DOCSLIB.ORG

PEIGEN – a Platform for Evaluation, Implementation, and Generation of S‑Boxes

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
PEIGEN – a Platform for Evaluation, Implementation, and Generation of S‑Boxes This document is downloaded from DR‑NTU (https://dr.ntu.edu.sg) Nanyang Technological University, Singapore. PEIGEN – a platform for evaluation, implementation, and generation of S‑boxes Sasaki, Yu; Ling, San; Guo, Jian; Bao, Zhenzhen 2019 Bao, Z., Guo, J., Ling, S., & Sasaki, Y. (2019). PEIGEN – a platform for evaluation, implementation, and generation of S‑boxes. IACR Transactions on Symmetric Cryptology, 2019(1), 330‑394. doi:10.13154/tosc.v2019.i1.330‑394 https://hdl.handle.net/10356/90012 © 2019 The Author(s) (Published by Ruhr University Bochum). Licensed under Creative Commons License CC‑BY 4.0 Downloaded on 27 Sep 2021 17:45:19 SGT Peigen – a Platform for Evaluation, Implementation, and Generation of S-boxes Zhenzhen Bao1,2, Jian Guo1, San Ling1 and Yu Sasaki3 1 Division of Mathematical Sciences, School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore. {zzbao,guojian,lingsan}@ntu.edu.sg 2 Strategic Centre for Research in Privacy-Preserving Technologies and Systems, Nanyang Technological University, Singapore 3 NTT Secure Platform Laboratories, 3-9-11, Midori-cho Musashino-shi, Tokyo 180-8585, Japan. [email protected] Abstract. In this paper, a platform named Peigen is presented to evaluate security, find efficient software/hardware implementations, and generate cryptographic S-boxes. Continuously developed for decades, S-boxes are constantly evolving in terms of the design criteria for both security requirements and software/hardware performances. Peigen is aimed to be a platform covering a comprehensive check-list of design criteria of S-boxes appearing in the literature. To do so, the security requirements are first intensively surveyed, existing tools of S-boxes are then comprehensively compared, and finally our platform Peigen is presented. The survey part is aimed to be a systematic reference for the theoretical study of S-boxes. The platform is aimed to be an assistant tool for the experimental study and practical use of S-boxes. Peigen not only integrates most of the features in existing tools, but also equips with functionalities to evaluate new security-related properties, improves the efficiency of the search algorithms for optimized implementations in several aspects. With the help of this powerful platform, many interesting observations are made in-between the security notations, as well as on the S-boxes used in the existing symmetric- key cryptographic primitives. Peigen will become an open platform and welcomes contributions from all parties to help the community to facilitate the research and use of S-boxes. Keywords: S-box · Survey · Design criteria · Implementation criteria · New platform 1 Introduction The substitution-box, or S-box for short, is commonly used in the design of symmetric cryptography primitives to offer non-linearity. In general, an S-box is a nonlinear mapping n m defined on F2 → F2 , which takes as input a value of n bits and outputs a value of m bits. For instance, the data encryption standard (DES) S-boxes are mappings with (n = 6, m = 4) and the advanced encryption standard (AES) S-box is a permutation with (n = m = 8). S-boxes have two key aspects: the security strength and the performance in software/hardware. In many cases, the two merits conflict, and hence trade-offs are made to fit the overall design’s priorities. The security requirements for S-boxes, depending on the design strategy of the overall primitive, evolve over time. Each security requirement corresponds to a goal of resisting some cryptographic attacks, e.g., the high algebraic degree of an S-box can be used as arguments against algebraic attacks such as integral attacks. As new attacks are devised, new properties are added into the pool of S-box security requirements, e.g., invariant Licensed under Creative Commons License CC-BY 4.0. IACR Transactions on Symmetric Cryptology ISSN 2519-173X, Vol. 2019, No. 1, pp. 330–394 DOI:10.13154/tosc.v2019.i1.330-394 Zhenzhen Bao, Jian Guo, San Ling and Yu Sasaki 331 subspace attacks [LAAZ11, GJN+16] against PRINTcipher [KLPR10] and Midori [BBI+15] triggered research/constraints on the combination of S-boxes and round constants, which did not exist before 2011. Meanwhile, not all security requirements have to be fulfilled by every design, since some attacks can be resisted by other design components, e.g., round constants can be used to break symmetry and to resist slide attacks. Thus, there is a trade-off between the subset of the required security properties for S-boxes and the complexity of other components of the overall primitive. The implementation aspects of S-boxes cover both software and hardware. There are several ways to implement S-boxes in software depending on the platform and resources available. One common method is the table-lookup, which pre-computes a Look-Up Table (LUT) by exhausting all possible input values and storing the outputs in a table. The S-box is subsequently