SAT-based Cryptanalysis of Authenticated Ciphers from the CAESAR Competition

We investigate six authenticated encryption schemes (ACORN, ASCON-128a, ICEPOLE-128a, Ketje Jr, MORUS, and NORX-32) from the CAESAR competition. We aim at state recovery attacks using a SAT solver as the main tool. Our analysis reveals that these schemes, as submitted to CAESAR, provide strong resistance against SAT-based state recovery. To shed light on their security margins, we also analyse modified versions of these algorithms, including round-reduced variants and versions with higher security claims. Our attacks on such variants require only a few known plaintext-ciphertext pairs and little memory (to run the SAT solver), whereas the time complexity ranges from very practical (a few seconds on a desktop PC) to ‘theoretical’ attacks.
