Yunwen Liu,Qingju Wang,Vincent Rijmen

DOI: https://doi.org/10.1007/978-3-319-39555-5_26

2016-01-01

Abstract:In this paper, we study linear cryptanalysis of the ARX structure by means of automatic search. To evaluate the security of ARX designs against linear cryptanalysis, it is crucial to find (round-reduced) linear trails with maximum correlation. We model the problem of finding optimal linear trails by the boolean satisfiability problem (SAT), translate the propagation of masks through ARX operations into bitwise expressions and constraints, and then solve the problem using a SAT solver. We apply the method to find optimal linear trails for round-reduced versions of the block cipher SPECK and the MAC algorithm Chaskey. For SPECK with block size 32/48/64/96/128, we can find optimal linear trails for 22/11/13/9/9 rounds respectively, which largely improves previous results, especially on larger versions. A 3-round optimal linear trail of Chaskey is presented for the first time as far as we know. In addition, our method can be used to enumerate the trails in a linear hull, and we present two linear hulls with the distributions of trails for round-reduced SPECK32. Our work provides designers with more accurate evaluation against linear cryptanalysis on ARX designs, especially for primitives with large block sizes and many rounds.

Haiwen Qin,Baofeng Wu

DOI: https://doi.org/10.48550/arXiv.2203.09741

2022-03-18

Abstract:ARX-based ciphers, constructed by the modular addition, rotation and XOR operations, have been receiving a lot of attention in the design of lightweight symmetric ciphers. For their differential cryptanalysis, most automatic search methods of differential trails adopt the assumption of independence of modulo additions. However, this assumption does not necessarily hold when the trail includes consecutive modular additions (CMAs). It has already been found that in this case some differential trails searched by automatic methods before are actually impossible, but the study is not in depth yet, for example, few effort has been paid to exploiting the root causes of non-independence between CMAs and accurate calculation of probabilities of the valid trails. In this paper, we devote to solving these two problems. By examing the differential equations of single and consecutive modular additions, we find that the influence of non-independence can be described by relationships between constraints on the intermediate state of two additions. Specifically, constraints of the first addition can make some of its output bits non-uniform, and when they meet the constraints of the second addition, the differential probability of the whole CMA may be different from the value calculated under the independence assumption. As a result, we can build SAT models to verify the validity of a given differential trail of ARX ciphers and #SAT models to calculate the exact probabilities of the differential propagation through CMAs in the trail, promising a more accurate evaluation of probability of the trail. Our automic methods and searching tools are applied to search related-key differential trails of SPECK and Chaskey including CMAs in the key schedule and the round function respectively.

Cryptography and Security

Huina Li,Haochen Zhang,Kai Hu,Guozhen Liu,Weidong Qiu

DOI: https://doi.org/10.1007/978-981-97-5025-2_23

2024-01-01

Abstract:A good differential is a start for a successful differential attack. However, a differential might be invalid, i.e., there is no right pair following the differential due to some contradictions in the conditions imposed by the differential. In this paper, we present a new automatic model for verifying differential trails from an algebraic perspective. From this algebraic perspective, exact Boolean expressions for differentials over a cryptographic primitive can be conveniently established, allowing the creation of a simpler SAT model. By invoking a SAT solver, the differential trails are verified in full automatically. Compared with the previous MILP models proposed by Liu et al. at CRYPTO 2020, our tool is more concise and direct, for there is no need to analyze any differential properties of components of the targets manually. Thus, it is less error-prone and more friendly for programming, significantly improving the efficiency of verifying a given differential trail. To demonstrate the powerfulness of our new tool, we apply it to Gimli, Keccak-f, and Ascon. For Gimli, our tool takes about one minute to find a semi-free-start collision pair that costs 264 attempts in a random search. Note that Liu et al. ’s model could not find any results in practical time. For Keccak-f, it is interesting to note that for large-state-size permutations such as Keccak-f[1600], our approach still shows excellent performance. We verify two 4-round differential trails presented at ASIACRYPT 2022 and confirm that both are valid. For Ascon, we check several differential trails reported at FSE 2021. Specifically, we find that a 4-round differential used in the forgery attack on Ascon-128’s iteration phase is invalid. Thus, the corresponding forgery attack is also invalid.