performed by accessing the table, usually indexed by the input values. The LUT method is subject to cache-timing attacks [Ber05]. To resist them, there are (close to) constant-time implementation methods such as algebraic implementations and bitsliced implementations. Both express the S-box by its algebraic form, and hence the execution time is independent of the input value. The difference is that bitsliced implementations usually take multiple parallel inputs and process all simultaneously by utilizing long registers such as streaming SIMD extensions (SSE) registers, by which the relative performance per input can be significantly improved. Depending on the target use, the most commonly known Integrated Circuits (ICs) are Application Specific IC (ASIC) and Field Programmable Gate Array (FPGA). The implementation and performance of S-boxes on either IC can be very different. On both types of IC, there are also different ways of optimization, which will result in very different performance. For example, on ASIC and FPGA, there is the so-called serialized implementation aiming for smallest area occupied, and the depth optimized implementation usually taking a relatively larger area but resulting in higher frequency and throughput. To make a better trade-off between the security and performance, there is a line of research developing tools for finding the optimal implementations. Given an S-box, Osvik [Osv00] tried to find the software implementation optimized in terms of CPU cycles. Given an S-box, Guo et al. [GJN+16] proposed a method to find an implementation in ASIC optimized in terms of circuit depth. Given an S-box and the cost of each unit operation, Jean et al. [JPST17] built a tool named LIGHTER to find implementations with small area in ASIC or with small number of instructions in Software. More related works are listed in Table5. Our contributions. Constant efforts are made by our community to research S-boxes, in the hope of providing the best design choices to yield ciphers that are not only strong enough to resist attacks but also efficient to be of practical use. Such efforts include those made to remedy the situation after occasional bursts of striking attacks, and those made to seek the best possible instances to enrich the portfolio of design candidates. In this paper, we combine results achieved by these efforts. We first follow the line of research in developing design criteria for S-boxes. Rich results have been obtained by our community in this line. Some earlier results turned out to be fundamental theories, while some newly proposed notions need to be further developed. We try to provide a comprehensive exhibit. The main line of our exhibition follows the line of attacks. Many known results proposed or implied criteria for avoiding each type of attack. Some criteria can generally apply to any S-box based designs whereas others assume a particular type of round function structure. Both types are taken into account in this paper to form a comprehensive check list for designers. Besides the security, we consider the S-box criteria to be efficiently implemented. One aspect we also considered are equivalent classes for the S-box and the link between different classes. These will help the designers to identify the search space of the S-box that satisfies certain criteria. A huge amount of previous research on S-boxes makes our 332 Peigen – a Platform for Evaluation, Implementation, and Generation of S-boxes exhibit quite long. However, integration of the many criteria appearing in the long history of S-box design will be useful for future S-box designers and researchers. In the later part of this paper, we follow the line of research in developing tools for evaluating and implementing S-box. We start by comprehensively surveying the state-of- the-art in tool development. We found that different tools are written in different languages with different interfaces. Some of them are not publicly accessible. Each tool focuses on its target criteria, thus we need to use/implement multiple tools to evaluate multiple criteria, which is already non-trivial. In particular, security and implementation aspects are hard to consider simultaneously. This motivates us to present a platform named Peigen for evaluating the security properties, finding optimal implementations for given S-boxes, and generating all suitable S-boxes when the security and performance requirements are given. Peigen is built upon existing tools. After making a comprehensive comparison, we decide to build Peigen using the implementation model of LIGHTER proposed by Jean et al. [JPST17]. More explicitly, Peigen was built on the basis of a sub-module of LIGHTER which is for finding software/hardware implementations that are good in terms of Bitslice Gate Complexity (BGC), Gate Equivalent Complexity (GEC), and Multiplicative Complexity (MC), for 4-bit bijective S-boxes. Peigen inherits all functionalities provided by LIGHTER, and at the same time, improves the search efficiency using algorithmic-level optimizations, e.g., the composition and concatenation method and the pre-computation mechanism.
