Cryptanalysis of ForkAES. (English) Zbl 1458.94212

Deng, Robert H. (ed.) et al., Applied cryptography and network security. 17th international conference, ACNS 2019, Bogota, Colombia, June 5–7, 2019. Proceedings. Cham: Springer. Lect. Notes Comput. Sci. 11464, 43-63 (2019).
Summary: Forkciphers are a new kind of primitive proposed recently by Andreeva et al. for efficient encryption and authentication of small messages. They fork the middle state of a cipher and encrypt it twice under two smaller independent permutations. Thus, forkciphers produce two output blocks in one primitive call.
In [“Forking a blockcipher for authenticated encryption of very short messages”, Preprint, IACR Cryptology ePrint Archive, https://eprint.iacr.org/2018/916], E. Andreeva et al. proposed ForkAES, a tweakable AES-based forkcipher that splits the state after five out of ten rounds. While their authenticated encryption schemes were accompanied by proofs, no dedicated security discussion for ForkAES itself was provided; its security was instead founded on existing results on the AES and KIASU-BC. Forkciphers provide a unique interface called reconstruction queries, which take one ciphertext block as input and compute the respective other ciphertext block. Thus, they deserve a careful security analysis.
This work fosters the understanding of the security of ForkAES with three contributions: (1) We observe that security under reconstruction queries differs strongly from the existing results on the AES. This allows attacking nine out of ten rounds with differential, impossible-differential and yoyo attacks. (2) We observe that some forkcipher modes may lack the interface of reconstruction queries, so that attackers must use encryption queries. We show that nine rounds can still be attacked with rectangle and impossible-differential attacks. (3) We present forgery attacks on the AE modes proposed by Andreeva et al. [loc. cit.] with nine-round ForkAES.
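The forkcipher interface described in the summary, as an added illustration that is not code from the paper or from the ForkAES designers: a constructed toy forkcipher on 64-bit words (the round function, the keys and the round counts are invented here, not ForkAES) with encryption, decryption and reconstruction queries. It shows the structural point behind contribution (1): a reconstruction query is the composition of one branch's inverse with the other branch, so the rounds before the fork never take part in it.

```python
# Toy forkcipher (constructed for illustration; NOT ForkAES or AES).
MASK = (1 << 64) - 1
ODD = 0x9E3779B97F4A7C15           # odd, so multiplication mod 2^64 is invertible
ODD_INV = pow(ODD, -1, 1 << 64)   # its modular inverse

def rotl(x, r):
    return ((x << r) | (x >> (64 - r))) & MASK

def round_fwd(x, rk):
    # key addition, invertible multiplication, rotation (a toy round, not AES)
    return rotl(((x ^ rk) * ODD) & MASK, 17)

def round_inv(y, rk):
    # undo the rotation, the multiplication, then the key addition
    return ((rotl(y, 64 - 17) * ODD_INV) & MASK) ^ rk

def perm(x, rks):
    for rk in rks:
        x = round_fwd(x, rk)
    return x

def perm_inv(y, rks):
    for rk in reversed(rks):
        y = round_inv(y, rk)
    return y

class ToyForkCipher:
    """Rounds before the fork use k_pre; branch 0 and branch 1 use k_b0 and k_b1."""
    def __init__(self, k_pre, k_b0, k_b1):
        self.k_pre, self.k_b0, self.k_b1 = k_pre, k_b0, k_b1

    def encrypt(self, m):
        mid = perm(m, self.k_pre)                 # shared rounds up to the fork
        return perm(mid, self.k_b0), perm(mid, self.k_b1)   # two output blocks

    def decrypt(self, c, branch):
        mid = perm_inv(c, self.k_b0 if branch == 0 else self.k_b1)
        return perm_inv(mid, self.k_pre)

    def reconstruct(self, c, branch):
        """Reconstruction query: given the block of `branch`, return the other block."""
        src, dst = (self.k_b0, self.k_b1) if branch == 0 else (self.k_b1, self.k_b0)
        return perm(perm_inv(c, src), dst)        # k_pre is never used here

# Constructed sample keys: two instances that differ ONLY in the pre-fork rounds.
K_PRE_A = [(0x1111111111111111 * (i + 1)) & MASK for i in range(5)]
K_PRE_B = [(0x2222222222222222 * (i + 1)) & MASK for i in range(5)]
K_B0 = [(0x3333333333333333 * (i + 1)) & MASK for i in range(5)]
K_B1 = [(0x4444444444444444 * (i + 1)) & MASK for i in range(5)]

def reconstruction_ignores_prefork_rounds(c0):
    """True if both instances map the same c0 to the same c1 under reconstruction."""
    a, b = ToyForkCipher(K_PRE_A, K_B0, K_B1), ToyForkCipher(K_PRE_B, K_B0, K_B1)
    return a.reconstruct(c0, 0) == b.reconstruct(c0, 0)
```

Because the pre-fork rounds cancel out, an analysis of reconstruction queries sees a permutation of only the branch rounds (here 5 + 5), which is why results proven for the full AES do not transfer to this interface.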
For the entire collection see [Zbl 1415.94004].

MSC:

94A60 Cryptography
Full Text: DOI

References:

[1] Andreeva, E., Reyhanitabar, R., Varici, K., Vizár, D.: Forking a blockcipher for authenticated encryption of very short messages. IACR Archive (2018). https://eprint.iacr.org/2018/916, Version: 20180926:123554
[2] Banik, S., et al.: Cryptanalysis of ForkAES. Cryptology ePrint Archive, Report 2019/289 (2019). https://eprint.iacr.org/2019/289
[3] Biham, E.; Biryukov, A.; Dunkelman, O.; Richardson, E.; Shamir, A.; Tavares, S.; Meijer, H., Initial observations on skipjack: cryptanalysis of skipjack-3XOR, Selected Areas in Cryptography, 362-375, 1999, Heidelberg: Springer, Heidelberg · Zbl 0929.94009 · doi:10.1007/3-540-48892-8_27
[4] Biham, E.; Biryukov, A.; Shamir, A.; Stern, J., Cryptanalysis of skipjack reduced to 31 rounds using impossible differentials, Advances in Cryptology — EUROCRYPT 99, 12-23, 1999, Heidelberg: Springer, Heidelberg · Zbl 0927.94013 · doi:10.1007/3-540-48910-X_2
[5] Biham, E.; Dunkelman, O.; Keller, N.; Pfitzmann, B., The rectangle attack - rectangling the serpent, Advances in Cryptology — EUROCRYPT 2001, 340-357, 2001, Heidelberg: Springer, Heidelberg · Zbl 0981.94017 · doi:10.1007/3-540-44987-6_21
[6] Biham, E.; Dunkelman, O.; Keller, N.; Daemen, J.; Rijmen, V., New results on boomerang and rectangle attacks, Fast Software Encryption, 1-16, 2002, Heidelberg: Springer, Heidelberg · Zbl 1045.94512 · doi:10.1007/3-540-45661-9_1
[7] Blondeau, C., Accurate Estimate of the Advantage of Impossible Differential Attacks, IACR Trans. Symmetric Cryptol., 2017, 3, 169-191, 2017
[8] Boura, C.; Lallemand, V.; Naya-Plasencia, M.; Suder, V., Making the impossible possible, J. Cryptol., 31, 1, 101-133, 2018 · Zbl 1421.94041 · doi:10.1007/s00145-016-9251-7
[9] Boura, C.; Naya-Plasencia, M.; Suder, V.; Sarkar, P.; Iwata, T., Scrutinizing and improving impossible differential attacks: applications to CLEFIA, Camellia, LBlock and Simon, Advances in Cryptology - ASIACRYPT 2014, 179-199, 2014, Heidelberg: Springer, Heidelberg · Zbl 1306.94035 · doi:10.1007/978-3-662-45611-8_10
[10] Cid, C.; Huang, T.; Peyrin, T.; Sasaki, Y.; Song, L.; Nielsen, JB; Rijmen, V., Boomerang connectivity table: a new cryptanalysis tool, Advances in Cryptology - EUROCRYPT 2018, 683-714, 2018, Cham: Springer, Cham · Zbl 1428.94065 · doi:10.1007/978-3-319-78375-8_22
[11] Daemen, J.; Rijmen, V., The Design of Rijndael: AES - The Advanced Encryption Standard, 2002, Heidelberg: Springer, Heidelberg · Zbl 1065.94005 · doi:10.1007/978-3-662-04722-4
[12] Derbez, P.; Peyrin, T., Note on impossible differential attacks, Fast Software Encryption, 416-427, 2016, Heidelberg: Springer, Heidelberg · Zbl 1387.94079 · doi:10.1007/978-3-662-52993-5_21
[13] Dobraunig, C.; List, E.; Handschuh, H., Impossible-differential and boomerang cryptanalysis of round-reduced Kiasu-BC, Topics in Cryptology - CT-RSA 2017, 207-222, 2017, Cham: Springer, Cham · Zbl 1383.94018 · doi:10.1007/978-3-319-52153-4_12
[14] Grassi, L.; Rechberger, C.; Rønjom, S., Subspace trail cryptanalysis and its applications to AES, IACR Trans. Symmetric Cryptol., 2016, 2, 192-225, 2016
[15] Jean, J.; Nikolić, I.; Peyrin, T.; Sarkar, P.; Iwata, T., Tweaks and keys for block ciphers: the TWEAKEY framework, Advances in Cryptology - ASIACRYPT 2014, 274-288, 2014, Heidelberg: Springer, Heidelberg · Zbl 1317.94113 · doi:10.1007/978-3-662-45608-8_15
[16] Kara, O.; Chowdhury, DR; Rijmen, V.; Das, A., Reflection cryptanalysis of some ciphers, Progress in Cryptology - INDOCRYPT 2008, 294-307, 2008, Heidelberg: Springer, Heidelberg · Zbl 1203.94106 · doi:10.1007/978-3-540-89754-5_23
[17] Knudsen, L., DEAL - a 128-bit block cipher, Complexity, 258, 2, 216, 1998
[18] Murphy, S., The return of the cryptographic boomerang, IEEE Trans. Inf. Theory, 57, 4, 2517-2521, 2011 · Zbl 1366.94520 · doi:10.1109/TIT.2011.2111091
[19] National Institute of Standards and Technology. FIPS 197. National Institute of Standards and Technology, November, pp. 1-51 (2001)
[20] Rønjom, S.; Bardeh, NG; Helleseth, T.; Takagi, T.; Peyrin, T., Yoyo tricks with AES, Advances in Cryptology - ASIACRYPT 2017, 217-243, 2017, Cham: Springer, Cham · Zbl 1420.94094 · doi:10.1007/978-3-319-70694-8_8
[21] Tolba, M., Abdelkhalek, A., Youssef, A.M.: A meet in the middle attack on reduced round Kiasu-BC. IEICE Trans. Fundam. Electron. Commun. Comput. Sci. E99-A(10), 21-34 (2016)
[22] Wagner, D.; Knudsen, L., The boomerang attack, Fast Software Encryption, 156-170, 1999, Heidelberg: Springer, Heidelberg · Zbl 0942.94022 · doi:10.1007/3-540-48519-8_12