Your search keyword '"Key-Recovery Attack"' showing total 261 results

1. Quantum Attacks on MIBS Block Cipher Based on Bernstein–Vazirani Algorithm.

Author

Xie, Huiqin, Zhao, Zhangmei, Wang, Ke, Li, Yanjun, and Xin, Hongcai

Subjects

*TIME complexity, *QUANTUM computing, *CRYPTOGRAPHY, *QUBITS, *CIPHERS, *BLOCK ciphers

Abstract

Because of the substantial progress in quantum computing technology, the safety of traditional cryptologic schemes is facing serious challenges. In this study, we explore the quantum safety of the lightweight cipher MIBS and propose quantum key-recovery attacks on the MIBS cipher by utilizing Grover's algorithm and Bernstein–Vazirani algorithm. We first construct linear-structure functions based on the 5-round MIBS cipher according to the characteristics of the linear transformations, and then we obtain a quantum distinguisher of the 5-round MIBS cipher by applying Bernstein–Vazirani algorithm to the constructed functions. Finally, utilizing this distinguisher and Grover's algorithm, we realize a 7-round key-recovery attack on the MIBS cipher, and then we expand the attack to more rounds of MIBS based on a similar idea. The quantum attack on the 7-round MIBS requires 156 qubits and has a time complexity of 2 10.5 . An 8-round attack requires 179 qubits and has a time complexity of 2 22 . Compared with existing quantum attacks, our attacks have better time complexity when attacking the same number of rounds. [ABSTRACT FROM AUTHOR]

Published

2024

2. Speeding Up Preimage and Key-Recovery Attacks with Highly Biased Differential-Linear Approximations

Author

Niu, Zhongfeng, Hu, Kai, Sun, Siwei, Zhang, Zhiyu, Wang, Meiqin, Goos, Gerhard, Series Editor, Hartmanis, Juris, Founding Editor, Bertino, Elisa, Editorial Board Member, Gao, Wen, Editorial Board Member, Steffen, Bernhard, Editorial Board Member, Yung, Moti, Editorial Board Member, Reyzin, Leonid, editor, and Stebila, Douglas, editor

Published

2024

3. More Balanced Polynomials: Cube Attacks on 810- And 825-Round Trivium with Practical Complexities

Author

Lei, Hao, He, Jiahui, Hu, Kai, Wang, Meiqin, Goos, Gerhard, Founding Editor, Hartmanis, Juris, Founding Editor, Bertino, Elisa, Editorial Board Member, Gao, Wen, Editorial Board Member, Steffen, Bernhard, Editorial Board Member, Yung, Moti, Editorial Board Member, Carlet, Claude, editor, Mandal, Kalikinkar, editor, and Rijmen, Vincent, editor

Published

2024

4. Truncated Differential Attacks On Symmetric Primitives With Linear Key Schedule: WARP And Orthros.

Author

Hou, Shiqi, Wu, Baofeng, Wang, Shichang, Guo, Hao, and Lin, Dongdai

Abstract

In truncated differential cryptanalysis of symmetric primitives, a generalized framework is to search a distinguisher concerning part of output differences, like truncated differential distribution (TDD) on certain bits (e.g. a nibble) first, and then append several rounds before and after it to recover the secret key. The logarithmic likelihood ratio statistic with respect to the TDD is usually used to distinguish guessed key bits. In this paper, we study how to improve the effect of truncated differential cryptanalysis by considering key schedules of the attacked ciphers. It turns out that for a cipher with a simple key schedule, certain guessed subkey bits may reveal information of the master key, which will help build a stronger TDD distinguisher and reduce the key recovery complexity or attack more rounds. As a result, we explore heuristic techniques to search key-recovery-friendly TDDs and construct automatic search models based on MILP. The refined methods are applied to two recent designs of symmetric primitives, WARP and Orthros, together with peculiarities of their structures as well. For WARP, after making two observations on relations between certain differences with key bits, we propose an algorithm that can find TDDs with low complexities and having potentialities to cover more rounds. Consequently, we launch key recovery attacks on 24 to 27 rounds of WARP. When it comes to Orthros, we present a two-step search algorithm to balance the number of guessed key bits and TDDs, obtaining a key recovery attack on a 7-round variant of it in the weak-key setting. Finally, we perform several verification experiments on round-reduced versions of WARP and Orthros, and the experimental results are consistent with the theoretical distributions and the analysis of generalized key recovery attack framework. [ABSTRACT FROM AUTHOR]

Published

2024

5. Exploiting ROLLO's constant-time implementations with a single-trace analysis.

Author

Cheriere, Agathe, Mortajine, Lina, Richmond, Tania, and El Mrabet, Nadia

Subjects

GAUSSIAN elimination, GAUSSIAN function, TRACE elements, PUBLIC key cryptography, MEDICAL masks, CRYPTOGRAPHY

Abstract

ROLLO, for Rank-Ouroboros, LAKE and LOCKER, was a candidate to the second round of the National Institute of Standards and Technology (NIST) Post-Quantum Cryptography (PQC) standardization process. In the lastest update in April 2020, there was a key-encapsulation mechanism (ROLLO-I) and a public-key encryption scheme (ROLLO-II). In this paper, we propose a side-channel attack to recover the syndrome during the decapsulation process of ROLLO-I. From this syndrome, we explain how to recover the private key. We target two constant-time implementations: the C reference implementation and a C implementation available on GitHub. By capturing power measurements during the execution of the Gaussian elimination function, we are able to extract from a single trace each element of the syndrome. This attack can also be applied to the decryption process of ROLLO-II. Finally, we give countermeasures based on masking and randomization to protect future implementations. We also provide their impact regarding the execution time. [ABSTRACT FROM AUTHOR]

Published

2024

6. Quantum Attacks on MIBS Block Cipher Based on Bernstein–Vazirani Algorithm

Author

Huiqin Xie, Zhangmei Zhao, Ke Wang, Yanjun Li, and Hongcai Xin

Subjects

quantum cryptanalysis, MIBS, key-recovery attack, Bernstein–Vazirani algorithm, Mathematics, QA1-939

Abstract

Because of the substantial progress in quantum computing technology, the safety of traditional cryptologic schemes is facing serious challenges. In this study, we explore the quantum safety of the lightweight cipher MIBS and propose quantum key-recovery attacks on the MIBS cipher by utilizing Grover’s algorithm and Bernstein–Vazirani algorithm. We first construct linear-structure functions based on the 5-round MIBS cipher according to the characteristics of the linear transformations, and then we obtain a quantum distinguisher of the 5-round MIBS cipher by applying Bernstein–Vazirani algorithm to the constructed functions. Finally, utilizing this distinguisher and Grover’s algorithm, we realize a 7-round key-recovery attack on the MIBS cipher, and then we expand the attack to more rounds of MIBS based on a similar idea. The quantum attack on the 7-round MIBS requires 156 qubits and has a time complexity of 210.5. An 8-round attack requires 179 qubits and has a time complexity of 222. Compared with existing quantum attacks, our attacks have better time complexity when attacking the same number of rounds.