Cui Tingting,Chen Shiyao,Fu Kai,Wang Meiqin,Jia Keting

DOI: https://doi.org/10.1007/s11432-018-1506-4

2020-01-01

Science China Information Sciences

Abstract:Impossible differential and zero-correlation linear cryptanalysis are two of the most powerful cryptanalysis methods in the field of symmetric key cryptography. There are several automatic tools to search such trails for ciphers with S-boxes. These tools focus on the properties of linear layers, and idealize the underlying S-boxes, i.e., assume any input and output difference pairs are possible. In reality, such S-box never exists, and the possible output differences with any fixed input difference can be at most half of the entire space. Hence, some of the possible differential trails under the ideal world become impossible in reality, possibly resulting in impossible differential trails for more rounds. In this paper, we firstly take the differential and linear properties of non-linear components such as S-box into consideration and propose a new automatic tool to search impossible differential trails for ciphers with S-box. We then generalize the tool to modulo addition, and apply it to ARX ciphers. To demonstrate the usefulness of the tool, we apply it to HIGHT, SHACAL-2, LEA, LBlock. As a result, it improves the best existing results of each cipher. keywords Impossible differential cryptanalysis, zero-correlation linear cryptanalysis, MILP, automatic tool

Zhenzhen Bao,Wentao Zhang,Dongdai Lin

DOI: https://doi.org/10.1007/978-3-319-16745-9_15

2015-01-01

Abstract:For judging the resistance of a block cipher to differential cryptanalysis or linear cryptanalysis it is necessary to establish an upper bound on the probability of the best differential or the bias of the best linear approximation. However, getting a tight upper bound is not a trivial problem. We attempt it by searching for the best differential and the best linear trails, which is a challenging task in itself. Based on some previous works, new strategies are proposed to speed up the search algorithm, which are called starting from the narrowest point, concretizing and grouping search patterns, and trialling in minimal changes order strategies. The efficiency of the resulting improved algorithms allows us to state that the probability (bias) of the best 4-round differential (linear) trail in NOEKEON is 2(-51) (2(-25)) and the probability (bias) of the best 10-round (11-round) differential (linear) trail is at most 2(-131) (2(-71)). For SPONGENT, the best differential trails for certain number of rounds in the permutation functions with width b is an element of {88, 136, 176, 240} are found. That allows us to update some results presented by its designers.

Kai-Hao Chen,Xiaoming Tang,Peng Xu,Man Guo,Weidong Qiu,Zheng Gong

DOI: https://doi.org/10.6633/ijns.201607.18(4).05

2016-01-01

Abstract:TEA (Tiny Encryption Algorithm) is a block cipher with simple ARX (addition, rotation, exclusive-OR) based Feistel network, designed for both hardware and software scenario. Inspired by the auto search algorithm for ARX cipher introduced by Biryukov and Velichkov in 2014, we proposed an improved version of auto search algorithm for ARX cipher and verified in block cipher TEA. By introducing a sorted partial diffierence distribution table (sorted pDDT), our algorithm can eliminate lots of branches in advance during diffierential trail search phase. As time of the search algorithm increase exponentially with the rounds increasing, our algorithm make a great improvement in the search performance.

Kai Zhang,Xuejia Lai,Lei Wang,Jie Guan,Bin Hu,Senpeng Wang,Tairong Shi

DOI: https://doi.org/10.1109/tit.2022.3218186

IF: 2.5

2023-01-01

IEEE Transactions on Information Theory

Abstract:In this paper, a security evaluation framework for AND-RX ciphers against rotational-XOR differential cryptanalysis is proposed. This framework first models the structure of all the possible rotational-XOR differential (abbreviated to “RXD”) trails and introduces a method to calculate this structure round by round. Based on this approach, an automatic method is proposed for searching RXD trails. In this method, four strategies are proposed to derive better result and improve the efficiency. Unlike previous automations, the time complexity for this framework can be pre-computed, which is bounded by ${\mathcal{ O}}\left ({{c\cdot n\cdot R^{2}\cdot C_{n}^{n_{1}}} }\right)$ (where $n$ is the block size, $n_{1}$ is the number of active bits for the starting point of automatic method, $R$ is the length of the targeted rounds and $c$ is a fixed constant). Under the given strategies and searching subspaces, the derived RXD trails are guaranteed to be optimal. To prove the correctness and efficiency, this framework is applied to all the ten variants for SIMON and three variants for Simeck. When compared with previous RXD trails, the best improvement is up to three rounds. To validate the correctness of the derived rotational-XOR differential trails, a concrete experiment on Simeck32 is conducted and the experimental result complies with the theoretical analysis. As far as we know, for all the variants of Simeck, current longest distinguishers over all the cryptanalytic methods are obtained in this paper.

