Searching for Subspace Trails and Truncated Differentials

Leander, Gregor; Tezcan, Cihangir; Wiemer, Friedrich

doi:10.46586/tosc.v2018.i1.74-100

Cited by 14 publications

(17 citation statements)

References 28 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…From now on, we only work with S-boxes that do not have any nontrivial linear structures. That is, for an S-box S over F, we assume that it is not possible to find nontrivial subspaces U, V ⊂ F (that is, U, V = {0}, F) such that for each u ∈ F there exists v ∈ F such that S(U + u) = V + v. If the S-box has no nontrivial linear structures, there are only two essential subspace trails ({0} → {0} and F → F) when working at word level, as was shown in [LTW18]. Under this assumption, one can work independently of the details of the S-box.…”

Section: Infinitely Long Subspace Trails For P-spn Schemes (Active S-boxes)mentioning

confidence: 94%

“…Subspace Trails. Subspace trails were first defined in [GRR16a], and they are strictly related to truncated differential attacks, as shown in [LTW18]. Definition 1 (Subspace Trail).…”

Section: Invariant Subspaces and Subspace Trailsmentioning

confidence: 99%

“…In particular, note that two texts x, y ∈ F t are in the same coset of a given subspace (i.e., there exists v ∈ F t such that x, y ∈ V + v) if and only if their difference belongs to such a subspace (i.e., x − y ∈ V). The relation between truncated differential trails and subspace trails has been studied in details in [LTW18,BLN17].…”

Section: Infinitely Long Iterative Subspace Trails With Active S-boxesmentioning

confidence: 99%

See 2 more Smart Citations

Proving Resistance Against Infinitely Long Subspace Trails: How to Choose the Linear Layer

Grassi¹,

Rechberger

Schofnegger

2021

ToSC

View full text Add to dashboard Cite

Designing cryptographic permutations and block ciphers using a substitutionpermutation network (SPN) approach where the nonlinear part does not cover the entire state has recently gained attention due to favorable implementation characteristics in various scenarios.For word-oriented partial SPN (P-SPN) schemes with a fixed linear layer, our goal is to better understand how the details of the linear layer affect the security of the construction. In this paper, we derive conditions that allow us to either set up or prevent attacks based on infinitely long truncated differentials with probability 1. Our analysis is rather broad compared to earlier independent work on this problem since we consider (1) both invariant and non-invariant/iterative trails, and (2) trails with and without active S-boxes.For these cases, we provide rigorous sufficient and necessary conditions for the matrix that defines the linear layer to prevent the analyzed attacks. On the practical side, we present a tool that can determine whether a given linear layer is vulnerable based on these results. Furthermore, we propose a sufficient condition for the linear layer that, if satisfied, ensures that no infinitely long truncated differential exists. This condition is related to the degree and the irreducibility of the minimal polynomial of the matrix that defines the linear layer. Besides P-SPN schemes, our observations may also have a crucial impact on the Hades design strategy, which mixes rounds with full S-box layers and rounds with partial S-box layers.

show abstract

Section: Infinitely Long Subspace Trails For P-spn Schemes (Active S-boxes)mentioning

confidence: 94%

“…Subspace Trails. Subspace trails were first defined in [GRR16a], and they are strictly related to truncated differential attacks, as shown in [LTW18]. Definition 1 (Subspace Trail).…”

Section: Invariant Subspaces and Subspace Trailsmentioning

confidence: 99%

Section: Infinitely Long Iterative Subspace Trails With Active S-boxesmentioning

confidence: 99%

See 1 more Smart Citation

Proving Resistance Against Infinitely Long Subspace Trails: How to Choose the Linear Layer

Grassi¹,

Rechberger

Schofnegger

2021

ToSC

View full text Add to dashboard Cite

show abstract

“…Göloglu et al [58] list the division properties of Ascon's S-box S and conclude that these values are optimal with respect to the degree (Table 18a). Subspace Trails Leander et al [69] analyze the existence of subspace trails. For Ascon's permutation, they show that the longest subspace trails using 1-linear structures cover 3 rounds (dimension 298) or 1 inverse round (dimension 125).…”

Section: Linearization and Initial Structuresmentioning

confidence: 99%

Ascon v1.2: Lightweight Authenticated Encryption and Hashing

et al. 2021

View full text Add to dashboard Cite

Authenticated encryption satisfies the basic need for authenticity and confidentiality in our information infrastructure. In this paper, we provide the specification of Ascon-128 and Ascon-128a. Both authenticated encryption algorithms provide efficient authenticated encryption on resource-constrained devices and on high-end CPUs. Furthermore, they have been selected as the “primary choice” for lightweight authenticated encryption in the final portfolio of the CAESAR competition. In addition, we specify the hash function Ascon-Hash, and the extendable output function Ascon-Xof. Moreover, we complement the specification by providing a detailed overview of existing cryptanalysis and implementation results.

show abstract

“…Apart from the self-analysis provided by the designers [DEMS16], Ascon has gone through substantial third-party cryptanalysis. First of all, without considering the AEAD context, the security of the underlying permutation of Ascon was evaluated with respect to (impossible) differential cryptanalysis [Tez16], (zero-correlation) linear cryptanalysis [DEM15], differential-linear cryptanalysis [DEMS15,BDKW19], integral (based on division properties) or zero-sum distinguishing attacks [YLW + 19, DEMS15, GRW16, Tod15], and subspace trail cryptanalysis [LTW18]. While these works do provide a deeper understanding of the security of Ascon permutation, generally they do not directly translate into meaningful attacks in the AEAD setting.…”

Section: Introductionmentioning

confidence: 99%

Misuse-Free Key-Recovery and Distinguishing Attacks on 7-Round Ascon

Rohit

Sarkar³

et al. 2021

ToSC

View full text Add to dashboard Cite

Being one of the winning algorithms of the CAESAR competition and currently a second round candidate of the NIST lightweight cryptography standardization project, the authenticated encryption scheme Ascon (designed by Dobraunig, Eichlseder, Mendel, and Schläffer) has withstood extensive self and third-party cryptanalysis. The best known attack on Ascon could only penetrate up to 7 (out of 12) rounds due to Li et al. (ToSC Vol I, 2017). However, it violates the data limit of 264 blocks per key specified by the designers. Moreover, the best known distinguishers of Ascon in the AEAD context reach only 6 rounds. To fill these gaps, we revisit the security of 7-round Ascon in the nonce-respecting setting without violating the data limit as specified in the design. First, we introduce a new superpoly-recovery technique named as partial polynomial multiplication for which computations take place between the so-called degree-d homogeneous parts of the involved Boolean functions for a 2d-dimensional cube. We apply this method to 7-round Ascon and present several key recovery attacks. Our best attack can recover the 128-bit secret key with a time complexity of about 2123 7-round Ascon permutations and requires 264 data and 2101 bits memory. Also, based on division properties, we identify several 60 dimensional cubes whose superpolies are constant zero after 7 rounds. We further improve the cube distinguishers for 4, 5 and 6 rounds. Although our results are far from threatening the security of full 12-round Ascon, they provide new insights in the security analysis of Ascon.

show abstract

Searching for Subspace Trails and Truncated Differentials

Cited by 14 publications

References 28 publications

Proving Resistance Against Infinitely Long Subspace Trails: How to Choose the Linear Layer

Proving Resistance Against Infinitely Long Subspace Trails: How to Choose the Linear Layer

Ascon v1.2: Lightweight Authenticated Encryption and Hashing

Misuse-Free Key-Recovery and Distinguishing Attacks on 7-Round Ascon

Contact Info

Product

Resources

About