) and with larger Hamming weights (roughly $n/10$, and up to $h=60$ for $n=350$). We achieve this dramatic improvement via a novel preprocessing step, which allows us to generate training data from a linear number of eavesdropped LWE samples ($4n$) and changes the distribution of the data to improve transformer training. We also improve the secret recovery methods of SALSA and introduce a novel cross-attention recovery mechanism allowing us to read off the secret directly from the trained models. While PICANTE does not threaten NIST's proposed LWE standards, it demonstrates significant improvement over SALSA and could scale further, highlighting the need for future investigation into machine learning attacks on LWE with sparse binary secrets.

Cryptography and Security,Machine Learning

Mostafizar Rahman,Dhiman Saha,Goutam Paul

DOI: https://doi.org/10.46586/tosc.v2021.i3.137-169

2021-09-17

IACR Transactions on Symmetric Cryptology

Abstract:This work investigates a generic way of combining two very effective and well-studied cryptanalytic tools, proposed almost 18 years apart, namely the boomerang attack introduced by Wagner in FSE 1999 and the yoyo attack by Ronjom et al. in Asiacrypt 2017. In doing so, the s-box switch and ladder switch techniques are leveraged to embed a yoyo trail inside a boomerang trail. As an immediate application, a 6-round key recovery attack on AES-128 is mounted with time complexity of 278. A 10-round key recovery attack on recently introduced AES-based tweakable block cipher Pholkos is also furnished to demonstrate the applicability of the new technique on AES-like constructions. The results on AES are experimentally verified by applying and implementing them on a small scale variant of AES. We provide arguments that draw a relation between the proposed strategy with the retracing boomerang attack devised in Eurocrypt 2020. To the best of our knowledge, this is the first attempt to merge the yoyo and boomerang techniques to analyze SPN ciphers and warrants further attention as it has the potential of becoming an important cryptanalysis tool.

Lin Ding,Dawu Gu,Lei Wang

DOI: https://doi.org/10.1007/978-981-15-0818-9_16

2019-01-01

Abstract:The well-known MICKEY 2.0 stream cipher, designed by Babbage and Dodd in 2006, is one of the seven finalists of the eSTREAM project. In this paper, new key recovery attack on the MICKEY family of stream ciphers in the single key setting is proposed. We prove that for a given variant of the MICKEY family of stream ciphers with a key size of n(>= 80) bits and a IV size of m bits, 0 < m < n, there certainly exists a key recovery attack in the single key setting, whose online time, memory, data and offline time complexities are all smaller than 2n. Take MICKEY 2.0 with a 64-bit IV as an example. The new attack recovers all 80 key bits with an online time complexity of 278, an offline time complexity of 279 and a memory complexity of 245, requiring only 80 keystream bits. To the best of our knowledge, this paper presents the first cryptanalytic result of the MICKEY family of stream ciphers better than exhaustive key search.

Cathy Yuanchen Li,Emily Wenger,Zeyuan Allen-Zhu,Francois Charton,Kristin Lauter

2023-10-27

Abstract:Learning with Errors (LWE) is a hard math problem used in post-quantum cryptography. Homomorphic Encryption (HE) schemes rely on the hardness of the LWE problem for their security, and two LWE-based cryptosystems were recently standardized by NIST for digital signatures and key exchange (KEM). Thus, it is critical to continue assessing the security of LWE and specific parameter choices. For example, HE uses secrets with small entries, and the HE community has considered standardizing small sparse secrets to improve efficiency and functionality. However, prior work, SALSA and PICANTE, showed that ML attacks can recover sparse binary secrets. Building on these, we propose VERDE, an improved ML attack that can recover sparse binary, ternary, and narrow Gaussian secrets. Using improved preprocessing and secret recovery techniques, VERDE can attack LWE with larger dimensions ($n=512$) and smaller moduli ($\log_2 q=12$ for $n=256$), using less time and power. We propose novel architectures for scaling. Finally, we develop a theory that explains the success of ML LWE attacks.

