MILP-Aided Related-Tweak/Key Impossible Differential Attack and its Applications to QARMA, Joltik-BC

Zong, Rui; Dong, Xiaoyang

doi:10.1109/access.2019.2946638

Cited by 8 publications

(14 citation statements)

References 20 publications

(165 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…5.2. Since its proposal, there have been several attacks such as meet-in-the-middle attacks [LJ18,ZD16] and impossible differential attacks [YQC18,ZDW18]. In [YQC18], Yang et al proposed single-key single-tweak impossible differential attacks on 10/11-round QARMA-64 and -128.…”

Section: Related-tweak Statistical Saturationmentioning

confidence: 99%

See 1 more Smart Citation

Related-Tweak Statistical Saturation Cryptanalysis and Its Application on QARMA

Wang

2019

ToSC

View full text Add to dashboard Cite

Statistical saturation attack takes advantage of a set of plaintext with some bits fixed while the others vary randomly, and then track the evolution of a non-uniform plaintext distribution through the cipher. Previous statistical saturation attacks are all implemented under single-key setting, and there is no public attack models under related-key/tweak setting. In this paper, we propose a new cryptanalytic method which can be seen as related-key/tweak statistical saturation attack by revealing the link between the related-key/tweak statistical saturation distinguishers and KDIB (Key Difference Invariant Bias) / TDIB (Tweak Difference Invariant Bias) ones. KDIB cryptanalysis was proposed by Bogdanov et al. at ASIACRYPT’13 and utilizes the property that there can exist linear trails such that their biases are deterministically invariant under key difference. And this method can be easily extended to TDIB distinguishers if the tweak is also alternated. The link between them provides a new and more efficient way to find related-key/tweak statistical saturation distinguishers in ciphers. Thereafter, an automatic searching algorithm for KDIB/TDIB distinguishers is also given in this paper, which can be implemented to find word-level KDIB distinguishers for S-box based key-alternating ciphers. We apply this algorithm to QARMA-64 and give related-tweak statistical saturation attack for 10-round QARMA-64 with outer whitening key. Besides, an 11-round attack on QARMA-128 is also given based on the TDIB technique. Compared with previous public attacks on QARMA including outer whitening key, all attacks presented in this paper are the best ones in terms of the number of rounds.

show abstract

Section: Related-tweak Statistical Saturationmentioning

confidence: 99%

“…2), separately. Besides, attacks proposed in [ZD16] and [ZDW18] didn't consider outer whitening key. According to the number of rounds, the best known valid attack considering outer whitening key can work on 9-round QARMA-64 and 10-round QARMA-128 [LJ18].…”

Section: Related-tweak Statistical Saturationmentioning

confidence: 99%

Related-Tweak Statistical Saturation Cryptanalysis and Its Application on QARMA

Wang

2019

ToSC

View full text Add to dashboard Cite

show abstract

“…But they could not attack a lot of rounds because of high memory requirements. In 2018, Zong et al gave an impossible differential attack on 11 rounds of QARMA-64 with 2 61 chosen plaintexts, 2 64.4 encryptions and 2 64 blocks [31]. However, they only gave the time complexity to retrieve 48-bit round subkeys of QARMA-64.…”

Section: Introductionmentioning

confidence: 99%

“…Since they selected two cells as the ordered sequence, their attack required more time and memory complexities. Clearly, papers [31], [32] and [33] are the previously best known results on QARMA-64/128. For the previous best result on QARMA-64 [31], they only recover 48 bits of round subkeys in the key recovery phase.…”

Section: Introductionmentioning

confidence: 99%

“…Clearly, papers [31], [32] and [33] are the previously best known results on QARMA-64/128. For the previous best result on QARMA-64 [31], they only recover 48 bits of round subkeys in the key recovery phase. Therefore, we try to construct other attacking paths such that more related round subkeys can be retrieved in the key recovery phase in order to improve the cryptanalytic results.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Improved Cryptanalysis of Reduced-Version QARMA-64/128

Liu

Zang

et al. 2020

IEEE Access

View full text Add to dashboard Cite

QARMA is a new tweakable block cipher used for memory encryption, the generation of short tags and the construction of the keyed hash functions in future. It adopts a three-round Even-Mansour scheme and supports 64 and 128 bits of block size, denoted by QARMA-64 and QARMA-128, respectively. Their tweak lengths equal the block sizes and their keys are twice as long as the blocks. In this paper, we improve the security analysis of reduced-version QARMA against impossible differential and meet-in-the-middle attacks. Specifically, first exploit some properties of its linear operations and the redundancy of key schedule. Based on them, we propose impossible differential attacks on 11-round QARMA-64/128, and meet-in-themiddle attacks on 10-round symmetric QARMA-128 and the last 12 rounds of asymmetric QARMA-128. Compared with the previously best known results on QARMA-64, our attack can recover 16 more bits of master key with the almost complexities. Compared with the previously best known results on symmetric QARMA-128, the memory complexity of our attack in Section IV is reduced by a factor of 2 48. Moreover, the meet-in-the-middle attack on 12-round QARMA-128 is the best known attack on QARMA-128 in terms of the number of rounds. INDEX TERMS Tweakable block ciphers, QARMA, meet-in-the-middle attacks, impossible differential cryptanalysis, tweaks.

show abstract