Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                



Dates are inconsistent

Dates are inconsistent

2312 results sorted by ID

2024/2063 (PDF) Last updated: 2024-12-23
The Number of the Beast: Reducing Additions in Fast Matrix Multiplication Algorithms for Dimensions up to 666
Erik Mårtensson, Paul Stankovski Wagner
Foundations

While a naive algorithm for multiplying two 2 × 2 matrices requires eight multiplications and four additions, Strassen showed how to compute the same matrix product using seven multiplications and 18 additions. Winograd reduced the number of additions to 15, which was assumed to be optimal. However, by introducing a change of basis, Karstadt and Schwartz showed how to lower the number of additions to 12, which they further showed to be optimal within this generalized Karstadt-Schwartz (KS)...

2024/2061 (PDF) Last updated: 2024-12-23
Programming Equation Systems of Arithmetization-Oriented Primitives with Constraints
Mengyu Chang, Kexin Qiao, Junjie Cheng, Changhai Ou, Liehuang Zhu
Attacks and cryptanalysis

Arithmetization-Oriented (AO) cryptographic algorithms operate on large finite fields. The most threatening attack on such designs is the Gröbner basis attack, which solves the equation system encoded from the cryptanalysis problem. However, encoding a primitive as a system of equations is not unique, and finding the optimal one with low solving complexity is a challenge. This paper introduces an automatic tool that converts the CICO problem into a Mixed-Integer Quadratic Constraint...

2024/2055 (PDF) Last updated: 2024-12-20
Zeroed Out: Cryptanalysis of Weak PRFs in Alternating Moduli
Irati Manterola Ayala, Håvard Raddum
Attacks and cryptanalysis

The growing adoption of secure multi-party computation (MPC) has driven the development of efficient symmetric key primitives tailored for MPC. Recent advancements, such as the alternating moduli paradigm, have shown promise but leave room for cryptographic and practical improvements. In this paper, we analyze a family of weak pseudorandom functions (wPRF) proposed at Crypto 2024, focusing on the One-to-One parameter sets. We demonstrate that these configurations fail to achieve their...

2024/2045 (PDF) Last updated: 2024-12-18
Cryptanalysis of TETRA Encryption Algorithms - Episode 1: TEA-3
Jens Alich, Amund Askeland, Subhadeep Banik, Tim Beyne, Anne Canteaut, Patrick Felke, Gregor Leander, Willi Meier, Lukas Stennes
Secret-key cryptography

We present the first public and in-depth cryptanalysis of TEA-3, a stream cipher used in TETRA radio networks that was kept secret until recently. While the same also holds for the six other TETRA encryption algorithms, we pick TEA-3 to start with as (i) it is not obviously weakened as TEA-{1,4,7} but (ii) in contrast to TEA-2 it is approved only for extra-European emergency service, and (iii) as already noted by [MBW23] the TEA-3 design surprisingly contains a non-bijective S-box. Most...

2024/2039 (PDF) Last updated: 2024-12-17
Revisiting Boomerang Attacks on Lightweight ARX and AND-RX Ciphers with Applications to KATAN, SIMON and CHAM
Li Yu, Je Sen Teh
Attacks and cryptanalysis

In this paper, we investigate the security of lightweight block ciphers, focusing on those that utilize the ADD-Rotate-XOR (ARX) and AND-Rotate-XOR (AND-RX) design paradigms. More specifically, we examine their resilience against boomerang-style attacks. First, we propose an automated search strategy that leverages the boomerang connectivity table (BCT) for AND operations ($\wedge BCT$) to conduct a complete search for boomerang and rectangle distinguishers for AND-RX ciphers. The proposed...

2024/2033 (PDF) Last updated: 2024-12-17
General Practical Cryptanalysis of the Sum of Round-Reduced Block Ciphers and ZIP-AES
Antonio Flórez-Gutiérrez, Lorenzo Grassi, Gregor Leander, Ferdinand Sibleyras, Yosuke Todo
Secret-key cryptography

We introduce a new approach between classical security proofs of modes of operation and dedicated security analysis for known cryptanalysis families: General Practical Cryptanalysis. This allows us to analyze generically the security of the sum of two keyed permutations against known attacks. In many cases (of course, not all), we show that the security of the sum is strongly linked to that of the composition of the two permutations. This enables the construction of beyond-birthday bound...

2024/2031 (PDF) Last updated: 2024-12-16
Covert 19th century political intrigues of Tenerife nobility revealed by cryptanalyzing an encrypted letter
Jezabel Molina-Gil, Cándido Caballero-Gil, Judit Gutiérrez-de-Armas, Moti Yung
Attacks and cryptanalysis

This article presents a cryptanalysis of a 19th-century encrypted manuscript discovered in the archives of Conde de Siete Fuentes in Tenerife, Canary Islands, Spain. The manuscript, preserved by the heirs of the 6th Count of Valle de Salazar, utilizes a polyalphabetic substitution cipher. The cryptanalysis was performed by applying statistical frequency analysis and developing a Python script for decryption, resulting in the authors successfully deciphering the message. The decrypted letter...

2024/2029 (PDF) Last updated: 2024-12-16
NLAT: the NonLinear Approximation Table of Vectorial Boolean Mappings
Jorge Nakahara Jr
Secret-key cryptography

This paper studies an extension of the Linear Approximation Table (LAT) of vectorial Boolean mappings (also known as Substitution boxes) used in Linear Cryptanalysis (LC). This extended table is called NonLinear Approximation Table (NLAT).

2024/2002 (PDF) Last updated: 2024-12-12
Improving Differential-Neural Distinguisher For Simeck Family
Xue Yuan, Qichun Wang
Attacks and cryptanalysis

In CRYPTO 2019, Gohr introduced the method of differential neural cryptanalysis, utilizing neural networks as the underlying distinguishers to achieve distinguishers for (5-8)-round of the Speck32/64 cipher and subsequently recovering keys for 11 and 12 rounds. Inspired by this work, we propose an enhanced neural cryptanalysis framework that combines the Efficient Channel Attention (ECA) module with residual networks. By introducing the channel attention mechanism to emphasize key features...

2024/1998 (PDF) Last updated: 2024-12-11
Impossible Differential Automation: Model Generation and New Techniques
Emanuele Bellini, Paul Huynh, David Gerault, Andrea Visconti, Alessandro De Piccoli, Simone Pelizzola
Secret-key cryptography

In this paper, we aim to enhance and automate advanced techniques for impossible differential attacks. To demonstrate these advancements, we present improved attacks on the LBlock and HIGHT block ciphers. More precisely, we (a) introduce a methodology to automatically invert symmetric ciphers when represented as directed acyclic graphs, a fundamental step in the search for impossible differential trails and in key recovery techniques; (b) automate the search for impossible differential...

2024/1992 (PDF) Last updated: 2024-12-09
Improved Quantum Linear Attacks and Application to CAST
Kaveh Bashiri, Xavier Bonnetain, Akinori Hosoyamada, Nathalie Lang, André Schrottenloher
Attacks and cryptanalysis

This paper studies quantum linear key-recovery attacks on block ciphers. The first such attacks were last-rounds attacks proposed by Kaplan et al. (ToSC 2016), which combine a linear distinguisher with a guess of a partial key. However, the most efficient classical attacks use the framework proposed by Collard et al. (ICISC 2007), which computes experimental correlations using the Fast Walsh-Hadamard Transform. Recently, Schrottenloher (CRYPTO 2023) proposed a quantum version of this...

2024/1989 (PDF) Last updated: 2024-12-09
Revisiting OKVS-based OPRF and PSI: Cryptanalysis and Better Construction
Kyoohyung Han, Seongkwang Kim, Byeonghak Lee, Yongha Son
Attacks and cryptanalysis

Oblivious pseudorandom function (OPRF) is a two-party cryptographic protocol that allows the receiver to input $x$ and learn $F(x)$ for some PRF $F$, only known to the sender. For private set intersection (PSI) applications, OPRF protocols have evolved to enhance efficiency, primarily using symmetric key cryptography. Current state-of-the-art protocols, such as those by Rindal and Schoppmann (Eurocrypt '21), leverage vector oblivious linear evaluation (VOLE) and oblivious key-value store...

