International Association for Cryptologic Research

International Association
for Cryptologic Research

CryptoDB

Sumanta Sarkar

Publications

Year
Venue
Title
2024
TOSC
Reconstructing S-Boxes from Cryptographic Tables with Milp
Raghvendra Rohit Sumanta Sarkar
Reconstructing an S-box from a cryptographic table such as difference distribution table (DDT), linear approximation table (LAT), differential-linear connectivity table (DLCT) or boomerang connectivity table (BCT) is one of the fundamental problems in symmetric-key cryptography. Till now, there are only very few known methods which can reconstruct an S-box from a given table: guess-and-determine algorithms of Boura et al. (DCC 2019) and Tian et al. (DCC 2020), sign determination algorithm of Dunkelman et al. (ToSC 2019) and STP based approach of Lu et al. (DCC 2022). In this paper we consider the reconstruction problem in an even more challenging setup where one needs to reconstruct S-boxes from a partial cryptographic table. We are able to reconstruct S-boxes when only a few number of rows of a cryptographic table is given. This problem has never been studied in the literature. We apply mixed integer linear programming (MILP) as the key tool for solving this problem. Needless to say that we can solve the reconstruction problem when the full table is given and this is the first ever application of MILP tool in solving such fundamental problems. As a further application of our method, we provide the generic MILP models which can search for S-boxes with a given cryptographic property such as differential uniformity, linearity, differential-linear uniformity or boomerang uniformity. Additionally, our method can recover a Boolean function from a given Walsh spectrum or a Boolean function with a given nonlinearity. We also introduce a new heuristic called Optimistic MILP objective that guides the model towards obtaining multiple S-boxes or Boolean functions with the same cryptographic property. We give detailed experimental results for up to 6-bit S-boxes showing the effectiveness of our technique.
2024
TCHES
Know-Thy-Basis: Decomposing F26 for Lightweight S-box Implementation
A recent trend has shown constructions of 6-bit S-boxes that are mostly focused on their cryptographic elegance, while their lightweight aspects have not really been addressed well. This paper attempts to plug-in this existing research gap where we show how the composite structure of the extension field F26 could be leveraged. An earlier well-known example is an efficient implementation of AES S-box using the tower field extension of F28 . The case of F2ab is completely different from any tower field as the implementation varies as per the choice of extension – for instance, F(2a)b or F(2b)a , where a and b are prime. Thus, it makes the implementation of S-boxes over F26 = F2(2×3) very interesting. In this work, we systematically study the composite field structure of F26 from a hardware standpoint for a class of S-boxes that are power mapping or their affine equivalents. We analyze the hardware efficiency with respect to different representations of the field extension, i.e., F(22)3 or F(23)2 . Furthermore, for each extension, we investigate the impact of various choices of bases – for instance, we present the evidence of the effect that normal or polynomial bases have on the implementation. This gives us further insight on the choice of basis with respect to the field extension. In the process, we present a special normal basis, when used in conjunction with F(23)2 results in the least (or very close to least) area in terms of GE for the 18 (6 quadratic and 12 cubic) S-boxes studied in this work. The special normal basis reported here has some algebraic properties which make it inherently hardware friendly and allow us to predict the area reduction, without running a tool. Overall, this work constitutes an extensive hardware characterization of a class of cryptographically significant 6-bit S-boxes giving us interesting insights into the systematic lightweight implementation of S-boxes without relying on an automated tool.
2023
TCHES
Low Trace-Count Template Attacks on 32-bit Implementations of ASCON AEAD
The recently adopted Ascon standard by NIST offers a lightweight authenticated encryption algorithm for use in resource-constrained cryptographic devices. To help assess side-channel attack risks of Ascon implementations, we present the first template attack based on analyzing power traces, recorded from an STM32F303 microcontroller board running Weatherley’s 32-bit implementations of Ascon-128. Our analysis combines a fragment template attack with belief-propagation and key-enumeration techniques. The main results are three-fold: (1) we reached 100% success rate from a single trace if the C compiler optimized the unmasked implementation for space, (2) the success rate was about 95% after three traces if the compiler optimized instead for time, and (3) we also attacked a masked version, where the success rate was over 90% with 20 traces of executions with the same key, all after enumerating up to 224 key candidates. These results show that suitably-designed template attacks can pose a real threat to Ascon implementations, even if protected by first-order masking, but we also learnt how some differences in programming style, and even compiler optimization settings, can significantly affect the result.