Load more

Recommended publications
  • Improved Cryptanalysis of the Reduced Grøstl Compression Function, ECHO Permutation and AES Block Cipher
    Improved Cryptanalysis of the Reduced Grøstl Compression Function, ECHO Permutation and AES Block Cipher Florian Mendel1, Thomas Peyrin2, Christian Rechberger1, and Martin Schl¨affer1 1 IAIK, Graz University of Technology, Austria 2 Ingenico, France [email protected],[email protected] Abstract. In this paper, we propose two new ways to mount attacks on the SHA-3 candidates Grøstl, and ECHO, and apply these attacks also to the AES. Our results improve upon and extend the rebound attack. Using the new techniques, we are able to extend the number of rounds in which available degrees of freedom can be used. As a result, we present the first attack on 7 rounds for the Grøstl-256 output transformation3 and improve the semi-free-start collision attack on 6 rounds. Further, we present an improved known-key distinguisher for 7 rounds of the AES block cipher and the internal permutation used in ECHO. Keywords: hash function, block cipher, cryptanalysis, semi-free-start collision, known-key distinguisher 1 Introduction Recently, a new wave of hash function proposals appeared, following a call for submissions to the SHA-3 contest organized by NIST [26]. In order to analyze these proposals, the toolbox which is at the cryptanalysts' disposal needs to be extended. Meet-in-the-middle and differential attacks are commonly used. A recent extension of differential cryptanalysis to hash functions is the rebound attack [22] originally applied to reduced (7.5 rounds) Whirlpool (standardized since 2000 by ISO/IEC 10118-3:2004) and a reduced version (6 rounds) of the SHA-3 candidate Grøstl-256 [14], which both have 10 rounds in total.
    [Show full text]
  • Efficient Hashing Using the AES Instruction
    Efficient Hashing Using the AES Instruction Set Joppe W. Bos1, Onur Özen1, and Martijn Stam2 1 Laboratory for Cryptologic Algorithms, EPFL, Station 14, CH-1015 Lausanne, Switzerland {joppe.bos,onur.ozen}@epfl.ch 2 Department of Computer Science, University of Bristol, Merchant Venturers Building, Woodland Road, Bristol, BS8 1UB, United Kingdom [email protected] Abstract. In this work, we provide a software benchmark for a large range of 256-bit blockcipher-based hash functions. We instantiate the underlying blockci- pher with AES, which allows us to exploit the recent AES instruction set (AES- NI). Since AES itself only outputs 128 bits, we consider double-block-length constructions, as well as (single-block-length) constructions based on RIJNDAEL- 256. Although we primarily target architectures supporting AES-NI, our frame- work has much broader applications by estimating the performance of these hash functions on any (micro-)architecture given AES-benchmark results. As far as we are aware, this is the first comprehensive performance comparison of multi- block-length hash functions in software. 1 Introduction Historically, the most popular way of constructing a hash function is to iterate a com- pression function that itself is based on a blockcipher (this idea dates back to Ra- bin [49]). This approach has the practical advantage—especially on resource-constrained devices—that only a single primitive is needed to implement two functionalities (namely encrypting and hashing). Moreover, trust in the blockcipher can be conferred to the cor- responding hash function. The wisdom of blockcipher-based hashing is still valid today. Indeed, the current cryptographic hash function standard SHA-2 and some of the SHA- 3 candidates are, or can be regarded as, blockcipher-based designs.
