
Related-Tweak Impossible Differential Cryptanalysis of Reduced-Round TweAES

Conference paper
Selected Areas in Cryptography (SAC 2021)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 13203)

Abstract

We consider the related-tweak impossible differential cryptanalysis of TweAES. It is one of the underlying primitives of the Authenticated Encryption with Associated Data (AEAD) scheme ESTATE, which was accepted as a second-round candidate in the NIST Lightweight Cryptography Standardization project. Firstly, we reveal several properties of TweAES that show which kinds of distinguishers are more effective in recovering keys. With the help of the automatic solver Simple Theorem Prover (STP), we obtain many 5.5-round related-tweak impossible differentials with fixed input differences and output differences that have just one active byte. Then, we implement 8-round key recovery attacks against TweAES based on one of these 5.5-round distinguishers. Moreover, another 5.5-round distinguisher that has four active bytes at the end is utilized to mount a 7-round key recovery attack against TweAES, which needs much lower attack complexities than the 6-round related-tweak impossible differential attack on TweAES in the design document. Our 8-round key recovery attack is the best one against TweAES so far in terms of both the number of rounds and the complexities.


Notes

  1. http://stp.github.io/.

  2. STP supports two kinds of input languages; here we use the CVC one. For more information about CVC, please refer to https://stp.readthedocs.io/en/latest/cvc-input-language.html.

References

  1. Bahrak, B., Aref, M.R.: Impossible differential attack on seven-round AES-128. IET Inf. Secur. 2(2), 28–32 (2008)

  2. Barrett, C.W., Sebastiani, R., Seshia, S.A., Tinelli, C.: Satisfiability modulo theories. In: Biere, A., Heule, M., van Maaren, H., Walsh, T. (eds.) Handbook of Satisfiability. Frontiers in Artificial Intelligence and Applications, vol. 185, pp. 825–885. IOS Press (2009)

  3. Beierle, C., et al.: The SKINNY family of block ciphers and its low-latency variant MANTIS. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9815, pp. 123–153. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53008-5_5

  4. Bonnetain, X., Naya-Plasencia, M., Schrottenloher, A.: Quantum security analysis of AES. IACR Trans. Symmetric Cryptol. 2019(2), 55–93 (2019)

  5. Boura, C., Lallemand, V., Naya-Plasencia, M., Suder, V.: Making the impossible possible. J. Cryptol. 31(1), 101–133 (2018)

  6. Boura, C., Naya-Plasencia, M., Suder, V.: Scrutinizing and improving impossible differential attacks: applications to CLEFIA, Camellia, LBlock and Simon. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 179–199. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45611-8_10

  7. Chakraborti, A., Datta, N., Jha, A., Mancillas-López, C., Nandi, M., Sasaki, Y.: ESTATE: a lightweight and low energy authenticated encryption mode. IACR Trans. Symmetric Cryptol. 2020(S1), 350–389 (2020)

  8. Cook, S.A.: The complexity of theorem-proving procedures. In: Harrison, M.A., Banerji, R.B., Ullman, J.D. (eds.) Proceedings of the 3rd Annual ACM Symposium on Theory of Computing, 3–5 May 1971, Shaker Heights, Ohio, USA, pp. 151–158. ACM (1971)

  9. Demirci, H., Selçuk, A.A.: A meet-in-the-middle attack on 8-round AES. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 116–126. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-71039-4_7

  10. Derbez, P., Fouque, P.-A., Jean, J.: Improved key recovery attacks on reduced-round AES in the single-key setting. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 371–387. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_23

  11. Dworkin, M., Barker, E., Nechvatal, J., Foti, J., Bassham, L., Roback, E., Dray, J.: Advanced Encryption Standard (AES), 26 November 2001. https://doi.org/10.6028/NIST.FIPS.197

  12. Gilbert, H.: A simplified representation of AES. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 200–222. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45611-8_11

  13. Jean, J., Nikolić, I., Peyrin, T.: Tweaks and keys for block ciphers: the TWEAKEY framework. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8874, pp. 274–288. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45608-8_15

  14. Jean, J., Nikolić, I., Peyrin, T.: Deoxys v1.41. Submission to CAESAR (2016). https://competitions.cr.yp.to/round3/deoxysv141.pdf

  15. Leurent, G., Pernot, C.: New representations of the AES key schedule. In: Canteaut, A., Standaert, F.-X. (eds.) EUROCRYPT 2021. LNCS, vol. 12696, pp. 54–84. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-77870-5_3

  16. Liu, Y., et al.: STP models of optimal differential and linear trail for S-box based ciphers. IACR Cryptol. ePrint Arch. 2019, 25 (2019)

  17. Mouha, N., Preneel, B.: Towards finding optimal differential characteristics for ARX: application to Salsa20. Cryptology ePrint Archive, Report 2013/328 (2013). https://eprint.iacr.org/2013/328

  18. Sun, S., et al.: Analysis of AES, SKINNY, and others with constraint programming. IACR Trans. Symmetric Cryptol. 2017(1), 281–306 (2017)

  19. Tiessen, T.: Polytopic cryptanalysis. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 214–239. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49890-3_9

  20. Zong, R., Dong, X.: MILP-aided related-tweak/key impossible differential attack and its applications to QARMA, Joltik-BC. IEEE Access 7, 153683–153693 (2019)


Acknowledgements

We thank the anonymous reviewers for their valuable comments and suggestions to improve the quality of the paper. This work is supported by the National Natural Science Foundation of China (Grant No. 62032014), the National Key Research and Development Program of China (Grant No. 2018YFA0704702), the Major Basic Research Project of Natural Science Foundation of Shandong Province, China (Grant No. ZR202010220025). Qingju Wang is funded by Huawei Technologies Co., Ltd (Agreement No.: YBN2020035184).


Corresponding author

Correspondence to Meiqin Wang.


Appendices

A Related-Tweak Impossible Differential Distinguisher of TweAES in Design Document [7]

Fig. 7. 6-round related-tweak impossible distinguisher of TweAES [7]

B 8-Round Key Recovery Attack on TweAES in Design Document [7]

Fig. 8. Key recovery attack against 8-round TweAES in [7]

By appending one round at the beginning and one at the end of the distinguisher (Fig. 7), they can perform an 8-round key recovery attack. The attack differential is shown in Fig. 8. The key recovery attack procedure is as follows.

  1. Choose all tweak values, denoted by \(T^{i}\) where \(i = 0,1,...,2^{4}-1\).

  2. For each \(T^{i}\), fix the values of the 8 inactive bytes at the input and choose all values of the 8 active bytes of the input state. Query those \(2^{64}\) values to get the corresponding outputs, and store the outputs in the list \(L^{i}\), \(i=0,1,...,2^{4}-1\).

  3. For all \(\binom{2^{4}}{2} \approx 2^{7}\) pairs of lists \(L^{i}\) and \(L^{j}\) with \(i\ne j\), find the pairs of outputs that have no difference in the 12 inactive bytes of the output state. About \(2^{7+64+64-96}=2^{39}\) pairs will be obtained.

  4. For each of the obtained pairs, the tweak difference is fixed and the differences at the input and output states are also fixed. These fix both the input and output differences of each S-box in the first round and the last round. Hence, each pair suggests a wrong key.

  5. Repeat the procedure \(2^{59}\) times from the first step, changing the inactive byte values at the input each time. After this step, \(2^{39+59} = 2^{98}\) wrong-key candidates (including overlaps) will be obtained. The remaining key space of the involved 12 bytes becomes \(2^{96} \times (1-2^{-96})^{2^{98}} \approx 2^{96}\times e^{-4} \approx 2^{90.2}\). Hence, the key space for the 8 bytes of \(K_{1}\) and 4 bytes of \(K_9\) is reduced by a factor of \(2^{5.77}\).

The data complexity is \(2^4\times 2^{64}\times 2^{59}= 2^{127}\). The time complexity is also \(2^{127}\) memory accesses. The memory complexity is that of recording the wrong keys of the 12 bytes, which is \(2^{96}\).
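The counting argument behind steps 3 to 5 and the complexity estimates above, carried through in Python as an added example (not code from the paper or from the ESTATE design document); the parameters are the ones quoted in the text, the function names are mine, and the text's rounding of \(\binom{2^4}{2}\) up to \(2^7\) is kept so the figures match. The last helper inverts the sieve: it tells how many repetitions a given key-space reduction costs.

```python
# Counting model behind the impossible-differential key sieve of Appendix B.
# Constructed example; the parameters are the ones quoted in the text.
import math

TWEAK_BITS = 4         # all 2^4 tweak values T^i are used
ACTIVE_IN_BYTES = 8    # active input bytes enumerated within one structure
FILTER_BYTES = 12      # inactive output bytes that must show zero difference
KEY_BYTES = 12         # 8 bytes of K_1 plus 4 bytes of K_9 are sieved
REPETITIONS_LOG2 = 59  # the whole procedure is repeated 2^59 times


def log2_pairs_per_repetition(tweak_bits, active_in_bytes, filter_bytes):
    """log2 of pairs passing the 8*filter_bytes-bit output filter in one repetition.
    binom(2^4, 2) = 120 is rounded up to 2^7 as in the text (exact: 2^6.9)."""
    log2_list_pairs = math.ceil(math.log2(math.comb(2 ** tweak_bits, 2)))
    return log2_list_pairs + 2 * 8 * active_in_bytes - 8 * filter_bytes


def log2_remaining_keys(key_bits, log2_wrong_key_hits):
    """log2 of candidates left after N = 2^hits random wrong-key eliminations:
    2^k * (1 - 2^-k)^N. log1p is needed since 1 - 2^-96 rounds to 1.0 in a double."""
    n = 2.0 ** log2_wrong_key_hits
    return key_bits + n * math.log1p(-2.0 ** -key_bits) / math.log(2)


def log2_repetitions_for_reduction(reduction_bits, key_bits, log2_pairs_per_rep):
    """log2 of repetitions needed to shrink the key space by 2^reduction_bits
    (the inverse of log2_remaining_keys for a fixed pairs-per-repetition)."""
    log2_hits = math.log2(-reduction_bits * math.log(2) / math.log1p(-2.0 ** -key_bits))
    return log2_hits - log2_pairs_per_rep


def attack_budget(tweak_bits=TWEAK_BITS, active_in_bytes=ACTIVE_IN_BYTES,
                  filter_bytes=FILTER_BYTES, key_bytes=KEY_BYTES,
                  repetitions_log2=REPETITIONS_LOG2):
    """Every figure of Appendix B as a log2 value."""
    key_bits = 8 * key_bytes
    pairs = log2_pairs_per_repetition(tweak_bits, active_in_bytes, filter_bytes)
    wrong = pairs + repetitions_log2
    remaining = log2_remaining_keys(key_bits, wrong)
    return {
        "pairs_per_repetition": pairs,      # 39
        "wrong_key_hits": wrong,            # 98
        "remaining_keys": remaining,        # 90.23
        "reduction": key_bits - remaining,  # 5.77
        "data": tweak_bits + 8 * active_in_bytes + repetitions_log2,  # 127
    }
```

Calling `attack_budget()` reproduces the \(2^{39}\), \(2^{98}\), \(2^{90.2}\), \(2^{5.77}\) and \(2^{127}\) figures; lowering `repetitions_log2` shows how quickly the key-space reduction evaporates, since the sieve only removes a fraction \(1-e^{-N/2^{96}}\) of the candidates.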

C The Algorithm for The Key Recovery Attack on 7-Round TweAES



Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper


Cite this paper

Niu, C., Li, M., Wang, M., Wang, Q., Yiu, SM. (2022). Related-Tweak Impossible Differential Cryptanalysis of Reduced-Round TweAES. In: AlTawy, R., Hülsing, A. (eds) Selected Areas in Cryptography. SAC 2021. Lecture Notes in Computer Science, vol 13203. Springer, Cham. https://doi.org/10.1007/978-3-030-99277-4_11


  • DOI: https://doi.org/10.1007/978-3-030-99277-4_11


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-99276-7

  • Online ISBN: 978-3-030-99277-4
