CryptoDB
Qianqian Yang
ORCID: 0000-0002-2062-1344
Publications
Year
Venue
Title
2024
JOFC
2024
EUROCRYPT
Probabilistic Extensions: A One-Step Framework for Finding Rectangle Attacks and Beyond
Abstract
In differential-like attacks, the process typically involves extending a distinguisher forward and backward with probability 1 for some rounds and recovering the key involved in the extended part. Particularly in rectangle attacks, a holistic key recovery strategy can be employed to yield the most efficient attacks tailored to a given distinguisher. In this paper, we treat the distinguisher and the extended part as an integrated entity and give a one-step framework for finding rectangle attacks with the purpose of reducing the overall complexity or attacking more rounds. In this framework, we propose to allow probabilistic differential propagations in the extended part and incorporate the holistic recovery strategy. Additionally, we introduce the ``split-and-bunch technique'' to further reduce the time complexity. Beyond rectangle attacks, we extend these foundational concepts to encompass differential attacks as well. To demonstrate the efficiency of our framework, we apply it to Deoxys-BC-384, SKINNY, ForkSkinny, and CRAFT, achieving a series of refined and improved rectangle attacks and differential attacks. Notably, we obtain the first 15-round attack on Deoxys-BC-384, narrowing its security margin to only one round. Furthermore, our differential attack on CRAFT extends to 23 rounds, covering two more rounds than the previous best attacks.
2024
ASIACRYPT
Generic Differential Key Recovery Attacks and Beyond
Abstract
At Asiacrypt 2022, a holistic key guessing strategy was proposed to yield the most efficient key recovery for the rectangle attack. Recently, at Crypto 2023, a new cryptanalysis technique--the differential meet-in-the-middle (MITM) attack--was introduced. Inspired by these two previous works, we present three generic key recovery attacks in this paper. First, we extend the holistic key guessing strategy from the rectangle to the differential attack, proposing the generic classical differential attack (GCDA). Next, we combine the holistic key guessing strategy with the differential MITM attack, resulting in the generalized differential MITM attack (GDMA). Finally, we apply the MITM technique to the rectangle attack, creating the generic rectangle MITM attack (GRMA). In terms of applications, we improve 12/13-round attacks on AES-256. For 12-round AES-256, by using the GDMA, we reduce the time complexity by a factor of 2^{62}; by employing the GCDA, we reduce both the time and memory complexities by factors of 2^{61} and 2^{56}, respectively. For 13-round AES-256, we present a new differential attack with data and time complexities of 2^{89} and 2^{240}, where the data complexity is 2^{37} times lower than previously published results. These are currently the best attacks on AES-256 using only two related keys. For KATAN-32, we increase the number of rounds covered by the differential attack from 115 to 151 in the single-key setting using the basic differential MITM attack (BDMA) and GDMA. Furthermore, we achieve the first 38-round rectangle attack on SKINNYe-64-256 v2 by using the GRMA.
2023
EUROCRYPT
Exploiting Non-Full Key Additions: Full-Fledged Automatic Demirci-Sel{\c{c}}uk Meet-in-the-Middle Cryptanalysis of SKINNY
Abstract
The Demirci-Sel{\c{c}}uk meet-in-the-middle (DS-MITM) attack is
a sophisticated variant of differential attacks.
Due to its sophistication, it is hard to efficiently find the best
DS-MITM attacks on most ciphers \emph{except} for AES.
Moreover, the current automatic tools
only capture the most basic version of DS-MITM attacks, and the
critical techniques developed for enhancing the attacks
(e.g., differential enumeration and key-dependent-sieve) still rely
on manual work. In this paper, we develop a full-fledged automatic
framework integrating all known techniques
(differential enumeration, key-dependent-sieve, and key bridging, etc)
for the DS-MITM attack that can produce key-recovery
attacks directly rather than only search for distinguishers. Moreover,
we develop a new technique that is able to exploit partial key additions
to generate more linear relations beneficial to the attacks.