    [Show full text]
  • International Journal of Computer Engineering and Applications, Volume XII, Special Issue, May 18, ISSN 2321-3469
    International Journal of Computer Engineering and Applications, Volume XII, Special Issue, May 18, www.ijcea.com ISSN 2321-3469 PROVIDING RESTRICTIONS AGAINST ATTACK AND CONGESTION CONTROL IN PUBLICINFRASTRUCTURE CLOUD Nousheen R1, Shanmugapriya M2, Sujatha P3,Dhinakaran D4 Student, Computer Science and Engineering, Peri Institute of Technology, Chennai, India 1,2,3 Assistant professor, Computer Science and Engineering, Peri Institute of Technology, Chennai, India 4 ABSTRACT: Cloud computing is current trend in market .It reduce the cost and complexity of service providers by the means of capital and operational cost.It allows users to access application remotely. This construct directs cloud service provider to handle cost of servers, software updates,etc. If the session tokens are not properly protected, an attacker can hijack an active session and assume the identity of a user. To focusing on session hijacking and broken authenticationOTP is generated it will send user mail.Once the user is authenticatedthey will be split into virtual machine it is initiate to the upload process into the cloud.Thecloud user files are uploaded and stored in domain based .Also in our proposed system encryption keys are maintained outside of the IaaS domain.For encryption, we proposed RSA algorithm .For data owner file encryption, we use camellia algorithm. Finally the files are stored in the public cloud named CloudMe. Keywords: Cloud computing, session hijacking, OTP, Virtual machine, Iaas, CloudMe [1] INTRODUCTION Cloud computing is an information technology(IT) standard that enables universal access to share group of configurable system resource and higher-level services that can be quickly provisioned with minimal management effort, often over the internet.
    [Show full text]
  • Rotational Rebound Attacks on Reduced Skein
    Rotational Rebound Attacks on Reduced Skein Dmitry Khovratovich1;2, Ivica Nikoli´c1, and Christian Rechberger3 1: University of Luxembourg; 2: Microsoft Research Redmond, USA; 3: Katholieke Universiteit Leuven, ESAT/COSIC, and IBBT, Belgium [email protected], [email protected], [email protected] Abstract. In this paper we combine the recent rotational cryptanalysis with the rebound attack, which results in the best cryptanalysis of Skein, a candidate for the SHA-3 competition. The rebound attack approach was so far only applied to AES-like constructions. For the first time, we show that this approach can also be applied to very different construc- tions. In more detail, we develop a number of techniques that extend the reach of both the inbound and the outbound phase, leading to rotational collisions for about 53/57 out of the 72 rounds of the Skein-256/512 com- pression function and the Threefish cipher. At this point, the results do not threaten the security of the full-round Skein hash function. The new techniques include an analytical search for optimal input values in the rotational cryptanalysis, which allows to extend the outbound phase of the attack with a precomputation phase, an approach never used in any rebound-style attack before. Further we show how to combine multiple inside-out computations and neutral bits in the inbound phase of the rebound attack, and give well-defined rotational distinguishers as certificates of weaknesses for the compression functions and block ciphers. Keywords: Skein, SHA-3, hash function, compression function, cipher, rotational cryptanalysis, rebound attack, distinguisher. 1 Introduction Rotational cryptanalysis and the rebound attack proved to be very effective in the analysis of SHA-3 candidates and related primitives.