2024/1962 (PDF) Last updated: 2024-12-04
uKNIT: Breaking Round-alignment for Cipher Design -- Featuring uKNIT-BC, an Ultra Low-Latency Block Cipher
Kai Hu, Mustafa Khairallah, Thomas Peyrin, Quan Quan Tan
Secret-key cryptography

Automated cryptanalysis has seen a lot of attraction and success in the past decade, leading to new distinguishers or key-recovery attacks against various ciphers. We argue that the improved efficiency and usability of these new tools have been undervalued, especially for design processes. In this article, we break for the first time the classical iterative design paradigm for symmetric-key primitives, where constructions are built around the repetition of a round function. We propose...

2024/1927 (PDF) Last updated: 2024-11-27
ToFA: Towards Fault Analysis of GIFT and GIFT-like Ciphers Leveraging Truncated Impossible Differentials
Anup Kumar Kundu, Shibam Ghosh, Aikata Aikata, Dhiman Saha
Attacks and cryptanalysis

In this work, we introduce ToFA, the first fault attack (FA) strategy that attempts to leverage the classically well-known idea of impossible differential cryptanalysis to mount practically verifiable attacks on bit-oriented ciphers like GIFT and BAKSHEESH. The idea used stems from the fact that truncated differential paths induced due to fault injection in certain intermediate rounds of the ciphers lead to active SBox-es in subsequent rounds whose inputs admit specific truncated...

2024/1926 (PDF) Last updated: 2024-11-27
Cryptanalysis of BAKSHEESH Block Cipher
Shengyuan Xu, Siwei Chen, Xiutao Feng, Zejun Xiang, Xiangyong Zeng
Attacks and cryptanalysis

BAKSHEESH is a lightweight block cipher following up the well-known cipher GIFT-128, which uses a 4-bit SBox that has a non-trivial Linear Structure (LS). Also, the Sbox requires a low number of AND gates that makes BAKSHEESH stronger to resist the side channel attacks compared to GIFT-128. In this paper, we give the first third-party security analysis of BAKSHEESH from the traditional attacks perspective: integral, differential and linear attacks. Firstly, we propose a framework for...

2024/1908 (PDF) Last updated: 2024-11-24
Generalized Impossible Differential Attacks on Block Ciphers: Application to SKINNY and ForkSKINNY
Ling Song, Qinggan Fu, Qianqian Yang, Yin Lv, Lei Hu
Attacks and cryptanalysis

Impossible differential cryptanalysis is a crucial cryptanalytical method for symmetric ciphers. Given an impossible differential, the key recovery attack typically proceeds in two steps: generating pairs of data and then identifying wrong keys using the guess-and-filtering method. At CRYPTO 2023, Boura \etal first proposed a new key recovery technique - the differential meet-in-the-middle attack, which recovers the key in a meet-in-the-middle manner. Inspired by this technique, we...

2024/1900 (PDF) Last updated: 2024-11-25
Opening the Blackbox: Collision Attacks on Round-Reduced Tip5, Tip4, Tip4' and Monolith
Fukang Liu, Katharina Koschatko, Lorenzo Grassi, Hailun Yan, Shiyao Chen, Subhadeep Banik, Willi Meier
Attacks and cryptanalysis

A new design strategy for ZK-friendly hash functions has emerged since the proposal of $\mathsf{Reinforced Concrete}$ at CCS 2022, which is based on the hybrid use of two types of nonlinear transforms: the composition of some small-scale lookup tables (e.g., 7-bit or 8-bit permutations) and simple power maps over $\mathbb{F}_p$. Following such a design strategy, some new ZK-friendly hash functions have been recently proposed, e.g., $\mathsf{Tip5}$, $\mathsf{Tip4}$, $\mathsf{Tip4}'$ and the...

2024/1888 (PDF) Last updated: 2024-11-20
Chosen-Prefix Collisions on AES-like Hashing
Shiyao Chen, Xiaoyang Dong, Jian Guo, Tianyu Zhang
Attacks and cryptanalysis

Chosen-prefix collision (CPC) attack was first presented by Stevens, Lenstra and de Weger on MD5 at Eurocrypt 2007. A CPC attack finds a collision for any two chosen prefixes, which is a stronger variant of collision attack. CPCs are naturally harder to construct but have larger practical impact than (identical-prefix) collisions, as seen from the series of previous works on MD5 by Stevens et al. and SHA-1 by Leurent and Peyrin. Despite its significance, the resistance of CPC attacks has not...

2024/1887 (PDF) Last updated: 2024-11-20
Differential MITM attacks on SLIM and LBCIoT
Peter Grochal, Martin Stanek
Attacks and cryptanalysis

SLIM and LBCIoT are lightweight block ciphers proposed for IoT applications. We present differential meet-in-the-middle attacks on these ciphers and discuss several implementation variants and possible improvements of these attacks. Experimental validation also shows some results that may be of independent interest in the cryptanalysis of other ciphers. Namely, the problems with low-probability differentials and the questionable accuracy of standard complexity estimates of using filters.

2024/1870 (PDF) Last updated: 2024-11-15
A Hard-Label Cryptanalytic Extraction of Non-Fully Connected Deep Neural Networks using Side-Channel Attacks
Benoit Coqueret, Mathieu Carbone, Olivier Sentieys, Gabriel Zaid
Attacks and cryptanalysis

During the past decade, Deep Neural Networks (DNNs) proved their value on a large variety of subjects. However despite their high value and public accessibility, the protection of the intellectual property of DNNs is still an issue and an emerging research field. Recent works have successfully extracted fully-connected DNNs using cryptanalytic methods in hard-label settings, proving that it was possible to copy a DNN with high fidelity, i.e., high similitude in the output predictions....

2024/1869 (PDF) Last updated: 2024-11-15
Black-box Collision Attacks on the NeuralHash Perceptual Hash Function
Diane Leblanc-Albarel, Bart Preneel
Attacks and cryptanalysis

Perceptual hash functions map multimedia content that is perceptually close to outputs strings that are identical or similar. They are widely used for the identification of protected copyright and illegal content in information sharing services: a list of undesirable files is hashed with a perceptual hash function and compared, server side, to the hash of the content that is uploaded. Unlike cryptographic hash functions, the design details of perceptual hash functions are typically kept...

2024/1864 (PDF) Last updated: 2024-11-29
Tweakable ForkCipher from Ideal Block Cipher
Sougata Mandal
Secret-key cryptography

In ASIACRYPT 2019, Andreeva et al. introduced a new symmetric key primitive called the $\textit{forkcipher}$, designed for lightweight applications handling short messages. A forkcipher is a keyed function with a public tweak, featuring fixed-length input and fixed-length (expanding) output. They also proposed a specific forkcipher, ForkSkinny, based on the tweakable block cipher SKINNY, and its security was evaluated through cryptanalysis. Since then, several efficient AEAD and MAC schemes...

2024/1858 (PDF) Last updated: 2024-11-14
(In)Security of Threshold Fully Homomorphic Encryption based on Shamir Secret Sharing
Wonhee Cho, Jiseung Kim, Changmin Lee
Attacks and cryptanalysis

Boneh et al. (CRYPTO'18) proposed two $t$-out-of-$N$ threshold fully homomorphic encryption ($\sf TFHE$) schemes based on Shamir secret sharing scheme and $\{0,1\}$-linear secret sharing scheme. They demonstrated the simulation security, ensuring no information leakage during partial or final decryption. This breakthrough allows any scheme to be converted into a threshold scheme by using $\sf TFHE$. We propose two polynomial time algorithms to break the simulation security of...

2024/1853 (PDF) Last updated: 2024-11-12
Giant Does NOT Mean Strong: Cryptanalysis of BQTRU
Ali Raya, Vikas Kumar, Aditi Kar Gangopadhyay, Sugata Gangopadhyay
Attacks and cryptanalysis

NTRU-like constructions are among the most studied lattice-based schemes. The freedom of design of NTRU resulted in many variants in literature motivated by faster computations or more resistance against lattice attacks by changing the underlying algebra. To the best of our knowledge, BQTRU (DCC 2017), a noncommutative NTRU-like cryptosystem, is the fastest claimed variant of NTRU built over the quaternion algebra of the bivariate ring of polynomials. The key generation and the encryption of...