Published

2024

7. Cryptanalysis of Ivanov–Krouk–Zyablov Cryptosystem

Author

Vedenev, Kirill, Kosolapov, Yury, Goos, Gerhard, Founding Editor, Hartmanis, Juris, Founding Editor, Bertino, Elisa, Editorial Board Member, Gao, Wen, Editorial Board Member, Steffen, Bernhard, Editorial Board Member, Yung, Moti, Editorial Board Member, and Deneuville, Jean-Christophe, editor

Published

2023

8. Improved Differential Attack on Round-Reduced LEA

Author

Zhang, Yuhan, Wu, Wenling, Zhang, Lei, Goos, Gerhard, Founding Editor, Hartmanis, Juris, Founding Editor, Bertino, Elisa, Editorial Board Member, Gao, Wen, Editorial Board Member, Steffen, Bernhard, Editorial Board Member, Yung, Moti, Editorial Board Member, Nguyen, Khoa, editor, Yang, Guomin, editor, Guo, Fuchun, editor, and Susilo, Willy, editor

Published

2022

9. Improved key-recovery attacks on reduced-round WEM-8.

Author

Liu, Jun, Wang, Dachao, Hu, Yupu, Chen, Jie, and Wang, Baocang

Subjects

BLOCK ciphers, DIGITAL rights management, MOBILE commerce

Abstract

Proposed in CT-RSA'2017, WEM is a family of white-box block ciphers based on the Even-Mansour structure and AES. Due to its elegant structure and impressive performance, WEM is a prominent primitive in white-box cryptography-oriented scenarios like digital rights management (DRM) and mobile payment. In this paper, we focus on the black-box key-recovery security of reduced-round WEM-8, one of the main instances in the WEM family, with the aim of gaining an intensive understanding of the security of WEM. Potential weaknesses of WEM-8 are explored, and a new approach to improving the efficiency of integral attacks is introduced, which constructs equations from the constant property, instead of the balance property. Aided by these observations, new competitive key-recovery attacks with lower time/data/memory complexity on reduced-round WEM-8 are proposed. In particular, the improved attack on 4-round WEM-8 requires only 2 8 adaptively chosen ciphertexts, whereas the current best attack has the data complexity of 2 40 chosen plaintexts. The results in this work show the effectiveness of the constant property in enhancing integral attacks and can inspire novel techniques in key-recovery attacks against other (white-box) block ciphers. [ABSTRACT FROM AUTHOR]

Published

2022

10. Probabilistic Mixture Differential Cryptanalysis on Round-Reduced AES

Author

Grassi, Lorenzo, Goos, Gerhard, Founding Editor, Hartmanis, Juris, Founding Editor, Bertino, Elisa, Editorial Board Member, Gao, Wen, Editorial Board Member, Steffen, Bernhard, Editorial Board Member, Woeginger, Gerhard, Editorial Board Member, Yung, Moti, Editorial Board Member, Paterson, Kenneth G., editor, and Stebila, Douglas, editor

Published

2020

11. Lattice Attacks on NTRU Revisited

Author

Jingguo Bi and Lidong Han

Subjects

Dimension reduction, key-recovery attack, lattice attack, NTRU, short vector, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

NTRU cryptosystem was proposed by J. Hoffstein, J.Pipher and J.H. Silverman in 1996, whose security is related to the hardness of finding sufficient short vectors in NTRU lattice with dimension $2N$ . Many researchers conjecture that the private key vector is indeed the shortest vector in the lattice in most cases. However, no formal proof has been provided in the literature before to the best of our knowledge. In this paper, we revisit the lattice attack on NTRU and present a new dimension reduction attack on NTRU without considering the pattern of private polynomials. More precisely, we show that one can recover a group of equivalent private keys by solving shortest vector problem in a new dimension-reduced lattice with dimension $N+k, k < N$ , where $k$ is related to the specific parameters selected. As a corollary of our attack, we prove that the private key vector and its rotations are the shortest vectors of the original NTRU lattice with an overwhelming probability, which confirms the conjecture of the length of the shortest vector of the original NTRU lattice.

Published

2021

12. A Key-Recovery Attack on 855-round Trivium

Author

Fu, Ximing, Wang, Xiaoyun, Dong, Xiaoyang, Meier, Willi, Hutchison, David, Series Editor, Kanade, Takeo, Series Editor, Kittler, Josef, Series Editor, Kleinberg, Jon M., Series Editor, Mattern, Friedemann, Series Editor, Mitchell, John C., Series Editor, Naor, Moni, Series Editor, Pandu Rangan, C., Series Editor, Steffen, Bernhard, Series Editor, Terzopoulos, Demetri, Series Editor, Tygar, Doug, Series Editor, Weikum, Gerhard, Series Editor, Shacham, Hovav, editor, and Boldyreva, Alexandra, editor

Published

2018

13. MixColumns Properties and Attacks on (Round-Reduced) AES with a Single Secret S-Box

Author

Grassi, Lorenzo, Hutchison, David, Series Editor, Kanade, Takeo, Series Editor, Kittler, Josef, Series Editor, Kleinberg, Jon M., Series Editor, Mattern, Friedemann, Series Editor, Mitchell, John C., Series Editor, Naor, Moni, Series Editor, Pandu Rangan, C., Series Editor, Steffen, Bernhard, Series Editor, Terzopoulos, Demetri, Series Editor, Tygar, Doug, Series Editor, Weikum, Gerhard, Series Editor, and Smart, Nigel P., editor

Published

2018

14. Improved Meet-in-the-Middle Attacks on Generic Feistel Constructions

Author

Shibin Zhao, Xiaohan Duan, Yuanhao Deng, Zhiniang Peng, and Junhu Zhu

Subjects

Meet-in-the-middle, key-recovery attack, 7-round Feistel constructions, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

In this paper, we present improved meet-in-the-middle key-recovery attacks on six-round and seven-round Feistel constructions separately. The attacks are based on Guo et al.'s work which appends one round to the five-round distinguisher to attack the six-round Feistel construction through the meet-in-the-middle method. The proposed method stores only target sequences instead of all the possible sequences, which reduces the memory complexity from 2(3/4)n blocks to 2(n/2) blocks. A new key-recovery attack method on the seven-round Feistel construction is proposed by appending one another round after a five-round distinguisher. What is more, is that we propose a new method called the impossible-differential pairs sieve technique which reduces the data complexity from 2n chosen plaintexts to 3×2n-2 chosen plaintexts so that the attack complexity is lower than the exhaustive attack. The time complexity is equivalent to about 3×2n-2 encryptions, and the memory complexity is optimized to 2(3/4)n blocks of 2(n/2) bits. To the best of our knowledge, it is the first known generic key-recovery attack on the seven-round Feistel construction with a lower attack complexity when compared with the exhaustive attack.

Published

2019

15. Applications of Simon's algorithm in quantum attacks on Feistel variants.

Author

Cui, Jingyi, Guo, Jiansheng, and Ding, Shuzhen

Subjects

*PERIODIC functions, *ALGORITHMS, *QUANTUM computing, *CRYPTOGRAPHY

Abstract

Simon's algorithm is a well-known quantum algorithm which can achieve an exponential acceleration over classical algorithm. It has been widely used in quantum cryptanalysis of many cryptographic primitives. This paper concentrates on studying the applications of Simon's algorithm in analyzing the security of Feistel variants, several well-known cryptographic structures derived from the Feistel structure. First, we propose a definition of weakly periodic function to relax the original strong Simon's promise. Based on this definition, we define and analyze several extensions of Simon's problem which expand the application of Simon's algorithm. Furthermore, based on one extended Simon's problem, we show new polynomial-time quantum distinguishing attacks on several Feistel variants: MISTY L/R, CAST256-like, CLEFIA-like, MARS-like, SMS4-like and Skipjack-A/B-like schemes. These new results show that classically secure schemes may be no longer secure in the Q2 model. Finally, based on the quantum distinguishers introduced above, we extend several rounds forward or backward to propose corresponding quantum all subkeys recovery attacks that can recover all subkeys in the Q2 model with lower query complexities than those in the Q1 model by using Grover's algorithm. [ABSTRACT FROM AUTHOR]

Published

2021

16. Mixture Differential Cryptanalysis: a New Approach to Distinguishers and Attacks on round-reduced AES

Author

Lorenzo Grassi

Subjects

AES, Secret-Key Distinguisher, Key-Recovery Attack, Mixture Differential Cryptanalysis, Truncated Differential, Subspace Trail Cryptanalysis, Computer engineering. Computer hardware, TK7885-7895

Abstract

At Eurocrypt 2017 the first secret-key distinguisher for 5-round AES - based on the “multiple-of-8” property - has been presented. Although it allows to distinguish a random permutation from an AES-like one, it seems rather hard to implement a key-recovery attack different than brute-force like using such a distinguisher. In this paper we introduce “Mixture Differential Cryptanalysis” on round-reduced AESlike ciphers, a way to translate the (complex) “multiple-of-8” 5-round distinguisher into a simpler and more convenient one (though, on a smaller number of rounds). Given a pair of chosen plaintexts, the idea is to construct new pairs of plaintexts by mixing the generating variables of the original pair of plaintexts. Here we theoretically prove that for 4-round AES the corresponding ciphertexts of the original pair of plaintexts lie in a particular subspace if and only if the corresponding pairs of ciphertexts of the new pairs of plaintexts have the same property. Such secret-key distinguisher - which is independent of the secret-key, of the details of the S-Box and of the MixColumns matrix (except for the branch number equal to 5) - can be used as starting point to set up new key-recovery attacks on round-reduced AES. Besides a theoretical explanation, we also provide a practical verification both of the distinguisher and of the attack.

