Abstract
We describe an approach to zero-sum partitions using Todo’s division property at EUROCRYPT 2015. It follows the inside-out methodology, and includes MILP-assisted search for the forward and backward trails, and subspace approach to connect those two trails that is less restrictive than commonly done.
As an application we choose PHOTON, a family of sponge-like hash function proposals that was recently standardized by ISO. With respect to the security claims made by the designers, we for the first time show zero-sum partitions for almost all of those full 12-round permutation variants that use a 4-bit S-Box. As with essentially any other zero-sum property in the literature, also here the gap between a generic attack and the shortcut is small.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
We mention that our distinguishers have only a small advantage (approximately a factor 2) when compared to the generic attack.
- 2.
A C/C++ program that verifies our 8 inequalities can cover DDT of PRESENT as the ones given in [32] can be provided if requested. We note that a smaller number of inequalities could help to accelerate searching for zero-sum partitions in some cases (e.g. when the state size is getting large).
- 3.
Let two vectors \(\mathbf{k} = (k_0, k_1, \ldots , k_{m-1})\) and \(\mathbf{k}^\prime = (k^\prime _0, k^\prime _1, \ldots , k^\prime _{m-1}) \in \mathbb {Z}^m\), define \(k \succeq k^\prime \) if \(k_i \ge k^\prime _i\) for all \(0\le i\le m-1\); otherwise we denote \(k \nsucceq k^\prime \).
- 4.
In order to explain such result, Gilbert propose that super-Sbox notation, where super-\(Sbox(\cdot ) := \) S-Box \(\circ ARK \circ MC \circ \) S-Box\((\cdot )\). The same result has been explained in details in [16] using the subspace trail notation.
- 5.
More precisely, S-Box(aaac) is a subset of 8 elements of \(\{0x0, 0x1,\ldots , 0xf\}\). On the other hand, such subset depends on the details of the S-Box function and doesn’t have any particular property.
- 6.
Given a fixed set \(\{a_i\}_i\), they satisfy the required equality with probability \(2^{-2n}\). It follows that given \(2n+\varepsilon \) sets, at least one of them satisfy it with probability \(1-(1-2^{-2n})^{2n+\varepsilon } \approx 1-e^\varepsilon \), assuming \(2n \gg 1\). For a probability of success higher than 99.99%, it follows \(\varepsilon \ge 10\).
References
http://www.ibm.com/software/integration/optimization/cplex-optimizer/
Aumasson, J.-P., Meier, W.: Zero-sum distinguishers for reduced Keccak-f and for the core functions of Luffa and Hamsi. In: Presented at the Rump Session of Cryptographic Hardware and Embedded Systems - CHES 2009 (2009). https://131002.net/data/papers/AM09.pdf
Bellare, M., Micciancio, D.: A new paradigm for collision-free hashing: incrementality at reduced cost. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 163–192. Springer, Heidelberg (1997). https://doi.org/10.1007/3-540-69053-0_13
Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Note on zero-sum distinguishers of Keccak-f. http://keccak.noekeon.org/NoteZeroSum.pdf
Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Sponge functions. In: ECRYPT Hash Workshop (2007)
Biryukov, A., Shamir, A.: Structural cryptanalysis of SASAS. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 395–405. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44987-6_24
Boura, C., Canteaut, A.: A zero-sum property for the Keccak-\(f\) permutation with 18 rounds. In: Proceedings of the IEEE International Symposium on Information Theory, ISIT 2010, Austin, Texas, USA, 13–18 June 2010, pp. 2488–2492. IEEE (2010). https://doi.org/10.1109/ISIT.2010.5513442
Boura, C., Canteaut, A.: Another view of the division property. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 654–682. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53018-4_24
Daemen, J., Knudsen, L., Rijmen, V.: The block cipher square. In: Biham, E. (ed.) FSE 1997. LNCS, vol. 1267, pp. 149–165. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0052343
Dobbertin, H.: Cryptanalysis of MD5 compress. In: Presented at the Rump Session of Eurocrypt 1996 (1996)
Dobbertin, H.: The status of MD5 after a recent attack. CryptoBytes 2(2) (1996). ftp://ftp.rsasecurity.com/pub/cryptobytes/crypto2n2.pdf
Duan, M., Lai, X.: Improved zero-sum distinguisher for full round Keccak-\(f\) permutation. Chin. Sci. Bull. 57(6), 694–697 (2012)
Gilbert, H.: A simplified representation of AES. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 200–222. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45611-8_11
Gilbert, H., Minier, M.: A collision attack on 7 rounds of Rijndael. In: AES Candidate Conference, pp. 230–241 (2000)
