Cryptanalysis of the AEAD and hash algorithm DryGASCON

Abstract

The DryGASCON scheme was one of authenticated encryption (AE) algorithms submitted to the ongoing NIST Lightweight Cryptography Standardization Process. Such a competition aims to standardize lightweight cryptographic algorithms and determine lightweight AE schemes that are suitable for use in constrained environments suitable for several emerging areas in which highly-constrained devices are interconnected. This article deals with DryGASCON and aims to evaluate its security. The reasons for this choice are twofold. The first reason is related to its unique design. The second one is that no forgery cryptanalysis has been performed on it in the literature to the best of our knowledge. Specifically, this paper presents practical forgery attacks on DryGASCON by exploiting internal collisions of the underlying permutation. During our cryptanalysis, we investigate collisions and discuss how to find them. Next, we mounted forgery attacks on DryGASCON128 with an optimal probability 2^− 13 for a class of weak keys and with certainty (optimal probability 1) for pairs of related keys. We show that the number of elements from the weak-key class depends on the size of the secret keys. In addition, we also find forgeries of DryGASCON256 in the related-key scenario. Forgery attacks succeeded without the reuse of nonce. Our results threaten the authenticity and robustness of DryGASCON. However, thanks to our analysis, we shed light on the causes of its weaknesses, and we manage to draw constructive conclusions and recommendations for future AE designs schemes, notably similar to DryGASCON.

Appendices

Appendix A: Key Setup permutation

Fig. 6

Key Setup permutations for DryGASCON128

Fig. 7

Key Setup permutations for DryGASCON256

Appendix B: MixSX32 permutation from DryGASCON256

Fig. 8

MixSX32 permutation for DryGASCON256

Fig. 9

Differential characteristic with probability 2^− 6 for Property 3

MixSX32 permutation for 576-bit c, 128-bit x and 18-bit i could be written as \(c \leftarrow \textit {MixSX32}(i, c, x ),\) where

$$ \begin{array}{@{}rcl@{}} i &=& i_{17}\|i_{16}\|i_{15}\|i_{14}\|i_{13}\|i_{12}\|i_{11}\|i_{10}\|i_{9}\|i_{8}\|i_{7}\|i_{6}\|i_{5}\|i_{4}\|i_{3}\|i_{2}\|i_{1}\|i_{0},\\ c& =& c_{17}\|c_{16}\|c_{15}\|c_{14}\|c_{13}\|c_{12}\|c_{11}\|c_{10}\|c_{9}\|c_{8}\|c_{7}\|c_{6}\|c_{5}\|c_{4}\|c_{3}\|c_{2}\|c_{1}\|c_{0},\\ x &=& x_{3}\|x_{2}\|x_{1}\|x_{0}. \end{array} $$

For example, let i be equal to 011000110001101100, and the output of MixSX32 permutation is

$$ \begin{array}{@{}rcl@{}} && c \leftarrow \\ &&c_{17}\|(c_{16}\oplus x_{i[17:16]})\|c_{15}\|(c_{14}\oplus x_{i[15:14]})\|c_{13}\|(c_{12}\oplus x_{i[13:12]})\|c_{11}\|(c_{10}\oplus x_{i[11:10]})\|c_{9}\| \\ && (c_{8}\oplus x_{i[9:8]})\|c_{7}\|(c_{6}\oplus x_{i[7:6]})\|c_{5}\|(c_{4}\oplus x_{i[5:4]})\|c_{3}\|(c_{2}\oplus x_{i[3:2]})\|c_{1}\|(c_{0}\oplus x_{i[1:0]})\\ && \leftarrow c_{17}\|(c_{16}\oplus x_{1})\|c_{15}\|(c_{14}\oplus x_{2})\|c_{13}\|(c_{12}\oplus x_{0})\|c_{11}\|(c_{10}\oplus x_{3})\|c_{9}\| \\ && (c_{8}\oplus x_{0})\|c_{7}\|(c_{6}\oplus x_{1})\|c_{5}\|(c_{4}\oplus x_{2})\|c_{3}\|(c_{2}\oplus x_{3})\|c_{1}\|(c_{0}\oplus x_{0}). \end{array} $$

Appendix C: Differential characteristics

Table 2 Differential Characteristic with Probability 2^− 6 for Property 3

Fig. 10

Differential Characteristic with Probability 2^− 13 for Property 5

Table 3 Differential Characteristic with Probability 2^− 13 for Property 5

Fig. 11

Differential Characteristic with Probability 2^− 10 for Property 6

Table 4 Differential Characteristic with Probability 2^− 10 for Property 6