Published

2018

17. Security analysis of secure kNN and ranked keyword search over encrypted data.

Author

Ogata, Wakaha and Otemori, Takaaki

Subjects

*KEYWORD searching, *K-nearest neighbor classification, *DATA

Abstract

Wong et al. proposed a novel symmetric encryption scheme in which we can find the k-nearest neighbors from encrypted data and an encrypted query. Their scheme uses a pair of encryption functions that has an inner-product preserving property. Because of this property, the pair of encryption functions has been used in several encryption schemes involving ranked multi-keyword search as applications. On the other hand, Yao et al. pointed out that the pair of encryption functions is insecure when the attacker can get plaintext–ciphertext pairs. To prevent this attack, some countermeasures are given in the applications, e.g., randomizing plaintexts before encrypted. In this paper, we reanalyze the security of the inner-product preserving encryption functions. We first discuss the countermeasures against Yao et al.'s attack used in the applications. In particular, we show that one of them is ineffective. Next, we show that the first encryption function is breakable by the known plaintext attack by showing a concrete key-recovery procedure. Unlike Yao et al.'s attack, our attack does not use the second encryption function. [ABSTRACT FROM AUTHOR]

Published

2020

18. A Key Recovery Attack on MDPC with CCA Security Using Decoding Errors

Author

Guo, Qian, Johansson, Thomas, Stankovski, Paul, Hutchison, David, Series editor, Kanade, Takeo, Series editor, Kittler, Josef, Series editor, Kleinberg, Jon M., Series editor, Mattern, Friedemann, Series editor, Mitchell, John C., Series editor, Naor, Moni, Series editor, Pandu Rangan, C., Series editor, Steffen, Bernhard, Series editor, Terzopoulos, Demetri, Series editor, Tygar, Doug, Series editor, Weikum, Gerhard, Series editor, Cheon, Jung Hee, editor, and Takagi, Tsuyoshi, editor

Published

2016

19. On the Security of Fresh Re-keying to Counteract Side-Channel and Fault Attacks

Author

Dobraunig, Christoph, Eichlseder, Maria, Mangard, Stefan, Mendel, Florian, Hutchison, David, Series editor, Kanade, Takeo, Series editor, Kittler, Josef, Series editor, Kleinberg, Jon M., Series editor, Mattern, Friedemann, Series editor, Mitchell, John C., Series editor, Naor, Moni, Series editor, Pandu Rangan, C., Series editor, Steffen, Bernhard, Series editor, Terzopoulos, Demetri, Series editor, Tygar, Doug, Series editor, Weikum, Gerhard, Series editor, Joye, Marc, editor, and Moradi, Amir, editor

Published

2015

20. Subspace Trail Cryptanalysis and its Applications to AES

Author

Lorenzo Grassi, Christian Rechberger, and Sondre Rønjom

Subjects

AES, Invariant Subspace, Subspace Trail, Secret-Key Distinguisher, Key-Recovery Attack, Truncated Differential, Impossible Differential, Integral, Secret S-Box, Computer engineering. Computer hardware, TK7885-7895

Abstract

We introduce subspace trail cryptanalysis, a generalization of invariant subspace cryptanalysis. With this more generic treatment of subspaces we do no longer rely on specific choices of round constants or subkeys, and the resulting method is as such a potentially more powerful attack vector. Interestingly, subspace trail cryptanalysis in fact includes techniques based on impossible or truncated differentials and integrals as special cases. Choosing AES-128 as the perhaps most studied cipher, we describe distinguishers up to 5-round AES with a single unknown key. We report (and practically verify) competitive key-recovery attacks with very low data-complexity on 2, 3 and 4 rounds of AES. Additionally, we consider AES with a secret S-Box and we present a (generic) technique that allows to directly recover the secret key without finding any information about the secret S-Box. This approach allows to use e.g. truncated differential, impossible differential and integral attacks to find the secret key. Moreover, this technique works also for other AES-like constructions, if some very common conditions on the S-Box and on the MixColumns matrix (or its inverse) hold. As a consequence, such attacks allow to better highlight the security impact of linear mappings inside an AES-like block cipher. Finally, we show that our impossible differential attack on 5 rounds of AES with secret S-Box can be turned into a distinguisher for AES in the same setting as the one recently proposed by Sun, Liu, Guo, Qu and Rijmen at CRYPTO 2016

Published

2017

21. Improved Parameter Estimates for Correlation and Capacity Deviates in Linear Cryptanalysis

Author

Céline Blondeau and Kaisa Nyberg

Subjects

block cipher, linear cryptanalysis, key-recovery attack, multidimensional linear attack, multiple linear attack, key-dependency, correlation, capacity, known plaintext, distinct known plaintext, statistical model, Computer engineering. Computer hardware, TK7885-7895

Abstract

Statistical attacks form an important class of attacks against block ciphers. By analyzing the distribution of the statistics involved in the attack, cryptanalysts aim at providing a good estimate of the data complexity of the attack. Recently multiple papers have drawn attention to how to improve the accuracy of the estimated success probability of linear key-recovery attacks. In particular, the effect of the key on the distribution of the sample correlation and capacity has been investigated and new statistical models developed. The major problem that remains open is how to obtain accurate estimates of the mean and variance of the correlation and capacity. In this paper, we start by presenting a solution for a linear approximation which has a linear hull comprising a number of strong linear characteristics. Then we generalize this approach to multiple and multidimensional linear cryptanalysis and derive estimates of the variance of the test statistic. Our simplest estimate can be computed given the number of the strong linear approximations involved in the offline analysis and the resulting estimate of the capacity. The results tested experimentally on SMALLPRESENT-[4] show the accuracy of the estimated variance is significantly improved. As an application we give more realistic estimates of the success probability of the multidimensional linear attack of Cho on 26 rounds of PRESENT.

Published

2017

22. A Key Recovery Reaction Attack on QC-MDPC.

Author

Guo, Qian, Johansson, Thomas, and Stankovski Wagner, Paul

Subjects

*ALGORITHMS, *ENCRYPTION protocols, *DECODING algorithms, *NUMERICAL analysis, *SPECTRUM analysis

Abstract

Algorithms for secure encryption in a post-quantum world are currently receiving a lot of attention in the research community. One of the most promising such algorithms is the code-based scheme called QC-MDPC, which has excellent performance and a small public key size. In this paper, we present a very efficient key recovery attack on the QC-MDPC scheme using the fact that decryption uses an iterative decoding step, and this can fail with some small probability. We identify a dependence between the secret key and the failure in decoding. This can be used to build what we refer to as a distance spectrum for the secret key, which is the set of all distances between any two ones in the secret key. In a reconstruction step, we then determine the secret key from the distance spectrum. The attack has been implemented and tested on a proposed instance of QC-MDPC for 80-bit security. It successfully recovers the secret key in minutes. A slightly modified version of the attack can be applied on proposed versions of the QC-MDPC scheme that provides IND-CCA security. The attack is a bit more complex in this case, but still very much below the security level. The reason why we can break schemes with proved CCA security is that the model for these proofs typically does not include the decoding error possibility. At last, we present several algorithms for key reconstruction from an empirical distance spectrum. We first improve the naïve algorithm for key reconstruction by a factor of about 3 0000, when the parameters for 80-bit security are implemented. We further develop the algorithm to deal with errors in the distance spectrum. This ultimately reduces the requirement on the number of ciphertexts that need to be collected for a successful key recovery. [ABSTRACT FROM AUTHOR]

