-
Chapter and Conference Paper
Improving Linear Key Recovery Attacks Using Walsh Spectrum Puncturing
In some linear key recovery attacks, the function which determines the value of the linear approximation from the plaintext, ciphertext and key is replaced by a similar map in order to improve the time or memo...
-
Chapter and Conference Paper
Keyed Sum of Permutations: A Simpler RP-Based PRF
Idealized constructions in cryptography prove the security of a primitive based on the security of another primitive. The challenge of building a pseudorandom function (PRF) from a random permutation (RP) has ...
-
Article
Improved Differential-Linear Attacks with Applications to ARX Ciphers
We present several improvements to the framework of differential-linear attacks with a special focus on ARX ciphers. As a demonstration of their impact, we apply them to Chaskey and ChaCha and we are able to s...
-
Article
Sycon: a new milestone in designing ASCON-like permutations
ASCON is one of the elegant designs of authenticated encryption with associated data (AEAD) that was selected as the first choice for lightweight applications in the CAESAR competition, which also has been submit...
-
Chapter and Conference Paper
A Modular Approach to the Incompressibility of Block-Cipher-Based AEADs
Incompressibility is one of the most fundamental security goals in white-box cryptography. Given recent advances in the design of efficient and incompressible block ciphers such as SPACE, SPNbox and WhiteBlock, w...
-
Chapter and Conference Paper
New Attacks from Old Distinguishers Improved Attacks on Serpent
Serpent was originally proposed in 1998 and is one of the most studied block ciphers. In this paper we improve knowledge of its security by providing the current best attack on this cipher, which is a 12-round...
-
Chapter and Conference Paper
Designing S-Boxes Providing Stronger Security Against Differential Cryptanalysis for Ciphers Using Byte-Wise XOR
In this paper, we develop an S-box designing method by considering an interplay between an S-box and a linear layer, which enhances security against differential cryptanalysis. The basic idea can be found in b...
-
Chapter and Conference Paper
Birthday-Bound Slide Attacks on TinyJAMBU’s Keyed-Permutations for All Key Sizes
We study the security of the underlying keyed-permutations of NIST LWC finalist TinyJAMBU. Our main findings are key-recovery attacks whose data and time complexities are close to the birthday bound ...
-
Article
Modeling for Three-Subset Division Property without Unknown Subset
A division property is a generic tool to search for integral distinguishers, and automatic tools such as MILP or SAT/SMT allow us to evaluate the propagation efficiently. In the application to stream ciphers, ...
-
Chapter and Conference Paper
PRINCEv2
In this work, we propose tweaks to the PRINCE block cipher that help us to increase its security without changing the number of rounds or round operations. We get substantially higher security for the same comple...
-
Chapter and Conference Paper
Massive Superpoly Recovery with Nested Monomial Predictions
Determining the exact algebraic structure or some partial information of the superpoly for a given cube is a necessary step in the cube attack – a generic cryptanalytic technique for symmetric-key primitives ...
-
Chapter and Conference Paper
Strong and Tight Security Guarantees Against Integral Distinguishers
Integral attacks belong to the classical attack vectors against any given block ciphers. However, providing arguments that a given cipher is resistant against those attacks is notoriously difficult. In this p...
-
Chapter and Conference Paper
Lower Bounds on the Degree of Block Ciphers
Only the method to estimate the upper bound of the algebraic degree on block ciphers is known so far, but it is not useful for the designer to guarantee the security. In this paper we provide meaningful lower...
-
Chapter and Conference Paper
Modeling for Three-Subset Division Property Without Unknown Subset
A division property is a generic tool to search for integral distinguishers, and automatic tools such as MILP or SAT/SMT allow us to evaluate the propagation efficiently. In the application to stream ciphers,...
-
Chapter and Conference Paper
On the Data Limitation of Small-State Stream Ciphers: Correlation Attacks on Fruit-80 and Plantlet
Many cryptographers have focused on lightweight cryptography, and a huge number of lightweight block ciphers have been proposed. On the other hand, designing lightweight stream ciphers is a challenging task du...
-
Chapter and Conference Paper
Out of Oddity – New Cryptanalytic Techniques Against Symmetric Primitives Optimized for Integrity Proof Systems
The security and performance of many integrity proof systems like SNARKs, STARKs and Bulletproofs highly depend on the underlying hash function. For this reason several new proposals have recently been develop...
-
Chapter and Conference Paper
Improved Differential-Linear Attacks with Applications to ARX Ciphers
We present several improvements to the framework of differential-linear attacks with a special focus on ARX ciphers. As a demonstration of their impact, we apply them to Chaskey and ChaCha and we are able to s...
-
Article
Nonlinear Invariant Attack: Practical Attack on Full SCREAM, iSCREAM, and Midori64
In this paper, we introduce a new type of attack, called nonlinear invariant attack. As application examples, we present new attacks that are able to distinguish the full versions of the (tweakable) block ciphers...
-
Chapter and Conference Paper
Programming the Demirci-Selçuk Meet-in-the-Middle Attack with Constraints
Cryptanalysis with SAT/SMT, MILP and CP has increased in popularity among symmetric-key cryptanalysts and designers due to its high degree of automation. So far, this approach covers differential, linear, impo...
-
Chapter and Conference Paper
Several MILP-Aided Attacks Against SNOW 2.0
SNOW 2.0 is a software-oriented stream cipher and internationally standardized by ISO/IEC 18033-4. In this paper, we present three attacks on SNOW 2.0 by MILP-aided automatic search algorithms. First, we prese...
