
Revisiting Higher-Order Differential-Linear Attacks from an Algebraic Perspective

Conference paper in: Advances in Cryptology – ASIACRYPT 2023 (ASIACRYPT 2023). Part of the book series: Lecture Notes in Computer Science (LNCS, volume 14440).

Abstract

The Higher-order Differential-Linear (HDL) attack was introduced by Biham et al. at FSE 2005, where a linear approximation is appended to a Higher-order Differential (HD) transition. It is a natural generalization of the Differential-Linear (DL) attack. Because of some practical restrictions, however, HDL cryptanalysis has attracted much less attention than its DL counterpart since its proposal.

In this paper, we revisit HD/HDL cryptanalysis from an algebraic perspective and provide two novel tools for detecting possible HD/HDL distinguishers, including: (a) Higher-order Algebraic Transitional Form (HATF) for probabilistic HD/HDL attacks; (b) Differential Supporting Function (DSF) for deterministic HD attacks. In general, the HATF can estimate the biases of \(\ell ^{th}\)-order HDL approximations with complexity \(\mathcal {O}(2^{\ell +d2^\ell })\) where d is the algebraic degree of the function studied. If the function is quadratic, the complexity can be further reduced to \(\mathcal {O}(2^{3.8\ell })\). HATF is therefore very useful in HDL cryptanalysis for ciphers with quadratic round functions, such as Ascon and Xoodyak. DSF provides a convenient way to find good linearizations on the input of a permutation, which facilitates the search for HD distinguishers.
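The following is an added example, not code from the paper or from its HATF/DSF tools: it measures the bias of an \(\ell^{th}\)-order HDL approximation by brute force on a single 5-bit map, using the public Ascon S-box lookup table as the target (the table is the Ascon specification's constant; every function around it is written here for illustration). Exhaustive enumeration costs \(2^{n+\ell}\) evaluations and is only feasible because n = 5; estimating the same biases on a 320-bit state without enumerating it is precisely what HATF is for. What the run shows is the degree argument behind the abstract: for a quadratic map the 1st-order derivative is affine (so each DL bias is 0 or ±1/2), the 2nd-order derivative is a constant (every 2nd-order HDL approximation is deterministic) and the 3rd-order derivative vanishes (the zero-sum property).

```python
# Added example (not from the paper): brute-force bias of an l-th order
# differential-linear (HDL) approximation on a small Boolean map.
# Target: the public 5-bit Ascon S-box, chosen only because it is quadratic.
from itertools import product

# Ascon S-box lookup table (x -> S(x)), copied from the public Ascon specification.
ASCON_SBOX = [
    0x04, 0x0b, 0x1f, 0x14, 0x1a, 0x15, 0x09, 0x02, 0x1b, 0x05, 0x08, 0x12, 0x1d, 0x03, 0x06, 0x1c,
    0x1e, 0x13, 0x07, 0x0e, 0x00, 0x0d, 0x11, 0x18, 0x10, 0x0c, 0x01, 0x19, 0x16, 0x0a, 0x0f, 0x17,
]


def ascon_sbox(x: int) -> int:
    return ASCON_SBOX[x]


def parity(v: int) -> int:
    """Parity of the bits of v; with v = mask & value this is the inner product <mask, value>."""
    return bin(v).count("1") & 1


def rank_gf2(vectors) -> int:
    """Rank over GF(2) of integer-encoded bit vectors (elimination on leading bits)."""
    pivots = {}
    rank = 0
    for v in vectors:
        while v:
            hb = v.bit_length() - 1
            if hb not in pivots:
                pivots[hb] = v
                rank += 1
                break
            v ^= pivots[hb]
    return rank


def hd_derivative(f, x: int, deltas) -> int:
    """l-th order derivative D_{D0..D(l-1)} f(x): XOR of f(x ^ sum c_i*D_i) over all c in {0,1}^l."""
    acc = 0
    for coeffs in product((0, 1), repeat=len(deltas)):
        y = x
        for c, d in zip(coeffs, deltas):
            if c:
                y ^= d
        acc ^= f(y)
    return acc


def hdl_bias(f, n: int, deltas, mask: int) -> float:
    """Bias Pr[<mask, D_delta f(x)> = 0] - 1/2 over all x in F_2^n (2^(n+l) evaluations of f).

    The differences must be linearly independent: with dependent differences the 2^l
    terms pair up and the derivative is identically zero, so a "bias" of 1/2 would say
    nothing about f.
    """
    if rank_gf2(deltas) != len(deltas):
        raise ValueError("input differences must be linearly independent over GF(2)")
    zeros = sum(1 for x in range(1 << n) if parity(mask & hd_derivative(f, x, deltas)) == 0)
    return zeros / (1 << n) - 0.5


def algebraic_degree(f, n: int, m: int) -> int:
    """Algebraic degree of f: F_2^n -> F_2^m, via a Moebius transform of each output bit's truth table."""
    deg = 0
    for i in range(m):
        anf = [(f(x) >> i) & 1 for x in range(1 << n)]
        step = 1
        while step < (1 << n):
            for u in range(1 << n):
                if u & step:
                    anf[u] ^= anf[u ^ step]
            step <<= 1
        deg = max([deg] + [bin(u).count("1") for u in range(1 << n) if anf[u]])
    return deg


if __name__ == "__main__":
    print("degree of the Ascon S-box:", algebraic_degree(ascon_sbox, 5, 5))
    # 1st order (plain DL): the derivative of a quadratic map is affine, so each bias is 0 or +-1/2.
    print("1st-order biases, delta=0x01:", [hdl_bias(ascon_sbox, 5, [0x01], m) for m in range(1, 32)])
    # 2nd order: the derivative is a constant, so every mask gives a deterministic approximation.
    print("2nd-order biases, delta=(0x01,0x02):", [hdl_bias(ascon_sbox, 5, [0x01, 0x02], m) for m in range(1, 32)])
    # 3rd order: the derivative of a degree-2 map vanishes, which is the zero-sum property.
    print("3rd-order bias, delta=(0x01,0x02,0x04):", hdl_bias(ascon_sbox, 5, [0x01, 0x02, 0x04], 1))
```

The degree is what sets the complexity term \(d2^\ell\) in the HATF bound: one S-box is quadratic, but composing rounds multiplies degrees, which is why the deterministic 2nd-order approximations reported in the abstract are a property of the round-reduced initialization and not of a single S-box. The vanishing 3rd-order sum is the same principle, at toy scale, as the zero-sum distinguisher on the permutation.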

Unsurprisingly, HD/HDL attacks have the potential to be more effective than their simpler differential/DL counterparts. Using HATF, we found many HDL approximations for round-reduced Ascon and Xoodyak initializations with significantly larger biases than DL ones. For instance, there are deterministic 2\(^{nd}\)-order/4\(^{th}\)-order HDL approximations for the Ascon/Xoodyak initializations, respectively (which is believed to be impossible in the simple DL case). We derived highly biased HDL approximations for 5-round Ascon up to 8\(^{th}\) order, which improves the complexity of the distinguishing attack on 5-round Ascon from \(2^{16}\) to \(2^{12}\) calls. We also propose HDL approximations for 6-round Ascon and 5-round Xoodyak (under the single-key model), which could not be reached with simple DL so far. For key recovery, HDL attacks are also more efficient than DL attacks, thanks to the larger biases of HDL approximations. Additionally, HATF works well for DL (1\(^{st}\)-order HDL) attacks, and some well-known DL biases of Ascon and Xoodyak that could previously only be obtained experimentally can now be predicted theoretically.

With DSF, we propose a new distinguishing attack on the 8-round Ascon permutation with a complexity of \(2^{48}\). We also provide a new zero-sum distinguisher for the full 12-round Ascon permutation with \(2^{55}\) time/data complexity. We highlight that our cryptanalyses do not threaten the security of Ascon or Xoodyak.

The full version of this paper is [14].


Notes

1. In [20], the term DATF is used when the ATF is built to obtain transitional expressions for \(f_\varDelta\). In this paper we use ATF for all Boolean functions, whether the target is f or \(f_\varDelta\).

2. Note that \(f_{\boldsymbol{\varDelta}}\) is a Boolean function of \(\boldsymbol{x} = (x_0, x_1, \ldots, x_{\ell-1})\); X and \(\boldsymbol{\varDelta}\) are regarded as parameters.

3. In all attacks in this paper we simply use uniform \(\alpha^{(0)}_u\), i.e., the input values have no biases.

4. Note that not all bits of \(\alpha_u^{(r)}\), \(u \in \mathbb{F}_2^n\), are inputs of \(g \circ M^{-1}\); we write it this way for convenience.

5. Our experiments show that this cutting leads to slightly better results than cutting by rounds, in the case of HATF.

6. Under the default setting \(S^{(0)}[3][0] = S^{(0)}[4][0]\); see [11] for more information about this DL distinguisher.

7. We also encourage readers to read our code to see how these conditions are used: https://github.com/hukaisdu/HDL/blob/main/HATF/ascon.cpp.

8. A larger \(r_0\) makes the estimate of \(\deg(\mathrm{DSF}_{f, X, \boldsymbol{\varDelta}})\) more precise but the ANFs more time-consuming to compute, while a smaller \(r_0\) may undermine the precision.

9. Note that the degree matrix method only happens to be as good as the division property in this specific case; we choose it simply because it integrates more easily into our algorithm. In the general case, the division property has overwhelming advantages in accuracy and versatility.

References

1. Bar-On, A., Dunkelman, O., Keller, N., Weizman, A.: DLCT: a new tool for differential-linear cryptanalysis. In: EUROCRYPT (2019)

2. Biham, E., Dunkelman, O., Keller, N.: A new attack on 6-round IDEA. In: FSE (2007)

3. Biham, E., Dunkelman, O., Keller, N.: Enhancing differential-linear cryptanalysis. In: ASIACRYPT (2002)

4. Biham, E., Dunkelman, O., Keller, N.: New combined attacks on block ciphers. In: FSE (2005)

5. Biham, E., Shamir, A.: Differential cryptanalysis of DES-like cryptosystems. In: CRYPTO (1990)

6. Blondeau, C., Leander, G., Nyberg, K.: Differential-linear cryptanalysis revisited. J. Cryptol. 30(3), 859–888 (2017)

7. Bonnetain, X., Leurent, G., Naya-Plasencia, M., Schrottenloher, A.: Quantum linearization attacks. In: ASIACRYPT (2021)

8. Daemen, J., Hoffert, S., Van Assche, G., Van Keer, R.: The design of Xoodoo and Xoofff. IACR ToSC 2018(4) (2018)

9. Daemen, J., Hoffert, S., Peeters, M., Van Assche, G., Van Keer, R.: Xoodyak, a lightweight cryptographic scheme. IACR ToSC 2020(S1) (2020)

10. Dinur, I., Shamir, A.: Cube attacks on tweakable black box polynomials. In: EUROCRYPT (2009)

11. Dobraunig, C., Eichlseder, M., Mendel, F., Schläffer, M.: Cryptanalysis of Ascon. In: CT-RSA (2015)

12. Dobraunig, C., Eichlseder, M., Mendel, F., Schläffer, M.: Ascon v1.2: lightweight authenticated encryption and hashing. J. Cryptol. 34(3), 33 (2021)

13. Dunkelman, O., Weizman, A.: Differential-linear cryptanalysis on Xoodyak. In: NIST Lightweight Cryptography Workshop (2022)

14. Hu, K., Peyrin, T., Tan, Q.Q., Yap, T.: Revisiting higher-order differential-linear attacks from an algebraic perspective. Cryptology ePrint Archive, Report 2022/1335

15. MacWilliams, F.J., Sloane, N.J.A.: The Theory of Error-Correcting Codes. North-Holland Mathematical Library, vol. 16. Elsevier (1977)

16. Knudsen, L.: Truncated and higher order differentials. In: FSE (1994)

17. Lai, X., Massey, J.: A proposal for a new block encryption standard. In: EUROCRYPT (1990)

18. Langford, S., Hellman, M.: Differential-linear cryptanalysis. In: CRYPTO (1994)

19. Li, Z., Dong, X., Wang, X.: Conditional cube attack on round-reduced Ascon. IACR ToSC 2017(1) (2017)

20. Liu, M., Lu, X., Lin, D.: Differential-linear cryptanalysis from an algebraic perspective. In: CRYPTO (2021)

21. Liu, Y., Sun, S., Li, C.: Rotational cryptanalysis from a differential-linear perspective: practical distinguishers for round-reduced FRIET, Xoodoo, and Alzette. In: EUROCRYPT (2021)

22. Matsui, M.: Linear cryptanalysis method for DES cipher. In: EUROCRYPT (1993)

23. Rohit, R., Hu, K., Sarkar, S., Sun, S.: Misuse-free key-recovery and distinguishing attacks on 7-round Ascon. IACR ToSC 2021(1) (2021)

24. Shi, D., Sun, S., Sasaki, Y., Li, C., Hu, L.: Correlation of quadratic Boolean functions: cryptanalysis of all versions of full MORUS. In: CRYPTO (2019)

25. Tezcan, C.: Analysis of Ascon, DryGASCON, and Shamash permutations. Cryptology ePrint Archive, Report 2020/1458

26. Todo, Y.: Structural evaluation by generalized integral property. In: EUROCRYPT (2015)

27. Todo, Y., Morii, M.: Bit-based division property and application to Simon family. In: FSE (2016)

28. Vaudenay, S.: Provable security for block ciphers by decorrelation. In: STACS (1998)

29. Wagner, D.: The boomerang attack. In: FSE (1999)

30. Lai, X.: Higher order derivatives and differential cryptanalysis. In: Communications and Cryptography, pp. 227–233 (1994)

31. Zhou, H., Li, Z., Dong, X., Jia, K., Meier, W.: Practical key-recovery attacks on round-reduced Ketje Jr, Xoodoo-AE and Xoodyak. Comput. J. 63(8), 1231–1246 (2020)

Acknowledgments

We are grateful to the anonymous referees for their comments that improved the quality of this article. Kai Hu thanks Yang Wang for the fruitful discussion. The authors are supported by the France-Singapore NRF-ANR research grant NRF2020-NRF-ANR072 and the Singapore NRF Investigatorship research grant NRF-NRFI08-2022-0013.

Author information

Corresponding author: Kai Hu.

Copyright information

© 2023 International Association for Cryptologic Research

About this paper

Cite this paper

Hu, K., Peyrin, T., Tan, Q.Q., Yap, T. (2023). Revisiting Higher-Order Differential-Linear Attacks from an Algebraic Perspective. In: Guo, J., Steinfeld, R. (eds) Advances in Cryptology – ASIACRYPT 2023. ASIACRYPT 2023. Lecture Notes in Computer Science, vol 14440. Springer, Singapore. https://doi.org/10.1007/978-981-99-8727-6_14

  • DOI: https://doi.org/10.1007/978-981-99-8727-6_14

  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-99-8726-9

  • Online ISBN: 978-981-99-8727-6