Division cryptanalysis of block ciphers with a binary diffusion layer

Zhang, Wenying; Rijmen, Vincent

doi:10.1049/iet-ifs.2018.5151

Cited by 42 publications

(56 citation statements)

References 20 publications

(70 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…One can also investigate the integral property by using the division property. In this context we want to emphasize that in [ZR19] the authors showed that for SKINNY-64, 10 rounds is the upper bound when searching for integral distinguishers based on division property. This analysis has been conducted taking into account the exact properties of both linear and nonlinear layer.…”

Section: Algorithm 1 Finding An Integral Distinguisher Of Maximum Lengthmentioning

confidence: 99%

Improved Security Evaluation of SPN Block Ciphers and its Applications in the Single-key Attack on SKINNY

Zhang

Cao

Guo

et al. 2020

ToSC

Self Cite

View full text Add to dashboard Cite

In this paper, a new method for evaluating the integral property, truncated and impossible differentials for substitution-permutation network (SPN) block ciphers is proposed. The main assumption is an explicit description/expression of the internal state words in terms of the plaintext (ciphertext) words. By counting the number of times these words occur in the internal state expression, we can evaluate the resistance of a given block cipher to integral and impossible/truncated differential attacks more accurately than previous methods. More precisely, we explore the cryptographic consequences of uneven frequency of occurrences of plaintext (ciphertext) words appearing in the algebraic expression of the internal state words. This approach gives a new family of distinguishers employing different concepts such as the integral property, impossible/truncated differentials and the so-called zero-sum property. We then provide algorithms to determine the maximum number of rounds of such new types of distinguishers for SPN block ciphers. The potential and efficiency of this relatively simple method is confirmed through applications. For instance, in the case of SKINNY block cipher, several 10-round integral distinguishers, all of the 11-round impossible differentials, and a 7-round truncated differential could be determined. For the last case, using a single pair of plaintexts differing in three words so that (a = b = c) ≠ (a’ = b’ = c’), we are able to distinguish 7-round SKINNY from random permutations. More importantly, exploiting our distinguishers, we give the first practical attack on 11-round SKINNY-128-128 in the single-key setting (a theoretical attack reaches 16 rounds). Finally, using the same ideas, we provide a concise explanation on the existing distinguishers for round-reduced AES.

show abstract

Section: Algorithm 1 Finding An Integral Distinguisher Of Maximum Lengthmentioning

confidence: 99%

Improved Security Evaluation of SPN Block Ciphers and its Applications in the Single-key Attack on SKINNY

Zhang

Cao

Guo

et al. 2020

ToSC

Self Cite

View full text Add to dashboard Cite

show abstract

“…SPNs are very well-researched and allow to apply existing cryptanalysis techniques to the security analysis of our forkcipher. A large number of cryptanalytic results [11,12,56,61,67,68] have further been published on round reduced SKINNY showing that the full version of the cipher has comfortable security margins. Unlike other lightweight block ciphers such as Midori [15] and PRINCE [30], the SKINNY design is constructed following the TWEAKEY framework, and in addition supports a number of choices for the tweak size; an important aspect for the choice of SKINNY for our design.…”

Section: Design Rationalementioning

confidence: 99%

“…It is based on the lightweight tweakable block cipher SKINNY [17]. Building ForkSkinny on an existing block cipher enables us to rely on the cryptanalyses result behind SKINNY [11,12,56,61,67,68], and in addition, helps us provide systematic analysis for the necessary forkcipher alterations. We also inherit the cipher's efficiency features and obtain a natural and consistent metric for comparison of the forkcipher performance with that of its underlying block cipher.…”

Section: Introductionmentioning

confidence: 99%

Forkcipher: A New Primitive for Authenticated Encryption of Very Short Messages

Andreeva

Lallemand

Purnal

et al. 2019

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Highly efficient encryption and authentication of short messages is an essential requirement for enabling security in constrained scenarios such as the CAN FD in automotive systems (max. message size 64 bytes), massive IoT, critical communication domains of 5G, and Narrowband IoT, to mention a few. In addition, one of the NIST lightweight cryptography project requirements is that AEAD schemes shall be "optimized to be efficient for short messages (e.g., as short as 8 bytes)". In this work we introduce and formalize a novel primitive in symmetric cryptography called a forkcipher. A forkcipher is a keyed function expanding a fixed-length input to a fixed-length output. We define its security as indistinguishability under chosen ciphertext attack. We give a generic construction validation via the new iterate-fork-iterate design paradigm. We then propose ForkSkinny as a concrete forkcipher instance with a public tweak and based on SKINNY: a tweakable lightweight block cipher constructed using the TWEAKEY framework. We conduct extensive cryptanalysis of ForkSkinny against classical and structurespecific attacks. We demonstrate the applicability of forkciphers by designing three new provably-secure, nonce-based AEAD modes which offer performance and security tradeoffs and are optimized for efficiency of very short messages. Considering a reference block size of 16 bytes, and ignoring possible hardware optimizations, our new AEAD schemes beat the best SKINNY-based AEAD modes. More generally, we show forkciphers are suited for lightweight applications dealing with predominantly short messages, while at the same time allowing handling arbitrary messages sizes. Furthermore, our hardware implementation results show that when we exploit the inherent parallelism of ForkSkinny we achieve the best performance when directly compared with the most efficient mode instantiated with the SKINNY block cipher.

show abstract

“…Model Operations. We recall how to model the operations in ciphers to construct the MILP [32] - [33].…”

Section: Model Bit-based Division Property Propagation Of Operations mentioning

confidence: 99%

Zero-Sum Partitions of PHOTON Permutations

Wang

Grassi

Rechberger

2018

Lecture Notes in Computer Science

View full text Add to dashboard Cite

We describe an approach to zero-sum partitions using Todo's division property at EUROCRYPT 2015. It follows the inside-out methodology, and includes MILP-assisted search for the forward and backward trails, and subspace approach to connect those two trails that is less restrictive than commonly done. As an application we choose PHOTON, a family of sponge-like hash function proposals that was recently standardized by ISO. With respect to the security claims made by the designers, we for the first time show zero-sum partitions for almost all of those full 12-round permutation variants that use a 4-bit S-Box. As with essentially any other zero-sum property in the literature, also here the gap between a generic attack and the shortcut is small.

show abstract

Division cryptanalysis of block ciphers with a binary diffusion layer

Cited by 42 publications

References 20 publications

Improved Security Evaluation of SPN Block Ciphers and its Applications in the Single-key Attack on SKINNY

Improved Security Evaluation of SPN Block Ciphers and its Applications in the Single-key Attack on SKINNY

Forkcipher: A New Primitive for Authenticated Encryption of Very Short Messages

Zero-Sum Partitions of PHOTON Permutations

Contact Info

Product

Resources

About