Abstract
We consider the related-tweak impossible differential cryptanalysis of TweAES. It is one of the underlying primitives of the Authenticated Encryption with Associated Data (AEAD) scheme ESTATE, which was accepted as one of the second-round candidates in the NIST Lightweight Cryptography Standardization project. First, we reveal several properties of TweAES that show which kinds of distinguishers are more effective in recovering keys. With the help of the automatic solver Simple Theorem Prover (STP), we obtain many 5.5-round related-tweak impossible differentials with fixed input differences and output differences that have just one active byte. Then, we implement 8-round key recovery attacks against TweAES based on one of these 5.5-round distinguishers. Moreover, another 5.5-round distinguisher with four active bytes at the end is used to mount a 7-round key recovery attack against TweAES, which needs much lower attack complexities than the 6-round related-tweak impossible differential attack on TweAES in the design document. To date, our 8-round key recovery attack is the best against TweAES in terms of both the number of rounds and the complexities.
Notes
1.
2. \(\mathrm {STP}\) supports two kinds of input languages; here we use the CVC one. For more information about CVC, please refer to https://stp.readthedocs.io/en/latest/cvc-input-language.html.
References
Bahrak, B., Aref, M.R.: Impossible differential attack on seven-round AES-128. IET Inf. Secur. 2(2), 28–32 (2008)
Barrett, C.W., Sebastiani, R., Seshia, S.A., Tinelli, C.: Satisfiability modulo theories. In: Biere, A., Heule, M., van Maaren, H., Walsh, T. (eds.) Handbook of Satisfiability, Frontiers in Artificial Intelligence and Applications, vol. 185, pp. 825–885. IOS Press (2009)
Beierle, C., et al.: The SKINNY family of block ciphers and its low-latency variant MANTIS. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9815, pp. 123–153. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53008-5_5
Bonnetain, X., Naya-Plasencia, M., Schrottenloher, A.: Quantum security analysis of AES. IACR Trans. Symmetric Cryptol. 2019(2), 55–93 (2019)
Boura, C., Lallemand, V., Naya-Plasencia, M., Suder, V.: Making the impossible possible. J. Cryptol. 31(1), 101–133 (2018)
Boura, C., Naya-Plasencia, M., Suder, V.: Scrutinizing and improving impossible differential attacks: applications to CLEFIA, Camellia, LBlock and Simon. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 179–199. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45611-8_10
Chakraborti, A., Datta, N., Jha, A., Mancillas-López, C., Nandi, M., Sasaki, Y.: ESTATE: a lightweight and low energy authenticated encryption mode. IACR Trans. Symmetric Cryptol. 2020(S1), 350–389 (2020)
Cook, S.A.: The complexity of theorem-proving procedures. In: Harrison, M.A., Banerji, R.B., Ullman, J.D. (eds.) Proceedings of the 3rd Annual ACM Symposium on Theory of Computing, 3–5 May 1971, Shaker Heights, Ohio, USA, pp. 151–158. ACM (1971)
Demirci, H., Selçuk, A.A.: A meet-in-the-middle attack on 8-round AES. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 116–126. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-71039-4_7
Derbez, P., Fouque, P.-A., Jean, J.: Improved key recovery attacks on reduced-round AES in the single-key setting. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 371–387. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_23
Dworkin, M., Barker, E., Nechvatal, J., Foti, J., Bassham, L., Roback, E., Dray, J.: Advanced Encryption Standard (AES). FIPS PUB 197, 26 November 2001. https://doi.org/10.6028/NIST.FIPS.197
Gilbert, H.: A simplified representation of AES. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 200–222. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45611-8_11
Jean, J., Nikolić, I., Peyrin, T.: Tweaks and keys for block ciphers: the TWEAKEY framework. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8874, pp. 274–288. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45608-8_15
Jean, J., Nikolić, I., Peyrin, T.: Deoxys v1.41. Submission to CAESAR (2016). https://competitions.cr.yp.to/round3/deoxysv141.pdf
Leurent, G., Pernot, C.: New representations of the AES key schedule. In: Canteaut, A., Standaert, F.-X. (eds.) EUROCRYPT 2021. LNCS, vol. 12696, pp. 54–84. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-77870-5_3
Liu, Y., et al.: STP models of optimal differential and linear trail for S-box based ciphers. IACR Cryptol. ePrint Arch. 2019, 25 (2019)
Mouha, N., Preneel, B.: Towards finding optimal differential characteristics for ARX: application to Salsa20. Cryptology ePrint Archive, Report 2013/328 (2013). https://eprint.iacr.org/2013/328
Sun, S., et al.: Analysis of AES, SKINNY, and others with constraint programming. IACR Trans. Symmetric Cryptol. 2017(1), 281–306 (2017)
Tiessen, T.: Polytopic cryptanalysis. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 214–239. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49890-3_9
Zong, R., Dong, X.: MILP-aided related-tweak/key impossible differential attack and its applications to QARMA, Joltik-BC. IEEE Access 7, 153683–153693 (2019)
Acknowledgements
We thank the anonymous reviewers for their valuable comments and suggestions to improve the quality of the paper. This work is supported by the National Natural Science Foundation of China (Grant No. 62032014), the National Key Research and Development Program of China (Grant No. 2018YFA0704702), the Major Basic Research Project of Natural Science Foundation of Shandong Province, China (Grant No. ZR202010220025). Qingju Wang is funded by Huawei Technologies Co., Ltd (Agreement No.: YBN2020035184).
Appendices
A Related-Tweak Impossible Differential Distinguisher of TweAES in Design Document [7]
B 8-Round Key Recovery Attack on TweAES in Design Document [7]
By appending one round at the beginning and one at the end of the distinguisher (Fig. 7), the designers can perform an 8-round key recovery attack. The attack differential is shown in Fig. 8. The key recovery procedure is as follows.
1. Choose all tweak values, denoted by \(T^{i}\) where \(i = 0,1,...,2^{4}-1\).
2. For each \(T^{i}\), fix the values of the 8 inactive bytes of the input state and choose all values of the 8 active bytes. Query those \(2^{64}\) values to get the corresponding outputs, and store them in the list \(L^{i}\), where \(i=0,1,...,2^{4}-1\).
3. For all \(\left( \begin{array}{c}2^{4}\\ 2\end{array}\right) \approx 2^{7}\) pairs of lists \(L^{i}\) and \(L^{j}\) with \(i\ne j\), find the pairs that have no difference in the 12 inactive bytes of the output state. About \(2^{7+64+64-96}=2^{39}\) pairs will be obtained.
4. For each of the obtained pairs, the tweak difference is fixed and the differences at the input and output states are also fixed. These fix both the input and output differences of each S-box in the first round and the last round. Hence, each pair suggests one wrong key.
5. Repeat the procedure \(2^{59}\) times from the first step, changing the values of the inactive input bytes each time. After this step, \(2^{39+59} = 2^{98}\) wrong-key candidates (including overlaps) will be obtained. The remaining key space of the involved 12 bytes becomes \(2^{96} \times (1-2^{-96})^{2^{98}} \approx 2^{96}\times e^{-2} \approx 2^{90.2}\). Hence, the key space for the 8 bytes of \(K_{1}\) and the 4 bytes of \(K_9\) is reduced by a factor of \(2^{5.77}\).
The data complexity is \(2^4\times 2^{64}\times 2^{59}= 2^{127}\). The time complexity is also \(2^{127}\) memory accesses. The memory complexity is that of recording the wrong keys of the 12 bytes, i.e. \(2^{96}\).
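The complexity bookkeeping of the procedure above, as an added example that is not part of the paper: the first helper computes the remaining key space from the sieving approximation \(2^{k}(1-2^{-k})^{N}\approx 2^{k}e^{-N/2^{k}}\), the second redoes the whole count from the attack parameters (with the exact \(\binom{16}{2}=120\) rather than the paper's \(2^{7}\) rounding, which is why it lands a little above \(2^{90.2}\)), and the third checks the overlap approximation empirically on a toy key space. Function names and the toy parameters are my own.

```python
"""Sieving complexity of the 8-round impossible differential attack (Appendix B)."""
import math
import random


def remaining_keys_log2(key_bits, suggestions_log2):
    """log2 of keys left after N = 2^suggestions_log2 random wrong-key suggestions:
    2^k * (1 - 2^-k)^N ~ 2^k * exp(-N / 2^k); overlaps are what the exp term models."""
    return key_bits - 2 ** (suggestions_log2 - key_bits) / math.log(2)


def attack_complexities(tweaks_log2, active_in_bytes, inactive_out_bytes,
                        repeats_log2, key_bytes):
    """Return (log2 surviving pairs per structure, log2 wrong-key suggestions,
    log2 remaining keys, log2 data) for the Appendix B procedure."""
    n_tweaks = 2 ** tweaks_log2
    # pairs of lists L^i, L^j with i != j (exact, not rounded to a power of two)
    list_pairs_log2 = math.log2(math.comb(n_tweaks, 2))
    # each list holds 2^(8*active) texts; the 12 inactive output bytes must match
    pairs_log2 = list_pairs_log2 + 2 * 8 * active_in_bytes - 8 * inactive_out_bytes
    suggestions_log2 = pairs_log2 + repeats_log2
    remaining_log2 = remaining_keys_log2(8 * key_bytes, suggestions_log2)
    # data: all tweaks x all active-byte values x repetitions of the structure
    data_log2 = tweaks_log2 + 8 * active_in_bytes + repeats_log2
    return pairs_log2, suggestions_log2, remaining_log2, data_log2


def simulate_sieve(key_bits, suggestions_per_key, seed=1):
    """Toy-scale check: mark uniformly random keys as wrong and count survivors.
    Expected about 2^key_bits * exp(-suggestions_per_key) because of overlaps."""
    rng = random.Random(seed)  # seeded so the run is reproducible
    space = 1 << key_bits
    wrong = bytearray(space)
    for _ in range(suggestions_per_key * space):
        wrong[rng.randrange(space)] = 1
    return space - sum(wrong)


if __name__ == "__main__":
    # parameters stated in Appendix B: 2^4 tweaks, 8 active input bytes,
    # 12 inactive output bytes, 2^59 repetitions, 12 involved key bytes
    pairs, sugg, rem, data = attack_complexities(4, 8, 12, 59, 12)
    print(f"pairs 2^{pairs:.2f}, suggestions 2^{sugg:.2f}, "
          f"remaining keys 2^{rem:.2f}, data 2^{data:.0f}")
    print("paper's rounded count:", round(remaining_keys_log2(96, 98), 2))
    print("toy survivors (2^14 keys, 4 suggestions/key):", simulate_sieve(14, 4))
```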
C The Algorithm for The Key Recovery Attack on 7-Round TweAES
Copyright information
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
Cite this paper
Niu, C., Li, M., Wang, M., Wang, Q., Yiu, SM. (2022). Related-Tweak Impossible Differential Cryptanalysis of Reduced-Round TweAES. In: AlTawy, R., Hülsing, A. (eds) Selected Areas in Cryptography. SAC 2021. Lecture Notes in Computer Science, vol 13203. Springer, Cham. https://doi.org/10.1007/978-3-030-99277-4_11
DOI: https://doi.org/10.1007/978-3-030-99277-4_11
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-99276-7
Online ISBN: 978-3-030-99277-4