Differential-linear and related key cryptanalysis of round-reduced scream

https://doi.org/10.1016/j.ipl.2018.03.010

Abstract

We analyse the tweakable block cipher Scream, which is used by the authenticated encryption scheme SCREAM, using linear, differential and related-key cryptanalysis. In our previous paper Scream was already analysed with linear, differential-linear and impossible differential cryptanalysis. In this paper we extend that work by combining a related-key attack with the differential-linear attack.

Introduction

Authenticated Encryption (AE), or Authenticated Encryption with Associated Data (AEAD), is a form of encryption that provides both confidentiality and integrity for messages sent over an insecure channel. It encrypts and authenticates messages using a secret key (shared by the sender and the receiver) together with a public value called a nonce. AE algorithms are often built from combinations of stream ciphers, block ciphers, hash functions and message authentication codes.

The interest in and importance of AE is reflected in a public call for AE algorithms, the CAESAR competition [1]. The contest started in 2014 and received worldwide attention. CAESAR candidates are evaluated in terms of robustness, size, security, performance and flexibility. In the first round 57 algorithms were submitted, and SCREAM (Side-Channel Resistant Authenticated Encryption with Masking) [4], the cipher we focus on, was one of the 29 round-two candidates. SCREAM did not advance to round 3, however, because it was broken by a new type of attack, the nonlinear invariant attack of Leander et al. [9].

SCREAM is a family of authenticated encryption algorithms that uses the tweakable block cipher Scream in the Tweakable Authenticated Encryption (TAE) mode proposed by Liskov et al. [7]. Compared with a conventional block cipher, a tweakable block cipher takes an additional public input called the tweak (Fig. 1). Note that in this paper SCREAM denotes the authenticated encryption scheme (Side-Channel Resistant Authenticated Encryption with Masking) and Scream denotes the tweakable block cipher it uses.


Related cryptanalysis

Leander et al. [9] presented at Asiacrypt 2016 a new attack called the nonlinear invariant attack. They showed how to distinguish the full versions of the tweakable block ciphers Scream, i-Scream and Midori64 in a weak-key setting. For the authenticated encryption schemes i-SCREAM and SCREAM, the plaintext can be recovered in practice from the ciphertext alone, in the nonce-respecting setting.

In 2017, Dwivedi et al. [2] presented a paper Differential-linear and

SCREAM

SCREAM uses the tweakable block cipher Scream, which is based on a variant of the LS-design [3] called the tweakable LS-design (TLS-design).

Related key-differential-linear cryptanalysis

We extend our previous work on Scream [2] to cover a few more rounds by combining related-key cryptanalysis with differential-linear cryptanalysis.

Differential cryptanalysis studies how a difference in the input affects the resulting difference at the output. In a related-key attack the attacker does not know the keys, but can observe the cipher operating under several different keys between which some mathematical relation (for example a fixed XOR difference) is known to the attacker.
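To make the two notions above concrete, the following example measures difference propagation and linear bias through a single small S-box and then evaluates a differential-linear relation across it. It is an added illustration, not code from the paper or from the SCREAM submission: the S-box is the published 4-bit PRESENT S-box, chosen only as a small, well-studied stand-in, and Scream's own S-box, L-box and key schedule are not reproduced.

```python
"""Difference propagation and linear bias through a 4-bit S-box.

Added illustration (not the paper's code). The S-box is the 4-bit PRESENT
S-box, used only as a concrete stand-in for the S-box of a real LS-design;
nothing here reproduces Scream itself.
"""
from fractions import Fraction

# 4-bit PRESENT S-box (published S-box, used here purely as an example).
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def parity(v: int) -> int:
    """XOR of all bits of v; evaluates a linear mask applied to a value."""
    return bin(v).count("1") & 1


def ddt(sbox):
    """Difference distribution table: ddt[a][b] = #{x : S(x) ^ S(x ^ a) == b}.

    Row a is the distribution of output differences for input difference a,
    which is exactly what differential cryptanalysis studies.
    """
    n = len(sbox)
    table = [[0] * n for _ in range(n)]
    for a in range(n):
        for x in range(n):
            table[a][sbox[x] ^ sbox[x ^ a]] += 1
    return table


def diff_prob(sbox, a, b):
    """Probability that input difference a gives output difference b."""
    return Fraction(ddt(sbox)[a][b], len(sbox))


def lin_bias(sbox, alpha, beta):
    """Bias of the approximation alpha.x = beta.S(x): Pr[it holds] - 1/2."""
    n = len(sbox)
    hits = sum(1 for x in range(n) if parity(alpha & x) == parity(beta & sbox[x]))
    return Fraction(hits, n) - Fraction(1, 2)


def difflin_bias(sbox, a, beta):
    """Differential-linear bias through the S-box alone:
    Pr[beta.(S(x) ^ S(x ^ a)) == 0] - 1/2 over all x.

    A pair with input difference a is 'encrypted' and the parity of the
    output difference under mask beta is observed. Computed exactly here;
    in an attack it is estimated from chosen-plaintext pairs.
    """
    n = len(sbox)
    hits = sum(1 for x in range(n) if parity(beta & (sbox[x] ^ sbox[x ^ a])) == 0)
    return Fraction(hits, n) - Fraction(1, 2)


def best_differential(sbox):
    """(probability, a, b) of the most likely non-trivial differential."""
    table = ddt(sbox)
    n = len(sbox)
    cnt, a, b = max((table[a][b], a, b) for a in range(1, n) for b in range(n))
    return Fraction(cnt, n), a, b


def best_linear_approximation(sbox):
    """(|bias|, alpha, beta) of the strongest non-trivial linear approximation."""
    n = len(sbox)
    mag, alpha, beta = max(
        (abs(lin_bias(sbox, al, be)), al, be) for al in range(1, n) for be in range(1, n)
    )
    return mag, alpha, beta


def samples_to_detect(bias):
    """Rule of thumb: a relation of bias b needs on the order of b^-2
    samples before it can be told apart from a random permutation."""
    return int(1 / (Fraction(bias) ** 2))


if __name__ == "__main__":
    p, a, b = best_differential(SBOX)
    e, al, be = best_linear_approximation(SBOX)
    print(f"best differential: {a:#x} -> {b:#x} with probability {p}")
    print(f"best linear approximation: {al:#x}.x = {be:#x}.S(x), |bias| {e}")
    # Input difference 0x1 always flips output bit 0 of this S-box: a
    # deterministic differential-linear relation, much stronger than the
    # 2*eps^2 heuristic would predict, because that heuristic assumes the
    # linear approximation behaves independently on the two texts.
    print(f"difflin bias for a=0x1, beta=0x1: {difflin_bias(SBOX, 1, 1)}")
```

The `difflin_bias` value for (a, beta) = (0x1, 0x1) is the practitioner's caveat: the piling-up style estimate 2ε² for a differential-linear bias is a heuristic that assumes independent rounds, and within one S-box layer the exact bias can be far larger (or smaller), which is why such biases are normally confirmed experimentally on reduced-round versions.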

Conclusion

The attack uses a 6-round related-key path, a 1.5-round differential path with probability 1 and a 2.5-round linear path with bias $\epsilon = 2^{-17}$, covering 10 rounds in total. To detect the bias $\epsilon = 2^{-17}$ we need $\epsilon^{-4} = 2^{68}$ chosen plaintexts. The 11th round is peeled off by guessing 48 key bits, so the time complexity of the attack is $2^{48+68} = 2^{116}$.
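The data and time figures above follow from the usual differential-linear bias estimate. The derivation below is added here as a note on the paper's numbers, not taken from the paper; it writes $\Delta'$ for the difference entering the linear part, $E_2$ for the rounds covered by the linear path and $\alpha$, $\beta$ for its input and output masks (names assumed here, not the paper's).

$$
\beta \cdot \big(E(P) \oplus E(P \oplus \Delta)\big) \;=\; \alpha \cdot \Delta' \;\oplus\; e_1 \;\oplus\; e_2 ,
$$

where $\alpha \cdot \Delta'$ is a constant because the differential path holds with probability 1, and $e_1, e_2$ are the errors of the approximation $\alpha \cdot y = \beta \cdot E_2(y)$ on the two texts of the pair, each with bias $\epsilon$. Treating them as independent (piling-up lemma), the differential-linear bias is

$$
\epsilon_{DL} \;\approx\; 2\epsilon^{2} \;=\; 2 \cdot 2^{-34} \;=\; 2^{-33}.
$$

Telling a relation of bias $b$ apart from a random permutation takes on the order of $b^{-2}$ samples, so

$$
N \;\approx\; (2\epsilon^{2})^{-2} \;=\; \tfrac{1}{4}\,\epsilon^{-4} \;\approx\; \epsilon^{-4} \;=\; 2^{68}
$$

chosen plaintexts, dropping the constant factor. Guessing 48 key bits to peel off the 11th round repeats the work for each guess, giving $2^{48} \cdot 2^{68} = 2^{116}$.

The independence assumption behind $2\epsilon^{2}$ is a heuristic: the real bias over the 2.5 linear rounds can differ from the estimate in either direction, so an attack of this kind is normally checked experimentally on a version with fewer rounds before the complexities are extrapolated.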

Acknowledgements

Project was financed by Polish National Science Centre, project DEC-2014/15/B/ST6/05130.

References (9)

  • CAESAR: Competition for Authenticated Encryption: Security, Applicability, and Robustness
  • Ashutosh Dhar Dwivedi et al., Differential-linear and impossible differential cryptanalysis of round-reduced scream
  • Vincent Grosso et al., Bitslice encryption for efficient masked software implementations
  • Vincent Grosso et al.