Published

2019

23. Truncated Differential Analysis of Reduced-Round LBlock

Author

Emami, Sareh, McDonald, Cameron, Pieprzyk, Josef, Steinfeld, Ron, Hutchison, David, editor, Kanade, Takeo, editor, Kittler, Josef, editor, Kleinberg, Jon M., editor, Mattern, Friedemann, editor, Mitchell, John C., editor, Naor, Moni, editor, Nierstrasz, Oscar, editor, Pandu Rangan, C., editor, Steffen, Bernhard, editor, Sudan, Madhu, editor, Terzopoulos, Demetri, editor, Tygar, Doug, editor, Vardi, Moshe Y., editor, Weikum, Gerhard, editor, Abdalla, Michel, editor, Nita-Rotaru, Cristina, editor, and Dahab, Ricardo, editor

Published

2013

24. A Simple Key-Recovery Attack on McOE-X

Author

Mendel, Florian, Mennink, Bart, Rijmen, Vincent, Tischhauser, Elmar, Hutchison, David, editor, Kanade, Takeo, editor, Kittler, Josef, editor, Kleinberg, Jon M., editor, Mattern, Friedemann, editor, Mitchell, John C., editor, Naor, Moni, editor, Nierstrasz, Oscar, editor, Pandu Rangan, C., editor, Steffen, Bernhard, editor, Sudan, Madhu, editor, Terzopoulos, Demetri, editor, Tygar, Doug, editor, Vardi, Moshe Y., editor, Weikum, Gerhard, editor, Pieprzyk, Josef, editor, Sadeghi, Ahmad-Reza, editor, and Manulis, Mark, editor

Published

2012

25. New Truncated Differential Cryptanalysis on 3D Block Cipher

Author

Koyama, Takuma, Wang, Lei, Sasaki, Yu, Sakiyama, Kazuo, Ohta, Kazuo, Hutchison, David, editor, Kanade, Takeo, editor, Kittler, Josef, editor, Kleinberg, Jon M., editor, Mattern, Friedemann, editor, Mitchell, John C., editor, Naor, Moni, editor, Nierstrasz, Oscar, editor, Pandu Rangan, C., editor, Steffen, Bernhard, editor, Sudan, Madhu, editor, Terzopoulos, Demetri, editor, Tygar, Doug, editor, Vardi, Moshe Y., editor, Weikum, Gerhard, editor, Ryan, Mark D., editor, Smyth, Ben, editor, and Wang, Guilin, editor

Published

2012

26. The 7-Round Subspace Trail-Based Impossible Differential Distinguisher of Midori-64

Author

Wenhao Liu and Yang Yang

Subjects

Key-recovery attack, Science (General), Article Subject, Computational complexity theory, Computer Networks and Communications, Computer science, Data complexity, Linear subspace, Upper and lower bounds, Q1-390, T1-995, Differential (infinitesimal), Hamming code, Algorithm, Technology (General), Subspace topology, Information Systems

Abstract

This paper analyzes the subspace trail of Midori-64 and uses the propagation law and mutual relationship of the subspaces of Midori-64 to provide a 6-round Midori-64 subspace trail-based impossible differential key recovery attack. The data complexity of the attack is 2 54.6 chosen plaintexts, and the computational complexity is 2 58.2 lookup operations. Its overall complexity is less than that of the known 6-round truncated impossible differential distinguisher. This distinguisher is also applicable to Midori-128 with a secret S -box. Additionally, utilizing the properties of subspaces, we prove that a subspace trail-based impossible differential distinguisher of Midori-64 contains at most 7 rounds. This is 1 more than the upper bound of Midori-64’s truncated impossible differential distinguisher which is 6. According to the Hamming weights of the starting and ending subspaces, we classify all 7-round Midori-64 subspace trail-based impossible differential distinguishers into two types and they need 2 59.6 and 2 51.4 chosen plaintexts, respectively.

Published

2021

27. A theoretical investigation on the distinguishers of Salsa and ChaCha

Author

Sabyasachi Dey and Santanu Sarkar

Subjects

Key-recovery attack, business.industry, Applied Mathematics, RC4, Mathematical proof, Encryption, law.invention, Cipher, law, Discrete Mathematics and Combinatorics, Arithmetic, business, Cryptanalysis, Stream cipher, Mathematics

Abstract

Salsa and ChaCha are two of the most well-known stream ciphers in last two decades. These two ciphers came into the picture when a massively used cipher RC4 was going through severe cryptanalysis and a significant number of observed weaknesses of it showed the requirement of new stream ciphers in the market. Later, ChaCha was adopted by Google as their encryption algorithm, which further increased the importance of research work on these two ciphers. Salsa and ChaCha have gone through differential key recovery attack up to the 8-th and 7-th round respectively. Initially, this attack used an experimentally observed distinguisher by observing a single bit position up to the 4th round for Salsa and 3rd round for ChaCha. Later, Maitra (2016) improved the attack complexity by minimizing the propagation of the difference after the first round using properly chosen IV values. Also, using this distinguisher, Choudhuri et al. (FSE 2016) provided a technique to construct a distinguisher for the next round of both the ciphers by observing multiple bits. Among all these attacks which were mostly based on experimental observations, theoretical works did not get much importance for these two ciphers. In this paper, we aim to theoretically investigate the reason behind these experimentally observed distinguishers for these chosen IV distinguishers, where the difference propagation is minimized up to the first round. We provide a mathematical proof of the observed probabilities for the distinguishers of both the ciphers in the single and multiple bits.

Published

2021

28. Cryptanalysis of a Code-Based Signature Scheme Based on the Schnorr-Lyubashevsky Framework

Author

Paolo Santini, Marco Baldi, Jean-Christophe Deneuville, and Edoardo Persichetti

Subjects

Key-recovery attack, Computer science, business.industry, Hamming distance, Encryption, Signature (logic), Computer Science Applications, law.invention, law, Modeling and Simulation, Computer Science::Multimedia, Key (cryptography), Electrical and Electronic Engineering, Elliptic curve cryptography, business, Hamming weight, Cryptanalysis, Algorithm, Computer Science::Cryptography and Security

Abstract

We propose an attack on the recent attempt by Li, Xing and Yeo to produce a code-based signature scheme using the Schnorr-Lyubashevsky approach in the Hamming metric, and verify its effectiveness through numerical simulations. Differently from other (unsuccessful) proposals, this new scheme exploits rejection sampling along with dense noise vectors to hide the secret key structure in produced signatures. We show that these measures, besides yielding very slow signing times and rather long signatures, do not succeed in protecting the secret key. We are indeed able to prove the existence of a strong correlation between produced signatures, which ultimately leaks information about the secret key. To support this claim, we use both theoretical arguments and numerical evidences. Finally, we employ such a weakness to mount a full key recovery attack, which is able to recover the secret key after the observation of a bunch of signatures. Our results show that the considered scheme may be secure only for one-time usage.