    [Show full text]
  • Minalpher V1.1
    Minalpher v1.1 Designers Yu Sasaki, Yosuke Todo, Kazumaro Aoki, Yusuke Naito, Takeshi Sugawara, Yumiko Murakami, Mitsuru Matsui, Shoichi Hirose Submitters NTT Secure Platform Laboratories, Mitsubishi Electric Corporation, University of Fukui Contact [email protected] Version 1.1: 29 August 2015 Changes From v1.0 to v1.1 { Clarified the handling of illegal input length, specially, when a ciphertext length is not a multiple of a block. { Updated the numbers for software implementation on x86 64. { Added references which are found after the submission of v1.0. { Corrected typos. 2 1 Specification Section 1.1 specifies the mode of operation of Minalpher. Section 1.2 shows the exact parameters in our design. Section 1.3 defines the maximum input message length to Minalpher. Section 1.4 specifies the underlying primitive in Minalpher. 1.1 Mode of Operation Minalpher supports two functionalities: authenticated encryption with associated data (AEAD) and mes- sage authentication code (MAC). In this section, we specify these modes of operation. Subsection 1.1.1 gives notations used in the modes of operation. Subsection 1.1.2 specifies a padding rule used in the modes of operation. Subsection 1.1.3 specifies a primitive which we call tweakable Even- Mansour. The construction dates back to Kurosawa [27, 28], who builds a tweakable block-cipher from a permutation-based block-cipher proposed by Even and Mansour [18]. Tweakable block-ciphers are originated by Liskov, Rivest and Wagner [33]. Subsection 1.1.4 specifies the AEAD mode of operation. Subsection 1.1.5 specifies the MAC mode of operation.
    [Show full text]
  • Rebound Attacks on Stribog
    Rebound Attacks on Stribog B Riham AlTawy( ), Aleksandar Kircanski, and Amr M. Youssef Concordia Institute for Information Systems Engineering, Concordia University, Montr´eal, QC H4B 1R6, Canada r [email protected] Abstract. In August 2012, the Stribog hash function was selected as the new Russian hash standard (GOST R 34.11–2012). Stribog is an AES-based primitive and is considered as an asymmetric reply to the new SHA-3. In this paper we investigate the collision resistance of the Stribog compression function and its internal cipher. Specifically, we present a message differential path for the internal block cipher that allows us to efficiently obtain a 5-round free-start collision and a 7.75 free-start near collision for the internal cipher with complexities 28 and 240, respectively. Finally, the compression function is analyzed and a 7.75 round semi free- start collision, 8.75 and 9.75 round semi free-start near collisions are presented along with an example for 4.75 round 50 out of 64 bytes near colliding message pair. Keywords: Cryptanalysis · Hash functions · Meet in the middle · Rebound attack · GOST R 34.11-2012 · Stribog 1 Introduction Wang et al. attacks on MD5 [21] and SHA-1 [20] followed by the SHA-3 compe- tition [3] have led to a flurry in the area of hash function cryptanalysis where different design concepts and various attack strategies were introduced. Many of the proposed attacks were not only targeting basic properties but they also stud- ied any non-ideal behaviour of the hash function, compression function, internal cipher, or the used domain extender.
    [Show full text]
  • CRYPTREC Report 2009 暗号方式委員会報告書
    CRYPTREC Report 2009 平成22年3月 独立行政法人情報通信研究機構 独立行政法人情報処理推進機構 「暗号方式委員会報告」 目次 はじめに ······················································· 1 本報告書の利用にあたって ······································· 2 委員会構成 ····················································· 3 委員名簿 ······················································· 4 第 1 章 活動の目的 ··················································· 7 1.1 電子政府システムの安全性確保 ··································· 7 1.2 暗号方式委員会 ················································· 8 1.3 電子政府推奨暗号リスト ········································· 9 1.4 活動の方針 ····················································· 9 第 2 章 電子政府推奨暗号リスト改訂について ·························· 11 2.1 改訂の背景 ··················································· 11 2.2 改訂の目的 ··················································· 11 2.3 電子政府推奨暗号リスト改訂のための暗号技術公募(2009 