Yi Chen,Zhenzhen Bao,Hongbo Yu

DOI: https://doi.org/10.1007/978-981-99-8727-6_8

2023-01-01

Abstract:The differential-linear attack is one of the most effective attacks against ARX ciphers. However, two technical problems are preventing it from being more effective and having more applications: (1) there is no efficient method to search for good differential-linear approximations. Existing methods either have many constraints or are currently inefficient. (2) partitioning technique has great potential to reduce the time complexity of the key-recovery attack, but there is no general tool to construct partitions for ARX ciphers. In this work, we step forward in solving the two problems. First, we propose a novel idea for generating new good differential-linear approximations from known ones, based on which new searching algorithms are designed. Second, we propose a general tool named partition tree, for constructing partitions for ARX ciphers. Based on these new techniques, we present better attacks for two ISO/IEC standards, i.e., LEA and Speck. For LEA, we present the first 17-round distinguisher which is 1 round longer than the previous best distinguisher. Furthermore, we present the first key recovery attacks on 17-round LEA-128, 18-round LEA-192, and 18-round LEA-256, which attack 3, 4, and 3 rounds more than the previous best attacks. For Speck, we find better differential-linear distinguishers for Speck48 and Speck64. The first differential-linear distinguishers for Speck96 and Speck128 are also presented.

Xuzi Wang,Baofeng Wu,Lin Hou,Dongdai Lin

DOI: https://doi.org/10.1007/978-3-319-99136-8_7

2018-01-01

Abstract:In this paper, we revisit the relationship between the probability of differential trails and the input difference of each round for SIMON-like block ciphers. The key observation is that not only the Hamming weight but also the positions of active bits of the input difference have effect on the probability. Based on this, our contributions are mainly twofold. Firstly, we rebuild the MILP model for SIMON-like block ciphers without quadratic constraints. Accordingly, we give the accurate objective function and reduce its degree to one by adding auxiliary variants to make the model easy to solve. Secondly, we search for optimal differential trails for SIMON and SIMECK based on this model. To the best of our knowledge, this is the first time that related-key differential trails have been obtained. Besides, we not only recover the single-key results in [11], but also obtain impossible differentials through this method.

Lingyue Qin,Xiaoyang Dong,Xiaoyun Wang,Keting Jia,Yunwen Liu

DOI: https://doi.org/10.46586/tosc.v2021.i2.249-291

2021-01-01

IACR Transactions on Symmetric Cryptology

Abstract:Automatic modelling to search distinguishers with high probability covering as many rounds as possible, such as MILP, SAT/SMT, CP models, has become a very popular cryptanalysis topic today. In those models, the optimizing objective is usually the probability or the number of rounds of the distinguishers. If we want to recover the secret key for a round-reduced block cipher, there are usually two phases, i.e., finding an efficient distinguisher and performing key-recovery attack by extending several rounds before and after the distinguisher. The total number of attacked rounds is not only related to the chosen distinguisher, but also to the extended rounds before and after the distinguisher. In this paper, we try to combine the two phases in a uniform automatic model.Concretely, we apply this idea to automate the related-key rectangle attacks on SKINNY and ForkSkinny. We propose some new distinguishers with advantage to perform key-recovery attacks. Our key-recovery attacks on a few versions of round-reduced SKINNY and ForkSkinny cover 1 to 2 more rounds than the best previous attacks.