Cryptography and Security

Leibo Li,Keting Jia,Xiaoyun Wang

DOI: https://doi.org/10.1007/978-3-662-46706-0_7

2014-01-01

Abstract:This paper focuses on key-recovery attacks on 9-round AES-192 and AES-256 under single-key model with the framework of the meet-in-the-middle attack. A new technique named key-dependent sieve is introduced to further reduce the size of lookup table of the attack, and the 9-round AES-192 is broken with 2 121 chosen plaintexts, 2(187.5) 9-round encryptions and 2(185) 128-bit words of memory. If the attack starts from the third round, the complexities would be further reduced by a factor of 16. Moreover, the whole attack is split up into a series of weak-key attacks. Then the memory complexity of the attack is saved significantly when we execute these weak attacks in streaming mode. This method is also applied to reduce the memory complexity of the attack on 9-round AES-256.

Jiazhe Chen,Keting Jia

DOI: https://doi.org/10.1007/978-3-642-12827-1_1

2010-01-01

Abstract:Hash function Skein is one of the 14 NIST SHA-3 second round candidates. Threefish is a tweakable block cipher as the core of Skein, defined with a 256-, 512-, and 1024-bit block size. The 512-bit block size is the primary proposal of the authors. Skein had been updated after it entered the second round; the only difference between the original and the new version is the rotation constants. In this paper we construct related-key boomerang distinguishers on round-reduced Threefish-512 based on the new rotation constants using the method of modular differential. With these distinguishers, we mount related-key boomerang key recovery attacks on Threefish-512 reduced to 32, 33 and 34 rounds. The attack on 32-round Threefish-512 has time complexity 2195 with memory of 212 bytes. The attacks on Threefish-512 reduced to 33 and 34 rounds have time complexity of 2324.6 and 2474.4 encryptions respectively, and both with negligible memory. The best key recovery attack known before is proposed by Aumasson et al. Their attack, which bases on the old rotation constants, is also a related-key boomerang attack. For 32-round Threefish-512, their attack requires 2312 encryptions and 271 bytes of memory.

Lingyue Qin,Xiaoyang Dong,Xiaoyun Wang,Keting Jia,Yunwen Liu

DOI: https://doi.org/10.46586/tosc.v2021.i2.249-291

2021-01-01

IACR Transactions on Symmetric Cryptology

Abstract:Automatic modelling to search distinguishers with high probability covering as many rounds as possible, such as MILP, SAT/SMT, CP models, has become a very popular cryptanalysis topic today. In those models, the optimizing objective is usually the probability or the number of rounds of the distinguishers. If we want to recover the secret key for a round-reduced block cipher, there are usually two phases, i.e., finding an efficient distinguisher and performing key-recovery attack by extending several rounds before and after the distinguisher. The total number of attacked rounds is not only related to the chosen distinguisher, but also to the extended rounds before and after the distinguisher. In this paper, we try to combine the two phases in a uniform automatic model.Concretely, we apply this idea to automate the related-key rectangle attacks on SKINNY and ForkSkinny. We propose some new distinguishers with advantage to perform key-recovery attacks. Our key-recovery attacks on a few versions of round-reduced SKINNY and ForkSkinny cover 1 to 2 more rounds than the best previous attacks.

Lingyue Qin,Xiaoyang Dong,Xiaoyun Wang,Keting Jia,Yunwen Liu

DOI: https://doi.org/10.46586/tosc.v2021.i2.249-291

2021-01-01

IACR Transactions on Symmetric Cryptology

Abstract:Automatic modelling to search distinguishers with high probability covering as many rounds as possible, such as MILP, SAT/SMT, CP models, has become a very popular cryptanalysis topic today. In those models, the optimizing objective is usually the probability or the number of rounds of the distinguishers. If we want to recover the secret key for a round-reduced block cipher, there are usually two phases, i.e., finding an efficient distinguisher and performing key-recovery attack by extending several rounds before and after the distinguisher. The total number of attacked rounds is not only related to the chosen distinguisher, but also to the extended rounds before and after the distinguisher. In this paper, we try to combine the two phases in a uniform automatic model. Concretely, we apply this idea to automate the related-key rectangle attacks on SKINNY and ForkSkinny. We propose some new distinguishers with advantage to perform key-recovery attacks. Our key-recovery attacks on a few versions of round-reduced SKINNY and ForkSkinny cover 1 to 2 more rounds than the best previous attacks.

