论文信息 - Analysis of the CAESAR Candidate Silver

Analysis of the CAESAR Candidate Silver

In this paper, we present the first third-party cryptanalysis against the authenticated encryption scheme Silver. In high-level, Silver builds a tweakable block cipher by tweaking AES-128 with a dedicated method and performs a similar computation as OCB3 to achieve 128-bit security for both of integrity and confidentiality in nonce-respecting model. Besides, by modifying the tag generation of OCB3, some robustness against nonce-repeating adversaries is claimed. We first present a forgery attack against 8 out of 10 rounds with $$2^{111}$$2111 blocks of queries in the nonce-respecting model. The attack exploits a weakness of the dedicated AES tweaking method of Silver. Then, we present several attacks in the nonce-repeating model. Those include 1 a forgery against full Silver with $$2^{49.46}$$249.46 blocks of queries which matches a conservative security claim by the designers, 2 a plaintext recovery against full Silver with a single query and 3 a key recovery against 8 rounds with $$2^{111}$$2111 blocks of queries. In particular, the plaintext recovery breaks the security claim by the designers. Considering that the current best key recovery for plain AES-128 is upi?źto seven rounds, Silver lowers the security margin of AES due to its tweaking method. The attacks have been partially implemented and experimentally verified.

Yu Sasaki | Lei Wang | Jérémy Jean

[1] David A. Wagner,et al. Tweakable Block Ciphers , 2002, CRYPTO.

[2] Thomas Peyrin,et al. Tweaks and Keys for Block Ciphers: The TWEAKEY Framework , 2014, ASIACRYPT.

[3] Florian Mendel,et al. Submission to the CAESAR Competition , 2014 .

[4] Vincent Rijmen,et al. The Design of Rijndael: AES - The Advanced Encryption Standard , 2002 .

[5] Phillip Rogaway,et al. The Software Performance of Authenticated-Encryption Modes , 2011, FSE.

[6] Serge Vaudenay. A classical introduction to cryptography - applications for communications security , 2005 .

[7] David A. Wagner,et al. Integral Cryptanalysis , 2002, FSE.

[8] Shiho Moriai,et al. Efficient Algorithms for Computing Differential Properties of Addition , 2001, FSE.

[9] Vincent Rijmen,et al. The Design of Rijndael , 2002, Information Security and Cryptography.

[10] Jérémy Jean,et al. Improved Key Recovery Attacks on Reduced-Round AES in the Single-Key Setting , 2013, IACR Cryptol. ePrint Arch..

[11] Phillip Rogaway,et al. Efficient Instantiations of Tweakable Blockciphers and Refinements to Modes OCB and PMAC , 2004, ASIACRYPT.

[12] Thomas Peyrin,et al. Improved Differential Attacks for ECHO and Grostl , 2010, IACR Cryptol. ePrint Arch..

[13] Vincent Rijmen,et al. The Block Cipher Square , 1997, FSE.