We apply the framework to the SKINNY family of block ciphers
and significantly improved results are obtained. In particular,
all known DS-MITM attacks on the respective versions of SKINNY are improved by at least 2 rounds,
and the data, memory, or time complexities of some attacks
are reduced even compared to previous best attacks penetrating less rounds.
2022
ASIACRYPT
Optimizing Rectangle Attacks: A Unified and Generic Framework for Key Recovery
📺
Abstract
The rectangle attack has shown to be a very powerful form of cryptanalysis against block ciphers. Given a rectangle distinguisher, one expects to mount key recovery attacks as efficiently as possible. In the literature, there have been four algorithms for rectangle key recovery attacks. However, their performance vary from case to case. Besides, numerous are the applications where the attacks lack optimality. In this paper, we investigate the rectangle key recovery in depth and propose a unified and generic key recovery algorithm, which supports any possible attacking parameters. Notably, it not only covers the four previous rectangle key recovery algorithms, but also unveils five types of new attacks which were missed previously. Along with the new key recovery algorithm, we propose a framework for automatically finding the best attacking parameters, with which the time complexity of the rectangle attack will be minimized using the new algorithm. To demonstrate the efficiency of the new key recovery algorithm, we apply it to Serpent, CRAFT, SKINNY and Deoxys-BC-256 based on existing distinguishers and obtain a series of improved rectangle attacks.
2022
TOSC
New Properties of the Double Boomerang Connectivity Table
Abstract
The double boomerang connectivity table (DBCT) is a new table proposed recently to capture the behavior of two consecutive S-boxes in boomerang attacks. In this paper, we observe an interesting property of DBCT of S-box that the ladder switch and the S-box switch happen in most cases for two continuous S-boxes, and for some S-boxes only S-box switch and ladder switch are possible. This property implies an additional criterion for S-boxes to resist the boomerang attacks and provides as well a new evaluation direction for an S-box. Using an extension of the DBCT, we verify that some boomerang distinguishers of TweAES and Deoxys are flawed. On the other hand, inspired by the property, we put forward a formula for estimating boomerang cluster probabilities. Furthermore, we introduce the first model to search for boomerang distinguishers with good cluster probabilities. Applying the model to CRAFT, we obtain 9-round and 10-round boomerang distinguishers with a higher probability than that of previous works.
2017
TOSC
Analysis of AES, SKINNY, and Others with Constraint Programming
Abstract
Search for different types of distinguishers are common tasks in symmetrickey cryptanalysis. In this work, we employ the constraint programming (CP) technique to tackle such problems. First, we show that a simple application of the CP approach proposed by Gerault et al. leads to the solution of the open problem of determining the exact lower bound of the number of active S-boxes for 6-round AES-128 in the related-key model. Subsequently, we show that the same approach can be applied in searching for integral distinguishers, impossible differentials, zero-correlation linear approximations, in both the single-key and related-(twea)key model. We implement the method using the open source constraint solver Choco and apply it to the block ciphers PRESENT, SKINNY, and HIGHT (ARX construction). As a result, we find 16 related-tweakey impossible differentials for 12-round SKINNY-64-128 based on which we construct an 18-round attack on SKINNY-64-128 (one target version for the crypto competition https://sites.google.com/site/skinnycipher announced at ASK 2016). Moreover, we show that in some cases, when equipped with proper strategies (ordering heuristic, restart and dynamic branching strategy), the CP approach can be very efficient. Therefore, we suggest that the constraint programming technique should become a convenient tool at hand of the symmetric-key cryptanalysts.
Coauthors
- Yincen Chen (2)
- David Gerault (1)
- Lei Hu (7)
- Pascal Lafourcade (1)
- Huimin Liu (1)
- Kexin Qiao (1)
- Danping Shi (4)
- Ling Song (6)
- Siwei Sun (3)
- Yosuke Todo (1)
- Libo Wang (1)
- Jian Weng (4)
- Qianqian Yang (7)
- Neng Zhang (1)
- Nana Zhang (1)
- Jiahao Zhao (1)
- Jingyuan Zhao (1)