Abstract
Forkciphers are a new kind of primitive proposed recently by Andreeva et al. for efficient encryption and authentication of small messages. They fork the middle state of a cipher and encrypt it twice under two smaller independent permutations. Thus, forkciphers produce two output blocks in one primitive call.
Andreeva et al. proposed ForkAES, a tweakable AES-based forkcipher that splits the state after five out of ten rounds. While their authenticated encrypted schemes were accompanied by proofs, the security discussion for ForkAES was not provided, and founded on existing results on the AES and KIASU-BC. Forkciphers provide a unique interface called reconstruction queries that use one ciphertext block as input and compute the respective other ciphertext block. Thus, they deserve a careful security analysis.
This work fosters the understanding of the security of ForkAES with three contributions: (1) We observe that security in reconstruction queries differs strongly from the existing results on the AES. This allows to attack nine out of ten rounds with differential, impossible-differential and yoyo attacks. (2) We observe that some forkcipher modes may lack the interface of reconstruction queries, so that attackers must use encryption queries. We show that nine rounds can still be attacked with rectangle and impossible-differential attacks. (3) We present forgery attacks on the AE modes proposed by Andreeva et al. with nine-round ForkAES.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsNotes
- 1.
\(\nu \) is a so-called zero-differential pattern that denotes the position of inactive words. Refer to Appendix A for more precise definition.
References
Andreeva, E., Reyhanitabar, R., Varici, K., Vizár, D.: Forking a blockcipher for authenticated encryption of very short messages. IACR Archive (2018). https://eprint.iacr.org/2018/916, Version: 20180926:123554
Banik, S., et al.: Cryptanalysis of ForkAES. Cryptology ePrint Archive, Report 2019/289 (2019). https://eprint.iacr.org/2019/289
Biham, E., Biryukov, A., Dunkelman, O., Richardson, E., Shamir, A.: Initial observations on skipjack: cryptanalysis of skipjack-3XOR. In: Tavares, S., Meijer, H. (eds.) SAC 1998. LNCS, vol. 1556, pp. 362–375. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48892-8_27
Biham, E., Biryukov, A., Shamir, A.: Cryptanalysis of skipjack reduced to 31 rounds using impossible differentials. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 12–23. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48910-X_2
Biham, E., Dunkelman, O., Keller, N.: The rectangle attack - rectangling the serpent. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 340–357. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44987-6_21
Biham, E., Dunkelman, O., Keller, N.: New results on boomerang and rectangle attacks. In: Daemen, J., Rijmen, V. (eds.) FSE 2002. LNCS, vol. 2365, pp. 1–16. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45661-9_1
Blondeau, C.: Accurate Estimate of the Advantage of Impossible Differential Attacks. IACR Trans. Symmetric Cryptol. 2017(3), 169–191 (2017)
Boura, C., Lallemand, V., Naya-Plasencia, M., Suder, V.: Making the impossible possible. J. Cryptol. 31(1), 101–133 (2018)
Boura, C., Naya-Plasencia, M., Suder, V.: Scrutinizing and improving impossible differential attacks: applications to CLEFIA, Camellia, LBlock and Simon. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 179–199. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45611-8_10
Cid, C., Huang, T., Peyrin, T., Sasaki, Y., Song, L.: Boomerang connectivity table: a new cryptanalysis tool. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10821, pp. 683–714. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78375-8_22
Daemen, J., Rijmen, V.: The Design of Rijndael: AES - The Advanced Encryption Standard. Springer, Heidelberg (2002). https://doi.org/10.1007/978-3-662-04722-4
Derbez, P.: Note on impossible differential attacks. In: Peyrin, T. (ed.) FSE 2016. LNCS, vol. 9783, pp. 416–427. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-52993-5_21
Dobraunig, C., List, E.: Impossible-differential and boomerang cryptanalysis of round-reduced Kiasu-BC. In: Handschuh, H. (ed.) CT-RSA 2017. LNCS, vol. 10159, pp. 207–222. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-52153-4_12
Grassi, L., Rechberger, C., Rønjom, S.: Subspace trail cryptanalysis and its applications to AES. IACR Trans. Symmetric Cryptol. 2016(2), 192–225 (2016)
Jean, J., Nikolić, I., Peyrin, T.: Tweaks and keys for block ciphers: the TWEAKEY framework. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8874, pp. 274–288. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45608-8_15
Kara, O.: Reflection cryptanalysis of some ciphers. In: Chowdhury, D.R., Rijmen, V., Das, A. (eds.) INDOCRYPT 2008. LNCS, vol. 5365, pp. 294–307. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-89754-5_23
Knudsen, L.: DEAL - a 128-bit block cipher. Complexity 258(2), 216 (1998)
Murphy, S.: The return of the cryptographic boomerang. IEEE Trans. Inf. Theory 57(4), 2517–2521 (2011)
National Institute of Standards and Technology. FIPS 197. National Institute of Standards and Technology, November, pp. 1–51 (2001)
Rønjom, S., Bardeh, N.G., Helleseth, T.: Yoyo tricks with AES. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10624, pp. 217–243. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70694-8_8
Tolba, M., Abdelkhalek, A., Youssef, A.M.: A meet in the middle attack on reduced round Kiasu-BC. IEICE Trans. Fundam. Electron. Commun. Comput. Sci. E99-A(10), 21–34 (2016)
Wagner, D.: The boomerang attack. In: Knudsen, L. (ed.) FSE 1999. LNCS, vol. 1636, pp. 156–170. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48519-8_12
Acknowledgments.
