New MILP Modeling: Improved Conditional Cube Attacks on Keccak-Based Constructions

Song, Ling; Guo, Jian; Shi, Danping; Ling, San

doi:10.1007/978-3-030-03329-3_3

Cited by 23 publications

(43 citation statements)

References 20 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…If the resulting algebraic degree after 24 − rounds is well below 130, then Friet may be vulnerable to cube attacks. Here accounts for the 1 or possibly 2 rounds that may be skipped by carefully choosing the cube variables as in [31]. This is what happened in our previous design and was exploited in [19] and [25].…”

Section: Algebraic Degreementioning

confidence: 99%

Friet: An Authenticated Encryption Scheme with Built-in Fault Detection

Simon

Batina

Daemen

et al. 2020

Advances in Cryptology – EUROCRYPT 2020

View full text Add to dashboard Cite

In this work we present a duplex-based authenticated encryption scheme Friet based on a new permutation called Friet-P. We designed Friet-P with a novel approach for cryptographic permutations and block ciphers that takes fault-attack resistance into account and that we introduce in this paper. In this method, we build a permutation fC to be embedded in a larger one, f. First, we define f as a sequence of steps that all abide a chosen error-correcting code C, i.e., that map C-codewords to C-codewords. Then, we embed fC in f by first encoding its input to an element of C, applying f and then decoding back from C. This last step detects a fault when the output of f is not in C. We motivate the design of the permutation we use in Friet and report on performance in soft-and hardware. We evaluate the fault-detection capabilities of the software and simulated hardware implementations with attacks. Finally, we perform a leakage evaluation.

show abstract

Section: Algebraic Degreementioning

confidence: 99%

Friet: An Authenticated Encryption Scheme with Built-in Fault Detection

Simon

Batina

Daemen

et al. 2020

Advances in Cryptology – EUROCRYPT 2020

View full text Add to dashboard Cite

show abstract

“…Based on the difference path, an 11-round difference attack is provided with data complexity of 2 61.2 and computational complexity of 2 100. 26 .…”

Section: A Our Contributionsmentioning

confidence: 99%

“…The MILP model has been used in cube attacks [25] and [28]. Later, a new MILP model for searching better or even optimal choices of conditional cubes was proposed in [26]. Cui et al search impossible differentials and zero-correlation linear approximations by a MILP model [27].…”

Section: Introductionmentioning

confidence: 99%

MILP-Based Differential Cryptanalysis on Round-Reduced Midori64

et al. 2020

View full text Add to dashboard Cite

Mixed integer linear programming (MILP) model was presented by Sun et al. at Asiacrypt 2014 to search for differential characteristics of block ciphers. Based on this model, it is easy to assess block ciphers against differential attack. In this paper, the MILP model is improved to search for differential trails of Midori64 which is a family of lightweight block ciphers provided by Banik et al. at Asiacrypt 2015. We find the best 5-round differential characteristics of Midori64 with MILP-based model, and the probabilities are 2 −52 and 2 −58 respectively. Based on these distinguishers, we give key recovery attacks on the 11-round reduced Midori64 with data complexities of 2 55.6 and 2 61.2 , and time complexities of 2 109.35 and 2 100.26. INDEX TERMS Midori, differential distinguisher, mixed integer linear programming, differential cryptanalysis.

show abstract

“…Then they select ordinary cube variables that do not multiply together in the first round, and do not multiply with v 0 in the first two rounds. As shown in previous works [LBDW17,SGSL18,DLWQ17], it is hard to find enough ordinary cube variables that do not multiply with v 0 in the first two rounds for Keccak versions with few degrees of freedom. A natural idea to improve the previous works is to reduce the bit positions occupied by v 0 .…”

Section: Introductionmentioning

confidence: 96%

“…At ASIACRYPT 2017, Li et al for the first time introduced a MILP model based method to improve the conditional cube attack, [LBDW17]. Later, the MILP model was improved by Song et al [SGSL18] at ASIACRYPT 2018. However, as shown in previous works [LBDW17,SGSL18,DLWQ17], for some Keccak based versions with very few degrees of freedom, one could not find enough ordinary cube variables, which weakens or even invalidates the conditional cube attack.…”

Section: Introductionmentioning

confidence: 99%

New Conditional Cube Attack on Keccak Keyed Modes

Li¹,

Dong²,

Bi³

et al. 2019

ToSC

View full text Add to dashboard Cite

The conditional cube attack on round-reduced Keccak keyed modes was proposed by Huang et al. at EUROCRYPT 2017. In their attack, a conditional cube variable was introduced, whose diffusion was significantly reduced by certain key bit conditions. The attack requires a set of cube variables which are not multiplied in the first round while the conditional cube variable is not multiplied with other cube variables (called ordinary cube variables) in the first two rounds. This has an impact on the degree of the output of Keccak and hence gives a distinguisher. Later, the MILP method was applied to find ordinary cube variables. However, for some Keccak based versions with few degrees of freedom, one could not find enough ordinary cube variables, which weakens or even invalidates the conditional cube attack.In this paper, a new conditional cube attack on Keccak is proposed. We remove the limitation that no cube variables multiply with each other in the first round. As a result, some quadratic terms may appear in the first round. We make use of some new bit conditions to prevent the quadratic terms from multiplying with other cube variables in the second round, so that there will be no cubic terms in the first two rounds. Furthermore, we introduce the kernel quadratic term and construct a 6-2-2 pattern to reduce the diffusion of quadratic terms significantly, where the Θ operation even in the second round becomes an identity transformation (CP-kernel property) for the kernel quadratic term. Previous conditional cube attacks on Keccak only explored the CP-kernel property of Θ operation in the first round. Therefore, more degrees of freedom are available for ordinary cube variables and fewer bit conditions are used to remove the cubic terms in the second round, which plays a key role in the conditional cube attack on versions with very few degrees of freedom. We also use the MILP method in the search of cube variables and give key-recovery attacks on round-reduced Keccak keyed modes.As a result, we reduce the time complexity of key-recovery attacks on 7-round Keccak-MAC-512 and 7-round Ketje Sr v2 from 2111, 299 to 272, 277, respectively. Additionally, we have reduced the time complexity of attacks on 9-round KMAC256 and 7-round Ketje Sr v1. Besides, practical attacks on 6-round Ketje Sr v1 and v2 are also given in this paper for the first time.

show abstract

New MILP Modeling: Improved Conditional Cube Attacks on Keccak-Based Constructions

Cited by 23 publications

References 20 publications

Friet: An Authenticated Encryption Scheme with Built-in Fault Detection

Friet: An Authenticated Encryption Scheme with Built-in Fault Detection

MILP-Based Differential Cryptanalysis on Round-Reduced Midori64

New Conditional Cube Attack on Keccak Keyed Modes

Contact Info

Product

Resources

About