Published

2021

29. Cryptanalysis of Achterbahn-128/80 with a New Keystream Limitation

Author

Naya-Plasencia, María, Hutchison, David, editor, Kanade, Takeo, editor, Kittler, Josef, editor, Kleinberg, Jon M., editor, Mattern, Friedemann, editor, Mitchell, John C., editor, Naor, Moni, editor, Nierstrasz, Oscar, editor, Pandu Rangan, C., editor, Steffen, Bernhard, editor, Sudan, Madhu, editor, Terzopoulos, Demetri, editor, Tygar, Doug, editor, Vardi, Moshe Y., editor, Weikum, Gerhard, editor, Lucks, Stefan, editor, Sadeghi, Ahmad-Reza, editor, and Wolf, Christopher, editor

Published

2008

30. Cryptanalysis of Achterbahn-128/80

Author

Naya-Plasencia, María, Hutchison, David, editor, Kanade, Takeo, editor, Kittler, Josef, editor, Kleinberg, Jon M., editor, Mattern, Friedemann, editor, Mitchell, John C., editor, Naor, Moni, editor, Nierstrasz, Oscar, editor, Pandu Rangan, C., editor, Steffen, Bernhard, editor, Sudan, Madhu, editor, Terzopoulos, Demetri, editor, Tygar, Doug, editor, Vardi, Moshe Y., editor, Weikum, Gerhard, editor, and Biryukov, Alex, editor

Published

2007

31. Towards Key-recovery-attack Friendly Distinguishers: Application to GIFT-128

Author

Yiyuan Luo, Si Wang, Rui Zong, Zheng Li, Xiaoyang Dong, and Huaifeng Chen

Subjects

Key-recovery attack, lcsh:Computer engineering. Computer hardware, Computer science, Applied Mathematics, Linear Trail, Differential Trail, lcsh:TK7885-7895, GIFT, Computer security, computer.software_genre, SUNDAE-GIFT, Computer Science Applications, Distinguisher Search Strategy, Computational Mathematics, GIFT-COFB, computer, Software

Abstract

When analyzing a block cipher, the first step is to search for some valid distinguishers, for example, the differential trails in the differential cryptanalysis and the linear trails in the linear cryptanalysis. A distinguisher is advantageous if it can be utilized to attack more rounds and the amount of the involved key bits during the key-recovery process is small, as this leads to a long attack with a low complexity. In this article, we propose a two-step strategy to search for such advantageous distinguishers. This strategy is inspired by the intuition that if a differential is advantageous only when some properties are satisfied, then we can predefine some constraints describing these properties and search for the differentials in the small set.As applications, our strategy is used to analyze GIFT-128, which was proposed in CHES 2017. Based on some 20-round differentials, we give the first 27-round differential attack on GIFT-128, which covers one more round than the best previous result. Also, based on two 17-round linear trails, we give the first linear hull attack on GIFT-128, which covers 22 rounds. In addition, we also give some results on two GIFT-128 based AEADs GIFT-COFB and SUNDAE-GIFT.

Published

2021

32. SMT‐based cube attack on round‐reduced Simeck32/64

Author

Babak Sadeghiyan and Mojtaba Zaheri

Subjects

Key-recovery attack, Computer Networks and Communications, Computer science, business.industry, 020206 networking & telecommunications, Cryptography, Plaintext, 0102 computer and information sciences, 02 engineering and technology, 01 natural sciences, law.invention, Cipher, 010201 computation theory & mathematics, law, Ciphertext, 0202 electrical engineering, electronic engineering, information engineering, Cube attack, Arithmetic, Cryptanalysis, business, Software, Information Systems, Block cipher

Abstract

In this study, the authors take advantage of feeding the SMT solver by extra information provided through middle state cube characteristics to introduce a new method which they call SMT-based cube attack, and apply it to improve the success of the solver in attacking reduced-round versions of Simeck32/64 lightweight block cipher. The key idea is to search for and utilise all found middle state characteristics of a cube at one round of attack. They first propose a new algorithm to find cubes with most number of middle state characteristics. Then, they apply these obtained cubes and their characteristics as extra information in the SMT definition of the cryptanalysis problem, to evaluate its effectiveness. Their cryptanalysis results in a full key recovery attack by 64 plaintext/ciphertext pairs on 12 rounds of the cipher in just 122.17 s. This is the first algebraic attack so far presented against the reduced-round versions of Simeck32/64, and also with practical complexities. They also conduct the cube attack on the Simeck32/64 to compare with the SMT-based cube attack. The results indicate that the proposed attack is more powerful than the cube attack.

Published

2020

33. White-Box Implementation of Shamir’s Identity-Based Signature Scheme

Author

Debiao He, Qi Feng, Huaqun Wang, Neeraj Kumar, and Kim-Kwang Raymond Choo

Subjects

Key-recovery attack, 021103 operations research, Computer Networks and Communications, business.industry, Computer science, Distributed computing, 0211 other engineering and technologies, 02 engineering and technology, Encryption, Signature (logic), Computer Science Applications, Random oracle, Public-key cryptography, Digital signature, Control and Systems Engineering, Electrical and Electronic Engineering, White box, business, Implementation, Information Systems

Abstract

Digital signature schemes have been extensively studied in the literature, where a large number of such schemes with different properties have been designed for different applications. For example, identity-based signature (IBS) schemes can efficiently map a user’s digital public key to his/her real-world identity (e.g., e-mail address). However, existing implementations of IBS schemes are not generally designed for white-box security (WBS), particularly concerning the protection of the private key when special attackers have full access to the execution environment. Therefore, in this paper, we propose the first white-box implementation for the classical Shamir’s IBS scheme. The basic idea is to utilize a mathematical transformation for embedding private key into some special tables, such that the original private key could be “invisible” during the execution process. We then analyze the security requirements achieved in our implementation, including the conventional black-box security under the random oracle model and WBS (e.g., key recovery attack resilience). This is the first IBS scheme implementation that satisfies WBS. It is also shown from the simulation that the implementation incurs a constant computational cost, which is realistic in deployments where a high security level is required.

Published

2020

34. Proving the biases of Salsa and ChaCha in differential attack

Author

Santanu Sarkar and Sabyasachi Dey

Subjects

Key-recovery attack, Theoretical computer science, business.industry, Applied Mathematics, Key recovery, 020206 networking & telecommunications, Cryptography, 0102 computer and information sciences, 02 engineering and technology, 01 natural sciences, Computer Science Applications, Cipher, 010201 computation theory & mathematics, 0202 electrical engineering, electronic engineering, information engineering, Key (cryptography), Differential (infinitesimal), business, computer, Stream cipher, SALSA, computer.programming_language, Mathematics

Abstract

Salsa and ChaCha are two of the most famous stream ciphers in recent times. Most of the attacks available so far against these two ciphers are differential attacks, where a difference is given as an input in the initial state of the cipher and in the output some correlation is investigated. This correlation works as a distinguisher. All the key recovery attacks against these ciphers are based on these observed distinguishers. However, the distinguisher in the differential attack was purely an experimental observation, and the reason for this bias was unknown so far. In this paper, we provide a full theoretical proof of both the observed distinguishers for Salsa and ChaCha. In the key recovery attack, the idea of probabilistically neutral bit also plays a vital role. Here, we also theoretically explain the reason of a particular key bit of Salsa to be probabilistically neutral. This is the first attempt to provide a theoretical justification of the idea of differential key recovery attack against these two ciphers.

Published

2020

35. An Efficient MQ-Signature Scheme Based on Sparse Polynomials

Author

Namhun Koo, Cheol-Min Park, and Kyung-Ah Shim

Subjects

Scheme (programming language), Key-recovery attack, Theoretical computer science, multivariate-quadratic problem, General Computer Science, Equivalent key, business.industry, Computer science, General Engineering, Byte, Cryptography, sparse polynomial, key recovery attack, Signature (logic), isomorphism of polynomials problem, Public-key cryptography, Key (cryptography), General Materials Science, lcsh:Electrical engineering. Electronics. Nuclear engineering, business, good key, computer, lcsh:TK1-9971, computer.programming_language

Abstract

Multivariate quadratic (MQ) equations-based cryptography is one of the most promising alternatives for currently used public-key cryptographic algorithms in the post-quantum era. It is important to design practical public-key signature schemes on embedded processors and resource-constrained devices for emerging applications in Internet of Things. The MQ-signature schemes are suitable for low-cost constrained devices since they require only modest computational resources. In this paper, we propose an efficient MQ-signature scheme, SOV, using sparse polynomials with a shorter secret key and give its security analysis against known algebraic attacks. Compared to Rainbow, the secret key of SOV has reduced by a factor of 90% without increasing the public key size. In particular, SOV requires signatures of 52 bytes, while ECDSA-256 requires signatures of 64 bytes.