2024/1849 (PDF) Last updated: 2024-11-12
A Linearisation Method for Identifying Dependencies in Differential Characteristics: Examining the Intersection of Deterministic Linear Relations and Nonlinear Constraints
Ling Sun
Attacks and cryptanalysis

The analytical perspective employed in the study classifies the theoretical research on dependencies in differential characteristics into two types. By categorising all dependence representations from the value restrictions and the theory of quasidifferential trails, we pinpoint a specific set of nonlinear constraints, which we term linearised nonlinear constraints. We aim to establish a method that utilises value restrictions to identify these constraints, as the current method based on...

2024/1838 (PDF) Last updated: 2024-11-11
Pushing the QAM method for finding APN functions further
Nadiia Ichanska, Simon Berg, Nikolay S. Kaleyski, Yuyin Yu
Foundations

APN functions offer optimal resistance to differential attacks and are instrumental in the design of block ciphers in cryptography. While finding APN functions is very difficult in general, a promising way to construct APN functions is through symmetric matrices called Quadratic APN matrices (QAM). It is known that the search space for the QAM method can be reduced by means of orbit partitions induced by linear equivalences. This paper builds upon and improves these approaches in the case of...

2024/1837 (PDF) Last updated: 2024-11-08
A Query Reconstruction Attack on the Chase-Shen Substring-Searchable Symmetric Encryption Scheme
Zichen Gui, Kenneth G. Paterson, Sikhar Patranabis
Attacks and cryptanalysis

Searchable symmetric encryption (SSE) enables queries over symmetrically encrypted databases. To achieve practical efficiency, SSE schemes incur a certain amount of leakage; however, this leads to the possibility of leakage cryptanalysis, i.e., cryptanalytic attacks that exploit the leakage from the target SSE scheme to subvert its data and query privacy guarantees. Leakage cryptanalysis has been widely studied in the context of SSE schemes supporting either keyword queries or range queries,...

2024/1801 (PDF) Last updated: 2024-11-04
Investigation of the Optimal Linear Characteristics of BAKSHEESH (Full Version)
Yuxuan Peng, Jinpeng Liu, Ling Sun
Attacks and cryptanalysis

This paper aims to provide a more comprehensive understanding of the optimal linear characteristics of BAKSHEESH. Initially, an explicit formula for the absolute correlation of the $R$-round optimal linear characteristic of BAKSHEESH is proposed when $R \geqslant 12$. By examining the linear characteristics of BAKSHEESH with three active S-boxes per round, we derive some properties of the three active S-boxes in each round. Furthermore, we demonstrate that there is only one 1-round iterative...

2024/1770 (PDF) Last updated: 2024-10-30
Improved Attacks for SNOVA by Exploiting Stability under a Group Action
Daniel Cabarcas, Peigen Li, Javier Verbel, Ricardo Villanueva-Polanco
Attacks and cryptanalysis

SNOVA is a post-quantum digital signature scheme based on multivariate polynomials. It is a first-round candidate in an ongoing NIST standardization process for post-quantum signatures, where it stands out for its efficiency and compactness. Since its initial submission, there have been several improvements to its security analysis, both on key recovery and forgery attacks. All these works reduce to solving a structured system of quadratic polynomials, which we refer to as SNOVA...

2024/1767 (PDF) Last updated: 2024-10-30
ECPM Cryptanalysis Resource Estimation
Dedy Septono Catur Putranto, Rini Wisnu Wardhani, Jaehan Cho, Howon Kim
Attacks and cryptanalysis

Elliptic Curve Point Multiplication (ECPM) is a key component of the Elliptic Curve Cryptography (ECC) hierarchy protocol. However, the specific estimation of resources required for this process remains underexplored despite its significance in the cryptanalysis of ECC algorithms, particularly binary ECC in GF (2𝑚). Given the extensive use of ECC algorithms in various security protocols and devices, it is essential to conduct this examination to gain valuable insights into its cryptanalysis,...

2024/1757 (PDF) Last updated: 2024-11-05
On the Sample Complexity of Linear Code Equivalence for all Code Rates
Alessandro Budroni, Andrea Natale
Attacks and cryptanalysis

In parallel with the standardization of lattice-based cryptosystems, the research community in Post-quantum Cryptography focused on non-lattice-based hard problems for constructing public-key cryptographic primitives. The Linear Code Equivalence (LCE) Problem has gained attention regarding its practical applications and cryptanalysis. Recent advancements, including the LESS signature scheme and its candidacy in the NIST standardization for additional signatures, supported LCE as a...

2024/1755 (PDF) Last updated: 2024-10-28
Exponential sums in linear cryptanalysis
Tim Beyne, Clémence Bouvier
Secret-key cryptography

It is shown how bounds on exponential sums derived from modern algebraic geometry, and l-adic cohomology specifically, can be used to upper bound the absolute correlations of linear approximations for cryptographic constructions of low algebraic degree. This is illustrated by applying results of Deligne, Denef and Loeser, and Rojas-León, to obtain correlation bounds for a generalization of the Butterfly construction, three-round Feistel ciphers, and a generalization of the Flystel...

2024/1706 (PDF) Last updated: 2024-10-21
State of the art of HFE variants Is it possible to repair HFE with appropriate perturbations?
Benoit COGLIATI, Gilles Macariot-Rat, Jacques Patarin, Pierre Varjabedian
Public-key cryptography

HFE (that stands for Hidden Field Equations) belongs to multivariate cryptography and was designed by Jacques Patarin in 1996 as a public key trapdoor suitable for encryption or signature. This original basic version is unfortunately known to have a super-polynomial attack, but as imagined since the beginning, it comes with various variants, one can describe as combinations of “modifiers”. In this work, we first present the state of the art of these HFE modifiers, along with their...

2024/1700 (PDF) Last updated: 2024-10-18
Does quantum lattice sieving require quantum RAM?
Beomgeun Cho, Minki Hhan, Taehyun Kim, Jeonghoon Lee, Yixin Shen
Public-key cryptography

In this paper, we study the requirement for quantum random access memory (QRAM) in quantum lattice sieving, a fundamental algorithm for lattice-based cryptanalysis. First, we obtain a lower bound on the cost of quantum lattice sieving with a bounded size QRAM. We do so in a new query model encompassing a wide range of lattice sieving algorithms similar to those in the classical sieving lower bound by Kirshanova and Laarhoven [CRYPTO 21]. This implies that, under reasonable assumptions,...

2024/1692 (PDF) Last updated: 2024-10-17
On the practicality of quantum sieving algorithms for the shortest vector problem
Joao F. Doriguello, George Giapitzakis, Alessandro Luongo, Aditya Morolia
Attacks and cryptanalysis

One of the main candidates of post-quantum cryptography is lattice-based cryptography. Its cryptographic security against quantum attackers is based on the worst-case hardness of lattice problems like the shortest vector problem (SVP), which asks to find the shortest non-zero vector in an integer lattice. Asymptotic quantum speedups for solving SVP are known and rely on Grover's search. However, to assess the security of lattice-based cryptography against these Grover-like quantum speedups,...

2024/1678 (PDF) Last updated: 2024-10-16
Commutative Cryptanalysis as a Generalization of Differential Cryptanalysis
Jules Baudrin, Christof Beierle, Patrick Felke, Gregor Leander, Patrick Neumann, Léo Perrin, Lukas Stennes
Secret-key cryptography

Recently, Baudrin et al. analyzed a special case of Wagner's commutative diagram cryptanalysis, referred to as commutative cryptanalysis. For a family $(E_k)_k$ of permutations on a finite vector space $G$, commutative cryptanalysis exploits the existence of affine permutations $A,B \colon G \rightarrow G$, $I \notin \{A,B\}$ such that $E_k \circ A (x) = B \circ E_k(x)$ holds with high probability, taken over inputs $x$, for a significantly large set of weak keys $k$. Several attacks...

