Cryptanalysis of Forkciphers

Bariant, Augustin; David, Nicolas; Leurent, Gaëtan

doi:10.46586/tosc.v2020.i1.233-265

Cited by 6 publications

(10 citation statements)

References 4 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“….,ST K 20 , ST K 48 , ST K 49 , ..., ST K 74 . As pointed out in [BDL20], there are some master key differences δs that satisfy δ = LF SR2 15 (δ). So we can get differential characteristics with 6 consecutive inactive subtweakeys ST K 18 , ST K 19 , ST K 20 , ST K 48 , ST K 49 and ST K 50 .…”

Section: Active Cellmentioning

confidence: 99%

“…Lemma 1. [BDL20] For any given SKINNY S-box S and any two non-zero differences δ in and δ out , the equation S i (y) ⊕ S i (y ⊕ δ in ) = δ out has one solution on average. [DKS10], the N dround cipher E is considered asẼ 1 • E m •Ẽ 0 , whereẼ 0 , E m ,Ẽ 1 contain r 0 , r m , r 1 rounds, respectively.…”

Section: The Tradeoff In Rectangle Attack On Ciphers With Linear Key-schedulementioning

confidence: 99%

See 1 more Smart Citation

Automated Search Oriented to Key Recovery on Ciphers with Linear Key Schedule

Qin

Dong

Wang

et al. 2021

ToSC

View full text Add to dashboard Cite

Automatic modelling to search distinguishers with high probability covering as many rounds as possible, such as MILP, SAT/SMT, CP models, has become a very popular cryptanalysis topic today. In those models, the optimizing objective is usually the probability or the number of rounds of the distinguishers. If we want to recover the secret key for a round-reduced block cipher, there are usually two phases, i.e., finding an efficient distinguisher and performing key-recovery attack by extending several rounds before and after the distinguisher. The total number of attacked rounds is not only related to the chosen distinguisher, but also to the extended rounds before and after the distinguisher. In this paper, we try to combine the two phases in a uniform automatic model.Concretely, we apply this idea to automate the related-key rectangle attacks on SKINNY and ForkSkinny. We propose some new distinguishers with advantage to perform key-recovery attacks. Our key-recovery attacks on a few versions of round-reduced SKINNY and ForkSkinny cover 1 to 2 more rounds than the best previous attacks.

show abstract

Section: Active Cellmentioning

confidence: 99%

Section: The Tradeoff In Rectangle Attack On Ciphers With Linear Key-schedulementioning

confidence: 99%

Automated Search Oriented to Key Recovery on Ciphers with Linear Key Schedule

Qin

Dong

Wang

et al. 2021

ToSC

View full text Add to dashboard Cite

show abstract

“…The variants of the ForkAE family are listed below. [117] showed that attacks on Skinny can be extended to one extra round for most ForkSkinny variants and up to three rounds for ForkSkinny-128-256. Privacy and authenticity proofs of PAEF and SAEF in the nonce-respecting scenario were provided in [40].…”

Section: Forkaementioning

confidence: 99%

Status report on the second round of the NIST lightweight cryptography standardization process

Turan¹,

McKay²,

Chang³

et al. 2021

View full text Add to dashboard Cite

The National Institute of Standards and Technology (NIST) initiated a public standardization process to select one or more Authenticated Encryption with Associated Data (AEAD) and hashing schemes suitable for constrained environments. In February 2019, 57 candidates were submitted to NIST for consideration. Among these, 56 were accepted as firstround candidates in April 2019. After four months, NIST selected 32 of the candidates for the second round. In March 2021, NIST announced 10 finalists to move forward to the final round of the selection process. The finalists are ASCON, Elephant, GIFT-COFB, Grain-128AEAD, ISAP, PHOTON-Beetle, Romulus, SPARKLE, TinyJAMBU, and Xoodyak. This report describes the evaluation criteria and selection process, which is based on public feedback and internal review of the second-round candidates.

show abstract

“…Banik et al [5] introduced reflection differential trails and proposed some attacks of ForkAES- * -4-4 ( * is any nonnegative integer). Bariant et al [6] first presented truncated differential attacks on ForkAES- * -5-5 (full ten rounds) in reconstruction queries, but the security of ForkAES in encryption queries needs to be further studied.…”

Section: Introductionmentioning

confidence: 99%

“…Compared with paper [5], we carefully consider the process of recovering the master key, which can reject wrong candidate keys efficiently. Compared with paper [6], we consider the attack scenario in encryption queries, which increases the understanding of ForkAES. To the best of our knowledge, we improve the previous attacks on ForkAES by attacking one more round in encryption queries.…”

Section: Introductionmentioning

confidence: 99%

Multiple Impossible Differential Attacks for ForkAES

Jiang

Jin

2022

Security and Communication Networks

View full text Add to dashboard Cite

To yield a highly efficient authentication encryption design for very short messages, the tweakable forkcipher is proposed, which is a tweakable block cipher that uses forking construction to produce two output blocks. The designers also presented ForkAES, a forkcipher that is based on the round function of AES and the tweakable variant of KIASU. Therefore, the security of ForkAES is found on the block ciphers AES and KIASU. However, from the perspective of new forking construction, attackers may obtain some unique properties. Impossible differential attacks are widely used on block ciphers. This paper studies the security of ForkAES against multiple impossible differential cryptanalysis. Based on the property of the forking construction, two types of impossible differential distinguishers have been constructed. We first use the tweak with different truncated differences to build more attack trails. Then, we first propose the multiple impossible differential attack for ForkAES- ∗ -5-4. Thus, only a single round would remain as a security margin. Utilizing multiple attack trails, our attack scenario obtains more subkey bytes and enhances the subkey’s sieving efficiency without increasing complexity. Furthermore, we carefully consider the process of recovering the master key, which can efficiently reject wrong candidate keys. In reconstruction queries, our attack reaches the longest number of rounds for ForkAES in impossible differential analysis, with 2 100.8 lookups, 2 85.8 chosen ciphertexts, and 2 92.7 memory blocks to store AES states. In encryption queries, we improve the previous attacks on ForkAES by attacking one more round (i.e., ForkAES- ∗ -5-4), with 2 118.2 lookups, 2 111.4 plaintexts, and 2 92.7 memory blocks to store AES states.

show abstract

Cryptanalysis of Forkciphers

Cited by 6 publications

References 4 publications

Automated Search Oriented to Key Recovery on Ciphers with Linear Key Schedule

Automated Search Oriented to Key Recovery on Ciphers with Linear Key Schedule

Status report on the second round of the NIST lightweight cryptography standardization process

Multiple Impossible Differential Attacks for ForkAES

Contact Info

Product

Resources

About