Higher-Order Cryptanalysis of LowMC

LowMC is a family of block ciphers developed specifically for use in multi-party computation and fully homomorphic encryption schemes, where the main performance penalty comes from non-linear operations. LowMC has therefore been designed to minimize both the total number of logical AND operations and the AND depth. To achieve this, the LowMC designers opted for an incomplete S-box layer that does not cover the complete state, and compensate for it with a very dense, randomly chosen linear layer. In this work, we exploit this design strategy in a cube-like key-recovery attack. We are able to recover the secret key of a round-reduced variant of LowMC with 80-bit security, where the number of rounds is reduced from 11 to 9. Our attacks are independent of the actual instances of the linear layers used and therefore do not exploit possibly weak choices of them. From our results, we conclude that the resulting security margin of 2 rounds is smaller than expected.
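The following toy model, added here and not part of the paper or of the LowMC reference code, illustrates why an incomplete S-box layer helps a cube-style attack. It uses the real 3-bit LowMC S-box (algebraic degree 2) but a 16-bit block, a single S-box per round and a simplified key schedule (all of these are assumptions of the example; real LowMC instances use a 256-bit state and key-dependent round-key matrices). Because only bits 0..2 pass through the S-box, cube variables placed in the other bits leave the first round affine in those variables. Over r rounds the output then has degree at most 2^(r-1) in the cube variables, so summing the ciphertexts over any cube of dimension 2^(r-1)+1 gives zero for every key and every choice of the random invertible linear layers, which is the key-independent, instance-independent property a cube-like attack builds on.

```python
import random

# Toy LowMC-style cipher: real 3-bit LowMC S-box, but a much smaller block
# (N = 16 instead of 256) and a simplified key schedule.  Constructed here to
# illustrate the zero-sum / higher-order differential idea behind cube attacks.
N = 16            # block size in bits (assumption: toy value)
M = 1             # 3-bit S-boxes per round; only bits 0..3*M-1 are non-linear


def lowmc_sbox(a, b, c):
    """The LowMC S-box, algebraic degree 2: (a,b,c) -> (a+bc, a+b+ac, a+b+c+ab)."""
    return a ^ (b & c), a ^ b ^ (a & c), a ^ b ^ c ^ (a & b)


def sbox_layer(state):
    """Partial S-box layer: S-boxes on the low 3*M bits, identity elsewhere."""
    for s in range(M):
        sh = 3 * s
        a, b, c = (state >> sh) & 1, (state >> (sh + 1)) & 1, (state >> (sh + 2)) & 1
        x, y, z = lowmc_sbox(a, b, c)
        state = (state & ~(0b111 << sh)) | ((x | (y << 1) | (z << 2)) << sh)
    return state


def parity(x):
    return bin(x).count("1") & 1


def is_invertible(rows, n):
    """Gaussian elimination over GF(2); rows are n-bit ints."""
    rows = list(rows)
    for col in range(n):
        pivot = next((i for i in range(col, n) if (rows[i] >> col) & 1), None)
        if pivot is None:
            return False
        rows[col], rows[pivot] = rows[pivot], rows[col]
        for i in range(n):
            if i != col and (rows[i] >> col) & 1:
                rows[i] ^= rows[col]
    return True


def apply_matrix(rows, state):
    """Multiply the GF(2) matrix (row i = int bitmask) by the state vector."""
    out = 0
    for i, row in enumerate(rows):
        out |= parity(row & state) << i
    return out


def make_instance(rounds, seed=1):
    """Random dense invertible linear layers and round constants, as LowMC does."""
    rng = random.Random(seed)
    mats, consts = [], []
    for _ in range(rounds):
        while True:
            rows = [rng.getrandbits(N) for _ in range(N)]
            if is_invertible(rows, N):
                break
        mats.append(rows)
        consts.append(rng.getrandbits(N))
    return mats, consts


def round_keys(key, rounds):
    """Assumption: toy key schedule (real LowMC multiplies the key by random matrices)."""
    rng = random.Random(key)
    return [rng.getrandbits(N) for _ in range(rounds + 1)]


def encrypt(pt, key, inst):
    mats, consts = inst
    rks = round_keys(key, len(mats))
    s = pt ^ rks[0]                      # key whitening
    for i, (mat, c) in enumerate(zip(mats, consts)):
        s = apply_matrix(mat, sbox_layer(s))
        s ^= c ^ rks[i + 1]
    return s


def cube_sum(base, cube_bits, key, inst):
    """XOR of all ciphertexts over the 2^d plaintexts spanned by cube_bits."""
    mask = sum(1 << b for b in cube_bits)
    acc = 0
    for v in range(1 << len(cube_bits)):
        pt = base & ~mask
        for j, b in enumerate(cube_bits):
            pt |= ((v >> j) & 1) << b
        acc ^= encrypt(pt, key, inst)
    return acc


if __name__ == "__main__":
    inst = make_instance(rounds=4)
    # Cube variables only in bits 3..11, which bypass the single S-box in round 1,
    # so round 1 is affine in them and 4 rounds have degree <= 2^3 = 8 < 9.
    free_cube = list(range(3, 12))
    for key in (0x1234, 0xBEEF):
        print("free-round cube:", hex(cube_sum(0x8000, free_cube, key, inst)))
    # Same dimension, but the cube touches the S-box inputs: the bound is 2^4 = 16,
    # so nothing forces the sum to zero.
    print("generic cube:   ", hex(cube_sum(0x8000, list(range(0, 9)), 0x1234, inst)))
```

The zero sum over the "free-round" cube holds for any key and any invertible linear layers, which is why such attacks do not depend on weak instance choices; the paper's actual 9-round result rests on a more careful analysis of how slowly the degree grows when only a few S-boxes are active per round, which this toy only hints at.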
