References of "IACR Transactions on Symmetric Cryptology"
     in
Bookmark and Share    
Full Text
Peer Reviewed
See detailLightweight AEAD and Hashing using the Sparkle Permutation Family
Beierle, Christof UL; Biryukov, Alex UL; Cardoso Dos Santos, Luan UL et al

in IACR Transactions on Symmetric Cryptology (2020), 2020(S1), 208-261

We introduce the Sparkle family of permutations operating on 256, 384 and 512 bits. These are combined with the Beetle mode to construct a family of authenticated ciphers, Schwaemm, with security levels ... [more ▼]

We introduce the Sparkle family of permutations operating on 256, 384 and 512 bits. These are combined with the Beetle mode to construct a family of authenticated ciphers, Schwaemm, with security levels ranging from 120 to 250 bits. We also use them to build new sponge-based hash functions, Esch256 and Esch384. Our permutations are among those with the lowest footprint in software, without sacrificing throughput. These properties are allowed by our use of an ARX component (the Alzette S-box) as well as a carefully chosen number of rounds. The corresponding analysis is enabled by the long trail strategy which gives us the tools we need to efficiently bound the probability of all the differential and linear trails for an arbitrary number of rounds. We also present a new application of this approach where the only trails considered are those mapping the rate to the outer part of the internal state, such trails being the only relevant trails for instance in a differential collision attack. To further decrease the number of rounds without compromising security, we modify the message injection in the classical sponge construction to break the alignment between the rate and our S-box layer. [less ▲]

Detailed reference viewed: 143 (15 UL)
Full Text
Peer Reviewed
See detailFinding Bit-Based Division Property for Ciphers with Complex Linear Layers
Hu, Kai; Wang, Qingju UL; Wang, Meiqin

in IACR Transactions on Symmetric Cryptology (2020), (1),

Detailed reference viewed: 64 (0 UL)
Full Text
Peer Reviewed
See detailLinks between Division Property and Other Cube Attack Variants
Hao, Yonglin; Jiao, Lin; Li, Chaoyun et al

in IACR Transactions on Symmetric Cryptology (2020), (1),

Detailed reference viewed: 183 (4 UL)
Full Text
Peer Reviewed
See detailCryptanalysis of the Legendre PRF and generalizations
Beullens, Ward; Beyne, Tim; Udovenko, Aleksei UL et al

in IACR Transactions on Symmetric Cryptology (2020), 2020(1),

The Legendre PRF relies on the conjectured pseudorandomness properties of the Legendre symbol with a hidden shift. Originally proposed as a PRG by Damgård at CRYPTO 1988, it was recently suggested as an ... [more ▼]

The Legendre PRF relies on the conjectured pseudorandomness properties of the Legendre symbol with a hidden shift. Originally proposed as a PRG by Damgård at CRYPTO 1988, it was recently suggested as an efficient PRF for multiparty computation purposes by Grassi et al. at CCS 2016. Moreover, the Legendre PRF is being considered for usage in the Ethereum 2.0 blockchain. This paper improves previous attacks on the Legendre PRF and its higher-degree variant due to Khovratovich by reducing the time complexity from O(plogp/M) to O(plog^2p/M2) Legendre symbol evaluations when M≤p√4 queries are available. The practical relevance of our improved attack is demonstrated by breaking two concrete instances of the PRF proposed by the Ethereum foundation. Furthermore, we generalize our attack in a nontrivial way to the higher-degree variant of the Legendre PRF and we point out a large class of weak keys for this construction. Lastly, we provide the first security analysis of two additional generalizations of the Legendre PRF originally proposed by Damgård in the PRG setting, namely the Jacobi PRF and the power residue PRF. [less ▲]

Detailed reference viewed: 95 (10 UL)
Full Text
Peer Reviewed
See detailCRAFT: Lightweight Tweakable Block Cipher with Efficient Protection Against DFA Attacks
Beierle, Christof UL; Leander, Gregor; Moradi, Amir et al

in IACR Transactions on Symmetric Cryptology (2019), 2019(1), 5-45

Traditionally, countermeasures against physical attacks are integrated into the implementation of cryptographic primitives after the algorithms have been designed for achieving a certain level of ... [more ▼]

Traditionally, countermeasures against physical attacks are integrated into the implementation of cryptographic primitives after the algorithms have been designed for achieving a certain level of cryptanalytic security. This picture has been changed by the introduction of PICARO, ZORRO, and FIDES, where efficient protection against Side-Channel Analysis (SCA) attacks has been considered in their design. In this work we present the tweakable block cipher CRAFT: the efficient protection of its implementations against Differential Fault Analysis (DFA) attacks has been one of the main design criteria, while we provide strong bounds for its security in the related-tweak model. Considering the area footprint of round-based hardware implementations, CRAFT outperforms the other lightweight ciphers with the same state and key size. This holds not only for unprotected implementations but also when fault-detection facilities, side-channel protection, and their combination are integrated into the implementation. In addition to supporting a 64-bit tweak, CRAFT has the additional property that the circuit realizing the encryption can support the decryption functionality as well with very little area overhead. [less ▲]