2024/1614 (PDF) Last updated: 2024-10-10
Related-Key Cryptanalysis of FUTURE
Amit Jana, Smita Das, Ayantika Chatterjee, Debdeep Mukhopadhyay
Attacks and cryptanalysis

In Africacrypt 2022, Gupta \etal introduced a 64-bit lightweight \mds matrix-based \spn-like block cipher designed to encrypt data in a single clock cycle with minimal implementation cost, particularly when unrolled. While various attack models were discussed, the security of the cipher in the related-key setting was not addressed. In this work, we bridge this gap by conducting a security analysis of the cipher under related-key attacks using \milp(Mixed Integer Linear Programming)-based...

2024/1612 (PDF) Last updated: 2024-10-10
On Wagner's k-Tree Algorithm Over Integers
Haoxing Lin, Prashant Nalini Vasudevan
Attacks and cryptanalysis

The $k$-Tree algorithm [Wagner 02] is a non-trivial algorithm for the average-case $k$-SUM problem that has found widespread use in cryptanalysis. Its input consists of $k$ lists, each containing $n$ integers from a range of size $m$. Wagner's original heuristic analysis suggested that this algorithm succeeds with constant probability if $n \approx m^{1/(\log{k}+1)}$, and that in this case it runs in time $O(kn)$. Subsequent rigorous analysis of the algorithm [Lyubashevsky 05, Shallue 08,...

2024/1589 (PDF) Last updated: 2024-10-08
A Systematic Study of Sparse LWE
Aayush Jain, Huijia Lin, Sagnik Saha
Foundations

In this work, we introduce the sparse LWE assumption, an assumption that draws inspiration from both Learning with Errors (Regev JACM 10) and Sparse Learning Parity with Noise (Alekhnovich FOCS 02). Exactly like LWE, this assumption posits indistinguishability of $(\mathbf{A}, \mathbf{s}\mathbf{A}+\mathbf{e} \mod p)$ from $(\mathbf{A}, \mathbf{u})$ for a random $\mathbf{u}$ where the secret $\mathbf{s}$, and the error vector $\mathbf{e}$ is generated exactly as in LWE. However, the...

2024/1580 (PDF) Last updated: 2024-10-07
Polynomial Time Cryptanalytic Extraction of Deep Neural Networks in the Hard-Label Setting
Nicholas Carlini, Jorge Chávez-Saab, Anna Hambitzer, Francisco Rodríguez-Henríquez, Adi Shamir
Attacks and cryptanalysis

Deep neural networks (DNNs) are valuable assets, yet their public accessibility raises security concerns about parameter extraction by malicious actors. Recent work by Carlini et al. (Crypto’20) and Canales- Martínez et al. (Eurocrypt’24) has drawn parallels between this issue and block cipher key extraction via chosen plaintext attacks. Leveraging differential cryptanalysis, they demonstrated that all the weights and biases of black-box ReLU-based DNNs could be inferred using a polynomial...

2024/1525 (PDF) Last updated: 2024-09-28
Evaluating Leakage Attacks Against Relational Encrypted Search
Patrick Ehrler, Abdelkarim Kati, Thomas Schneider, Amos Treiber
Attacks and cryptanalysis

Encrypted Search Algorithms (ESAs) are a technique to encrypt data while the user can still search over it. ESAs can protect privacy and ensure security of sensitive data stored on a remote storage. Originally, ESAs were used in the context of documents that consist of keywords. The user encrypts the documents, sends them to a remote server and is still able to search for keywords, without exposing information about the plaintext. The idea of ESAs has also been applied to relational...

2024/1465 (PDF) Last updated: 2024-09-19
Linear approximations of the Flystel construction
Tim Beyne, Clémence Bouvier
Secret-key cryptography

Using a purity theorem for exponential sums due to Rojas-Léon, we upper bound the absolute correlations of linear approximations of the Flystel construction used in Anemoi. This resolves open problem 7.1 in [Bouvier, 2023].

2024/1453 (PDF) Last updated: 2024-09-17
Breaking and Repairing SQIsign2D-East
Wouter Castryck, Mingjie Chen, Riccardo Invernizzi, Gioella Lorenzon, Frederik Vercauteren
Attacks and cryptanalysis

We present a key recovery attack on SQIsign2D-East that reduces its security level from $\lambda$ to $\lambda/2$. We exploit the fact that each signature leaks a Legendre symbol modulo the secret degree of the private key isogeny. About $\lambda/2$ signatures are enough for these Legendre symbols to fully determine the secret degree, which can then be recovered by exhaustive search over a set of size $O(2^{\lambda/2})$. Once the degree is known, the private key isogeny itself can be found,...

2024/1450 (PDF) Last updated: 2024-09-17
TentLogiX: 5-bit Chaos-Driven S-Boxes for Lightweight Cryptographic Systems
Maha Allouzi, Arefeh Rahaei
Cryptographic protocols

Cryptography is a crucial method for ensuring the security of communication and data transfers across networks. While it excels on devices with abundant resources, such as PCs, servers, and smartphones, it may encounter challenges when applied to resource-constrained Internet of Things (IoT) devices like Radio Frequency Identification (RFID) tags and sensors. To address this issue, a demand arises for a lightweight variant of cryptography known as lightweight cryptography (LWC). In...

2024/1447 (PDF) Last updated: 2024-09-17
Generic Differential Key Recovery Attacks and Beyond
Ling Song, Huimin Liu, Qianqian Yang, Yincen Chen, Lei Hu, Jian Weng
Secret-key cryptography

At Asiacrypt 2022, a holistic key guessing strategy was proposed to yield the most efficient key recovery for the rectangle attack. Recently, at Crypto 2023, a new cryptanalysis technique--the differential meet-in-the-middle (MITM) attack--was introduced. Inspired by these two previous works, we present three generic key recovery attacks in this paper. First, we extend the holistic key guessing strategy from the rectangle to the differential attack, proposing the generic classical...

2024/1408 (PDF) Last updated: 2024-09-09
Multiple-Tweak Differential Attack Against SCARF
Christina Boura, Shahram Rasoolzadeh, Dhiman Saha, Yosuke Todo
Secret-key cryptography

In this paper, we present the first third-party cryptanalysis of SCARF, a tweakable low-latency block cipher designed to thwart contention-based cache attacks through cache randomization. We focus on multiple-tweak differential attacks, exploiting biases across multiple tweaks. We establish a theoretical framework explaining biases for any number of rounds and verify this framework experimentally. Then, we use these properties to develop a key recovery attack on 7-round SCARF with a time...

2024/1403 (PDF) Last updated: 2024-09-08
Hard-Label Cryptanalytic Extraction of Neural Network Models
Yi Chen, Xiaoyang Dong, Jian Guo, Yantian Shen, Anyu Wang, Xiaoyun Wang
Attacks and cryptanalysis

The machine learning problem of extracting neural network parameters has been proposed for nearly three decades. Functionally equivalent extraction is a crucial goal for research on this problem. When the adversary has access to the raw output of neural networks, various attacks, including those presented at CRYPTO 2020 and EUROCRYPT 2024, have successfully achieved this goal. However, this goal is not achieved when neural networks operate under a hard-label setting where the raw output...

2024/1396 (PDF) Last updated: 2024-09-05
Rare structures in tensor graphs - Bermuda triangles for cryptosystems based on the Tensor Isomorphism problem
Lars Ran, Simona Samardjiska
Attacks and cryptanalysis

Recently, there has been a lot of interest in improving the understanding of the practical hardness of the 3-Tensor Isomorphism (3-TI) problem, which, given two 3-tensors, asks for an isometry between the two. The current state-of-the-art for solving this problem is the algebraic algorithm of Ran et al. '23 and the graph-theoretic algorithm of Narayanan et al. '24 that have both slightly reduced the security of the signature schemes MEDS and ALTEQ, based on variants of the 3-TI problem...

2024/1389 (PDF) Last updated: 2024-09-07
DL-SITM: Deep Learning-Based See-in-the-Middle Attack on AES
Tomáš Gerlich, Jakub Breier, Pavel Sikora, Zdeněk Martinásek, Aron Gohr, Anubhab Baksi, Xiaolu Hou
Attacks and cryptanalysis

The see-in-the-middle (SITM) attack combines differential cryptanalysis and the ability to observe differential patterns in the side-channel leakage traces to reveal the secret key of SPN-based ciphers. While SITM presents a fresh perspective to side-channel analysis and allows attacks on deeper cipher rounds, there are practical difficulties that come with this method. First, one must realize a visual inspection of millions of power traces. Second, there is a strong requirement to reduce...

