Related-Tweak Impossible Differential Cryptanalysis of Reduced-Round TweAES

We consider the related-tweak impossible differential cryptanalysis of TweAES, one of the underlying primitives of the Authenticated Encryption with Associated Data (AEAD) scheme ESTATE, which was accepted as a second-round candidate in the NIST Lightweight Cryptography Standardization project. First, we reveal several properties of TweAES that show which kinds of distinguishers are more effective for key recovery. With the help of the automatic solver Simple Theorem Prover (STP), we obtain many 5.5-round related-tweak impossible differentials with fixed input differences and output differences that have just one active byte. We then mount 8-round key recovery attacks against TweAES based on one of these 5.5-round distinguishers. Moreover, another 5.5-round distinguisher with four active bytes at the end is used to mount a 7-round key recovery attack against TweAES, which requires much lower attack complexity than the 6-round related-tweak impossible differential attack on TweAES given in the design document. Our 8-round key recovery attack is the best one against TweAES so far in terms of both the number of rounds and the complexities.