Lingyue Qin,Xiaoyang Dong,Xiaoyun Wang,Keting Jia,Yunwen Liu

DOI: https://doi.org/10.46586/tosc.v2021.i2.249-291

2021-01-01

IACR Transactions on Symmetric Cryptology

Abstract:Automatic modelling to search distinguishers with high probability covering as many rounds as possible, such as MILP, SAT/SMT, CP models, has become a very popular cryptanalysis topic today. In those models, the optimizing objective is usually the probability or the number of rounds of the distinguishers. If we want to recover the secret key for a round-reduced block cipher, there are usually two phases, i.e., finding an efficient distinguisher and performing key-recovery attack by extending several rounds before and after the distinguisher. The total number of attacked rounds is not only related to the chosen distinguisher, but also to the extended rounds before and after the distinguisher. In this paper, we try to combine the two phases in a uniform automatic model. Concretely, we apply this idea to automate the related-key rectangle attacks on SKINNY and ForkSkinny. We propose some new distinguishers with advantage to perform key-recovery attacks. Our key-recovery attacks on a few versions of round-reduced SKINNY and ForkSkinny cover 1 to 2 more rounds than the best previous attacks.

Zhichao Xu,Hong Xu,Lin Tan,Wenfeng Qi

DOI: https://doi.org/10.1016/j.jisa.2024.103773

IF: 4.96

2024-04-19

Journal of Information Security and Applications

Abstract:SPECK and SPARX are two kinds of block ciphers with an ARX structure. In this paper, we use the SAT-based automatic search tool to search for linear approximations of these two ARX ciphers. As a result, we find a linear approximation for 17-round SPECK128, which covers one more round than previous work. Based on this linear approximation, we propose improved linear cryptanalysis for 19-round SPECK128/192 and 20-round SPECK128/256, which cover one more round than previous work. For ARX cipher SPARX, we find an optimal linear approximation for 13-round SPARX-64, which covers three more rounds than previous work. We also find an optimal linear approximation for 10-round SPARX-128, which covers two more rounds than previous work. Furthermore, we find a linear approximation for 14-round SPARX-128 by splicing two short linear approximations, which covers four more rounds than previous work. Based on these linear approximations, we propose linear cryptanalysis for 15-round SPARX-64/128, 15-round SPARX-128/128 and 16-round SPARX-128/256.

computer science, information systems

Xu, Zhichao,Xu, Hong,Tan, Lin,Qi, Wenfeng

DOI: https://doi.org/10.1007/s12095-024-00708-z

2024-04-02

Cryptography and Communications

Abstract:Differential-linear cryptanalysis is an efficient cryptanalysis method to attack ARX ciphers, which have been used to present the best attacks on many ARX primitives such as Chaskey and Chacha. In this paper, we present the differential-linear cryptanalysis of another ARX-based block cipher SPARX-64/128. We first construct multiple 6-round differential-linear distinguishers based on the structure of SPARX-64/128, and then extend them into 14-round differential-linear distinguishers by adding a 7-round differential characteristic before and a one-round linear approximation after the distinguishers. Then we introduce a new linear approximation of modular addition, and use it to extend one more round after the 14-round differential-linear distinguishers. With the 15-round differential-linear distinguishers, we present a differential-linear attack on 18-round SPARX-64/128.

computer science, theory & methods,mathematics, applied

Wenya Li,Kai Zhang,Bin Hu

DOI: https://doi.org/10.1049/2024/6164262

2024-06-04

IET Information Security

Abstract:Differential and linear cryptanalysis are two important methods to evaluate the security of block ciphers. Building on these two methods, differential‐linear (DL) cryptanalysis was introduced by Langford and Hellman in 1994. This cryptanalytic method has been not only extensively researched but also proven to be effective. In this paper, a security evaluation framework for AND‐RX ciphers against DL cryptanalysis is proposed, which is denoted as K6. In addition to modeling the structure of all the possible differential trails and linear trails at the bit level, we introduce a method to calculate this structure round by round. Based on this approach, an automatic algorithm is proposed to construct the DL distinguisher. Unlike previous methods, K6 uses a truncated differential and a linear hull instead of a differential characteristic and a linear approximation, which brings the bias of the DL distinguisher close to the experimental value. To validate the effectiveness of the framework, K6 is applied to Simon and Simeck, which are two typical AND‐RX ciphers. With the automatic algorithm, we discover an 11‐round DL distinguisher of Simon32 with bias 2−14.89 and a 12‐round DL distinguisher of Simeck32 with bias 2−14.89. Moreover, the 14‐round DL distinguisher of Simon48 with bias 2−22.30 is longer than the longest DL distinguisher currently known. In addition, the framework K6 shows advantages when analyzing ciphers with large block sizes. As far as we know, for Simon64/96/128 and Simeck48/64, the first DL distinguishers are obtained with our framework. The DL distinguishers are 16, 23, 32, 17, and 22 rounds of Simon64/96/128 and Simeck48/64 with bias 2−24.31, 2−47.57, 2−60.75, 2−22.54, and 2−31.41, respectively. To prove the correctness of distinguishers, experiments on Simon32 and Simeck32 have been performed. The experimental bias are 2−13.76 and 2−14.82, respectively. Comparisons of the theoretical and experimental results show good agreement.

