Abstract
The FX-construction was proposed in 1996 by Kilian and Rogaway as a generalization of the DESX scheme. The construction increases the security of an n-bit core block cipher with a \(\kappa \)-bit key by using two additional n-bit masking keys. Recently, several concrete instances of the FX-construction were proposed, including PRINCE, PRIDE and MANTIS (presented at ASIACRYPT 2012, CRYPTO 2014 and CRYPTO 2016, respectively). In this paper, we devise new cryptanalytic time–memory–data trade-off attacks on FX-constructions. By fine-tuning the parameters to the recent FX-construction proposals, we show that the security margin of these ciphers against practical attacks is smaller than expected. Our techniques combine a special form of time–memory–data trade-offs, typically applied to stream ciphers, with a cryptanalytic technique by Fouque, Joux and Mavromati. In the final part of the paper, we show that the techniques we use in cryptanalysis of the FX-construction are applicable to additional schemes. In particular, we use related methods in order to devise new time–memory trade-offs for solving the affine equivalence problem. In this problem, the input consists of two functions \(F,G: \{0,1\}^n \rightarrow \{0,1\}^n\), and the goal is to determine whether there exist invertible affine transformations \(A_1,A_2\) over \(GF(2)^n\) such that \(G = A_2 \circ F \circ A_1\).
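As an added illustration (not code from the paper), the following Python encodes the affine equivalence relation \(G = A_2 \circ F \circ A_1\) defined above for a constructed 4-bit permutation \(F\), and shows the step that any candidate \(A_1\) reduces to: once \(A_1\) is fixed, \(A_2\) is forced to equal \(G \circ A_1^{-1} \circ F^{-1}\), and the only question left is whether that map is affine. The S-box table, the matrices and the constants are all constructed for this example.

```python
# Added example, not the paper's code. An affine map A(x) = M*x XOR c over GF(2)^N is
# stored as (cols, c) with cols[i] = column i of M as an int; F, A1, A2 are constructed.
N = 4  # F, G: {0,1}^N -> {0,1}^N
F = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8, 0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]  # constructed 4-bit permutation (input -> output)

def apply_affine(A, x):
    """A(x): XOR the columns of M selected by the set bits of x, then XOR the constant c."""
    cols, c = A
    y = c
    for i, col in enumerate(cols):
        y ^= col if (x >> i) & 1 else 0
    return y

def gf2_rank(vectors):
    """Rank over GF(2) of bit-vectors stored as ints, by Gaussian elimination."""
    rows, rank = list(vectors), 0
    for bit in range(N):
        pivot = next((r for r in rows if (r >> bit) & 1), 0)
        if pivot:
            rows = [r ^ pivot if (r >> bit) & 1 else r for r in rows if r != pivot]
            rank += 1
    return rank

def is_invertible(A):
    """An affine map is invertible iff its linear part M has full rank."""
    return gf2_rank(A[0]) == N

def compose(A2, F, A1):
    """Lookup table of G = A2 o F o A1, i.e. G(x) = A2(F(A1(x)))."""
    return [apply_affine(A2, F[apply_affine(A1, x)]) for x in range(1 << N)]

def as_affine(table):
    """(cols, c) if the table is an affine map, else None: an affine map is fixed by its
    values at 0 and at the unit vectors, so every other entry must agree with that guess."""
    c = table[0]
    guess = ([table[1 << i] ^ c for i in range(N)], c)
    return guess if all(apply_affine(guess, x) == table[x] for x in range(1 << N)) else None

def recover_a2(F, G, A1):
    """Given F, G and a candidate A1, the only possible A2 is G o A1^-1 o F^-1; return it
    if that map is affine, else None (the candidate A1 is then ruled out)."""
    a1_inv = {apply_affine(A1, x): x for x in range(1 << N)}
    f_inv = {F[x]: x for x in range(1 << N)}
    return as_affine([G[a1_inv[f_inv[y]]] for y in range(1 << N)])

# Constructed witnesses: A1 swaps bits 0 and 3 then adds 0b0101; A2 is triangular plus 0b1010.
A1 = ([0b1000, 0b0010, 0b0100, 0b0001], 0b0101)
A2 = ([0b0001, 0b0011, 0b0101, 0b1001], 0b1010)
G = compose(A2, F, A1)  # an instance of the problem whose answer is "yes"
```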
Notes
PRINCE, PRIDE and MANTIS are FX-constructions of a particular type, where \(k_2\) linearly depends on \(k_1\). However, it is shown in [9] that the smaller key size does not reduce the security of the schemes against generic attacks.
PRINCE and MANTIS guarantee slightly less than \(127 - d\) bits of security, as their core ciphers were designed to preserve a special property that allows small footprint implementations.
The paper of [18] refers to this situation as the chains becoming parallel.
Our definitions are related to the definitions of full name, output name, and short name in the context of stream ciphers with low sampling resistance [5].
Note that the stopping rule in the previous attack was \(T' \cdot T'M'=2^{\kappa } < 2^{\kappa -n+2d}\).
References
M.R. Albrecht, B. Driessen, E.B. Kavun, G. Leander, C. Paar, T. Yalçin, Block ciphers—focus on the linear layer (feat. PRIDE), in J.A. Garay, R. Gennaro, editors, Advances in Cryptology—CRYPTO 2014—34th Annual Cryptology Conference, Santa Barbara, CA, USA, August 17–21, 2014, Proceedings, Part I. Lecture Notes in Computer Science, vol. 8616 (Springer, 2014), pp. 57–76
E. Barkan, E. Biham, A. Shamir, Rigorous bounds on cryptanalytic time/memory tradeoffs, in C. Dwork, editor, CRYPTO. Lecture Notes in Computer Science, vol. 4117 (Springer, 2006), pp. 1–21
C. Beierle, J. Jean, S. Kölbl, G. Leander, A. Moradi, T. Peyrin, Y. Sasaki, P. Sasdrich, S.M. Sim, The SKINNY family of block ciphers and its low-latency variant MANTIS, in M. Robshaw, J. Katz, editors, Advances in Cryptology—CRYPTO 2016—36th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 14–18, 2016, Proceedings, Part II. Lecture Notes in Computer Science, vol. 9815 (Springer, 2016), pp. 123–153
A. Biryukov, C.D. Cannière, A. Braeken, B. Preneel, A toolbox for cryptanalysis: linear and affine equivalence algorithms, in E. Biham, editor, Advances in Cryptology—EUROCRYPT 2003, International Conference on the Theory and Applications of Cryptographic Techniques, Warsaw, Poland, May 4–8, 2003, Proceedings. Lecture Notes in Computer Science, vol. 2656 (Springer, 2003), pp. 33–50
A. Biryukov, A. Shamir, Cryptanalytic time/memory/data tradeoffs for stream ciphers, in T. Okamoto, editor, ASIACRYPT. Lecture Notes in Computer Science, vol. 1976 (Springer, 2000), pp. 1–13
A. Biryukov, A. Shamir, D. Wagner, Real time cryptanalysis of A5/1 on a PC, in B. Schneier, editor, FSE. Lecture Notes in Computer Science, vol. 1978 (Springer, 2000), pp. 1–18
A. Biryukov, D. Wagner, Advanced slide attacks, in B. Preneel, editor, EUROCRYPT. Lecture Notes in Computer Science, vol. 1807 (Springer, 2000), pp. 589–606
Bitcoin network graphs. http://bitcoin.sipa.be/
J. Borghoff, A. Canteaut, T. Güneysu, E.B. Kavun, M. Knezevic, L.R. Knudsen, G. Leander, V. Nikov, C. Paar, C. Rechberger, P. Rombouts, S.S. Thomsen, T. Yalçin, PRINCE—a low-latency block cipher for pervasive computing applications—extended abstract, in X. Wang, K. Sako, editors, ASIACRYPT. Lecture Notes in Computer Science, vol. 7658 (Springer, 2012), pp. 208–225
J. Borst, B. Preneel, J. Vandewalle, On the time–memory tradeoff between exhaustive key search and table precomputation, in Proceedings of 19th Symposium in Information Theory in the Benelux, WIC (1998), pp. 111–118
M. Brinkmann, G. Leander, On the classification of APN functions up to dimension five. Des. Codes Cryptogr. 49(1–3), 273–288 (2008)
A. Canteaut, J. Roué, On the behaviors of affine equivalent sboxes regarding differential and linear attacks, in Oswald, Fischlin [24], pp. 45–74
J. Daemen, Limitations of the Even–Mansour construction, in ASIACRYPT, pp. 495–498 (1991)
I. Dinur, Cryptanalytic time–memory–data tradeoffs for FX-constructions with applications to PRINCE and PRIDE, in Oswald, Fischlin [24], pp. 231–253
I. Dinur, An improved affine equivalence algorithm for random permutations, in J.B. Nielsen, V. Rijmen, editors, Advances in Cryptology—EUROCRYPT 2018—37th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Tel Aviv, Israel, April 29–May 3, 2018 Proceedings, Part I. Lecture Notes in Computer Science, vol. 10820 (Springer, 2018), pp. 413–442
O. Dunkelman, N. Keller, A. Shamir, Minimalism in cryptography: the Even–Mansour scheme revisited, in D. Pointcheval, T. Johansson, editors, EUROCRYPT. Lecture Notes in Computer Science, vol. 7237 (Springer, 2012), pp. 336–354
S. Even, Y. Mansour, A construction of a cipher from a single pseudorandom permutation. J. Cryptol., 10(3), 151–162 (1997)
P. Fouque, A. Joux, C. Mavromati, Multi-user collisions: applications to discrete logarithm, Even–Mansour and PRINCE, in P. Sarkar, T. Iwata, editors, Advances in Cryptology—ASIACRYPT 2014—20th International Conference on the Theory and Application of Cryptology and Information Security, Kaoshiung, Taiwan, R.O.C., December 7–11, 2014. Proceedings, Part I. Lecture Notes in Computer Science, vol. 8873 (Springer, 2014), pp. 420–438
M.E. Hellman, A cryptanalytic time–memory trade-off. IEEE Trans. Inf. Theory, 26(4), 401–406 (1980)
J. Kilian, P. Rogaway, How to protect DES against exhaustive key search, in N. Koblitz, editor, CRYPTO. Lecture Notes in Computer Science, vol. 1109 (Springer, 1996), pp. 252–267
G. Leander, A. Poschmann, On the classification of 4 bit s-boxes, in C. Carlet, B. Sunar, editors, Arithmetic of Finite Fields, First International Workshop, WAIFI 2007, Madrid, Spain, June 21–22, 2007, Proceedings. Lecture Notes in Computer Science, vol. 4547 (Springer, 2007), pp. 159–176
W. Michiels, P. Gorissen, H.D.L. Hollmann, Cryptanalysis of a generic class of white-box implementations, in R.M. Avanzi, L. Keliher, F. Sica, editors, Selected Areas in Cryptography, 15th International Workshop, SAC 2008, Sackville, New Brunswick, Canada, August 14–15, Revised Selected Papers. Lecture Notes in Computer Science, vol. 5381 (Springer, 2008), pp. 414–428
National Institute of Standards and Technology, Recommendation for Key Management—Part 1: General (Revision 3). NIST Special Publication 800-57 (2012)
E. Oswald, M. Fischlin, editors. Advances in Cryptology—EUROCRYPT 2015—34th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Sofia, Bulgaria, April 26–30, 2015, Proceedings, Part I. Lecture Notes in Computer Science, vol. 9056 (Springer, 2015)
J. Patarin, Hidden fields equations (HFE) and isomorphisms of polynomials (IP): two new families of asymmetric algorithms, in U.M. Maurer, editor, Advances in Cryptology—EUROCRYPT ’96, International Conference on the Theory and Application of Cryptographic Techniques, Saragossa, Spain, May 12–16, 1996, Proceedings. Lecture Notes in Computer Science, vol. 1070 (Springer, 1996), pp. 33–48
R.L. Rivest, DESX. Never published (1984)
F.-X. Standaert, G. Rouvroy, J.-J. Quisquater, J.-D. Legat, A time-memory tradeoff using distinguished points: new analysis & FPGA results, in B.S. Kaliski Jr., Ç.K. Koç, C. Paar, editors, CHES. Lecture Notes in Computer Science, vol. 2523 (Springer, 2002), pp. 593–609
P.C. van Oorschot, M.J. Wiener, Parallel collision search with cryptanalytic applications. J. Cryptol., 12(1), 1–28 (1999)
Acknowledgements
The author would like to thank the anonymous reviewers of EUROCRYPT 2015 and the Journal of Cryptology for their valuable comments that helped improve the presentation of this paper. The author was supported in part by the Israeli Science Foundation through Grant No. 573/16.
Additional information
Communicated by Kaisa Nyberg.
A shortened version of this paper was presented at EUROCRYPT 2015 [14].
Cite this article
Dinur, I. Cryptanalytic Time–Memory–Data Trade-offs for FX-Constructions and the Affine Equivalence Problem. J Cryptol 33, 874–909 (2020). https://doi.org/10.1007/s00145-019-09332-0