CryptoDB
Wenfeng Qi
Publications
Year
Venue
Title
2024
TOSC
Differential-Linear Cryptanalysis of Reduced Round ChaCha
Abstract
ChaCha is a well-known stream cipher that has been used in many network protocols and software. In this paper, we study the security of reduced round ChaCha. First, by considering the differential-linear hull effect, we improve the correlation of a four-round differential-linear distinguisher proposed at FSE 2023 by providing other intermediate linear masks. Then, based on the four-round differential-linear distinguisher and the PNB method, by using the assignment 100 ··· 00 for consecutive PNBs, higher backward correlation is obtained and improved key recovery attacks of 7-round and 7.25-round ChaCha are obtained with time complexity 2189.7 and 2223.9, which improve the previously best-known attacks by 217.1 and 214.44, respectively. Finally, we consider the equivalence of the security between (R + 0.25)-round and (R + 0.5)⊕-round ChaCha, and show that (R + 0.25)-round and (R + 0.5)⊕-round ChaCha provide the same security against chosen(known) plaintext attacks. As a result, improved differential-linear cryptanalysis of 7.5⊕-round ChaCha can also be obtained similarly to that of 7.25-round ChaCha, which improves the previously best-known attack by 219.
2024
ASIACRYPT
The Boomerang Chain Distinguishers: New Record for 6-Round AES
Abstract
AES is the most used block cipher, and its round-reduced variants are popular underlying components to design cryptographic schemes. How to effectively distinguish round-reduced AES from random permutations has always been a hot research topic. Currently, the longest rounds of AES can be distinguished is 6 rounds, where the best result is the 6-round exchange distinguisher with the data complexity 2^{84}. In this paper, we extend the classical boomerang distinguisher which uses only one boomerang property to use two or more related boomerangs and the technique of `friend pairs' to enhance the distinguishing effect. We propose the frameworks of the re-boomerang and boomerang chain distinguishers and apply to 6-round AES. The re-boomerang distinguisher uses two related boomerangs sequentially, which have the same upper truncated differential trail in the forward direction. A plaintext pair is called a right pair if it follows this truncated differential trail. By the first boomerang, a target set of plaintext pairs containing one right pair can be obtained. Then for each pair in the target set, construct its `friend pairs' as the input of the second boomerang to distinguish the cipher. Due to the dependence of the two boomerangs, all `friend pairs' of the right pair are right pairs, so the probability of the second boomerang is increased. To further improve the complexity, we insert a new boomerang in the middle of the re-boomerang and repeat it to reduce the target set. Combining the strategies of using more data in each boomerang and repeating the distinguishing process several times, we give a boomerang chain distinguisher on 6-round AES with success probability 60% and complexity 2^{76.57}, reduced by a factor of 172 compared with the previous best result. This is a new record for the secret-key distinguisher on 6-round AES.
Coauthors
- Wenfeng Qi (2)
- Lin Tan (2)
- Zhichao Xu (1)
- Hong Xu (2)
- Xueping Yan (1)