Published

2020

36. On the security of subspace subcodes of Reed-Solomon codes for public key encryption

Author

Matthieu Lequesne, Alain Couvreur, Geometry, arithmetic, algorithms, codes and encryption (GRACE), Inria Saclay - Ile de France, Institut National de Recherche en Informatique et en Automatique (Inria)-Institut National de Recherche en Informatique et en Automatique (Inria)-Laboratoire d'informatique de l'École polytechnique [Palaiseau] (LIX), École polytechnique (X)-Centre National de la Recherche Scientifique (CNRS)-École polytechnique (X)-Centre National de la Recherche Scientifique (CNRS), Cryptologie symétrique, cryptologie fondée sur les codes et information quantique (COSMIQ), Inria de Paris, Institut National de Recherche en Informatique et en Automatique (Inria)-Institut National de Recherche en Informatique et en Automatique (Inria), Sorbonne Université (SU), Centrum Wiskunde & Informatica, Amsterdam (CWI), The Netherlands, Laboratoire d'informatique de l'École polytechnique [Palaiseau] (LIX), and École polytechnique (X)-Centre National de la Recherche Scientifique (CNRS)-École polytechnique (X)-Centre National de la Recherche Scientifique (CNRS)-Inria Saclay - Ile de France

Subjects

FOS: Computer and information sciences, Security analysis, Theoretical computer science, Computer Science - Cryptography and Security, Computer science, Computer Science - Information Theory, Encryption, 02 engineering and technology, Library and Information Sciences, GRScodes, Expansion of codes, Codes, Public-key cryptography, GRS codes, Key recovery attack, [INFO.INFO-CR]Computer Science [cs]/Cryptography and Security [cs.CR], Dimension (vector space), NIST, Square product of codes, Reed–Solomon error correction, 0202 electrical engineering, electronic engineering, information engineering, Code (cryptography), Proposals, [MATH]Mathematics [math], Subspace subcodes, Computer Science::Cryptography and Security, Computer Science::Information Theory, Key-recovery attack, Reed-Solomon codes, business.industry, Information Theory (cs.IT), Public key, [MATH.MATH-IT]Mathematics [math]/Information Theory [math.IT], 020206 networking & telecommunications, Code-based cryptography, Computer Science Applications, Generators, McEliece encryption scheme, business, Cryptography and Security (cs.CR), Subspace topology, Information Systems

Abstract

International audience; This article discusses the security of McEliece-like encryption schemes using subspace subcodes of Reed-Solomon codes, i.e. subcodes of Reed-Solomon codes over $\mathbb{F}_{q^m}$ whose entries lie in a fixed collection of $\mathbb{F}_q$-subspaces of $\mathbb{F}_{q^m}$. These codes appear to be a natural generalisation of Goppa and alternant codes and provide a broader flexibility in designing code based encryption schemes. For the security analysis, we introduce a new operation on codes called the twisted product which yields a polynomial time distinguisher on such subspace subcodes as soon as the chosen $\mathbb{F}_q$-subspaces have dimension larger than $m/2$. From this distinguisher, we build an efficient attack which in particular breaks some parameters of a recent proposal due to Khathuria, Rosenthal and Weger.

Published

2021

37. Towards advance encryption based on a Generalized Suzuki 2-groups

Author

Yevgen Kotukh, Dmitry Tsyplakov, Svitlana Khalimova, Gennady Khalimov, Andrii Vlasov, Oleksandr Sievierinov, and Oleksandr Marukhnenko

Subjects

Key-recovery attack, Discrete mathematics, Cipher, Computer science, Group (mathematics), business.industry, Ciphertext, Cryptosystem, Suzuki groups, Encryption, business, Group representation, Computer Science::Cryptography and Security

Abstract

The article shows the method on how to improve encryption algorithm in MST3 cryptosystem for the generalized Suzuki 2 - groups. The well-known MST cryptosystem based on Suzuki groups is built on a logarithmic signature (LS) at the center of the group, resulting in a large array of logarithmic signatures. An encryption scheme based on multi-parameter noncommutative groups is proposed. The multi-parameter generalized Suzuki 2 - groups are chosen as one of the group constructions. In this case, the logarithmic signature is established for the entire group, and the secrecy of the cipher depends on the order in the group. This design allows encryption to be built that is optimized for implementation costs, which are determined by the size of the logarithmic signature and secrecy, which is dependent on the size of the keys and the final field of group representation. The main difference between the presented encryption implementation lies in the step-by-step de-encapsulation of the key from the ciphertext and associated keys using logarithmic signatures. The complexity of a key recovery attack for evaluating the secrecy of a cipher is determined by enumerating all keys using an enumeration method.

Published

2021

38. Generalized Matsui Algorithm 1 with Application for the Full DES

Author

Danilo Šijačić, Stef D’haeseleer, Tomer Ashur, Raluca Posteuca, Galdi, Clemente, and Kolesnikov, Vladimir

Subjects

Key-recovery attack, 050101 languages & linguistics, Computer science, 05 social sciences, Linear cryptanalysis, 0202 electrical engineering, electronic engineering, information engineering, Leverage (statistics), 020201 artificial intelligence & image processing, 0501 psychology and cognitive sciences, 02 engineering and technology, Algorithm

Abstract

In this paper we introduce the strictly zero-correlation attack. We extend the work of Ashur and Posteuca in BalkanCryptSec 2018 and build a 0-correlation key-dependent linear trail covering the full DES. We show how this approximation can be used for a key recovery attack and empirically verify our claims through a series of experiments. To the best of our knowledge, this paper is the first to use this kind of property to leverage a meaningful attack against a symmetric-key algorithm. ispartof: pages:448-467 ispartof: Security and Cryptography for Networks. SCN 2020 vol:12238 pages:448-467 ispartof: Security and Cryptography for Networks. SCN 2020. location:Amalfi, Italy date:14 Sep - 16 Sep 2020 status: published

Published

2021

39. Quantum key recovery attack on SIMON32/64

Author

Li Yang and Hui Liu

Subjects

Quantum cryptanalysis, Computer engineering. Computer hardware, Lightweight block ciphers, Computer Networks and Communications, Computer science, Minor (linear algebra), Quantum amplitude amplification, Brute-force search, 02 engineering and technology, 01 natural sciences, law.invention, TK7885-7895, Key recovery attack, Quantum circuit, Amplitude amplification, Artificial Intelligence, law, 0103 physical sciences, 0202 electrical engineering, electronic engineering, information engineering, 010306 general physics, Quantum, Computer Science::Cryptography and Security, Block cipher, Key-recovery attack, TheoryofComputation_GENERAL, Differential cryptanalysis, 020206 networking & telecommunications, QA75.5-76.95, SIMON32/64, ComputerSystemsOrganization_MISCELLANEOUS, Electronic computers. Computer science, Cryptanalysis, Algorithm, Software, Information Systems

Abstract

The quantum security of lightweight block ciphers is receiving more and more attention. However, the existing quantum attacks on lightweight block ciphers only focused on the quantum exhaustive search, while the quantum attacks combined with classical cryptanalysis methods haven’t been well studied. In this paper, we study quantum key recovery attack on SIMON32/64 using Quantum Amplitude Amplification algorithm in Q1 model. At first, we reanalyze the quantum circuit complexity of quantum exhaustive search on SIMON32/64. We estimate the Clifford gates count more accurately and reduce the T gate count. Also, the T-depth and full depth is reduced due to our minor modifications. Then, using four differentials given by Biryukov in FSE 2014 as our distinguisher, we give our quantum key recovery attack on 19-round SIMON32/64. We treat the two phases of key recovery attack as two QAA instances separately, and the first QAA instance consists of four sub-QAA instances. Then, we design the quantum circuit of these two QAA instances and estimate their corresponding quantum circuit complexity. We conclude that the quantum circuit of our quantum key recovery attack is lower than quantum exhaustive search. Our work firstly studies the quantum dedicated attack on SIMON32/64. And this is the first work to study the complexity of quantum dedicated attacks from the perspective of quantum circuit complexity, which is a more fine-grained analysis of quantum dedicated attacks’ complexity.