Parts of this work have been initiated during the group sessions of the 8th Asian Workshop on Symmetric Cryptography (ASK 2018) held at the Indian Statistical Institute in Kolkata. We would also like to thank the anonymous reviewers and the designers of ForkAES for their helpful comments. Subhadeep Banik is supported by the Ambizione Grant PZ00P2_179921, awarded by the Swiss National Science Foundation.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
A Previous Yoyo Game
A Previous Yoyo Game
The yoyo game was introduced by Biham et al. for the cryptanalysis of Skipjack [3]. Recently, Rønjom et al. [20] reported a deterministic distinguisher for two generic Substitution-Permutation (SP) rounds. This result has been applied to eight-round ForkAES to perform a key-recovery attack. Let us look at some definitions originally introduced in [20]. Let \(F:\mathbb {F}^n_{q} \rightarrow \mathbb {F}^n_{q}\) be a generic permutation where \(q=2^k\). Then, F is given by \(F = S \circ L \circ S \circ L \circ S\), where S is a concatenation of n parallel S-Boxes on n individual words from \(\mathbb {F}_q\) and L denotes the linear layer over \(\mathbb {F}^n_{q}\). A vector of words \(\alpha =(\alpha _0,\alpha _1,\cdots ,\alpha _{n-1}) \in \mathbb {F}^n_q\) forms the states. The Zero-difference Pattern is defined as:
Definition 1
(Zero-difference Pattern [20]). Let, \(\alpha \in \mathbb {F}_{q}^{n}\) for \(q=2^{k}\). The Zero-difference Pattern for \(\alpha \) is \(\nu (\alpha )=(z_0,z_1,...,z_{n-1})\), where \(\nu (\alpha )\) takes values in \(\mathbb {F}_{2}^{n}\) and \(z_i=1\) if \(\alpha _i=0\) or \(z_i=0\) otherwise.
The weight \(wt(\nu (\alpha ))\) refers to the number of active words in \(\alpha \). The Yoyo game depends then on the swapping of words among the texts. The following definition describes the swapping mechanism.
Definition 2
(Word Swapping [20]). Let, \(\alpha ,\beta \in \mathbb {F}_{q}^{n}\) be two states and \(v \in \mathbb {F}_{2}^{n}\) be a vector, then \(\rho ^{v}(\alpha ,\beta )\) is a new state in \(\mathbb {F}_{q}^{n}\) created from \(\alpha , \beta \) by swapping components among them. The i-th component of \(\rho ^{v}(\alpha ,\beta ) = \alpha _i\) if \(v_i = 1\) and \(\rho ^{v}(\alpha ,\beta ) = \beta _i\) otherwise.
Yoyo Distinguisher for Two Generic SP Rounds. Two generic SP rounds can be written as \(G_{2} = L \circ S \circ L \circ S\) where the final L layer can be omitted since it does not affect the security. Also, the substitution layers do not have to be equal. After modification, \(G_{2} = S_1 \circ L \circ S_2\). The deterministic distinguisher for two generic SP rounds is described by the following theorem.
Theorem 1
(The Yoyo Game [20]). Let, \(p^0,p^1 \in \mathbb {F}_{q}^{n}\), \(c^0=G_{2}(p^0)\) and \(c^1=G_{2}(p^1)\). For any vector \(v \in \mathbb {F}_{2}^{n}\), \(c^{'0}=\rho ^{v}(c^0,c^1)\) and \(c^{'1}=\rho ^{v}(c^1,c^0)\). Then
\(\nu (G_2^{-1}(c^{'0}) \oplus G_2^{-1}(c^{'1})) =\nu (p^{'0} \oplus p^{'1}) =\nu (p^{0} \oplus p^{1})\).
Rights and permissions
Copyright information
© 2019 Springer Nature Switzerland AG
About this paper
Cite this paper
Banik, S. et al. (2019). Cryptanalysis of ForkAES. In: Deng, R., Gauthier-Umaña, V., Ochoa, M., Yung, M. (eds) Applied Cryptography and Network Security. ACNS 2019. Lecture Notes in Computer Science(), vol 11464. Springer, Cham. https://doi.org/10.1007/978-3-030-21568-2_3
Download citation
DOI: https://doi.org/10.1007/978-3-030-21568-2_3
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-21567-5
Online ISBN: 978-3-030-21568-2
eBook Packages: Computer ScienceComputer Science (R0)