Abstract
In this paper, we revisit the difference enumeration technique for LowMC and develop new algebraic techniques to achieve efficient key-recovery attacks. In the original difference enumeration attack framework, an inevitable step is to precompute and store a set of intermediate state differences for efficient checking via binary search. Our first observation is that Bar-On et al.'s general algebraic technique developed for SPNs with partial nonlinear layers can be used to fulfill the same task, which makes the memory complexity negligible as there is no longer any need to store a huge set of state differences. Benefiting from this technique, we can significantly improve the attacks on LowMC when the block size is much larger than the key size and even break LowMC instances with such parameters. On the other hand, with our new key-recovery technique, we can significantly improve the time to retrieve the full key when given only a single pair of input and output messages together with the difference trail that they follow, which was stated as an interesting question by Rechberger et al. at ToSC 2018. Combining both techniques, with only 2 chosen plaintexts, we can break 4 rounds of LowMC adopting a full S-Box layer with block sizes of 129, 192 and 255 bits, respectively, which are the 3 recommended parameters for Picnic3, an alternative third-round candidate in NIST's Post-Quantum Cryptography competition. We have to emphasize that our attacks do not indicate that Picnic3 is broken, as the Picnic use-case is very different and an attacker cannot even freely choose 2 plaintexts to encrypt for a concrete LowMC instance. However, such parameters are deemed secure in the latest LowMC. Moreover, many more rounds of seven instances of the backdoor cipher LowMC-M, as proposed by Peyrin and Wang at CRYPTO 2020, can be broken without finding the backdoor by making full use of the allowed \(2^{64}\) data. All of the above attacks are achieved with negligible memory.
Notes
1. In the security proof of Picnic, 2 plaintexts are required, which can be found at footnote 11 on page 10 of [10]. This is also our motivation to analyze such instances with only 2 allowed plaintexts. In the security proof, the parameters with 2 allowed plaintexts are treated as secure.
2. For a tuple of \((d+1)\) values \((u_0,u_1,\ldots ,u_d)\), its d-difference is defined as \((\delta _0,\delta _1,\ldots ,\delta _{d-1})=(u_0\oplus u_1,u_0\oplus u_2,\ldots ,u_0\oplus u_{d})\).
3. If we use the equivalent representation of LowMC, such a statement is correct. If we do not use it, \(A_{r-1}\) can be written as linear expressions in terms of \((v_0,\ldots ,v_{3m-1})\) and the key bits, which will not affect our attack as our final goal is to construct a linear equation system in terms of the \(3mr_3\) variables and the key bits. For simplicity, we consider the equivalent representation.
4. Experiments show that it is better to choose \(q=11\), though \(V(129,12)>1\).
5. See https://github.com/LFKOKAMI/LowMC_Diff_Enu.git for the code.
6. In several experiments with 1000 random tests each, the average number of iterations to enumerate differences is \(392500\pm 12500\) and the average number of valid compact differential trails is \(3425\pm 125\).
7. The S-boxes in the 3rd round will be fully linearized, though it is an overestimation.
8. It can be found that \(V(192,16)\) is only slightly greater than 1. Experiments show that it is better to choose \(q=15\).
9. It can be found that \(V(255,20)\) is only slightly greater than 1. Experiments show that it is better to choose \(q=19\).
References
Reference Code (2017). https://github.com/LowMC/lowmc/blob/master/determine_rounds.py
The Picnic signature algorithm specification (2019). https://microsoft.github.io/Picnic/
Albrecht, M.R., Cid, C., Grassi, L., Khovratovich, D., Lüftenegger, R., Rechberger, C., Schofnegger, M.: Algebraic cryptanalysis of STARK-friendly designs: application to MARVELlous and MiMC. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019. LNCS, vol. 11923, pp. 371–397. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34618-8_13
Albrecht, M.R., Rechberger, C., Schneider, T., Tiessen, T., Zohner, M.: Ciphers for MPC and FHE. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 430–454. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_17
Aly, A., Ashur, T., Ben-Sasson, E., Dhooghe, S., Szepieniec, A.: Design of symmetric-key primitives for advanced cryptographic protocols. Cryptology ePrint Archive, Report 2019/426 (2019). https://eprint.iacr.org/2019/426
Banik, S., Barooti, K., Durak, F.B., Vaudenay, S.: Cryptanalysis of LowMC instances using single plaintext/ciphertext pair. IACR Trans. Symmetric Cryptol. 2020(4), 130–146 (2020)
Bar-On, A., Dinur, I., Dunkelman, O., Lallemand, V., Keller, N., Tsaban, B.: Cryptanalysis of SP networks with partial non-linear layers. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 315–342. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_13
Beyne, T., Li, C.: Cryptanalysis of the MALICIOUS Framework. Cryptology ePrint Archive, Report 2020/1032 (2020). https://eprint.iacr.org/2020/1032
Chase, M., et al.: Post-quantum zero-knowledge and signatures from symmetric-key primitives. Cryptology ePrint Archive, Report 2017/279 (2017). https://eprint.iacr.org/2017/279
Courtois, N.T., Pieprzyk, J.: Cryptanalysis of block ciphers with overdefined systems of equations. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 267–287. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-36178-2_17
Dinur, I.: Cryptanalytic applications of the polynomial method for solving multivariate equation systems over GF(2). Cryptology ePrint Archive, Report 2021/578 (2021). To appear at EUROCRYPT 2021. https://eprint.iacr.org/2021/578
Dinur, I., Dunkelman, O., Shamir, A.: New attacks on Keccak-224 and Keccak-256. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 442–461. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34047-5_25
Dinur, I., Liu, Y., Meier, W., Wang, Q.: Optimized interpolation attacks on LowMC. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9453, pp. 535–560. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48800-3_22
Dinur, I., Morawiecki, P., Pieprzyk, J., Srebrny, M., Straus, M.: Cube attacks and cube-attack-like cryptanalysis on the round-reduced Keccak sponge function. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 733–761. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_28
Dobraunig, C., Eichlseder, M., Mendel, F.: Higher-order cryptanalysis of LowMC. In: Kwon, S., Yun, A. (eds.) ICISC 2015. LNCS, vol. 9558, pp. 87–101. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-30840-1_6
Gérard, B., Grosso, V., Naya-Plasencia, M., Standaert, F.-X.: Block ciphers that are easier to mask: how far can we go? In: Bertoni, G., Coron, J.-S. (eds.) CHES 2013. LNCS, vol. 8086, pp. 383–399. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40349-1_22
Guo, J., Liao, G., Liu, G., Liu, M., Qiao, K., Song, L.: Practical collision attacks against round-reduced SHA-3. Cryptology ePrint Archive, Report 2019/147 (2019). https://eprint.iacr.org/2019/147
Guo, J., Liu, M., Song, L.: Linear structures: applications to cryptanalysis of round-reduced Keccak. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 249–274. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53887-6_9
Huang, S., Wang, X., Xu, G., Wang, M., Zhao, J.: Conditional cube attack on reduced-round Keccak sponge function. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10211, pp. 259–288. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56614-6_9
Kales, D., Zaverucha, G.: Improving the performance of the Picnic signature scheme. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2020(4), 154–188 (2020)
Li, T., Sun, Y.: Preimage attacks on round-reduced Keccak-224/256 via an allocating approach. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11478, pp. 556–584. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17659-4_19
Li, Z., Dong, X., Bi, W., Jia, K., Wang, X., Meier, W.: New conditional cube attack on Keccak keyed modes. IACR Trans. Symmetric Cryptol. 2019(2), 94–124 (2019)
Liu, F., Isobe, T., Meier, W.: Automatic verification of differential characteristics: application to reduced Gimli. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12172, pp. 219–248. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56877-1_8
Liu, F., Isobe, T., Meier, W., Yang, Z.: Algebraic attacks on round-reduced Keccak/Xoodoo. Cryptology ePrint Archive, Report 2020/346 (2020). To appear at ACISP 2021. https://eprint.iacr.org/2020/346
Murphy, S., Robshaw, M.J.B.: Essential algebraic structure within the AES. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 1–16. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45708-9_1
Peyrin, T., Wang, H.: The MALICIOUS framework: embedding backdoors into tweakable block ciphers. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12172, pp. 249–278. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56877-1_9
Qiao, K., Song, L., Liu, M., Guo, J.: New collision attacks on round-reduced Keccak. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10212, pp. 216–243. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56617-7_8
Rechberger, C., Soleimany, H., Tiessen, T.: Cryptanalysis of low-data instances of full LowMC v2. IACR Trans. Symmetric Cryptol. 2018(3), 163–181 (2018)
Song, L., Liao, G., Guo, J.: Non-full Sbox linearization: applications to collision attacks on round-reduced Keccak. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10402, pp. 428–451. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63715-0_15
Tiessen, T.: Polytopic cryptanalysis. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 214–239. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49890-3_9
van Oorschot, P.C., Wiener, M.J.: Parallel collision search with cryptanalytic applications. J. Cryptol. 12(1), 1–28 (1999)
Acknowledgement
We thank the reviewers of EUROCRYPT 2021 and CRYPTO 2021 for their insightful comments. In particular, we thank one reviewer for suggesting that we generalize our observations to an arbitrary 3-bit APN S-box. We also thank Itai Dinur for his advice, which significantly improved this paper. Moreover, we thank Gaoli Wang for pointing out some typos. Fukang Liu is supported by the National Key Research and Development Program of China (Grant No. 2020YFA0712300), the National Natural Science Foundation of China (Grant No. 61632012, No. 62072181), the Peng Cheng Laboratory Project of Guangdong Province (Grant No. PCL2018KP004), the International Science and Technology Cooperation Projects (No. 61961146004) and the Invitation Programs for Foreigner-based Researchers of NICT. Takanori Isobe is supported by JST, PRESTO Grant Number JPMJPR2031, Grant-in-Aid for Scientific Research (B) (KAKENHI 19H02141) of the Japan Society for the Promotion of Science, and the Support Center for Advanced Telecommunications Technology Research (SCAT).
Appendices
A Description of LowMC-M
LowMC-M [27] is a family of tweakable block ciphers built on LowMC, introduced by Peyrin and Wang at CRYPTO 2020. Its distinguishing feature is that backdoors can be inserted when an instance is generated. The only difference between LowMC and LowMC-M is an additional operation AddSubTweak (AT) after AK and after WK. In other words, the round function of the \((i+1)\)-th round \((0\le i\le R-1)\) can be described as follows:
1. SBoxLayer (SB): same as in LowMC.
2. LinearLayer (L): same as in LowMC.
3. ConstantAddition (AC): same as in LowMC.
4. KeyAddition (AK): same as in LowMC.
5. AddSubTweak (AT): add the n-bit sub-tweak \(TW_{i+1}\) to the n-bit state.
The state after WK is also XORed with the n-bit sub-tweak \(TW_0\).
To strengthen the security of the backdoors, the sub-tweaks \(TW_i\) \((0\le i\le R)\) are generated via an extendable-output function (XOF). SHAKE-128 and SHAKE-256 are used as the XOF in LowMC-M for 128-bit and 256-bit security, respectively. Specifically, the tweak TW is the input of the XOF and the corresponding \(n(R+1)\)-bit output is split into \((R+1)\) sub-tweaks \(TW_i\), i.e. \((TW_0,TW_1,\ldots ,TW_{R})\leftarrow \mathrm{XOF}(TW)\).
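The round structure just described, as an added toy implementation that is not the authors' code nor the LowMC-M designers' reference implementation. It assumes a constructed instance with n=12, m=2, R=3, an identity key schedule, and unit lower-triangular (hence invertible) linear layers and round constants drawn from a seeded PRNG rather than the LowMC instance-generation procedure; only the S-box and the XOF-based sub-tweak derivation follow the description above.

```python
"""Toy LowMC-M round structure (added illustration, not the authors' code).
Assumptions: n=12, m=2, R=3, identity key schedule, and constructed linear layers
and round constants from a seeded PRNG instead of LowMC's generation procedure."""
import hashlib
import random

N_BITS, M_SBOX, ROUNDS, SEED = 12, 2, 3, 2021

def sbox(a, b, c):
    # The 3-bit LowMC S-box: (a, b, c) -> (a+bc, a+b+ac, a+b+c+ab) over GF(2).
    return a ^ (b & c), a ^ b ^ (a & c), a ^ b ^ c ^ (a & b)

def sbox_layer(state):
    # Partial layer: the first 3m bits pass through m S-boxes, the rest are copied.
    out = list(state)
    for i in range(M_SBOX):
        out[3 * i:3 * i + 3] = sbox(*state[3 * i:3 * i + 3])
    return out

def linear_layer(state, matrix):
    # Multiply the n-bit state by an invertible n x n binary matrix.
    return [sum(matrix[r][c] & state[c] for c in range(N_BITS)) & 1 for r in range(N_BITS)]

def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]

def sub_tweaks(tweak):
    # (TW_0, ..., TW_R) <- XOF(TW): n(R+1) bits of SHAKE-128 output, split into R+1 chunks.
    nbits = N_BITS * (ROUNDS + 1)
    digest = hashlib.shake_128(tweak).digest((nbits + 7) // 8)
    bits = [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(nbits)]
    return [bits[i * N_BITS:(i + 1) * N_BITS] for i in range(ROUNDS + 1)]

def toy_instance():
    # Constructed linear layers and round constants (not LowMC's generation procedure).
    rng = random.Random(SEED)
    mats = [[[1 if r == c else (rng.getrandbits(1) if c < r else 0) for c in range(N_BITS)]
             for r in range(N_BITS)] for _ in range(ROUNDS)]
    consts = [[rng.getrandbits(1) for _ in range(N_BITS)] for _ in range(ROUNDS)]
    return mats, consts

def encrypt(plaintext, key, tweak):
    mats, consts = toy_instance()
    tw = sub_tweaks(tweak)
    state = xor(xor(plaintext, key), tw[0])      # WK, then AT with TW_0
    for i in range(ROUNDS):                      # round i+1
        state = sbox_layer(state)                # SB
        state = linear_layer(state, mats[i])     # L
        state = xor(state, consts[i])            # AC
        state = xor(state, key)                  # AK (identity key schedule assumed)
        state = xor(state, tw[i + 1])            # AT with TW_{i+1}
    return state
```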
B Exploiting the Tweak to Maximize \(r_0\) for LowMC-M
In brief, when there is no active S-box in the first \(r_0\) rounds, an attacker can construct a linear equation system of size \(3mr_0\) and in terms of \(\varDelta _0\) as well as the difference of the sub-tweaks \((\varDelta TW_0,\cdot \cdot \cdot ,\varDelta TW_{r_0-1})\). When the sub-tweaks are fixed, the equation system is thus only in terms of \(\varDelta _0\), i.e. n variables. Therefore, when \(3mr_0>n\), the equation system is consistent with probability \(2^{n-3mr_0}\). Thus, the attacker needs to find an assignment for \((\varDelta TW_0,\cdot \cdot \cdot ,\varDelta TW_{r_0-1})\) such that the constructed equation system is consistent.
To achieve this goal, the equation system will be first re-organized by placing \((\varDelta TW_0,\cdot \cdot \cdot ,\varDelta TW_{r_0-1})\) on the right-hand of the equation system and placing \(\varDelta _0\) on the left-hand of the equation system. In other words, the equation system becomes
where A is a binary matrix of size \(3mr_0\times n\) and B is a binary matrix of size \(3mr_0\times nr_0\). To ensure that there is a solution to \(\varDelta _0\), one can derive an equation system of size \(3mr_0-n\) and only in terms of \((\varDelta TW_0,\cdot \cdot \cdot ,\varDelta TW_{r_0-1})\). Specifically, apply a transform \(A^{\prime }_{3mr_0\times 3mr_0}\) to both A and B such that the first n rows of \(A^{\prime }\cdot A\) is an identity matrix and the remaining \((3mr_0-n)\) rows of \(A^{\prime }\cdot A\) are all zero. In this way, we only need to focus on the last \((3mr_0-n)\) rows of \(A^{\prime }\cdot B\), i.e. a linear equation system of size \(3mr_0-n\) and in terms of \((\varDelta TW_0,\cdot \cdot \cdot ,\varDelta TW_{r_0-1})\) can be derived to ensure that there is always a solution to \(\varDelta _0\). Thus, with a parallel collision search [32], it is expected to find \((\varDelta TW_0,\cdot \cdot \cdot ,\varDelta TW_{r_0-1})\) with time complexity \(2^{\frac{3mr_0-n}{2}}\) and negligible memory satisfying such an equation system. Therefore, the constraint for \(r_0\) becomes
In this way, one could find the desirable pair of tweaks as well as the plaintext difference \(\varDelta _0\) with time complexity \(2^{\frac{3mr_0-n}{2}}\). This is the method given in [9] to maximize \(r_0\).
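The linear-algebra step described in this appendix, as an added example that is not the authors' code: Gauss-Jordan elimination on the augmented system \([A\,|\,B]\) plays the role of the transform \(A'\), the rows whose A-part vanishes give the \(3mr_0-n\) conditions on \((\varDelta TW_0,\ldots ,\varDelta TW_{r_0-1})\), and a solution \(\varDelta _0\) is then read off. The instance is a constructed random one with \(n=8\), \(m=1\), \(r_0=4\), and the admissible tweak difference is found by a kernel computation rather than the parallel collision search the paper uses.

```python
"""Conditions on the sub-tweak differences that make the first-r_0-round system solvable
(added illustration, not the authors' code).  Rows of A (3mr_0 x n) and B (3mr_0 x nr_0)
are int bitmasks (bit j = column j); the system reads A * d0 = B * dTW over GF(2)."""
import random

def parity(x):
    return bin(x).count("1") & 1

def mat_vec(rows, x):
    # Multiply a bitmask-row matrix by the bitmask vector x; returns a list of bits.
    return [parity(r & x) for r in rows]

def tweak_constraints(A, B, n):
    # Gauss-Jordan on [A | B] (this realises the transform A').  Returns the pivot rows
    # and the B-parts C of rows whose A-part became zero: each c in C means c . dTW = 0.
    rows = list(zip(A, B))
    npiv = 0
    for col in range(n):
        sel = next((i for i in range(npiv, len(rows)) if rows[i][0] >> col & 1), None)
        if sel is None:
            continue                                   # free column of A
        rows[npiv], rows[sel] = rows[sel], rows[npiv]
        pa, pb = rows[npiv]
        for i in range(len(rows)):
            if i != npiv and rows[i][0] >> col & 1:
                rows[i] = (rows[i][0] ^ pa, rows[i][1] ^ pb)
        npiv += 1
    return rows[:npiv], [b for _, b in rows[npiv:]]

def consistent(C, dtw):
    # dTW is admissible iff it satisfies all 3mr_0 - rank(A) derived conditions.
    return all(parity(c & dtw) == 0 for c in C)

def solve_delta0(pivot_rows, dtw):
    # Free variables set to 0; the pivot of a fully reduced row is its lowest set bit.
    d0 = 0
    for a, b in pivot_rows:
        if parity(b & dtw):
            d0 |= a & -a
    return d0

def admissible_tweak_diff(C, width):
    # A non-zero solution of C * dTW = 0: reduce C and set one free variable to 1
    # (demo shortcut; the paper obtains such a dTW by parallel collision search).
    pivots, _ = tweak_constraints(C, [0] * len(C), width)
    used = sum(a & -a for a, _ in pivots)
    free = next(j for j in range(width) if not used >> j & 1)
    x = 1 << free
    for a, _ in pivots:
        if a >> free & 1:
            x |= a & -a
    return x

def demo(n=8, m=1, r0=4, seed=7):
    # Constructed random instance: 3*m*r0 equations in n unknowns and n*r0 tweak bits.
    rng = random.Random(seed)
    A = [rng.getrandbits(n) for _ in range(3 * m * r0)]
    B = [rng.getrandbits(n * r0) for _ in range(3 * m * r0)]
    pivots, C = tweak_constraints(A, B, n)
    dtw = admissible_tweak_diff(C, n * r0)
    d0 = solve_delta0(pivots, dtw)
    return len(C), consistent(C, dtw), mat_vec(A, d0) == mat_vec(B, dtw)
```

With a random A of full column rank, `demo()` reports exactly \(3mr_0-n=4\) conditions, matching the count derived above.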
C Explanation of the Attacks on LowMC with a Full S-box Layer
Attacks on (192, 192, 64, 1, 4). Similar to the above analysis, we first confirm q. As \(V(192,15)>1\) based on Eq. 12, we can expect to always find an assignment to \(\varDelta _0^S\) such that there will be \(q=15\) (see footnote 8) inactive S-boxes in the 2nd round.
As \(Pr[t\ge 3]\approx 0.99\) and \(Pr[62\le t\le 64]\approx 0\), based on Eq. 17 and Eq. 18, the time complexity to retrieve the master key will be \(max(3\times 2^{3m-2t}, 4\times 2^{3t-2})<2^{187.6}\). Based on Eq. 16, the time complexity to enumerate the difference is less than \(3\times (2^{2m}+2^{2m-2t+0.858m})=3\times (2^{2m}+2^{2.858m-2t})<2^{178.5}\). Therefore, we could break \((n,k,m,D,R)=(192,192,64,1,4)\) with time complexity less than \(2^{187.6}\) and success probability 0.99.
As \(Pr[t\ge 6]=0.82\) and \(Pr[61\le t\le 64]\approx 0\), the time complexity to retrieve the master key will be \(max(3\times 2^{3m-2t},4\times 2^{3t-2})=2^{180}\), while the time complexity to enumerate the differences will not exceed \(3\times (2^{2m}+2^{2.858m-2t})<2^{170.9}\). Therefore, we could break \((n,k,m,D,R)=(192,192,64,1,4)\) with time complexity less than \(2^{180}\) and success probability 0.82.
To further reduce the time complexity, at the cost of a lower success probability, we focus on the expected case \(q=15\) and \(3\le t\le 52\). As \(Pr[t\ge 3]\approx 0.99\) and \(Pr[53\le t\le 64]\approx 0\), we have \(Pr[3\le t\le 52]\approx 0.99\). The time complexity to retrieve the master key becomes \(max(2^{3m-2t-2q},2^{3t-2})<2^{156}\). The time complexity to enumerate the difference is less than \(2^{2m-2q}+2^{2.858m-2t-2q}<2^{146.9}\). Therefore, we could break \((n,k,m,D,R)=(192,192,64,1,4)\) with time complexity less than \(2^{156}\) and success probability \(0.99\times 0.25=0.247\).
Attacks on (255, 256, 85, 1, 4). For \((n,k,m,D,R)=(255,255,85,1,4)\), we have \(V(255,19)>1\) based on Eq. 12, i.e. we can expect to always find an assignment to \(\varDelta _0^S\) such that there will be \(q=19\) (see footnote 9) inactive S-boxes in the 2nd round.
As \(Pr[t\ge 5]\approx 0.986\) and \(Pr[79\le t\le 85]\approx 0\), based on Eq. 17 and Eq. 18, the time complexity to retrieve the master key will be \(max(3\times 2^{3m-2t}, 4\times 2^{3t-2})<2^{246.6}\). Based on Eq. 16, the time complexity to enumerate the difference is less than \(3\times (2^{2m}+2^{2m-2t+0.858m})=3\times (2^{2m}+2^{2.858m-2t})<2^{234.53}\). Therefore, we could break \((n,k,m,D,R)=(255,255,85,1,4)\) with time complexity less than \(2^{246.6}\) and success probability 0.986.
As \(Pr[t\ge 8]=0.848\) and \(Pr[79\le t\le 85]\approx 0\), the time complexity to retrieve the master key will be \(max(3\times 2^{3m-2t},4\times 2^{3t-2})<2^{240.6}\), while the time complexity to enumerate the differences will not exceed \(3\times (2^{2m}+2^{2.858m-2t})<2^{228.53}\). Therefore, we could break \((n,k,m,D,R)=(255,255,85,1,4)\) with time complexity less than \(2^{240.6}\) and success probability 0.848.
To further reduce the time complexity, at the cost of a lower success probability, we focus on the expected case \(q=19\) and \(5\le t\le 85\). As \(Pr[t\ge 5]\approx 0.986\) and \(Pr[70\le t\le 85]\approx 0\), we have \(Pr[5\le t\le 69]\approx 0.986\). The time complexity to retrieve the master key becomes \(max(2^{3m-2t-2q},2^{3t-2})<2^{208}\). The time complexity to enumerate the difference is less than \(2^{2m-2q}+2^{2.858m-2t-2q}<2^{194.93}\). Therefore, we could break \((n,k,m,D,R)=(255,255,85,1,4)\) with time complexity less than \(2^{208}\) and success probability \(0.986\times 0.25=0.2465\).
D A Table
Copyright information
© 2021 International Association for Cryptologic Research
Cite this paper
Liu, F., Isobe, T., Meier, W. (2021). Cryptanalysis of Full LowMC and LowMC-M with Algebraic Techniques. In: Malkin, T., Peikert, C. (eds.) Advances in Cryptology – CRYPTO 2021. Lecture Notes in Computer Science, vol. 12827. Springer, Cham. https://doi.org/10.1007/978-3-030-84252-9_13
DOI: https://doi.org/10.1007/978-3-030-84252-9_13
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-84251-2
Online ISBN: 978-3-030-84252-9