Differential-linear and related key cryptanalysis of round-reduced Scream
Introduction
Authenticated Encryption (AE), or Authenticated Encryption with Associated Data (AEAD), is a form of encryption that provides both confidentiality and integrity for messages passed over an insecure channel. It encrypts and authenticates messages using a secret key (shared by the sender and the receiver) together with a public number called a nonce. AE algorithms are often built from combinations of stream ciphers, block ciphers, hash functions and message authentication codes.
The interest in and importance of AE is reflected in the public call for AE algorithms, the CAESAR competition [1]. The contest started in 2014 and has received worldwide attention. CAESAR candidates are evaluated in terms of robustness, size, security, performance and flexibility. In the first round, 57 algorithms were submitted, and SCREAM (Side-Channel Resistant Authenticated Encryption with Masking) [4], the cipher we focus on, was one of the 29 second-round candidates. SCREAM did not advance to round 3, however, because it was broken by a new type of attack, the nonlinear invariant attack of Leander et al. [9].
SCREAM is a family of authenticated encryption algorithms that uses the tweakable block cipher Scream in the Tweakable Authenticated Encryption (TAE) mode proposed by Liskov et al. [7]. Compared to a conventional block cipher, a tweakable block cipher takes an additional public input called the tweak (Fig. 1). Note that in this paper SCREAM denotes the authenticated encryption scheme (Side-Channel Resistant Authenticated Encryption with Masking) and Scream denotes the tweakable block cipher used by SCREAM.
Related cryptanalysis
Leander et al. [9] presented a paper at Asiacrypt 2016 in which they introduced an attack called the nonlinear invariant attack. The authors showed how to distinguish the full versions of the tweakable block ciphers Scream and i-Scream and of Midori64 in a weak-key setting. For the authenticated encryption schemes i-SCREAM and SCREAM, the plaintext can be practically recovered from the ciphertext alone in the nonce-respecting setting.
In 2017, Dwivedi et al. [2] presented a paper Differential-linear and
SCREAM
SCREAM uses the tweakable block cipher Scream, which is based on a variant of LS-designs [3] called Tweakable LS-designs (TLS-designs).
Related key-differential-linear cryptanalysis
We extend our previous work on Scream [2] to cover a few more rounds by combining related-key cryptanalysis with differential-linear cryptanalysis.
Differential cryptanalysis studies how a difference in the input propagates to a difference at the output. In a related-key attack the attacker does not know the keys, but can observe the cipher operating under several different keys between which some mathematical relation (for example, a fixed XOR difference) is known to the attacker. Differential-linear cryptanalysis chains a short differential over the first rounds with a linear approximation over the remaining rounds and detects the bias that results from the combination.
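As an added worked example (editor's code, not the paper's and not Scream), the following Python script shows the three ingredients this section combines on a constructed 16-bit toy SPN: the related-key cancellation that gives a probability-1 difference over the first round, the difference distribution table (DDT) and linear approximation table (LAT) from which differential and linear characteristics are built, and the empirical measurement of a differential-linear bias together with the usual c/ε² rule for how many chosen-plaintext pairs are needed to detect it. The toy cipher, its public PRESENT 4-bit S-box, the bit permutation, the deliberately trivial key schedule, and all masks, differences and keys are assumptions made for illustration and say nothing about Scream's actual structure.

```python
"""Toy differential-linear / related-key illustration (editor's example, not the
paper's code).  The cipher is a constructed 16-bit SPN, NOT Scream: the public
PRESENT 4-bit S-box, a PRESENT-style bit permutation shrunk to 16 bits, and a
trivial key schedule that XORs the same 16-bit key in every round.  The weak
key schedule is exactly what makes the related-key cancellation below hold."""
import math
import random

SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]          # PRESENT S-box (assumed)
# Bit i of the state moves to position PERM[i]; this is a bijection on 16 positions.
PERM = [15 if i == 15 else (4 * i) % 15 for i in range(16)]


def parity(x):
    return bin(x).count("1") & 1


def ddt(sbox):
    """Difference distribution table: ddt[a][b] = #{x : S(x) ^ S(x ^ a) == b}.
    A differential (a -> b) over one S-box holds with probability ddt[a][b] / n."""
    n = len(sbox)
    t = [[0] * n for _ in range(n)]
    for a in range(n):
        for x in range(n):
            t[a][sbox[x] ^ sbox[x ^ a]] += 1
    return t


def lat(sbox):
    """Centred linear approximation table: lat[a][b] = #{x : a.x == b.S(x)} - n/2.
    The bias of the approximation (a -> b) is lat[a][b] / n."""
    n = len(sbox)
    t = [[0] * n for _ in range(n)]
    for a in range(n):
        for b in range(n):
            agree = sum(1 for x in range(n) if parity(a & x) == parity(b & sbox[x]))
            t[a][b] = agree - n // 2
    return t


def sbox_layer(s):
    return sum(SBOX[(s >> (4 * i)) & 0xF] << (4 * i) for i in range(4))


def permute(s):
    out = 0
    for i in range(16):
        if (s >> i) & 1:
            out |= 1 << PERM[i]
    return out


def encrypt(p, key, rounds):
    """Toy SPN: `rounds` rounds of (key XOR, S-box layer, permutation), then a final key XOR."""
    s = p
    for _ in range(rounds):
        s = permute(sbox_layer(s ^ key))
    return s ^ key


def related_key_round1_diffs(delta, trials=256, seed=1):
    """State differences after round 1 for the pairs (P, K) and (P ^ delta, K ^ delta).
    Both round-1 inputs equal P ^ K, so the difference is 0 with probability 1 and
    delta only re-enters at the round-2 key XOR: a related-key path in front of
    the differential, in the spirit of the paper's construction."""
    rng = random.Random(seed)
    diffs = set()
    for _ in range(trials):
        p, k = rng.getrandbits(16), rng.getrandbits(16)
        a = permute(sbox_layer(p ^ k))
        b = permute(sbox_layer((p ^ delta) ^ (k ^ delta)))
        diffs.add(a ^ b)
    return diffs


def dl_bias(delta, mask, key, rounds, samples=4096, seed=2):
    """Empirical differential-linear bias Pr[mask.(C ^ C') = 0] - 1/2 over related-key
    pairs (P, K), (P ^ delta, K ^ delta).  A bias clearly away from 0 is the
    distinguisher; after one round it is exactly +-1/2 because C ^ C' == delta."""
    rng = random.Random(seed)
    zeros = 0
    for _ in range(samples):
        p = rng.getrandbits(16)
        c1 = encrypt(p, key, rounds)
        c2 = encrypt(p ^ delta, key ^ delta, rounds)
        zeros += parity(mask & (c1 ^ c2)) == 0
    return zeros / samples - 0.5


def pairs_needed(bias, c=8):
    """Rule of thumb: about c / bias^2 chosen-plaintext pairs are needed to see a bias
    of the given magnitude above the statistical noise (c = 8 is a common choice)."""
    if bias == 0:
        raise ValueError("a zero bias gives no distinguisher")
    return math.ceil(c / bias ** 2)


if __name__ == "__main__":
    print("max DDT entry (a != 0):", max(max(r) for r in ddt(SBOX)[1:]))
    print("max |LAT| entry (a, b != 0):", max(abs(v) for r in lat(SBOX)[1:] for v in r[1:]))
    print("round-1 differences under related keys:", related_key_round1_diffs(0x00F0))
    b = dl_bias(0x0001, 0x0001, 0xBEEF, 3)
    print("3-round DL bias:", b, "-> pairs needed about", pairs_needed(b) if b else "n/a")
```

The trivial key schedule is what lets the key difference cancel the plaintext difference in round 1 with probability 1; against a real key schedule the attacker must search for a key difference whose propagation through the schedule lines up with the state difference, which is what stretches the related-key path over several rounds. The `c / bias**2` estimate is the standard way of turning the bias of the final approximation into the chosen-plaintext count and, multiplied by the number of key guesses for the peeled-off round, into the time complexity.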
Conclusion
The attack uses a 6-round related-key path, a 1.5-round differential path with probability 1 and a 2.5-round linear path with bias value . In this way we cover 10 rounds in total. The bias of the approximation is and we need chosen plaintexts to detect it. The time complexity of the attack is therefore , since we peel off the last round by guessing 48 key bits.
Acknowledgements
Project was financed by Polish National Science Centre, project DEC-2014/15/B/ST6/05130.
References
[1] CAESAR: Competition for Authenticated Encryption: Security, Applicability, and Robustness.
[2] Dwivedi et al., Differential-linear and impossible differential cryptanalysis of round-reduced Scream.
[3] Grosso et al., LS-designs: bitslice encryption for efficient masked software implementations.