CryptoDB
Haoyang Wang
Publications
Year
Venue
Title
2024
TOSC
Impossible Boomerang Attacks Revisited: Applications to Deoxys-BC, Joltik-BC and SKINNY
Abstract
The impossible boomerang (IB) attack was first introduced by Lu in his doctoral thesis and subsequently published at DCC in 2011. The IB attack is a variant of the impossible differential (ID) attack by incorporating the idea of the boomerang attack. In this paper, we revisit the IB attack, and introduce the incompatibility of two characteristics in boomerang to the construction of an IB distinguisher. With our methodology, all the constructions of IB distinguisher are represented in a unified manner. Moreover, we show that the related-(twea)key IB distinguishers possess more freedom than the ones of ID so that it can cover more rounds.We also propose a new tool based on Mixed-Integer Quadratically-Constrained Programming (MIQCP) to search for IB attacks. To illustrate the power of the IB attack, we mount attacks against three tweakable block ciphers: Deoxys-BC, Joltik-BC and SKINNY. For Deoxys-BC, we propose a related-tweakey IB attack on 14-round Deoxys-BC-384, which improves the best previous related-tweakey ID attack by 2 rounds, and we improve the data complexity of the best previous related-tweakey ID attack on 10-round Deoxys-BC-256. For Joltik-BC, we propose the best attacks against 10-round Joltik-BC-128 and 14-round Joltik-BC-192 with related-tweakey B attack. For SKINNY-n-3n, we propose a 27-round related-tweakey IB attack, which improves both the time and the memory complexities of the best previous ID attack. We also propose the first related-tweakey IB attack on 28-round SKINNY-n-3n, which improves the previous best ID attack by one round.
2020
TOSC
Improved Meet-in-the-Middle Preimage Attacks against AES Hashing Modes
📺
Abstract
Hashing modes are ways to convert a block cipher into a hash function, and those with AES as the underlying block cipher are referred to as AES hashing modes. Sasaki in 2011, introduced the first preimage attack against AES hashing modes with the AES block cipher reduced to 7 rounds, by the method of meet-in-the-middle. In his attack, the key-schedules are not taken into account. Hence, the same attack applies to all three versions of AES. In this paper, by introducing neutral bits from the key, extra degree of freedom is gained, which is utilized in two ways, i.e., to reduce the time complexity and to extend the attack to more rounds. As an immediate result, the complexities of 7-round pseudo-preimage attacks are reduced from 2120 to 2104, 296, and 296 for AES-128, AES-192, and AES-256, respectively. By carefully choosing the neutral bits from the key to cancel those from the state, the attack is extended to 8 rounds for AES-192 and AES-256 with complexities 2112 and 296. Similar results are obtained for Kiasu-BC, a tweakable block cipher based on AES-128, and interestingly the additional input tweak helps reduce the complexity and extend the attack to one more round. To the best of our knowledge, these are the first preimage attacks against 8-round AES hashing modes.
2020
CRYPTO
The MALICIOUS Framework: Embedding Backdoors into Tweakable Block Ciphers
📺
Abstract
Inserting backdoors in encryption algorithms has long seemed like a very interesting, yet difficult problem. Most attempts have been unsuccessful for symmetric-key primitives so far and it remains an open problem of how to build such ciphers.
In this work, we propose the MALICIOUS framework, a new method to build tweakable block ciphers that have a backdoor hidden, which allows to retrieve the secret key. Our backdoor is differential in nature: a specific related-tweak differential path with high probability is hidden during design phase of the cipher. We explain how the backdoor can be used to practically recover the secret key of a user for any entity knowing the backdoor and we also argue why even knowing the presence of the backdoor and the workings of the cipher will not permit to retrieve the backdoor for an external user. We analyze the security of our construction in the classical black-box model and we show that retrieving the backdoor (the hidden high-probability differential path) is very difficult.
We instantiate our framework by proposing the LowMC-M construction, a new family of tweakable block ciphers based on instances of the LowMC cipher, which allow such backdoor embedding. Generating LowMC-M instances is trivial and the LowMC-M family has basically the same efficiency as the LowMC instances it is based on.
2019
TOSC
Boomerang Switch in Multiple Rounds. Application to AES Variants and Deoxys
📺
Abstract
The boomerang attack is a cryptanalysis technique that allows an attacker to concatenate two short differential characteristics. Several research results (ladder switch, S-box switch, sandwich attack, Boomerang Connectivity Table (BCT), ...) showed that the dependency between these two characteristics at the switching round can have a significant impact on the complexity of the attack, or even potentially invalidate it. In this paper, we revisit the issue of boomerang switching effect, and exploit it in the case where multiple rounds are involved. To support our analysis, we propose a tool called Boomerang Difference Table (BDT), which can be seen as an improvement of the BCT and allows a systematic evaluation of the boomerang switch through multiple rounds. In order to illustrate the power of this technique, we propose a new related-key attack on 10-round AES-256 which requires only 2 simple related-keys and 275 computations. This is a much more realistic scenario than the state-of-the-art 10-round AES-256 attacks, where subkey oracles, or several related-keys and high computational power is needed. Furthermore, we also provide improved attacks against full AES-192 and reduced-round Deoxys.
2018
TOSC
Cryptanalysis of AES-PRF and Its Dual
📺
Abstract
A dedicated pseudorandom function (PRF) called AES-PRF was proposed by Mennink and Neves at FSE 2018 (ToSC 2017, Issue 3). AES-PRF is obtained from AES by using the output of the 5-th round as the feed-forward to the output state. This paper presents extensive security analysis of AES-PRF and its variants. Specifically, we consider unbalanced variants where the output of the s-th round is used as the feed-forward. We also analyze the security of “dual” constructions of the unbalanced variants, where the input state is used as the feed-forward to the output of the s-th round. We apply an impossible differential attack, zero-correlation linear attack, traditional differential attack, zero correlation linear distinguishing attack and a meet-in-the-middle attack on these PRFs and reduced round versions. We show that AES-PRF is broken whenever s ≤ 2 or s ≥ 6, or reduced to 7 rounds, and Dual-AES-PRF is broken whenever s ≤ 4 or s ≥ 8. Our results on AES-PRF improve the initial security evaluation by the designers in various ways, and our results on Dual-AES-PRF give the first insight to its security.
Coauthors
- Zhenzhen Bao (1)
- Patrick Derbez (1)
- Lin Ding (1)
- Jian Guo (1)
- Tetsu Iwata (1)
- Thomas Peyrin (2)
- Ling Sun (1)
- Siwei Sun (1)
- Deng Tang (1)
- Yosuke Todo (1)
- Haoyang Wang (5)
- Meiqin Wang (1)
- Wenying Zhang (1)
- Jianing Zhang (1)