Zero-Sum Partitions of PHOTON Permutations

Wang, Qingju; Grassi, Lorenzo; Rechberger, Christian

doi:10.1007/978-3-319-76953-0_15

Cited by 17 publications

(16 citation statements)

References 24 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The Mixed Integer Linear Programming (MILP) approach has been extensively used to probe the structure of Boolean functions in previous works such as [30,21,25,27,28,29,9]. In this work, we also employ the MILP-based approach to search for the monomials of f .…”

Section: Compute Exact Algebraic Degree Of a Boolean Functionmentioning

confidence: 99%

An Algebraic Formulation of the Division Property: Revisiting Degree Evaluations, Cube Attacks, and Key-Independent Sums

Sun

Wang

et al. 2020

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

Section: Compute Exact Algebraic Degree Of a Boolean Functionmentioning

confidence: 99%

An Algebraic Formulation of the Division Property: Revisiting Degree Evaluations, Cube Attacks, and Key-Independent Sums

Sun

Wang

et al. 2020

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

“…The zero-sum partition problem has been largely used in the literature in order to set up partition zero-sum known-key distinguishers on Keccakf [2,7,12] and on other permutations like PHOTON [33]. Note that the shortcut player can use the same strategy proposed before for the zero-sum problem in order to solve this partition zero-sum problem: it is indeed sufficient to consider all possible disjoint coset of X ⊕ Y .…”

Section: Propositionmentioning

confidence: 99%

Revisiting Gilbert’s known-key distinguisher

Grassi

Rechberger

2020

Des. Codes Cryptogr.

Self Cite

View full text Add to dashboard Cite

Known-key distinguishers have been introduced by Knudsen and Rijmen in 2007 to better understand the security of block ciphers in situations where the key can not be considered to be secret, i.e. the "thing between secret-key model and hash function use-cases". Trying to find a rigorous model to fit this intuition is still ongoing. The most recent advance by Gilbert (Asiacrypt 2014) describes a new model that-even if it is well justified-seemingly does not match this intuition. AES is often considered as a target of such analyses, simply because AES or its building blocks are used in many settings that go beyond classical encryption. Consider AES-128. Results in the secret-key model cover up to 6 rounds, while results in the chosen-key model reach up to 9 rounds. Gilbert however showed a result in the knownkey model that goes even further, covering 10 rounds. Does it mean that the use cases corresponding to the cryptanalysis of hash-function use-cases are inherently less efficient, or is it rather an artifact of the new model? In this paper we give strong evidence for the latter. In Gilbert's work, two types of arguments or rather conjectures are put forward suggesting that the new model is meaningful. Firstly that the number of "extension rounds" due to the new model is limited to two. And secondly that only a distinguisher that exploits the uniform distribution property can be extended in such way. We disprove both conjectures and arrive at the following results: First, we are also able to show that more than two extension rounds are possible. As a result of this, we describe the first known-key distinguishers on 12 rounds of AES that fit into Gilbert's model. The second conjecture is disproven by showing that the technique proposed by Gilbert can also be used to extend a known-key distinguisher based on another property: truncated differentials. A potential conclusion of this work would be that the counter-intuitive gap between Gilbert's known-key model and the chosen-key model is wider than initially thought. We however conclude that results in Gilbert's model are due to an artifact in the model. To remedy this situation, we propose a refinement of the known-key model which restores its original intent to fit the original intuition. Communicated by T. Iwata.

show abstract

“…The 128-bit key is loaded to the first register b, and the 96-bit IV is loaded to 3,5,7,9,11,13,15,17,19,21,23,25,27,30,32,34,37,39,41,43,45,47,49,51,53,55,58,60,62,64,66,68,70,73,75,77,79,81,83,85,87,89,91,93,95,97,99,101,103,105,108,110,112,114,116,118,120,123, 125, 127} ‡: I = {1, 2, 3, 4, 5,…”

Section: B1 Specification Of Grain-128amentioning

confidence: 99%

“…With this method, they are able to give integral characteristics for block ciphers with block sizes much larger than 32 bits. Xiang et al's method has now been applied to many other ciphers for improved integral attacks [20,21,22,23].…”

Section: Introductionmentioning

confidence: 99%

Improved Division Property Based Cube Attacks Exploiting Algebraic Properties of Superpoly

Hao

Isobe

Jiao³

et al. 2019

IEEE Trans. Comput.

Self Cite

View full text Add to dashboard Cite

The cube attack is an important technique for the cryptanalysis of symmetric key primitives, especially for stream ciphers. Aiming at recovering some secret key bits, the adversary reconstructs a superpoly with the secret key bits involved, by summing over a set of the plaintexts/IV which is called a cube. Traditional cube attack only exploits linear/quadratic superpolies. Moreover, for a long time after its proposal, the size of the cubes has been largely confined to an experimental range, e.g., typically 40. These limits were first overcome by the division property based cube attacks proposed by Todo et al. at CRYPTO 2017. Based on MILP modelled division property, for a cube (index set) I, they identify the small (index) subset J of the secret key bits involved in the resultant superpoly. During the precomputation phase which dominates the complexity of the cube attacks, 2 |I|+|J| encryptions are required to recover the superpoly. Therefore, their attacks can only be available when the restriction |I| + |J| < n is met. In this paper, we introduced several techniques to improve the division property based cube attacks by exploiting various algebraic properties of the superpoly. 1. We propose the "flag" technique to enhance the preciseness of MILP models so that the proper non-cube IV assignments can be identified to obtain a non-constant superpoly. 2. A degree evaluation algorithm is presented to upper bound the degree of the superpoly. With the knowledge of its degree, the superpoly can be recovered without constructing its whole truth table. This enables us to explore larger cubes I's even if |I| + |J| ≥ n. Corresponding authors. 3. We provide a term enumeration algorithm for finding the monomials of the superpoly, so that the complexity of many attacks can be further reduced. As an illustration, we apply our techniques to attack the initialization of several ciphers. To be specific, our key recovery attacks have mounted to 839-round Trivium, 891-round Kreyvium, 184-round Grain-128a and 750-round Acorn respectively.

show abstract

Zero-Sum Partitions of PHOTON Permutations

Cited by 17 publications

References 24 publications

An Algebraic Formulation of the Division Property: Revisiting Degree Evaluations, Cube Attacks, and Key-Independent Sums

An Algebraic Formulation of the Division Property: Revisiting Degree Evaluations, Cube Attacks, and Key-Independent Sums

Revisiting Gilbert’s known-key distinguisher

Improved Division Property Based Cube Attacks Exploiting Algebraic Properties of Superpoly

Contact Info

Product

Resources

About