
Cryptanalytic Time–Memory–Data Trade-offs for FX-Constructions and the Affine Equivalence Problem

  • Itai Dinur
Article

Abstract

The FX-construction was proposed in 1996 by Kilian and Rogaway as a generalization of the DESX scheme. The construction increases the security of an n-bit core block cipher with a \(\kappa \)-bit key by using two additional n-bit masking keys. Recently, several concrete instances of the FX-construction were proposed, including PRINCE, PRIDE and MANTIS (presented at ASIACRYPT 2012, CRYPTO 2014 and CRYPTO 2016, respectively). In this paper, we devise new cryptanalytic time–memory–data trade-off attacks on FX-constructions. By fine-tuning the parameters to the recent FX-construction proposals, we show that the security margin of these ciphers against practical attacks is smaller than expected. Our techniques combine a special form of time–memory–data trade-offs, typically applied to stream ciphers, with a cryptanalytic technique by Fouque, Joux and Mavromati. In the final part of the paper, we show that the techniques we use in cryptanalysis of the FX-construction are applicable to additional schemes. In particular, we use related methods in order to devise new time–memory trade-offs for solving the affine equivalence problem. In this problem, the input consists of two functions \(F,G: \{0,1\}^n \rightarrow \{0,1\}^n\), and the goal is to determine whether there exist invertible affine transformations \(A_1,A_2\) over \(GF(2)^n\) such that \(G = A_2 \circ F \circ A_1\).
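The abstract defines two objects: the FX-construction, in which an n-bit core cipher E_k with a κ-bit key is wrapped by two n-bit whitening keys so that FX_{k,k1,k2}(x) = k2 ⊕ E_k(x ⊕ k1), and the affine equivalence problem, in which one asks whether G = A2 ∘ F ∘ A1 for invertible affine maps A1, A2 over GF(2)^n. The following Python is an added illustration, not code from the paper: the core cipher is a constructed toy permutation (any n-bit keyed bijection would do), and the affine-equivalence search at the end is the naive exhaustive baseline for tiny n, not the time-memory trade-off the paper proposes. It shows how the masking keys are applied and undone, how an affine map over GF(2)^n is represented and checked for invertibility, and why fixing A1 forces A2 uniquely when F and G are permutations.

```python
"""Toy FX-construction and affine-equivalence helpers (constructed example, not from the paper).

The core cipher, keys and affine maps below are made up for illustration; the
exhaustive equivalence search is exponential in n^2 and meant for n <= 4 only.
"""
from itertools import product


def rotl(x, r, n):
    """Rotate the n-bit value x left by r bits."""
    r %= n
    return ((x << r) | (x >> (n - r))) & ((1 << n) - 1)


def core_encrypt(key, x, n=8, rounds=3):
    """Toy n-bit keyed permutation standing in for the FX core cipher E_k (assumption).
    Each round: XOR a rotated round key, multiply by an odd constant (a bijection mod 2^n), rotate."""
    mask = (1 << n) - 1
    for r in range(rounds):
        x ^= rotl(key, r, n)
        x = (x * 5 + 3) & mask
        x = rotl(x, 3, n)
    return x


def core_decrypt(key, y, n=8, rounds=3):
    """Inverse of core_encrypt: undo the rounds in reverse order."""
    mask = (1 << n) - 1
    inv5 = pow(5, -1, 1 << n)  # 5 is odd, hence invertible modulo 2^n
    for r in reversed(range(rounds)):
        y = rotl(y, n - 3, n)
        y = ((y - 3) * inv5) & mask
        y ^= rotl(key, r, n)
    return y


def fx_encrypt(k, k1, k2, x, n=8):
    """FX-construction (Kilian-Rogaway): FX_{k,k1,k2}(x) = k2 XOR E_k(x XOR k1)."""
    return k2 ^ core_encrypt(k, x ^ k1, n)


def fx_decrypt(k, k1, k2, y, n=8):
    """Strip the output mask, invert the core, strip the input mask."""
    return core_decrypt(k, y ^ k2, n) ^ k1


def apply_affine(cols, c, x):
    """Evaluate A(x) = M*x XOR c over GF(2)^n, with cols[i] = column i of M packed as an int."""
    y = c
    for i, col in enumerate(cols):
        if (x >> i) & 1:
            y ^= col
    return y


def is_invertible(cols, n):
    """Gaussian elimination over GF(2): M is invertible iff its n columns are independent."""
    pivots = {}  # highest set bit -> reduced vector with that leading bit
    for v in cols:
        while v:
            h = v.bit_length() - 1
            if h not in pivots:
                pivots[h] = v
                break
            v ^= pivots[h]
        else:          # v reduced to zero: linearly dependent
            return False
    return len(pivots) == n


def is_equivalent_via(F, G, A1, A2, n):
    """Check G == A2 o F o A1 on every input; F, G are lookup tables of length 2^n."""
    (cols1, c1), (cols2, c2) = A1, A2
    return all(apply_affine(cols2, c2, F[apply_affine(cols1, c1, x)]) == G[x]
               for x in range(1 << n))


def all_affine_maps(n):
    """Enumerate every invertible affine map over GF(2)^n (tiny n only)."""
    for cols in product(range(1, 1 << n), repeat=n):
        if is_invertible(cols, n):
            for c in range(1 << n):
                yield cols, c


def affine_equivalence(F, G, n):
    """Naive solver: return (A1, A2) with G = A2 o F o A1, or None.
    Once A1 is fixed, H = F o A1 is a permutation, so A2 is forced: A2(0) = G(H^-1(0))
    and column i of A2 is A2(e_i) XOR A2(0) = G(H^-1(e_i)) XOR G(H^-1(0))."""
    size = 1 << n
    for cols1, c1 in all_affine_maps(n):
        H = [F[apply_affine(cols1, c1, x)] for x in range(size)]
        Hinv = [0] * size
        for x, y in enumerate(H):
            Hinv[y] = x
        c2 = G[Hinv[0]]
        cols2 = [G[Hinv[1 << i]] ^ c2 for i in range(n)]
        if is_equivalent_via(F, G, (cols1, c1), (cols2, c2), n):
            return (cols1, c1), (cols2, c2)
    return None


if __name__ == "__main__":
    # Constructed 8-bit FX instance: core key 0x5A, whitening keys 0x3C and 0xC3.
    print("FX round trip ok:", all(fx_decrypt(0x5A, 0x3C, 0xC3, fx_encrypt(0x5A, 0x3C, 0xC3, x)) == x
                                   for x in range(256)))
    # Constructed 3-bit affine-equivalence instance: build G from F and known A1, A2, then recover a pair.
    F = [core_encrypt(5, x, 3) for x in range(8)]
    A1, A2 = ((3, 2, 5), 6), ((1, 3, 7), 2)
    G = [apply_affine(A2[0], A2[1], F[apply_affine(A1[0], A1[1], x)]) for x in range(8)]
    print("recovered:", affine_equivalence(F, G, 3))
```

The solver returns the first equivalent pair it meets, which need not be the pair used to build G: a permutation may have several affine self-equivalences, so a test should verify the returned pair with `is_equivalent_via` rather than compare it to the original maps.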

Keywords

Cryptanalysis, Block cipher, Time–memory–data trade-off, FX-construction, DESX, PRINCE, PRIDE, MANTIS, Affine equivalence problem

Notes

Acknowledgements

The author would like to thank the anonymous reviewers of EUROCRYPT 2015 and the Journal of Cryptology for their valuable comments that helped improve the presentation of this paper. The author was supported in part by the Israeli Science Foundation through Grant No. 573/16.

References

  1. M.R. Albrecht, B. Driessen, E.B. Kavun, G. Leander, C. Paar, T. Yalçin, Block ciphers—focus on the linear layer (feat. PRIDE), in J.A. Garay, R. Gennaro, editors, Advances in Cryptology—CRYPTO 2014—34th Annual Cryptology Conference, Santa Barbara, CA, USA, August 17–21, 2014, Proceedings, Part I. Lecture Notes in Computer Science, vol. 8616 (Springer, 2014), pp. 57–76
  2. E. Barkan, E. Biham, A. Shamir, Rigorous bounds on cryptanalytic time/memory tradeoffs, in C. Dwork, editor, CRYPTO. Lecture Notes in Computer Science, vol. 4117 (Springer, 2006), pp. 1–21
  3. C. Beierle, J. Jean, S. Kölbl, G. Leander, A. Moradi, T. Peyrin, Y. Sasaki, P. Sasdrich, S.M. Sim, The SKINNY family of block ciphers and its low-latency variant MANTIS, in M. Robshaw, J. Katz, editors, Advances in Cryptology—CRYPTO 2016—36th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 14–18, 2016, Proceedings, Part II. Lecture Notes in Computer Science, vol. 9815 (Springer, 2016), pp. 123–153
  4. A. Biryukov, C.D. Cannière, A. Braeken, B. Preneel, A toolbox for cryptanalysis: linear and affine equivalence algorithms, in E. Biham, editor, Advances in Cryptology—EUROCRYPT 2003, International Conference on the Theory and Applications of Cryptographic Techniques, Warsaw, Poland, May 4–8, 2003, Proceedings. Lecture Notes in Computer Science, vol. 2656 (Springer, 2003), pp. 33–50
  5. A. Biryukov, A. Shamir, Cryptanalytic time/memory/data tradeoffs for stream ciphers, in T. Okamoto, editor, ASIACRYPT. Lecture Notes in Computer Science, vol. 1976 (Springer, 2000), pp. 1–13
  6. A. Biryukov, A. Shamir, D. Wagner, Real time cryptanalysis of A5/1 on a PC, in B. Schneier, editor, FSE. Lecture Notes in Computer Science, vol. 1978 (Springer, 2000), pp. 1–18
  7. A. Biryukov, D. Wagner, Advanced slide attacks, in B. Preneel, editor, EUROCRYPT. Lecture Notes in Computer Science, vol. 1807 (Springer, 2000), pp. 589–606
  8. Bitcoin network graphs. http://bitcoin.sipa.be/
  9. J. Borghoff, A. Canteaut, T. Güneysu, E.B. Kavun, M. Knezevic, L.R. Knudsen, G. Leander, V. Nikov, C. Paar, C. Rechberger, P. Rombouts, S.S. Thomsen, T. Yalçin, PRINCE—a low-latency block cipher for pervasive computing applications—extended abstract, in X. Wang, K. Sako, editors, ASIACRYPT. Lecture Notes in Computer Science, vol. 7658 (Springer, 2012), pp. 208–225
  10. J. Borst, B. Preneel, J. Vandewalle, On the time–memory tradeoff between exhaustive key search and table precomputation, in Proceedings of 19th Symposium in Information Theory in the Benelux, WIC (1998), pp. 111–118
  11. M. Brinkmann, G. Leander, On the classification of APN functions up to dimension five. Des. Codes Cryptogr. 49(1–3), 273–288 (2008)
  12. A. Canteaut, J. Roué, On the behaviors of affine equivalent sboxes regarding differential and linear attacks, in Oswald, Fischlin [24], pp. 45–74
  13. J. Daemen, Limitations of the Even–Mansour construction, in ASIACRYPT, pp. 495–498 (1991)
  14. I. Dinur, Cryptanalytic time–memory–data tradeoffs for FX-constructions with applications to PRINCE and PRIDE, in Oswald, Fischlin [24], pp. 231–253
  15. I. Dinur, An improved affine equivalence algorithm for random permutations, in J.B. Nielsen, V. Rijmen, editors, Advances in Cryptology—EUROCRYPT 2018—37th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Tel Aviv, Israel, April 29–May 3, 2018, Proceedings, Part I. Lecture Notes in Computer Science, vol. 10820 (Springer, 2018), pp. 413–442
  16. O. Dunkelman, N. Keller, A. Shamir, Minimalism in cryptography: the Even–Mansour scheme revisited, in D. Pointcheval, T. Johansson, editors, EUROCRYPT. Lecture Notes in Computer Science, vol. 7237 (Springer, 2012), pp. 336–354
  17. S. Even, Y. Mansour, A construction of a cipher from a single pseudorandom permutation. J. Cryptol. 10(3), 151–162 (1997)
  18. P. Fouque, A. Joux, C. Mavromati, Multi-user collisions: applications to discrete logarithm, Even–Mansour and PRINCE, in P. Sarkar, T. Iwata, editors, Advances in Cryptology—ASIACRYPT 2014—20th International Conference on the Theory and Application of Cryptology and Information Security, Kaoshiung, Taiwan, R.O.C., December 7–11, 2014, Proceedings, Part I. Lecture Notes in Computer Science, vol. 8873 (Springer, 2014), pp. 420–438
  19. M.E. Hellman, A cryptanalytic time–memory trade-off. IEEE Trans. Inf. Theory 26(4), 401–406 (1980)
  20. J. Kilian, P. Rogaway, How to protect DES against exhaustive key search, in N. Koblitz, editor, CRYPTO. Lecture Notes in Computer Science, vol. 1109 (Springer, 1996), pp. 252–267
  21. G. Leander, A. Poschmann, On the classification of 4 bit s-boxes, in C. Carlet, B. Sunar, editors, Arithmetic of Finite Fields, First International Workshop, WAIFI 2007, Madrid, Spain, June 21–22, 2007, Proceedings. Lecture Notes in Computer Science, vol. 4547 (Springer, 2007), pp. 159–176
  22. W. Michiels, P. Gorissen, H.D.L. Hollmann, Cryptanalysis of a generic class of white-box implementations, in R.M. Avanzi, L. Keliher, F. Sica, editors, Selected Areas in Cryptography, 15th International Workshop, SAC 2008, Sackville, New Brunswick, Canada, August 14–15, Revised Selected Papers. Lecture Notes in Computer Science, vol. 5381 (Springer, 2008), pp. 414–428
  23. National Institute of Standards and Technology, Recommendation for Key Management—Part 1: General (Revision 3). NIST Special Publication 800-57 (2012)
  24. E. Oswald, M. Fischlin, editors, Advances in Cryptology—EUROCRYPT 2015—34th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Sofia, Bulgaria, April 26–30, 2015, Proceedings, Part I. Lecture Notes in Computer Science, vol. 9056 (Springer, 2015)
  25. J. Patarin, Hidden fields equations (HFE) and isomorphisms of polynomials (IP): two new families of asymmetric algorithms, in U.M. Maurer, editor, Advances in Cryptology—EUROCRYPT ’96, International Conference on the Theory and Application of Cryptographic Techniques, Saragossa, Spain, May 12–16, 1996, Proceedings. Lecture Notes in Computer Science, vol. 1070 (Springer, 1996), pp. 33–48
  26. R.L. Rivest, DESX. Never published (1984)
  27. F.-X. Standaert, G. Rouvroy, J.-J. Quisquater, J.-D. Legat, A time-memory tradeoff using distinguished points: new analysis & FPGA results, in B.S.K. Jr., Çetin Kaya Koç, C. Paar, editors, CHES. Lecture Notes in Computer Science, vol. 2523 (Springer, 2002), pp. 593–609
  28. P.C. van Oorschot, M.J. Wiener, Parallel collision search with cryptanalytic applications. J. Cryptol. 12(1), 1–28 (1999)

Copyright information

© International Association for Cryptologic Research 2019

Authors and Affiliations

  1. Department of Computer Science, Ben-Gurion University, Beersheba, Israel