年度) ····· 12 2.3.1 公募の概要 ·············································· 12 2.3.2 2009 年度公募カテゴリ ···································· 12 2.3.3 公募期間 ················································ 13 2.3.4 評価スケジュール ········································ 13 2.3.5 評価項目 ················································ 14 2.3.6 応募暗号技術 ············································ 14 2.3.7 事務局選出技術 ·········································· 15 2.3.8 CRYPTREC シンポジウムの開催 ······························ 15 2.4 CRYPTREC シンポジウム 2010―応募暗号説明会―について ··········· 16 2.4.1 開催目的 ················································ 16 2.4.2 プログラムの概要 ········································ 16 2.4.3 意見・コメントの概要 ····································
    [Show full text]
  • CRYPTREC Report 2008 暗号技術監視委員会報告書
    CRYPTREC Report 2008 平成21年3月 独立行政法人情報通信研究機構 独立行政法人情報処理推進機構 「暗号技術監視委員会報告」 目次 はじめに ······················································· 1 本報告書の利用にあたって ······································· 2 委員会構成 ····················································· 3 委員名簿 ······················································· 4 第 1 章 活動の目的 ··················································· 7 1.1 電子政府システムの安全性確保 ··································· 7 1.2 暗号技術監視委員会············································· 8 1.3 電子政府推奨暗号リスト········································· 9 1.4 活動の方針····················································· 9 第 2 章 電子政府推奨暗号リスト改訂について ·························· 11 2.1 改訂の背景 ··················································· 11 2.2 改訂の目的 ··················································· 11 2.3 電子政府推奨暗号リストの改訂に関する骨子······················ 11 2.3.1 現リストの構成の見直し ·································· 12 2.3.2 暗号技術公募の基本方針 ·································· 14 2.3.3 2009 年度公募カテゴリ ···································· 14 2.3.4 今後のスケジュール ······································ 15 2.4 電子政府推奨暗号リスト改訂のための暗号技術公募(2009 年度) ····· 15 2.4.1 公募の概要 ·············································· 16 2.4.2 2009 年度公募カテゴリ ···································· 16 2.4.3 提出書類 ················································ 17 2.4.4 評価スケジュール(予定) ·································· 17 2.4.5 評価項目 ················································ 18 2.4.6 応募暗号説明会の開催 ···································· 19 2.4.7 ワークショップの開催 ···································· 19 2.5
    [Show full text]
  • Efficient Large-State Tweakable Block Ciphers from the AES Round Function
    Pholkos – Efficient Large-state Tweakable Block Ciphers from the AES Round Function Jannis Bossert, Eik List, Stefan Lucks and Sebastian Schmitz Bauhaus-Universität Weimar, Weimar Germany <firstname>.<lastname>(at)uni-weimar.de Abstract. With the dawn of quantum computers, higher security than 128 bits has become desirable for primitives and modes. During the past decade, highly secure hash functions, MACs, and encryption schemes have been built primarily on top of keyless permutations, which simplified their analyses and implementation due to the absence of a key schedule. However, the security of these modes is most often limited to the birthday bound of the state size, and their analysis may require a different security model than the easier-to-handle secret-permutation setting. Yet, larger state and key sizes are desirable not only for permutations but also for other primitives such as block ciphers. Using the additional public input of tweakable block ciphers for domain separation allows for exceptionally high security or performance as recently proposed modes have shown. Therefore, it appears natural to ask for such designs. While security is fundamental for cryptographic primitives, performance is of similar relevance. Since 2009, processor-integrated instructions have allowed high throughput for the AES round function, which already motivated various constructions based on it. Moreover, the four-fold vectorization of the AES instruction sets in Intel’s Ice Lake architecture is yet another leap in terms of performance and gives rise to exploit the AES round function for even more efficient designs. This work tries to combine all aspects above into a primitive and to build upon years of existing analysis on its components.
