A Generic Approach to Invariant Subspace Attacks: Cryptanalysis of Robin, iSCREAM and Zorro

  • Gregor Leander
  • Brice Minaud
  • Sondre Rønjom
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9056)

Abstract

Invariant subspace attacks were introduced at CRYPTO 2011 to cryptanalyze PRINTcipher. The invariant subspaces for PRINTcipher were discovered in an ad hoc fashion, leaving a generic technique to discover invariant subspaces in other ciphers as an open problem. Here, based on a rather simple observation, we introduce a generic algorithm to detect invariant subspaces. We apply this algorithm to the CAESAR candidate iSCREAM, the closely related LS-design Robin, as well as the lightweight cipher Zorro. For all three candidates, invariant subspaces were detected, and they result in practical breaks of the ciphers. A closer analysis of independent interest reveals that these invariant subspaces are underpinned by a new type of self-similarity property. For all ciphers, our strongest attack shows the existence of a weak key set of density \(2^{-32}\). These weak keys lead to a simple property on the plaintexts that goes through the whole encryption process with probability one. All our attacks have been practically verified on reference implementations of the ciphers.
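The abstract describes a generic algorithm for detecting invariant subspaces but the page itself does not reproduce it. The following Python is an added example, not code from the paper, from the CAESAR submissions, or from the Zorro designers: it builds a constructed 8-bit toy SPN with a deliberately planted invariant subspace and runs a closure-style search in the spirit of the abstract's "rather simple observation". Starting from a guessed offset and a seed vector, the search repeatedly adds the round function's differences to the candidate subspace until it stabilises; an affine subspace \(a + U\) with \(R(a + U) \subseteq a + U\) is the smallest fixed point of that process. The S-box, the linear layer, the 8-bit state, the use of the same key in every round without round constants, and every name used (`SBOX`, `linear_layer`, `invariant_closure`, `weak_keys`) are assumptions of this example, not parameters of Robin, iSCREAM or Zorro, and the exact formulation of the search is mine rather than the paper's.

```python
"""Added example: closure-style search for an invariant subspace in a toy SPN.

The cipher, S-box, linear layer and key schedule below are constructed for
illustration; none of them is Robin, iSCREAM or Zorro.
"""
from typing import Callable, Iterable, List, Set

N_BITS = 8  # assumed toy state size: two 4-bit nibbles

# Constructed 4-bit S-box. Inputs 0..7 (top bit clear) are sent to 8..15 via the
# nonlinear permutation sigma = [0,3,5,6,7,2,4,1]; inputs 8..15 are sent to 0..7.
# This plants the subspace V = {0..7} -> 8 + V that the search below should find.
SBOX = [0x8, 0xB, 0xD, 0xE, 0xF, 0xA, 0xC, 0x9,
        0x5, 0x0, 0x7, 0x2, 0x4, 0x1, 0x6, 0x3]


def sub_bytes(x: int) -> int:
    """Apply SBOX to both nibbles of the 8-bit state."""
    return (SBOX[x >> 4] << 4) | SBOX[x & 0xF]


def linear_layer(x: int) -> int:
    """Invertible GF(2)-linear map (hi, lo) -> (hi ^ lo, hi)."""
    hi, lo = x >> 4, x & 0xF
    return ((hi ^ lo) << 4) | hi


def make_round(key: int) -> Callable[[int], int]:
    """Key-alternating round: same key every round, no round constants (assumed)."""
    return lambda x: linear_layer(sub_bytes(x)) ^ key


def encrypt(x: int, key: int, rounds: int = 8) -> int:
    """Iterate the round function; rounds=8 is an arbitrary choice for the toy."""
    rnd = make_round(key)
    for _ in range(rounds):
        x = rnd(x)
    return x


def span(vectors: Iterable[int]) -> Set[int]:
    """Linear span over GF(2): the closure of the vectors under XOR."""
    space = {0}
    for v in vectors:
        if v not in space:
            space |= {s ^ v for s in space}
    return space


def invariant_closure(rnd: Callable[[int], int], offset: int, seed: int) -> Set[int]:
    """Smallest linear subspace U containing `seed` with rnd(offset + U) ⊆ offset + U.

    U grows by adding rnd(offset) ^ offset and every difference
    rnd(offset ^ u) ^ rnd(offset) for u in U, until nothing new appears.
    Reaching the full space means no proper invariant subspace exists
    through this offset and seed.
    """
    full = 1 << N_BITS
    u_space = span([seed])
    while True:
        gens = {rnd(offset) ^ offset}
        gens |= {rnd(offset ^ u) ^ rnd(offset) for u in u_space}
        new_space = span(u_space | gens)
        if new_space == u_space or len(new_space) == full:
            return new_space
        u_space = new_space


def is_invariant(rnd: Callable[[int], int], offset: int, u_space: Set[int]) -> bool:
    """Check rnd(offset + U) ⊆ offset + U by exhaustive evaluation."""
    return all((rnd(offset ^ u) ^ offset) in u_space for u in u_space)


def weak_keys(offset: int, u_space: Set[int]) -> List[int]:
    """Keys for which the coset offset + U survives every round (all 2^8 keys tried)."""
    return [k for k in range(1 << N_BITS) if is_invariant(make_round(k), offset, u_space)]


if __name__ == "__main__":
    key = 0x08  # one weak key of the toy cipher (constructed)
    u_space = invariant_closure(make_round(key), offset=0, seed=0x01)
    print(f"invariant subspace of dimension {len(u_space).bit_length() - 1}: "
          f"{sorted(hex(u) for u in u_space)}")
    print(f"weak keys: {len(weak_keys(0, u_space))} of {1 << N_BITS}")
    # The weak-key property: every plaintext in U stays in U through all rounds.
    assert all(encrypt(p, key) in u_space for p in u_space)
```

With key `0x08` and offset 0 the closure from the seed `0x01` grows to the 64-element subspace of states whose nibble top bits are both clear, and exhaustive checking finds 64 of the 256 keys under which that coset is preserved, a density of \(2^{-2}\) in the toy where the paper reports \(2^{-32}\) for the real ciphers. For such a key the membership of the plaintext in the subspace carries through every round with probability one, which is the kind of property the abstract refers to; for any other key the first round already pushes the coset elsewhere.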

Keywords

Cryptanalysis, Lightweight cryptography, Invariant subspace, Self-similarity, iSCREAM, LS-designs, Zorro, CAESAR

Copyright information

© International Association for Cryptologic Research 2015

Authors and Affiliations

  1. Horst Görtz University for IT Security, Ruhr-Universität Bochum, Bochum, Germany
  2. Agence Nationale de la Sécurité des Systèmes d’Information, Paris, France
  3. Nasjonal sikkerhetsmyndighet, Oslo, Norway