
Automatic Search of Linear Structure: Applications to Keccak and Ascon

  • Conference paper
  • Information Security and Cryptology (Inscrypt 2023)
  • Part of the book series: Lecture Notes in Computer Science (LNCS, volume 14527)

Abstract

The linear structure technique was developed by Guo et al. at ASIACRYPT 2016 and notably boosted preimage attacks on Keccak. By transforming the preimage attack into the solving of algebraic systems, it allows the underlying permutation of Keccak to be fully linearized for up to 2.5 rounds while leaving a significant number of degrees of freedom. A linear structure with more degrees of freedom left corresponds to a more powerful preimage attack, since it substantially reduces the complexity of solving the algebraic systems. However, previous linear structures on Keccak relied solely on manual design. They impose restrictions on specific lanes, requiring each of them to contain exactly 64 variables, so that better linear structures not satisfying this restriction may have been overlooked.

In this paper, we remove such restrictions, formulate the essential ideas of designing linear structures for preimage attacks in well-defined ways, and translate the problem of finding the best preimage attacks into that of searching for optimal linear structures. We propose a new bit-level SAT-based automatic tool to search for optimal linear structures; the SAT model captures a large solution space of linear structures. Using our tool, we rediscover Guo et al.'s structures on Keccak-224/-256/-384/-512, which confirms the correctness of our model. Furthermore, we improve Guo et al.'s preimage attacks on 2-/3-round Keccak-512 from \(2^{384}/2^{482}\) to \(2^{365}/2^{478}\) by identifying a new 1.5-round linear structure on Keccak-512 with 147 degrees of freedom left. Since a similar nonlinear layer exists in Ascon, the final winner of the lightweight cryptography standardization competition, we also study linear structures on Ascon as an independent interest. As a result, we discover a 2-round linear structure with 102 degrees of freedom left. Based on this 2-round structure, we construct a full-round zero-sum distinguisher with a time complexity of \(2^{82}\).
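To make the linearization idea behind a linear structure concrete, the following is a small symbolic check written for this page; it is not code from the paper and not the authors' SAT tool. It represents each input bit of a nonlinear layer as an ANF polynomial over GF(2), pushes variables through the standard Keccak χ row map (b_i = a_i ⊕ (¬a_{i+1} ∧ a_{i+2}), indices mod 5) and through the Ascon S-box as written in the Ascon bitsliced reference code, and reports which variable placements keep every output bit affine for every setting of the remaining constant bits. It goes a little beyond the abstract by also showing the linear-dependency trick (two adjacent bits that are affinely related) that lets more variable positions survive a χ layer than there are independent variables, which is what "degrees of freedom" counts. The function names (`stays_affine`, `linear_pairs`), the two-variable-per-row setting and the use of a 5-bit row or column in isolation are choices of this example, not notation from the paper.

```python
"""Checking when the Keccak chi row and the Ascon S-box stay linear.

Bits are polynomials over GF(2) in algebraic normal form (ANF): a polynomial
is a frozenset of monomials and a monomial is a frozenset of variable names,
so the empty monomial is the constant 1 and the empty polynomial is 0.
A linear structure keeps the whole nonlinear layer affine in the chosen
variables; the number of independent variables that survive is its
degrees of freedom. (Example code for this page, not the paper's tool.)
"""
from itertools import combinations

ONE = frozenset()  # the empty monomial, i.e. the constant 1


def const(bit):
    """ANF of a constant bit."""
    return frozenset([ONE]) if bit else frozenset()


def var(name):
    """ANF of a single free variable."""
    return frozenset([frozenset([name])])


def xor(p, q):
    """Addition in GF(2)[x]: equal monomials cancel, so symmetric difference."""
    return p ^ q


def mul(p, q):
    """Multiplication in GF(2)[x]; x*x = x, and equal products cancel in pairs."""
    out = set()
    for m in p:
        for n in q:
            out ^= {m | n}
    return frozenset(out)


def neg(p):
    """Bitwise NOT is addition of the constant 1."""
    return xor(p, const(1))


def degree(p):
    """Algebraic degree: 0 for constants, 1 for affine expressions."""
    return max((len(m) for m in p), default=0)


def chi(a):
    """Keccak chi on one row: b_i = a_i + (a_{i+1} + 1) * a_{i+2} (indices mod 5)."""
    return [xor(a[i], mul(neg(a[(i + 1) % 5]), a[(i + 2) % 5])) for i in range(5)]


def ascon_sbox(x):
    """Ascon S-box as in its bitsliced reference code: an affine map, then the
    same chi as Keccak, then another affine map. x[0] is the top row."""
    x = list(x)
    x[0] = xor(x[0], x[4])
    x[4] = xor(x[4], x[3])
    x[2] = xor(x[2], x[1])
    x = chi(x)
    x[1] = xor(x[1], x[0])
    x[0] = xor(x[0], x[4])
    x[3] = xor(x[3], x[2])
    x[2] = neg(x[2])
    return x


def stays_affine(sbox, symbolic):
    """True iff every output bit of `sbox` has degree <= 1 for every constant
    assignment of the positions not listed in `symbolic`.
    `symbolic` maps an input position to the ANF it carries; values may share
    variables, which is how linear dependencies between bits are expressed."""
    free = [k for k in range(5) if k not in symbolic]
    for c in range(1 << len(free)):
        inputs = [None] * 5
        for n, k in enumerate(free):
            inputs[k] = const((c >> n) & 1)
        for k, expr in symbolic.items():
            inputs[k] = expr
        if max(degree(b) for b in sbox(inputs)) > 1:
            return False
    return True


def linear_pairs(sbox):
    """Input positions that can hold two independent variables without making
    the layer nonlinear, whatever the other three constant bits are."""
    a, b = var("a"), var("b")
    return [(i, j) for i, j in combinations(range(5), 2)
            if stays_affine(sbox, {i: a, j: b})]


def sbox_table(sbox):
    """Evaluate an ANF S-box on constants only (x0 = most significant bit),
    to cross-check the symbolic model against the published lookup table."""
    table = []
    for v in range(32):
        out = sbox([const((v >> (4 - k)) & 1) for k in range(5)])
        table.append(sum(bool(b) << (4 - k) for k, b in enumerate(out)))
    return table


if __name__ == "__main__":
    a = var("a")
    print("chi:   independent pairs kept linear:", linear_pairs(chi))
    print("Ascon: independent pairs kept linear:", linear_pairs(ascon_sbox))
    # Adjacent bits are allowed when affinely related, e.g. a_1 = a_0 + 1.
    print("chi with a_1 = a_0 + 1:", stays_affine(chi, {0: a, 1: neg(a)}))
    print("Ascon S-box table starts:", [hex(v) for v in sbox_table(ascon_sbox)[:4]])
```

Running it shows that χ keeps two independent variables per row only at non-adjacent positions, that the Ascon S-box is stricter (only column positions (0, 2) and (2, 4), because its input affine map copies x1 into x2 and x3 into x4), and that two adjacent Keccak bits are fine once they satisfy a_1 = a_0 ⊕ 1. A complete linear structure additionally has to track how the linear layers (θ, ρ, π for Keccak, the lane rotations for Ascon) move those variables between rows over several rounds, which is the part that manual design or an automatic search must handle.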


Notes

  1. To date, the best preimage attacks on 2-/3-round Keccak-512 are those of [15], which are based on non-linear structures with extra linear dependencies.

  2. Under the tacit assumption that the differentials of two consecutive rounds are independent, the local differentials of all rounds can be chained into a single so-called differential characteristic. For simplicity, we refer to all of these underlying assumptions collectively as the Markov assumption.

  3. A minimum or compact model is a SAT model with as few clauses as possible.

  4. Note that our zero-sum distinguisher is not the best known so far: a novel higher-order differential technique presented in [16] (published on ePrint) yields a more efficient zero-sum distinguisher for full-round Ascon with a time complexity of only \(2^{55}\). Ours is, however, the first to obtain an internally better 2-round linear structure from an algebraic perspective, combined with automated tools.

  5. Their algebraic degrees are at most 1.

References

  1. Aumasson, J.P., Meier, W.: Zero-sum distinguishers for reduced Keccak-f and for the core functions of Luffa and Hamsi. Rump session of CHES 2009, p. 67 (2009)

  2. Bao, Z., et al.: Automatic search of meet-in-the-middle preimage attacks on AES-like hashing. In: Canteaut, A., Standaert, F.-X. (eds.) EUROCRYPT 2021. LNCS, vol. 12696, pp. 771–804. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-77870-5_27

  3. Bao, Z., Guo, J., Shi, D., Tu, Y.: Superposition meet-in-the-middle attacks: updates on fundamental security of AES-like hashing. In: Dodis, Y., Shrimpton, T. (eds.) CRYPTO 2022. LNCS, vol. 13507, pp. 64–93. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-15802-5_3

  4. Bertoni, G., Peeters, M., Van Assche, G., et al.: The Keccak reference (2011). http://keccak.noekeon.org

  5. Biere, A.: CaDiCaL at the SAT Race 2019 (2019). https://github.com/arminbiere/cadical

  6. Boura, C., Canteaut, A.: Zero-sum distinguishers for iterated permutations and application to Keccak-f and Hamsi-256. In: Biryukov, A., Gong, G., Stinson, D.R. (eds.) SAC 2010. LNCS, vol. 6544, pp. 1–17. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19574-7_1

  7. Daemen, J., Van Assche, G.: Differential propagation analysis of Keccak. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 422–441. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34047-5_24

  8. Dinur, I.: Cryptanalytic applications of the polynomial method for solving multivariate equation systems over GF(2). In: Canteaut, A., Standaert, F.-X. (eds.) EUROCRYPT 2021. LNCS, vol. 12696, pp. 374–403. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-77870-5_14

  9. Dobraunig, C., Eichlseder, M., Mendel, F., Schläffer, M.: Ascon v1.2. Submission to the CAESAR competition (2016)

  10. Dong, X., Hua, J., Sun, S., Li, Z., Wang, X., Hu, L.: Meet-in-the-middle attacks revisited: key-recovery, collision, and preimage attacks. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021. LNCS, vol. 12827, pp. 278–308. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84252-9_10

  11. Erlacher, J., Mendel, F., Eichlseder, M.: Bounds for the security of Ascon against differential and linear cryptanalysis. IACR Trans. Symmetric Cryptol. 2022(1), 64–87 (2022)

  12. Guo, J., Liu, G., Song, L., Tu, Y.: Exploring SAT for cryptanalysis: (quantum) collision attacks against 6-round SHA-3. In: Agrawal, S., Lin, D. (eds.) ASIACRYPT 2022. LNCS, vol. 13793, pp. 645–674. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-22969-5_22

  13. Guo, J., Liu, M., Song, L.: Linear structures: applications to cryptanalysis of round-reduced Keccak. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 249–274. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53887-6_9

  14. He, L., Lin, X., Yu, H.: Improved preimage attacks on 4-round Keccak-224/256. IACR Trans. Symmetric Cryptol. 2021(1), 217–238 (2021). https://doi.org/10.46586/tosc.v2021.i1.217-238

  15. He, L., Lin, X., Yu, H.: Improved preimage attacks on round-reduced Keccak-384/512 via restricted linear structures. IACR Cryptol. ePrint Arch. p. 788 (2022)

  16. Hu, K., Peyrin, T.: Revisiting higher-order differential(-linear) attacks from an algebraic perspective: applications to Ascon, Grain v1, Xoodoo, and ChaCha. IACR Cryptol. ePrint Arch. p. 1335 (2022)

  17. Huang, S., Wang, X., Xu, G., Wang, M., Zhao, J.: Conditional cube attack on reduced-round Keccak sponge function. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10211, pp. 259–288. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56614-6_9

  18. Ignatiev, A., Morgado, A., Marques-Silva, J.: PySAT: a Python toolkit for prototyping with SAT oracles. In: SAT 2018, pp. 428–437 (2018). https://doi.org/10.1007/978-3-319-94144-8_26

  19. Li, H., He, L., Chen, S., Guo, J., Qiu, W.: Automatic preimage attack framework on Ascon using a linearize-and-guess approach. IACR Trans. Symmetric Cryptol. 2023(3), 74–100 (2023). https://doi.org/10.46586/tosc.v2023.i3.74-100

  20. Li, H., Liu, G., Zhang, H., Hu, K., Guo, J., Qiu, W.: AlgSAT: a SAT method for search and verification of differential characteristics from algebraic perspective. Cryptology ePrint Archive, Report 2022/1641 (2022). https://eprint.iacr.org/2022/1641

  21. Li, T., Sun, Y.: Preimage attacks on round-reduced Keccak-224/256 via an allocating approach. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11478, pp. 556–584. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17659-4_19

  22. Li, T., Sun, Y., Liao, M., Wang, D.: Preimage attacks on the round-reduced Keccak with cross-linear structures. IACR Trans. Symmetric Cryptol. 2017(4), 39–57 (2017). https://doi.org/10.13154/tosc.v2017.i4.39-57

  23. Lin, X., He, L., Yu, H.: Improved preimage attacks on 3-round Keccak-224/256. IACR Trans. Symmetric Cryptol. 2021(3), 84–101 (2021). https://doi.org/10.46586/tosc.v2021.i3.84-101

  24. Lin, X., He, L., Yu, H.: Practical preimage attack on 3-round Keccak-256. IACR Cryptol. ePrint Arch. p. 101 (2023)

  25. Liu, F., Isobe, T., Meier, W.: Automatic verification of differential characteristics: application to reduced Gimli. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12172, pp. 219–248. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56877-1_8

  26. Liu, F., Isobe, T., Meier, W., Yang, Z.: Algebraic attacks on round-reduced Keccak. In: Baek, J., Ruj, S. (eds.) ACISP 2021. LNCS, vol. 13083, pp. 91–110. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-90567-5_5

  27. Liu, F., et al.: Analysis of RIPEMD-160: new collision attacks and finding characteristics with MILP. In: Hazay, C., Stam, M. (eds.) EUROCRYPT 2023. LNCS, vol. 14007, pp. 189–219. Springer, Cham (2023). https://doi.org/10.1007/978-3-031-30634-1_7

  28. Liu, G., Qiu, W., Tu, Y.: New techniques for searching differential trails in Keccak. IACR Trans. Symmetric Cryptol. 2019(4), 407–437 (2019)

  29. Marques-Silva, J., Lynce, I., Malik, S.: Conflict-driven clause learning SAT solvers. In: Handbook of Satisfiability. Frontiers in Artificial Intelligence and Applications, vol. 336, 2nd edn., pp. 133–182. IOS Press (2021)

  30. Morawiecki, P., Pieprzyk, J., Srebrny, M.: Rotational cryptanalysis of round-reduced Keccak. In: Moriai, S. (ed.) FSE 2013. LNCS, vol. 8424, pp. 241–262. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-43933-3_13

  31. Morawiecki, P., Srebrny, M.: A SAT-based preimage analysis of reduced Keccak hash functions. Inf. Process. Lett. 113(10–11), 392–397 (2013)

  32. Mouha, N., Preneel, B.: Towards finding optimal differential characteristics for ARX: application to Salsa20. IACR Cryptol. ePrint Arch. p. 328 (2013). https://eprint.iacr.org/2013/328

  33. Mouha, N., Wang, Q., Gu, D., Preneel, B.: Differential and linear cryptanalysis using mixed-integer linear programming. In: Wu, C.-K., Yung, M., Lin, D. (eds.) Inscrypt 2011. LNCS, vol. 7537, pp. 57–76. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34704-7_5

  34. Ogawa, T., Liu, Y., Hasegawa, R., Koshimura, M., Fujita, H.: Modulo based CNF encoding of cardinality constraints and its application to MaxSAT solvers. In: ICTAI 2013, pp. 9–17. IEEE Computer Society (2013)

  35. Qin, L., Hua, J., Dong, X., Yan, H., Wang, X.: Meet-in-the-middle preimage attacks on sponge-based hashing. In: Hazay, C., Stam, M. (eds.) EUROCRYPT 2023. LNCS, vol. 14007, pp. 158–188. Springer, Cham (2023). https://doi.org/10.1007/978-3-031-30634-1_6

  36. Rajasree, M.S.: Cryptanalysis of round-reduced Keccak using non-linear structures. In: Hao, F., Ruj, S., Sen Gupta, S. (eds.) INDOCRYPT 2019. LNCS, vol. 11898, pp. 175–192. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-35423-7_9

  37. Sadeghi, S., Rijmen, V., Bagheri, N.: Proposing an MILP-based method for the experimental verification of difference-based trails: application to SPECK and SIMECK. Des. Codes Cryptogr. 89(9), 2113–2155 (2021). https://doi.org/10.1007/s10623-021-00904-5

  38. Song, L., Guo, J.: Cube-attack-like cryptanalysis of round-reduced Keccak using MILP. IACR Trans. Symmetric Cryptol. 2018(3), 182–214 (2018)

  39. Song, L., Guo, J., Shi, D., Ling, S.: New MILP modeling: improved conditional cube attacks on Keccak-based constructions. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018. LNCS, vol. 11273, pp. 65–95. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03329-3_3

  40. Soos, M., Nohl, K., Castelluccia, C.: Extending SAT solvers to cryptographic problems. In: Kullmann, O. (ed.) SAT 2009. LNCS, vol. 5584, pp. 244–257. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-02777-2_24

  41. Sun, L., Wang, W., Wang, M.: More accurate differential properties of LED64 and Midori64. IACR Trans. Symmetric Cryptol. 2018(3), 93–123 (2018). https://doi.org/10.13154/tosc.v2018.i3.93-123

  42. Sun, L., Wang, W., Wang, M.: Accelerating the search of differential and linear characteristics with the SAT method. IACR Trans. Symmetric Cryptol. 2021(1), 269–315 (2021). https://doi.org/10.46586/tosc.v2021.i1.269-315

  43. Sun, S., Hu, L., Wang, P., Qiao, K., Ma, X., Song, L.: Automatic security evaluation and (related-key) differential characteristic search: application to SIMON, PRESENT, LBlock, DES(L) and other bit-oriented block ciphers, pp. 158–178 (2014). https://doi.org/10.1007/978-3-662-45611-8_9

  44. The Sage Developers: SageMath, the Sage Mathematics Software System (Version 9.5) (2022). https://www.sagemath.org

  45. Wei, C., et al.: Preimage attacks on 4-round Keccak by solving multivariate quadratic systems. In: Park, J.H., Seo, S.H. (eds.) ICISC 2021. LNCS, vol. 13218, pp. 195–216. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-08896-4_10


Acknowledgments

We are grateful to the anonymous reviewers for their valuable feedback and comments, which improved the quality of the paper. This research is supported by the National Natural Science Foundation of China (Grant No. 61972249) and the State Scholarship Fund (No. 202106230206) of the China Scholarship Council.

Author information

Correspondence to Weidong Qiu.


Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.


Cite this paper

Li, H., Liu, G., Zhang, H., Tang, P., Qiu, W. (2024). Automatic Search of Linear Structure: Applications to Keccak and Ascon. In: Ge, C., Yung, M. (eds) Information Security and Cryptology. Inscrypt 2023. Lecture Notes in Computer Science, vol 14527. Springer, Singapore. https://doi.org/10.1007/978-981-97-0945-8_10


  • DOI: https://doi.org/10.1007/978-981-97-0945-8_10


  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-97-0944-1

  • Online ISBN: 978-981-97-0945-8