2022
TOSC
On the Lower Bound of Cost of MDS Matrices
Ever since lightweight cryptography emerged as one of the trending topics in symmetric key cryptography, optimizing the implementation cost of MDS matrices has been in the center of attention. In this direction, various metrics like d-XOR, s-XOR and g-XOR have been proposed to mimic the hardware cost. Consequently, efforts also have been made to search for the optimal MDS matrices for dimensions relevant to cryptographic applications according to these metrics. However, finding the optimal MDS matrix in terms of hardware cost still remains an unsolved problem. In this paper, we settle the question of the optimal 4 x 4 MDS matrices over GL(n, F2) under the recently proposed metric sequential XOR count based on words (sw-XOR). We prove that the sw-XOR of such matrices is at least 8n + 3, and the bound is tight as matrices with sw-XOR cost 35 and 67 for the values of n = 4 and 8, respectively, were already known. Moreover, the lower bound for these values of n matches with the known lower bounds according to s-XOR and g-XOR metrics.
2021
TOSC
Misuse-Free Key-Recovery and Distinguishing Attacks on 7-Round Ascon 📺
Being one of the winning algorithms of the CAESAR competition and currently a second round candidate of the NIST lightweight cryptography standardization project, the authenticated encryption scheme Ascon (designed by Dobraunig, Eichlseder, Mendel, and Schläffer) has withstood extensive self and third-party cryptanalysis. The best known attack on Ascon could only penetrate up to 7 (out of 12) rounds due to Li et al. (ToSC Vol I, 2017). However, it violates the data limit of 264 blocks per key specified by the designers. Moreover, the best known distinguishers of Ascon in the AEAD context reach only 6 rounds. To fill these gaps, we revisit the security of 7-round Ascon in the nonce-respecting setting without violating the data limit as specified in the design. First, we introduce a new superpoly-recovery technique named as partial polynomial multiplication for which computations take place between the so-called degree-d homogeneous parts of the involved Boolean functions for a 2d-dimensional cube. We apply this method to 7-round Ascon and present several key recovery attacks. Our best attack can recover the 128-bit secret key with a time complexity of about 2123 7-round Ascon permutations and requires 264 data and 2101 bits memory. Also, based on division properties, we identify several 60 dimensional cubes whose superpolies are constant zero after 7 rounds. We further improve the cube distinguishers for 4, 5 and 6 rounds. Although our results are far from threatening the security of full 12-round Ascon, they provide new insights in the security analysis of Ascon.
2021
ASIACRYPT
DEFAULT: Cipher Level Resistance Against Differential Fault Attack 📺
Differential Fault Analysis (DFA) is a well known cryptanalytic technique that exploits faulty outputs of an encryption device. Despite its popularity and similarity with the classical Differential Analysis (DA), a thorough analysis explaining DFA from a designer's point of view is missing in the literature. To the best of our knowledge, no DFA immune cipher at an algorithmic level has been proposed so far. Furthermore, all known DFA countermeasures somehow depend on the device/protocol or on the implementation such as duplication/comparison. As all of these are outside the scope of the cipher designer, we focus on designing a primitive which can protect from DFA on its own. We present the first concept of cipher level DFA resistance which does not rely on any device/protocol related assumption, nor does it depend on any form of duplication. Our construction is simple, software/hardware friendly and DFA security scales up with the state size. It can be plugged before and/or after (almost) any symmetric key cipher and will ensure a non-trivial search complexity against DFA. One key component in our DFA protection layer is an SBox with linear structures. Such SBoxes have never been used in cipher design as they generally perform poorly against differential attacks. We argue that they in fact represent an interesting trade-off between good cryptographic properties and DFA resistance. As a proof of concept, we construct a DFA protecting layer, named DEFAULT-LAYER, as well as a full-fledged block cipher DEFAULT. Our solutions compare favourably to the state-of-the-art, offering advantages over the sophisticated duplication based solutions like impeccable circuits/CRAFT or infective countermeasures.
2016
TOSC
Lightweight Diffusion Layer: Importance of Toeplitz Matrices
Sumanta Sarkar Habeeb Syed
MDS matrices are used as building blocks of diffusion layers in block ciphers, and XOR count is a metric that estimates the hardware implementation cost. In this paper we report the minimum value of XOR counts of 4 × 4 MDS matrices over F24 and F28 , respectively. We give theoretical constructions of Toeplitz MDS matrices and show that they achieve the minimum XOR count. We also prove that Toeplitz matrices cannot be both MDS and involutory. Further we give theoretical constructions of 4 × 4 involutory MDS matrices over F24 and F28 that have the best known XOR counts so far: for F24 our construction gives an involutory MDS matrix that actually improves the existing lower bound of XOR count, whereas for F28 , it meets the known lower bound.