2024/1370 (PDF) Last updated: 2024-08-31
ML based Improved Differential Distinguisher with High Accuracy: Application to GIFT-128 and ASCON
Tarun Yadav, Manoj Kumar
Attacks and cryptanalysis

In recent years, ML based differential distinguishers have been explored and compared with the classical methods. Complexity of a key recovery attack on block ciphers is calculated using the probability of a differential distinguisher provided by classical methods. Since theoretical computations suffice to calculate the data complexity in these cases, so there seems no restrictions on the practical availability of computational resources to attack a block cipher using classical methods....

2024/1363 Last updated: 2024-11-16
Improved Key Recovery Attacks on Reduced-Round Salsa20
Sabyasachi Dey, Gregor Leander, Nitin Kumar Sharma
Attacks and cryptanalysis

In this paper, we present an improved attack on the stream cipher Salsa20. Our improvements are based on two technical contributions. First, we make use of a distribution of a linear combination of several random variables that are derived from different differentials and explain how to exploit this in order to improve the attack complexity. Secondly, we study and exploit how to choose the actual value for so-called probabilistic neutral bits optimally. Because of the limited influence of...

2024/1359 (PDF) Last updated: 2024-09-20
Finding Complete Impossible Differential Attacks on AndRX Ciphers and Efficient Distinguishers for ARX Designs
Debasmita Chakraborty, Hosein Hadipour, Phuong Hoa Nguyen, Maria Eichlseder
Attacks and cryptanalysis

The impossible differential (ID) attack is one of the most important cryptanalytic techniques for block ciphers. There are two phases to finding an ID attack: searching for the distinguisher and building a key recovery upon it. Previous works only focused on automated distinguisher discovery, leaving key recovery as a manual post-processing task, which may lead to a suboptimal final complexity. At EUROCRYPT~2023, Hadipour et al. introduced a unified constraint programming (CP) approach based...

2024/1358 (PDF) Last updated: 2024-12-24
Quantum Sieving for Code-Based Cryptanalysis and Its Limitations for ISD
Lynn Engelberts, Simona Etinski, Johanna Loyer
Attacks and cryptanalysis

Sieving using near-neighbor search techniques is a well-known method in lattice-based cryptanalysis, yielding the current best runtime for the shortest vector problem in both the classical [BDGL16] and quantum [BCSS23] setting. Recently, sieving has also become an important tool in code-based cryptanalysis. Specifically, using a sieving subroutine, [GJN23, DEEK24] presented a variant of the information-set decoding (ISD) framework, which is commonly used for attacking cryptographically...

2024/1334 (PDF) Last updated: 2024-08-26
Chosen Text Attacks Against an Image Encryption Based on the Kronecker Xor Product, the Hill Cipher and the Sigmoid Logistic Map
George Teseleanu
Secret-key cryptography

In 2023, Mfungo et al. presented an image encryption scheme that relies on a series of diffusion techniques and uses a chaotic map to generate three secret keys. Note that two out of three keys are dynamically generated based on the size of the original image, while the remaining key is static. The authors claim that their proposal offers $149$ bits of security. Unfortunately, we found a chosen plaintext attack that requires $2$ oracle queries and has a worse case complexity of $\mathcal...

2024/1332 (PDF) Last updated: 2024-09-26
Attacking trapdoors from matrix products
Thomas Decru, Tako Boris Fouotsa, Paul Frixons, Valerie Gilchrist, Christophe Petit
Attacks and cryptanalysis

Recently, Geraud-Stewart and Naccache proposed two trapdoors based on matrix products. In this paper, we answer the call for cryptanalysis. We explore how using the trace and determinant of a matrix can be used to attack their constructions. We fully break their first construction in a polynomial-time attack. We show an information leak in the second construction using characteristic polynomials, and provide an attack using traces that decreases the bit security by about half.

2024/1330 (PDF) Last updated: 2024-10-04
Newton Polytope-Based Strategy for Finding Small Roots of Multivariate Polynomials
Yansong Feng, Abderrahmane Nitaj, Yanbin Pan
Attacks and cryptanalysis

Coppersmith's method plays an important role in cryptanalysis. By introducing a new tool called Sumsets theory from Additive Combinatorics, we propose a novel strategy for Coppersmith's method based on Newton polytope. With our novel strategy, we provide the first provable and efficient algorithm for calculating the asymptotic bounds of Coppersmith's method, which is typically a tedious and non-trivial task. Moreover, our new perspective offers a better understanding of Coppersmith's...

2024/1324 (PDF) Last updated: 2024-08-29
CLAASPing ARADI: Automated Analysis of the ARADI Block Cipher
Emanuele Bellini, Mattia Formenti, David Gérault, Juan Grados, Anna Hambitzer, Yun Ju Huang, Paul Huynh, Mohamed Rachidi, Raghvendra Rohit, Sharwan K. Tiwari
Attacks and cryptanalysis

In early August 2024, three NSA researchers -- Patricia Greene, Mark Motley, and Bryan Weeks -- published the technical specifications for a new low-latency block cipher, ARADI, along with its corresponding authenticated encryption mode, LLAMA, which is specifically designed for memory encryption applications. Their manuscript offered minimal security analysis of the design, only briefly discussing the differential, linear and algebraic properties of cipher's underlying components. In this...

2024/1304 (PDF) Last updated: 2024-11-05
Improved Algebraic Attacks on Round-Reduced LowMC with Single-Data Complexity
Xingwei Ren, Yongqiang Li, Mingsheng Wang
Attacks and cryptanalysis

Recently, Picnic3 has introduced several alternative LowMC instances, which prompts the cryptanalysis competition for LowMC. In this paper, we provide new solutions to the competition with full S-box layers under single-data complexity. First, we present a new guess-and-determine attack framework that achieves the best trade-off in complexity, while effectively enhancing two algorithms applicable to 2-round LowMC cryptanalysis. Next, we present a new meet-in-the-middle attack framework for...

2024/1300 (PDF) Last updated: 2024-08-20
SoK: 5 Years of Neural Differential Cryptanalysis
David Gerault, Anna Hambitzer, Moritz Huppert, Stjepan Picek
Attacks and cryptanalysis

At CRYPTO 2019, A. Gohr introduced Neural Differential Cryptanalysis by applying deep learning to modern block cipher cryptanalysis. Surprisingly, the resulting neural differential distinguishers enabled a new state-of-the-art key recovery complexity for 11 rounds of SPECK32. As of May 2024, according to Google Scholar, Gohr’s article has been cited 178 times. The wide variety of targets, techniques, settings, and evaluation methodologies that appear in these follow-up works grants a careful...

2024/1297 (PDF) Last updated: 2024-08-20
Improved Cryptanalysis of SNOVA
Ward Beullens
Attacks and cryptanalysis

SNOVA is a multivariate signature scheme submitted to the NIST project for additional signature schemes by Cho, Ding, Kuan, Li, Tseng, Tseng, and Wang. With small key and signature sizes good performance, SNOVA is one of the more efficient schemes in the competition, which makes SNOVA an important target for cryptanalysis. In this paper, we observe that SNOVA implicitly uses a structured version of the ``whipping'' technique developed for the MAYO signature scheme. We show that the...

2024/1278 (PDF) Last updated: 2024-08-13
Quantum Key Recovery Attacks on 4-round Iterated Even-Mansour with Two Keys
Ravi Anand, Shibam Ghosh, Takanori Isobe, Rentaro Shiba
Secret-key cryptography

In this paper, we propose quantum key recovery attacks on 4-round iterated Even-Mansour (IEM) with a key schedule that applies two keys alternately. We first show that a conditional periodic function such that one of the secret keys appears as a period conditionally can be constructed using the encryption function and internal permutations. By applying the offline Simon's algorithm to this function, we construct a key recovery attack with a complexity of $O(\sqrt{N} \log N)$ for $N = 2^n$,...

