Cryptanalytic Time–Memory–Data Trade-offs for FX-Constructions and the Affine Equivalence Problem

Journal of Cryptology

Abstract

The FX-construction was proposed in 1996 by Kilian and Rogaway as a generalization of the DESX scheme. The construction increases the security of an n-bit core block cipher with a \(\kappa \)-bit key by using two additional n-bit masking keys. Recently, several concrete instances of the FX-construction were proposed, including PRINCE, PRIDE and MANTIS (presented at ASIACRYPT 2012, CRYPTO 2014 and CRYPTO 2016, respectively). In this paper, we devise new cryptanalytic time–memory–data trade-off attacks on FX-constructions. By fine-tuning the parameters to the recent FX-construction proposals, we show that the security margin of these ciphers against practical attacks is smaller than expected. Our techniques combine a special form of time–memory–data trade-offs, typically applied to stream ciphers, with a cryptanalytic technique by Fouque, Joux and Mavromati. In the final part of the paper, we show that the techniques we use in cryptanalysis of the FX-construction are applicable to additional schemes. In particular, we use related methods in order to devise new time–memory trade-offs for solving the affine equivalence problem. In this problem, the input consists of two functions \(F,G: \{0,1\}^n \rightarrow \{0,1\}^n\), and the goal is to determine whether there exist invertible affine transformations \(A_1,A_2\) over \(GF(2)^n\) such that \(G = A_2 \circ F \circ A_1\).
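The two objects the abstract defines, the FX construction FX(x) = E_k(x ⊕ k1) ⊕ k2 and the affine-equivalence relation G = A2 ∘ F ∘ A1 over GF(2)^n, are easiest to see side by side on a tiny instance. The following is example code written for this page, not the paper's own algorithms, and it does not implement any of the trade-off attacks; it assumes a constructed 4-bit two-round core cipher (built from the public PRESENT S-box, with no security claim), constructed keys, and a small GF(2) linear-algebra helper. It shows that, for fixed keys, the two masking keys of an FX instance are themselves an affine-equivalence witness between the core cipher and the FX cipher, since XOR with a constant is an invertible affine map:

```python
"""FX construction and the affine-equivalence relation on small permutations.

Example code added for this page; it is not the paper's own algorithm and
makes no attempt at the time-memory-data trade-off attacks it describes.
The toy core cipher, its 8-bit key and all masking keys are constructed here.
"""
from typing import Callable, List

N = 4                      # toy block size in bits (the real targets use n = 64)
MASK = (1 << N) - 1
DOMAIN = range(1 << N)

# Public 4-bit PRESENT S-box, used only to make the toy core nonlinear.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def toy_core_cipher(key: int, x: int) -> int:
    """Constructed two-round 4-bit core cipher E_k with an 8-bit key (kappa = 8).

    Each round XORs one key nibble and applies the S-box, so E_k is a
    permutation of {0,1}^4. It only stands in for the core of an FX scheme.
    """
    state = x & MASK
    for rnd in range(2):
        round_key = (key >> (N * rnd)) & MASK
        state = SBOX[state ^ round_key]
    return state


def fx_encrypt(core: Callable[[int, int], int], k: int, k1: int, k2: int, x: int) -> int:
    """FX construction of Kilian and Rogaway: FX_{k,k1,k2}(x) = E_k(x XOR k1) XOR k2."""
    return core(k, x ^ k1) ^ k2


def gf2_matvec(rows: List[int], x: int) -> int:
    """Multiply an n x n matrix over GF(2) (row i stored as a bitmask) by vector x."""
    y = 0
    for i, row in enumerate(rows):
        if bin(row & x).count("1") & 1:   # parity of the row/vector dot product
            y |= 1 << i
    return y


def gf2_rank(rows: List[int]) -> int:
    """Rank over GF(2) by Gaussian elimination; full rank means the matrix is invertible."""
    rows = list(rows)
    rank = 0
    for bit in range(N):
        pivot = next((i for i in range(rank, len(rows)) if (rows[i] >> bit) & 1), None)
        if pivot is None:
            continue
        rows[rank], rows[pivot] = rows[pivot], rows[rank]
        for i in range(len(rows)):
            if i != rank and (rows[i] >> bit) & 1:
                rows[i] ^= rows[rank]
        rank += 1
    return rank


class Affine:
    """Affine map A(x) = M*x XOR c over GF(2)^n, M given as a list of row bitmasks."""

    def __init__(self, rows: List[int], const: int):
        self.rows, self.const = rows, const & MASK

    def __call__(self, x: int) -> int:
        return gf2_matvec(self.rows, x) ^ self.const

    def is_invertible(self) -> bool:
        return gf2_rank(self.rows) == N

    @staticmethod
    def translation(c: int) -> "Affine":
        """x -> x XOR c: the identity matrix with constant c (always invertible)."""
        return Affine([1 << i for i in range(N)], c)


def truth_table(f: Callable[[int], int]) -> List[int]:
    return [f(x) for x in DOMAIN]


def is_equivalence_witness(F: List[int], G: List[int], A1: Affine, A2: Affine) -> bool:
    """Verify a claimed witness for the affine equivalence problem:
    A1 and A2 invertible, and G = A2 o F o A1 on the whole domain."""
    if not (A1.is_invertible() and A2.is_invertible()):
        return False
    return all(G[x] == A2(F[A1(x)]) for x in DOMAIN)


def fx_is_affine_equivalent_to_core(k: int, k1: int, k2: int) -> bool:
    """For fixed keys, FX_{k,k1,k2} = (XOR k2) o E_k o (XOR k1), so the masking
    keys themselves form an affine-equivalence witness between the core and FX."""
    F = truth_table(lambda x: toy_core_cipher(k, x))
    G = truth_table(lambda x: fx_encrypt(toy_core_cipher, k, k1, k2, x))
    return is_equivalence_witness(F, G, Affine.translation(k1), Affine.translation(k2))


if __name__ == "__main__":
    # Constructed keys: 8-bit core key, two 4-bit masking keys.
    print(fx_is_affine_equivalent_to_core(k=0x3A, k1=0x5, k2=0xC))
```

The checker only verifies a proposed witness (A1, A2); finding one is the affine equivalence problem the paper's trade-offs address, and its cost grows with n, which is why the example stays at n = 4 where the full truth tables have 16 entries.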


Notes

  1. PRINCE, PRIDE and MANTIS are FX-constructions of a particular type, where \(k_2\) linearly depends on \(k_1\). However, it is shown in [9] that the smaller key size does not reduce the security of the schemes against generic attacks.

  2. PRINCE and MANTIS guarantee slightly less than \(127 - d\) bits of security, as their core ciphers were designed to preserve a special property that allows small-footprint implementations.

  3. The paper of [18] refers to this situation as the chains becoming parallel.

  4. Our definitions are related to the definitions of full name, output name, and short name in the context of stream ciphers with low sampling resistance [5].

  5. Note that the stopping rule in the previous attack was \(T' \cdot T'M'=2^{\kappa } < 2^{\kappa -n+2d}\).

References

  1. M.R. Albrecht, B. Driessen, E.B. Kavun, G. Leander, C. Paar, T. Yalçin, Block ciphers—focus on the linear layer (feat. PRIDE), in J.A. Garay, R. Gennaro, editors, Advances in Cryptology—CRYPTO 2014—34th Annual Cryptology Conference, Santa Barbara, CA, USA, August 17–21, 2014, Proceedings, Part I. Lecture Notes in Computer Science, vol. 8616 (Springer, 2014), pp. 57–76

  2. E. Barkan, E. Biham, A. Shamir, Rigorous bounds on cryptanalytic time/memory tradeoffs, in C. Dwork, editor, CRYPTO. Lecture Notes in Computer Science, vol. 4117 (Springer, 2006), pp. 1–21

  3. C. Beierle, J. Jean, S. Kölbl, G. Leander, A. Moradi, T. Peyrin, Y. Sasaki, P. Sasdrich, S.M. Sim, The SKINNY family of block ciphers and its low-latency variant MANTIS, in M. Robshaw, J. Katz, editors, Advances in Cryptology—CRYPTO 2016—36th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 14–18, 2016, Proceedings, Part II. Lecture Notes in Computer Science, vol. 9815 (Springer, 2016), pp. 123–153

  4. A. Biryukov, C.D. Cannière, A. Braeken, B. Preneel, A toolbox for cryptanalysis: linear and affine equivalence algorithms, in E. Biham, editor, Advances in Cryptology—EUROCRYPT 2003, International Conference on the Theory and Applications of Cryptographic Techniques, Warsaw, Poland, May 4–8, 2003, Proceedings. Lecture Notes in Computer Science, vol. 2656 (Springer, 2003), pp. 33–50

  5. A. Biryukov, A. Shamir, Cryptanalytic time/memory/data tradeoffs for stream ciphers, in T. Okamoto, editor, ASIACRYPT. Lecture Notes in Computer Science, vol. 1976 (Springer, 2000), pp. 1–13

  6. A. Biryukov, A. Shamir, D. Wagner, Real time cryptanalysis of A5/1 on a PC, in B. Schneier, editor, FSE. Lecture Notes in Computer Science, vol. 1978 (Springer, 2000), pp. 1–18

  7. A. Biryukov, D. Wagner, Advanced slide attacks, in B. Preneel, editor, EUROCRYPT. Lecture Notes in Computer Science, vol. 1807 (Springer, 2000), pp. 589–606

  8. Bitcoin network graphs. http://bitcoin.sipa.be/

  9. J. Borghoff, A. Canteaut, T. Güneysu, E.B. Kavun, M. Knezevic, L.R. Knudsen, G. Leander, V. Nikov, C. Paar, C. Rechberger, P. Rombouts, S.S. Thomsen, T. Yalçin, PRINCE—a low-latency block cipher for pervasive computing applications—extended abstract, in X. Wang, K. Sako, editors, ASIACRYPT. Lecture Notes in Computer Science, vol. 7658 (Springer, 2012), pp. 208–225

  10. J. Borst, B. Preneel, J. Vandewalle, On the time–memory tradeoff between exhaustive key search and table precomputation, in Proceedings of 19th Symposium in Information Theory in the Benelux, WIC (1998), pp. 111–118

  11. M. Brinkmann, G. Leander, On the classification of APN functions up to dimension five. Des. Codes Cryptogr. 49(1–3), 273–288 (2008)

  12. A. Canteaut, J. Roué, On the behaviors of affine equivalent sboxes regarding differential and linear attacks, in Oswald, Fischlin [24], pp. 45–74

  13. J. Daemen, Limitations of the Even–Mansour construction, in ASIACRYPT, pp. 495–498 (1991)

  14. I. Dinur, Cryptanalytic time–memory–data tradeoffs for FX-constructions with applications to PRINCE and PRIDE, in Oswald, Fischlin [24], pp. 231–253

  15. I. Dinur, An improved affine equivalence algorithm for random permutations, in J.B. Nielsen, V. Rijmen, editors, Advances in Cryptology—EUROCRYPT 2018—37th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Tel Aviv, Israel, April 29–May 3, 2018 Proceedings, Part I. Lecture Notes in Computer Science, vol. 10820 (Springer, 2018), pp. 413–442

  16. O. Dunkelman, N. Keller, A. Shamir, Minimalism in cryptography: the Even–Mansour scheme revisited, in D. Pointcheval, T. Johansson, editors, EUROCRYPT. Lecture Notes in Computer Science, vol. 7237 (Springer, 2012), pp. 336–354

  17. S. Even, Y. Mansour, A construction of a cipher from a single pseudorandom permutation. J. Cryptol. 10(3), 151–162 (1997)

  18. P. Fouque, A. Joux, C. Mavromati, Multi-user collisions: applications to discrete logarithm, Even–Mansour and PRINCE, in P. Sarkar, T. Iwata, editors, Advances in Cryptology—ASIACRYPT 2014—20th International Conference on the Theory and Application of Cryptology and Information Security, Kaoshiung, Taiwan, R.O.C., December 7–11, 2014. Proceedings, Part I. Lecture Notes in Computer Science, vol. 8873 (Springer, 2014), pp. 420–438

  19. M.E. Hellman, A cryptanalytic time–memory trade-off. IEEE Trans. Inf. Theory 26(4), 401–406 (1980)

  20. J. Kilian, P. Rogaway, How to protect DES against exhaustive key search, in N. Koblitz, editor, CRYPTO. Lecture Notes in Computer Science, vol. 1109 (Springer, 1996), pp. 252–267

  21. G. Leander, A. Poschmann, On the classification of 4 bit s-boxes, in C. Carlet, B. Sunar, editors, Arithmetic of Finite Fields, First International Workshop, WAIFI 2007, Madrid, Spain, June 21–22, 2007, Proceedings. Lecture Notes in Computer Science, vol. 4547 (Springer, 2007), pp. 159–176

  22. W. Michiels, P. Gorissen, H.D.L. Hollmann, Cryptanalysis of a generic class of white-box implementations, in R.M. Avanzi, L. Keliher, F. Sica, editors, Selected Areas in Cryptography, 15th International Workshop, SAC 2008, Sackville, New Brunswick, Canada, August 14–15, Revised Selected Papers. Lecture Notes in Computer Science, vol. 5381 (Springer, 2008), pp. 414–428

  23. National Institute of Standards and Technology, Recommendation for Key Management—Part 1: General (Revision 3). NIST Special Publication 800-57 (2012)

  24. E. Oswald, M. Fischlin, editors, Advances in Cryptology—EUROCRYPT 2015—34th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Sofia, Bulgaria, April 26–30, 2015, Proceedings, Part I. Lecture Notes in Computer Science, vol. 9056 (Springer, 2015)

  25. J. Patarin, Hidden fields equations (HFE) and isomorphisms of polynomials (IP): two new families of asymmetric algorithms, in U.M. Maurer, editor, Advances in Cryptology—EUROCRYPT ’96, International Conference on the Theory and Application of Cryptographic Techniques, Saragossa, Spain, May 12–16, 1996, Proceeding. Lecture Notes in Computer Science, vol. 1070 (Springer, 1996), pp. 33–48

  26. R.L. Rivest, DESX. Unpublished (1984)

  27. F.-X. Standaert, G. Rouvroy, J.-J. Quisquater, J.-D. Legat, A time-memory tradeoff using distinguished points: new analysis & FPGA results, in B.S. Kaliski Jr., Çetin Kaya Koç, C. Paar, editors, CHES. Lecture Notes in Computer Science, vol. 2523 (Springer, 2002), pp. 593–609

  28. P.C. van Oorschot, M.J. Wiener, Parallel collision search with cryptanalytic applications. J. Cryptol. 12(1), 1–28 (1999)

Acknowledgements

The author would like to thank the anonymous reviewers of EUROCRYPT 2015 and the Journal of Cryptology for their valuable comments that helped improve the presentation of this paper. The author was supported in part by the Israeli Science Foundation through Grant No. 573/16.

Corresponding author

Correspondence to Itai Dinur.

Additional information

Communicated by Kaisa Nyberg.


A shortened version of this paper was presented at EUROCRYPT 2015 [14].


Cite this article

Dinur, I. Cryptanalytic Time–Memory–Data Trade-offs for FX-Constructions and the Affine Equivalence Problem. J Cryptol 33, 874–909 (2020). https://doi.org/10.1007/s00145-019-09332-0
