Decomposing the ASASA Block Cipher Construction

We consider the problem of recovering the internal specification of a general SP-network consisting of three linear layers (A) interleaved with two S-box layers (S) (denoted by ASASA for short), given only black-box access to the scheme. The decomposition of such general ASASA schemes was first considered at ASIACRYPT 2014 by Biryukov et al., who used the alleged difficulty of this problem to propose several concrete block cipher designs as candidates for white-box cryptography. In this paper, we present several attacks on general ASASA schemes that significantly outperform the analysis of Biryukov et al. As a result, we are able to break all the proposed concrete ASASA constructions with practical complexity. For example, we can decompose an ASASA structure that was supposed to provide 64-bit security in roughly 2 steps, and break the scheme that supposedly provides 128-bit security in about 2 time. Whenever possible, our findings are backed up with experimental verifications.
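To make the object of study concrete, the following Python builds a toy ASASA instance and exposes it only as a black-box encryption callable, which is exactly the attacker's view in the decomposition problem. This is an added example, not code from the paper or from the ASASA designs it analyses; the 12-bit block size, the 4-bit S-boxes and all function names are constructed for illustration.

```python
import random

N_BITS = 12      # toy block size (constructed; the real ASASA candidates use 64 or 128 bits)
SBOX_BITS = 4    # width of each secret S-box; N_BITS must be a multiple of it
N_SBOXES, MASK = N_BITS // SBOX_BITS, (1 << SBOX_BITS) - 1

def is_invertible(rows):
    """Full-rank test over GF(2); rows are n-bit ints with row i, bit j = M[i][j]."""
    basis = []
    for r in rows:
        for b in basis:          # basis kept in descending order, so min() reduces r
            r = min(r, r ^ b)    # by b exactly when b's leading bit is set in r
        if r == 0:
            return False
        basis.append(r)
        basis.sort(reverse=True)
    return True

def random_affine_layer(rng):
    """An A layer x -> M*x + c: a random invertible binary matrix M and a constant c."""
    while True:
        rows = [rng.getrandbits(N_BITS) for _ in range(N_BITS)]
        if is_invertible(rows):
            return rows, rng.getrandbits(N_BITS)

def apply_affine(layer, x):
    rows, const = layer          # bit i of M*x is the GF(2) dot product of row i with x
    return sum((bin(r & x).count("1") & 1) << i for i, r in enumerate(rows)) ^ const

def apply_sbox_layer(sboxes, x):
    """An S layer: N_SBOXES independent secret 4-bit bijections applied in parallel."""
    return sum(s[(x >> (k * SBOX_BITS)) & MASK] << (k * SBOX_BITS) for k, s in enumerate(sboxes))

def build_asasa(seed):
    """The secret internal specification: three A layers interleaved with two S layers."""
    rng, spec = random.Random(seed), []
    for kind in "ASASA":
        if kind == "A":
            spec.append((kind, random_affine_layer(rng)))
        else:
            spec.append((kind, [rng.sample(range(MASK + 1), MASK + 1) for _ in range(N_SBOXES)]))
    return spec

def make_oracle(spec):
    """Black-box access: the analyst gets only this callable, never the spec behind it."""
    def encrypt(x):
        for kind, layer in spec:
            x = apply_affine(layer, x) if kind == "A" else apply_sbox_layer(layer, x)
        return x
    return encrypt
```

Recovering `spec` (up to the equivalent representations that yield the same map) from nothing but `encrypt` is the decomposition problem the paper attacks.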

[1] Louis Goubin et al. Asymmetric cryptography with S-Boxes, 1997, ICICS.

[2] Luke O'Connor. On the Distribution of Characteristics in Bijective Mappings, 1993, EUROCRYPT.

[3] Bruce Schneier et al. Amplified Boomerang Attacks Against Reduced-Round MARS and Serpent, 2000, FSE.

[4] David A. Wagner et al. Integral Cryptanalysis, 2002, FSE.

[5] Anne Canteaut et al. On the Influence of the Algebraic Degree of $F^{-1}$ on the Algebraic Degree of $G \circ F$, 2013, IEEE Transactions on Information Theory.

[6] Alex Biryukov et al. Cryptographic Schemes Based on the ASASA Structure: Black-Box, White-Box, and Public-Key (Extended Abstract), 2014, ASIACRYPT.

[7] Xuejia Lai. Higher Order Derivatives and Differential Cryptanalysis, 1994.

[8] Alex Biryukov et al. Structural Cryptanalysis of SASAS, 2001, Journal of Cryptology.

[9] Lars R. Knudsen et al. Truncated and Higher Order Differentials, 1994, FSE.

[10] Henri Gilbert et al. Key-Recovery Attack on the ASASA Cryptosystem with Expanding S-Boxes, 2015, CRYPTO.

[11] Eli Biham et al. The Rectangle Attack - Rectangling the Serpent, 2001, EUROCRYPT.

[12] David A. Wagner et al. The Boomerang Attack, 1999, FSE.

[13] Vincent Rijmen et al. The Block Cipher Square, 1997, FSE.

[14] Eli Biham et al. Cryptanalysis of Patarin's 2-Round Public Key System with S Boxes (2R), 2000, EUROCRYPT.

[15] Stefan Kölbl et al. Security of the AES with a Secret S-Box, 2015, FSE.

[16] Lars R. Knudsen et al. Slender-Set Differential Cryptanalysis, 2011, Journal of Cryptology.