Wei Li,Xiaoling Xia,Dawu Gu,Zhiqiang Liu,Juanru Li,Ya Liu

DOI: https://doi.org/10.4304/jcp.6.2.216-223

2011-01-01

Journal of Computers

Abstract:The Substitution-Permutation Network (SPN) is a main type of structure in block ciphers. This paper proposes a new and practical differential fault attack technique on SPN structure. As an instance of SPN cipher , AES-256 can be recovered by 4 faulty ciphertexts. Compared with the previous techniques, our work can recover all subkeys of a n SPN cipher with all key s izes. Therefore , our attacking method on AES not only improves the efficiency of fault injection, but also decreases the number of faulty ciphertexts. It provides a new approach for fault analysis on block ciphers.

GE Shi-jing,GU Da-wu,LIU Zhi-qiang,LIU Ya

DOI: https://doi.org/10.3969/j.issn.1001-3695.2011.05.084

2011-01-01

Abstract:This paper studied algebraic attack of PRESENT cipher.Given a new method to generate equations for PRESENT.Then generalized this method for typical SPN cipher with small S-box.In the experiment,reduced round PRESENT was attacked by MiniSAT.It could recover keys of 4-round PRESENT in a minute.And it cost hours to recover keys of 6-round PRESEN.By introducing difference,the attack would be more effective.It could recover keys of 8-rounds PRESEN in reasonable time.

Priyanka Joshi,Bodhisatwa Mazumdar

DOI: https://doi.org/10.1007/s13389-024-00349-1

2024-03-21

Journal of Cryptographic Engineering

Abstract:Persistent fault analysis (PFA) has emerged as a powerful technique that can recover the secret key by influencing ciphertext distribution. Most research work highlights its application for investigating the last round key. This work presents PFA attack methods to recover deeper round keys of SPN ciphers, wherein the last round key alone can not determine the entire master key. We use GIFT and KLEIN ciphers to validate our methods and show the effectiveness of the proposed approach through simulation. We could recover the full master keys of both the GIFT cipher versions by retrieving the round keys up to the depth 2 and 4 for GIFT-128 and GIFT-64, respectively. Our method recovered KLEIN's last round key and penultimate round key in average 75 and 180 ciphertexts, respectively. We also analyzed the success rate of our approach for varying depths and Hamming distances . In GIFT-64, for Hamming distance 1, keys were recovered in approximately 110, 290, and 750 ciphertexts for round numbers 28, 27, and 26, respectively, with a 100% success rate. For round 25, around 2000 ciphertexts were sufficient to recover the round key in 90% of the cases out of 1000 experiments. For 39th round of GIFT-128, the round key can be recovered with a 100% success rate in roughly 380, 575, and 1100 ciphertexts for the Hamming distance 1, 2, and 3, respectively. However, for the same round with Hamming distance of value 4, the success rate is 75% for around 2000 ciphertexts. In addition, we propose a countermeasure to thwart PFA attacks and Intermediate-oriented fault attacks, such as, differential fault analysis.

computer science, theory & methods

Bin Zhang,Zhenqi Li,Dengguo Feng,Dongdai Lin

DOI: https://doi.org/10.1007/978-3-662-43933-3_27

2014-01-01

Abstract:Grain v1 is one of the 7 finalists selected in the final portfolio by the eSTREAM project. It has an elegant and compact structure, especially suitable for a constrained hardware environment. Though a number of potential weaknesses have been identified, no key recovery attack on the original design in the single key model has been found yet. In this paper, we propose a key recovery attack, called near collision attack, on Grain v1. The attack utilizes the compact NFSR-LFSR combined structure of Grain v1 and works even if all of the previous identified weaknesses have been sewed and if a perfect key/IV initialization algorithm is adopted. Our idea is to identify near collisions of the internal states at different time instants and restore the states accordingly. Combined with the BSW sampling and the non-uniform distribution of internal state differences for a fixed keystream difference, our attack has been verified on a reduced version of Grain v1 in experiments. An extrapolation of the results under some assumption indicates an attack on Grain v1 for any fixed IV in 2(71.4) cipher ticks after the pre-computation of 2(73.1) ticks, given 2(62.8)-bit memory and 2(67.8) keystream bits, which is the best key recovery attack against Grain v1 so far. Hopefully, it provides some new insights on such compact stream ciphers.