Grassi, L., Rechberger, C.: New and old limits for AES known-key distinguishers. Cryptology ePrint Archive, Report 2017/255 (2017). http://eprint.iacr.org/2017/255
Grassi, L., Rechberger, C., Rønjom, S.: Subspace trail cryptanalysis and its applications to AES. IACR Trans. Symmetric Cryptol. 2016(2), 192–225 (2017). http://tosc.iacr.org/index.php/ToSC/article/view/571
Guo, J., Peyrin, T., Poschmann, A.: The PHOTON family of lightweight hash functions. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 222–239. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22792-9_13
Jean, J., Naya-Plasencia, M., Peyrin, T.: Improved rebound attack on the finalist Grøstl. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 110–126. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34047-5_7
Knudsen, L.R., Rijmen, V.: Known-key distinguishers for some block ciphers. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 315–324. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-76900-2_19
Knudsen, L., Wagner, D.: Integral cryptanalysis. In: Daemen, J., Rijmen, V. (eds.) FSE 2002. LNCS, vol. 2365, pp. 112–127. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45661-9_9
Knudsen, L.R.: Truncated and higher order differentials. In: Preneel, B. (ed.) FSE 1994. LNCS, vol. 1008, pp. 196–211. Springer, Heidelberg (1995). https://doi.org/10.1007/3-540-60590-8_16
Lucks, S.: Attacking seven rounds of Rijndael under 192-bit and 256-bit keys. In: AES Candidate Conference, pp. 215–229 (2000)
Sun, L., Wang, W., Wang, M.: MILP-aided bit-based division property for primitives with non-bit-permutation linear layers. Cryptology ePrint Archive, Report 2016/811 (2016). http://eprint.iacr.org/2016/811
Sun, S., Hu, L., Wang, P., Qiao, K., Ma, X., Song, L.: Automatic security evaluation and (related-key) differential characteristic search: application to SIMON, PRESENT, LBlock, DES(L) and other bit-oriented block ciphers. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 158–178. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45611-8_9
Todo, Y.: Integral cryptanalysis on full MISTY1. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 413–432. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-47989-6_20
Todo, Y.: Structural evaluation by generalized integral property. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 287–314. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_12
Todo, Y., Morii, M.: Bit-based division property and application to Simon family. In: Peyrin, T. (ed.) FSE 2016. LNCS, vol. 9783, pp. 357–377. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-52993-5_18
Wagner, D.: The boomerang attack. In: Knudsen, L. (ed.) FSE 1999. LNCS, vol. 1636, pp. 156–170. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48519-8_12
Wang, Q., Grassi, L., Rechberger, C.: Zero-sum partitions of PHOTON permutations. Cryptology ePrint Archive, Report 2017/1211 (2017). http://eprint.iacr.org/2017/1211
Wang, Q., Liu, Z., Varıcı, K., Sasaki, Y., Rijmen, V., Todo, Y.: Cryptanalysis of reduced-round SIMON32 and SIMON48. In: Meier, W., Mukhopadhyay, D. (eds.) INDOCRYPT 2014. LNCS, vol. 8885, pp. 143–160. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-13039-2_9
Xiang, Z., Zhang, W., Bao, Z., Lin, D.: Applying MILP method to searching integral distinguishers based on division property for 6 lightweight block ciphers. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 648–678. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53887-6_24
Zhang, W., Rijmen, V.: Division cryptanalysis of block ciphers with a binary diffusion layer. Cryptology ePrint Archive, Report 2017/188 (2017). http://eprint.iacr.org/2017/188
Acknowledgements
The authors would like to thank Meicheng Liu and Jian Guo for their fruitful discussions, and the anonymous reviewers for their comments. This work was supported partially by National Natural Science Foundation of China (No. 61472250, No. 61672347), Major State Basic Research Development Program (973 Plan, No. 2013CB338004), and Program of Shanghai Academic/Technology Research Leader (No. 16XD1401300).
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2018 Springer International Publishing AG, part of Springer Nature
About this paper
Cite this paper
Wang, Q., Grassi, L., Rechberger, C. (2018). Zero-Sum Partitions of PHOTON Permutations. In: Smart, N. (eds) Topics in Cryptology – CT-RSA 2018. CT-RSA 2018. Lecture Notes in Computer Science(), vol 10808. Springer, Cham. https://doi.org/10.1007/978-3-319-76953-0_15
Download citation
DOI: https://doi.org/10.1007/978-3-319-76953-0_15
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-76952-3
Online ISBN: 978-3-319-76953-0
eBook Packages: Computer ScienceComputer Science (R0)