2024/1270 (PDF) Last updated: 2024-08-11
Meet-in-the-Middle Attack on 4+4 Rounds of SCARF under Single-Tweak Setting
Siwei Chen, Kai Hu, Guozhen Liu, Zhongfeng Niu, Quan Quan Tan, Shichang Wang
Attacks and cryptanalysis

\scarf, an ultra low-latency tweakable block cipher, is the first cipher designed for cache randomization. The block cipher design is significantly different from the other common tweakable block ciphers; with a block size of only 10 bits, and yet the input key size is a whopping $240$ bits. Notably, the majority of the round key in its round function is absorbed into the data path through AND operations, rather than the typical XOR operations. In this paper, we present a key-recovery...

2024/1261 (PDF) Last updated: 2024-08-09
A Key-Recovery Attack on a Leaky Seasign Variant
Shai Levin
Attacks and cryptanalysis

We present a key-recovery attack on a variant of the Seasign signature scheme presented by [Kim24], which attempts to avoid rejection sampling by presampling vectors $\mathbf{f}$ such that the $\mathbf{f}-\mathbf{e}$ is contained in an acceptable bound, where $\mathbf{e}$ is the secret key. We show that this choice leads to a bias of these vectors such that, in a small number of signatures, the secret key can either be completely recovered or its keyspace substantially reduced. In...

2024/1251 (PDF) Last updated: 2024-08-06
EMI Shielding for Use in Side-Channel Security: Analysis, Simulation and Measurements
Daniel Dobkin, Edut Katz, David Popovtzer, Itamar Levi
Attacks and cryptanalysis

Considering side-channel analysis (SCA) security for cryptographic devices, the mitigation of electromagnetic leakage and electromagnetic interference (EMI) between modules poses significant challenges. This paper presents a comprehensive review and deep analysis of the utilization of EMI shielding materials, devised for reliability purposes and standards such as EMI/EMC, as a countermeasure to enhance EM-SCA security. We survey the current landscape of EMI-shields materials, including...

2024/1249 (PDF) Last updated: 2024-08-06
Koala: A Low-Latency Pseudorandom Function
Parisa Amiri Eliasi, Yanis Belkheyar, Joan Daemen, Santosh Ghosh, Daniël Kuijsters, Alireza Mehrdad, Silvia Mella, Shahram Rasoolzadeh, Gilles Van Assche
Secret-key cryptography

This paper introduces the Koala PRF, which maps a variable-length sequence of $64$-bit input blocks to a single $257$-bit output block. Its design focuses on achieving low latency in its implementation in ASIC. To construct Koala, we instantiate the recently introduced Kirby construction with the Koala-P permutation and add an input encoding layer. The Koala-P permutation is obtained as the $8$-fold iteration of a simple round function inspired by that of Subterranean. Based on...

2024/1247 (PDF) Last updated: 2024-08-06
A Note on the Quasigroup Lai-Massey Structures
George Teseleanu
Secret-key cryptography

In our paper, we explore the consequences of replacing the commutative group operation used in Lai-Massey structures with a quasigroup operation. We introduce four quasigroup versions of the Lai-Massey structure, and prove that for quasigroups isotopic with a group $\mathbb{G}$, the complexity of launching a differential attack against these variants of the Lai-Massey structure is equivalent to attacking an alternative structure based on $\mathbb{G}$. Then we provide the conditions needed...

2024/1229 (PDF) Last updated: 2024-10-10
Benchmarking Attacks on Learning with Errors
Emily Wenger, Eshika Saxena, Mohamed Malhou, Ellie Thieu, Kristin Lauter
Attacks and cryptanalysis

Lattice cryptography schemes based on the learning with errors (LWE) hardness assumption have been standardized by NIST for use as post-quantum cryptosystems, and by HomomorphicEncryption.org for encrypted compute on sensitive data. Thus, understanding their concrete security is critical. Most work on LWE security focuses on theoretical estimates of attack performance, which is important but may overlook attack nuances arising in real-world implementations. The sole existing concrete...

2024/1221 (PDF) Last updated: 2024-07-31
Depth Optimized Quantum Circuits for HIGHT and LEA
Kyungbae Jang, Yujin Oh, Minwoo Lee, Dukyoung Kim, Hwajeong Seo
Implementation

Quantum computers can model and solve several problems that have posed challenges for classical super computers, leveraging their natural quantum mechanical characteristics. A large-scale quantum computer is poised to significantly reduce security strength in cryptography. In this context, extensive research has been conducted on quantum cryptanalysis. In this paper, we present optimized quantum circuits for Korean block ciphers, HIGHT and LEA. Our quantum circuits for HIGHT and LEA...

2024/1218 (PDF) Last updated: 2024-07-30
A Note on the use of the Double Boomerang Connectivity Table (DBCT) for Spotting Impossibilities
Xavier Bonnetain, Virginie Lallemand
Secret-key cryptography

In this short note we examine one of the impossible boomerang distinguishers of Skinny-128-384 provided by Zhang, Wang and Tang at ToSC 2024 Issue 2 and disprove it. The issue arises from the use of the Double Boomerang Connectivity Table (DBCT) as a tool to establish that a boomerang switch over 2 rounds has probability zero, whereas the DBCT only covers specific cases of difference propagation, missing a large set of events that might make the connection possible. We study in...

2024/1197 (PDF) Last updated: 2024-07-25
Optimizing Rectangle and Boomerang Attacks: A Unified and Generic Framework for Key Recovery
Qianqian Yang, Ling Song, Nana Zhang, Danping Shi, Libo Wang, Jiahao Zhao, Lei Hu, Jian Weng
Secret-key cryptography

The rectangle attack has shown to be a very powerful form of cryptanalysis against block ciphers. Given a rectangle distinguisher, one expects to mount key recovery attacks as efficiently as possible. In the literature, there have been four algorithms for rectangle key recovery attacks. However, their performance varies from case to case. Besides, numerous are the applications where the attacks lack optimality. In this paper, we delve into the rectangle key recovery and propose a unified and...

2024/1180 (PDF) Last updated: 2024-07-22
Fast computation of 2-isogenies in dimension 4 and cryptographic applications
Pierrick Dartois
Implementation

Dimension 4 isogenies have first been introduced in cryptography for the cryptanalysis of Supersingular Isogeny Diffie-Hellman (SIDH) and have been used constructively in several schemes, including SQIsignHD, a derivative of SQIsign isogeny based signature scheme. Unlike in dimensions 2 and 3, we can no longer rely on the Jacobian model and its derivatives to compute isogenies. In dimension 4 (and higher), we can only use theta-models. Previous works by Romain Cosset, David Lubicz and Damien...

2024/1177 (PDF) Last updated: 2024-07-21
Cryptanalysis of two post-quantum authenticated key agreement protocols
Mehdi Abri, Hamid Mala
Attacks and cryptanalysis

As the use of the internet and digital devices has grown rapidly, keeping digital communications secure has become very important. Authenticated Key Agreement (AKA) protocols play a vital role in securing digital communications. These protocols enable the communicating parties to mutually authenticate and securely establish a shared secret key. The emergence of quantum computers makes many existing AKA protocols vulnerable to their immense computational power. Consequently, designing new...

2024/1173 (PDF) Last updated: 2024-09-26
Cryptanalysis of Rank-2 Module-LIP with Symplectic Automorphisms
Hengyi Luo, Kaijie Jiang, Yanbin Pan, Anyu Wang
Attacks and cryptanalysis

At Eurocrypt'24, Mureau et al. formally defined the Lattice Isomorphism Problem for module lattices (module-LIP) in a number field $\mathbb{K}$, and proposed a heuristic randomized algorithm solving module-LIP for modules of rank 2 in $\mathbb{K}^2$ with a totally real number field $\mathbb{K}$, which runs in classical polynomial time for a large class of modules and a large class of totally real number field under some reasonable number theoretic assumptions. In this paper, by introducing a...

2024/1159 (PDF) Last updated: 2024-07-17
LaPSuS – A Lattice-Based Private Stream Aggregation Scheme under Scrutiny
Johannes Ottenhues, Alexander Koch
Attacks and cryptanalysis

Private Stream Aggregation (PSA) allows clients to send encryptions of their private values to an aggregator that is then able to learn the sum of these values but nothing else. It has since found many applications in practice, e.g. for smart metering or federated learning. In 2018, Becker et al. proposed the first lattice-based PSA scheme LaPS (NDSS 2018), with putative post-quantum security, which has subsequently been patented. In this paper, we describe two attacks on LaPS that break the...