Published

2021

40. A Key Recovery Reaction Attack on QC-MDPC

Author

Qian Guo, Thomas Johansson, and Paul Stankovski Wagner

Subjects

Key-recovery attack, Post-quantum cryptography, Computer science, business.industry, 020206 networking & telecommunications, 02 engineering and technology, Library and Information Sciences, Encryption, Computer Science Applications, Set (abstract data type), Public-key cryptography, Computer engineering, 0202 electrical engineering, electronic engineering, information engineering, Code (cryptography), Key (cryptography), Security level, business, Decoding methods, Information Systems

Abstract

Algorithms for secure encryption in a post-quantum world are currently receiving a lot of attention in the research community. One of the most promising such algorithms is the code-based scheme called QC-MDPC, which has excellent performance and a small public key size. In this paper, we present a very efficient key recovery attack on the QC-MDPC scheme using the fact that decryption uses an iterative decoding step, and this can fail with some small probability. We identify a dependence between the secret key and the failure in decoding. This can be used to build what we refer to as a distance spectrum for the secret key, which is the set of all distances between any two ones in the secret key. In a reconstruction step, we then determine the secret key from the distance spectrum. The attack has been implemented and tested on a proposed instance of QC-MDPC for 80-bit security. It successfully recovers the secret key in minutes. A slightly modified version of the attack can be applied on proposed versions of the QC-MDPC scheme that provides IND-CCA security. The attack is a bit more complex in this case, but still very much below the security level. The reason why we can break schemes with proved CCA security is that the model for these proofs typically does not include the decoding error possibility. At last, we present several algorithms for key reconstruction from an empirical distance spectrum. We first improve the naive algorithm for key reconstruction by a factor of about 3 0000, when the parameters for 80-bit security are implemented. We further develop the algorithm to deal with errors in the distance spectrum. This ultimately reduces the requirement on the number of ciphertexts that need to be collected for a successful key recovery.

Published

2019

41. Unbalanced biclique cryptanalysis of a full round Midori

Author

Jian Lian, Zhaohui Xing, Hongluan Zhao, Wenying Zhang, and Guoyong Han

Subjects

Key-recovery attack, Theoretical computer science, business.industry, Computer science, 020302 automobile design & engineering, 020206 networking & telecommunications, Cryptography, 02 engineering and technology, Man-in-the-middle attack, Encryption, Computer Science Applications, law.invention, 0203 mechanical engineering, law, Biclique attack, 0202 electrical engineering, electronic engineering, information engineering, Electrical and Electronic Engineering, Cryptanalysis, business, Key schedule, Block cipher

Abstract

Midori is a family of lightweight block ciphers presented by Banik et al . at Asiacrypt 2015. Biclique cryptanalysis is a typical key-recovery attack that is proposed to attack the full AES by Bogdanov et al . in ASIACRYPT 2011. The method can attack a great deal of ciphers utilising the main idea of MITM attack and the basic principle of the biclique structure. In this study, the authors first provide an unbalanced biclique attack on full round Midori with partial matching and precomputation. They demonstrate that full round Midori64/128 are not secure against unbalanced biclique attacks. They construct a five-round 4×8 unbalanced biclique on Midori64, with data complexity of 2 36 and time complexity of 2 126.25 by investigating the simple key schedule and the encryption structure. Furthermore, they present a four-round 8×16 unbalanced biclique on Midori128 with data complexity of 2 72 and computational complexity of 2 126.91 . To the best of authors' knowledge, the result is the best single-key cryptanalytic result of Midori.

Published

2019

42. Revisiting the Security of Qian et al.’s Revised Tree-$$\hbox {LSHB}^+$$ Protocol

Author

Zhenfeng Zhang, Jing Xu, and Xinyu Li

Subjects

Key-recovery attack, Authentication, Computer science, Data_MISCELLANEOUS, 020206 networking & telecommunications, 02 engineering and technology, Mutual authentication, Adversary, Computer security, computer.software_genre, Computer Science Applications, Identification (information), Forward secrecy, Authentication protocol, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, Electrical and Electronic Engineering, Protocol (object-oriented programming), computer

Abstract

Due to the limited computation and memory capabilities of the identification tags, RFID systems are susceptible to various attacks. In 2014, a lightweight mutual authentication RFID protocol that supports key update was proposed by Qian et al., and it was claimed to be secure against several known attacks. In this paper, however, we show that their protocol cannot resist key recovery attack, where an adversary, after interacting with the tag several times, can recover the authentication keys of the system in polynomial time with non-negligible probability. Additionally, we also prove that their protocol cannot provide strong backward security or strong forward security: an adversary who has compromised some continuous authentication keys, can successfully recover all the future authentication keys and some of the previous authentication keys, which completely breaks the security of the authentication protocol. We then propose a new protocol which provides key recovery resilience, both strong backward security and strong forward security, and also resistance against various known types of attacks.

Published

2019

43. MILP-Aided Related-Tweak/Key Impossible Differential Attack and its Applications to QARMA, Joltik-BC

Author

Xiaoyang Dong and Rui Zong

Subjects

Key-recovery attack, Mathematical optimization, General Computer Science, Relation (database), Computer science, Impossible differential attack, General Engineering, 020206 networking & telecommunications, Differential (mechanical device), 0102 computer and information sciences, 02 engineering and technology, tweakable block cipher, 01 natural sciences, QARMA-64, related-tweakey, 010201 computation theory & mathematics, Joltik-BC-128, 0202 electrical engineering, electronic engineering, information engineering, Key (cryptography), General Materials Science, lcsh:Electrical engineering. Electronics. Nuclear engineering, lcsh:TK1-9971, Block cipher

Abstract

In this paper, we study the relation of related-tweak/key impossible differentials with single-key ones. Following a heuristic strategy, we can derive longer related-tweak/key impossible differentials from single-key ones. We implement this strategy with the MILP technique and apply it to search related-tweak/key impossible differentials of two tweakable block ciphers: QARMA-64 and Joltik-BC-128. For QARMA-64, we find several 7-round related-tweak impossible differential distinguishers and use them to mount a 10-round key recovery attack including the outer whitening key; for Joltik-BC-128, we find two 6-round related-tweakey impossible differential distinguishers and use them attack 9-round and 10-round Joltik-BC-128 respectively.

Published

2019

44. Related-Key Differential Cryptanalysis of the Reduced-Round Block Cipher GIFT

Author

Meichun Cao and Wenying Zhang

Subjects

Key-recovery attack, Differential cryptanalysis, GIFT block cipher, mixed integer linear programming (MILP), General Computer Science, Computer science, General Engineering, related-key differential cryptanalysis, 0102 computer and information sciences, 02 engineering and technology, 01 natural sciences, 010201 computation theory & mathematics, 0202 electrical engineering, electronic engineering, information engineering, Key (cryptography), 020201 artificial intelligence & image processing, General Materials Science, lcsh:Electrical engineering. Electronics. Nuclear engineering, Arithmetic, lcsh:TK1-9971, Differential (mathematics), differential cryptanalysis, Block cipher

Abstract

GIFT is a lightweight block cipher that was proposed by Banik et al. at CHES 2017, which is said to be a direct improvement over PRESENT since “that provides a much increased efficiency in all domains (smaller and faster)” and improves the security weaknesses of the latter. At Asiacrypt in 2014, Sun et al. introduced a bit-oriented mixed integer linear programming (MILP) method to search for the differential characteristics of block ciphers. In this paper, we use the differential cryptanalysis method based on this automated tool to analyse GIFT. We propose 12-round and 13-round related-key differential characteristics of GIFT- 64 and 7-round and 10-round related-key differential characteristics of GIFT- 128. By using them as distinguishers, we apply key recovery attacks on the 19-round and 20-round reduced GIFT-64 with data complexities of 247 and 256 plaintexts, respectively, which mean that the data complexities are lower. Furthermore, we improve the GIFT-64 key recovery attack using differential cryptanalysis by one round over the previous differential cryptanalysis.