computer science, information systems, theory & methods

Shiqi Hou,Baofeng Wu,Shichang Wang,Hao Guo,Dongdai Lin

DOI: https://doi.org/10.1093/comjnl/bxad075

2024-01-01

Abstract:In truncated differential cryptanalysis of symmetric primitives, a generalized framework is to search a distinguisher concerning part of output differences, like truncated differential distribution (TDD) on certain bits (e.g. a nibble) first, and then append several rounds before and after it to recover the secret key. The logarithmic likelihood ratio statistic with respect to the TDD is usually used to distinguish guessed key bits. In this paper, we study how to improve the effect of truncated differential cryptanalysis by considering key schedules of the attacked ciphers. It turns out that for a cipher with a simple key schedule, certain guessed subkey bits may reveal information of the master key, which will help build a stronger TDD distinguisher and reduce the key recovery complexity or attack more rounds. As a result, we explore heuristic techniques to search key-recovery-friendly TDDs and construct automatic search models based on MILP. The refined methods are applied to two recent designs of symmetric primitives, WARP and Orthros, together with peculiarities of their structures as well. For WARP, after making two observations on relations between certain differences with key bits, we propose an algorithm that can find TDDs with low complexities and having potentialities to cover more rounds. Consequently, we launch key recovery attacks on 24 to 27 rounds of WARP. When it comes to Orthros, we present a two-step search algorithm to balance the number of guessed key bits and TDDs, obtaining a key recovery attack on a 7-round variant of it in the weak-key setting. Finally, we perform several verification experiments on round-reduced versions of WARP and Orthros, and the experimental results are consistent with the theoretical distributions and the analysis of generalized key recovery attack framework.

Yaxin Cui,Hong Xu,Lin Tan,Wenfeng Qi

DOI: https://doi.org/10.1049/2024/5574862

2024-10-01

IET Information Security

Abstract:Reflection structure has a significant advantage that realizing decryption and encryption results in minimum additional costs, and many block ciphers tend to adopt such structure to achieve the requirement of low overhead. PRINCE, MANTIS, QARMA, and PRINCEv2 are lightweight block ciphers with reflection feature proposed in recent years. In this paper, we consider the automatic differential cryptanalysis of reflection block ciphers based on Boolean satisfiability (SAT) method. Since reflection block ciphers have different round functions, we extend forward and backward from the middle structure and achieve to accelerate the search of the optimal differential characteristics for such block ciphers with the Matsui's bounding conditions. As a result, we present the optimal differential characteristics for PRINCE up to 12 rounds (full round), and they are also the optimal characteristics for PRINCEv2. We also find the optimal differential characteristics for MANTIS, QARMA‐64, and QARMA‐128 up to 10, 12, and 8 rounds, respectively. To mount an efficient differential attack on such block ciphers, we present a uniform SAT model by combining the differential characteristic searching process and the key recovery process. With this model, we find two sets of 7‐round differential characteristics for PRINCE with less guessed key bits and use them to present a multiple differential attack against 11‐round PRINCE, which improves the known single‐key attack on PRINCE by one round to our knowledge.

