Cryptanalysis of ARMADILLO2

Abdelraheem, Mohamed Ahmed; Blondeau, Céline; Naya-Plasencia, Maŕıa; Zenner, Erik

doi:10.1007/978-3-642-25385-0_17

Cited by 13 publications

(10 citation statements)

References 5 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Note that we have not been able to include all recent proposals and we have restricted ourselves to block ciphers for our comparison. Other techniques such as hummingbird [19] and armadillo [5] are of some interest in the literature, though attacks on early versions have lead to some redesign [45,1,20]. As can be seen from Table 2, the block cipher LED is the smallest when compared to other block ciphers with similar key and block size.…”

Section: Hardware Implementationmentioning

confidence: 99%

The LED Block Cipher

Guo

Peyrin

Pöschmann

et al. 2011

Cryptographic Hardware and Embedded Systems – CHES 2011

602

384

View full text Add to dashboard Cite

Abstract. We present a new block cipher LED. While dedicated to compact hardware implementation, and offering the smallest silicon footprint among comparable block ciphers, the cipher has been designed to simultaneously tackle three additional goals. First, we explore the role of an ultra-light (in fact non-existent) key schedule. Second, we consider the resistance of ciphers, and LED in particular, to related-key attacks: we are able to derive simple yet interesting AES-like security proofs for LED regarding related-or single-key attacks. And third, while we provide a block cipher that is very compact in hardware, we aim to maintain a reasonable performance profile for software implementation.

show abstract

Section: Hardware Implementationmentioning

confidence: 99%

The LED Block Cipher

Guo

Peyrin

Pöschmann

et al. 2011

Cryptographic Hardware and Embedded Systems – CHES 2011

602

384

View full text Add to dashboard Cite

show abstract

“…We denote X[i] the i-th bit of the word X, and HAM(X) the hamming weight of the word X. We recall from [1] that for two random k-bit words A and B of hamming weight a and b respectively, the probability that HAM(A ∧ B) = i (where ∧ stands for the bitwise AND function) is given by the formula…”

Section: A Evaluating B Xormentioning

confidence: 99%

Structural Evaluation of AES and Chosen-Key Distinguisher of 9-Round AES-128

Fouque

Jean²,

Peyrin

2013

Advances in Cryptology – CRYPTO 2013

View full text Add to dashboard Cite

Abstract. While the symmetric-key cryptography community has now a good experience on how to build a secure and efficient fixed permutation, it remains an open problem how to design a key-schedule for block ciphers, as shown by the numerous candidates broken in the related-key model or in a hash function setting. Provable security against differential and linear cryptanalysis in the related-key scenario is an important step towards a better understanding of its construction. Using a structural analysis, we show that the full AES-128 cannot be proven secure unless the exact coefficients of the MDS matrix and the S-Box differential properties are taken into account since its structure is vulnerable to a related-key differential attack. We then exhibit a chosen-key distinguisher for AES-128 reduced to 9 rounds, which solves an open problem of the symmetric community. We obtain these results by revisiting algorithmic theory and graph-based ideas to compute all the best differential characteristics in SPN ciphers, with a special focus on AES-like ciphers subject to related-keys. We use a variant of Dijkstra's algorithm to efficiently find the most efficient related-key attacks on SPN ciphers with an algorithm linear in the number of rounds.

show abstract

“…Although we did not find an attack on AR-MADILLO2, we have illustrated that the non-linearity based on data-dependent permutations in both ARMADILLO1 and ARMADILLO2 is not sufficient. The results do not immediately apply on ARMADILLO2 but they allow for better understanding the design and they might be used to improve the attack in [1].…”

Section: Resultsmentioning

confidence: 93%

“…In [1] the authors found an attack against ARMADILLO2 based on parallel matching. The key recovery attack against FIL-MAC application of ARMADILLO2-A and AR-MADILLO2-E using single challenge-response pair is 2 7 and 2 18 times faster than exhaustive search respectively.…”

Section: Related Workmentioning

confidence: 99%

Fast Key Recovery Attack on ARMADILLO1 and Variants

Sepehrdad

Sušil

Vaudenay

2011

Smart Card Research and Advanced Applications

View full text Add to dashboard Cite

Abstract. The ARMADILLO cryptographic primitive is a multi-purpose cryptographic primitive for RFID devices proposed at CHES'10. The main purpose of the primitive is to provide a secure authentication in a challenge-response protocol. It has two versions, named ARMADILLO (subsequently denoted by AR-MADILLO1) and ARMADILLO2. However, we found a fatal weakness in the design which allows a passive attacker to recover the secret key in polynomial time, of ARMADILLO1 and some generalizations. We introduce some intermediate designs which try to prevent the attack and link ARMADILLO1 to ARMADILLO2. Considering the fact that the attack against ARMADILLO1 is polynomial, this brings about some concerns into the security of the second version ARMADILLO2, although it remains unbroken so far.

show abstract

Cryptanalysis of ARMADILLO2

Cited by 13 publications

References 5 publications

The LED Block Cipher

The LED Block Cipher

Structural Evaluation of AES and Chosen-Key Distinguisher of 9-Round AES-128

Fast Key Recovery Attack on ARMADILLO1 and Variants

Contact Info

Product

Resources

About