Published

2019

45. Key recovery attack on Circulant UOV/Rainbow

Author

Yasufumi Hashimoto

Subjects

Key-recovery attack, Combinatorics, Computer science, Rainbow, Circulant matrix

Published

2019

46. Improved Meet-in-the-Middle Attacks on Generic Feistel Constructions

Author

Yuanhao Deng, Xiaohan Duan, Junhu Zhu, Shibin Zhao, and Zhiniang Peng

Subjects

Discrete mathematics, General Computer Science, Sieve (category theory), General Engineering, 020206 networking & telecommunications, 02 engineering and technology, Meet-in-the-middle, Data complexity, key-recovery attack, 7-round Feistel constructions, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, General Materials Science, lcsh:Electrical engineering. Electronics. Nuclear engineering, Greedy algorithm, Time complexity, Meet in the middle, lcsh:TK1-9971, Mathematics

Abstract

In this paper, we present improved meet-in-the-middle key-recovery attacks on six-round and seven-round Feistel constructions separately. The attacks are based on Guo et al. ’s work which appends one round to the five-round distinguisher to attack the six-round Feistel construction through the meet-in-the-middle method. The proposed method stores only target sequences instead of all the possible sequences, which reduces the memory complexity from ${2^{({3}/{4})n}}$ blocks to ${2^{({n}/{2})}}$ blocks. A new key-recovery attack method on the seven-round Feistel construction is proposed by appending one another round after a five-round distinguisher. What is more, is that we propose a new method called the impossible-differential pairs sieve technique which reduces the data complexity from ${2^{n}}$ chosen plaintexts to $3\times {2^{n-2}}$ chosen plaintexts so that the attack complexity is lower than the exhaustive attack. The time complexity is equivalent to about $3\times {2^{n-2}}$ encryptions, and the memory complexity is optimized to ${2^{({3}/{4})n}}$ blocks of ${2^{({n}/{2})}}$ bits. To the best of our knowledge, it is the first known generic key-recovery attack on the seven-round Feistel construction with a lower attack complexity when compared with the exhaustive attack.

Published

2019

47. Optimizing Fast Near Collision Attack on Grain Using Linear Programming

Author

Yueping Wu, Senshan Pan, and Liangmin Wang

Subjects

Key-recovery attack, General Computer Science, Linear programming, time-memory-data tradeoff attacks, Computer science, General Engineering, Phase (waves), stream ciphers, near collision, Reduction (complexity), Cryptanalysis, Collision attack, General Materials Science, eSTREAM, State (computer science), lcsh:Electrical engineering. Electronics. Nuclear engineering, grain, Algorithm, Time complexity, lcsh:TK1-9971

Abstract

In 2018, an attack named fast-near-collision attack (FNCA) was proposed, which is an improved version of near-collision attack (NCA) on Grain-v1, one of the three hardware-oriented finalists of the eSTREAM project. FNCA is designed as a key recovery attack and takes a divide-and-conquer strategy that needs a merging phase. We propose an improved FNCA where the merging phase is optimized by a linear programming based strategy. It decreases the candidates of the internal state vectors (ISVs) in each step of merging and has a reduction in the overall time complexity. Since the merging phase is vital for a divide-and-conquer strategy, where the most of bits of the full internal state are recovered, other analyses on Grain family with FNCA can get optimized by our method in varying degrees. This paper offers an experiment on a reduced Grain and a theoretical analysis on Grain-v1 to confirm the results. In the case of the reduced Grain of an 80-bit internal state, the time complexity is 237.1096, which has a 27.8% reduction. For Grain-v1, its theoretical time complexity is around 273.4, which is reduced by 79.4% compared with the original one.

Published

2019

48. Improved encryption scheme based on the automorphism group of the Ree function field

Author

Gennady Khalimov, Svitlana Khalimova, and Yevgeniy Kotukh

Subjects

Discrete mathematics, Key-recovery attack, Logarithm, Computer science, Group (mathematics), business.industry, Encryption, Scheme (mathematics), Computer Science::Multimedia, Key (cryptography), Signature (topology), business, Function field, Computer Science::Cryptography and Security

Abstract

The article describes an improved implementation of the encryption scheme based on the automorphism group of Ree function field. Our proposal is to use the Ree function field automorphism group to encrypt the whole group with key bindings. We extended the logarithmic signature to the entire group and got changed the encryption algorithm to protect against a sequential key recovery attack.

Published

2021

49. Applications of Simon’s algorithm in quantum attacks on Feistel variants

Author

Jiansheng Guo, Jingyi Cui, and Shuzhen Ding

Subjects

Key-recovery attack, Cryptographic primitive, Computer science, business.industry, Statistical and Nonlinear Physics, Cryptography, 01 natural sciences, 010305 fluids & plasmas, Theoretical Computer Science, Electronic, Optical and Magnetic Materials, law.invention, law, Modeling and Simulation, 0103 physical sciences, Signal Processing, Quantum algorithm, Electrical and Electronic Engineering, 010306 general physics, business, Cryptanalysis, Algorithm, Distinguishing attack, Quantum, Computer Science::Cryptography and Security, Quantum computer

Abstract

Simon’s algorithm is a well-known quantum algorithm which can achieve an exponential acceleration over classical algorithm. It has been widely used in quantum cryptanalysis of many cryptographic primitives. This paper concentrates on studying the applications of Simon’s algorithm in analyzing the security of Feistel variants, several well-known cryptographic structures derived from the Feistel structure. First, we propose a definition of weakly periodic function to relax the original strong Simon’s promise. Based on this definition, we define and analyze several extensions of Simon’s problem which expand the application of Simon’s algorithm. Furthermore, based on one extended Simon’s problem, we show new polynomial-time quantum distinguishing attacks on several Feistel variants: MISTY L/R, CAST256-like, CLEFIA-like, MARS-like, SMS4-like and Skipjack-A/B-like schemes. These new results show that classically secure schemes may be no longer secure in the Q2 model. Finally, based on the quantum distinguishers introduced above, we extend several rounds forward or backward to propose corresponding quantum all subkeys recovery attacks that can recover all subkeys in the Q2 model with lower query complexities than those in the Q1 model by using Grover’s algorithm.

Published

2021

50. Hybrid Encryption Algorithm for the Data Security of ESP32 based IoT-enabled Robots

Author

Ranjit Kumar Barai and Rakesh Podder

Subjects

Key-recovery attack, Smart grid, Computer science, Network security, business.industry, Hybrid cryptosystem, Data security, The Internet, Cryptographic protocol, business, Encryption, Algorithm

Abstract

The Internet of Things (IoT) is one of the growing digital applications in modern times. With the increase of the application of IoT in the fields of networked mobile robotics, Smart Grid, etc., the concern about the security protocols also rises along with it. Cybersecurity is one of the most important network security protocols for the safety of IoT-enabled devices as all the devices are connected and inter-exchanging various data over the internet. Various encryption algorithms for securing data in cybersecurity management are already in existence. RSA, ECC, and other existing encryption algorithms are frequently used in various fields of IoT applications such, however, they have many shortcomings. Among the existing algorithm, AES is one of the best algorithms because it can provide an excellent level of security and its encryption speed is much faster than others. But AES is vulnerable to Key Recovery Attack. In order to overcome this shortcoming and to provide a more secured security protocol, Hybrid Encryption Algorithm (HEA) has been introduced in this paper and implemented in an ESP32 based IoT-enabled mobile robot. The HEA consist of base64 and AES, which is double-layered encryption for data security. The level of security is much higher than the commonly used encryption algorithm. The complexity and runtime are less than other encryption topology. The proposed technique has been computed in ESP32 and the performance was observed to be much better in terms of security level, complexity, execution time, and power consumption of the device.

Published

2021