computer science, information systems, theory & methods

Meicheng Liu,Xiaojuan Lu,Dongdai Lin

DOI: https://doi.org/10.1007/978-3-030-84252-9_9

2021-01-01

Abstract:The differential-linear cryptanalysis is an important cryptanalytic tool in cryptography, and has been extensively researched since its discovery by Langford and Hellman in 1994. There are nevertheless very few methods to study the middle part where the differential and linear trail connect. In this paper, we study differential-linear cryptanalysis from an algebraic perspective. We first introduce a technique called Differential Algebraic Transitional Form (DATF) for differential-linear cryptanalysis, then develop a new theory of estimation of the differential-linear bias and techniques for key recovery in differential-linear cryptanalysis. The techniques are applied to the CAESAR and LWC finalist Ascon, the AES finalist Serpent, and the eSTREAM finalist Grain v1. The bias of the differential-linear approximation is estimated for Ascon and Serpent. The theoretical estimates of the bias are more accurate than that obtained by the Differential-Linear Connectivity Table (Bar-On et al., EUROCRYPT 2019), and the techniques can be applied with more rounds. Our general techniques can also be used to estimate the bias of Grain v1 in differential cryptanalysis, and have a markedly better performance than the Differential Engine tool tailor-made for the cipher. The improved key recovery attacks on round-reduced variants of these ciphers are then proposed. To the best of our knowledge, they are thus far the best known cryptanalysis of Serpent, as well as the best differential-linear cryptanalysis of Ascon and the best initialization analysis of Grain v1. The results have been fully verified by experiments. Notably, security analysis of Serpent is one of the most important applications of differential-linear cryptanalysis in the last two decades. The results in this paper update the differential-linear cryptanalysis of Serpent-128 and Serpent-256 with one more round after the work of Biham, Dunkelman and Keller in 2003.

Xiaoxuan Lou,Fan Zhang,Guorui Xu,Ziyuan Liang,Xinjie Zhao,Shize Guo,Kui Ren

DOI: https://doi.org/10.1007/978-3-030-42921-8_29

2020-01-01

Abstract:Block ciphers with Feistel structures are vulnerable to a specific type of cache attacks named differential cache attacks. The attacks leverage side-channel leakages from cache and differential property of cipher component to reveal the master key of cipher. In this paper, we combine the algebraic analysis to enhance the attacks, and propose a novel method named Algebraic Differential Cache Attack (ADCA). By converting both cipher and cache leakages to algebraic equations, ADCA can reveal the cipher key automatically with the help of the SAT solver, which allows the analysis on much deeper rounds and makes a considerable reduction in attack complexity. When it is applied to the block cipher SM4, 10 plaintexts are enough to reveal the master key in 8-rounds analysis, while the traditional differential cache attack needs 20 ones. Finally, to eliminate the impact from noise, an error-tolerant method is proposed to deduce cache events from the leakage traces. It vastly enhances the robustness of attack, and makes the attack more practical. The experimental results show that the error-tolerant ADCA can correctly reveal the master key even when the uncertainty rate of cache events reaches to 60%.

Wenying Zhang,Zhen Xiao,Mengzhu Li

DOI: https://doi.org/10.1504/ijhpcn.2017.10008233

2017-01-01

International Journal of High Performance Computing and Networking

Abstract:Tiaoxin-346 is a nonce-based authenticated encryption scheme designed by Ivica Nikolić and has been submitted to the CAESAR competition. Tiaoxin-346 uses three parallel structures of T3, T4, T6 as an important part of the algorithm. In this work, we give the differential analysis. The differential trail designed by designer has 30 active S-boxes (a difference goes six times through two AES rounds) and holds with a probability of at most 2−180. On the base of the forgery attack, we add one round after the last round in the original trail and make the inputs to T3 and T4 have the same difference. We assume the difference can be controlled. Therefore, there is no difference for the state T6. The probability of differential trail is 2−174. By the same method, we add one round before the first round. The probability of differential trail is 2−150. Absolutely, the probabilities are much higher than the designer's.

Yaqi Xu,Baofeng Wu,Dongdai Lin

DOI: https://doi.org/10.1007/978-3-030-88052-1_12

2021-01-01

Abstract:In this paper, we formulate a new framework of cryptanalysis called rotational-linear attack on ARX ciphers. We firstly build an efficient distinguisher for the cipher E consisted of the rotational attack and the linear attack together with some intermediate variables. Then a key recovery technique is introduced with which we can recover some bits of the last whitening key in the related-key scenario. To decrease data complexity of our attack, we also apply a new method, called bit flipping, in the rotational cryptanalysis for the first time and the effective partitioning technique to the key-recovery part.