    [Show full text]
  • Rebound Attacks on Stribog
    Rebound attacks on Stribog Riham AlTawy, Aleksandar Kircanski and Amr M. Youssef Concordia Institute for Information Systems Engineering, Concordia University, Montr´eal, Queb´ec, CANADA Abstract. In August 2012, the Stribog hash function was selected as the new Russian hash standard (GOST R 34.11-2012). Stribog is an AES-based primitive and is considered as an asymmetric reply to the new SHA-3. In this paper we investigate the collision resistance of the Stribog compression function and its internal cipher. Specifically, we present a message differential path for the internal block cipher that allows us to efficiently obtain a 5-round free-start collision and a 7.75 free-start near collision for the internal cipher with complexities 28 and 240, respectively. Finally, the compression function is analyzed and a 7.75 round semi free-start collision, 8.75 and 9.75 round semi free-start near collisions are presented along with an example for 4.75 round 49 out of 64 bytes near colliding message pair. Keywords: Cryptanalysis, Hash functions, Meet in the middle, Rebound attack, GOST R 34.11-2012, Stribog 1 Introduction Wang et al. attacks on MD5 [18] and SHA-1 [17] followed by the SHA-3 com- petition [3] have led to a flurry in the area of hash function cryptanalysis where different design concepts and various attack strategies were introduced. Many of the proposed attacks were not only targeting basic properties but they also stud- ied any non-ideal behaviour of the hash function, compression function, internal cipher, or the used domain extender.
    [Show full text]
  • Stribobr2: “WHIRLBOB”
    STRIBOBr2: “WHIRLBOB” Second Round CAESAR Algorithm Tweak Specification Pricipal Submitter Markku-Juhani O. Saarinen [email protected] Queen’s University Belfast, UK Billy B. Brumley [email protected] Tampere University of Technology, Finland August 28, 2015 For updates and further information: http://www.stribob.com Contents Preface and Introduction 1 1 Specification 2 1.1 Structure of the π Permutation .................................. 2 1.1.1 Substitution S or SubBytes ................................ 2 1.1.2 Permutation P or ShiftColumns ............................. 2 1.1.3 Linear operation L or MixRows .............................. 3 1.1.4 Constants Cr or AddRoundKey ............................... 3 1.1.5 Code for π Computation .................................. 4 1.2 BLNK Sponge Mode and Padding ................................ 5 1.2.1 BLNK Block Operations .................................. 5 1.2.2 The CAESAR encrypt() and decrypt() AEAD API .................... 6 1.3 Test Vectors ............................................. 7 1.3.1 The 12-round π transform ................................. 7 1.3.2 Authenticated Encryption ................................. 8 2 Security Goals 9 2.1 Specific Goals ............................................ 9 2.2 Nonce Re-Use ............................................ 9 2.3 General Goals ............................................ 9 3 Security Analysis 10 3.1 Attacks on the Sponge AEAD Mode BLNK ........................... 10 3.2 The π Permutation ........................................
    [Show full text]
  • A Meet in the Middle Attack on Reduced Round Kuznyechik
    IEICE TRANS. FUNDAMENTALS, VOL.Exx{??, NO.xx XXXX 200x 1 LETTER Special Section on Cryptography and Information Security A Meet in the Middle Attack on Reduced Round Kuznyechik Riham ALTAWYya), Member and Amr M. YOUSSEFyb), Nonmember SUMMARY In this letter, we present a meet-in-the-middle from 2192 to 2128. Later on, Derbez et al. [7] improved attack on the 5-round reduced Kuznyechik cipher which has been the attack of Dunkelman et al. by borrowing ideas from recently chosen to be standardized by the Russian federation. the rebound attack [8] which further brought the num- Our attack is based on the differential enumeration approach. However, the application of the exact approach is not success- ber of required parameters to 10 bytes, thus the number ful on Kuznyechik due to its optimal round diffusion properties. of entries of the precomputation table is further reduced Accordingly, we adopt an equivalent representation for the last to 280. Moreover, a 9-round attack on AES-192 using round where we can efficiently filter ciphertext pairs and launch a 5-round truncated differential distinguisher was pre- the attack in the chosen ciphertext setting. We also utilize par- tial sequence matching which further reduces the memory and sented by Li et al. in [9]. Finally, Guo et al. generalized time complexities. For the 5-round reduced cipher, the 256-bit the attack on Feistel structures in [10]. master key is recovered with an online time complexity of 2140:3, In this work, we present a MitM attack on a memory complexity of 2153:3, and a data complexity of 2113.
    [Show full text]