2024/1137 (PDF) Last updated: 2024-07-12
Cryptanalysis of EagleSign
Ludo N. Pulles, Mehdi Tibouchi
Attacks and cryptanalysis

EagleSign is one of the 40 “Round 1 Additional Signatures” that is accepted for consideration in the supplementary round of the Post-Quantum Cryptography standardization process, organized by NIST. Its design is based on structured lattices, and it boasts greater simplicity and performance compared to the two lattice signatures already selected for standardization: Falcon and Dilithium. In this paper, we show that those claimed advantages come at the cost of security. More precisely, we...

2024/1134 (PDF) Last updated: 2024-07-12
Exploiting signature leakages: breaking Enhanced pqsigRM
Thomas Debris-Alazard, Pierre Loisel, Valentin Vasseur
Attacks and cryptanalysis

Enhanced pqsigRM is a code-based hash-and-sign scheme proposed to the second National Institute of Standards and Technology call for post-quantum signatures. The scheme is based on the $(U,U+V)$-construction and it enjoys remarkably small signature lengths, about $1$KBytes for a security level of $128$ bits. Unfortunately we show that signatures leak information about the underlying $(U,U+V)$-structure. It allows to retrieve the private-key with~$100, 000$ signatures.

2024/1133 (PDF) Last updated: 2024-07-12
Parameters of Algebraic Representation vs. Efficiency of Algebraic Cryptanalysis
Hossein Arabnezhad, Babak Sadeghiyan
Foundations

The aim of an algebraic attack is to find the secret key by solving a collection of relations that describe the internal structure of a cipher for observations of plaintext/cipher-text pairs. Although algebraic attacks are addressed for cryptanalysis of block and stream ciphers, there is a limited understanding of the impact of algebraic representation of the cipher on the efficiency of solving the resulting collection of equations. In this paper, we investigate on how different S-box...

2024/1126 (PDF) Last updated: 2024-08-08
Is ML-Based Cryptanalysis Inherently Limited? Simulating Cryptographic Adversaries via Gradient-Based Methods
Avital Shafran, Eran Malach, Thomas Ristenpart, Gil Segev, Stefano Tessaro
Foundations

Given the recent progress in machine learning (ML), the cryptography community has started exploring the applicability of ML methods to the design of new cryptanalytic approaches. While current empirical results show promise, the extent to which such methods may outperform classical cryptanalytic approaches is still somewhat unclear. In this work, we initiate exploration of the theory of ML-based cryptanalytic techniques, in particular providing new results towards understanding whether...

2024/1111 (PDF) Last updated: 2024-09-02
Collision Attacks on Galois/Counter Mode (GCM)
John Preuß Mattsson
Secret-key cryptography

Advanced Encryption Standard in Galois/Counter Mode (AES-GCM) is the most widely used Authenticated Encryption with Associated Data (AEAD) algorithm in the world. In this paper, we analyze the use of GCM with all the Initialization Vector (IV) constructions and lengths approved by NIST SP 800-38D when encrypting multiple plaintexts with the same key. We derive attack complexities in both ciphertext-only and known-plaintext models, with or without nonce hiding, for collision attacks...

2024/1082 (PDF) Last updated: 2024-07-03
Quantum Implementation of LSH
Yujin Oh, Kyungbae Jang, Hwajeong Seo
Implementation

As quantum computing progresses, the assessment of cryptographic algorithm resilience against quantum attack gains significance interests in the field of cryptanalysis. Consequently, this paper implements the depth-optimized quantum circuit of Korean hash function (i.e., LSH) and estimates its quantum attack cost in quantum circuits. By utilizing an optimized quantum adder and employing parallelization techniques, the proposed quantum circuit achieves a 78.8\% improvement in full depth and a...

2024/1001 (PDF) Last updated: 2024-06-20
Guidance for Efficient Selection of Secure Parameters for Fully Homomorphic Encryption
Elena Kirshanova, Chiara Marcolla, Sergi Rovira
Public-key cryptography

The field of Fully Homomorphic Encryption (FHE) has seen many theoretical and computational advances in recent years, bringing the technology closer to practicality than ever before. For this reason, practitioners from neighbouring fields such as machine learning have sought to understand FHE to provide privacy to their work. Unfortunately, selecting secure and efficient parameters in FHE is a daunting task due to the many interdependencies between the parameters involved. In this work, we...

2024/935 (PDF) Last updated: 2024-07-26
MFKDF: Multiple Factors Knocked Down Flat
Matteo Scarlata, Matilda Backendal, Miro Haller
Attacks and cryptanalysis

Nair and Song (USENIX 2023) introduce the concept of a Multi-Factor Key Derivation Function (MFKDF), along with constructions and a security analysis. MFKDF integrates dynamic authentication factors, such as HOTP and hardware tokens, into password-based key derivation. The aim is to improve the security of password-derived keys, which can then be used for encryption or as an alternative to multi-factor authentication. The authors claim an exponential security improvement compared to...

2024/924 (PDF) Last updated: 2024-07-02
Climbing and descending tall volcanos
Steven Galbraith
Public-key cryptography

We revisit the question of relating the elliptic curve discrete logarithm problem (ECDLP) between ordinary elliptic curves over finite fields with the same number of points. This problem was considered in 1999 by Galbraith and in 2005 by Jao, Miller, and Venkatesan. We apply recent results from isogeny cryptography and cryptanalysis, especially the Kani construction, to this problem. We improve the worst case bound in Galbraith's 1999 paper from $\tilde{O}( q^{1.5} )$ to (heuristically)...

2024/908 (PDF) Last updated: 2024-06-07
Preliminary Analysis of Ascon-Xof and Ascon-Hash
Christoph Dobraunig, Maria Eichlseder, Florian Mendel, Martin Schläffer
Secret-key cryptography

In this note, we present additional preliminary analysis dedicated to Ascon-Xof and Ascon-Hash [DEMS19].

2024/907 (PDF) Last updated: 2024-09-10
Reducing the Number of Qubits in Quantum Information Set Decoding
Clémence Chevignard, Pierre-Alain Fouque, André Schrottenloher
Attacks and cryptanalysis

This paper presents an optimization of the memory cost of the quantum Information Set Decoding (ISD) algorithm proposed by Bernstein (PQCrypto 2010), obtained by combining Prange's ISD with Grover's quantum search. When the code has constant rate and length $n$, this algorithm essentially performs a quantum search which, at each iteration, solves a linear system of dimension $\mathcal{O}(n)$. The typical code lengths used in post-quantum public-key cryptosystems range from $10^3$ to...

2024/894 (PDF) Last updated: 2024-09-20
Quantum Algorithms for Fast Correlation Attacks on LFSR-Based Stream Ciphers
Akinori Hosoyamada
Secret-key cryptography

This paper presents quantum algorithms for fast correlation attacks, one of the most powerful techniques for cryptanalysis on LFSR-based stream ciphers in the classical setting. Typical fast correlation attacks recover a value related to the initial state of the underlying LFSR by solving a decoding problem on a binary linear code with the Fast Walsh-Hadamard Transform (FWHT). Applying the FWHT on a function in the classical setting is mathematically equivalent to applying the Hadamard...

2024/886 (PDF) Last updated: 2024-12-06
A New Security Evaluation Method Based on Resultant for Arithmetic-Oriented Algorithms
Hong-Sen Yang, Qun-Xiong Zheng, Jing Yang, Quan-feng Liu, Deng Tang
Attacks and cryptanalysis

The rapid development of advanced cryptographic applications like multi-party computation (MPC), fully homomorphic encryption (FHE), and zero-knowledge (ZK) proofs have motivated the designs of the so-called arithmetic-oriented (AO) primitives. Efficient AO primitives typically build over large fields and use large S-boxes. Such design philosophy brings difficulties in the cryptanalysis of these primitives as classical cryptanalysis methods do not apply well. The generally recognized attacks...

