A Generic Approach to Invariant Subspace Attacks: Cryptanalysis of Robin, iSCREAM and Zorro

Invariant subspace attacks were introduced at CRYPTO 2011 to cryptanalyze PRINTcipher. The invariant subspaces for PRINTcipher were discovered in an ad hoc fashion, leaving a generic technique to discover invariant subspaces in other ciphers as an open problem. Here, based on a rather simple observation, we introduce a generic algorithm to detect invariant subspaces. We apply this algorithm to the CAESAR candidate iSCREAM, the closely related LS-design Robin, as well as the lightweight cipher Zorro. For all three candidates, invariant subspaces were detected, resulting in practical breaks of the ciphers. A closer analysis of independent interest reveals that these invariant subspaces are underpinned by a new type of self-similarity property. For all ciphers, our strongest attack shows the existence of a weak key set of density \(2^{-32}\). These weak keys lead to a simple property on the plaintexts that goes through the whole encryption process with probability one. All our attacks have been practically verified on reference implementations of the ciphers.
