Key Guessing Strategies for Linear Key-Schedule Algorithms in Rectangle Attacks

In building boomerang distinguishers, Murphy observed that two independently chosen differentials for a boomerang may be incompatible. In this paper, we find that a similar incompatibility also arises in the key-recovery phase. When generating quartets for the rectangle attack on ciphers with a linear key schedule, the right quartets that may suggest key candidates have to satisfy certain nonlinear relationships. Some of the generated quartets always violate these relationships, so they can never suggest any key candidate. We call such quartets nonlinearly incompatible quartets. Inspired by previous rectangle frameworks, we find that guessing certain key cells before generating quartets can reduce the number of nonlinearly incompatible quartets. However, guessing many key cells at once loses the benefit of the guess-and-filter (early-abort) technique and may lead to a higher overall complexity. To obtain a better trade-off between the two aspects, we build a new rectangle attack framework for linear key-schedule ciphers, aimed at reducing the overall complexity or attacking more rounds. The first application is to SKINNY. In the trade-off model, many parameters affect the overall complexity. We build a uniform automatic model for SKINNY that identifies all the optimal parameters together: the rectangle distinguisher best suited to the key-recovery phase, the number and positions of the key cells guessed before generating quartets, the size of the key counters to build (which affects the exhaustive search step), and so on. Based on this automatic model, we identify a 32-round related-key key-recovery attack on SKINNY-128-384, which extends the best previous attack by 2 rounds. For the n-2n and n-3n versions we also gain one round over previous results. In addition, reusing previous rectangle distinguishers, we obtain better attacks on reduced-round ForkSkinny, Deoxys-BC-384 and GIFT-64.
Finally, we discuss how to convert our rectangle framework from the related-key setting to the single-key setting and give a new single-key rectangle attack on 10-round Serpent.

Xiaoyang Dong, Lingyue Qin, Siwei Sun, and Xiaoyun Wang
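The incompatibility the abstract attributes to Murphy can be seen at the level of a single S-box: the classical boomerang estimate treats the four S-box transitions of a quartet as independent (probability p^2 q^2), but for many choices of the two differentials no input value can satisfy all four at once, so the quartet count is zero even though each differential is individually possible. The script below is an added toy illustration of that effect and is not code from the paper, nor an implementation of its key-guessing framework. It uses the 4-bit S-box of SKINNY-64 as recalled from the SKINNY specification (an assumption; check it against the specification before relying on it) and builds the DDT, the Boomerang Connectivity Table (BCT), a per-quartet counter, and a search for incompatible differential pairs.

```python
"""Toy S-box-level boomerang incompatibility check (added example, not from the paper)."""
from itertools import product

# 4-bit S-box of SKINNY-64 as recalled from the specification (assumption: verify it).
SBOX = [0xc, 0x6, 0x9, 0x0, 0x1, 0xa, 0x2, 0xb,
        0x3, 0x8, 0x5, 0xd, 0x4, 0xe, 0x7, 0xf]
N = 16
assert sorted(SBOX) == list(range(N)), "S-box must be a permutation"
INV = [0] * N                      # inverse S-box, needed for the BCT
for _x, _y in enumerate(SBOX):
    INV[_y] = _x


def ddt(s=SBOX):
    """Difference Distribution Table: t[a][b] = #{x : S(x) ^ S(x ^ a) == b}."""
    t = [[0] * N for _ in range(N)]
    for x in range(N):
        for a in range(N):
            t[a][s[x] ^ s[x ^ a]] += 1
    return t


def bct(s=SBOX):
    """Boomerang Connectivity Table (Cid et al.):
    t[a][d] = #{x : S^-1(S(x) ^ d) ^ S^-1(S(x ^ a) ^ d) == a}."""
    inv = [0] * N
    for x, y in enumerate(s):
        inv[y] = x
    t = [[0] * N for _ in range(N)]
    for x in range(N):
        for a in range(N):
            for d in range(N):
                if inv[s[x] ^ d] ^ inv[s[x ^ a] ^ d] == a:
                    t[a][d] += 1
    return t


def quartet_count(a, b, g, d, s=SBOX):
    """Number of x for which the quartet (x, x^a, x^g, x^a^g) satisfies all four
    S-box transitions that the p^2 q^2 estimate assumes are independent:
    upper differential a -> b on both pairs, lower differential g -> d on both pairs."""
    count = 0
    for x in range(N):
        x0, x1, x2, x3 = x, x ^ a, x ^ g, x ^ a ^ g
        upper_ok = (s[x0] ^ s[x1] == b) and (s[x2] ^ s[x3] == b)
        lower_ok = (s[x0] ^ s[x2] == d) and (s[x1] ^ s[x3] == d)
        if upper_ok and lower_ok:
            count += 1
    return count


def classical_estimate(a, b, g, d, s=SBOX):
    """p^2 q^2 scaled to a count out of N inputs, for comparison with quartet_count."""
    t = ddt(s)
    p, q = t[a][b] / N, t[g][d] / N
    return N * p * p * q * q


def incompatible_tuples(s=SBOX):
    """All (a, b, g, d) with DDT(a, b) > 0 and DDT(g, d) > 0 but no valid quartet:
    the two differentials are individually possible yet cannot be combined."""
    t = ddt(s)
    out = []
    for a, b, g, d in product(range(1, N), repeat=4):
        if t[a][b] and t[g][d] and quartet_count(a, b, g, d, s) == 0:
            out.append((a, b, g, d))
    return out


if __name__ == "__main__":
    bad = incompatible_tuples()
    print(f"{len(bad)} incompatible (alpha, beta, gamma, delta) tuples out of {15 ** 4}")
    a, b, g, d = bad[0]
    print(f"example {bad[0]}: DDT-based estimate {classical_estimate(a, b, g, d):.3f}, "
          f"actual quartet count {quartet_count(a, b, g, d)}")
```

Two sanity checks worth keeping in mind when extending this: for every (a, d), summing `quartet_count(a, b, g, d)` over all (b, g) gives exactly `bct()[a][d]`, because each x counted by the BCT determines a unique (beta, gamma); and `bct()[a][d] >= ddt()[a][d]` always holds, since any x satisfying the plain differential a -> d also returns correctly through the boomerang. The simplest incompatible case is alpha = gamma with two different reachable output differences, which no x can satisfy; the search above also reports the less obvious cases.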