Detailed reference viewed: 546 (6 UL)
Full Text
Peer Reviewed
See detailNonlinear Approximations in Cryptanalysis Revisited
Beierle, Christof UL; Canteaut, Anne; Leander, Gregor

in IACR Transactions on Symmetric Cryptology (2018), 2018(4), 80-101

This work studies deterministic and non-deterministic nonlinear approximations for cryptanalysis of block ciphers and cryptographic permutations and embeds it into the well-understood framework of linear ... [more ▼]

This work studies deterministic and non-deterministic nonlinear approximations for cryptanalysis of block ciphers and cryptographic permutations and embeds it into the well-understood framework of linear cryptanalysis. For a deterministic (i.e., with correlation ±1) nonlinear approximation we show that in many cases, such a nonlinear approximation implies the existence of a highly-biased linear approximation. For non-deterministic nonlinear approximations, by transforming the cipher under consideration by conjugating each keyed instance with a fixed permutation, we are able to transfer many methods from linear cryptanalysis to the nonlinear case. Using this framework we in particular show that there exist ciphers for which some transformed versions are significantly weaker with regard to linear cryptanalysis than their original counterparts. [less ▲]

Detailed reference viewed: 86 (2 UL)
Full Text
Peer Reviewed
See detailExponential S-Boxes: a Link Between the S-Boxes of BelT and Kuznyechik/Streebog
Perrin, Léo Paul UL; Udovenko, Aleksei UL

in IACR Transactions on Symmetric Cryptology (2017), 2016(2), 99-124

The block cipher Kuznyechik and the hash function Streebog were recently standardized by the Russian Federation. These primitives use a common 8-bit S-Box, denoted 𝜋, which is given only as a look-up ... [more ▼]

The block cipher Kuznyechik and the hash function Streebog were recently standardized by the Russian Federation. These primitives use a common 8-bit S-Box, denoted 𝜋, which is given only as a look-up table. The rationale behind its design is, for all practical purposes, kept secret by its authors. In a paper presented at Eurocrypt 2016, Biryukov et al. reverse-engineered this S-Box and recovered an unusual Feistel-like structure relying on finite field multiplications. In this paper, we provide a new decomposition of this S-Box and describe how we obtained it. The first step was the analysis of the 8-bit S-Box of the current standard block cipher of Belarus, BelT. This S-Box is a variant of a so-called exponential substitution, a concept we generalize into pseudo-exponential substitution. We derive distinguishers for such permutations based on properties of their linear approximation tables and notice that 𝜋 shares some of them. We then show that 𝜋 indeed has a decomposition based on a pseudo-exponential substitution. More precisely, we obtain a simpler structure based on an 8-bit finite field exponentiation, one 4-bit S-Box, a linear layer and a few modular arithmetic operations. We also make several observations which may help cryptanalysts attempting to reverse-engineer other S-Boxes. For example, the visual pattern used in the previous work as a starting point to decompose 𝜋 is mathematically formalized and the use of differential patterns involving operations other than exclusive-or is explored. [less ▲]

Detailed reference viewed: 263 (9 UL)
Full Text
Peer Reviewed
See detailNew Constructions of MACs from (Tweakable) Block Ciphers
Cogliati, Benoît-Michel UL; Lee, Jooyoung; Seurin, Yannick

in IACR Transactions on Symmetric Cryptology (2017)

We propose new constructions of Message Authentication Codes (MACs) from tweakable or conventional block ciphers. Our new schemes are either stateless and deterministic, nonce-based, or randomized, and ... [more ▼]

We propose new constructions of Message Authentication Codes (MACs) from tweakable or conventional block ciphers. Our new schemes are either stateless and deterministic, nonce-based, or randomized, and provably secure either in the standard model for tweakable block cipher-based ones, or in the ideal cipher model for block cipher-based ones. All our constructions are very efficient, requiring only one call to the underlying (tweakable) block cipher in addition to universally hashing the message. Moreover, the security bounds we obtain are quite strong: they are beyond the birthday bound, and nonce-based/randomized variants provide graceful security degradation in case of misuse, i.e., the security bound degrades linearly with the maximal number of repetitions of nonces/random values. [less ▲]

Detailed reference viewed: 59 (1 UL)
Full Text
Peer Reviewed
See detailMultiset-Algebraic Cryptanalysis of Reduced Kuznyechik, Khazad, and secret SPNs
Biryukov, Alex UL; Khovratovich, Dmitry UL; Perrin, Léo Paul UL

in IACR Transactions on Symmetric Cryptology (2016), 2016(2), 226-247

We devise the first closed formula for the number of rounds of a blockcipher with secret components so that these components can be revealed using multiset, algebraic-degree, or division-integral ... [more ▼]

We devise the first closed formula for the number of rounds of a blockcipher with secret components so that these components can be revealed using multiset, algebraic-degree, or division-integral properties, which in this case are equivalent. Using the new result, we attack 7 (out of 9) rounds of Kuznyechik, the recent Russian blockcipher standard, thus halving its security margin. With the same technique we attack 6 (out of 8) rounds of Khazad, the legacy 64-bit blockcipher. Finally, we show how to cryptanalyze and find a decomposition of generic SPN construction for which the inner-components are secret. All the attacks are the best to date. [less ▲]

Detailed reference viewed: 271 (9 UL)