2024/877 (PDF) Last updated: 2024-06-02
Multiple Sampling Fast Correlation Attack on Small State Stream Ciphers with Limited Round Key Period
Zhongzhi Zhou, Vahid Amin-Ghafari, Hui Liu
Attacks and cryptanalysis

The fast correlation attack (FCA) is a powerful cryptanalysis technique that targets stream ciphers based on linear feedback shift registers (LFSRs). Several FCAs were applied to small state stream ciphers (SSCs). In this paper, the idea of multiple sampling is proposed to use the available keystream bits more efficiently and decrease the data complexity of the attacks. This idea helps to overcome the limitation of SSCs on the number of output keystream bits. Moreover, we classify the parity...

2024/873 (PDF) Last updated: 2024-06-01
Cryptanalysis of Algebraic Verifiable Delay Functions
Alex Biryukov, Ben Fisch, Gottfried Herold, Dmitry Khovratovich, Gaëtan Leurent, María Naya-Plasencia, Benjamin Wesolowski
Attacks and cryptanalysis

Verifiable Delay Functions (VDF) are a class of cryptographic primitives aiming to guarantee a minimum computation time, even for an adversary with massive parallel computational power. They are useful in blockchain protocols, and several practical candidates have been proposed based on exponentiation in a large finite field: Sloth++, Veedo, MinRoot. The underlying assumption of these constructions is that computing an exponentiation $x^e$ requires at least $\log_2 e$ sequential...

2024/871 (PDF) Last updated: 2024-08-12
New Approaches for Estimating the Bias of Differential-Linear Distinguishers (Full Version)
Ting Peng, Wentao Zhang, Jingsui Weng, Tianyou Ding
Secret-key cryptography

Differential-linear cryptanalysis was introduced by Langford and Hellman in 1994 and has been extensively studied since then. In 2019, Bar-On et al. presented the Differential-Linear Connectivity Table (DLCT), which connects the differential part and the linear part, thus an attacked cipher is divided to 3 subciphers: the differential part, the DLCT part, and the linear part. In this paper, we firstly present an accurate mathematical formula which establishes a relation between...

2024/857 (PDF) Last updated: 2024-05-31
Speeding up Preimage and Key-Recovery Attacks with Highly Biased Differential-Linear Approximations
Zhongfeng Niu, Kai Hu, Siwei Sun, Zhiyu Zhang, Meiqin Wang
Attacks and cryptanalysis

We present a framework for speeding up the search for preimages of candidate one-way functions based on highly biased differential-linear distinguishers. It is naturally applicable to preimage attacks on hash functions. Further, a variant of this framework applied to keyed functions leads to accelerated key-recovery attacks. Interestingly, our technique is able to exploit related-key differential-linear distinguishers in the single-key model without querying the target encryption oracle...

2024/852 (PDF) Last updated: 2024-05-30
Breaking Indistinguishability with Transfer Learning: A First Look at SPECK32/64 Lightweight Block Ciphers
Jimmy Dani, Kalyan Nakka, Nitesh Saxena
Attacks and cryptanalysis

In this research, we introduce MIND-Crypt, a novel attack framework that uses deep learning (DL) and transfer learning (TL) to challenge the indistinguishability of block ciphers, specifically SPECK32/64 encryption algorithm in CBC mode (Cipher Block Chaining) against Known Plaintext Attacks (KPA). Our methodology includes training a DL model with ciphertexts of two messages encrypted using the same key. The selected messages have the same byte-length and differ by only one bit at the binary...

2024/845 (PDF) Last updated: 2024-07-19
PathGES: An Efficient and Secure Graph Encryption Scheme for Shortest Path Queries
Francesca Falzon, Esha Ghosh, Kenneth G. Paterson, Roberto Tamassia
Applications

The increasing importance of graph databases and cloud storage services prompts the study of private queries on graphs. We propose PathGES, a graph encryption scheme (GES) for single-pair shortest path queries. PathGES is efficient and mitigates the state-of-the-art attack by Falzon and Paterson (2022) on the GES by Ghosh, Kamara, and Tamassia (2021), while only incurring an additional logarithmic factor in storage overhead. PathGES leverages a novel data structure that minimizes leakage and...

2024/825 (PDF) Last updated: 2024-05-27
KHAN Encryption Algorithm: Leveraging Full Reptend Primes
Ayaz Khan
Implementation

The Keyed Hashing and Asymmetric Nonce (KHAN) encryption algorithm is a novel cryptographic scheme that utilizes the unique properties of full reptend prime numbers. This paper details the algorithm, its theoretical foundations, and the rigorous proofs of its security properties. By leveraging the characteristics of cyclic sequences derived from full reptend primes, KHAN provides robust encryption with high resistance to cryptanalytic attacks.

2024/817 (PDF) Last updated: 2024-05-26
DVA: Dangerous Variations of ALTEQ
Arnaud Sipasseuth
Public-key cryptography

In this paper, we present three types of variations of the ALTEQ cryptosystem, a recent submission to the NIST's additional call for signatures. We name these Dangerous Variations of ALTEQ (DVA), as there is always a certain danger in stepping out of usual constructions, although we attempt to maintain heuristic security. First, we present DVA-GG (Graph Generalization), that can be seen as a more abstract point-of-view on the operations done in ALTEQ and encourages more research on the...

2024/809 (PDF) Last updated: 2024-05-24
Reducing Overdefined Systems of Polynomial Equations Derived from Small Scale Variants of the AES via Data Mining Methods
Jana Berušková, Martin Jureček, Olha Jurečková
Attacks and cryptanalysis

This paper deals with reducing the secret key computation time of small scale variants of the AES cipher using algebraic cryptanalysis, which is accelerated by data mining methods. This work is based on the known plaintext attack and aims to speed up the calculation of the secret key by processing the polynomial equations extracted from plaintext-ciphertext pairs. Specifically, we propose to transform the overdefined system of polynomial equations over GF(2) into a new system so that the...

2024/802 (PDF) Last updated: 2024-10-30
On Maximum Size Simultaneous Linear Approximations in Ascon and Keccak and Related Translation and Differential Properties
Nicolas T. Courtois, Frédéric Amiel, Alexandre Bonnard de Fonvillars
Secret-key cryptography

In this paper we study the S-box known as Chi or \chi initially proposed by Daemen in 1995 and very widely used ever since in Keccak, Ascon, and many other. This type of ciphers is typically analyzed [in recent research] in terms of subspace trail attacks [TeDi19] and vector space invariants. An interesting question is then, when different spaces are mapped to each other by translations with a constant. In this paper we relax this fundamental question and we consider arbitrary sets of...

2024/783 (PDF) Last updated: 2024-05-24
Differential Cryptanalysis on Quantum Computers
Kyungbae Jang, Yujin Oh, Hwajeong Seo
Attacks and cryptanalysis

As quantum computing progresses, extensive research has been conducted to find quantum advantages in the field of cryptography. Combining quantum algorithms with classical cryptographic analysis methods, such as differential cryptanalysis and linear cryptanalysis, has the potential to reduce complexity. In this paper, we present a quantum differential finding circuit for differential cryptanalysis. In our quantum circuit, both plaintext and input difference are in a superposition state....

2024/763 (PDF) Last updated: 2024-10-26
Incorporating SIS Problem into Luby-Rackoff Cipher
Yu Morishima, Masahiro Kaminaga
Secret-key cryptography

With the rise of quantum computing, the security of traditional cryptographic systems, especially those vulnerable to quantum attacks, is under threat. While public key cryptography has been widely studied in post-quantum security, symmetric-key cryptography has received less attention. This paper explores using the Ajtai-Micciancio hash function, based on the Short Integer Solution (SIS) problem, as a pseudorandom function in the Luby-Rackoff cipher. Since lattice-based problems like SIS...

2024/748 (PDF) Last updated: 2024-05-16
PERK: Compact Signature Scheme Based on a New Variant of the Permuted Kernel Problem
Slim Bettaieb, Loïc Bidoux, Victor Dyseryn, Andre Esser, Philippe Gaborit, Mukul Kulkarni, Marco Palumbi
Public-key cryptography

In this work we introduce PERK a compact digital signature scheme based on the hardness of a new variant of the Permuted Kernel Problem (PKP). PERK achieves the smallest signature sizes for any PKP-based scheme for NIST category I security with 6 kB, while obtaining competitive signing and verification timings. PERK also compares well with the general state-of-the-art. To substantiate those claims we provide an optimized constant-time AVX2 implementation, a detailed performance analysis and...

Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.